NIST releases “Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans.”

On December 12, 2014, the National Institute of Standards and Technology (“NIST”) announced the release of Special Publication 800-53A, Revision 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans (“SP 800-53A”). SP 800-53A is a companion guideline to Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations (“SP 800-53”), and discusses how to build effective assessment plans and how to analyze and manage assessment results. NIST’s announcement highlights [...]

23 Privacy Enforcement Authorities Issue a Joint Open Letter to App Marketplaces

On December 9, 2014, a joint open letter (“Letter”) was issued to the operators of seven (7) app marketplaces, urging them to “make the basic commitment to require each app that can access or collect personal information, to provide users with timely access to the app’s privacy policy.” Although the Letter was sent to Apple, Google, Samsung, Microsoft, Nokia, BlackBerry and Amazon.com, the Office of the Privacy Commissioner of Canada (“OPC”) explains that it is intended for all companies that operate app marketplaces. The Letter was issued by twenty-three (23) privacy enforcement [...]

CFPB’s Final Rule Allows Online Privacy Notice Posting In Certain Circumstances

The Consumer Financial Protection Bureau (CFPB) recently published a final rule regarding annual privacy notices from financial institutions to their customers. The rule allows financial institutions that limit their consumer data-sharing and meet other requirements to post their annual privacy notices online rather than delivering them individually. Under the Gramm-Leach-Bliley Act (GLBA), financial institutions generally must send annual privacy notices to customers. These notices must describe whether and how the financial institution shares consumers’ nonpublic personal information. If [...]

Giovanni Buttarelli Confirmed as New European Data Protection Supervisor

On November 27, the European Parliament confirmed that Giovanni Buttarelli will serve as the next European Data Protection Supervisor (“EDPS”). Buttarelli will take over for Peter Hustinx, who served as EDPS for 10 years. Prior to his appointment, Buttarelli was the Assistant EDPS, a position which will now be held by Wojciech Rafal Wiewiórowski. Buttarelli’s privacy experience dates back to 1996, when he chaired the European Union Council Working Group, which drafted Directive 97/66/EC concerning the processing of personal data and the protection of privacy in the telecommunications [...]

European Data Protection Supervisor Releases Guidelines on Data Protection for Financial Services Regulation

The European Data Protection Supervisor has released guidance to European financial services regulators to help them analyze data protection and privacy in the financial services arena. The guidance sets forth a 10-step methodology to “facilitate policymaking which respects the fundamental rights and freedoms in the [EU Charter of Fundamental Rights] and in particular the rights to privacy and to the protection of personal data.” The 10 steps to assessing data protection aspects of proposed measures include identifying the personal information to be processed, defining the purpose for processing [...]

FTC Settles with TRUSTe Inc. Over Deception Claims

The Federal Trade Commission (FTC) and TRUSTe Inc. entered into a settlement agreement Monday over the FTC’s allegations that the internet privacy certifier deceived consumers about its privacy seal recertification program and allowed its customers to falsely advertise it as a nonprofit entity. Under the settlement, TRUSTe will pay a $200,000 fine and stop making certain claims. TRUSTe provides seals to businesses that meet requirements for consumer privacy programs that it administers. TRUSTe seals represent to consumers that businesses’ privacy practices are in compliance with specific [...]

Kim Peretti Addresses Cyber Risk with the National Retail Federation

The National Retail Federation featured a three-part series, “Talking Tactics,” that examined cybercrime in retail and how the industry is responding. Kim Peretti, co-chair of Alston & Bird’s Security Incident Management & Response Team and a former U.S. Department of Justice senior litigator, says mitigation planning amounts to corporate governance. “There need to be people who have the roles and responsibilities to understand the risks,” said Peretti. “And you have to establish systems and controls that are appropriate to the type of risk that the organization might [...]

Law360 Quotes Dominique Shelton on CA Online Privacy Protection Act

California Attorney General Kamala Harris reiterated her commitment to enforcing the state’s Online Privacy Protection Act following her re-election and to pursuing guidelines advising companies how she will interpret the act. Dominique Shelton, a partner in the firm’s Privacy & Data Security Group, called Harris’ guidelines “groundbreaking” in privacy protection and said they allow her clients to focus on compliance instead of becoming a test case for enforcement. “I think we’re only getting started. The attorney general views this as a growing area that [...]

Data Protection Commissioners Adopt Resolution on International Cooperation

On October 14, the International Data Protection and Privacy Commissioners’ (“IDPPC”) conference adopted a resolution calling for increased enforcement cooperation among international data protection authorities. Data protection authorities from around the world participated in the IDPPC conference, including representatives from Europe, Asia, the United States (including the Federal Trade Commission), and South America. In the “Resolution on Enforcement Cooperation,” the IDPPC encourages “efforts to bring about more effective cooperation in cross-border investigation [...]

Defendants to Pay FTC $9.3 Million to Settle Suit Over Alleged Text Messaging Scam

Three groups of defendants have agreed to pay the Federal Trade Commission (FTC) $9.3 million to settle claims that they operated a scam to send unsolicited and deceptive text messages to millions of consumers. The settlement is the result of a major campaign by the FTC targeting senders of unsolicited commercial messages using the promise of free gifts or products to get consumers to reveal “personal information for sale to marketers, their mobile numbers to cram unwanted charges on their bill, and to drive them to paid subscriptions for which the senders receive affiliate referral fees.” [...]