Much of the focus on the California Consumer Protection Act (“CCPA”) has been on the new rights that it affords California consumers, including the rights to access, delete, and opt out of the sale of their personal information. But arguably the greatest risk to covered businesses involves data security, as the CCPA creates for the first time a private right of action with substantial statutory penalties for breaches involving California consumers’ personal information. This installment of the Hogan Lovells’ CCPA series explains the CCPA’s security requirement and consequences for non-compliance, and describes security controls that most organizations can implement to mitigate this risk.
The California Consumer Privacy Act of 2018 (“CCPA”) provides a series of new compliance obligations and operational challenges for companies doing business in California. A vital first step for any company subject to the CCPA and looking to forge a practical path forward is to inventory the personal information (“PI”) that the company collects, stores, and shares with others. As part of our ongoing series on the CCPA and its implications, this post sets out key issues and questions to consider when contemplating a data mapping exercise.
We have heard the California Consumer Privacy Act of 2018 (CCPA) called many things since its enactment on June 28, 2018. Our experience to date has confirmed the compliance challenge ahead for organizations that engage with the residents of the world’s fifth-largest economy. We will explore the ramifications for businesses of this seminal legislation in this multi-part series, “The Challenge Ahead” authored by members of Hogan Lovells’ CCPA team. In this first installment, we describe recent activity to enact so-called “technical” amendments to the CCPA.
With the coming into effect of the GDPR on 25 May 2018, the modernisation of European privacy laws has reached a critical milestone. Hogan Lovells has updated our guide “Future-proofing privacy,” which aims to be a useful starting point for organisations seeking to understand the GDPR and comply with it. Twenty-four authors from 10 European Hogan Lovells offices have contributed their knowledge, efforts, and advice to compile a unique resource of practical guidance. We have identified the key issues and explained why they matter. Crucially, we have approached the new framework with a practical mindset, providing concrete suggestions for actions to take now.
Join us this month as our Privacy and Cybersecurity team will discuss medical device cybersecurity preparedness and response, employee monitoring, IoT’s impact on health care, and key legal and compliance issues for insider threat programs.
According to the Constitution of Mexico, the protection of personal data is a fundamental right of all Mexican citizens. Under federal law, individuals also have a right to access, change, oppose, or suppress their personal data. Although all private companies process data, some are not sufficiently familiar with Mexico’s data privacy principles and regulations, and many may not have an up-to-date assessment of their own risk of a data breach. In addition, they may not be aware that the Mexican Supreme Court’s recent shift in perspective regarding personal injury cases may herald a change in the way data privacy breaches are handled in the future. This interview explores the impact of Mexico’s data privacy regulations on private companies, discusses the unique approach of Mexican regulators to data privacy enforcement, and offers advice as to how companies can stay compliant.
The International Institute for Conflict Prevention and Resolution, a New York-based organisation offering Alternative Dispute Resolution services, has recently announced the launch of a new specialised panel of neutrals, commissioned to deal with cybersecurity disputes. The Cyber Panel is composed of experts in cyber-related areas such as data breaches and subsequent insurance claims. In a press release, Noah Hanft, President of CPR, described the new panel as guiding the “critical effort” by businesses to “prevent and/or resolve cyber-related disputes in a manner that best protects operations, customers and reputation” due to attacks now occurring with increased frequency and sophistication.
Please join us for our June 2017 Privacy and Cybersecurity Events.
“Connected” products—not just traditional IT products—are increasingly subject to cyber attacks globally. The question companies are (and should be) asking is no longer whether there will be an attack involving Internet of Things devices and infrastructure, but when. Join us on May 24 for the third installment of our 2017 IoT webinar series and get practical guidance from our international team of cybersecurity lawyers, who will present key elements of Hogan Lovells’ well-received client workshop on this rapidly evolving topic.
On 19 April 2017, the UK Government’s Department for Culture, Media and Sport (DCMS) published a report on cyber security breaches and how they affected UK companies in the last year. The report indicates that a number of UK companies have not implemented comprehensive cybersecurity policies or implemented strong safeguards to protect against cyber attacks. The General Data Protection Regulation — in particular the requirement to ensure all personal data is protected by appropriate technical and organisational measures — provides a real opportunity for any organisation to build a new cyber security strategy. Documenting the decisions taken on these measures will be useful for showing compliance with the new requirements for data protection by design and by default.
Last week, the UK’s Information Commissioner’s Office published a monetary penalty notice, which fined a private healthcare company, HCA International, £200,000 for its failure to keep sensitive data secure.
The Federal Communications Commission’s Media Relations Office has released a statement announcing Chairman Pai’s intention to stay a data security rule adopted by the Commission late last year in its Broadband Privacy Order. Absent a stay, the rule is set to go into effect on March 2.
On 4 February 2017, the Cyberspace Administration of China issued a draft of the Network Products and Services Security Review Measures for public comment: the Draft Measures remain open for comments until 4 March 2017. The Draft Measures are follow-on legislation to China’s Cyber Security Law adopted on 7 November 2016, which will take effect from 1 June 2017.
Please join us for our February 2017 Privacy and Cybersecurity Events.
In the past month, the National Institute of Standards and Technology has issued a draft update to its flagship cybersecurity framework as well as new standalone guidance on how organizations can plan to recover from cybersecurity events. The publication of these documents demonstrates NIST’s ongoing focus on providing substantive guidance to the private and public sectors alike on cybersecurity risk management. In this post we summarize the highlights of each of these new NIST publications.
Please join us for our December 2016 Privacy and Cybersecurity Events.
The Internet of Things continues to draw broad interest from policymakers and regulators around the globe. Following on the heels of a major distributed denial-of-service attack in October 2016 that leveraged potentially millions of compromised IoT devices, members of Congress have sent letters to US federal agencies regarding the risks posed by insecure IoT devices and held a hearing about what if anything should be the US federal response to such IoT-driven cyberattacks. Against that backdrop, in November 2016 two US federal agencies have issued guidance on securing IoT.
Please join us for our November 2016 Privacy and Cybersecurity Events.
Close followers of the cases FTC v. Wyndham Worldwide Corp. and In the Matter of LabMD know that the litigation has prompted increased Congressional oversight of the Federal Trade Commission’s data security enforcement practices. Prior to Wyndham and LabMD, Congressional debates on the FTC’s data security practices centered on whether the Commission should have additional tools to address these issues, including traditional rulemaking authority to create new data security rules, civil penalty authority to fine violators, or authority over the activities of non-profit entities. To the extent Congress questioned the FTC’s enforcement decisions in this pre- Wyndham and LabMD era, those inquires typically focused on the length of time of FTC settlement agreements, while relatively little attention was paid to how the Commission provided notice of its data security standards or how the Commission chose its enforcement targets. Wyndham and LabMD fundamentally shifted this debate.
Cybersecurity risk continues to evolve at an astonishingly rapid rate, prompting companies to review and adjust their plans to deal with the fast-moving threats posed by an increasingly connected world. At the same time, cybersecurity law and regulation around the world are coming of age. In this complex and uncertain environment, it is not surprising that lawyers are increasingly being asked to guide on governance, counsel on compliance and risk allocation, and lead in the event of a cyber incident.
Drawing on our work with clients across the globe, Hogan Lovells’ cross-practice team of cybersecurity lawyers has launched Ready, Set, Respond, a new set of online cybersecurity resources.
The Federal Trade Commission recently presented an analysis of how its approach to data security over the past two decades compares with the Framework for Improving Critical Infrastructure Cybersecurity issued in 2014 by the National Institute of Standards and Technology and strongly endorsed by the White House. The FTC first explains how this question has a faulty premise, as the Framework is not designed to be a compliance checklist. Instead, in this new blog post, the FTC outlines how the FTC’s enforcement actions comport with the Framework’s five Core functions—Identify, Protect, Detect, Respond, and Recover—and emphasizes how both the Framework and the FTC’s approach highlight risk assessment and management, along with implementation of reasonable security measures, as the touchstones of any data security compliance program.
In a case that could have far-reaching implications for how companies are held liable for data security lapses, the FTC issued an order and opinion unanimously overturning its Chief Administrative Law Judge’s (ALJ) November 2015 dismissal of charges that LabMD’s allegedly lax data security measures were unfair practices under Section 5 of the FTC Act (see our coverage of […]
On 6th July, the UK Government published two independent reviews concerning data security and data sharing in the health and care system in England. At the same time the UK Government launched a public consultation on proposals resulting from these reviews. The public consultation will be of interest to organisations that regularly interact with the public health sector in the UK and in particular to those organisations that rely on access to health data from the NHS for research purposes.
On November 13, 2015, the Federal Trade Commission’s Chief Administrative Law Judge dismissed an FTC administrative complaint based on LabMD’s alleged failure to provide “reasonable and appropriate” security for personal information maintained on its computers. The ALJ concluded that the complaint counsel failed to prove that LabMD’s alleged practices constituted an unfair trade practice. Specifically, according to the ALJ’s initial decision, complaint counsel failed to prove by a preponderance of the evidence the first prong of the three-part unfairness test – that the alleged unreasonable conduct caused or is likely to cause substantial injury to consumers as required by Section 5(n) of the FTC Act. The case is notable for being the first data security case tried before an ALJ and only one of two instances where a company has fought the FTC’s decision to move forward with an enforcement action based on allegations that a company has engaged in unfair practices because of inadequate data security practices. Companies have otherwise voluntarily entered into consent decrees without admitting liability. In the other instance where a company did not capitulate to an FTC enforcement action, Wyndham moved to dismiss the FTC’s lawsuit against it in federal district court based on lack of jurisdiction. Wyndham lost in the district court and on an interlocutory appeal the federal court of appeals upheld that ruling, but remanded the case to district court for a trial on the merits which will assess whether Wyndham’s alleged unreasonable data security practices meet the unfairness factors in section 5(n) of the FTC Act. Accordingly, as the ALJ did here, the court in Wyndham will consider whether the practices and the data breaches there caused or were likely to cause substantial consumer injury under the first prong of an unfairness inquiry