Privacy & Information Security Law Blog

On June 23, 2014, the Article 29 Working Party (the “Working Party”) published its Opinion 7/2014 on the protection of personal data in Québec (the “Opinion”). In this Opinion, the Working Party provides its recommendations to the European Commission on whether the relevant provisions of the Civil Code of Québec and the Québec Act on the Protection of Personal Information in the Private Sector (the “Québec Privacy Act”) ensure an adequate level of protection for international data transfers in accordance with the EU Data Protection Directive 95/46/EC (the “Directive”). Under the Directive, strict conditions apply to personal data transfers to countries outside the European Economic Area that are not considered to provide an adequate level of data protection.

On June 19, 2014, the President’s Export Council (“PEC”) held a meeting to discuss nine key issues, including the effects of foreign laws that restrict cross-border data flows. At the meeting, the private sector members of the PEC submitted a recommendation letter to President Obama expressing their concern about the threat to American business from protectionist, cross-border data transfer restrictions imposed by foreign countries. The letter describes how certain governments are implementing “digital protectionism” in the form of laws and policies restricting the cross-border flow of data (for example, by requiring domestic processing and storage of data citing concerns for personal privacy and national security). These foreign laws may limit the ability of American businesses, particularly small- and medium-sized businesses, to expand their business operations to include countries that enact such measures.

On June 23, 2014, the Department of Health and Human Services (“HHS”) announced a resolution agreement and $800,000 settlement with Parkview Health System, Inc. (“Parkview”) following a complaint involving patient medical records that were dumped by Parkview employees and left unattended on a physician’s driveway.

Cyber incidents have become more common — and more severe — in recent years. Like other federal agencies, the Securities and Exchange Commission (“Commission”) has recently been analyzing the applicability of its existing regulations relating to cybersecurity risks. The Commission’s efforts are focused on maintaining the integrity of market systems, protecting customer data and the disclosure of material information. We provide an overview of recent developments in public company cybersecurity disclosure of particular interest to public companies.

On June 2, 2014, the U.S. Department of Justice announced a U.S.-led multinational effort to disrupt the “Gameover Zeus” botnet and the malware known as “Cryptolocker.” The DOJ also unsealed charges filed in Pittsburgh, Pennsylvania and Omaha, Nebraska against an administrator of Gameover Zeus.

In response to increasing interest in a “risk-based” approach among privacy experts, including policymakers working on the proposed EU General Data Protection Regulation, the Article 29 Working Party (the “Working Party”) published a statement on the role of a risk-based approach in data protection legal frameworks (the “Statement”).

On June 12, 2014, Connecticut Governor Dannel Malloy signed a bill into law that may require retailers to modify their existing Health Insurance Portability and Accountability Act (“HIPAA”) authorizations for pharmacy reward programs. The law, which will become effective on July 1, 2014, obligates retailers to provide consumers with a “plain language summary of the terms and conditions” of their pharmacy reward programs before the consumers may enroll. It also requires retailers to include specific content in their authorization forms that are required pursuant to the HIPAA. If the consumer is required to sign a HIPAA authorization to participate in a pharmacy reward program, the authorization must include the following items “adjacent to the point where the HIPAA authorization form is to be signed:”

It seems that every week brings news that another company has been impacted by a major data breach – and of the resulting financial, legal and public relations costs. As companies seek out ways to prevent these events and recoup losses associated with a data breach, cyber insurance is increasingly discussed as an effective method of recovery. In a recent article published in the Daily Journal, Hunton & Williams’ Insurance Coverage Counseling and Litigation attorney William T. Um offers a primer on cyber insurance, outlining key considerations for businesses as they explore this emerging area of coverage. The article discusses how:

On June 6, 2014, Viviane Reding, Vice-President of the European Commission and EU Commissioner for Justice, outlined the progress that has been made with respect to the proposed EU General Data Protection Regulation (the “Proposed Regulation”) in a meeting of the Council of the European Union, acting through the Justice Council (the “Council”). In particular, the Council has agreed on two important aspects of the Proposed Regulation.

On June 5, 2014, new OpenSSL vulnerabilities were announced, including one vulnerability that permits man-in-the-middle attacks and another that allows attackers to run arbitrary code on vulnerable devices. These vulnerabilities, along with the previously-discovered Heartbleed bug, show that technological solutions alone may not eliminate cyber risk.