Time 2 Minute Read

The cost to register as a data controller in the United Kingdom is likely to increase significantly later this year, rising from £35 to £500 for companies with annual sales of at least £25.9 million and 250 or more employees.

The UK Information Commissioner has proposed a two-tiered fee structure as part of the Data Protection (Notification and Notification Fees) (Amendment) Regulations 2009 (the “Regulations”).  The Regulations are expected to come into force as of October 1, 2009.

Time 3 Minute Read

In a closely-watched case, the U.S. District Court for the Western District of Washington recently held that Internet Protocol (“IP”) addresses do not constitute personally identifiable information (“PII”). The plaintiffs in Johnson v. Microsoft Corp. brought a class action suit against Microsoft claiming that the collection of consumer IP addresses during the Windows XP installation process violated the XP End User License Agreement. The Agreement stated that Microsoft would not collect PII without the user’s consent. The plaintiffs referenced Microsoft’s own online glossary to support their claim that IP addresses should be considered PII. The glossary defined “personally identifiable information” as “[a]ny information relating to an identified or identifiable individual. Such information may include…IP address.” In granting summary judgment in favor of Microsoft, U.S. District Court Judge Richard Jones found that “[i]n order for ‘personally identifiable information’ to be personally identifiable, it must identify a person. But an IP address identifies a computer.”

Time 2 Minute Read

On July 2, 2009, five marketing industry associations jointly published a set of voluntary behavioral marketing guidelines entitled “Self-Regulatory Principles for Online Behavioral Advertising.” The American Association of Advertising Agencies, the Association of National Advertisers, the Direct Marketing Association, the Interactive Advertising Bureau and the Better Business Bureau developed the standards, which correspond to the self-regulatory principles proposed by the Federal Trade Commission (“FTC”).

Time 2 Minute Read

On June 30, 2009, the Obama Administration sent legislation to Congress that would create a new Consumer Financial Protection Agency ("CFPA").  Working with state regulators, the new agency would assume authority for the privacy provisions of the Gramm-Leach-Bliley Act, and would have the power to write rules and impose penalties pursuant to a variety of existing statutes, including the Fair Credit Reporting Act and the Fair and Accurate Credit Transactions Act.  To date, these powers have been shared among all financial services regulators, including the Federal Trade ...

Time 3 Minute Read

On July 1, 2009, new laws will take effect in Alaska and South Carolina that will require entities that have experienced data security breaches involving personal information to notify affected individuals of the breaches.  With these additions, a total of 44 states, plus the District of Columbia, Puerto Rico and the U.S. Virgin Islands, will have active breach notification laws in place.  There are no breach notification laws in Alabama, Kentucky, Mississippi, Missouri, New Mexico and South Dakota.

Time 1 Minute Read

As of January 1, 2010, Nevada law will require businesses to use encryption when data storage devices that contain personal information are moved beyond the physical or logical controls of the business, in addition to continuing to require that personal information be encrypted if it is transferred outside the secure system of the business. The new law repeals the existing Nevada encryption law, which will remain in effect until January 1, 2010. (For more information on the existing Nevada encryption law, please see our previous Client Alert.) The new law also mandates compliance ...

Time 1 Minute Read

The Obama Administration today formally announced its sweeping proposal for new regulation of the financial industry.  The plan proposes the formation of a new watchdog agency that would seek to protect consumers' interests.  The proposal raises a number of privacy and data security questions, such as the role of the new financial services consumer protection agency in protecting privacy and data security and the continued role of the Federal Trade Commission as the lead agency in this area.  We will keep you posted as more details regarding the plan emerge.

Time 2 Minute Read

A lawsuit that will soon commence in Arizona has the potential to alter the data breach liability landscape by making data security auditors liable for data breaches experienced by the companies they audit.  The case, Merrick Bank Corp. v. Savvis Inc., has its origins in events that began in 2003, when Merrick Bank (“Merrick”) offered to hire CardSystems Solutions (“CardSystems”) to process credit card transactions for its merchant customers.  The offer was contingent upon CardSystems achieving certification under VISA’s Cardholder Information Security Program (“CISP”), which is the predecessor to the Payment Card Industry Data Security Standard (“PCI DSS”).  Savvis audited CardSystems in 2004 and found that it had “implemented sufficient security solutions” and followed “industry best practices.”  VISA certified CardSystems shortly after receiving Savvis’ audit report.  In 2005, CardSystems revealed that it had experienced an information security breach that compromised forty million payment cards.

Time 1 Minute Read

The UK Information Commissioner is initiating a consultation to develop a code of practice that will help companies address online privacy issues. It is anticipated that the code will provide guidance on the following matters:

  • Operating a privacy-friendly website
  • Rights and protections for individuals
  • Privacy choices and default settings
  • Cyberspace and territoriality
The UK Information Commissioner's Office has requested that interested parties host discussion sessions. Hunton & Williams' London office, together with the firm's Centre for Information Policy ...
Time 2 Minute Read

On June 3, 2009, the French Senate’s Commission on Laws issued a report on the right to privacy in the digital age (‘La vie privée à l’heure des mémoires numériques’) (the “Report”). The issuance of the Report is perhaps the most important legislative initiative in France in the field of privacy and data protection since the implementation of the EU Data Protection Directive in 2004.

Search

Subscribe Arrow

Recent Posts

Categories

Tags

Archives

Jump to Page