
HL Chronicle of Data Protection

Privacy & Information Security News & Trends

Posted in News & Events

Student Privacy and Drone Policy: Vote for Hogan Lovells at SXSW 2016

Austin, Texas is renowned for its live music scene, clean air, college vibe … and of course its technology conferences. Two Hogan Lovells lawyers—Bret Cohen and Lisa Ellman—have made the list of finalists for panels at the South by Southwest group of conferences this upcoming March, to talk about Student Privacy and Domestic Drone Policy.

Don’t let the audience miss out on these presentations by voting for them at the links below. Continue Reading

Posted in International/EU Privacy

Russian Data Localization Law: First Day in Force and Schedule for Compliance Inspections

Today, on 1 September, the Russian Data Localization Law came into force. So far there have been no unexpected developments or reports of any unplanned inspections by Roskomnadzor, the Russian Data Protection Authority. Existing planning documents, however, provide some predictability for organizations subject to the law about the schedule under which Roskomnadzor plans on conducting compliance inspections. Continue Reading

Posted in Cybersecurity & Data Breaches

Life is Short. Take Cybersecurity Seriously

This article is not about morality but about an urgently-needed change in behaviour. For real and for good. The much talked-about saga involving the theft and subsequent publication of customer data from extramarital affairs website (what a surreal description!) Ashley Madison has sparked many debates. Opinions have ranged from those who see this as a just punishment for the organised cheating industry to those who have ranked this hack as the most serious privacy violation since the invention of the Internet. The degree of sympathy for the victims has also been variable, but what appears to be a constant theme is the perception that this incident will have more dramatic consequences than any other cyber-attacks we have seen. Continue Reading

Posted in Consumer Privacy, Privacy & Security Litigation

California Legislature Advances UAS Legislation

For the past several years, California’s Legislature has actively sought to regulate unmanned aerial systems (“UAS”), including, but not only, through privacy-related legislation.

In the 2014 session, one bill (AB 2306) passed and was signed by Governor Brown.  It bans the use of UAS to capture images or record voices of people without their permission, and is widely regarded as an anti-paparazzi law, aimed at protecting the many celebrities – and their children – in California’s entertainment industry.  However, the wording of the bill more broadly protects individuals’ privacy from visual or audio recording in a manner that is “offensive to a reasonable person … under circumstances in which the [person] had a reasonable expectation of privacy” if the recording could not have been made without either trespassing or using special equipment (such as a UAS).  The bill is codified at California Civil Code section 1708.8.

In the 2015 session, the California Legislature introduced five more bills, covering a range of issues. Continue Reading

Posted in Consumer Privacy, Cybersecurity & Data Breaches

Analysis of FTC v. Wyndham: Third Circuit Affirms FTC Authority to Regulate Data Security


On Monday, August 24, 2015, the U.S. Court of Appeals for the Third Circuit issued its opinion in FTC v. Wyndham Worldwide Corp., upholding the authority of the Federal Trade Commission (“FTC”) to oversee cybersecurity practices. The Wyndham case first made headlines in June 2012, when it became the first cybersecurity enforcement action to be litigated instead of being resolved by settlement. Wyndham Worldwide Corp. (“Wyndham”) moved to dismiss the FTC’s claims that allegedly insufficient cybersecurity practices constituted unlawful “unfair” and “deceptive” business practices, arguing that the FTC’s unfairness authority did not extend to cybersecurity, and that the statements in its online privacy policy were not deceptive. Since that time, the case has been closely watched as the District Court for the District of New Jersey and the Third Circuit Court of Appeals considered the issue of whether the FTC had authority to regulate cybersecurity under the unfairness prong of § 45(a) of the FTC Act.

The Third Circuit affirmed the ruling of the district court, finding that the FTC has authority to regulate cybersecurity under the unfairness prong of § 45(a) of the FTC Act and that neither the plain meaning of “unfairness” nor congressional action in the area of cybersecurity negates such authority. The Third Circuit also found that, to satisfy due process, a company need not have had “fair notice” of the FTC’s interpretation of what specific cybersecurity standards are required to avoid liability under the unfairness prong of § 45(a), but only “fair notice” that cybersecurity practices can form the basis of an unfair practice under § 45(a)—notice the court found to exist here. Continue Reading

Posted in International/EU Privacy

Influential OECD Report Sets Out Future Challenges for the Digital Economy

The Organisation for Economic Co-operation and Development (OECD) has published its 2015 Digital Economy Outlook (“Report”), a survey of changes and opportunities in, and challenges arising from, the digital economy. The Report identifies three broad trends for member countries and their partners to focus on in digitising their economies: Continue Reading

Posted in Cybersecurity & Data Breaches

FTC v. Wyndham: Third Circuit Affirms FTC Authority to Regulate Data Security


The United States Court of Appeals for the Third Circuit’s much anticipated ruling in FTC v. Wyndham has now been released. The court affirmed the FTC’s authority under section 5 of the FTC Act to seek consent decrees or bring enforcement actions against companies that allegedly failed to put in place reasonable cybersecurity practices to protect consumer data. The court also affirmed the district court’s finding that the Federal Trade Commission provided sufficient “fair notice” to Wyndham regarding the cybersecurity practices the agency deems reasonable to avoid liability under the FTC Act. With this decision, the case will now move forward to the merits phase at the district court. A more detailed analysis of this decision will be posted here shortly.

For our previous blog post on FTC v. Wyndham, click here.

Posted in Cybersecurity & Data Breaches

NIST Requests Input on Revised Cryptographic Standards

On August 12, the National Institute of Standards and Technology (NIST) published a Request for Information (RFI) to help develop the next generation of technical encryption standards used by the U.S. Government and federal contractors to protect sensitive information. The new standard will update Fair Information Processing Standard (FIPS) 140-2, which has provided the baseline requirements for the development, testing, and validation of cryptographic modules since 2001. While the RFI seeks input on several questions, NIST is primarily interested in the risks and benefits of transitioning—in whole or in part—to a competing standard developed by the International Standards Organization and International Electrotechnical Commission: ISO/IEC 19790:2012. Continue Reading

Posted in Consumer Privacy

FTC Settlement Reinforces Lessons for Data Broker Industry

The FTC has brought a number of actions over the years against companies that shared or failed to protect consumer information in violation of privacy policy promises or transferred data in violation of specific laws, such as the Fair Credit Reporting Act. In what may be viewed as charting new territory, the FTC recently brought a second action against a data broker for selling payday loan application information to entities that were not engaged in making any kind of loans to consumers. Both sets of defendants purchased payday loan application information from online payday loan websites where consumers provided personal information, including financial institution account information, on the applications. The defendants purchased the application information from the websites and sold the information to third parties who did not make payday loans to consumers, but rather made unauthorized charges to consumers’ accounts. The Commission alleged that the selling of such sensitive information was unfair. Continue Reading

Posted in International/EU Privacy

Russia Introduces a Right to be Forgotten

With the aim of keeping pace with European practice, on July 13th 2015, the Russian President signed into law a bill amending the Federal Law “On Information, information technologies and on protection of information” No. 149-FZ of 27 July 2006. This law (the “Law”) introduces in Russia the so-called “right to be forgotten” or “right to oblivion” and will take effect on January 1st 2016.

Under the Law, upon receiving a request from an individual, search engines must cease listing links to Internet pages with information on the individual where such information is:

  • unlawfully disseminated;
  • untrustworthy;
  • outdated; or
  • irrelevant (i.e. it has lost its importance to the individual due to subsequent events or actions of the individual).

Continue Reading