Privacy & Cybersecurity Newsletter

November 13, 2015

Locke Lord’s Privacy & Cybersecurity Newsletter provides topical snapshots of recent developments in the fast-changing world of privacy, data protection, and cyber risk management. For further information on any of the subjects covered in the newsletter, please contact one of the members of our privacy and cybersecurity team.

In This Issue

California Amends Breach Notification Law: Unique New Refinements and Requirements
The California legislature has again amended the state’s breach notification statutes to impose new and unique requirements and refinements, adding further complexity to the patchwork of breach notification requirements.

NAIC Cybersecurity Bill of Rights: The Awkward New Guest at the Data Breach Law Party
On October 14, 2015, the NAIC’s Cybersecurity (EX) Task Force adopted a Cybersecurity Bill of Rights, an aspirational, well-intended document outlining the rights insurance consumers should (or could? or might? this point remains uncertain) expect with regard to their personal information in the hands of insurance companies, insurance agents, and any of their vendors.

U.S.-EU Safe Harbor Scheme Declared Invalid
The Court of Justice of the European Union (the “CJEU”), Europe’s highest court, declared last month that the U.S.-EU Safe Harbor Scheme is invalid. The CJEU also declared that national supervisory authorities are free to challenge findings of the European Commission (the “Commission”) that a third country ensures an adequate level of protection for personal data transferred to that country.

OCR Expected to Strengthen HIPAA Enforcement in 2016
Two recent reports issued by the Office of Inspector General (“OIG”) for the U.S. Department of Health and Human Services (“HHS”) recommended that HHS’s Office for Civil Rights (“OCR”) should fully implement a permanent audit program and strengthen its follow-up procedures relating to breaches of Protected Health Information (“PHI”).

Which Way is the “Wyndham” Blowing? Cyber Regulation after FTC vs. Wyndham
Does the Third Circuit’s recent decision in FTC v. Wyndham Worldwide Corp. usher in a new era of enforcement by the FTC and other federal agencies regarding cybersecurity practices? Regardless of the answer, it is important to note what this new decision does not do.

Development of Cybersecurity Information Sharing Standards
As the Obama administration continues to direct attention to cybersecurity, The University of Texas at San Antonio (“UTSA”) recently won an $11 million grant to develop standards for so-called “Information Sharing and Analysis Organizations” (“ISAOs”).

Opt-in System Introduced in Turkey for Commercial Electronic Communications in E-commerce Law
Turkey’s solid and rapidly expanding e-commerce market volume reached 18.9 billion Turkish Liras as of the end of 2014. The Turkish e-commerce sector accounts for 1.6% of the country’s overall retail sector.

Weltimmo v Hungarian DPA: Landmark Verdict on the Meaning of “Established”
In the case of Weltimmo s.r.o. v Nemzeti Adatvédelmi és Információszabadság Hatóság, the Court of Justice of the European Union (“CJEU”) handed down a landmark judgment in October 2015 on data protection legislation, tackling the issue of jurisdiction when a company is headquartered in one EU country and operates its business in another.

SEC Releases Guidance on Examination of Broker-Dealer and Investment Advisor Information Security Practices; NYSE Releases Cybersecurity Guide
The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (the “OCIE”) recently announced its 2015 Cybersecurity Examination Initiative, which describes the focus of the OCIE’s examination of cybersecurity practices within the securities industry and “encourage[s] registered broker-dealers and investment advisers to reflect upon their own practices, policies, and procedures with respect to cybersecurity.”

Recent Cases Highlight Importance of Compliance with Hong Kong Privacy Law
The use of personal data in direct marketing without the customer’s consent and without fulfilling legal prerequisites has resulted in fines issued by the Hong Kong Office of the Privacy Commissioner for Personal Data (“PCPD”).

Breaches, Damned Breaches and Their Statistics
Interesting conclusions about data breach costs emerge from two new studies, the 2015 Ponemon Institute’s Cost of Cyber Crime Study: Global and the 2015 NetDiligence® Cyber Claims Study.

UK Information Commissioner’s Office Assesses Nuisance Calls Fines
The Information Commissioner’s Office (“ICO”) has issued a fine of £200,000, its largest ever penalty for nuisance calls, to Home Energy & Lifestyle Management Ltd. (“HELM”), a green energy company.

California Enacts Electronic Communication Privacy Statute, Connected Television Privacy Statute
The California legislature recently enacted the California Electronic Communications Privacy Act (“CalECPA”) (Senate Bill 178), which provides greater protections against governmental searches for persons’ electronic communications.