HL Chronicle of Data Protection

Privacy & Information Security News & Trends

Posted in International/EU Privacy

Philippines Finalizes Data Privacy Act Implementing Rules

The Philippines Data Privacy Regime

The Philippines’ first comprehensive data protection law, the Data Privacy Act of 2012 (the “Act“), took effect on 8 September 2012. The Act mandated the creation of a National Privacy Commission (“NPC“) to implement, enforce and monitor compliance with the Act, with one of its duties to promulgate rules and regulations to effectively implement the provisions of the Act. It was not until March 2016 that the NPC was officially formed, and soon after issued draft implementing rules and regulations of the Act (“IRRs“). Following a period of public consultation, the IRRs were finalised and formally promulgated on 24 August 2016 and will come into effect today, 9 September 2016.

Posted in Cybersecurity & Data Breaches

FTC Highlights How Agency’s Approach to Data Security Aligns with NIST Cybersecurity Framework

The Federal Trade Commission (FTC) recently presented an analysis of how its approach to data security over the past two decades compares with the Framework for Improving Critical Infrastructure Cybersecurity (NIST Framework) issued in 2014 by the National Institute of Standards and Technology (NIST) and strongly endorsed by the White House.

The FTC’s recent blog post on “The NIST Cybersecurity Framework and the FTC” frames its discussion around the frequently asked question, “If I comply with the NIST Cybersecurity Framework, am I complying with what the FTC requires?”

The FTC first explains how this question has a faulty premise, as the Framework is not designed to be a compliance checklist. Instead, in this new blog post, the FTC outlines how the FTC’s enforcement actions comport with the Framework’s five Core functions (Identify, Protect, Detect, Respond, and Recover) and emphasizes how both the Framework and the FTC’s approach highlight risk assessment and management, along with implementation of reasonable security measures, as the touchstones of any data security compliance program.

Posted in Consumer Privacy

The Federal Aviation Administration’s De Facto Drone Privacy Standards

On August 29, 2016, the Federal Aviation Administration’s (“FAA”) long-awaited small unmanned aircraft systems (“UAS” or “drone”) rule went into effect, for the first time broadly authorizing commercial drone operations. This is a positive step, as drones have great safety and efficiency benefits for the public. Nevertheless, the American public remains concerned about drone privacy issues.

Posted in News & Events

Privacy and Cybersecurity September 2016 Events

Please join us for our September 2016 Privacy and Cybersecurity Events.

September 1
Internet of Things Strategy
Julie Brill will speak on “The Role of Government in IoT: Do We Need a National Strategy?” at the U.S. Department of Commerce’s Internet of Things Workshop.
Location: Alexandria, Virginia
September 5
Brexit and UK Data Protection Policy
Hogan Lovells will be hosting a roundtable discussion with representatives of the UK government to discuss Brexit and UK data protection policy.
Location: Hogan Lovells’ office in London
September 12
Cybercrime Compliance
Christian Tinnefeld will discuss compliance management requirements relating to new anti-cybercrime regulations at a Financial Experts Association event.
Location: Hamburg, Germany
September 15
Data and Business
Scott Loughlin will participate in a breakout session on “Privacy and Cybersecurity: A Big Deal for Big Deals” at the IAPP P.S.R. Conference.
Location: San Jose, California
September 16
Privacy Shield and National Security
Julie Brill will moderate a panel on “Privacy Shield and Its National Security Implications” at the IAPP P.S.R. Conference.
Location: San Jose, California

Posted in Consumer Privacy, Financial Privacy

FTC Seeks Public Comment on Safeguards Rule

The FTC today announced a request for public comment on the Standards for Safeguarding Consumer Information Rule (the Safeguards Rule). The FTC promulgated the Safeguards Rule in 2002, implementing Title V of the Gramm-Leach-Bliley Act (GLBA), which required federal agencies to establish standards for the administrative, technical, and physical safeguards employed by financial institutions for certain information. In addition to general requests for comment, the FTC requested that five specific issues be addressed, which we have outlined below. Comments are due by November 7, 2016.

Posted in Health Privacy/HIPAA

FPF Releases Guide for Consumer Wearables and Wellness Apps and Devices

On Wednesday, August 17, 2016, the Future of Privacy Forum (FPF) released a set of detailed guidelines for the collection and use of consumer-generated wellness data. The document, Best Practices for Consumer Wearables & Wellness Apps & Devices, was drafted by FPF with input from a wide range of stakeholders, including privacy advocates, companies, and regulators. The Best Practices guidelines set forth a Fair Information Practice Principles (FIPPs)-based trust framework that builds on existing legal expectations to provide a set of best practices designed to result in appropriate protections in light of the nature and sensitivity of the data.

Posted in Consumer Privacy

Deirdre Mulligan, Hogan Lovells, Discuss Relations Between Tech Community and Government at Silicon Valley Dinner

On July 25, 2016, Hogan Lovells hosted a Silicon Valley dinner as part of its 2025 dinner series. The theme of the dinner was “I’m from Mars, You’re from Venus: The Tech Community and its Future Relationship with Government”. The discussion, moderated by Deirdre Mulligan of UC Berkeley, focused on the tech community’s view of regulatory, law enforcement and national security issues, here in the U.S. as well as in Europe, and on how the tech industry will be impacted by the upcoming U.S. elections as well as Brexit.

Posted in Health Privacy/HIPAA

ONC Report Identifies Gaps in Data Protection for Health, Wellness, and Fitness Data

A new report from the Department of Health and Human Services (HHS) Office of the National Coordinator for Health Information Technology (ONC) highlights data protection gaps in the U.S. for health data from wearable devices, social media, and emerging technologies. The report, “Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA,” identifies several areas in which privacy and security protections for health data have lagged behind technological developments that are expanding the collection of health data outside the traditional venues for health care.

Posted in Cybersecurity & Data Breaches, Health Privacy/HIPAA

OCR Emphasizes Security Obligations of Business Associates with Latest Enforcement

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is taking an aggressive stand on HIPAA enforcement and targeting violations related to security risk assessments and business associate agreements. Three resolution agreements posted in the last month make clear that the agency expects entities subject to HIPAA to take appropriate steps to secure their data, regardless of the size or type of the entity.

Posted in Consumer Privacy, Privacy & Security Litigation

FTC Unanimously Overturns Dismissal of LabMD Security Practices Case

In a case that could have far-reaching implications for how companies are held liable for data security lapses, the FTC issued an order and opinion unanimously overturning its Chief Administrative Law Judge’s (ALJ) November 2015 dismissal of charges that LabMD’s allegedly lax data security measures were unfair practices under Section 5 of the FTC Act (see our coverage of the ALJ’s decision here). The FTC found that the ALJ applied the incorrect legal standard for unfairness: the question was not whether LabMD’s data security practices were “likely to cause” “substantial consumer injury” in the sense of a probable injury, but whether they presented a “significant risk” of such injury. The FTC went on to issue its own legal and factual findings that LabMD’s data security practices were unreasonable and unfair.

The FTC’s decision marks another twist in a long-running dispute about whether allegedly lax security procedures can, on their own, result in liability when there has not been demonstrated harm to consumers, a line of reasoning that some worry will expose victimized companies to liability. For the time being, the FTC’s decision provides grounds for counseling companies to take steps to ensure their data security programs are aligned with industry standards or best practices. The Commission’s decision reinforces its role as a key player in the field of data security, a role that received additional support in last year’s Wyndham decision in the Third Circuit (see our coverage of that decision here).