Tag Archives: data protection

Enforcing Canadian Anti-Spam Law

The Canadian Anti-Spam Legislation (CASL) has aroused concern among marketers on both sides of the border since it started coming into force in July 2014 (some provisions, such as a private right of action, do not take effect until next year). It has stricter consent requirements than the US CAN-SPAM Act, as well as rules … Continue Reading

Record Number of Data Breaches for New Yorkers in 2013

Over the past eight years, the New York Attorney General’s office has been compiling statistics on data breaches pursuant to the state’s breach notification law.  Earlier this week, Attorney General Eric Schneiderman published a report titled, “Information Exposed: Historical Examination of Data Breaches in New York State,” which provides analysis and insight into how those … Continue Reading

FAQs Concerning the Legal Implications of the Heartbleed Vulnerability

(Contributors to this post include:  Scott Koller, David Navetta, Mark Paulding and Boris Segalis) By now, most of the world is aware of the massive security vulnerability known as Heartbleed (it even comes with a slick logo and its own website  created by the organization that discovered the vulnerability).  According to reports this vulnerability has been … Continue Reading

Cybersecurity Effort Moves Forward – NIST Issues Final Critical Infrastructure Cybersecurity Framework

Our Senior Counsel Mark Paulding assisted in the preparation of this post. There is little argument that the issue of information security has bipartisan support in Congress.  It has been some time since we have seen both parties come together for information governance legislation, but they did just that in December 2010, passing the Red … Continue Reading

New HIPAA/HITECH Rules Implementation Roadmap: Countdown Begins to September 23, 2013 Compliance Deadline

Last week marked the effective date of the Department of Health and Human Services (HHS) Office of Civil Rights' comprehensive modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules (“the Rules”).  The arrival of the effective date commences the 180-day period for covered entities to come into compliance with most of the Rule’s … Continue Reading

White House Cyber Security Order Likely to Have Long-Term Impact on Critical Infrastructure Owners and Operators

On February 12, 2013, following Congress’ failure to enact cybersecurity legislation, the Administration issued an executive order — entitled “Improving Critical Infrastructure Cybersecurity” — that seeks to move forward the effort to comprehensively address the cybersecurity of the country’s critical assets. The White House observed that “the cyber threat to critical infrastructure continues to grow … Continue Reading

NIST Issues Finalized Guidelines for Managing Security & Privacy in Public Cloud Computing

Say what you will about the federal government, the Nat’l Institute of Standards & Technology (“NIST”), part of the Department of Commerce, has certainly been busy over the past year releasing numerous special drafts and reports addressing cloud computing recommendations, security and issues. [Full disclosure: I’m a member of several NIST working groups, including one currently working … Continue Reading

Privacy Hot Topics for 2012

As 2011 is coming to a close, many of us are thinking about what 2012 will bring. With regard to privacy, there are numerous key issues to choose from (and I am sure many privacy professionals would add to this list) - but from a corporate compliance standpoint, here are my top five picks for hot topics to address in 2012: … Continue Reading

Israel Slated for Trial of Biometric National IDs

Dan Or-Hof, a privacy and technology partner at the Israeli law firm Pearl Cohen Zedek Latzer, is reporting that new regulations and orders introduced by Israel's Ministers Committee for Biometric Applications set the ground for a two-year biometric IDs issuance trial period. The Ministry of Home Affairs is making final preparations to start issuing the IDs, which will contain encoded fingerprints and a facial image and will be stored in a national database. A campaign led by privacy activists against the controversial biometric database has failed to yield a positive result so far. … Continue Reading

Russia Data Protection Enforcement Update – Administrative Charges Follow Breach

It is being reported that Moscow prosecutors conducted an investigation into whether several websites that were involved in data breaches earlier this year violated the country's data protection law. As a result of the breaches, names, contact information and order histories of Internet magazine subscribers (including adult-themed publications) became available on Internet search engines, including Russian-language Yandex. Without naming the websites, the report states that the prosecutors have filed administrative charges against two Internet magazines as a result of the investigation. … Continue Reading

Federal Information Security and Breach Notification Law Approved by House Trade Subcommittee

On July 20, 2011, the U.S. House of Representatives Energy and Commerce Committee's Trade Subcommittee approved the Secure and Fortify Electronic Data Act (the "SAFE Data Act"). The Act would require any business that maintains personal information to implement an information security program and notify affected individuals in the event of an information security breach. The SAFE Data Act would preempt the over 45 existing state information security and breach notification laws and task the Federal Trade Commission with developing information security rules implementing the Act. … Continue Reading

Russia Amends Federal Data Protection Law; Privacy Enforcement on the Rise

Last week, the upper house of Russia's federal legislature approved amendments to the country's federal data protection law. The amendments impose detailed information security requirements on businesses that process personal data and revise some of the statute's data subject consent provisions. The amended law will come into force when it is published in the official newsletter. … Continue Reading

FCRA Violations Result in $1.8 Million FTC Penalty

The Federal Trade Commission announced today that Teletrack, Inc. has agreed to pay $1.8 million to settle charges that the company sold credit reports for marketing purposes, in violation of the Fair Credit Reporting Act (FCRA). According to the FTC's complaint, Teletrack sells credit reports and other services to businesses that mainly serve financially distressed consumers. Teletrack's business customers include pay day lenders, rental purchase stores and non-prime rate auto lenders. These businesses use Teletrack's credit reports to decide whether and on what terms to extend credit to their customers. … Continue Reading

Mobile Location Privacy Opinion Adopted by Europe’s WP29

On May 16, 2011, EU's Article 29 Working Party (WP29) adopted an opinion setting out privacy compliance guidance for mobile geolocation services. WP29 is comprised of representatives from the EU member states' data protection authorities (DPAs), the European Data Protection Supervisor and the European Commission. WP29's mandate includes (i) giving expert advice to the EU member states regarding the implementation of European data protection directives, and (ii) promoting uniform implementation of the directives in all EU state members as well as in Norway, Liechtenstein and Iceland. WP29's opinions, therefore, carry significant weight in the interpretation and enforcement of data protection laws by European DPAs. Not surprisingly, WP29 has concluded that geolocation data is "personal data" subject to the protections of the European data protection framework, including the EU Data Protection Directive 95/46/EC. The Working Party also determined that the collection, use and other processing of geolocation data through mobile devices generally requires explicit, informed consent of the individual. Below are the highlights of the opinion. … Continue Reading

FTC Enforcement Update: “Virtual Worlds” Operators Settle Children’s Privacy Violation Charges; Pay $3M Fine

On May 12, 2011, the Federal Trade Commission announced that the operators of 20 online virtual worlds have agreed to pay $3 million to settle charges that they violated the Children's Online Privacy Protection (COPPA) Rule by collecting and disclosing personal information from hundreds of thousands of children under age 13 without their parents' prior consent. The FTC noted that this settlement is the largest civil penalty for a violation of the FTC's COPPA Rule. … Continue Reading

InfoLawGroup Speaks with Fox Live about Mobile Privacy

On May 10, 2011, the Senate Subcommittee on Privacy, Technology and the Law held a hearing on mobile privacy. We covered the hearing in detail on our blog. Yesterday, InfoLawGroup partner Boris Segalis spoke with Fox Live's Tracy Byrnes about the balance between business and consumer interests that mobile privacy implicates. The clip from the interview is available on Fox at http://video.foxnews.com/v/4689248/the-congressional-mobile-privacy-hearing/?playlist_id=86861 … Continue Reading

Federal Privacy Enforcement Update: SEC Fines Executives for Privacy and Security Violations

As we have reported previously on our blog, federal agencies, including the FTC, NLRB and EEOC, have been very active in taking action against privacy and information security violations. This trend continues with the Securities and Exchange Commission's (SEC's) recent announcement of a settlement with three former executives of a brokerage firm (GunnAllen Financial, Inc.). The SEC alleged that the former executives violated the Commission's Privacy Rule and Safeguards Rule (Regulation S-P) and aided and abetted the firm in violating these rules. This enforcement action marks the first time the SEC assessed financial penalties against individuals charged solely with violating Regulation S-P. … Continue Reading

FTC Takes a Big Step in Privacy Enforcement with Google Buzz Settlement

The Google Buzz settlement that the Federal Trade Commission announced on March 30, 2011 is the latest in the line of the Commission's numerous Section 5 actions related to privacy and data security violations. The Google Buzz settlement, however, is unique in several important ways. The settlement represents (i) the first FTC settlement order that requires a company to implement a comprehensive privacy program to protect the privacy of consumers' information, and (ii) the Commission's first substantive U.S.-EU Safe Harbor framework enforcement action. Let's dive in (make sure to read the "Action Item" at the conclusion of the post!). … Continue Reading

Oklahoma State House Passes Smart Grid Privacy Bill

On March 18, 2011, the Oklahoma State House passed the Electric Utility Data Protection Act (House Bill 1079). The state's Senate will consider the bill next. The Act seeks to establish standards to govern the use and disclosure of electric utility usage data (including personal information) by electric utilities, customers of electric utilities and third parties. The Act also requires electric utility companies to maintain the confidentiality of customer data and allow customers to access the data. State Rep. Scott Martin noted that customers will see energy savings from the Smart Grid, but are vulnerable to potential access of their data by third parties. "This legislation should ensure customers can reap the many benefits of this new system without having to fear someone getting access to their data without permission," said Martin. The legislation is said to have the support of the Oklahoma Gas & Electric Company, which has already converted 100,000 standard meters to smart meters in the state and plans to install 800,000 smart meters in the next two years. … Continue Reading

ABA Information Security Committee Launches Smart Grid Working Group

On February 12, 2011, the American Bar Association Information Security Committee established the Smart Grid Privacy and Security Working Group. The working group's mission is to increase awareness regarding privacy and information security legal issues arising in connection with the Smart Grid among consumers, regulators, utilities, service providers and other stakeholders. Gib Sorebo, Chief Cybersecurity Technologist at SAIC, and Boris Segalis, partner at InfoLawGroup, will co-chair the group. … Continue Reading

EU Confirms Adequacy of Data Protection in Israel, Simplifies Personal Data Transfers

Dan Or-Hof, a privacy and technology partner at the Israeli law firm Pearl Cohen Zedek Latzer, is reporting that the EU Commission published the much-anticipated announcement on the adequacy of data protection law in Israel. Published on January 31, 2011, the decision adopted by the Commission determines that Israel provides an adequate level of protection for personal data transferred from the EU, but only in relation to automated international data transfers and to automated processing of data in Israel. … Continue Reading

Russia Postpones Enforcement of Data Protection Law; Considers Revisions

On December 23, 2010, Russia's President Dmitry Medvedev signed legislation delaying until July 1, 2011 the enforcement of the country's omnibus data protection law (the Federal Law Regarding Personal Data). Pursuant to the new legislation, the revised effective date for the country's data protection law is January 1, 2011, but operators have until July 1, 2011 to bring their personal data information systems into compliance with the law. … Continue Reading