Nebraska Makes Changes to Data Breach Statute

Written by
Nebraska Governor Pete Ricketts has signed LB835 into law, updating the state’s data breach notification statute. The changes take effect on July 20, 2016. With the updates, Nebraska joins a growing number of states that include a username or email in combination with a password or security question and answer that would permit access to an online account in the definition of personal information which, if acquired by an unauthorized person, would require notice. In addition, the statute has been modified to require notice to the state’s Attorney General concurrent with notice provided [...] Read more

Turkey’s New Data Protection Law

Written by and
Turkey’s new “Law on the Protection of Personal Data” has entered into effect following passage by the Turkish Parliament in late March and official publication last week.  The Data Protection Law adopts a broadly European model for data protection and helps clarify key aspects of the regulation of personal data under Turkish law. This blog post examines the law and highlights certain important provisions. Scope The Data Protection Law applies to the “personal data” of natural persons where that personal data is processed “wholly or partly by automatic means,” and to non-automatic [...] Read more

GDPR Approved by Parliament, Set to Become EU Law

Written by
Last week, we reported that the Council of Ministers accelerated the timetable for passage of the General Data Protection Regulation (GDPR).  The European Parliament followed suit and approved the GDPR this morning. As a result, the GDPR is now officially adopted and will become the law of the land in the EU.  The GDPR will be published either this month or next in the Official Journal of the European Union.  Twenty days after its publication, it will enter into force – i.e. either in May or June 2016.  As soon as the GDPR enters into force, its two-year clock for bringing business operations [...] Read more

Art. 29 Working Party Issues Formal Opinion Opposing Privacy Shield

Written by
Several hours after holding a closely-watched press conference we reported on yesterday, the Article 29 Working Party (“Art. 29 WP”) released its highly anticipated formal opinion on the adequacy of Privacy Shield. Background The European Commission has put forth a draft “adequacy decision” in which it declares that on the basis of Privacy Shield, the United States offers data protection that is essentially equivalent to that offered in the EU.  If adopted, this adequacy decision would permit data transfers to US companies that agree to abide by the Privacy Shield principles.  The [...] Read more

Art. 29 Working Party Announces it Will Not Support Privacy Shield at Press Conference

Written by
Early this afternoon, the Article 29 Working Party (“Art. 29 WP”) held a press conference at which it presented its forthcoming opinion on the adequacy of the US-EU Privacy Shield. As background, the European Commission has put forth a draft “adequacy decision” in which it declares that on the basis of Privacy Shield, the United States offers data protection that is essentially equivalent to that offered in the EU.  Such an adequacy decision would permit data transfers to US companies that agree to abide by the Privacy Shield principles.  However, an important part of the approval [...] Read more

EU Council Issues New Consolidated GDPR and Accelerates GDPR’s Legislative Timetable

Written by
Yesterday evening, the Council of Ministers issued a new consolidated version of the General Data Protection Regulation (GDPR).  This is the first “clean” version of the GDPR that (a) incorporates all revisions agreed upon from the time of the Commission’s original 2012 proposal to the December 2015 trilogue compromise text; and (b) numbers individual provisions as can be anticipated in the final adopted version of the GDPR.  The new consolidated text can be accessed here. The new GDPR text follows closely on the heels of the Council accelerating the timetable for the GDPR’s passage.  [...] Read more

Kim Peretti Named to Cybersecurity Docket’s “Incident Response 30”

Written by
Kim Peretti, partner and co-chair of Alston & Bird’s Cybersecurity Preparedness & Response Team, has been named to Cybersecurity Docket’s inaugural “Incident Response 30.” Described by the publication as the “30 best and brightest data breach response lawyers,” the list “honors incident response attorneys and compliance professionals who not only have the right stuff to manage a data breach response, but are also the kind of professionals who are critical to have on speed-dial when the inevitable data breach occurs.” Cybersecurity Docket is a comprehensive and timely [...] Read more

European Data Protection Supervisor Issues Information Security Risk Management Guidance for E.U. Institutions

Written by
The European Data Protection Supervisor (“EDPS”) Giovanni Buttarelli issued a guidance document on data security and risk management for the E.U. institutions (such as the European Parliament, the European Council, and the Council of the European Union) on March 21, 2016.  Although aimed at E.U. institutions, the document may nonetheless become a source of guidance on risk-based information security practices for other data controllers in the E.U., given its authority and the similarity between the security provisions of a number of E.U. directives and regulations. The guidance, called [...] Read more

Alston & Bird Issues Cyber Alert on the EU Network Information Security Directive

Written by
This morning, Alston & Bird partners Jim Harvey and Jan Dhont issued an Advisory on the EU’s forthcoming Network Information Security Directive (“NIS Directive”).  National laws passed to implement the NIS Directive will impose substantial new compliance responsibilities on providers of “essential services,” as well as on a broad range of “digital service providers”—potentially even if a digital service provider's only EU presence is a website.  Companies subject to the NIS Directive will be obligated to implement internal cybersecurity measures.  Moreover, the NIS Directive [...] Read more

Tennessee Updates Data Breach Statute

Written by
On March 24, 2016, Tennessee Governor Bill Haslam signed SB 2005 into law. The bill makes three principal updates to Tennessee’s data breach statute. First, the statute will now require organizations that have experienced a data breach to notify individuals within 45 days from the discovery or notification of the breach, unless a longer period of time is required due to the legitimate needs of law enforcement. Service providers must report a breach to the organization for which they are processing the data within 45 days of discovery. The second update to the statute adds employees of the [...] Read more