Privacy & Information Security Law Blog

On February 11, 2013, the Federal Trade Commission announced that a congressionally-mandated study of the U.S. credit reporting industry found that 26 percent of consumers identified at least one error that might affect their credit score. The study reported that 5 percent of consumers had errors on their credit reports that could result in less favorable terms for loans and insurance.

Today, the Obama Administration released an executive order, Improving Critical Infrastructure Cybersecurity (the “Executive Order”), which is focused primarily on government actions to support critical infrastructure owners and operators in protecting their systems and networks from cyber threats. The Executive Order requires administrative agencies with cybersecurity responsibilities to (1) share information in the near-term with the private sector within the scope of their current authority and to develop processes to address cyber risks; and (2) review and report to the President on the sufficiency of their current cyber authorities. The requirements to review and report to the President likely will serve to pressure Congress to pass more comprehensive legislation that should, inter alia, address issues that an executive order cannot, such as the provision of liability protection, incentives for compliance, and regulatory authority to compel compliance.

On January 17, 2013, Mexico’s Ministry of Economy published its Lineamientos del Aviso de Privacidad (in Spanish) (“Privacy Notice Guidelines” or “Guidelines”), which it prepared in collaboration with the Mexican data protection authority. The Guidelines introduce heightened notice and opt-out requirements for the use of cookies, web beacons and similar technology, and they impose extensive requirements on the content and delivery of privacy notices generally (with respect to all personal data, not just data collected via cookies and other automated means). The Guidelines will take effect in mid-April.

On February 7, 2013, the European Commission, together with the High Representative of the Union for Foreign Affairs and Security Policy, launched their cybersecurity strategy for the European Union (“Strategy”). As part of this Strategy, the European Commission also proposed a draft directive on measures to ensure a common level of network and information security (“NIS”) across the EU (the “Directive”).

On February 4, 2013, the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik or “BSI”) published a paper (in German) providing an overview of the information technology risks inherent in consumerization and bring your own device (“BYOD”) strategies. The Paper responds to what the BSI views as a growing trend of employees making personal use of employer IT systems as well as using their personal IT devices for work purposes.

On February 5, 2013, Singapore’s new data protection agency, the Personal Data Protection Commission, published its first consultation paper (the “Paper”) articulating proposals for a data protection regulation. The Paper outlines the Commission’s positions on three key issues: (1) requests for access and correction; (2) transfer of personal data outside of Singapore; and (3) individuals who may act for others under the Personal Data Protection Act (“PDPA”). The PDPA was passed by the Singapore Parliament in October 2012 and became law in January 2013.

On January 29, 2013, the UK Court of Appeal ruled that the UK criminal records disclosure regime is disproportionate and incompatible with the UK Human Rights Act 1998 (the “Act”). The landmark judgment focused on the case of an appellant named “T,” who had received two “cautions” for stealing two bicycles when he was 11 years old. After a number of years, the appellant had to disclose these cautions twice in connection with required criminal records checks: first, at the age of 17, when he applied for a part-time job at a local football club, and again when he applied for a college course.

On February 4, 2013, the Supreme Court of California examined whether Section 1747.08 of the Song-Beverly Credit Card Act (“Song-Beverly”) prohibits an online retailer from requesting or requiring personal identification information from a customer as a condition to accepting a credit card as payment for an electronically downloadable product. In a split decision, the majority of the court ruled that Song-Beverly does not apply to online purchases in which the product is downloaded electronically.

On January 25, 2013, Kmart Corporation (“Kmart”) agreed to a $3 million settlement stemming from allegations that it violated the Fair Credit Reporting Act (“FCRA”) when using background checks to make employment decisions. The FCRA addresses adverse actions taken against consumers based on information in consumer reports and includes numerous requirements relating to the use of such reports in the employment context.

On January 28, 2013, the London office of Hunton & Williams marked European Data Privacy Day with the launch of the fourth edition of Data Protection Law & Practice, written by Senior Attorney Rosemary Jay. A panel comprised of the current UK Information Commissioner, Christopher Graham; his three predecessors, Eric Howe CBE, Elizabeth France CBE and Richard Thomas CBE; and the UK Minister of State for Justice, Lord McNally, spoke at the event and provided a retrospective on data protection in the United Kingdom since the Information Commissioner’s Office’s (“ICO’s”) inception in 1984.