Three Bills Introduced to Repeal Section 929I of the Dodd-Frank Financial Reform Bill

As reported in BNA’s Privacy Law Watch on July 29, 2010, three bills were introduced by House Republicans to repeal Section 929I of the Dodd-Frank Wall Street Reform and Consumer Protection Act (the “Dodd-Frank Act”).  Section 929I of the Dodd-Frank Act has been a source of controversy because it gives the SEC significant latitude to sidestep FOIA requests by providing that the SEC “shall not be compelled to disclose” certain information it obtains pursuant to the Securities Exchange Act of 1934 (the “’34 Act”) when conducting surveillance, risk assessments or other regulatory and oversight activities.

The bills include (i) the “SEC Freedom of Information Restoration Act” (H.R. 5924) (introduced by Representatives Darrell E. Issa (R-Calif.) and Spencer Bachus (R-Ala.) along with 13 other House Republicans); (ii) H.R. 5948 (introduced by Representative John Campbell (R-Calif.) and cosponsors Scott Garrett (R-N.J.), Jeb Hensarling (R-Texas) and Walter B. Jones Jr. (R-N.C.)); and (iii) the “SEC Transparency Act of 2010” (H.R. 5970) (introduced by Representative Ron Paul (R-Texas)).  In addition to the bills introduced by House Republicans, Senator Patrick Leahy (D-Vt.) also voiced concerns regarding the breadth of Section 929I and introduced bipartisan legislation, cosponsored by John Cornyn (R-Texas), Ted Kaufman (D-Del.) and Chuck Grassley (R-Iowa), that strikes the exemptions giving the SEC authority to withhold records on entities subject to SEC regulation.

Uncertainty Reigns Supreme: What Impact Will a Coalition Government Have on Data Protection Law in the UK?

Following the first “hung parliament” since 1974, the UK is facing considerable legislative reform under the newly formed Conservative-Liberal Democrat coalition government.  Although the parties appear to have differing opinions on a number of legislative issues, one issue that unites them is their commitment (at least in theory) to strengthening the current data protection regime implemented under the Labour government.

Each party’s manifesto states that, should it be elected, it will enhance the audit powers of the Information Commissioner (the UK data protection regulator).  Currently, the Information Commissioner may audit government departments and public authorities suspected of violating data protection principles without their prior consent.  The Conservatives and Liberal Democrats propose to extend the Information Commissioner’s audit powers to private sector organizations.  This could be achieved in theory by secondary legislation.

The proposals set forth by the Conservatives and Liberal Democrats are not the only voices calling for reform.  The European Union Agency for Fundamental Rights (“FRA”) recently criticized several countries, including the UK, for the limited enforcement powers available to data protection authorities.  In particular, the FRA has focused on the limited capacity of data protection authorities to investigate, intervene and enter into legal proceedings against data controllers who violate data protection laws.

The Conservatives and the Liberal Democrats also propose the abolition of central government databases containing sensitive personal information, such as ContactPoint, a database containing details of all children under 18, and the proposed ID card scheme and National Identity Register.

The Conservative Party manifesto contains proposals to extend the scope of the Freedom of Information Act to include taxpayer-funded institutions such as Northern Rock, National Rail and the Local Government Association.  In addition, the Conservatives have proposed the implementation of a “Right to Government Data” scheme, modeled on the “Right to Data” policy initiated by President Obama in the United States.  Under this scheme, details of government spending, for example, government contracts (including contract value and performance indicators) and the salaries and expenditure of government officials and civil servants, will be routinely made available to the public without the need for a Freedom of Information request.  The scheme is likely to expand the range of publicly available data that may, in turn, be used by the private sector for commercial purposes.

Following the appointment of this historic coalition, we wait to see how many of the aforementioned campaign pledges will be converted into legislation.

HHS Posts Breach Notice Reporting Form

The Department of Health and Human Services (“HHS”) has posted to its website a notification form that may be used to report breaches of unsecured protected health information to the agency.  Although some state agencies requiring notice of a breach employ a standard reporting form, the form issued by HHS has several unique features and requests more information than a typical breach reporting form.  Some interesting features of the form include:

  • The form may be used to report both breaches affecting 500 or more individuals and breaches affecting fewer than 500 individuals, although the former must be notified to the agency within 60 days of discovery and the latter need only be logged over the course of the year and reported to the agency on an annual basis.
  • The form requires that, if the breach occurred “at or by” a business associate, that business associate must be identified by name and its contact information must be provided.  The form is, however, required to be completed by the covered entity.
  • The form requires a description of the breach and provides drop-down lists to facilitate the description of the type of breach (e.g., theft, loss, improper disposal, etc.), the location of the “breached information” (e.g., laptop, desktop computer, network server, etc.) and the type of PHI affected (e.g., demographic information, financial information, clinical information or “other”).
  • The form further requests a description of the safeguards that were in place prior to the breach and a description of actions taken in response to the breach, again via selection from a drop-down list.  Actions taken in response to the breach also may be described in narrative form.
  • The form requires completion of an attestation that the information provided is accurate, and an acknowledgement that the Office for Civil Rights (“OCR”) may be required to release information provided via the form pursuant to the Freedom of Information Act, that some of the information will be posted to HHS’s website, and that OCR will use the information to provide an annual report to Congress, as required by the HITECH Act.
  • The form also may be used to submit an “initial breach report” or an “addendum to previous report,” implying that covered entities could submit the form based on then-available information and later file an addendum, which may be necessary in some cases to avoid missing the 60-day reporting deadline.

The form, which is intended to be submitted electronically, includes all of the required elements specified by the HITECH Act and HHS's implementing regulations.  HHS also has provided instructions for completing the form.