Information Security | Privacy and Information Security Law Blog

UK and U.S. Regulators Introduce New Breach Guidance, Notification Forms

Posted on February 3, 2012 by Hunton & Williams LLP

In recent weeks, regulators in California and Illinois have issued guidance on responding to data security breaches, while UK and California authorities released online forms for organizations to use when providing notification of a breach to regulators.

In December 2011, the UK Information Commissioner’s Office (“ICO”) released a new breach notification form, reinforcing its expectation that organizations provide notification whether or not such notification is legally required. Sector-specific breach notification requirements were introduced in the UK by The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011, and since May 2011, public electronic communication service providers have been required to notify the ICO, and in some cases affected individuals, in the event of a data security breach. All other organizations are strongly encouraged to notify the ICO of serious security breaches, and the fact that an incident was reported voluntarily is something the ICO takes into consideration when determining the appropriate enforcement action.

Tags: California, Data Protection Act, E-Privacy Directive, Illinois, Information Commissioners Office, State Attorneys General, United Kingdom

Chinese Ministry of Industry and Information Technology Issues New Data Protection Regulations

Posted on February 3, 2012 by Hunton & Williams LLP

The Ministry of Industry and Information Technology of the People’s Republic of China (the “MIIT”) recently issued a regulation entitled “Several Provisions on Regulating Market Orders of Internet Information Services” (the “New Regulations”). The New Regulations, which will take effect on March 15, 2012, include significant new data protection requirements applicable to Internet information service providers (“IISPs”). Consistent with data protection regimes currently in place elsewhere in the world, IISPs will be required to provide much stronger protection for the personal data they collect from users in China, and will be subject to notice and consent requirements, collection limitations and use limitations.

Tags: China, Personally Identifiable Information, Telecommunications

UK ICO Outlines the Year Ahead

Posted on January 26, 2012 by Hunton & Williams LLP

On December 28, 2011, UK Information Commissioner Christopher Graham outlined the ICO’s agenda for 2012 in a post on the ICO blog, highlighting the European Commission’s proposals for reviewing the EU data protection framework, the post-legislative scrutiny process with respect to the UK Freedom of Information Act (“FOIA”) and the ICO’s Information Rights Strategy. The Commissioner cautioned against allowing data protection compliance to fall by the wayside in the current, tough economic climate, especially given the inevitable reputational damage caused by big data breaches and the ICO’s power to impose fines.

Tags: Christopher Graham, EU Data Protection Directive, Freedom of Information Act, Information Commissioners Office, Ireland, United Kingdom

Massachusetts Court Dismisses ZIP Code Suit for Failure to Allege a Cognizable Injury

Posted on January 12, 2012 by Hunton & Williams LLP

On January 6, 2012, the United States District Court for the District of Massachusetts granted Michaels Stores, Inc.’s (“Michaels”) a motion to dismiss against a customer-plaintiff who alleged that Michaels’ in-store information collection practices violated Massachusetts law. Although the court ruled in Michaels’ favor, it found that customer ZIP codes do constitute personal information under Massachusetts state law when collected in the context of a credit card transaction. The plaintiff’s class action complaint alleged that “Michaels illegally requested customers’ ZIP codes when processing their credit card transactions in violation of” Massachusetts General Laws Chapter 93, Section 105(a) (“Section 105(a)”). Specifically, Section 105(a) states that “[n]o person, firm, partnership, corporation or other business entity that accepts a credit card for a business transaction shall write, cause to be written or require that a credit card holder write personal identification information, not required by the credit card issuer, on the credit card transaction form.”

Tags: California, Class Action, Consumer Protection, Massachusetts, New Jersey, Personally Identifiable Information, ZIP Codes

FTC Settles with Alleged Stealth Behavioral Advertising Targeter

Posted on January 9, 2012 by Hunton & Williams LLP

On January 5, 2012, the Federal Trade Commission announced a proposed settlement with Upromise, Inc., a membership reward service that gives cash rebates for college savings accounts to members who purchase products and services from its partner merchants. The FTC alleged that the “Personalized Offers” feature on the Upromise TurboSaver Toolbar (1) collected far more information about users’ browsing behavior than was disclosed at the time of installation, and (2) contrary to representations in the company’s privacy notice, transmitted that information, which included data such as Social Security numbers and financial account numbers, in clear text.

Tags: Advertisement, Consent Order, Consumer Protection, Federal Trade Commission, Personally Identifiable Information, Social Security Number

Sotto Breaks Down Data Breach Response in Interview with BankInfoSecurity

Posted on December 16, 2011 by Hunton & Williams LLP

On November 30, 2011, Tracy Kitten, Managing Editor of BankInfoSecurity, interviewed Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice at Hunton & Williams LLP. Discussing how data breaches can be game changers for organizations that suffer major incidents, Sotto emphasized that companies need to consider both the legal compliance issues involved with data breaches and potential reputational risks. Sotto also addressed how attorneys can play a key role in helping companies through the process.

Read the interview transcript or listen to the podcast, which can be streamed or downloaded as an MP3 on the BankInfoSecurity website.

Tags: Lisa Sotto

German Data Protection Association Issues Report on “Uniform Data Protection Law in Europe through Regulation”

Posted on November 23, 2011 by Hunton & Williams LLP

On November 17, 2011, the German Association for Data Protection and Data Security (“GDD”) held its 35th Privacy Conference (“DAFTA”) in Cologne, Germany. At the opening plenary session, Paul Nemitz, Director for Fundamental Rights and Citizenship of the European Commission, announced that the European Commission plans to implement a Regulation that is directly applicable to all EU Member States, to harmonize data protection laws in Europe.

Tags: Consumer Protection, Data Protection Authority, EU Member States, European Commission, Germany

Rockefeller to Hold Hearing on “Alarming” Online Tracking Practices

Posted on November 18, 2011 by Hunton & Williams LLP

On November 17, 2011, Senator Jay Rockefeller (D-WV), Chair of the Senate Committee on Commerce, Science and Transportation, issued a statement emphasizing the need for increased consumer protection on the Internet. Rockefeller cited “disturbing” reports about Facebook’s ability to track non-members and members who have logged out of the site, stating that companies should not be tracking users without their consent.

Tags: Consumer Protection, Cookies, Do Not Track, Facebook, Federal Trade Commission, Jay Rockefeller

Law360 Q&A with Lisa Sotto

Posted on November 9, 2011 by Hunton & Williams LLP

On November 4, 2011, Law360 interviewed Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice at Hunton & Williams LLP. In a question and answer session, Sotto discussed the challenges of working with multinational companies on compliance with privacy laws, and addressed questions related to her practice and career. Read the full interview.

Tags: Lisa Sotto

New Chinese Legislation Includes Provisions Protecting Personal Information

Posted on November 8, 2011 by Hunton & Williams LLP

In the past two months, Chinese national authorities amended a law, and provincial authorities in Jiangsu Province issued a new regulation, both of which include provisions concerning the protection of personal information.

Law of the People’s Republic of China on Resident Identity Cards

Any Chinese citizen who resides in China is required to obtain a resident identity card when he or she turns 16 years old. The cards carry information which generally would be considered personal information under Chinese law, such as name, gender, date of birth, home address and identity card number. The Law of the People’s Republic of China on Resident Identity Cards, a national law originally enacted in 2003, was amended on October 29, 2011, to include the following new provisions on the protection of personal information: Continue reading…

Tags: China, Criminal Law, Liability, Penalty, Telecommunications

Privacy and Information Security Law Blog - Global privacy and information security law updates and analysis

UK and U.S. Regulators Introduce New Breach Guidance, Notification Forms

Chinese Ministry of Industry and Information Technology Issues New Data Protection Regulations

UK ICO Outlines the Year Ahead

Massachusetts Court Dismisses ZIP Code Suit for Failure to Allege a Cognizable Injury

Sotto Breaks Down Data Breach Response in Interview with BankInfoSecurity

German Data Protection Association Issues Report on “Uniform Data Protection Law in Europe through Regulation”

Rockefeller to Hold Hearing on “Alarming” Online Tracking Practices

Law360 Q&A with Lisa Sotto

New Chinese Legislation Includes Provisions Protecting Personal Information

Published By Hunton & Williams

Search

Subscribe

Topics

Recent Updates

Blogroll

Privacy News