Privacy & Information Security Law Blog

On February 8, 2013, during the Centre for Information Policy Leadership’s First Friday call, Hunton & Williams partner Frederick Eames offered insights on how key U.S. government players are likely to approach privacy and data security initiatives this session. Eames discussed upcoming privacy legislation and outlined his predictions regarding how several Congressional committees, including the House of Representatives Energy & Commerce Committee and the Senate Committee on Commerce, Science, & Transportation, will address privacy-related issues.

On February 12, 2013, the Obama Administration released its highly-anticipated Executive Order on cybersecurity. Evolving cyber threats and increased government attention to these issues will affect companies in every industry, and businesses must consider a proactive approach to protecting against risks to critical business systems, company personal data, intellectual property and other proprietary information.

On February 12, 2013, in conjunction with the release of an executive order on Improving Critical Infrastructure Cybersecurity (the “Executive Order”), President Obama signed a Presidential Policy Directive on Critical Infrastructure Security and Resilience (“PPD-21” or “PPD”). The PPD revokes the 2003 Homeland Security Presidential Directive-7 (issued by President George W. Bush as an initiative under the former Office of Homeland Security and the Homeland Security Council) to adjust to the new risk environment and make the nation’s critical infrastructure more resilient. The PPD expands upon the work that has been accomplished to date for the physical security of critical infrastructure and lays a foundation for the implementation of the Executive Order to protect critical infrastructure cybersecurity.

On February 11, 2013, the Federal Trade Commission announced that a congressionally-mandated study of the U.S. credit reporting industry found that 26 percent of consumers identified at least one error that might affect their credit score. The study reported that 5 percent of consumers had errors on their credit reports that could result in less favorable terms for loans and insurance.

Today, the Obama Administration released an executive order, Improving Critical Infrastructure Cybersecurity (the “Executive Order”), which is focused primarily on government actions to support critical infrastructure owners and operators in protecting their systems and networks from cyber threats. The Executive Order requires administrative agencies with cybersecurity responsibilities to (1) share information in the near-term with the private sector within the scope of their current authority and to develop processes to address cyber risks; and (2) review and report to the President on the sufficiency of their current cyber authorities. The requirements to review and report to the President likely will serve to pressure Congress to pass more comprehensive legislation that should, inter alia, address issues that an executive order cannot, such as the provision of liability protection, incentives for compliance, and regulatory authority to compel compliance.

On January 17, 2013, Mexico’s Ministry of Economy published its Lineamientos del Aviso de Privacidad (in Spanish) (“Privacy Notice Guidelines” or “Guidelines”), which it prepared in collaboration with the Mexican data protection authority. The Guidelines introduce heightened notice and opt-out requirements for the use of cookies, web beacons and similar technology, and they impose extensive requirements on the content and delivery of privacy notices generally (with respect to all personal data, not just data collected via cookies and other automated means). The Guidelines will take effect in mid-April.

On February 7, 2013, the European Commission, together with the High Representative of the Union for Foreign Affairs and Security Policy, launched their cybersecurity strategy for the European Union (“Strategy”). As part of this Strategy, the European Commission also proposed a draft directive on measures to ensure a common level of network and information security (“NIS”) across the EU (the “Directive”).

On February 4, 2013, the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik or “BSI”) published a paper (in German) providing an overview of the information technology risks inherent in consumerization and bring your own device (“BYOD”) strategies. The Paper responds to what the BSI views as a growing trend of employees making personal use of employer IT systems as well as using their personal IT devices for work purposes.

On February 5, 2013, Singapore’s new data protection agency, the Personal Data Protection Commission, published its first consultation paper (the “Paper”) articulating proposals for a data protection regulation. The Paper outlines the Commission’s positions on three key issues: (1) requests for access and correction; (2) transfer of personal data outside of Singapore; and (3) individuals who may act for others under the Personal Data Protection Act (“PDPA”). The PDPA was passed by the Singapore Parliament in October 2012 and became law in January 2013.

On January 29, 2013, the UK Court of Appeal ruled that the UK criminal records disclosure regime is disproportionate and incompatible with the UK Human Rights Act 1998 (the “Act”). The landmark judgment focused on the case of an appellant named “T,” who had received two “cautions” for stealing two bicycles when he was 11 years old. After a number of years, the appellant had to disclose these cautions twice in connection with required criminal records checks: first, at the age of 17, when he applied for a part-time job at a local football club, and again when he applied for a college course.