Financial Privacy

Virginia Amends Data Breach Notification Law

Written by

Virginia amended the state’s data breach notification law, effective July 1, 2017, to expand notification requirements for employers and payroll service providers to data breaches that involve “unauthorized access and acquisition of unencrypted and unredacted computerized data containing a [Virginia] taxpayer’s identification number in combination with the income tax withheld for that taxpayer. . . .”[1] The expanded notification obligation is subject to the same likelihood of harm threshold that applies in the original law. Notification is required only when the employer or payroll [...] Read more

Bank Regulators Issue Advanced Notice of Proposed Rulemaking on Cyber Risk Governance and Management Regulations

Written by

More regulators (apart from the FTC) are now taking note of cybersecurity issues in the financial services industry and are taking steps to protect the industry and its consumers. Earlier this year, the Consumer Financial Protection Bureau (“CFPB”) issued its first enforcement action on data security against an online payment system.   In June, the Federal Financial Institutions Examination Council (“FFIEC”), an interagency body, issued a press release advising financial institutions to review their risk-management practices.  Last month, the New York State Department of Financial [...] Read more

D.C. Circuit Holds CFPB is Unconstitutionally Constructed; Removes For-Cause Removal Protection from CFPB Director

Written by

On Tuesday, October 11, 2016, the D.C. Circuit Court issued its opinion in PHH Corp. v. Consumer Financial Protection Bureau, holding that the Consumer Financial Protection Bureau (CFPB) was unconstitutionally structured. In the majority opinion, Judge Kavanaugh described the position of CFPB Director as, in terms of unilateral authority, “the single most powerful official in the entire U.S. Government, other than the President.” (Maj. Opinion at 27). The Court’s ruling severs the for-cause removal protection provision for the Director from the Dodd-Frank Act, repositioning the CFPB as an [...] Read more

FTC PrivacyCon Event Examines Cutting-Edge Research and Current Policies Regarding Privacy and Data Security

Written by , and

The Federal Trade Commission held its PrivacyCon event, featuring nineteen presentations showcasing original research regarding important consumer privacy and security issues by leading academics from universities and think tanks from around the world. A full video recording of the webcast is available here. The conference took place in Washington on Jan. 14, 2016, and included discussion about the policy implications of the research being conducted with thought leaders from academia, research, consumer advocacy, and industry. FTC Commissioner Julie Brill succinctly outlined the top concerns [...] Read more

FFIEC Warns of Increase in Cyber Attacks Involving Extortion, Encourages Financial Institutions to Develop Response Programs

Written by

Last week, the Federal Financial Institutions Examination Council (FFIEC) issued a joint statement warning of an “increasing frequency and severity of cyber attacks involving extortion.” The statement warned that criminals have been extorting financial institutions using a variety of tactics, including denial of service attacks, theft of sensitive information, and use of “ransomware,” which is software that prevents legitimate users from accessing company files unless a ransom is paid. To protect against these attacks, the FFIEC encouraged financial institutions to “develop and implement [...] Read more

Jan Dhont Authors Corporate Counsel Article on Safe Harbor Decision

Written by

Jan Dhont, Brussels partner and head of the firm’s European Privacy and Data Protection practice authored the Corporate Counsel article, “The Sinking of the Safe Harbor: Just Another Symbolic Decision?”  In the article, Dhont discusses the concerns and uncertainty stemming from the October 6 European Court of Justice strike-down of Safe Harbor, and where companies may go from here.  This ruling is a matter of global concern and may actually result in less privacy for individuals, not more. Dhont notes that while there are mid- to long-term solutions to take the place of Safe Harbor, [...] Read more

Article 29 Working Party Calls for Political Action

Written by and

In a concise statement, the Article 29 Working Party (WP29), a consortium of European Data Protection Authorities (DPAs), released a position paper today about the landmark ruling of the European Court of Justice in Maximilian Schrems v. Data Protection Commissioner (C-362-14). WP29 makes a political call on the EU Member States to finalize discussions with the US authorities on a political and legal solution for the transfer of personal information from the EU to the US.  The solution should ensure that strong guarantees are provided to EU data subjects against US surveillance.   WP29 calls [...] Read more

A Discussion with FTC Commissioner Julie Brill: The Future of Trans-Atlantic Privacy

Written by

On October 20, Alston & Bird will host a panel discussion with FTC Commissioner Julie Brill. The event will be broadcast as a webinar. Commissioner Brill will discuss the future of U.S. – European privacy with Brussels Partner Jan Dhont and Senior Counsel Peter Swire. The discussion will be moderated by Partner Jim Harvey. This timely discussion with Commissioner Brill follows the European Court of Justice’s rejection of the Safe Harbor framework in the judgment issued on October 6. That rejection affects thousands of businesses engaged in E.U. – U.S. data transfers. Meanwhile, the [...] Read more

David Keating Quoted on Law360 about Data Transfer Issues After Safe Harbor is Invalidated

Written by

David Keating, partner and co-leader of the firm’s Privacy & Data Security practice, was quoted on Law360 regarding the practical impact on companies of the decision of the European Court of Justice (ECJ) invalidating the EU-U.S. Safe Harbor program for transfers of personal data. The ECJ decision requires companies to evaluate the mechanisms they and their vendors use to move data out of the European Union and the European Economic Area. One option that is being discussed by the commentators is to secure individual data subject consents.  David points out that this approach may [...] Read more

European Court of Justice Strikes Down Safe Harbor

Written by

In a momentous judgment, the European Court of Justice (“ECJ”) today invalidated the European Commission’s decision establishing the E.U.-US Safe Harbor for transfers of personal data (“Safe Harbor Decision”).  The ruling was made with record dispatch, following on an Advocate General Opinion recommending invalidation that was delivered to the Court only two weeks ago. Facts of the case: In the wake of the 2013 Snowden revelations, Maximilian Schrems, an Austrian citizen, privacy activist, and Facebook user, lodged a complaint with Ireland's Data Privacy Authority (“DPA”), [...] Read more