Privacy & Information Security Law Blog

On June 29, 2021, the UK Department for Digital, Culture, Media and Sport (“DCMS”) published guidance for businesses on child online safety, which includes guidance on data protection and privacy, age-appropriate content, positive user interactions, and protecting children from online sexual exploitation and abuse.

On July 22, 2021, a Magistrate Judge in the U.S. District Court for the Middle District of Pennsylvania (the “Court”) ordered Rutter’s, a convenience-store chain, to produce an investigative report prepared by a security consultant regarding a suspected data breach event, as well as all communications between the party and the company performing the investigation. In the ruling, Rutter’s Data Sec Breach Litig, No. 1:20-cv-000382-JEJ-KM, the Court held that the report and related communications were not protected from disclosure by the work product doctrine or the attorney-client privilege.

On July 22, 2021, the Dutch Data Protection Authority (“Dutch DPA”) announced that it had imposed a €750,000 fine on TikTok for violating the privacy of young children namely for the company’s alleged lack of transparency.

On July 28, 2021, President Biden signed a National Security Memorandum entitled “Improving Cybersecurity for Critical Infrastructure Control Systems” (the “Memorandum”). The Memorandum formally establishes an Industrial Control Systems Cybersecurity Initiative and directs the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) and the Department of Commerce’s National Institute of Standards and Technology (“NIST”), in collaboration with other agencies, to develop and issue cybersecurity performance goals for critical infrastructure. The Memorandum follows recent high-profile attacks on U.S. critical infrastructure, including ransomware attacks on Colonial Pipeline and JBS Foods.

The California Attorney General (“AG”) recently released a summary of enforcement actions the agency brought against companies in violation of the CCPA since enforcement of the Act began on July 1, 2020. The summary provides 27 illustrative examples of instances in which the AG sent notices of alleged noncompliance with the CCPA and how each company cured the alleged noncompliance.

On July 9, 2021, President Biden signed the Executive Order on Promoting Competition in the American Economy (the “Executive Order”). The stated goal of the Executive Order is to increase competition in the United States and resolve issues related to monopolistic behaviors, including with respect to privacy and data protection.

On July 2, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth published a white paper on How the Legitimate Interest Ground for Processing for Processing Enables Responsible Data Use and Innovation (the “Paper”). The Paper explains the growing importance of the legitimate interests legal basis for organizations, whether for routine or more complex and innovative data processing activities. It provides recommendations on how this legal basis should be interpreted, used and applied to unlock the value of data in today’s global connected world. Finally, the Paper includes examples of data processing activities where organizations currently rely on the legitimate interests legal basis, illustrated by 16 case studies that describe how organizations balance the legitimate interest of the controller and individuals’ rights and freedoms.

Hunton Andrews Kurth LLP is pleased to announce that POLITICO has named Centre for Information Policy Leadership (“CIPL”) President Bojana Bellamy among its Tech 28, the news organization’s inaugural list of top “rulemakers, rulebreakers and visionaries” shaping the future of technology in Europe and beyond.

On July 13, 2021, federal bank regulators – the Board of Governors of the Federal Reserve System (the “Board”), the Federal Deposit Insurance Corporation (“FDIC”) and the Office of the Comptroller of the Currency (“OCC”) (collectively, the “Regulators”) – requested public comment on proposed joint guidance regarding banking organizations’ management of risks related to relationships with third-party support and service providers (the “Proposed Guidance”). Each of the Regulators previously issued guidance on the subject for their respective supervised banking organizations. The Proposed Guidance seeks to promote consistency in banking organizations’ third-party risk management, replacing agency-specific guidance with a framework that applies to all banking organizations supervised by the Regulators. According to the Regulators, the Proposed Guidance largely would adopt the text of the OCC’s 2013 guidance, broadening its scope to include organizations supervised by all three Regulators.

On July 12, 2021, Chris Inglis was formally sworn in as the first White House National Cyber Director. The newly established position, as well as the Office of the National Cyber Director, was created as part of the 2021 National Defense Authorization Act. Inglis, who previously served as the National Security Agency Deputy Director, was unanimously confirmed to the position by the Senate on June 17, 2021.

Read more on the Office of the National Cyber Director.