Privacy & Information Security Law Blog

On November 23, 2018, both Australia and Chinese Taipei joined the APEC Cross-Border Privacy Rules (“CBPR”) system. The system is a regional multilateral cross-border transfer mechanism and an enforceable privacy code of conduct and certification developed for businesses by the 21 APEC member economies.

In connection with its hearings on data security, the Federal Trade Commission hosted a December 12 panel discussion on “The U.S. Approach to Consumer Data Security.” Moderated by the FTC’s Deputy Director for Economic Analysis James Cooper, the panel featured private practitioners Lisa Sotto, from Hunton Andrews Kurth, and Janis Kestenbaum, academics Daniel Solove (GW Law School) and David Thaw (University of Pittsburgh School of Law), and privacy advocate Chris Calabrese (Center for Democracy and Technology). Lisa set the stage with an overview of the U.S. data security framework, highlighting the complex web of federal and state rules and influential industry standards that result in a patchwork of overlapping mandates. Panelists debated the effect of current law and enforcement on companies’ data security programs before turning to the “optimal” framework for a U.S. data security regime. Among the details discussed were establishing a risk-based approach with a baseline set of standards and clear process requirements. While there was not uniform agreement on the specifics, the panelists all felt strongly that federal legislation was warranted, with the FTC taking on the role of principal enforcer.

On December 4, 2018, the New York Attorney General (“NY AG”) announced that Oath Inc., which was known as AOL Inc. (“AOL”) until June 2017 and is a subsidiary of Verizon Communications Inc., agreed to pay New York a $4.95 million civil penalty following allegations that it had violated the Children’s Online Privacy Protection Act (“COPPA”) by collecting and disclosing children’s personal information in conducting online auctions for advertising placement. This is the largest-ever COPPA penalty.

On December 4, 2018, the Federal Trade Commission published a notice in the Federal Register indicating that it is seeking public comment on whether any amendments should be made to the FTC’s Identity Theft Red Flags Rule (“Red Flags Rule”) and the duties of card issuers regarding changes of address (“Card Issuers Rule”) (collectively, the “Identity Theft Rules”). The request for comment forms part of the FTC’s systematic review of all current FTC regulations and guides. These periodic reviews seek input from stakeholders on the benefits and costs of specific FTC rules and guides along with information about their regulatory and economic impacts.

Hunton Andrews Kurth LLP is pleased to announce that the firm was recognized in the inaugural Chambers and Partners 2019 FinTech guide. The guide commends the firm for attaining an “excellent reputation for the strengths of its data protection and cybersecurity practice, where it counsels FinTech businesses on privacy issues in commercial contracts and transactional matters.”

On November 29, 2018, the French Data Protection Authority (the “CNIL”) launched an online public consultation regarding two new CNIL draft standards (“Referentials”) concerning the processing of personal data to manage (1) business activities and (2) unpaid invoices. 

Hunton Andrews Kurth’s Privacy & Information Security Law Blog has been nominated in The Expert Institute’s 2018 Best Legal Blog Contest for Best AmLaw Blog of 2018. For nearly 10 years, our award-winning privacy blog has provided readers with current information and legal commentary on news stories; breaking international, federal and state legislation; and other issues on privacy, data protection and cybersecurity. We appreciate your continued support and readership, and ask that you please take a moment to vote for our blog. Click here to vote

The Federal Trade Commission published the agenda for the ninth session of its Hearings on Competition and Consumer Protection in the 21st Century (“Hearings Initiative”), a wide-ranging series of public hearings. The ninth session, to take place on December 11-12, 2018, will focus on data security. Lisa Sotto, chair of Hunton Andrews Kurth’s Privacy and Cybersecurity practice, is one of five panel participants discussing “The U.S. Approach to Consumer Data Security.” The panel will be moderated by James Cooper, Deputy Director for Economic Analysis of the FTC’s ...

On November 21, 2018, the Supreme Court of Pennsylvania ruled that a putative class action filed against UPMC (d/b/a The University of Pittsburg Medical Center) should not have been dismissed.

On November 9, 2018, Serbia’s National Assembly enacted a new data protection law. The Personal Data Protection Law, which becomes effective on August 21, 2019, is modeled after the EU General Data Protection Regulation (“GDPR”).