Recently, Louisiana amended its Database Security Breach Notification Law (the “amended law”). Notably, the amended law (1) amends the state’s data breach notification law to expand the definition of personal information and requires notice to affected Louisiana residents within 60 days, and (2) imposes data security and destruction requirements on covered entities. The amended law goes into effect on August 1, 2018. Continue Reading Louisiana Amends Data Breach Notification Law, Eliminates Fees for Security Freezes

On June 6, 2018, the U.S. Court of Appeals for the Eleventh Circuit vacated a 2016 Federal Trade Commission (“FTC”) order compelling LabMD to implement a “comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers.” The Eleventh Circuit agreed with LabMD that the FTC order was unenforceable because it did not direct the company to stop any “unfair act or practice” within the meaning of Section 5(a) of the Federal Trade Commission Act (the “FTC Act”). Continue Reading Eleventh Circuit Vacates FTC Data Security Order

On April 11, 2018, Arizona amended its data breach notification law (the “amended law”). The amended law will require persons, companies and government agencies doing business in the state to notify affected individuals within 45 days of determining that a breach has resulted in or is reasonably likely to result in substantial economic loss to affected individuals. The old law only required notification “in the most expedient manner possible and without unreasonable delay.” The amended law also broadens the definition of personal information and requires regulatory notice and notice to the consumer reporting agencies (“CRAs”) under certain circumstances. Continue Reading Arizona Amends Data Breach Notification Law

On May 1, 2018, the Information Security Technology – Personal Information Security Specification (the “Specification”) went into effect in China. The Specification is not binding and cannot be used as a direct basis for enforcement. However, enforcement agencies in China can still use the Specification as a reference or guideline in their administration and enforcement activities. For this reason, the Specification should be taken seriously as a best practice in personal data protection in China, and should be complied with where feasible. Continue Reading National Standard on Personal Information Security Goes into Effect in China

The Belgian Privacy Commission (the “Belgian DPA”) recently released a Recommendation (in French and Dutch) on Data Protection Impact Assessment (“DPIA”) and the prior consultation requirements under Articles 35 and 36 of the EU General Data Protection Regulation (“GDPR”) (the “Recommendation”). The Recommendation aims to provide guidance on the core elements and requirements of a DPIA, the different actors involved and specific provisions. Continue Reading Belgian Privacy Commission Issues Recommendation on Data Protection Impact Assessment

As reported in the Hunton Nickel Report:

Recent press reports indicate that a cyber attack disabled the third-party platform used by oil and gas pipeline company Energy Transfer Partners to exchange documents with other customers. Effects from the attack were largely confined because no other systems were impacted, including, most notably, industrial controls for critical infrastructure. However, the attack comes on the heels of an FBI and Department of Homeland Security (“DHS”) alert warning of Russian attempts to use tactics including spearphishing, watering hole attacks, and credential gathering to target industrial control systems throughout critical infrastructure, as well as an indictment against Iranian nationals who used similar tactics to attack private, education, and government institutions, including the Federal Energy Regulatory Commission (“FERC”). These incidents raise questions about cybersecurity across the U.S. pipeline network. Continue Reading Attacks Targeting Oil and Gas Sector Renew Questions About Cybersecurity

The Federal Trade Commission has modified its 2017 settlement with Uber Technologies, Inc. (“Uber”) after learning of an additional breach that was not taken into consideration during its earlier negotiations with the company. The modifications are based on the fact that Uber failed to notify the FTC of a November 2016 breach, which took place during the time that the FTC was investigating an earlier, 2014 breach. The 2016 breach occurred when intruders used an access key that an Uber engineer had posted on GitHub to download more than 47 million user names, including related email addresses or phone numbers, as well as more than 600,000 drivers’ names and license numbers. The FTC alleged that after Uber learned of the breach, it paid the intruders a $100,000 ransom through its “bug bounty” program. The bug bounty program is intended to reward responsible disclosure of security vulnerabilities. Continue Reading FTC Revises Its Security Settlement with Uber

On March 29, 2018, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP submitted formal comments to the Article 29 Working Party (the “Working Party”) on its draft guidelines on the accreditation of certification bodies under the GDPR (the “Guidelines”). The Guidelines were adopted by the Working Party on February 6, 2018, for public consultation. Continue Reading CIPL Submits Comments to Article 29 Working Party’s Draft Guidelines on the Accreditation of Certification Bodies under the GDPR

On March 20, 2018, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP issued a factsheet outlining relevant GDPR provisions for negotiations surrounding the proposed ePrivacy Regulation (the “Factsheet”). Continue Reading CIPL Issues Factsheet on Key Issues Relating to the Relationship Between the Proposed ePrivacy Regulation and the GDPR