Privacy & Information Security Law Blog

On January 18, 2018, the Federal Energy Regulatory Commission (“FERC”) issued a Notice of Proposed Rulemaking (“NOPR”) that proposes the adoption of new mandatory Reliability Standards designed to mitigate cybersecurity risk in the supply chain for electric grid-related cyber systems. The Reliability Standards were developed by the North American Electric Reliability Corporation (“NERC”) in response to FERC Order No. 829, which ordered the development of standards to address supply chain risk management for industrial control system hardware, software and computing and networking services.

On January 24, 2018, the European Commission issued a communication to the European Parliament and the Council (the “Communication”) on the direct application of the EU General Data Protection Regulation (“GDPR”). The Communication (1) recounts novel elements of the GDPR that create stronger protections for individuals and new opportunities for organizations; (2) reviews preparatory work undertaken to date for GDPR implementation; (3) outlines remaining steps for successful preparation; and (4) outlines measures the European Commission intends to take up until May 25, 2018.

On January 22, 2018, the New York Department of Financial Services (“NYDFS”) issued a press release reminding entities covered by its cybersecurity regulation that the first certification of compliance with the regulation is due on or prior to February 15, 2018. Covered entities must file the certification, which covers the 2017 calendar year, at the NYDFS online portal.

On January 18, 2018, Hunton & Williams LLP’s retail industry lawyers, composed of more than 100 lawyers across practices, released their annual Retail Year in Review publication. The Retail Year in Review includes several articles authored by our Global Privacy and Cybersecurity lawyers, and touches on many topics of interest including blockchain, ransomware, cyber insurance and the Internet of Things.

Read the full publication.

On January 18, 2018, the Federal Trade Commission (“FTC”) released its 2017 Privacy & Data Security Update (the “Report”). The annual Report, which summarizes the privacy and data security-related activities conducted by the FTC over the past year, is broken down into five key areas: (1) enforcement; (2) advocacy; (3) workshops; (4) reports and surveys; (5) consumer education and business guidance; and (6) international engagement.

Read the full Report.

Hunton & Williams LLP is pleased to announce that Richard Thomas, Global Strategy Advisor to the Centre for Information Policy Leadership, has been appointed by the UK Prime Minister to serve as a member of its Advisory Committee on Business Appointments (“ACOBA”), effective February 1, 2018.

On January 10, 2018, the Law of 3 December 2017 creating the Data Protection Authority (the “Law”) was published in the Belgian Official Gazette. The Law was submitted in the Chamber of Representatives on August 23, 2017, and was approved by the Parliament in plenary meeting on November 16, 2017.

On January 8, 2017, the UK Information Commissioner (“ICO”) issued an unprecedented monetary penalty of £400,000 against British mobile phone retailer, The Car Phone Warehouse Limited. Following an attack on their system in 2015, the ICO found that the company had failed to take adequate steps to protect the personal data it held on its system.

On January 9, 2018, the FTC issued a paper recapping the key takeaways from the FTC’s and National Highway Traffic Safety Administration’s June 2017 workshop on privacy and security issues involving connected cars. The workshop featured representatives from consumer groups, industry, government and academia.

On January 8, 2018, the FTC announced an agreement with electronic toy manufacturer, VTech Electronics Limited and its U.S. subsidiary, settling charges that VTech violated the Children’s Online Privacy Protection Act (“COPPA”) by collecting personal information from hundreds of thousands of children without providing direct notice or obtaining their parent’s consent, and failing to take reasonable steps to secure the data it collected. Under the agreement, VTech will (1) pay a $650,000 civil penalty; (2) implement a comprehensive data security program, subject to ...