November 2015

On October 6, 2015, the Court of Justice of the European Union (CJEU) invalidated the U.S.-EU Safe Harbor framework as a legal basis for transferring personal data from the European Union to the U.S.1 The judgment was delivered in Schrems v. Data Protection Commissioner, a case in which Max Schrems, an Austrian student, complained to the Data Protection Authority (DPA) in Ireland about the transfer of his personal data by Facebook to its servers in the U.S.

The Schrems judgment is of major importance to the over 4,000 companies that relied on Safe Harbor to transfer personal data from the EU to the U.S. This article details the background of the case, analyzes its holdings and consequences, and summarizes the main developments that have occurred since the judgment was issued.
Continue Reading What’s Next for U.S.-EU Data Transfers? An Analysis of Recent Developments Following Schrems

On October 1, 2015, the Court of Justice of the European Union (CJEU), which is the EU’s highest court, delivered its judgment in Case C-230/14—Weltimmo.1 The CJEU ruling is a landmark decision in determining the territorial scope of application of national data protection laws and the competence of national Data Protection Authorities (DPAs) in the EU.

All 28 countries of the EU have their own national data protection laws. The territorial scope of application of these laws often raises questions for companies doing business in multiple EU countries. The main rule states that the national data protection law of a certain EU country applies if data processing is “carried out in the context of the activities of an establishment” of the data controller in that EU country. If the data controller is not established in the EU, but makes use of “equipment” in a certain EU country to process personal data, the national data protection law of that EU country will apply. The Weltimmo case provides some clarity on how to determine the application of EU data protection law when the data controller is established in the EU.
Continue Reading Landmark Decision Clarifies Territorial Scope of Application of National Data Protection Laws in the EU

Following the conclusion of the Health Insurance Portability and Accountability Act (HIPAA) pilot audit program in 2012, speculation began about the timing of the permanent program of periodic HIPAA audits. Originally, the Department of Health and Human Service’s Office of Civil Rights (OCR) scheduled the permanent audit program for 2014. However, personnel and budget limitations delayed the launch, and the year came and went without implementation of the program.

With 2015 nearing its close, advisors in the health data industry may have felt like they were crying wolf while encouraging clients to take this time to review and improve HIPAA compliance efforts given the impending audits. Finally, however, in late September 2015, the OCR announced that the permanent audit program will launch in early 2016. Reports indicate that the OCR has already sent out inquiries to covered entities confirming contact information for possible follow-up.
Continue Reading No More Crying Wolf—HIPAA Audits Coming in 2016

California Attorney General Kamala Harris recently announced a settlement with Houzz Inc., a home design website, over allegations that the company failed to notify individuals that it was recording their phone calls with the company.1 While the settlement included the payment of $175,000 in penalties and fees, it also included the surprising requirement that Houzz appoint a “Chief Privacy Officer” or similar employee responsible for privacy compliance at the company. This settlement is the first time a U.S. privacy regulator has specifically included such a requirement in a privacy settlement, and it signals the importance to the California Attorney General of companies having executive management oversight for a privacy program.
Continue Reading California Attorney General Includes Chief Privacy Officer Requirement in Data Privacy Settlement

ThinkstockPhotos-469750754-webOn September 29, 2015, the PCI Security Standard Council (PCI SSC) issued guidance regarding data breach responses for merchants and service providers who process payment cards. The PCI SSC is a global forum founded by card brands (American Express, Discover, JCB, MasterCard, and Visa), and it is responsible for the development and management of the data security standards (i.e., the PCI-DSS and the PA-DSS standards) required by the card brands’ security programs. The new guidance includes the PCI SSC’s recommendations on: (i) how to prepare in advance of an incident to reduce risks and costs; and (ii) engaging and working with a Payment Card Industry Forensic Investigator (PFI) following a cardholder data breach.
Continue Reading PCI Security Standards Council Issues Guidance on Responding to a Data Breach

AA042950In the wake of numerous cyberattacks aimed at companies spanning various industries, it is no surprise that yet another federal agency—this time the SEC—is stressing the importance of proper cybersecurity protocols for the entities it regulates. Broker-dealers, investment advisors, and others in the securities industry often have access to some of the most sensitive client and consumer financial information, making data security a high priority for the SEC.
Continue Reading SEC Increases Focus on Cybersecurity–A Look at Recent Data Security Guidance and Enforcement

ThinkstockPhotos-489306446On September 9, 2015, the Federal Trade Commission (FTC) held its first “Start with Security” conference at the University of California Hastings College of the Law in San Francisco. The conference was the first in a series of events hosted by the agency intended to provide additional guidance to businesses regarding how to keep consumers’ information secure.

The FTC’s San Francisco event was aimed primarily at start-ups and software developers, with panels focusing on building a culture of security, scaling security during periods of rapid growth, investing in security, vulnerability disclosure and response, and implementing security features. The panels were each moderated by a staff attorney from the FTC’s Division of Privacy and Identity Protection, with panelists hailing primarily from Silicon Valley tech companies. Each panel is summarized below.
Continue Reading FTC Begins “Start with Security” Conference Series