Regulatory—Policy and Best Practices
California Attorney General Releases Data Breach Report
On October 28, the California Attorney General released the second annual California Data Breach Report, detailing the 167 breaches reported in 2013 and their impact on the personal information of 18.5 million state residents. The report identifies a 28 percent increase in reported breaches over the previous year and offers specific recommendations for consumers, retailers, the health care industry, and the legislature.
Retail Industry Groups Argue Financial Industry Shares Blame for Recent Data Breaches
On October 6, three retail industry groups—National Grocers Association, National Restaurant Association, and National Association of Convenience Stores—wrote a letter to President Obama stating that the financial sector was more heavily impacted by data breaches in 2013 and claiming that bank-issued debit and credit cards are "fraud-prone." The letter was written in response to a September 29 letter from the National Association of Federal Credit Unions to President Obama requesting cybersecurity legislation aimed specifically at retailers.
Payments Security Task Force Reports Nearly Half of U.S. Retail Terminals Will Accept Chip Card Technology by 2016
On October 17, the Payments Security Task Force, comprising a diverse group of U.S. electronic payment industry players, forecasted that half of U.S. merchant terminals will be microchip-enabled by the end of 2015. The forecast was based on data provided by acquirers representing approximately 80 percent of the U.S. purchase volume.
Retail and Restaurant Groups Urge Breach Notification Law Across All Industries
On November 6, more than 40 trade associations representing the U.S. retail and restaurant industries asked Congress to pass a federal data breach notification law and insisted that new notification requirements extend to any business that handles customer information, including banks and financial institutions.
OCC Chief Asks Congress to Hold Retailers Responsible for Data Breach Costs
On November 7, Comptroller of the Currency Thomas Curry asked Congress to enact legislation that would hold retailers responsible for at least some of the costs related to data breaches. Curry stated that such cost-sharing legislation makes sense, because currently, banks are solely responsible for costs associated with replacing debit and credit cards, monitoring accounts, and repaying customers for fraudulent charges.
The Financial Services Roundtable Urges Payment Innovation to Curb Cybersecurity Threats
On October 17, the Financial Services Roundtable released a statement supporting advanced payment technologies and information-sharing legislation as critical steps to reduce cybersecurity threats.
CFPB Issues Final Rule Allowing Financial Institutions to Post Annual Privacy Notices Online
On October 20, the Consumer Financial Protection Bureau issued a final rule allowing financial institutions to post online the annual privacy notices required by the Gramm-Leach-Bliley Act instead of mailing them.
The American Bankers Association Stays Active in Cybersecurity Awareness
On October 31, the American Bankers Association published an infographic on cybersecurity and data breaches, which conveys banks' measures to protect customers from data breaches and illustrates how banks absorb costs and reimburse customers following data breaches. On December 2, the American Bankers Association published a letter to members of the United States Senate, encouraging the Senate to pass the Cybersecurity Information Sharing Act of 2014. This legislation is aimed at allowing financial institutions and the U.S. government to share information regarding cybersecurity threats.
The Federal Financial Institutions Examination Council Releases Cybersecurity Assessment Observations
On November 3, the Federal Financial Institutions Examination Council ("FFIEC") released its Cybersecurity Assessment General Observations. The FFIEC performed a cybersecurity assessment at more than 500 community financial institutions to evaluate the institutions' preparedness to mitigate cybersecurity threats. The FFIEC's General Observations describe common themes and issues that institutions might consider when assessing their own preparedness.
House, Senate Democrats Seek Details from Financial Firms on Data Breaches
On November 18, Democrats in Congress sent letters (sample letter) to 16 major financial institutions requesting detailed information about recent data breaches and briefings from corporate data security officials. Lawmakers requested details of all data breaches experienced over the past year, the number of customers affected, findings by forensic investigators, information about potential suspects in these attacks, and descriptions of newly implemented cybersecurity measures.
SEC Adopts Regulation Systems Compliance and Integrity (Regulation SCI)
On November 19, the Securities and Exchange Commission adopted Regulation SCI, which requires certain securities market participants to implement procedures to protect their technological systems and take corrective actions when necessary. In his statement at the open meeting, an SEC Commissioner noted that these measures respond to the "27 serious technical malfunctions at exchanges around the world in the last three years alone." Regulation SCI takes effect on February 15, 2015, and regulated entities must comply within nine months.
Deputy Treasury Secretary Advises on Handling Cyberattacks
On December 3, the Deputy Treasury Secretary, speaking to the Texas Bankers' Association Executive Leadership Cybersecurity Conference, provided guidance on preventing, preparing for, and responding to cyberattacks.
New York Department of Financial Services Expands Cybersecurity Examination Process
On December 10, New York's Department of Financial Services issued a bulletin notifying all New York state-chartered or licensed banking institutions that cybersecurity examinations will be included within the overall IT examination process. The cybersecurity examinations will now include reviews of: (i) corporate governance; (ii) protections against intrusion; (iii) information security testing and monitoring; (iv) cybersecurity insurance coverage; and (v) third-party protections.
Connecticut Expands HIPAA Liability
On November 11, the Connecticut Supreme Court ruled that the Health Insurance Portability and Accountability Act ("HIPAA") does not preempt state negligence claims for unlawful exposure of confidential health data. The court reversed a trial court decision holding that HIPAA preempts state actions related to confidentiality of medical information. The court held that HIPAA was not intended to preempt state tort actions arising from unauthorized release of medical records.
Indiana Appeals Court Affirms National Retailer's Liability for Privacy Breach
On November 14, an Indiana appeals court affirmed a $1.44 million jury verdict, holding that the retailer was liable under the respondeat superior doctrine for a HIPAA violation by an employee. The court determined that the HIPAA violation constituted harm inflicted while acting within the scope of employment.
NIST Updates Smart Grid Framework and Cybersecurity Guidelines
On October 1, the National Institute of Standards and Technology ("NIST") released the third version of the NIST Framework and Roadmap for Smart Grid Interoperability Standards. The framework was updated to accommodate new developments in smart grid interoperability standards development and smart grid-related measurement science and technology. NIST also revised its Guidelines for Smart Grid Cybersecurity to describe the relationship between smart grid technology and the broader Cybersecurity Framework developed by NIST.
NIST Issues Cloud Computing Technology Roadmap
On October 22, NIST issued its final version of the U.S. Government Cloud Computing Technology Roadmap. The Roadmap is intended to support the federal government's adoption of cloud technology and prioritizes security, interoperability, portability, performance, and accessibility.
NIST Holds Sixth Workshop on Cybersecurity Framework
On October 29 and 30, NIST held its sixth workshop on the Cybersecurity Framework. NIST representatives confirmed that no major revisions to the Cybersecurity Framework should be expected in the near future. Workshop attendees discussed initial experiences with the Cybersecurity Framework since its rollout in February 2014, with a focus on resources to help organizations use the Framework more efficiently and effectively.
NIST Issues Guidance for Protecting Controlled Unclassified Information
In November, NIST released a draft version of NIST Special Publication 800-171, "Protecting Controlled Unclassified Information ("CUI") in Nonfederal Information Systems and Organizations." The guidance addresses information technology infrastructure and associated security policies and practices by contractors serving the federal government. The requirements apply to: (i) nonfederal information systems that are beyond the scope of the systems covered by the Federal Information Security Management Act; and (ii) all components of nonfederal systems that process, store, or transmit CUI.
President Issues Executive Order to Secure Consumer Payment Information
On October 17, President Obama unveiled an executive order to safeguard consumers' financial information by enhancing the security of government payment processing terminals and identity theft remediation measures.
FTC Supports NHTSA's Approach to Vehicle-to-Vehicle Communications
On October 20, the Federal Trade Commission ("FTC") issued a public comment to the National Highway Traffic Safety Administration's advance notice of proposed rulemaking regarding vehicle-to-vehicle communications. The FTC announced that it supports the Administration's approach, which includes a privacy risk assessment and limitations on data collection and storage.
The Justice Department's National Security Division Announces Restructuring of Counter-Espionage Efforts
On October 21, the assistant attorney general for National Security announced changes to the National Security Division ("NSD") of the Justice Department that were intended to place additional focus on the NSD's efforts to protect national assets from state-sponsored economic espionage threats. The changes included the appointment of new individuals to the NSD's senior leadership and the creation of a new deputy assistant attorney general position focused on the protection of national assets.
Administration and DOJ Announce Reauthorization of Telephony Metadata Collection Program
On December 8, the Office of the Director of National Intelligence ("ODNI") and the Department of Justice announced that the Foreign Intelligence Surveillance Court ("FISC") has reauthorized the government's bulk telephony metadata collection program for 90 days. The statement disclosed the FISC's December 4 reauthorization order and noted that the order will be posted to the ODNI's website following declassification review.
Judicial Rulings and Enforcement Actions
U.S. Supreme Court Seeks Administration's Views on Article III Standing
On October 6, the Supreme Court invited the Solicitor General to file a brief in a case that turns on whether a plaintiff has Article III standing to sue for violations of the Fair Credit Reporting Act ("FCRA") without showing actual harm. Reversing the district court, the Ninth Circuit ruled in February that an alleged violation of the plaintiff's FCRA statutory rights established an injury sufficient to satisfy Article III.
District Court Dismisses Wyndham Shareholder Derivative Action for Data Breach
On October 20, a district court in New Jersey dismissed with prejudice a shareholder derivative suit brought against Wyndham Worldwide Corp. for a series of data breaches suffered by the company. The suit alleged that the board of directors' actions following a shareholder demand for a particular response to the data breaches constituted a breach of its fiduciary duties of care and loyalty to the company. The court held that the board's response was protected by the business judgment rule.
MDL Consolidates Data Breach Actions in Northern District of Georgia
Earlier this fall, a national retailer suffered a data breach involving the theft and exposure of private information belonging to more than 50 million consumers. Plaintiffs and financial institutions have filed class actions stating claims for violation of state data privacy laws and common law claims for negligence and misrepresentation. On December 11, the U.S. Judicial Panel on Multidistrict Litigation ruled that these cases be centralized in the Northern District of Georgia.
District Court Allows Banks' Data Breach Lawsuit to Proceed
On December 2, the Minnesota district court overseeing consolidated cases against a national retailer denied the majority of the retailer's motion to dismiss the action brought by financial institutions for losses as a result of a data breach in late 2013. Although the court dismissed the banks' negligent misrepresentation claim, it allowed claims for negligence, negligence per se, and violations of Minnesota's Plastic Card Security Act. The court has not yet ruled on the retailer's motion to dismiss the separate action brought by individual consumers.
Retailer Settles Consumer Protection and Privacy Allegations for $28.4 Million
On October 7, a rent-to-own retailer agreed to pay $25 million to California customers and $3.4 million in civil penalties to settle a consumer protection and privacy suit brought by the California Attorney General. In addition to alleging that the retailer violated California's rent-to-own law, the complaint claimed that the retailer violated state privacy laws by installing spyware on rented laptop computers without customer consent. The spyware monitored keystrokes, captured screenshots, tracked physical locations, and activated the computer webcam.
Bank Agrees to $850,000 Settlement with Eight States Over Breached Customer Personal Information
On October 16, a national bank agreed to an Assurance of Voluntary Compliance with the attorneys general of Connecticut, Florida, Maine, Maryland, North Carolina, New Jersey, New York, Pennsylvania, and Vermont. The settlement follows a lengthy investigation into breached customer personal information, and it requires the bank to pay $850,000, maintain reasonable security policies to protect personal information, and notify customers of any future breaches in a timely manner. The breach at issue occurred in 2012 when the bank lost unencrypted backup tapes containing personal information for 260,000 customers nationwide.
Boston Hospital Pays $100,000 for Allegations of Breached Patient Information
On November 17, Beth Israel Deaconess Medical Center agreed to a consent judgment to settle claims that it failed to protect the health information of nearly 4,000 patients and employees. The hospital must pay $100,000 and ensure future compliance with state and federal data security laws, such as properly tracking and encrypting portable devices. The judgment, entered in Suffolk Superior Court on November 20, resolved charges brought by the Massachusetts Attorney General arising from the theft of an unencrypted personal laptop used by a physician for hospital-related business.
FTC Brings "Throttling" Claim Against Major Retailer and Wireless Broadband Internet Provider
On October 28, the FTC filed a complaint alleging that a major retailer and wireless broadband internet provider engaged in deceptive acts in violation of Section 5 of the FTC Act by imposing significant restrictions on the data speeds of customers with "unlimited" mobile plans who had used more than a fixed amount of data in a month, a practice known as "throttling." The complaint alleges that the company failed to inform consumers adequately of the practice and intentionally withheld the information.
FTC Closes Investigation Into Router Security of Wireless Communications Provider
On November 12, the FTC published a letter announcing that it was closing its investigation of a wireless communications provider's alleged violation of Section 5 of the FTC Act for failing to reasonably secure routers for its consumers. The FTC's letter explained that, although the company regularly shipped customers routers with an outdated default encryption standard (Wired Equivalent Privacy), the company maintained reasonable overall data security practices related to its routers and took steps to mitigate the risk to consumers' information, such as changing the default setting on routers in distribution centers and implementing an outreach campaign to ask customers to update their security settings.
FTC Settles with Major Privacy Certification Provider
On November 17, the FTC announced that a major provider of privacy certifications for online businesses agreed to settle charges that it deceived customers about its recertification program for the company's privacy practices and facilitated a misunderstanding that it was a nonprofit entity. The FTC alleged that between 2006 and early 2013, the company failed to conduct annual recertifications of companies in accordance with its own published standard.
FTC Files Complaints Against Debt Brokers for Privacy Violations
In August and October, the FTC filed two complaints (first complaint and second complaint) against debt brokers for allegedly posting debt portfolios online that contained the personal information of at least 28,000 consumers, including full bank account and routing numbers. The FTC claims that the broker's actions violate the "unfairness" prong of the FTC Act by causing consumers unavoidable substantial injury that is not outweighed by countervailing benefits to consumers or competition. The federal district court has issued preliminary injunctions against the defendants requiring notification to affected consumers and use of reasonable safeguards for consumer information in the brokers' possession.
Panel Discusses SEC/FINRA Investigations and Cybersecurity Priorities at 2014 Securities Enforcement Forum
On October 14, a panel at the 2014 Securities Forum, which included the SEC's deputy director of enforcement, discussed trends in the cybersecurity space. The panel noted the SEC's focus on the adequacy of compliance programs and agency efforts such as the OCIE Cybersecurity Initiative.
Senate Blocks NSA Surveillance Bill
On November 18, a bill to end the National Security Agency's ("NSA's") bulk collection of telephone records failed to move through the Senate. The Senate first considered the legislation last year, after former NSA contractor Edward Snowden revealed U.S. intelligence activities regarding the collection and storage of communications metadata. The bill would have required the NSA to ask a communications company for records of a specific person when investigating a terrorism case.
Congress Passes Bill to Update Federal Information Security to Protect Federal Agencies from Cyberattack
On December 11, the House of Representatives approved the Federal Information Security Modernization Act of 2014, which would amend the Federal Information Security Management Act of 2002. According to a statement by the bill sponsor and Senate Homeland Security and Governmental Affairs Committee chairman, the bill "will modernize our outdated federal network security laws, provide the tools and authorities needed to improve security at our federal agencies, and increase transparency and accountability for data breaches at federal agencies." Having already passed the Senate, the bill awaits President Obama's signature to become law.
Congress Passes National Cybersecurity Protection Act
On December 11, the House of Representatives approved the National Cybersecurity Protection Act of 2014, which allows the National Cybersecurity and Communications Integration Center to share cybersecurity information and analysis with the private sector, provide incident response and technical assistance to federal and non-federal agencies, and recommend security measures to enhance cybersecurity. President Obama must sign the bill before the legislation takes effect.
Congress Codifies Cybersecurity Responsibilities for DHS
On December 11, the House of Representatives passed the Cybersecurity Workforce Assessment Act, which requires the Department of Homeland Security ("DHS") to periodically assess the cybersecurity readiness of its workforce and to enhance the training and recruitment of this workforce. The bill was presented for President Obama's final approval on December 12.
Congress Enhances Hiring Procedures for DHS
On December 10, the House of Representatives approved the Border Patrol Agent Pay Reform Act of 2014, part of which aims to improve hiring procedures and compensation rates for cybersecurity positions at DHS and requires DHS to file annual reports on these procedures. The legislation needs President Obama's signature before becoming official.
New Jersey Legislature Considers Amending Data Breach Notification Law
On October 23, the New Jersey Assembly Consumer Affairs Committee approved an amendment to the state's breach notification law that would require businesses to inform consumers if their user names, email addresses, or security questions and answers for online accounts become compromised in a data breach. The current law requires notification for breaches involving Social Security numbers, driver's license numbers, or credit and debit card numbers in combination with access codes or passwords. If passed by the full legislature, the bill would take effect 90 days after the date of enactment.
British Columbia Supreme Court Declines to Certify Privacy Class Action
On September 30, the British Columbia Supreme Court refused to certify a class proceeding against an international technology company related to alleged breaches of privacy because the claims were overly broad and imprecisely framed.
Canadian Privacy Commissioner Confirms Doubling of Government Data Breaches Between FY 2013 and 2014
On October 30, the Office of the Privacy Commissioner of Canada released its annual report, which found that the number of data breaches reported to Canada's Federal Privacy Agency by other Canadian government agencies more than doubled during the 2013–2014 fiscal year, but the number of privacy complaints filed by individual Canadians decreased.
Canada's Telecommunications Regulator Offers Guidance for Compliance with Anti-Spam Legislation
In November, the Canadian Radio-Television and Telecommunications Commission offered advice on how to comply with the complexities of Section 8 of Canada's Anti-Spam Legislation. The provision, which is set to take effect January 15, prohibits the installation of a computer program on another person's laptop, phone, desktop, gaming console, or other connected device in the course of commercial activity without the express consent of the device owner or an authorized user.
Alberta Proposes Changes to Personal Information Protection Act
On November 18, the Alberta Legislature passed a first reading on the Personal Information Protection Amendment Act. The proposed amendments specifically address the collection, use, and disclosure of personal information by a trade union in a labor dispute after the Supreme Court of Canada's November 2013 decision in Alberta v. United Food and Commercial Workers, Local 401 to provisionally invalidate the Personal Information Protection Act because the Act improperly restricted union activity.
Canadian and International Privacy Authorities Reach Out to Mobile Application Marketplaces
On December 9, a coalition of global privacy authorities sent a letter to mobile application marketplaces urging them to require privacy policies for applications that collect personal information.
The following Jones Day attorneys contributed to the United States and Canada sections: Chris Cogburn, Steven Gersten, Jay Johnson, Colin Leary, Gabe Ledeen, Chiji Offor, Mauricio Paez, Nicole Perry, Scott Poteet, Jessica Sawyer, Anand Varadarajan, Zach Werner, Olivia White, and Meredith Williams.
Argentina's Supreme Court of Justice Finds Search Engines Not Liable
On October 28, the Argentine Supreme Court of Justice ruled that an internet search engine was not responsible for the online content related to a fashion model who complained that her image was included in pornographic websites. The Argentine Court found that search engines are not obliged to monitor the internet and the content provided by those who run the websites. However, the Court noted that search engines may be held accountable if users file requests to remove links and search engines refuse to comply.
Brazil Considers "Right to Be Forgotten" Law
On November 11, the Brazilian House of Representatives circulated a bill (source document in Portuguese) to the Consumers Defense Commission covering the "right to be forgotten" ("RTBF"), which was recently recognized by the European Court of Justice. Prior to this bill, Brazil enacted a law in April that highlighted freedom of speech and privacy (Federal Law 12.965/14) (source document in Portuguese). Currently, the RTBF is applicable in Brazil only when a former convicted criminal seeks to enforce his or her right to rehabilitation and social integration through confidentiality of criminal and prosecution records.
Brazil and Germany Sponsor New Draft Resolution to Improve Protection Standards Against Digital Spying
On November 25, the United Nations General Assembly's Third Committee (Social, Humanitarian, and Cultural) approved without a vote a new draft resolution sponsored by Brazil and Germany on the right to privacy in the digital age. The new resolution added a reference to metadata in the context of digital surveillance, highlighting that metadata can be used to compile personal profiles of individuals and affirming the responsibilities of private parties when dealing with personal data. The draft resolution must still be voted on by the U.N. General Assembly.
Colombian Chamber of IT and Telecommunications Issues Recommendations to Strengthen Cybersecurity Policy
On November 25, the Colombian Chamber of IT and Telecommunications and Fedesarrollo released a report (source document in Spanish) focused on cybercrime, titled "Developments and Challenges of Digital Defense in Colombia." The report recommended measures to strengthen cybersecurity policy, including creating a national center responsible for training relevant government bodies, enlisting specialized prosecution teams to investigate cyber crimes, and increasing international cooperation.
Mexican Senate Discusses Secondary Laws to Transparency Constitutional Amendment
On September 29, Mexico's data protection authority (Instituto Federal de Acceso a la Información Pública y Protección de Datos, or "IFAI") presented the Mexican Congress with two legislative initiatives, the Proposed General Law of Transparency and Access to Public Information (source document in Spanish) and the Proposed General Law of Protection of Personal Data Held by Public Entities (source document in Spanish), applicable to governmental authorities. On October 7, the Mexican Senate established a working group to incorporate these secondary laws with the transparency reform currently underway.
Mexico's Data Protection Authority Hosts XII Ibero-American Congress on Data Protection
On November 12 and 13, the IFAI hosted the XII Ibero-American Congress on Data Protection (source document in Spanish) in Mexico City. The event featured data protection authorities and experts from public and private sectors throughout North and South America. Topics of discussion included the experience of data protection authorities in the Ibero-American region, privacy in the performance of business activities, institutional models for the protection of personal data, and data privacy in labor relations.
Company Pays Fine Imposed by Mexico's Data Protection Authority
On November 29, the IFAI reported a Mx$129,520 (approximately US$9,300) fine to an undisclosed company for breaching Mexico's data privacy law (Ley Federal de Protección de Datos Personales en Posesión de los Particulares). According to the statement, the fine marks the first time an offender has voluntarily complied with a sanction imposed for breaching the data privacy law. Since the law became effective in 2012, the IFAI has resolved 34 sanctioning procedures, imposing fines that in the aggregate add up to Mx$100,516,107.13 (approximately US$7,217,769.89).
Peruvian Data Protection Authority Fails to Enforce its First Fine
On October 30, the Peruvian Data Protection Authority ("ANPDP") issued a fine of PEN228,000 (approximately US$78,000) against the website DatosPeru.org after the site failed to remove inaccurate personal information regarding two public officials (first fine and second fine). However, the fine is currently unenforceable because ANPDP has not been able to determine who owns the web domain or to identify the person who should be sanctioned.
The following Jones Day attorneys contributed to the Latin America section: Guillermo Larrea and Virginia Uelze.
EUROPE, MIDDLE EAST, AND AFRICA
European Medicines Agency Issues Policy on Publication of Clinical Data
On October 2, the European Medicines Agency ("EMA") published a new policy on the proactive disclosure of clinical data submitted by pharmaceutical companies in the context of marketing authorization applications. The policy would allow the EMA to publish such data after marketing authorization has been granted, and companies would have to redact the submitted dossier for personal data of doctors and patients.
Article 29 Working Party
Article 29 Working Party Issues Opinion on "Internet of Things"
On September 16, the Article 29 Working Party adopted an opinion on recent developments on the "internet of things," in which it specifically investigates three areas: wearable computing, quantified self, and home automation-related devices. The opinion provides stakeholders with practical recommendations for the implementation of the EU data protection rules that focus on obligations imposed on the stakeholders, rights of the users of connected objects, and data security that must be implemented by data controllers.
Article 29 Working Party Raises Concerns to U.S. DOT on IATA New Distribution Capability Project
On September 26, the Article 29 Working Party sent a letter to the U.S. Department of Transportation on the likely impacts of the International Air Transport Association's New Distribution Capability project (IATA Resolution 787) on privacy and data protection. The letter emphasized the need to consult the EU and national data protection rules and referred to compliance measures previously proposed in an earlier letter.
Article 29 Working Party Approves Guidelines Relating to Right to be Forgotten
On November 26, the Article 29 Working Party (GT29) approved guidelines to implement the European Court of Justice's 2014 decision on the right to be forgotten. The guidelines outline the common criteria for the practical implementation of the judgment in the different Member States and establish how to evaluate complaints submitted by individuals when search engines refuse their delisting requests or do not respond to their requests adequately.
Article 29 Working Party Publishes Working Document on Issuing Common Opinions on Contractual Clauses
In a November 26 working document, the Article 29 Working Party proposes a procedure to coordinate the approaches among the various EU data protection authorities to use identical contractual clauses (based on the EU Model Clauses) in different Member States. The document contains criteria to be used when deciding which data protection authority should act as lead authority and discusses a system of mutual recognition.
European Network and Information Security Agency
ENISA Organizes Largest Cybersecurity Exercise Ever in Europe
On October 30, more than 200 organizations and 400 cybersecurity professionals from 29 European countries tested their readiness to counter cyberattacks in a day-long simulation organized by the European Network and Information Security Agency ("ENISA"). The exercise simulated large-scale crises related to critical information infrastructures. ENISA will issue a report with key findings.
ENISA Calls for New Membership in the Permanent Stakeholders' Group
On November 6, ENISA published a call for candidates for membership of the Permanent Stakeholders' Group, ENISA's advisory body, with applications due by January 5, 2015. Twenty experts will be appointed, representing areas such as the information and communication technology industries, consumer organizations, and academic institutions.
ENISA Issues Guidelines on Cryptographic Solutions
On November 21, ENISA issued two reports. The 2014 algorithms, key size, and parameters report provides guidelines to decision-makers on security measures to protect personal data, with a focus on commercial online services, hardware and software side channels, random number generation, key life cycle management, and long-term data-retention issues. The study on cryptographic protocols focuses on the current status of cryptographic protocols, covering guidelines on the protocols required to protect commercial online communications containing personal data.
ENISA Issues Framework on Evaluating National Cybersecurity Strategies
On November 28, ENISA issued a first evaluation framework on national cybersecurity strategies ("NCSS") addressed to policy experts and government officials who design, implement, and evaluate NCSS policy. It is aimed at assisting Member States in developing NCSS capabilities.
European Data Protection Supervisor
European Parliament Names New European Data Protection Supervisor
On November 27, the European Parliament's president announced that the next European data protection supervisor ("EDPS") will be Giovanni Buttarelli. He previously served as assistant EDPS and has been replaced in this role by Wojciech Rafal Wiewiórowski. The EDPS is in charge of protecting personal data and privacy as well as promoting good practice within EU institutions and bodies.
European Data Protection Congress
The 2014 IAPP Europe Data Protection Congress Discusses Cybersecurity Issues
In November, the International Association of Privacy Professionals Europe Data Protection Congress 2014 met in Brussels to discuss major topics in the industry, including the EU General Data Protection Regulation, the right to be forgotten, and the future of the EU-US Safe Harbor decision. Luca de Matteis, a member of the Italian Presidency of the Council of the European Union, gave the keynote address.
New Cybersecurity Center to Coordinate National Strategy
On October 10, Belgium issued a Royal Decree (source document in Dutch) establishing a federal Belgian Cybersecurity Center. The Center's main purpose is to manage Belgian policy on cybersecurity by integrating and coordinating the various authorities already involved in combating cybersecurity threats in Belgium. The Center is expected to be operational in early 2015.
New Belgian Government Establishes Dedicated Privacy Member
On October 11, Bart Tommelein (source document in French) began his position in the Belgian government as the secretary of state responsible for privacy matters. The coalition agreement (source document in Dutch/French) contains a specific chapter on privacy, outlining the revision of the privacy legislation and the reform of the Belgian privacy commission to strengthen its independence and sanctioning powers.
French Supreme Judicial Court Rules that Employee's Personal Information Processed Before CNIL Registration Cannot Be Used as Evidence to Support Employee Dismissal
On October 8, the French Supreme Judicial Court (Cour de cassation) ruled (source document in French) that evidence resulting from personal data processing that occurred prior to registration with the French Data Protection Authority ("CNIL") is illegal and cannot be used to support an employee dismissal. This decision overturns a 2009 decision, in which an appellate court decided that personal data processing that enables the employer to monitor employee email, even if registered afterward with CNIL, did not disqualify the evidence.
French Data Protection Authority Issues "Conformity Pack" to Simplify Formalities for Data Processing by Insurance Professionals
On November 12, CNIL issued a new compliance pack dedicated to professionals of the insurance sector (source document in French). It provides guidance on data protection compliance regarding such issues as the processing by insurance professionals of customer data, Social Security numbers, or criminal data. This insurance "conformity pack" continues CNIL's trend of promoting simplified registration procedures defined in cooperation with major industry players and representatives in order to propose compliance tools adapted to the needs of given industry sectors.
Germany Makes Most Requests for Disclosure of User Data to Facebook
Facebook's 2014 Government Request Report reveals that Germany has the highest number of requests for user data per million Facebook users. However, the U.S. and UK have had a significantly higher rate of success in obtaining data via these requests.
Bavarian Data Protection Authority Inspects Email Servers
As of September, the Bavarian data protection authority conducted an automated online inspection (source document in German) of more than 2,000 email servers of companies located in Bavaria. The inspections evaluated compliance with the security standards of the Federal German Data Protection Act, in particular the encryption protocols in use, support for Perfect Forward Secrecy, and whether the vulnerability exploited by the Heartbleed bug had been patched.
German Federal Supreme Court Submits Questions to ECJ
In October, the German Federal Supreme Court ("BGH") submitted (source document in German) to the ECJ a question regarding whether dynamic IP addresses constitute personal data. In addition, the BGH submitted a second question to the ECJ regarding whether the restrictions imposed by the German Tele Media Act comply with Art. 7 of the EU Data Protection Directive, which allows for the processing of personal data if necessary for legitimate interests pursued by the controller.
German Data Protection Commissioners Update Orientation Guideline on Cloud Computing
In October, the Conference of the German Data Protection Commissioners issued an update (source document in German) of their "2011 Orientierungshilfe—Cloud Computing" ("Orientation Guideline—Cloud Computing"). The changes underlying the recent update discuss the employment of subcommissioned data processors by cloud service providers. The update also discusses the processing of encrypted data, reassessments of international data transfers with emphasis on U.S. NSA surveillance, and the relevance of granting the customer access to protocol data for lawful data transfer to the U.S.
Conference of Data Protection Commissioners Publishes Resolution on Connected Cars
In October, the Conference of the Data Protection Commissioners issued a resolution (source document in German) on the combination of data gathered by car technologies and their disclosure to interested parties, including car insurers or employers. In addition to discussing the application of data minimization and data security to the automotive industry, the resolution also emphasizes the need for driver and owner control of any data processing.
Dutch Courts Address Right to be Forgotten for First Time
On September 19, a Dutch court ruled on the ECJ judgment regarding the "right to be forgotten," finding that an internet search engine did not have an obligation to delete search results naming the plaintiff. The court held that the plaintiff's prior conviction and resulting negative publicity remained permanently relevant, and that there was insufficient evidence that the website links were irrelevant, excessive, or defamatory. According to a November 26 Dutch Data Protection Agency ("DDPA") press release, 30 individuals in the past six months sought relief with the DDPA after having their request for removal denied by the search engine.
DDPA Chairman Asks for Data Processing Transparency for "Internet of Things" Devices
The DDPA chairman argued that companies manufacturing "internet of things" devices should specify the data they collect and use, purposes, and retention policies. The chairman also stated that transparency should be the guiding principle when creating privacy conditions and regulations.
Chairman of DDPA Presents on Privacy Safeguards for Big Data Applications
On October 3, the DDPA chairman called (source document in Dutch) for a robust debate on how to effectively deal with the risks and consequences of big data. The chairman further stated that the current privacy regulations alone cannot tackle the risks associated with big data, and preconditions should be in place to ensure socially responsible application of the big data phenomenon.
DHPA Responds to Pressure to Remove Content from Internet without Judicial Review
In an October 14 statement (source document in Dutch), the Dutch Hosting Provider Association ("DHPA") expressed concerns over pressure from investigative authorities on host internet service providers ("ISP") to remove "illegal" content. According to the statement, the DHPA is worried that removing content without judicial review may amount to censorship and may expose ISPs to third-party liability.
Dutch Government Upholds Existing Implementation of the EU Data Retention Directive and Proceeds with Proposal for Data Retention
On November 17, the Dutch government responded (source document in Dutch) to the ECJ's invalidation of the EU Data Retention Directive in April. To bring the Dutch Telecommunications Data Retention Act in line with the ECJ's decision, the Dutch government proposed several changes, including more restricted access to stored information and access conditioned on judicial permission.
Interim Employment Agencies Violate Personal Data Protection Act
The DDPA concluded (source document in Dutch) that two of the largest interim employment agencies in the Netherlands violated the Personal Data Protection Act when processing personal data of temporary employees. The agencies copied identification documents of persons who did not yet work with the agencies and registered the cause and nature of possible illnesses of temporary employees. The two interim employment agencies have announced measures to amend their procedures, and the DDPA will be monitoring compliance.
DDPA Questions Effectiveness of Legislative Proposal Allowing Imposition of Administrative Fines for Privacy Law Violations
On November 24, the Dutch government proposed to broaden (source document in Dutch) the DDPA's authority to impose administrative fines. The DDPA chairman expressed concern (source document in Dutch) that the proposed procedure will prevent quick and effective responses to severe violations of privacy laws.
Spanish Data Protection Agency Issues Annual Report
On October 13, the Spanish Data Protection Agency published its Annual Report (source document in Spanish) for 2013, which includes the activity and operations of the different areas of the institution, prominent trends for data protection matters, relevant decisions and proceedings, and an analysis of the future challenges for privacy. According to the Annual Report, search engine providers comprised the highest number of claims resolved. The total volume of financial penalties declared in 2013 increased by 6.1 percent from 2012.
Spanish Data Protection Agency Approves New Guide on Impact Assessment on Protection of Personal Data
In October, the Spanish Data Protection Agency approved the New Guide on Impact Assessment on the Protection of Personal Data (source document in Spanish). Although Spain does not require companies to perform this type of impact assessment, the guide describes the measures companies can utilize to analyze the compatibility of their products and services with privacy regulations.
Spanish Courts Amend Spanish Intellectual Property Law
On November 3, the Spanish courts approved Law 21/2014 amending the Revised Text of Intellectual Property Law and amending the Civil Procedure Law. The amendments, which do not become effective until January 1, 2015, represent significant modifications to Spanish regulations on intellectual and industrial property matters. Notably, the amendments acknowledge the taxation of digital content aggregators for using fragments of current information.
UK Government Plans to Extend UK ICO's Ability to Levy Fines for Spam Texts and Calls
On October 25, the UK government proposed to remove the threshold requirement to demonstrate "substantial damage or distress" from the Privacy and Electronic Communications Regulation, broadening the information commissioner's ability to levy fines of up to £500,000 (approximately US$786,852) for nuisance direct marketing calls and SMS messages.
UK House of Commons Science and Technology Committee Warns of Social Media Providers
In a November 28 communication, the UK House of Commons Science and Technology Committee warned that social media site terms and conditions are not fit as a mechanism for demonstrating user consent because the terms and conditions are excessively long and complex. The Committee called on the Information Commissioner and the UK government to develop a set of information standards for clear, concise, and simple terms.
The following Jones Day attorneys contributed to this section: Paloma Bru, Wolfgang Büchner, Undine von Diemar, Christian Fulda, Olivier Haas, Olaf Hohlefelder, Bastiaan Kout, Ted Kroke, Jonathon Little, Laurent De Muyter, Selma Olthof, Elizabeth Robertson, and Thomas Rhys.
The People's Republic of China Supreme People's Court Issues Interpretations Regarding Infringement of Privacy and Personal Information on Internet
On October 10, the China Supreme People's Court approved interpretations (source in Chinese), titled "Provisions of the Supreme People's Court on Several Issues concerning the Application of the Rules regarding Cases of the Infringement of Personal Rights over Information Networks," which assert that genetic information, medical records, health examination data, criminal records, home address, and other personal information should not be shared by network users or network service providers.
Chinese Ministry of Industry and Information Technology Compiles Telecommunications Industry Standards
On November 13, the Chinese Ministry of Industry and Information Technology published for approval (source in Chinese) the "Telecommunications and Internet Services to Protect Users' Personal Information Definition and Classification" and "Telecommunications and Internet Services to Protect Users' Personal Information Classification Guide."
Privacy Commissioner for Personal Data Publishes Guidance Note on Handling Customers' Personal Data for Banking Industry
On October 6, the Privacy Commissioner for Personal Data ("PCPD") published a new guidance note, Guidance on the Proper Handling of Customers' Personal Data for the Banking Industry, to help banks and financial institutions comply with the Personal Data (Privacy) Ordinance when handling their customers' personal data and the customers' data access requests.
PCPD Issues Brochure on Cyber-Bullying
On October 30, the PCPD published a brochure titled Cyber-bullying—What you need to know, to respond to the recent trend in cyber-bullying and to remind internet users of the associated privacy and legal issues.
PCPD Investigates and Reports on Excessive Collection and Disclosure of Personal Data by Recruitment Agencies
On November 20, the PCPD published an investigation report finding that six tutorial service agency websites breached the Personal Data (Privacy) Ordinance. According to the report, these websites collected the Hong Kong identity card numbers of private tutors and information on their contact persons through online registration systems, a practice condemned by the report as both excessive and unnecessary to accomplish identity verification. Another investigation report published on the same day found that 10 employment agencies for foreign domestic helpers were also in breach of the Personal Data (Privacy) Ordinance for similar reasons.
PCPD Publishes Guidance Note on Mobile App Development
On November 25, the PCPD issued a new guidance note titled Best Practice Guide for Mobile App Development to assist mobile app developers in complying with the Personal Data (Privacy) Ordinance when building apps.
Ministry of Economy, Trade, and Industry Publishes Draft Amendment to Guidelines on Personal Information Protection Act
After a review of the public comments, the Ministry of Economy, Trade, and Industry ("METI") published its amended ministerial guidelines on the Personal Information Protection Act on December 12 (source document in Japanese). METI's amendment aims to reinforce security measures taken by companies, particularly in the subcontractor context, by strengthening supervision over subcontractors through the selection, inspection, and audit process.
Diet Passes the Basic Act of Cybersecurity
On November 6, the National Diet enacted the Basic Act of Cybersecurity (source document in Japanese) ("Basic Act"). Under the Basic Act, the Cybersecurity Strategy Headquarters will be established under the Cabinet Secretariat and will be responsible for the preparation, promotion, and implementation of cybersecurity strategic plans. The Basic Act also requires critical infrastructure companies and cybersecurity companies to cooperate with central and local governments to implement cybersecurity policies.
Personal Data Protection Commission Publishes First Annual Report
On October 31, the Personal Data Protection Commission published its first annual report outlining the Commission's activities since its establishment in January 2013. These included issuance of advisory guidelines, outreach events, informal guidance, enforcement, and international engagement. The annual report also discussed an industry readiness survey, which revealed that approximately half of the organizations had put in place data protection measures.
Ministry of Education Promulgates Regulation Governing Personal Information Protection of Private Universities and Private Academic Research Institutions
On August 21, the Ministry of Education issued a regulation governing personal information protection of private universities and private academic research institutions. According to the regulation, private universities and academic research institutions must develop a personal information protection plan and take necessary measures to prevent personal information from being stolen, manipulated, damaged, or illegally disclosed.
Ministry of Justice Issues Management Outline of Personal Information Protection
On September 30, the Ministry of Justice established the department in charge of personal information protection and issued a management outline of personal information protection. The outline covers policy establishment, policy promotion, risk assessment, rules legitimacy review, and training programs.
The following Jones Day attorneys contributed to this section: Elaine Ho, Li-Jung Huang, Anita Leung, Michiru Takahashi, and Grace Zhang.
Australia and New Zealand
OAIC Provides Guidance on the Exercise of Information Commissioner's Regulatory Powers
On November 17, the Office of the Australian Information Commissioner ("OAIC") issued the Privacy Regulatory Action Policy to explain the OAIC's approach to taking regulatory action. The policy details the OAIC's powers of investigation and the factors that the OAIC may take into account when considering enforcement actions in response to privacy breaches. The OAIC is expected to release a Guide to Privacy Regulatory Action to provide further detail on the Information Commissioner's regulatory powers.
The following Jones Day attorneys contributed to this section: Adam Salter and Nicola Walker.