Archives: Enforcement

HHS Announces HIPAA Settlement with UMass

On November 22, 2016, the Department of Health and Human Services announced a $650,000 settlement with University of Massachusetts Amherst, resulting from alleged violations of the Health Insurance Portability and Accountability Act of 1996 Privacy and Security Rules. … Continue Reading

France Adopts Class Action Regime for Data Protection Violations

On November 19, 2016, the French government enacted a bill creating a legal basis for class actions against data controllers and processors resulting from data protection violations. The bill establishes a general class action regime and includes specific provisions regarding data protection violations.… Continue Reading

Russia Set to Block Access to LinkedIn

On November 10, 2016, Moscow’s Court of Appeal upheld a lower court’s decision that LinkedIn violated Russia’s data localization law requiring Russian personal data to be stored within Russian territory. Roskomnadzor, Russia’s data protection authority, is now set to block access to the social media website across Russia.… Continue Reading

FinCEN Issues Advisory on SAR Reporting Obligations Involving Cyber Crime

Recently, the U.S. Department of Treasury’s Financial Crimes Enforcement Network issued an advisory entitled Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime, to help financial institutions understand how to fulfill their Bank Secrecy Act obligations with regard to cyber events and cyber-enabled crime.… Continue Reading

Entry into Force of the French Digital Republic Bill

On October 7, 2016, the French Digital Republic Bill (the “Bill”) was enacted after a final vote from the Senate. The Bill aligns the French legal data protection framework with the EU General Data Protection Regulation (“GDPR”) requirements before the GDPR becomes applicable in May 2018.… Continue Reading

UK ICO Seeks Personal Liability for Directors

On October 13, 2016, Elizabeth Denham, the UK Information Commissioner, suggested at a House of Commons Public Bill Committee meeting that directors of companies who violate data protection laws should be personally liable to pay fines.… Continue Reading

Department of Defense Finalizes Rule for Cyber Incident Reporting

On October 4, 2016, the U.S. Department of Defense finalized a new mandatory cyber incident reporting rule for defense contractors. The new rule applies to DoD contractors and subcontractors that are targets of any cyber incident with a potential adverse impact on information systems and "covered defense information" on those systems. … Continue Reading

CIPL and its GDPR Project Stakeholders Discuss DPOs and Risk under GDPR

Last month, the Centre for Information Policy Leadership held its second GDPR Workshop in Paris as part of its two-year GDPR Implementation Project. The purpose of the project is to provide a forum for stakeholders to promote EU-wide consistency in implementing the GDPR, encourage forward-thinking and future-proof interpretations of key GDPR provisions, develop and share relevant best practices, and foster a culture of trust and collaboration between regulators and industry. … Continue Reading

EDPS Issues Opinion on Coherent Enforcement of Fundamental Rights in the Age of Big Data

Recently, the European Data Protection Supervisor released Opinion 8/2016 on the coherent enforcement of fundamental rights in the age of big data. The Opinion updates the EDPS' Preliminary Opinion on Privacy and Competitiveness in the Age of Big Data, first published in 2014, and provides practical recommendations on how the EU's objectives and standards can be applied holistically across the EU institutions.… Continue Reading

OCR Settles Largest HIPAA Violation Against a Single Covered Entity

On August 4, 2016, the U.S. Department of Health and Human Services' Office for Civil Rights entered into a resolution agreement with Advocate Health Care Network over alleged HIPAA violations. The multimillion dollar settlement with Advocate is the largest settlement to date against a single covered entity.… Continue Reading

Article 29 Working Party and EDPS Release Opinions on the ePrivacy Directive

On July 25, 2016, the Article 29 Working Party and the European Data Protection Supervisor released their respective Opinions regarding the evaluation and review of Directive 2002/58/EC on privacy and electronic communications. Both the Working Party and the EDPS stressed that new rules should complement the protections available under the EU General Data Protection Regulation. … Continue Reading

The EU-U.S. Privacy Shield: A How-To Guide

Hunton partner Lisa Sotto and associate Chris Hydak recently published an article in Law360 entitled “The EU-U.S. Privacy Shield: A How-To Guide,” detailing the Privacy Shield principles, the benefits of certification, how the Shield will be enforced, and the challenges and risks associated with the future of the Privacy Shield. This blog post contains a link to the full article. … Continue Reading

Ad Network to Pay Nearly 1 Million in Civil Penalties to Settle FTC Charges That It Geo-Tracked Consumers Without Permission

On June 22, 2016, the Federal Trade Commission announced that it reached a settlement with a mobile advertising company, InMobi, to resolve charges that the company deceptively tracked hundreds of millions of consumers’ locations without their knowledge or consent. Among other requirements, the settlement orders the company to pay 950,000 dollars in civil penalties. … Continue Reading

Will Spokeo Undermine CAFA?

As we previously reported, the Supreme Court’s decision in Spokeo v. Robins has been nearly universally lauded by defense counsel as a new bulwark against class actions alleging technical violations of federal statutes. But Spokeo also poses a significant threat to defendants by defeating their ability to remove exactly the types of cases that defendants most want in federal court.… Continue Reading