International DPA Working Group Publishes Working Paper on Privacy Issues in Cloud Computing

Posted on May 7, 2012 by Hunton & Williams LLP

Following a meeting in Sopot, Poland, on April 24, 2012, the International Working Group on Data Protection in Telecommunications (the “Working Group”), led by the Berlin Commissioner for Data Protection and Freedom of Information, issued a Working Paper that focuses on privacy and data protection issues related to the use of cloud computing in the international context. The Working Paper aims to reduce uncertainty regarding the definition of cloud computing and how the technology intersects with privacy, data protection and other legal issues.

Continue reading…

Tags: , , ,

House Passes Two Cybersecurity Bills

Posted on May 1, 2012 by Hunton & Williams LLP

On April 26, 2012, the U.S. House of Representatives approved the Cyber Intelligence Sharing and Protection Act (“CISPA” or H.R. 3523), which is aimed at facilitating the exchange of cyber threat intelligence information between the government and certain private entities. In addition, the House approved the Federal Information Security Amendments Act of 2012 (H.R. 4257), which modifies the Federal Information Security Management Act of 2002 to provide for automated and continuous monitoring of the security of government information systems.

Continue reading…

Tags: , , ,

German Insurance Industry to Establish “Trusted German Insurance Cloud”

Posted on April 13, 2012 by Hunton & Williams LLP

On March 8, 2012, during the CeBIT international IT trade show, the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik or “BSI”) accepted the German Insurance Association’s application for certification of the “Trusted German Insurance Cloud,” a project that aims to establish a secure IT platform for the German insurance industry.  The parties previously had agreed to work together to develop practical requirements for a secure cloud solution, and to implement appropriate security measures in the “Trusted German Insurance Cloud.” In accordance with the BSI’s baseline security parameters, the practical requirements for the cloud are meant to contemplate the ISO 27001 standard as well as appropriate IT security criteria issued by data protection authorities. The implementation of the cloud security requirements will be finalized pursuant to the BSI’s certification process.

As was the case when it drafted the position paper “Information Security Issues for Cloud Computing,” the BSI has stated that its goal is to work in cooperation with the private sector to develop practical guidelines and recommendations for IT security. The BSI likely will be looking to extend this approach to other industries and sectors by developing a generally applicable certification procedure for cloud services.

Tags: ,

RockYou Settles FTC Charges Related to Data Breach, COPPA Violations

Posted on March 28, 2012 by Hunton & Williams LLP

On March 27, 2012, the Federal Trade Commission announced a proposed settlement order with RockYou, Inc. (“RockYou”), a publisher and developer of applications used on popular social media sites. The FTC alleged that RockYou failed to protect the personal information of 32 million of its users, and violated multiple provisions of the FTC’s Children’s Online Privacy Protection Act (“COPPA”) Rule when it collected information from approximately 179,000 children.

Continue reading…

Tags: , , , , , , , ,

Massachusetts Attorney General Announces $15,000 Settlement with Property Management Firm

Posted on March 27, 2012 by Hunton & Williams LLP

On March 21, 2012, Massachusetts Attorney General Martha Coakley announced that Maloney Properties Inc. (“MPI”), a property management firm, executed an Assurance of Discontinuance and agreed to pay $15,000 in civil penalties following an October 2011 theft of an unencrypted company-issued laptop. The laptop contained personal information of more than 600 Massachusetts residents and was left in an employee’s car overnight. MPI has indicated that it has no evidence of unauthorized access to or use of the personal information in connection with this breach.

Continue reading…

Tags: , , ,

FTC Privacy Report Emphasizes Privacy by Design, Individual Control and Transparency

Posted on March 27, 2012 by Hunton & Williams LLP

On March 26, 2012, the Federal Trade Commission issued a new privacy report entitled “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers.” The report charts a path forward for companies to act in the interest of protecting consumer privacy.

In his introductory remarks, FTC Chairman Jon Leibowitz indicated his support for Do Not Track stating, “Simply put, your computer is your property; no one has the right to put anything on it that you don’t want.” In later comments he predicted that if effective Do Not Track mechanisms are not available by the end of this year, the new Congress likely would introduce a legislative solution.

Continue reading…

Tags: , , , , , , , , , , , , , ,

Philippines Passes Omnibus Data Protection Law

Posted on March 22, 2012 by Hunton & Williams LLP

On March 20, 2012, the Senate of the Philippines unanimously approved the omnibus Data Privacy Act of 2011, also known as “An Act Protecting Individual Personal Information in Information and Communications Systems in the Government and the Private Sector, Creating for This Purpose a National Data Protection Commission, and for Other Purposes” (S.B. 2965). Once signed into law, the legislation will impose a privacy regime modeled on the EU Data Protection Directive. It features significant notice, consent and data breach notification requirements, and it imposes direct obligations on both data controllers and data processors. The law will create a National Privacy Commission with authority to monitor compliance and recommend to the Department of Justice the imposition of penalties for noncompliance, including imprisonment and fines.

Although the bill does not contain cross-border data transfer restrictions, the law will apply to certain foreign processing of personal information about Philippine residents. In an apparent effort to protect the domestic outsourcing industry, however, the law will not apply to “personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.”

Tags: , , , , , , ,

Sotto Discusses White House Administration’s Consumer Privacy Bill of Rights

Posted on March 8, 2012 by Hunton & Williams LLP

On February 24, 2012, Eric Chabrow of BankInfoSecurity interviewed Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice at Hunton & Williams LLP. Discussing the need for a Consumer Privacy Bill of Rights, Sotto briefly outlined the strengths and weaknesses of the proposed bill, and its potential impact on businesses.

Read the interview or listen to the podcast, which can be streamed or downloaded as an MP3 on the BankInfoSecurity website.

Tags: , , , , ,

CBI for the Cloud

Posted on March 7, 2012 by Hunton & Williams LLP

A growing number of companies are implementing cloud computing solutions to lower IT costs and increase efficiency. Although cloud technology offers an array of advantages, organizations that rely on the cloud must compensate for the corresponding increase in risk associated with outsourcing business operations to a third party. A recent article  authored by Hunton & Williams Insurance Litigation & Counseling partner Lon Berk discusses the ways in which business interruptions caused by cloud service provider failures may be covered by contingent business interruption insurance, or CBI.

Read CBI for the Cloud.

Tags: , ,

UK ICO Issues Revised Guidance on Fines

Posted on February 7, 2012 by Hunton & Williams LLP

Monetary penalties are one mechanism in a suite of tools that the UK Information Commissioner’s Office (“ICO”) uses to encourage compliance with data protection regulations. The ICO generally uses monetary penalties to sanction deliberate or negligent breaches of the law, but the purpose is not to impose financial hardship but rather to “act as an encouragement towards compliance, or at least as a deterrent against non-compliance.” The following is a brief overview of the ICO’s authority to issue monetary penalties. Continue reading…

Tags: , , ,