On September 7, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights issued an announcement containing disaster preparedness and recovery guidance in advance of Hurricane Irma. The announcement underscores key privacy and security issues for entities covered by HIPAA to help them protect individuals’ health information before, during and after emergency situations.… Continue Reading
On September 5, 2017, the FTC announced that Lenovo, Inc. agreed to settle charges that its preloaded software on some laptop computers compromised online security protections in order to deliver advertisements to consumers. … Continue Reading
Recently, the National Information Security Standardization Technical Committee of China published a draft document entitled Information Security Technology – Guidelines for De-Identifying Personal Information. The Draft Guidelines are open for comment from the general public until October 9, 2017.… Continue Reading
On August 25, 2017, U.S. District Judge Lucy Koh signed an order granting preliminary approval of the record class action settlement agreed to by Anthem Inc. this past June.… Continue Reading
On August 25, 2017, the FTC published the sixth blog post in its “Stick with Security” series. This week’s post, entitled Stick with Security: Segment your network and monitor who’s trying to get in and out, illustrates the benefits of segmenting networks and monitoring the size and frequency of data transfers.… Continue Reading
On August 17, 2017, as reported in BNA Privacy Law Watch, Delaware amended its data breach notification law, effective April 14, 2018. The amendments include expansion of the definition of personal information, timing of notification, changes to the harm threshold and credit monitoring service changes. … Continue Reading
On August 15, 2017, the FTC announced that it had reached a settlement with Uber, Inc., over allegations that the ride-sharing company had made deceptive data privacy and security representations to its consumers. Under the terms of the settlement, Uber has agreed to implement a comprehensive privacy program and to undergo regular, independent privacy audits for the next 20 years.… Continue Reading
On August 18, 2017, the FTC published the fifth blog post in its "Stick with Security" series, which outlines steps businesses can take to secure sensitive data, including when it is in transit. … Continue Reading
On August 14, 2017, the Colombian Superintendence of Industry and Commerce announced that it was adding the United States to its list of nations that provide an adequate level of protection for the transfer of personal information. This development should help facilitate the transfer of personal information from Colombia to the United States.… Continue Reading
On August 11, 2017, the Federal Trade Commission published the fourth blog post in its "Stick with Security" series, which examines five effective security measures companies can take to safeguard their computer networks.… Continue Reading
On August 9, 2017, Nationwide Mutual Insurance Co. agreed to a 5.5 million dollar settlement with attorneys general from 32 states in connection with a 2012 data breach that exposed the personal information of over 1.2 million individuals. … Continue Reading
On August 4, 2017, the FTC published the third blog post in its Stick with Security series. This week’s post, entitled "Stick with security: Control access to data sensibly," details key security measures businesses can take to limit unauthorized access to data in their possession.… Continue Reading
On July 31, 2017, the Federal Trade Commission announced that it has approved modifications to TRUSTe’s safe harbor program under the Children’s Online Privacy Protection Rule.… Continue Reading
On July 28, 2017, the FTC published the second blog post in its "Stick with Security" series. This week’s post, entitled "Start with security – and stick with it," looks at key security principles that apply to all businesses regardless of their size or the types of data they handle. The guidance offers five steps companies can take to ensure the security of the data they hold.… Continue Reading
On July 26, 2017, the Court of Justice of the European Union declared that the envisaged EU-Canada agreement on the transfer of passenger name records interferes with the fundamental right to respect for private life and the right to the protection of personal data and is therefore incompatible with EU law in its current form.… Continue Reading
On July 21, 2017, New Jersey Governor Chris Christie signed a bill that places new restrictions on the collection and use of personal information by retail establishments for certain purposes. The statute, which is called the Personal Information and Privacy Protection Act, permits retail establishments in New Jersey to scan a person’s driver’s license or other state-issued identification card only for eight purposes. … Continue Reading
On July 5, 2017, the FTC announced that Blue Global Media, LLC agreed to settle charges that it misled consumers into filling out loan applications and then sold those applications, including sensitive personal information contained therein, to other entities without verifying how consumers’ information would be used or whether it would remain secure.… Continue Reading
On June 26, 2017, Airway Oxygen reported that it was the subject of a ransomware attack affecting 500,000 patients’ protected health information. The attack is the second largest health data breach recorded by the Office for Civil Rights this year, and the largest ransomware incident recorded by OCR since it began tracking incidents in 2009. … Continue Reading
On June 23, 2017, Anthem Inc., the nation’s second largest health insurer, reached a record 115 million dollar settlement in a class action lawsuit arising out of a 2015 data breach that exposed the personal information of more than 78 million people. Among other things, the settlement creates a pool of funds to provide credit monitoring and reimbursement for out-of-pocket costs for customers. … Continue Reading
Hunton & Williams LLP will host a webinar on Japan’s amendments to its Act on the Protection of Personal Information on June 29, 2017. This blog entry provides additional information on the event and a link to register for the complimentary program.… Continue Reading
On June 20, 2017, the UK Information Commissioner’s Office published an updated version of its Code of Practice on Subject Access Requests. The updates are primarily in response to three Court of Appeal decisions from earlier this year regarding data controllers’ obligations to respond to subject access requests. The revisions more closely align the ICO’s position with the court’s judgments.… Continue Reading
On June 21, 2017, the Federal Trade Commission updated its guidance for complying with the Children’s Online Privacy Protection Act. The FTC enforces the COPPA Rule, which sets requirements regarding children’s privacy and safety online.… Continue Reading
Recently, the National Information Security Standardization Technical Committee of China published draft guidelines on cross-border transfers pursuant to the new Cybersecurity Law, entitled Information Security Technology – Guidelines for Data Cross-Border Transfer Security Assessment. Once finalized, the Guidelines are intended to establish norms regarding security assessments conducted in the context of cross-border data transfers. … Continue Reading
On June 2, 2017, in preparation for the first annual review of the EU-U.S. Privacy Shield framework, the European Commission has sent questionnaires to trade associations and other groups to seek information from their Privacy Shield-certified members on the experiences of such organizations during the first year of the Privacy Shield.… Continue Reading
