Privacy & Information Security Law Blog

The Office of Management and Budget (“OMB”) recently issued updates to Circular A-130 covering the management of federal information resources. OMB revised Circular A-130 “to reflect changes in law and advances in technology, as well as to ensure consistency with Executive Orders, Presidential Directives, and other OMB policy.” The revised policies are intended to transform how privacy is addressed across the branches of the federal government.

Recently, the People’s Republic of China’s Ministry of Public Security, the National Development and Reform Commission and six other administrative departments jointly published the Announcement on Regulating the Administration of the Use of Resident Identity Cards (the “Announcement”). The Announcement came into effect on July 15, 2016, the date of its issuance.

The Announcement reiterates existing prohibitions against leasing, lending or assigning a resident identity card to another person, and reiterates an existing requirement that resident identity cards must not be seized or held as a security by government agencies, related entities or their staff.

Lisa J. Sotto, partner and head of Hunton & Williams LLP’s Global Privacy and Cybersecurity practice group, recently spoke at Bloomberg Law’s Second Annual Big Law Business Summit. In Part 1 of the panel discussion, Lisa describes the dramatic changes in the legal landscape of privacy over the last 10 to 15 years, discussing the emergence of privacy laws such as “the Gramm-Leach-Bliley Act for the financial sector, HIPAA for the health care sector and…of course, the local implementation of the European Data Protection Directive.” She then continues to note an ...

As reported in the Hunton Insurance Recovery Blog, insurance-giant American International Group (“AIG”) announced that it will be the first insurer to offer standalone primary coverage for property damage, bodily injury, business interruption and product liability that results from cyber attacks and other cyber-related risks. According to AIG, “Cyber is a peril [that] can no longer be considered a risk covered by traditional network security insurance product[s].” The new AIG product, known as CyberEdge Plus, is intended to offer broader and clearer coverage for harms that had previously raised issues with insurers over the scope of available coverage. AIG explains its new coverage as follow:

The State Administration for Industry and Commerce of the People’s Republic of China published a draft of its Implementing Regulations for the P.R.C. Law on the Protection of the Rights and Interests of Consumers (the “Draft”) for public comment. The draft is open for comment until September 5, 2016.

On August 4, 2016, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) entered into a resolution agreement with Advocate Health Care Network (“Advocate”), the largest health care system in Illinois, over alleged HIPAA violations. The $5.5 million settlement with Advocate is the largest settlement to date against a single covered entity.

On July 29, 2016, the Federal Trade Commission (“FTC”) announced that it had issued an opinion and final order concluding that LabMD, Inc. (“LabMD”) violated the unfairness prong of Section 5 of the FTC Act by failing to maintain reasonable security practices to protect consumers’ sensitive personal information. The unanimous decision reverses a November 2015 administrative law judge’s initial decision that, as we previously reported, dismissed the FTC’s charges against LabMD for failing to show that LabMD’s allegedly unreasonable data security practices caused, or were likely to cause, substantial consumer injury.

On July 25, 2016, the Article 29 Working Party (the “Working Party”) and the European Data Protection Supervisor (“EDPS”) released their respective Opinions regarding the review of Directive 2002/58/EC on privacy and electronic communications (the “ePrivacy Directive"). Both the Working Party and the EDPS stressed that new rules should complement the protections available under the EU General Data Protection Regulation (“GDPR”).

On July 21, 2016, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) entered into resolution agreements with two large public health centers, Oregon Health & Science University (“OHSU”) and the University of Mississippi Medical Center (“UMMC”), over alleged HIPAA violations.

On July 26, 2016, the White House unveiled Presidential Policy Directive PPD-41 (“PPD-41”), Subject: United States Cyber Incident Coordination, which sets forth principles for federal responses to cyber incidents approved by the National Security Council (“NCS”). Coming on the heels of several high-profile federal breaches, including the Office of Personnel Management’s loss of security clearance information and the hack of over 700,000 IRS accounts, PPD-41 is a component of President Obama’s Cybersecurity National Action Plan. PPD-41 first focuses on incident response to cyber attacks on government assets, but also outlines federal incident responses to cyber attacks on certain critical infrastructure within the private sector.