Privacy & Information Security Law Blog

Recently, Virginia passed an amendment to its data breach notification law that adds state income tax information to the types of data that require notification to the Virginia Office of the Attorney General in the event of unauthorized access and acquisition of such data. Under the amended law, an employer or payroll service provider must notify the Virginia Office of the Attorney General after the discovery or notification of unauthorized access and acquisition of unencrypted and unredacted computerized data containing a Virginia resident’s taxpayer identification number in combination with the income tax withheld for that taxpayer. 

On March 28, 2017, the French Data Protection Authority (“CNIL”) published its Annual Activity Report for 2016 (the “Report”) and released its annual inspection program for 2017.

On April 5, 2017, Hunton & Williams LLP and Stroz Friedberg will host a webinar on managing privacy and data security risks before, during and after an M&A transaction. Join Lisa J. Sotto, partner and chair of Global Privacy and Cybersecurity at Hunton & Williams; Rocco Grillo, Cyber Resilience Global Leader from Stroz Friedberg; and Keith O’Sullivan, CISO from Time Inc., for a discussion on how to prepare for and understand privacy and data security challenges in the context of corporate transactions.

On March 21, 2017, New York Attorney General Eric Schneiderman announced that the New York Office of the Attorney General received over 1,300 data breach notifications in 2016, a 60 percent increase from 2015. The reported breaches led to the exposure of personal information of 1.6 million New York residents. According to the Attorney General’s report, 46 percent of the exposed personal information consisted of Social Security numbers, and 35 percent consisted of financial account information. Attorney General Schneiderman cited the updated New York State Department of ...

On March 17, 2017, the Federal Trade Commission announced that Upromise, Inc., (“Upromise”) agreed to pay $500,000 to settle allegations (the “Settlement”) that it violated the terms of a 2012 consent order (the “2012 Order”) that required Upromise to provide notice to consumers regarding its data collection and use practices, and obtain third-party audits.

On March 17, 2017, retailer Neiman Marcus agreed to pay $1.6 million as part of a proposed settlement (the “Settlement”) to a consumer class action lawsuit stemming from a 2013 data breach that allegedly compromised the credit card data of approximately 350,000 customers.

On March 15, 2017, the French data protection authority (the “CNIL”) published a six step methodology and tools for businesses to prepare for the EU General Data Protection Regulation (“GDPR”) that will become applicable on May 25, 2018.

On March 2, 2017, the UK Information Commissioner’s Office (“ICO”) published draft guidance regarding the consent requirements of the EU General Data Protection Regulation (“GDPR”). The guidance sets forth how the ICO interprets the GDPR’s consent requirements, and its recommended approach to compliance and good practice. The ICO guidance precedes the Article 29 Working Party’s guidance on consent, which is expected in 2017.

On March 9, 2017, AllClear ID hosted a webinar with Hunton & Williams partner and chair of the Global Privacy and Cybersecurity practice Lisa J. Sotto on the new cybersecurity regulations from the New York State Department of Financial Services (“NYDFS”). The NYDFS regulations impose significant cybersecurity requirements on impacted businesses that will dictate how they plan for, respond to and recover from data security events.

On March 21, 2017, Hunton & Williams is pleased to host an in-person seminar in its London office featuring seasoned cybersecurity practitioners. Drawing from deep experience in their respective fields, the panel members will discuss the implications of the EU General Data Protection Regulation’s breach notification obligations in the context of a state-of-the-art cyber attack simulation. In doing so, the panelists will share best practices to help protect organizations in the event of a cyber attack.