Privacy & Information Security Law Blog

On October 28, 2014, California Attorney General Kamala D. Harris announced the release of the second annual California Data Breach Report. The report provides information on data breaches reported to California’s Attorney General in 2012 and 2013. Overall, 167 breaches were reported by 136 different entities to California’s Attorney General in 2013. According to the report, 18.5 million records of California residents were compromised by these reported breaches, up more than 600 percent from the 2.6 million records compromised in 2012. In addition, the number of reported data breaches increased by 28 percent in 2013, rising from 131 in 2012 to 167 in 2013.

Eduardo Cunha, a congressman from the Brazilian Democratic Movement Party in Rio de Janeiro, recently introduced a new bill in Brazil that provides Brazilians with a right to be forgotten (PL 7881/2014). Rep. Cunha is one of the most influential congressmen in Brazil and has been reported likely to be the next Speaker of the Brazilian House of Representatives (also translated as the “Chamber of Deputies”).

On October 22, 2014, the Federal Trade Commission announced that several interrelated online marketing and advertising companies (“Stipulating Defendants”) agreed to pay nearly $10 million to settle allegations that they engaged in a pattern of text message spamming, robocalling and mobile cramming practices in violation of Section 5 of the FTC Act, the Telemarketing and Consumer Fraud and Abuse Prevention Act, and the Telemarketing Sales Rule.

On October 10, 2014, TD Bank, N.A. entered into an assurance of voluntary compliance (“Assurance”) with a multistate group of nine attorneys general to settle allegations that the company violated state consumer protection and personal information safeguards laws in connection with a 2012 data breach. The breach involved the loss of two unencrypted backup tapes containing the personal information of approximately 260,000 customers. The Assurance requires TD Bank to pay $850,000 to the attorneys general.

On October 20, 2014, the Consumer Financial Protection Bureau (“CFPB”) announced a finalized rule that enables certain financial institutions to comply with the Gramm-Leach-Bliley Act (“GLB”) by publishing their financial privacy notices online instead of mailing them to their customers. The GLB Privacy Rule requires financial institutions to provide privacy notices to their customers on an annual basis. The new disclosure method only applies to financial institutions regulated by the CFPB and does not impact those entities regulated by the Securities and Exchange Commission, Commodity Futures Trading Commission or Federal Trade Commission.

On October 9, 2014, the 88th Conference of the German Data Protection Commissioners concluded in Hamburg. This biannual conference provides a private forum for all German state data protection authorities (“DPAs”) and the Federal Commissioner for Data Protection and Freedom of Information to share their views on current data protection issues, discuss relevant cases and adopt resolutions aimed at harmonizing how data protection law is applied across Germany. During the conference, several resolutions concerning privacy were adopted.

On October 17, 2014, the White House announced that the President signed a new executive order focused on cybersecurity.  The signed executive order, entitled Improving the Security of Consumer Financial Transactions (the “Order”), is focused on securing consumer transactions and sensitive personal data handled by the U.S. Federal Government.

On October 16, 2014, the 36th International Conference of Data Protection and Privacy Commissioners in Mauritius hosted a panel including representatives from the European Data Protection Supervisor ("EDPS") and Hunton & Williams to discuss the need for a coordinated approach to net neutrality and data protection in the EU. While there are divergent views on what net neutrality should (or should not) entail, net neutrality in the EU typically refers to the principle that all Internet traffic is treated equally and without discrimination, restriction or interference.

During the October 14, 2014 closed session of the 36th International Conference of Data Protection and Privacy Commissioners (the “Conference”) held in Balaclava, Mauritius, the host, the Data Protection Office of Mauritius, and member authorities of the Conference issued the “Mauritius Declaration on the Internet of Things,” and four new resolutions – a “Resolution on Accreditation” of new members, a “Resolution on Big Data,” a “Resolution on enforcement cooperation,” and a “Resolution on Privacy in the digital age.” Brief summaries of each of these documents are below.

In October 2014, the People’s Republic of China Supreme People’s Court issued interpretations regarding the infringement of privacy and personal information on the Internet. The interpretations are entitled Provisions of the Supreme People’s Court on Several Issues concerning the Application of the Rules regarding Cases of the Infringement of Personal Rights over Information Networks (the “Provisions”) and became effective on October 10, 2014.