Legislation

Kentucky Becomes 47th State To Require Data Breach Notification; Adds Restrictions on use of “Student Data”

Kentucky Governor Steve Beshear signed a data breach notification bill on April 10, adding Kentucky to the ranks of U.S. states requiring notice to individuals in the event of a data breach and leaving Alabama, New Mexico and South Dakota as the only states that do not require such notice.

Kim Peretti to Speak at Georgetown Law’s Cybersecurity Law Institute

April 7, 2014 | Posted by Security Incident Management & Response Team | Topic(s): Events, Legislation, International, Security Breach, Data Security, Cybersecurity, Regulation

Kim Peretti, co-chair of the firm’s Security Incident Management & Response Team, will be a featured speaker during the second annual Cybersecurity Law Institute sponsored by the Georgetown University Law Center. Cybersecurity continues to stay in the news in 2014 as the White House calls for a "Consumer Privacy Bill of Rights" for the digital age. What does this mean for your company or organization? The following topics will be covered during the May 21-22 program in Washington, D.C.:

--Learn how an effective Enterprise Security Program drastically reduces cyber risks within your organization.
--Debate the value of insurance in the cyber context; learn about coverages and what risk mitigation strategies may lower premium costs.
--Participate in simulations that animate the complexity and speed of data breach response, including from a global perspective.
--Hear from top general counsel regarding the evolving role of legal counsel and their relationship with the board of directors.
--Discover how the brand-new NIST Framework may potentially impact you even if you are not in a critical infrastructure sector.

For more information and to register, please click here.

Posted by Security Incident Management & Response Team | Alston & Bird LLP

HIPAA Audit Program Returning?

We previously blogged about the Office for Civil Rights’ (OCR) HIPAA Privacy, Security and Breach Audit Program (HIPAA Audit Program) on November 30, 2011, March 7, 2012, and June 26, 2012. On Monday, OCR published a notice in the Federal Register in which it essentially announces the return of its HIPAA Audit Program. In the notice, OCR announces that it plans to submit a new information collection request (ICR), a HIPAA Audit Program survey, to the Office of Management and Budget (OMB) for approval under the Paperwork Reduction Act of 1995, and seeks comments on the proposed survey and the burden imposed by it. The title of the survey is “HIPAA Covered Entity and Business Associate Pre-Audit Survey.” OCR proposes to survey up to 1200 HIPAA covered entities and business associates to determine their suitability for the OCR HIPAA Audit Program. OCR plans to use the survey to assess the size, complexity, and fitness of the surveyed covered entities and/or business associates for a HIPAA audit. The survey will collect information about the number of patient visits or insured lives, use of electronic information, revenue, and business locations.

Energy and Commerce Committee to Hold First U.S. House of Representatives Hearing in 2014 on Protecting Consumer Information and Preventing Data Security Breaches

Following the recent announcement of two U.S. Senate committee hearings on data security breaches, the House Energy and Commerce Committee announced the first U.S. House of Representatives hearing to examine the issue. During the same week as the Senate hearings, the committee’s Subcommittee on Commerce, Manufacturing and Trade (CMT), chaired by Rep. Lee Terry (R-NE), will hold a hearing entitled “Protecting Consumer Information: Can Data Breaches Be Prevented?” on Wednesday, February 5, 2014, at 9:30 a.m. EST in 2123 Rayburn House Office Building. According to the hearing notice released yesterday, witnesses will include executives from Target and Neiman Marcus, as well as government officials from the United States Secret Service and Department of Homeland Security. The Subcommittee will examine the preparations made by businesses to prevent data security breaches and the resources that exist to identify threats and improve the security of consumer information. The CMT Subcommittee notice also referenced the subcommittee’s recently issued data breach resource guide, which is a webpage that provides consumers with information they can use to help protect themselves against identity theft and take action when they learn of potential fraudulent charges on their accounts.

U.S. Senate Banking and Judiciary Committees to Hold Hearings Examining Data Security Breaches, Identity Theft, and the Safeguarding of Consumers’ Financial Data

The U.S. Senate Committees on Banking and the Judiciary will each host hearings during the week of February 3, 2014, to examine the impact on consumers of recently reported data security breaches and what measures may be taken to protect sensitive consumer information, including customer financial information, from criminal acquisition and misuse. Consistent with the assigned jurisdiction and oversight authority of each committee, the Banking Committee will examine the protection of consumer financial data, whereas the Senate Judiciary Committee will focus on the prevention of data security breaches and combating cybercrime. While these hearings will be open to the public at the Senate office buildings in Washington, D.C., each hearing will also be webcast live to the public via the committees’ hearing web pages. Witness testimony will not be made publicly available until the hearings start, but will be posted and available at the same committee web pages.

Senator Leahy Reintroduces “Personal Data Privacy and Security Act”: Federal Data Breach Notification Law Includes Criminal Penalties for Failure to Notify

On January 8, 2014, Senator Leahy (D-VT) reintroduced the “Personal Data Privacy and Security Act” (S. 1897) in an effort both to enhance criminal penalties for computer hacking and to create a tough federal data breach notification statute. The bill was originally cosponsored (at the time of its introduction) by Senators Chuck Schumer (D-NY), Al Franken (D-MN) and Richard Blumenthal (D-CT), and has since been cosponsored by Senator Robert Menendez (D-NJ). The bill has been referred to the Senate Judiciary Committee for consideration, and the committee is expected to hold a hearing on data security breach issues within the coming weeks.

House of Representatives Passes Health Exchange Security and Transparency Act of 2014: HR 3811 Would Require HHS to Notify Affected Individuals of a Breach of a Health Insurance Exchange Within 2 Days of Discovery

On Friday, January 10, 2014, the House of Representatives passed H.R. 3811, the “Health Exchange Security and Transparency Act of 2014,” by a vote of 291 to 122. The bill was introduced on January 7, 2014 by Representative Joe Pitts (R-PA), and has a total of 75 cosponsors. Under the bill, the Secretary of Health and Human Services would be required to provide notice to each individual “[n]ot later than two business days after the breach of security of any system maintained by an Exchange established under section 1311 or 1321 of [the Affordable Care Act] which is known to have resulted in personally identifiable information of an individual being stolen or unlawfully accessed.” By contrast, the HITECH Act requires HIPAA covered entities to provide breach notifications to individuals, to HHS (if the breach involves the PHI of 500 or more individuals), and/or to the media (if required) “without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach by the covered entity involved.” The bill would require HHS to notify individuals not only with respect to breaches of security of a federally facilitated health insurance exchange (a health insurance exchange established and operated by HHS that is accessed through www.healthcare.gov) but also with respect to breaches of security of any health insurance exchange established and operated by a State under the Affordable Care Act.

Alston & Bird Webinar: The Cybersecurity Framework: Understanding Its Structure, Content and Potential Impact

January 6, 2014 | Posted by Privacy & Data Security Team | Topic(s): Events, Legislation, Cybersecurity, Privacy, National Institute for Standards and Technology (NIST)

On Tuesday, January 21, join Alston & Bird in a lively discussion on the NIST Preliminary Cybersecurity Framework. The release of the NIST Preliminary Cybersecurity Framework in October marks one of the final steps in creating the “voluntary” framework envisioned in the Obama administration’s Executive Order on Improving Critical Infrastructure Cybersecurity. While the development of the framework involved significant input from the private sector, questions remain about how to understand and interpret its structure, content and potential impact.

This program brings together Alston & Bird privacy partners Kim Peretti and Todd McClelland and a panel of experts to discuss these topics as companies prepare for a finalized version of the framework to be issued in February.

Webinar - The Cybersecurity Framework: Understanding Its Structure, Content and Potential Impact
Tuesday, January 21
1 to 2 p.m. (ET)

To learn more about this Webinar and to register, please click here.

Posted by the Privacy & Data Security Team | Alston & Bird LLP

Privacy Partners Paul Martino and Dominique Shelton Author Law360 Article on Proposed California Guidance for Do-Not-Track Disclosures

December 19, 2013 | Posted by Privacy & Data Security Team | Topic(s): Online Privacy, Legislation, Behavioral Advertising, US State Law, Privacy, Mobile Privacy, Regulatory Enforcement, Tracking

Today, Paul Martino and Dominique Shelton, partners in Alston & Bird’s Privacy and Security practice and respective members of the firm’s Legislative & Public Policy and Litigation and Trial Practice groups, co-authored the Law360 article “Inside Calif.'s Proposed Guidance For Do-Not-Track Law.” In the article, Martino and Shelton address the potential impact of the meeting held for interested stakeholders on December 10, 2013, by the Privacy Enforcement and Protection Unit of the California Office of the Attorney General (“CA AG”) to discuss the AG’s proposed guidance on corporate privacy policy disclosures regarding behavioral tracking and do-not-track. To learn more about what CA AG staff and industry stakeholders discussed at the December 10, 2013 meeting, please see Alston & Bird’s client advisory entitled On Eve of New Law Taking Effect, California Attorney General Announces Upcoming Best Practices Guidelines for Do-Not-Track Disclosures. For further information about the requirements of A.B. 370, California’s new Do-Not-Track disclosure law that takes effect on January 1, 2014, please see our previous client advisory entitled California Adopts Do-Not-Track Disclosure Law, Reflecting a Significant New Development in a National Trend to Improve the Transparency of Online and Mobile Privacy Practices, which provides an in-depth analysis of A.B. 370’s CalOPPA amendments and its potential impact on businesses with websites, mobile apps or online services used by California residents.

Written by the Privacy & Data Security Team | Alston & Bird LLP

FTC Chairwoman Reiterates Support for National Data Breach Law with FTC Enforcement Powers

December 16, 2013 | Posted by Louis Dennig | Topic(s): Federal Trade Commission (FTC), Legislation, Enforcement, Cybersecurity, Data Breach, Regulatory Enforcement

At the National Consumers League Conference on identity theft, held on December 12, 2013 in Washington, D.C., Federal Trade Commission (“FTC”) Chairwoman Edith Ramirez pushed for a federal data breach law featuring the FTC as the “enforcer.” Chairwoman Ramirez engaged in a keynote discussion with former FTC Chairwoman Deborah Platt Majoras and made her position clear that a federal data breach notification law that complements existing state laws would benefit consumers. The keynote can be viewed in its entirety here (the discussion related to a national data breach notification law begins at 21:35).

Congress Considers Cybersecurity Bills

December 16, 2013 | Posted by jeffrey.sural@alston.com | Topic(s): US Congress, Legislation, Cybersecurity, Hearing

Earlier last week, House Homeland Security Committee Chairman Michael McCaul (R-TX) introduced H.R. 3696, a bill to amend the Homeland Security Act to make certain improvements regarding cybersecurity and critical infrastructure protection. The committee circulated the draft earlier this year, and had planned to mark up the bill when the Edward Snowden revelations became public. The bill faces several criticisms, including that the House passed a bipartisan bill earlier in the year that addressed the major issues facing cybersecurity. Also, the main provision of Chairman McCaul’s bill, designating the Department of Homeland Security to facilitate information sharing, was already accepted as an amendment to the Cyber Intelligence Sharing and Protection Act (CISPA).

California Attorney General Announces Upcoming Best Practices Guidelines for Do-Not-Track Disclosures; Guidelines Will Not Delay New A.B. 370 Do-Not-Track Disclosure Requirements from Taking Effect on January 1, 2014

December 16, 2013 | Posted by Paul Martino & Dominique Shelton | Topic(s): Online Privacy, Legislation, Behavioral Advertising, Marketing, US State Law, Privacy, Mobile Privacy, Regulatory Enforcement, Tracking

On December 10, 2013, the Privacy Enforcement and Protection Unit of the California Office of the Attorney General (CA AG) held a meeting in San Francisco for interested stakeholders to discuss best practices in light of the Assembly’s enactment of A.B. 370, California’s new do-not-track disclosure law that goes into effect on January 1, 2014. A.B. 370 amended the California Online Privacy Protection Act (CalOPPA) to require operators of websites, online services and mobile applications to amend their privacy policies as of the new year to either (1) disclose how they respond to do-not-track signals from Internet browsers or other consumer choice mechanisms regarding the collection of behavioral tracking data; or (2) link to an online location containing a description of a consumer choice program the operator follows and explain the effects of that program. The new law also requires these operators to disclose the type and nature of any third-party tracking occurring on their sites, services or apps. The CA AG staff focused the discussion with stakeholders on what should constitute “best practices” regarding do-not-track disclosures, rather than on what would be required for businesses to simply comply with the new disclosure requirements created by passage of A.B. 370. To learn more about what CA AG staff and industry stakeholders discussed at the December 10, 2013 meeting, please see Alston & Bird’s client advisory entitled On Eve of New Law Taking Effect, California Attorney General Announces Upcoming Best Practices Guidelines for Do-Not-Track Disclosures.

California’s New Privacy Law Covering Utility ‘Smart Meter’ Data Takes Effect on January 1, 2014

December 2, 2013 | Posted by Privacy & Data Security Team | Topic(s): Online Privacy, Legislation, Data Security, Privacy, Privacy Litigation

On January 1, 2014, California’s new “smart meter” privacy law goes into effect; it may impact Internet Service Providers, financial institutions and other businesses that handle or receive smart meter data. On October 5, 2013, California Governor Brown approved the law passed by the Assembly (A.B. 1274), which will require certain non-utility businesses to obtain the express consent of utility customers before sharing their electrical or natural gas usage information.

California Privacy Ballot Initiative Moves Forward: Act Would Amend California Constitution to Set Standards for Collection and Protection of Personally Identifying Information, including Financial and/or Health Information

October 4, 2013 | Posted by Nick Stamos and Claire Lucy Readhead | Topic(s): Online Privacy, Legislation, Behavioral Advertising, Health Privacy, US State Law, Privacy, Financial Privacy, Privacy Class Actions, Privacy Litigation

California Secretary of State Debra Bowen has allowed signature collection to commence for a ballot initiative, named the Personal Privacy Protection Act, that could drastically alter the California privacy regime. The initiative, led by former state Senator Steve Peace and retired attorney Michael Thorsnes, seeks to amend the California Constitution to define personally identifiable information as “any information which can be used to distinguish or trace a natural person's identity which is linked or linkable to a specific natural person” but excludes information that is publicly available from government records. The definition of personally identifying information would also explicitly include “financial and/or health information.”

Update: California Governor Brown Signs into Law A.B. 370, "Do Not Track Disclosure Law"

On September 27, 2013, California Governor Brown signed into law A.B. 370, amending the California Online Privacy Protection Act (CalOPPA) to require two new privacy policy disclosures for websites and online services regarding behavioral tracking. California Assembly member Al Muratsuchi (D-Torrance), who introduced A.B. 370, released a statement in which he said the amended law “will protect Californians' right to privacy by providing transparency that will allow consumers to know when their online activity is being tracked. The consumer can then make an informed decision about their use of a particular website or service. The support for AB 370 resonated statewide as Californians expressed their concern with entities tracking their information, many times without their knowledge or consent. While we must continue to foster innovation, we must likewise ensure that consumer protection and privacy are key priorities as technology advances. Further, Attorney General Kamala Harris, the sponsor for this Legislation, worked tirelessly alongside me and stakeholders to make this law a reality. I commend Governor Brown for joining us as we work to ensure transparency in online commerce and interaction.” The new law will become effective as of January 1, 2014. For more information on A.B. 370, please see our previous blog posting entitled California Adopts Do-Not-Track Disclosure Law: A.B. 370 Amends the California Online Privacy Protection Act (CalOPPA) to Require New Privacy Policy Disclosures for Websites, Online Services and Mobile Apps about Behavioral Tracking.

For more detailed information on the new law, please refer to our full-length client advisory entitled California Adopts Do-Not-Track Disclosure Law, Reflecting a Significant New Development in a National Trend to Improve the Transparency of Online and Mobile Privacy Practices.

Written by Claire Lucy Readhead, Associate, Privacy & Data Security | Alston & Bird LLP