Privacy & Information Security Law Blog

On July 27, 2011, the Ministry of Industry and Information Technology of the People’s Republic of China (the “MIIT”) published a draft rule including provisions regulating the processing of personal information by “Internet Information Service Providers.”  The draft rule, entitled “Provisions on the Administration of Internet Information Services” (the “Draft Provisions”), is not the first rule regulating Internet information services in China.  In 2000, the MIIT enacted the “Measures for the Administration of Internet Information Services” (the “Measures”), which took effect on September 25, 2000.  However, the Measures do not include any explicit provisions addressing the protection of personal information.

On June 9, 2011, Lisa J. Sotto, partner and head of Hunton & Williams LLP’s Privacy and Data Security practice, spoke during the regulatory session on state and federal laws at NetDiligence’s Cyber Risk & Privacy Liability Forum in Philadelphia.  Sotto discussed recent changes to the legal landscape, emphasizing regulatory authorities’ growing interest in policy and enforcement issues and increased legislative activity on the state and federal levels.

View an excerpt from Sotto’s remarks as part of the panel discussion.

Several health care industry groups requested that the Department of Health and Human Services (“HHS”) either remove or significantly revise a proposed “access report” requirement in its recent notice of proposed rulemaking (the “Proposed Rule”) for the accounting of disclosures of protected health information (“PHI”).  As we reported in May, HHS issued the Proposed Rule that revises existing HIPAA Privacy Rule provisions regarding accounting of disclosures and gives individuals a new right to obtain an “access report” that would list the specific persons who have accessed a patient’s PHI, and describe any actions taken by those persons with respect to the PHI (e.g., create, modify, access or delete).

On July 28, 2011, the International Association of Privacy Professionals (“IAPP”) hosted a webinar that addressed the upcoming audit program of the Department of Health and Human Services Office of Civil Rights (“OCR”).  Susan McAndrew, the Deputy Director for Health Information Privacy at OCR, provided an overview of the audit program, noting that it stemmed from Section 13411 of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act.  That section of the HITECH Act authorized the Secretary of the Health and Human Services to “provide for periodic audits to ensure that covered entities and business associates” comply with the requirements of the HIPAA Privacy and Security Rules.

On July 29, 2011, Massachusetts Attorney General Martha Coakley announced a $7,500 settlement with Belmont Savings Bank following a May 2011 data breach involving the names, Social Security numbers and account numbers of more than 13,000 Massachusetts residents.  The bank has stated that it has no evidence of unauthorized access to or use of consumers’ personal information in connection with this breach.

As reported in the Hunton Employment & Labor Perspectives Blog, Connecticut recently became the latest state to pass a law regulating employer use of credit reports. The law, which goes into effect on October 1, 2011, prohibits employers from requiring employees or prospective employees to consent to the employer requesting their credit report as a condition of employment.  The full post includes a discussion of the exceptions to this restriction.

Read our previous posts on regulatory scrutiny of employee credit checks and a similar Illinois law that went into effect on January 1 ...

Read the Dallas Business Journal's DBJ Confidential blog post discussing Hunton & Williams partner Lisa J. Sotto's thoughts on how companies should approach privacy issues in the United States. Sotto was interviewed while in Dallas giving a privacy law presentation for in-house counsel.

As we previously reported, the Mexican government has developed draft regulations for the implementation of Mexico’s Federal Law on the Protection of Personal Data in the Possession of Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares). The U.S. Department of Commerce recently circulated an English translation of the draft regulations. Public comments on the draft are due on August 3, 2011, and Mexican officials have indicated they will not grant extensions for late submissions. A final version of the regulations is ...

As reported in BNA’s Privacy Law Watch, on July 25, 2011, Russian President Dmitry Medvedev signed a new federal law amending Russia’s personal data privacy law, “On Personal Data.” The amended law, which was made public on July 27 and is effective retroactively from July 1, 2011, imposes new rules on international data transfers. As we previously reported, and as noted by the BNA, Russia had been considering improving its data protection regime and has enacted two other laws regarding the protection of personal data in the past several weeks.

On July 25, 2011, Netflix stated that it will hold off on the launch of its Facebook integration in the U.S. due to legal issues related to the Video Privacy Protection Act (“VPPA”).  The new Facebook feature would allow Netflix subscribers to share their movie viewing information with friends online.  Netflix indicated in its second quarter shareholder letter that it supports House Bill 2471 (“H.B. 2471”), a proposed bipartisan amendment to the VPPA intended to clarify the consent requirement for sharing consumer video viewing information.  The letter states that “[u]nder the VPPA, it is ambiguous when and how a user can give permission for his or her video viewing data to be shared” and that the VPPA “discourages us from launching our Facebook integration domestically.”  As a result, the company plans to limit the campaign to Canada and Latin America until questions concerning the VPPA are resolved.