On July 21, 2017, New Jersey Governor Chris Christie signed a bill that places new restrictions on the collection and use of personal information by retail establishments for certain purposes. The statute, which is called the Personal Information and Privacy Protection Act, permits retail establishments in New Jersey to scan a person’s driver’s license or other state-issued identification card only for eight purposes. … Continue Reading
On July 5, 2017, the FTC announced that Blue Global Media, LLC agreed to settle charges that it misled consumers into filling out loan applications and then sold those applications, including sensitive personal information contained therein, to other entities without verifying how consumers’ information would be used or whether it would remain secure.… Continue Reading
On June 26, 2017, Airway Oxygen reported that it was the subject of a ransomware attack affecting 500,000 patients’ protected health information. The attack is the second largest health data breach recorded by the Office for Civil Rights this year, and the largest ransomware incident recorded by OCR since it began tracking incidents in 2009. … Continue Reading
On June 23, 2017, Anthem Inc., the nation’s second largest health insurer, reached a record 115 million dollar settlement in a class action lawsuit arising out of a 2015 data breach that exposed the personal information of more than 78 million people. Among other things, the settlement creates a pool of funds to provide credit monitoring and reimbursement for out-of-pocket costs for customers. … Continue Reading
Hunton & Williams LLP will host a webinar on Japan’s amendments to its Act on the Protection of Personal Information on June 29, 2017. This blog entry provides additional information on the event and a link to register for the complimentary program.… Continue Reading
On June 20, 2017, the UK Information Commissioner’s Office published an updated version of its Code of Practice on Subject Access Requests. The updates are primarily in response to three Court of Appeal decisions from earlier this year regarding data controllers’ obligations to respond to subject access requests. The revisions more closely align the ICO’s position with the court’s judgments.… Continue Reading
On June 21, 2017, the Federal Trade Commission updated its guidance for complying with the Children’s Online Privacy Protection Act. The FTC enforces the COPPA Rule, which sets requirements regarding children’s privacy and safety online.… Continue Reading
Recently, the National Information Security Standardization Technical Committee of China published draft guidelines on cross-border transfers pursuant to the new Cybersecurity Law, entitled Information Security Technology – Guidelines for Data Cross-Border Transfer Security Assessment. Once finalized, the Guidelines are intended to establish norms regarding security assessments conducted in the context of cross-border data transfers. … Continue Reading
On June 2, 2017, in preparation for the first annual review of the EU-U.S. Privacy Shield framework, the European Commission has sent questionnaires to trade associations and other groups to seek information from their Privacy Shield-certified members on the experiences of such organizations during the first year of the Privacy Shield.… Continue Reading
On June 1, 2017, the new Cybersecurity Law went into effect in China. This post takes stock of (1) which measures have been passed so far, (2) which ones go into effect on June 1 and (3) which ones are in progress but have yet to be promulgated.… Continue Reading
Recently, the Colorado Division of Securities published cybersecurity regulations for broker-dealers and investment advisers regulated by the Division. Colorado’s cybersecurity regulations follow similar regulations enacted in New York that apply to certain state-regulated financial institutions.… Continue Reading
On May 25, 2017, Oregon Governor Kate Brown signed into law H.B. 2090, which updates Oregon’s Unlawful Trade Practices Act by holding companies liable for making misrepresentations on their websites or in their consumer agreements about how they will use, disclose, collect, maintain, delete or dispose of consumer information.… Continue Reading
On May 23, 2017, Target reached a settlement with the Attorneys’ General of 47 states and the District of Columbia to resolve the states’ investigation of Target’s 2013 data breach.… Continue Reading
On May 22, 2017, New York Attorney General Eric T. Schneiderman announced that the AG’s office has reached a settlement with Safetech Products LLC regarding the company’s sale of insecure Bluetooth-enabled wireless doors and padlocks. This “marks the first time an Attorneys General’s Office has taken legal action against a wireless security company for failing to protect their [customers’] personal and private information.” … Continue Reading
On May 19, 2017, the Cyberspace Administration of China issued a revised draft of its Measures for the Security Assessment of Outbound Transmission of Personal Information and Critical Data. This blog entry provides highlights on the revised draft.… Continue Reading
On May 10, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights announced a 2.4 million dollar civil monetary penalty against Memorial Hermann Health System for alleged violations of the Health Insurance Portability and Accountability Act of 1996 Privacy Rule. … Continue Reading
On May 2, 2017, the Cyberspace Administration of China published the final version of the Measures for the Security Review of Network Products and Services (for trial implementation), after having published a draft for public comment in February. The Measures provide detailed information about how security reviews will be implemented pursuant to the Cybersecurity Law of China.… Continue Reading
On April 19, 2017, the FTC announced that it is seeking public comment on proposed changes to TRUSTe, Inc.’s safe harbor program under the Children’s Online Privacy Protection Rule.… Continue Reading
On April 6, 2017, New York Attorney General Eric T. Schneiderman announced that privacy compliance company TRUSTe, Inc., agreed to settle allegations that it failed to properly verify that customer websites aimed at children did not run third-party software to track users. According to Attorney General Schneiderman, the enforcement action taken by the NY AG is the first to target a privacy compliance company over children’s privacy.… Continue Reading
On April 6, 2017, New Mexico became the 48th state to enact a data breach notification law, leaving Alabama and South Dakota as the two remaining states without such requirements. The Data Breach Notification Act (H.B. 15) goes into effect on July 1, 2017. … Continue Reading
On April 4, 2017, the Massachusetts Attorney General’s office announced a settlement with Copley Advertising LLC in a case involving geofencing. … Continue Reading
On April 11, 2017, the Cyberspace Administration of China published a draft of its proposed Measures for the Security Assessment of Outbound Transmission of Personal Information and Critical Data. The Draft provides further guidance on how security assessments might be carried out.… Continue Reading
On March 7, 2017, Hunton & Williams LLP hosted a webinar with Beijing partner Bing Maisog on China’s new Cybersecurity Law. China’s new Cybersecurity Law will impose new restrictions on information flows from operators of key information infrastructure, and will become effective in June 2017.… Continue Reading
On March 21, 2017, New York Attorney General Eric Schneiderman announced that the New York Office of the Attorney General received over 1,300 data breach notifications in 2016, a 60 percent increase from 2015. … Continue Reading
