Header graphic for print

HL Chronicle of Data Protection

Privacy & Information Security News & Trends

Posted in Cybersecurity & Data Breaches

Opinion Piece by Hogan Lovells Lawyer in “The Hill” Proposes Opt In Federal Data Security and Breach Notification Legislation

Hogan Lovells Privacy and Information Management lawyer Jared Bomberg makes a novel proposal regarding federal data security and breach notification legislation in his opinion piece in The Hill. Bomberg suggests “making federal rules for data security and breach notification voluntary, opt-in standards enforceable by the FTC, instead of mandatory rules that remove all companies from the state system.” Continue Reading

Posted in International/EU Privacy

Why Binding Safe Processor Rules Are Key to Global Privacy

Ask any data protection officer or privacy counsel what tops their list of trepidations and engaging global data services’ vendors will be up there. The combination of security threats and burdens, restrictions on international data transfers and data-hungry law enforcement authorities has turned delegating any data processing or storage operations to cloud service providers into an unnerving proposition. This is unfortunate given all the practical benefits and crucial role of cloud computing for the world’s economy and the information society. If we add to this the incessant scrutiny of Safe Harbor and the growing distrust surrounding technology giants which is part of the legacy of the post-Snowden era, things are not looking very rosy for the global guardians of our information. It needs not be this way. Continue Reading

Posted in Consumer Privacy

Hogan Lovells Article Anticipates Busy FTC Enforcement Season

Writing for Expert Guide: Competition and Antitrust Law, Hogan Lovells attorneys Dean Hansell and Charles Dickinson discuss the FTC’s current consumer protection initiatives and identify emerging areas of focus of the agency’s regulatory initiatives.  Hansell and Dickinson also expect that the FTC may be “more willing to push enforcement initiatives” with its current roster of Commissioners and offer that “companies of all sizes would be well-served to understand how their businesses might fall under the FTC’s radar.”

To read “Current FTC Enforcement Initiative in the Consumer Protection Arena,” click here.

Posted in Cybersecurity & Data Breaches

NIST Seeks Information on Cybersecurity Framework Experience

Six months after release of the Framework for Improving Critical Infrastructure Cybersecurity (Framework), on August 21 the National Institute of Standards and Technology (NIST) put forward a draft Request For Information (RFI) to learn more about experiences with and effectiveness of the Framework. Through the RFI process, NIST seeks to better understand how organizations in all critical infrastructure sectors are approaching and making specific use of the Framework. Responses to the RFI are expected to shape the agenda for NIST’s 6th Cybersecurity Framework Workshop, its first following the Framework’s release. Continue Reading

Posted in Cybersecurity & Data Breaches

NIST Launches into the Internet of Things

This week, the National Institute of Standards and Technology (NIST) convened the first face-to-face meeting of the cyber-physical systems public working group (CPS PWG) to develop and implement a new cybersecurity framework dedicated to cyber-physical systems (CPS), also known as the “Internet of Things.” Companies developing products and services involving CPS may consider participating in the CPS PWG, as participation in webinars and meetings is open and intended to be convenient. The group’s efforts may affect the legal landscape developing around CPS. Continue Reading

Posted in International/EU Privacy, Privacy & Security Litigation

Unsurprisingly, U.S. Court Rules that Cloud Provider Must Produce Data Stored Abroad

On July 31, a U.S. District Court judge ruled from the bench that Microsoft could be forced to turn over customer emails in the context of a law enforcement investigation even though those emails were stored on servers located in Ireland.  Microsoft had contested the government’s request, arguing that the data was subject to Irish law and that the U.S. government was required to utilize law enforcement treaty channels to obtain the data.  Microsoft has appealed the ruling, which now will be heard by the Second Circuit court of appeals.

Since the ruling, I have had a number of conversations, mostly with lawyers located outside of the U.S., expressing surprise that the ruling gave such seemingly expansive jurisdiction to the U.S. government. But it shouldn’t come as a surprise to those who follow these issues, including readers of Hogan Lovells’ white papers on government access, that U.S. law enforcement can compel companies subject to its jurisdiction to produce data stored abroad, and that many other countries’ governments provide the exact same authority.

Continue Reading

Posted in International/EU Privacy

Is Appointing an EU Controller Still Valuable for Global Businesses?

The dust has yet to settle but much has already been said about the implications of the Google Spain decision by the Court of Justice of the European Union (CJEU) and the right to be forgotten. The controversy has focused on the impact of this judgment on freedom of expression and the right of access to information, as well as the potentially devastating effect of a large amount of deletion requests. EU regulators are wondering – like everybody else – how big and unmanageable this is going to get, whilst search engines scramble for resources to deal with the unknown. With the prospect of an even more demanding EU privacy framework looming over the horizon, the right to be forgotten decision is a potential game changer for the whole Internet industry. But the CJEU did not just enable an unprecedented level of control by individuals over their data, it shook the basis on which the applicability of EU data protection law has been understood until now. Continue Reading

Posted in Consumer Privacy

Destroy Securely: Delaware Adopts New Data Destruction Law

Delaware recently adopted a new law that will add requirements related to the destruction of records containing “personal identifying information.”  With that law, Delaware joined a number of other states that place restrictions on the ways in which entities destroy or dispose of personal information. The Delaware law will become effective January 1, 2015. Continue Reading

Posted in Consumer Privacy

Hogan Lovells Partner Engages in NY Times on Big Data and Inequality

Writing for the New York Times “Room for Debate,” Christopher Wolf, Hogan Lovells partner and co-director of the firm’s global Privacy and Information Management group, focuses on the potential positive uses for Big Data, observing that “Big Data can also advance the interests of minorities and actually fight discrimination.”  Wolf cites examples such as Entelo Diversity, an employee recruiting platform that promises to diversify workplaces by using powerful algorithms to analyze public data and find qualified candidates who are also members of underrepresented classes.

In Is Big Data Spreading Inequality?, Wolf’s Times column is joined by contributions from academia, civil society, and businesses who each offer reflection on the future of Big Data’s impact on inequality.

Posted in Health Privacy/HIPAA

California Appeals Court Rules that Mere Possession of Medical Information by Unauthorized Person is Insufficient to Support Breach Claims Under the CMIA

In a ruling that was welcome news to health care providers, insurers, and others that maintain medical information of California residents, the California Court of Appeals recently held that the mere possession of medical information by an unauthorized person, without actual viewing of the information, is not sufficient to establish a breach of confidentiality under the California Confidentiality of Medical Information Act (CMIA), Cal. Civ. Code §§ 56 et seq.  Continue Reading