Privacy & Information Security Law Blog

On August 4, 2016, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) entered into a resolution agreement with Advocate Health Care Network (“Advocate”), the largest health care system in Illinois, over alleged HIPAA violations. The $5.5 million settlement with Advocate is the largest settlement to date against a single covered entity.

On July 29, 2016, the Federal Trade Commission (“FTC”) announced that it had issued an opinion and final order concluding that LabMD, Inc. (“LabMD”) violated the unfairness prong of Section 5 of the FTC Act by failing to maintain reasonable security practices to protect consumers’ sensitive personal information. The unanimous decision reverses a November 2015 administrative law judge’s initial decision that, as we previously reported, dismissed the FTC’s charges against LabMD for failing to show that LabMD’s allegedly unreasonable data security practices caused, or were likely to cause, substantial consumer injury.

On July 25, 2016, the Article 29 Working Party (the “Working Party”) and the European Data Protection Supervisor (“EDPS”) released their respective Opinions regarding the review of Directive 2002/58/EC on privacy and electronic communications (the “ePrivacy Directive"). Both the Working Party and the EDPS stressed that new rules should complement the protections available under the EU General Data Protection Regulation (“GDPR”).

On July 21, 2016, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) entered into resolution agreements with two large public health centers, Oregon Health & Science University (“OHSU”) and the University of Mississippi Medical Center (“UMMC”), over alleged HIPAA violations.

On July 26, 2016, the White House unveiled Presidential Policy Directive PPD-41 (“PPD-41”), Subject: United States Cyber Incident Coordination, which sets forth principles for federal responses to cyber incidents approved by the National Security Council (“NCS”). Coming on the heels of several high-profile federal breaches, including the Office of Personnel Management’s loss of security clearance information and the hack of over 700,000 IRS accounts, PPD-41 is a component of President Obama’s Cybersecurity National Action Plan. PPD-41 first focuses on incident response to cyber attacks on government assets, but also outlines federal incident responses to cyber attacks on certain critical infrastructure within the private sector.

On July 25, 2016, Lisa Sotto, partner and head of the Global Privacy and Cybersecurity practice at Hunton & Williams LLP, was interviewed on KUCI 88.9 FM radio’s Privacy Piracy show. Lisa discussed the changing regulatory landscape, information security enforcement actions, the threat actors who attack companies’ data and how to manage the aftermath of a data breach. “There is no industry sector that is exempt [from being targeted],” Lisa says. She notes that, because “data can be sold for a monetary sum, data is now the equivalent of cash.”

Listen to the full interview.

On July 20, 2016, the French Data Protection Authority (“CNIL”) announced that it issued a formal notice to Microsoft Corporation (“Microsoft”) about Windows 10, ordering Microsoft to comply with the French Data Protection Act within three months.

Background

Following the launch of Microsoft’s new operation system, Windows 10, in July 2015, the CNIL was alerted by the media and political parties that Microsoft could collect excessive personal data via Windows 10. A group composed of several EU data protection authorities was created within the Article 29 Working Party to examine the issue and conduct investigations in their relevant EU Member States. The CNIL initiated its investigation and carried out seven online inspections in April and June 2016. The CNIL also questioned Microsoft on certain points of its privacy statement.

On July 26, 2016, Isabelle Falque-Pierrotin, the Chairwoman of the Article 29 Working Party of data protection regulators, announced that EU data protection regulators will not challenge the adequacy of the EU-U.S. Privacy Shield (“Privacy Shield”) for at least one year (i.e., until after summer 2017). The European Commission is scheduled to conduct a mandatory review of the adequacy of the Privacy Shield by May 2017.

On July 12, 2016, after months of negotiations and criticism, the EU-U.S. Privacy Shield (“Privacy Shield”) was officially adopted by the European Commission and the Department of Commerce. Similar to the Safe Harbor, companies must certify their compliance with the seven principles comprising the Privacy Shield to use the Shield as a valid data transfer mechanism. Hunton & Williams partner Lisa J. Sotto and associate Chris D. Hydak recently published an article in Law360 entitled “The EU-U.S. Privacy Shield: A How-To Guide.” In the article, Lisa and Chris detail the ...

On July 26, 2016, the U.S. Department of Commerce announced that it has launched a new website that provides individuals and companies with additional information regarding the EU-U.S. Privacy Shield Framework (“Privacy Shield”). Among other things, the website provides information about complying with, and self-certifying to, the Privacy Shield’s principles. The Department of Commerce’s website will begin accepting certifications on August 1, 2016.