Privacy & Information Security Law Blog

In 2017, over $1.3 billion has been raised by start-ups through Initial Coin Offerings (“ICOs”), a relatively new form of financing technique in which a company (typically one operating in the digital currency space) seeking to raise seed money makes a “token” available for sale, and the token gives the purchaser some future right in the business or other benefit. Amidst much anticipation, on July 25, 2017, the Securities and Exchange Commission (“SEC”) released a Report of Investigation (“Report”) under Section 21(a) of the Securities Exchange Act of 1934 ...

On August 14, 2017, the Colombian Superintendence of Industry and Commerce (“SIC”) announced that it was adding the United States to its list of nations that provide an adequate level of protection for the transfer of personal information, according to a report from Bloomberg BNA. The SIC, along with the Superintendence of Finance, is Colombia’s data protection authority, and is responsible for enforcing Colombia’s data protection law. Under Colombian law, transfers of personal information to countries that are deemed to have laws providing an adequate level of ...

In the wake of China’s Cybersecurity Law going into effect on June 1, 2017, local authorities in Shantou and Chongqing have brought enforcement actions against information technology companies for violations of the Cybersecurity Law. These are, reportedly, the first enforcement actions brought pursuant to the Cybersecurity Law.

On August 11, 2017, the FTC published the fourth blog post in its “Stick with Security” series. As we previously reported, the FTC will publish an entry every Friday for the next few months focusing on each of the 10 principles outlined in its Start with Security Guide for Businesses. This week’s post, entitled Stick with Security: Require secure passwords and authentication, examines five effective security measures companies can take to safeguard their computer networks.

On August 1, 2017, a unanimous three-judge panel for the D.C. Circuit reversed the dismissal of a putative data breach class action against health insurer CareFirst, Attias v. CareFirst, Inc., No. 16-7108, slip op. (D.C. Cir. Aug. 1, 2017), finding the risk of future injury was not too speculative to establish injury in fact under Article III. 

On August 9, 2017, Nationwide Mutual Insurance Co. (“Nationwide”) agreed to a $5.5 million settlement with attorneys general from 32 states in connection with a 2012 data breach that exposed the personal information of over 1.2 million individuals. 

On August 4, 2017, the FTC published the third blog post in its “Stick with Security” series. As we previously reported, the FTC will publish an entry every Friday for the next few months focusing on each of the 10 principles outlined in its Start with Security Guide for Businesses. This week’s post, entitled “Stick with security: Control access to data sensibly,” details key security measures businesses can take to limit unauthorized access to data in their possession.

In a video roundtable series, Hunton & Williams LLP partners Lisa J. Sotto and Steven M. Haas and special counsel Allen C. Goolsby, along with Stroz Friedberg’s co-president Eric M. Friedberg and Lee Pacchia of Mimesis Law, discuss the special consideration that should be given to privacy and cybersecurity risks in corporate transactions.

On August 7, 2017, the UK Government’s Department for Culture, Media and Sport published a Statement of Intent setting out the planned reforms to be included in the forthcoming Data Protection Bill, which we previously reported is expected to be laid before the UK Parliament in early September.

Media sources have reported that the UK Department for Culture, Media & Sport has confirmed its plans to present its Data Protection Bill to Parliament when MPs return to Parliament in early September. The Bill follows commitments made in the Queen’s Speech in June, and will effectively copy the EU General Data Protection Regulation (“GDPR”) into the UK statute book. The Bill’s primary aim is to ensure that the UK retains the same data protection laws as the rest of the EU once it leaves the EU, which is likely to be in March 2019.