Financial Privacy

Article 29 Working Party Calls for Political Action

In a concise statement, the Article 29 Working Party (WP29), a consortium of European Data Protection Authorities (DPAs), released a position paper today about the landmark ruling of the European Court of Justice in Maximilian Schrems v. Data Protection Commissioner (C-362-14). WP29 makes a political call on the EU Member States to finalize discussions with the US authorities on a political and legal solution for the transfer of personal information from the EU to the US. The solution should ensure that strong guarantees are provided to EU data subjects against US surveillance. WP29 calls [...]

A Discussion with FTC Commissioner Julie Brill: The Future of Trans-Atlantic Privacy

On October 20, Alston & Bird will host a panel discussion with FTC Commissioner Julie Brill. The event will be broadcast as a webinar. Commissioner Brill will discuss the future of U.S. – European privacy with Brussels Partner Jan Dhont and Senior Counsel Peter Swire. The discussion will be moderated by Partner Jim Harvey. This timely discussion with Commissioner Brill follows the European Court of Justice’s rejection of the Safe Harbor framework in the judgment issued on October 6. That rejection affects thousands of businesses engaged in E.U. – U.S. data transfers. Meanwhile, the [...]

David Keating Quoted on Law360 about Data Transfer Issues After Safe Harbor is Invalidated

David Keating, partner and co-leader of the firm’s Privacy & Data Security practice, was quoted on Law360 regarding the practical impact on companies of the decision of the European Court of Justice (ECJ) invalidating the EU-U.S. Safe Harbor program for transfers of personal data. The ECJ decision requires companies to evaluate the mechanisms they and their vendors use to move data out of the European Union and the European Economic Area. One option that is being discussed by the commentators is to secure individual data subject consents. David points out that this approach may [...]

European Court of Justice Strikes Down Safe Harbor

In a momentous judgment, the European Court of Justice (“ECJ”) today invalidated the European Commission’s decision establishing the E.U.-US Safe Harbor for transfers of personal data (“Safe Harbor Decision”). The ruling was made with record dispatch, following on an Advocate General Opinion recommending invalidation that was delivered to the Court only two weeks ago. Facts of the case: In the wake of the 2013 Snowden revelations, Maximilian Schrems, an Austrian citizen, privacy activist, and Facebook user, lodged a complaint with Ireland's Data Privacy Authority (“DPA”), [...]

PCI Security Standards Council Publishes Data Breach Response Guidance

The PCI Security Standards Council (PCI-SSC) has released new guidance on its website advising merchants how to deal with a data breach. The guidance particularly details when a PCI Forensic Investigator (PFI) will be required, and provides tips on making the PFI process go smoothly. The PCI-SSC states that “preparing for the worst is the best defense” by having an incident response plan. In addition, PCI-SSC advises limiting data exposure by isolating affected systems without turning them off, notifying necessary business partners (such as the payment brands and merchant banks) immediately [...]

Swire Challenges Factual Basis of Schrems Decision

In an article published today, Senior Counsel Peter Swire challenges the factual basis for the Advocate General’s recent opinion in the so-called “Schrems case” against the E.U.-U.S. Safe Harbor framework. Thousands of U.S. businesses rely on the Safe Harbor framework in order to support the transfer of data from the European Union. As previously discussed on this blog, Maximilian Schrems challenged Safe Harbor by arguing that regulators in each E.U. country should be permitted to make their own determination to accept or reject the framework. Last month, Advocate General Yves Bot recommended [...]

FFIEC Issues Optional Cybersecurity Assessment Tool

On June 30, 2015, the Office of the Comptroller of the Currency (OCC) announced that the Federal Financial Institutions Examination Council (FFIEC) has issued an optional Cybersecurity Assessment Tool (Assessment) for banking institutions (“institution”) to use to evaluate risks and cybersecurity maturity (i.e., level of preparedness). OCC also announced that it would “gradually incorporate the Assessment into examinations of national banks, federal savings associations, and federal branches and agencies.” This arises out of a 2014 pilot cybersecurity examination work program at more [...]

Virginia Becomes First State To Mandate Advanced Credit Card Security for State Agencies

On May 5, Virginia Governor Terry McAuliffe signed Executive Directive 5 (2015), which requires the state's technology and finance secretaries, treasurer and comptroller to update Virginia’s main purchasing card program to include advanced chip-and-pin technology by December. The Directive notes that many of Virginia’s political subdivisions and authorities have already converted purchase card programs to chip authentication technology. In addition, the Directive requires the state’s Treasury Department to provide a plan to the governor's office by October 1 of this year detailing its [...]

CFPB’s Final Rule Allows Online Privacy Notice Posting In Certain Circumstances

The Consumer Financial Protection Bureau (CFPB) recently published a final rule regarding annual privacy notices from financial institutions to their customers. The rule allows financial institutions that limit their consumer data-sharing and meet other requirements to post their annual privacy notices online rather than delivering them individually. Under the Gramm-Leach-Bliley Act (GLBA), financial institutions generally must send annual privacy notices to customers. These notices must describe whether and how the financial institution shares consumers’ nonpublic personal information. If [...]

European Data Protection Supervisor Releases Guidelines on Data Protection for Financial Services Regulation

The European Data Protection Supervisor has released guidance to European financial services regulators to help them analyze data protection and privacy in the financial services arena. The guidance sets forth a 10-step methodology to “facilitate policymaking which respects the fundamental rights and freedoms in the [EU Charter of Fundamental Rights] and in particular the rights to privacy and to the protection of personal data.” The 10 steps to assessing data protection aspects of proposed measures include identifying the personal information to be processed, defining the purpose for processing [...]