Privacy & Information Security Law Blog

On October 18, 2016, the United States Court of Appeals for the Fifth Circuit held in Apache Corp. v. Great American Ins. Co., No 15-20499 (5th Cir. Oct. 18, 2016), that a crime protection insurance policy does not cover loss resulting from a fraudulent email directing funds to be sent electronically to the imposter’s bank account because the scheme did not constitute “computer fraud” under the policy.

Earlier this month, Hunton & Williams announced that Global Privacy and Cybersecurity partner Aaron P. Simpson has switched to London from the firm’s New York office. He will continue his work on behalf of clients as a leader of the firm’s Global Privacy and Cybersecurity practice.

Earlier this month, at a meeting of the Article 31 Committee, the European Commission (“Commission”) unveiled two draft Commission Implementing Decisions that propose amendments to the existing adequacy decisions and decisions on EU Model Clauses.

On October 19, 2016, the International Trade Administration issued a press release reaffirming the commitment of both the U.S. Department of Commerce and Japan’s Personal Information Protection Commission (the “PPC”) to continue implementation of the APEC Cross-Border Privacy Rules (“CBPR”) system in order to foster the protection of personal information transferred across borders. According to the press release, the PPC’s “recent decision to recognize the system as a mechanism for international data transfers in the implementing guidelines for Japan’s amended privacy law marks an important milestone for the development of the APEC CBPR system in Japan.” Going forward, both agencies also have committed to cooperate in raising awareness and encouraging other APEC member economies to implement the CBPR system.

On October 14, 2016, the National Highway Transportation Administration (“NHTSA”) indicated in a letter to Congress that it intends to issue new best practices on vehicle cybersecurity. This letter came in response to an earlier request from the House Committee on Energy and Commerce (“Energy and Commerce Committee”) that NHTSA convene an industry-wide effort to develop a plan to address vulnerabilities posed to vehicles by On-Board Diagnostics (“OBD-II”) ports. Since 1994, the Environmental Protection Agency has required OBD-II ports be installed in all vehicles so that they can be tested for compliance with the Clean Air Act. OBD-II ports provide valuable vehicle diagnostic information and allow for aftermarket devices providing services such as “good driver” insurance benefits and vehicle tracking. Because OBD-II ports provide direct access to a vehicle’s internal network; however, OBD-II ports are widely cited as the central vulnerability to vehicle cybersecurity.

On October 7, 2016, the Article 29 Working Party (the “Working Party”) published a summary of the discussions that took place at its “Fablab” workshop entitled GDPR/from concepts to operational toolbox, DIY, which took place on July 26, 2016, in Brussels.

Earlier this month, the Department of Health and Human Services’ Office for Civil Rights issued guidance (the “Guidance”) for HIPAA-covered entities that use cloud computing services involving electronic protected health information (“ePHI”).

On October 14, 2016, California Attorney General Kamala D. Harris announced the release of a publicly available online form that will enable consumers to report potential violations of the California Online Privacy Protection Act (“CalOPPA”). CalOPPA requires website and mobile app operators to post a privacy policy that contains certain specific content.

On October 19, 2016, the Court of Justice of the European Union (the “CJEU”) issued its judgment in Patrick Breyer v. Bundesrepublik Deutschland, following the Opinion of Advocate General Manuel Campos Sánchez-Bordona on May 12, 2016. The CJEU followed the Opinion of the Advocate General and declared that a dynamic IP address registered by a website operator must be treated as personal data by that operator to the extent that the user's Internet service provider ("ISP") has - and may provide - additional data that in combination with the IP address that would allow for the identification of the user.

On October 19, 2016, the Federal Deposit Insurance Corporation (“FDIC”), the Federal Reserve System (the “Fed”) and Office of the Comptroller of the Currency issued an advance notice of proposed rulemaking suggesting new cybersecurity regulations for banks with assets totaling more than $50 billion (the “Proposed Standards”).