Privacy & Information Security Law Blog

On May 23, 2013, the Office of the Privacy Commissioner of Canada (“OPC”) issued a position paper (the “Paper”) proposing revisions to the Personal Information Protection and Electronic Documents Act (“PIPEDA”) to better align PIPEDA with the risks facing a modern information economy. Privacy Commissioner of Canada Jennifer Stoddart addressed the release of the Paper in her remarks at the IAPP Canada Privacy Symposium, stating that “[i]t is increasingly clear that the law is not up to the task of meeting the challenges of today – and certainly not those of tomorrow.” According to the Paper, the surge in the collection, availability and use of personal data has upset the balance between the privacy rights of individuals and the legitimate needs of businesses originally struck by PIPEDA. In response, the Paper proposes four general revisions to PIPEDA:

On May 21, 2013, the Department of Health and Human Services (“HHS”) announced a resolution agreement and $400,000 settlement with Idaho State University (“ISU”) for a breach that affected 17,500 individuals.

The ISU settlement relates to servers that had their firewall protections disabled, which left the electronic protected health information (“ePHI”) of patients at ISU’s Pocatello Family Medicine Clinic unsecured for at least ten months. Following the submission of a breach report to the HHS Office for Civil Rights (“OCR”), an investigation determined that ISU allegedly had not complied with HIPAA Security Rule requirements, including by conducting an incomplete and inadequate risk analysis and by failing to “adequately implement procedures to regularly review records of information system activity to determine if any ePHI was used or disclosed in an inappropriate manner.”

On May 9, 2013, the Federal Communications Commission (“FCC”) released a declaratory ruling clarifying the liability of a seller for violations of the Telemarketing Consumer Protection Act (“TCPA”) made by third-party telemarketers and others who place calls to market the seller’s products or services.

On May 20, 2013, the Irish Office of the Data Protection Commissioner (“ODPC”) published its annual report for 2012 (the “Report”). The Report summarizes the activities of the ODPC during 2012, including its investigations and audits, policy matters, and European and international activities.

Lisa J. Sotto, head of Hunton & Williams LLP’s Privacy and Data Security practice and managing partner of the New York office, was recently re-appointed as Chair of the Department of Homeland Security’s Data Privacy and Integrity Advisory Committee (“DPIAC”). Sotto was first appointed Chair of DPIAC in 2012 for a one-year term. This most recent tenure will expire in April 2014.

On May 16, 2013, UK Trade & Investment (“UKTI”), a UK government department working with businesses based in the UK to ensure their success in international markets, published the first export strategy paper (the “Paper”) on the UK’s approach to the $100 billion annual cybersecurity export market.

In November 2011, the UK’s Cyber Security Strategy was published. ‘Objective 1’ of the strategy’s implementation plan recognized that cyberspace is an important and expanding part of the UK economy. One of the supporting actions for Objective 1 was to develop a ...

In April 2013, the People’s Republic of China’s General Office of the National People’s Congress published a draft amendment to the Law on the Protection of Consumer Rights and Interests (the “ Proposed Amendment”) and solicited public comments on the Proposed Amendment until May 31, 2013. The Proposed Amendment includes provisions that affect the collection and use of consumer personal information.

On April 30, 2013, the UK government announced guidance on its consultation on cybersecurity standards (the ”Consultation”). The Consultation was launched in March 2013, and follows the UK government’s recent announcement regarding a cybersecurity partnership initiative to facilitate information-sharing on cyber threats.

On May 15, 2013, the Federal Trade Commission announced that it sent educational letters to over 90 businesses that appear to collect personal information from children under the age of 13, reminding them of the impending July 1 deadline for compliance with the updated Children’s Online Privacy Protection Rule (the “Rule”). The letters were sent to domestic and foreign companies that may be collecting information from children that is now considered “personal information” under the Children’s Online Privacy Protection Act (“COPPA”) but was not previously considered “personal information.” The definition of “personal information” under COPPA was expanded to include (1) photos, videos and audio recordings of children; and (2) persistent identifiers that may recognize users over time and across various websites and online services (e.g., cookies and IP addresses).

In March 2013, the UK government launched its consultation on cybersecurity standards (the “Consultation”) following the government’s recent announcement regarding a cybersecurity partnership initiative to facilitate information sharing on cyber threats.