This article is the third in a series of articles that discuss the importance of privacy and data security considerations in the transactional context.

In any transaction in which an entity invests in or acquires another business or its assets, the investing or acquiring entity (the “Acquiror”) should fully evaluate its counterparty (the “Company”), the Company’s assets, and the Company’s liabilities and risks prior to the consummation of the transaction. A spate of significant data security incidents and exposés in the past few years has raised awareness across industries of the need to adequately contemplate privacy concerns and appropriately secure data systems. Businesses, acquirors, and investors increasingly understand that expensive data security incidents, lawsuits, and government investigations can result from basic failures to comply with applicable privacy laws or data processing contracts or, with regard to information security, well-established industry best practices.
Continue Reading Privacy and Data Security Due Diligence

On September 17, 2015, California Attorney General Kamala Harris announced a $33 million settlement with Comcast Corp. to resolve an investigation into Comcast’s publishing of phone numbers that consumers had paid the company not to publish. Notably, the settlement is the largest privacy settlement on record to date, surpassing the recent $25 million settlement the Federal Communications Commission (FCC) obtained from AT&T in April 2015. The action is also notable for which agency brought it and which agencies did not participate—this was a California state action and not an FCC or Federal Trade Commission (FTC) enforcement proceeding. The FTC has been the leading privacy enforcer over the last twenty years, and the FCC has spent the last two years nipping at the FTC’s heels on privacy enforcement. So, why did the two leading federal privacy regulators apparently sit on the sidelines for the largest privacy settlement on record? This article examines that question and posits some theories on why the other agencies may not have proceeded. Regardless of whether federal regulators decided to act in this case, the Comcast settlement with California offers a stark reminder for companies that failing to protect consumer privacy or misleading consumers about privacy protections can land you in expensive hot water on a wide variety of regulatory fronts.
Continue Reading Comcast Enters into Largest Privacy Settlement on Record with California Attorney General

On June 16, 2015, the body of European data protection regulators known as the Article 29 Working Party (WP29) issued an opinion that clarifies EU data protection rules in the context of civil drones. The opinion explains how the principles of EU data protection law apply to drones, and provides a list of recommendations for drone manufacturers and operators, regulators and policymakers, and other stakeholders. This article highlights the key takeaways of the WP29 opinion.
Continue Reading EU Data Protection Regulators Issue Guidance on Drones

Historically, businesses have called for greater connection between the legal requirements of European data protection law and the requirements of information technology standards. The new International Organization for Standardization (ISO) standard for securely processing personal information in cloud computing environments, ISO 27018, could be a significant first step toward creating technical standards that take privacy legal requirements into account. While its effects on compliance under the forthcoming EU General Data Protection Regulation (GDPR) remain to be seen, ISO 27018 offers a promising look at what a more harmonized data protection regime might look like.
Continue Reading Technical Standards Open New Avenue to EU Data Protection Compliance

De-identification techniques are often at the forefront of companies’ concerns when it comes to the processing of big data. In addition, anonymization and pseudonymization techniques have been a heavily debated topic in the ongoing reform of EU data protection law. This makes last year’s Article 29 Working Party (WP29) Opinion on Anonymization Techniques even more important, as it examines the effectiveness and limits of anonymization techniques and places them in the context of data protection law. This article details the WP29 Opinion on Anonymization Techniques and considers the opinion in relation to the upcoming EU General Data Protection Regulation.
Continue Reading Personal Data, Anonymization, and Pseudonymization in the EU

The Department of Health and Human Services (HHS) Office of the National Coordinator for Health Information Technology (ONC) recently released a practical guide designed to help healthcare providers and their service providers better understand and implement privacy and security protections for electronic health information. Organizations that handle personal health-related information, even when they are subject to HIPAA regulation, may find the HHS guide to be a source of information on emerging and better practices. This is updated guidance following HHS’s substantial changes to HIPAA regulations through the omnibus rule in early 2013.
Continue Reading HHS Updates Guide to Protecting Electronic Health Information