Privacy & Information Security Law Blog

On January 27, 2020, CISCO released its 2020 Data Privacy Benchmark Study entitled “From Privacy to Profit: Achieving Positive Returns on Privacy Investments” (the “Study”). The Study explores the return on investing in privacy compliance for organizations, examines how such return correlates with an organization’s accountability level and details the value of privacy certifications in the buying process. To measure organizations’ accountability level, CISCO used the CIPL Accountability Wheel, a privacy accountability framework developed by the Centre for Information Policy Leadership. More than 2,500 respondents took part in the Study from across 13 countries.

In a recent podcast by Never Stop Learning, Lisa Sotto, partner and chair of Hunton Andrews Kurth’s Privacy and Cybersecurity practice, and Eric Friedberg, Co-President of Stroz Friedberg, LLC, and Aon’s Cyber Solutions Group, discuss “Cybersecurity: How Concerned Should We Be?” As threats from cyber attacks continue to grow in both scope and complexity, it is imperative for companies and individuals alike to have a better understanding of cyber threats and the risks involved. We have broken down the podcast into a three-part series to help highlight the key themes.

On February 7, 2020, the California Attorney General (“AG”) issued modified draft regulations implementing the California Consumer Privacy Act of 2018 (“CCPA”). The AG has provided a redline to the initial draft regulations about which we previously reported.  According to the AG’s website, the modified draft regulations are subject to another public comment period. The deadline to submit written comments is February 24, 2020, at 5:00 p.m. (PST).

On January 30, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP submitted formal comments to the Department of Telecommunications at the Brazilian Ministry of Science, Technology, Innovations and Communications (“MCTIC”) on its public consultation on creating a national Artificial Intelligence (“AI”) strategy for Brazil (the “Consultation”).

At this point, most companies doing business in California are aware of the California Consumer Privacy Act (“CCPA”), and most have been bracing for the eventual onslaught of class action litigation to follow its passage.

The Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) recently announced the publication of a report entitled “Cybersecurity and Resiliency Observations.” The report summarizes the observations gleaned from OCIE’s cybersecurity examinations of broker-dealers, investment advisers, clearing agencies, national securities exchanges and other SEC registrants.

As previously posted on our Hunton Insurance Recovery blog, a Maryland federal court awarded summary judgment to policyholder National Ink in National Ink and Stitch, LLC v. State Auto Property and Casualty Insurance Company, finding coverage for a cyber attack under a non-cyber insurance policy after the insured’s server and networked computer system were damaged as a result of a ransomware attack. This is significant because it demonstrates that insureds can obtain insurance coverage for cyber attacks even if they do not have a specific cyber insurance policy.

On February 1, 2020, the Italian Data Protection Authority (Garante per la protezione dei dati personali, the “Garante”) announced that it had levied a fine of €27,802,946 on TIM S.p.A. (“TIM”), a telecommunications company, for several unlawful marketing data processing practices. Between 2017 and 2019, the Garante received numerous complaints from individuals (including from individuals who were not existing customers of TIM) claiming that they had received unwanted marketing calls, without having provided their consent or despite having registered on an opt-out list. The Garante indicated that the violations impacted several million individuals.

Facebook disclosed on January 29, 2020, that it has agreed to pay $550,000,000 to resolve a biometric privacy class action filed by Illinois users under the Biometric Information Privacy Act (“BIPA”). BIPA is an Illinois law enacted in 2008 that governs the collection, use, sharing, protection and retention of biometric information. In recent years, numerous class action lawsuits have been filed under BIPA seeking statutory damages ranging from $1,000 per negligent violation to $5,000 per reckless or intentional violation.

On January 21, 2020, the UK Information Commissioner’s Office (“ICO”) published the final version of its Age Appropriate Design Code (“the code”), which sets out the standards that online services need to meet in order to protect children’s privacy. It applies to providers of information services likely to be accessed by children in the UK, including applications, programs, websites, social media platforms, messaging services, games, community environments and connected toys and devices, where these offerings involve the processing of personal data.