William Long, partner and global co-leader of Sidley’s Privacy and Cybersecurity practice, has been working on global data privacy and information security matters for a number of years. In particular, William advises international clients on a wide variety of General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’), data protection, cybersecurity and financial services issues.
DataGuidance by OneTrust spoke with William about data protection issues in the financial services sector, and in particular about approaching compliance with the GDPR, sector-specific challenges, issues around Big Data, and cybersecurity.
The English Court of Appeal has recently issued a landmark judgment against Google which could open the door to data privacy litigation in the EU.
The case concerned the collection by Google of Safari users’ browser information, allegedly without their knowledge or consent. In its opinion, the Court of Appeal held that four individuals who used Safari browsers can bring a claim for breach of privacy and that the damages claimed can include distress – even in circumstances where there is no financial loss, as this had been the intention of the EU’s Data Protection Directive. To reach this result, the Court relied on EU legal authorities to override and displace limitations on recovery under the UK Data Protection Act.
On May 4, 2015, an intermediate appellate court in California held that the Song-Beverly Credit Card Act of 1971 (Song-Beverly), Cal. Civil Code § 1747.08, does not apply to online transactions involving the sale of merchandise that the buyer chooses to pick up at a retail store.
Recently, the Office of the National Coordinator for Health Information Technology (ONC) and the Office for Civil Rights (OCR) published new guidance on the privacy and security of electronic health information (the “Guide”). Although the Guide was drafted primarily for the benefit of smaller healthcare providers, it provides useful information on privacy and security issues that is potentially valuable to providers of all sizes. The Guide, last published in 2011, provides updated information about compliance with Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs (“Meaningful Use Programs”) and the HIPAA Privacy, Security and Breach Notification Rules.
Connecticut Attorney General George Jepsen has announced the creation of a new Privacy and Data Security Department within the AG’s office. The Department will be tasked with handling all consumer privacy investigations and litigation, as well as educating the public and businesses about protecting sensitive data. Assistant Attorney General Matthew Fitzsimmons, who previously chaired a privacy and data security task force within the AG’s office, will head the new department and its dedicated team of lawyers. The AG has not received any additional funding for the Department.
Cyberthreat Sharing Bills Gain Momentum. On March 12, the Senate Intelligence Committee approved the Cybersecurity Information Sharing Act of 2015 (“CISA”) to increase sharing of cybersecurity threat information by U.S. companies on a vote of 14-1. The legislation grants liability protections for companies that voluntarily share cybersecurity threat information with the government or industry partners. The measure should be scheduled for a vote on the Senate floor shortly.
Yesterday, the United States established a new sanctions program designed to deter and financially target foreign parties who engage in, support or profit from “significant malicious cyber-enabled activities.” Declaring a national emergency, President Barack Obama issued an executive order authorizing the Secretary of the Treasury, in consultation with the Attorney General and Secretary of State, to identify as Specially Designated Nationals and Blocked Persons (SDNs) cyber-actors whose activities significantly harm the national security, foreign policy or economic health or financial stability of the United States. The U.S. government has not yet designated any parties under this new sanctions program. Once parties are so designated, U.S. companies must cease doing business with them and report any blocked property to the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC).
On February 26, 2015, the Federal Communications Commission (FCC) passed the Open Internet Order to reclassify “broadband Internet access service” as a telecommunication service under Title II of the Communications Act of 1934. In doing so, the FCC found that applying section 222 of the Communications Act to broadband Internet access services is in the public interest and necessary for the protection of customers. Section 222 imposes a duty on telecommunications carriers to protect the confidentiality of proprietary information obtained from their customers or other carriers, and imposes special rules for use and disclosure of information related to customers’ phone service and usage, known as customer proprietary network information (“CPNI”).
Montana Governor Steve Bullock has signed a bill, H.B. 74, that will toughen the state’s breach notification law. The bill expands the definition of “personal information” covered by the law to include medical record information (as further defined by the state’s Insurance Information and Privacy Protection Act), taxpayer identification number, or other identification number issued by the Internal Revenue Service. The revised law also requires organizations to notify the Attorney General’s Consumer Protection Office in the event of a breach. Insurance entities such as licensees or insurance support organizations must also provide notification to the state Insurance Commissioner. Notice to these regulators must identify the number of affected individuals, state the date and distribution method of the notice to affected individuals, and include a copy of the notice provided to individuals. The law takes effect October 1, 2015.
On March 2, Wyoming Governor Matt Mead signed a bill, S.F. 36, amending the state’s data breach notification law to revise the state’s definition of “personal information” and to specify the type of information required in notices to individuals. The amendment removes from the definition of “personal information” an individual’s demand deposit account, savings account, employee identification number, place of employment, and mother’s maiden name. At the same time, it adds new data elements to the definition, including taxpayer identification number, birth or marriage certificates, biometric data, medical history and health insurance information. The new law also specifies that a notification letter to individuals affected by a breach must include the types of personal identifying information that were the subject of the breach, a general description of the breach, the approximate date of the breach, and the actions taken to protect the affected system from further breaches.
“A question we often get as financial regulators is: ‘What keeps you up at night?’ The answer is ‘a lot of things.’ But right at the top of the list is the cybersecurity at the financial institutions we regulate.”
Benjamin Lawsky, prepared remarks from speech at Columbia Law School on February 25, 2015.1
Insurance regulators are gearing up to impose enhanced scrutiny on information security practices to boost protection of sensitive personal information.