Category

Enforcement

03 April 2019

The Belgian Data Protection Authority Appoints First Commissioner and Directors

On 29 March 2019, the Belgian House of Representatives appointed a new Data Protection Commissioner and four directors to the executive committee of the Belgian Data Protection Authority (‘DPA’).

These are the first appointments to be made to the DPA since it replaced the previous Belgian Privacy Commission in anticipation of the EU GDPR. This is therefore the first time that executive roles have been officially filled in the context of the regulator’s expanded competence – including the DPA’s new power to impose administrative fines of up to €20,000,000 EUR or 4 percent of an undertaking’s worldwide annual revenues for certain infringements of the EU GDPR.

(more…)

EmailShare
14 March 2019

FTC Announces Record-Setting $5.7M COPPA Penalty

On February 27, 2019, the Federal Trade Commission (“FTC”) announced a record-setting $5.7 million civil penalty against makers of the popular free video creation and sharing app, Musical.ly (now known as TikTok), for violations of U.S. children’s privacy rules. This is the largest civil penalty the FTC has issued concerning violations of the Children’s Online Privacy Protection Act (“COPPA”).

(more…)

EmailShare
12 March 2019

FTC Seeks Comment on Proposed Changes to its GLBA Safeguards and Privacy Rules

Over the last few years, States have enacted increasingly aggressive legislation concerning data privacy and security, raising concerns that companies will be subject to a patchwork of different standards.  Congress has recently taken notice, convening hearings on potential federal privacy legislation, with the possibility of preemption a hot topic during the hearings.  Last week, the Federal Trade Commission (“FTC”) got into the act as well, releasing two notices of proposed rulemaking (“NPRM”) on potential changes to its the Standards for Safeguarding Customer Information (“Safeguards Rule”) and Privacy of Consumer Financial Information Rule (“Privacy Rule”) under the Gramm-Leach-Bliley Act.  The proposed amendments – and particularly the proposed changes to the Safeguard Rule – signal the FTC’s desire to align its rules with those of key states and to further protect customer information held by financial institutions.

(more…)

EmailShare
28 February 2019

FCA Publishes Wholesale Banks and Asset Management Cyber Multi-Firm Review Findings

The UK Financial Conduct Authority (“FCA”) has carried out a multi-firm review of cybersecurity practices with a sample of 20 firms in the wholesale banking and asset management sectors (the “Report”). The review aimed to look more closely at how wholesale banking and asset management firms oversee and manage their cybersecurity, including the extent to which firms identify and mitigate relevant cyber risks and their current capability to respond to and recover from data security incidents.

(more…)

EmailShare
26 February 2019

NERC $10,000,000 Fine of Public Utility Highlights the Need for Cybersecurity Preparedness and CIP Compliance Programs

On January 25, 2019, the North American Electric Reliability Corporation (“NERC”) asked the Federal Energy Regulatory Commission (“FERC”) to approve a settlement issuing a record $10 million fine against an unidentified utility resulting from violations of critical infrastructure protection standards (“CIP”) occurring mostly between 2015 and 2018 (referred to hereafter as the “Settlement Agreement”).  Although none of the violations resulted in any reported outages, NERC concluded that the cumulative effect of the violations posed a serious risk to the reliability of the bulk U.S. power grid because “many of the violations involved long durations, multiple instances of noncompliance, and repeated failures to implement physical and cyber security protections.” Settlement Agreement at 12.

(more…)

EmailShare
11 February 2019

Michigan Adopts National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law

On December 28, 2018, Michigan adopted the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law in the form of Michigan H.B. 6491 (Act). By doing so, Michigan joins Ohio and South Carolina as the third state to adopt the Model Law and the fifth state – along with Connecticut and New York – to have enacted cybersecurity regulations focused on insurance companies. See CT Gen Stat § 38a-999b (2015); 23 NYCRR 500. (Please see our prior coverage for more information on Ohio and South Carolina’s adoption of the Model Law).  Moreover, adoption of the Model Law is still gaining steam with Rhode Island potentially next in line.

(more…)

EmailShare
06 February 2019

First Multistate HIPAA Data Breach Lawsuit May Signal Increased State Interest in Data Security Enforcement

On December 3, 2018, twelve attorneys general (“AGs”) jointly filed a data breach lawsuit against Medical Informatics Engineering and its subsidiary, NoMoreClipboard LLC (collectively “the Company”), an electronic health records company, in federal district court in Indiana.  See Indiana v. Med. Informatics Eng’g, Inc., No. 3:18-cv-00969 (N.D. Ind. filed Dec. 3, 2018).  The suit—led by Indiana Attorney General Curtis Hill—is joined by AGs from Arizona, Arkansas, Florida, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina and Wisconsin.  While state AGs have previously exercised their civil enforcement authorities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), this is the first multi-state data breach lawsuit alleging HIPAA violations in federal court and may signal increased interest on the part of state officials in exercising their data protection authorities to address cybersecurity incidents.

(more…)

EmailShare
04 February 2019

Second Annual Review of Privacy Shield Continues to Call for Improvements; White House Nominates Privacy Shield Ombudsperson

In December 2018, the European Commission published its report on the second annual review of the EU-US Privacy Shield (the “Report”). The Report concluded that the Privacy Shield “continues to ensure an adequate level of protection” for personal data transferred from the EU to the US. However, the Commission did identify a number of recommendations from the first annual review which still required implementation including the appointment by the US of a permanent ombudsperson to oversee complaints.  To date, the U.S. has only appointed an interim ombudsperson (Manisha Singh). In the first annual review, the Commission did not set a deadline for the appointment. However, the latest review required an appointee to be identified by 28 February 2019 failing which the Commission will “consider taking appropriate measures.”

(more…)

EmailShare
XSLT Plugin by BMI Calculator