We held our 5th Annual Privacy and Cybersecurity Roundtable on May 1, in Washington, D.C. The event featured the Chair of the European Data Protection Board Andrea Jelinek and FTC Commissioner Noah Phillips. Other government speakers represented the White House, UK’s Information Commissioner’s Office, and staff members from the U.S. Senate and House of Representatives. Other distinguished panelists included Cam Kerry of Brookings and Jane Horvath from Apple. The speakers addressed privacy and cybersecurity enforcement in the U.S. and EU, Brexit, Online Harms and the prospects for federal privacy legislation. The insightful program was followed by a competition between the sausage-making (and brewing) achievements of leading privacy jurisdictions such as Brussels, California, Washington, D.C. and China (representing a privacy continuum!). Sidley also commemorated “20 Years of CyberLaw at Sidley” – two decades since the founding of today’s Privacy and Cybersecurity practice. We look forward to continuing to thrive and serve our clients. We hope to see you at next year’s Privacy and Cybersecurity Roundtable.
New Annual HIPAA Penalty Tiers
Six months after imposing the largest ever HIPAA fine ($16 million) following a HIPAA data breach, the U.S. Department of Health & Human Services’ Office for Civil Rights (“OCR”) has announced that it is exercising its enforcement discretion to lower maximum annual HIPAA penalties.
The Malaysia Personal Data Protection Act applies to all companies operating in Malaysia, as well as persons not established in Malaysia, if they use equipment in Malaysia for the processing of personal data otherwise than for the purposes of transit through Malaysia. (more…)
On 29 March 2019, the Belgian House of Representatives appointed a new Data Protection Commissioner and four directors to the executive committee of the Belgian Data Protection Authority (‘DPA’).
These are the first appointments to be made to the DPA since it replaced the previous Belgian Privacy Commission in anticipation of the EU GDPR. This is therefore the first time that executive roles have been officially filled in the context of the regulator’s expanded competence – including the DPA’s new power to impose administrative fines of up to €20,000,000 EUR or 4 percent of an undertaking’s worldwide annual revenues for certain infringements of the EU GDPR.
The updated 2019 Chambers Global Practice Guide for Data Protection & Cybersecurity is available, covering important developments across the globe and bringing expert legal commentary for businesses particularly involved in the life sciences sector. Read More
On February 27, 2019, the Federal Trade Commission (“FTC”) announced a record-setting $5.7 million civil penalty against makers of the popular free video creation and sharing app, Musical.ly (now known as TikTok), for violations of U.S. children’s privacy rules. This is the largest civil penalty the FTC has issued concerning violations of the Children’s Online Privacy Protection Act (“COPPA”).
Over the last few years, States have enacted increasingly aggressive legislation concerning data privacy and security, raising concerns that companies will be subject to a patchwork of different standards. Congress has recently taken notice, convening hearings on potential federal privacy legislation, with the possibility of preemption a hot topic during the hearings. Last week, the Federal Trade Commission (“FTC”) got into the act as well, releasing two notices of proposed rulemaking (“NPRM”) on potential changes to its the Standards for Safeguarding Customer Information (“Safeguards Rule”) and Privacy of Consumer Financial Information Rule (“Privacy Rule”) under the Gramm-Leach-Bliley Act. The proposed amendments – and particularly the proposed changes to the Safeguard Rule – signal the FTC’s desire to align its rules with those of key states and to further protect customer information held by financial institutions.
The UK Financial Conduct Authority (“FCA”) has carried out a multi-firm review of cybersecurity practices with a sample of 20 firms in the wholesale banking and asset management sectors (the “Report”). The review aimed to look more closely at how wholesale banking and asset management firms oversee and manage their cybersecurity, including the extent to which firms identify and mitigate relevant cyber risks and their current capability to respond to and recover from data security incidents.
On January 25, 2019, the North American Electric Reliability Corporation (“NERC”) asked the Federal Energy Regulatory Commission (“FERC”) to approve a settlement issuing a record $10 million fine against an unidentified utility resulting from violations of critical infrastructure protection standards (“CIP”) occurring mostly between 2015 and 2018 (referred to hereafter as the “Settlement Agreement”). Although none of the violations resulted in any reported outages, NERC concluded that the cumulative effect of the violations posed a serious risk to the reliability of the bulk U.S. power grid because “many of the violations involved long durations, multiple instances of noncompliance, and repeated failures to implement physical and cyber security protections.” Settlement Agreement at 12.
On December 28, 2018, Michigan adopted the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law in the form of Michigan H.B. 6491 (Act). By doing so, Michigan joins Ohio and South Carolina as the third state to adopt the Model Law and the fifth state – along with Connecticut and New York – to have enacted cybersecurity regulations focused on insurance companies. See CT Gen Stat § 38a-999b (2015); 23 NYCRR 500. (Please see our prior coverage for more information on Ohio and South Carolina’s adoption of the Model Law). Moreover, adoption of the Model Law is still gaining steam with Rhode Island potentially next in line.