HL Chronicle of Data Protection

Privacy & Information Security News & Trends

Posted in Consumer Privacy

Department of Education Clarifies Obligations of Schools When Contracting With Online Service Providers

The Department of Education recently released a fourteen-page guidance document that intensifies the pressure on school districts, schools, and higher education institutions to examine and confirm the sufficiency of the procedures they use when engaging a service provider to host or process student data. A recent Hogan Lovells Education and Privacy Alert analyzes this guidance, through which the department has put entities covered by student privacy laws on notice of its expectations regarding their responsibilities when entering into these arrangements. Service providers who store and process student data on behalf of school districts and schools should therefore carefully consider the guidance and how it may affect the market for their services and the contractual demands from their education customers.

For a detailed analysis of the guidance document authored by members of the Hogan Lovells Education and Privacy and Information Management practices, click here.

Update: On April 1 at 1:00pm ET, Harriet Pearson, Maree Sneed, Bret Cohen, and Michelle Tellock, authors of the Hogan Lovells Education and Privacy Alert, will discuss the guidance and its implications for schools, school districts, and their service providers during a webinar hosted by the American Association of School Administrators. To register for the webinar, click here.

Posted in Health Privacy/HIPAA

HHS Reaches First Settlement with Local Government Over HIPAA Violations

The U.S. Department of Health and Human Services (HHS) sent a strong message to local governments last week when it reached a settlement with Skagit County, Washington over alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). This is the first time that HHS has settled charges against a local—and not state level—government entity for HIPAA violations (in a prior HIPAA enforcement action, HHS reached a settlement with Alaska’s state Medicaid agency).

Posted in International/EU Privacy

European Parliament Overwhelmingly Approves Data Protection Regulation

On 12 March 2014, the European Parliament voted overwhelmingly in favour of the European Commission’s data protection reform with 621 votes for, 10 against, and 22 abstentions for the proposed General Data Protection Regulation. The vote is significant because it confirms the approval of the European Parliament, one of the required participants in the so-called “trilogue” process along with the Commission and the Council, which will not change even if the composition of the Parliament changes following the European elections in May.

Posted in Financial Privacy

CFTC Issues GLBA Security Guidelines

The Commodity Futures Trading Commission (CFTC) has issued guidance for CFTC-regulated financial institutions on compliance with the security safeguards provisions of Title V of the Gramm-Leach-Bliley Act (GLBA). In a Staff Advisory, the CFTC recommends that futures commission merchants, commodity trading advisors, commodity pool operators, introducing brokers, retail foreign exchange dealers, swap dealers, and major swap participants implement certain best practices to meet their obligations under GLBA, as well as the CFTC’s GLBA regulations at 17 C.F.R. Part 160, to adopt policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information.

Posted in International/EU Privacy

CNIL Adds New Consent Requirement for Use of Credit Card Data

The CNIL, France’s data protection authority, published on 25 February 2014 a new recommendation relating to the collection of credit card information (in French), replacing an older 2003 recommendation. The new recommendation, which represents a de facto standard for online merchants and payment services providers who collect data from French consumers, is more prescriptive than the old, particularly regarding how online merchants should seek consent for the retention of credit card information.

Posted in News & Events

Hogan Lovells Engages at IAPP Global Privacy Summit

The Hogan Lovells Privacy Team looks forward to seeing many of you this week at the International Association of Privacy Professionals (IAPP) Global Privacy Summit in Washington, D.C. We are delighted to once again participate in the Summit as a gold level sponsor and hope you will visit us at Booth 7 in the Exhibition Hall to learn more about our Global Privacy and Information Management Practice. Hogan Lovells attorneys will also be featured at a number of breakout sessions:

Posted in International/EU Privacy

French Data Protection Authority Broadens the Scope of Its Whistleblowing Authorization

The French data protection authority (the Commission Nationale de l’Informatique et des Libertés – CNIL) has just published an amended version of its standard authorization for professional whistleblowing helplines which results in a significant broadening of its scope but also tightens the requirements for anonymous reporting.

Under French data protection legislation, whistleblowing helplines are subject to prior authorization by the French data protection authority. Indeed, French data protection legislation requires that processes which may result in the exclusion of a person from the benefit of a right or a contract are subject to prior authorization, as could be the case when resorting to a whistleblowing helpline (employees may incur sanctions and be terminated).

Posted in International/EU Privacy

Isabelle Falque-Pierrotin Selected Head of Article 29 Working Party

Isabelle Falque-Pierrotin, the recently reelected president of the French Data Protection Authority, the CNIL, was elected today to head the Article 29 Working Party for two years effective immediately. The Article 29 Working Party brings together representatives of data protection authorities of the EU Member States, the European Data Protection Supervisor, and other European data protection authorities as observers. The Working Party is influential in its examination and pronouncements on EU data protection matters, and is charged with giving expert advice to the member states regarding data protection, with promoting equal application of the Data Protection Directive in all EU member states and with giving the European Commission input on data protection matters.

Posted in Cybersecurity & Data Breaches

New U.S. Cybersecurity Framework Issued: In Wake of Cyberattacks and Lawsuits, How Should Organizations Respond?

For an in-depth analysis of the new U.S. cybersecurity Framework, click here.

With cyberattacks prompting litigation, regulatory inquiries, and reactions from customers and media outlets on an almost daily basis, companies of every type are considering what they should be doing now to address the risks of cyber intrusions and data security breaches.