Security Breach | Privacy and Information Security Law Blog

UK ICO Encourages Voluntary Data Protection Audits and Advisory Visits

Posted on February 3, 2012 by Hunton & Williams LLP

Throughout 2011, the UK Information Commissioner’s Office (“ICO”) escalated its use of data protection audits, encouraging organizations to submit to voluntary audits and seeking to increase its ability to conduct compulsory audits. Currently, the ICO has the authority to compel central government departments to undergo audits, but it would like to extend compulsory audits to include local government, the national health service and the private sector.

Tags: Christopher Graham, Information Commissioners Office, United Kingdom

UK and U.S. Regulators Introduce New Breach Guidance, Notification Forms

Posted on February 3, 2012 by Hunton & Williams LLP

In recent weeks, regulators in California and Illinois have issued guidance on responding to data security breaches, while UK and California authorities released online forms for organizations to use when providing notification of a breach to regulators.

In December 2011, the UK Information Commissioner’s Office (“ICO”) released a new breach notification form, reinforcing its expectation that organizations provide notification whether or not such notification is legally required. Sector-specific breach notification requirements were introduced in the UK by The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011, and since May 2011, public electronic communication service providers have been required to notify the ICO, and in some cases affected individuals, in the event of a data security breach. All other organizations are strongly encouraged to notify the ICO of serious security breaches, and the fact that an incident was reported voluntarily is something the ICO takes into consideration when determining the appropriate enforcement action.

Tags: California, Data Protection Act, E-Privacy Directive, Illinois, Information Commissioners Office, State Attorneys General, United Kingdom

Chinese Ministry of Industry and Information Technology Issues New Data Protection Regulations

Posted on February 3, 2012 by Hunton & Williams LLP

The Ministry of Industry and Information Technology of the People’s Republic of China (the “MIIT”) recently issued a regulation entitled “Several Provisions on Regulating Market Orders of Internet Information Services” (the “New Regulations”). The New Regulations, which will take effect on March 15, 2012, include significant new data protection requirements applicable to Internet information service providers (“IISPs”). Consistent with data protection regimes currently in place elsewhere in the world, IISPs will be required to provide much stronger protection for the personal data they collect from users in China, and will be subject to notice and consent requirements, collection limitations and use limitations.

Tags: China, Personally Identifiable Information, Telecommunications

Connecticut AG Announces Agreement with MetLife over 2009 Breach Incident

Posted on January 27, 2012 by Hunton & Williams LLP

On January 24, 2011, Connecticut Attorney General George Jepsen and Consumer Protection Commissioner William Rubenstein announced that they had reached an Assurance of Voluntary Compliance (“AVC”) with Metropolitan Life Insurance Co. (“MetLife”) in connection with an incident involving the disclosure of customer personal information on the Internet. In November 2009, a MetLife employee posted the personally identifiable information of current and former MetLife customers, including their Social Security numbers, on the Internet. Following the discovery of the posting, MetLife acted to mitigate possible harm by providing credit monitoring and identity theft insurance to the affected customers.

Tags: Connecticut, Consumer Protection, Credit Monitoring, Personally Identifiable Information, Social Security Number, State Attorneys General

Minnesota AG Sues Debt Collection Agency for Health Privacy Violations

Posted on January 24, 2012 by Hunton & Williams LLP

On January 19, 2012, Minnesota Attorney General Lori Swanson announced a lawsuit against Accretive Health, Inc., (“Accretive”) for violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations, the Minnesota Health Records Act, Minnesota’s debt collection statutes and Minnesota’s consumer protection laws. The suit, which was filed in Federal District Court in Minnesota, alleges that Accretive failed to adequately safeguard patients’ protected health information (“PHI”). This failure contributed to a July 2011 information security breach when an Accretive employee left an unencrypted laptop containing information of approximately 23,500 patients in a rental car. The laptop was stolen and has not yet been recovered.

Tags: Consumer Protection, HIPAA, HITECH Act, Minnesota, Privacy Rule, Protected Health Information, Social Security Number, State Attorneys General

Third Circuit Holds Data Breach Plaintiffs Lack Standing

Posted on January 20, 2012 by Hunton & Williams LLP

On December 12, 2011, the United States Court of Appeals for the Third Circuit affirmed a decision that employees of Ceridian Corporation’s (“Ceridian’s”) customers did not have standing to sue Ceridian after the payroll processing firm suffered a data breach.

In December 2009, a hacker may have gained access to personal and financial information of Ceridian’s customers, including names, addresses, Social Security numbers, dates of birth and bank account information. Although it is not known if the hacker read, copied or understood the data, Ceridian sent notification letters to affected individuals informing them of the breach and offering to provide one year of complimentary credit monitoring and identity theft protection.

Tags: Consent Order, Consumer Protection, Credit Monitoring, Cybersecurity, Federal Trade Commission, Hacker, Litigation, Social Security Number

Sotto Breaks Down Data Breach Response in Interview with BankInfoSecurity

Posted on December 16, 2011 by Hunton & Williams LLP

On November 30, 2011, Tracy Kitten, Managing Editor of BankInfoSecurity, interviewed Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice at Hunton & Williams LLP. Discussing how data breaches can be game changers for organizations that suffer major incidents, Sotto emphasized that companies need to consider both the legal compliance issues involved with data breaches and potential reputational risks. Sotto also addressed how attorneys can play a key role in helping companies through the process.

Read the interview transcript or listen to the podcast, which can be streamed or downloaded as an MP3 on the BankInfoSecurity website.

Tags: Lisa Sotto

European Commission Drafts to Reform the EU Data Protection Framework Enter Interservice Consultation

Posted on December 6, 2011 by Hunton & Williams LLP

In early December 2011, drafts of two legal instruments prepared by DG Justice of the European Commission to reform the EU data protection framework entered interservice consultation. This process will give other Directorates-General of the Commission the opportunity to comment on the drafts before they are formally released as legislative proposals; accordingly, changes to the drafts are likely. Following this comment period, the drafts will enter the EU legislative process, which is likely to take at least two to three years before they become law. It is believed that Justice Commissioner and Commission Vice-President Viviane Reding will formally announce final versions of the drafts at an appearance at the World Economic Forum in late January 2012.

Tags: Article 29 Working Party, Binding Corporate Rules, Data Controller, Data Processor, Data Protection Authority, EU Data Protection Directive, European Commission, European Data Protection Supervisor, European Parliament, Opt-In Consent, Viviane Reding

New Breach Notification Requirement in Lithuania

Posted on November 30, 2011 by Hunton & Williams LLP

Lithuanian firm LAWIN Lideika, Petrauskas, Valiūnas ir partneriai reports that recent amendments to Lithuania’s Law on Legal Protection of Personal Data and the Law on Electronic Communications have established a breach notification requirement. Specifically, providers of publicly-available electronic communications services or of public communications networks must notify the data protection authority of data security breaches, and, when the breach is likely to have an adverse effect on the privacy of affected individuals, the data controller also may be required to notify those individuals.

Tags: Data Controller, Data Protection Authority, Lithuania

Law360 Q&A with Lisa Sotto

Posted on November 9, 2011 by Hunton & Williams LLP

On November 4, 2011, Law360 interviewed Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice at Hunton & Williams LLP. In a question and answer session, Sotto discussed the challenges of working with multinational companies on compliance with privacy laws, and addressed questions related to her practice and career. Read the full interview.

Tags: Lisa Sotto

Privacy and Information Security Law Blog - Global privacy and information security law updates and analysis

UK ICO Encourages Voluntary Data Protection Audits and Advisory Visits

UK and U.S. Regulators Introduce New Breach Guidance, Notification Forms

Chinese Ministry of Industry and Information Technology Issues New Data Protection Regulations

Sotto Breaks Down Data Breach Response in Interview with BankInfoSecurity

New Breach Notification Requirement in Lithuania

Law360 Q&A with Lisa Sotto

Published By Hunton & Williams

Search

Subscribe

Topics

Recent Updates

Blogroll

Privacy News