German DPAs to Create Model Processing Records for GDPR Compliance

On May 25, 2018, the EU General Data Protection Regulation (GDPR) enters into force. One of the major changes the GDPR introduces is a duty for in-scope controllers and processors to maintain written records of processing activities. Under Article 30 GDPR, companies will need to inventory all “processing activities under [their] responsibility” and memorialize them in a written record setting forth, inter alia, the purposes of processing operations, international transfers, and retention periods. Companies must provide their processing records (sometimes informally referred to as a “processing [...]

Department of Commerce Announces First Privacy Shield Participants

Over the weekend, the Department of Commerce’s Privacy Shield website was updated to show the first participants in the U.S.-EU Privacy Shield. In total, about 45 companies have registered for Privacy Shield. Prominent examples include Microsoft Corp. (along with 20 subsidiaries), Salesforce, and corporate-travel giant World Travel, Inc. Companies with questions about Privacy Shield are welcomed to visit our detailed Privacy Shield FAQs. Alston & Bird is closely following the development of Privacy Shield and advising companies on all aspects of EU data protection compliance. [...]

FTC Overrules LabMD Dismissal, Finds Unfair Data Security Practices

The FTC issued an Opinion and Final Order reversing the previously dismissed charges against LabMD on July 29. FTC Administrative Law Judge (ALJ) D. Michael Chappell had dismissed the case against LabMD on November 13, 2015 based on an insufficient showing of harm, as required to find an act or practice unfair under § 5 of the FTC Act (15 U.S.C. § 45(n)). In overturning the ALJ’s Initial Decision, the FTC clarified its view of the proper standard for unfairness under § 5. The FTC further detailed specific security failings of LabMD and signaled the importance of timely and effective [...]

FERC Takes Action on Cybersecurity in Response to Ukrainian Cyber Attacks

The Federal Energy Regulatory Commission (“FERC”) issued a Notice of Inquiry (“NOI”) and Final Rule at the end of July to address several urgent cybersecurity issues affecting the bulk electric system. FERC is taking these actions in the face of increasingly sophisticated threats to our power grid, including in response to an actual cyber-attack against Ukraine’s electricity system last year. In the NOI, the Commission seeks comments on possible modifications to the Critical Infrastructure Protection (“CIP”) Reliability Standards developed and managed by the North American [...]

German DPAs Will Not Be Able to Challenge Privacy Shield this Year

Even before the ECJ’s Schrems decision invalidated Safe Harbor, the European Commission had begun working closely with US negotiators to craft what has become the U.S.-EU Privacy Shield. While EU privacy leaders have noted that Privacy Shield represents important improvements in data protection, some German DPAs have voiced a desire to challenge Privacy Shield in court. This desire is not necessarily uniform; Germany has 16 state and one federal DPA, and their approaches to particular issues can diverge. Nonetheless, as we reported last year, at least one German DPA has taken the position [...]

Advocate Health Care Network Agrees to Pay $5.55 Million to Settle Potential HIPAA Penalties

On August 4, 2016, the Office of Civil Rights (“OCR”) announced that Advocate Health Care Network (“Advocate”), Illinois’ largest fully-integrated health care system, has agreed to pay a record-breaking $5.55 million to settle claims of multiple Health Insurance Portability and Accountability Act (“HIPAA”) violations involving electronic protected health information (“ePHI”). The substantial settlement stems from the extent and duration of the alleged noncompliance and the large number of individuals whose information was compromised, among other factors. The OCR initiated [...]

EU Commission Publishes Long-Awaited Privacy Shield Citizen’s Guide

Just over two weeks ago, the European Commission formally adopted the US-EU Privacy Shield. As part of making Privacy Shield accessible to EU residents, the Commission has long planned to issue a "Citizen's Guide" to the rights and remedies EU residents enjoy when data is transferred to certified Privacy Shield organizations. (A leader in the Commission's Directorate-General for Justice and Consumers announced that a Citizen's Guide was in the works at an event Alston & Bird co-hosted back in March.) Today, the Commission released its "Guide to the EU-U.S. Privacy Shield" for EU residents [...]

President Obama Issues Directive on Government Cyber Incident Response

Last week, President Obama issued a new Presidential Policy Directive (PPD) establishing principles to govern the federal government’s response to cyber incidents, “whether involving government or private sector entities.” Titled “PPD-41,” the document also designates the lead federal agencies for so-called significant cyber incidents and creates an “architecture for coordinating the broader Federal Government response” to significant cyber incidents that is further described in an attached Annex. PPD-41 defines a cyber incident as: An event occurring on or conducted through [...]

FTC Issues Warning Letters to 28 Companies Claiming Participation in the APEC CBPR System

On July 14, 2016, the Federal Trade Commission (FTC) announced that it had issued warning letters to 28 companies regarding their claim of participation in the Asia Pacific Economic Cooperation Cross Border Privacy Rule (APEC CBPR) system. The APEC CBPR system is a voluntary, enforceable mechanism that certifies a company’s compliance with the principles in the APEC CBPR and facilitates privacy-respecting transfers of data among APEC member economies. The warning letter states the FTC’s records do not indicate these companies have taken the requisite steps to be able to claim participation [...]

Alston & Bird Issues Advisory on Six Myths of Breach Response

Alston & Bird recently issued an Advisory entitled “Six Myths of Breach Response,” authored by Jim Harvey. As data breaches are on the rise, so are the challenges that businesses face in handling these security incidents. This Advisory identifies six strategic pitfalls to avoid when responding to breaches. The Advisory addresses the true significance of public notification, common mistakes in preserving attorney-client privilege, and tough choices regarding the selection of public relations, investigative, and legal counsel. Jim Harvey co-chairs Alston & Bird’s Cybersecurity Preparedness [...]