Virginia Becomes First State to Mandate Advanced Credit Card Security for State Agencies. On May 5, Virginia Governor Terry McAuliffe signed Executive Directive 5 (2015). The directive requires the state’s technology and finance secretaries, treasurer and comptroller to update Virginia’s main purchasing card program to include advanced chip-and-pin technology by December.
Peter Swire on the History of Bulk Metadata Collection. Alston & Bird Senior Counsel Peter Swire published a historical primer on bulk data collection under Section 215 of the USA PATRIOT Act. The article reviews the recent Second Circuit decision in ACLU v. Clapper rejecting the National Security Administration’s bulk collection of telephone metadata, a program Congress ended in the just-passed USA FREEDOM Act.
Visa Updates Global Compromised Account Recovery Program. On May 14, 2015, Visa announced several updates to its Global Compromised Account Recovery (GCAR) Program, which helps card issuers recover costs and fraud losses after a card data compromise. Pursuant to the new updates, GCAR operating expense amounts per eligible account will be determined using a new tiered structure based on issuer size.
Nevada and North Dakota Update Their Data Breach Laws. The Nevada law expands the definition of personal information to include an individual’s medical identification number or health insurance identification number and a username, unique identifier or email address with its associated password, access code or security question and answer that would permit access to an online account. The North Dakota law clarifies that the obligation to notify individuals of a breach applies to any entity that “owns or licenses” personal information of the residents of North Dakota.
Alston & Bird Issues a Privacy and Security ADVISORY on Russia’s New Data Localization Law. Under Russia’s new Data Localization Law, which will take effect in September 2015, penalties for noncompliance can be severe, including suspension of offending websites. Alston & Bird’s Privacy & Data Security Group provides details on the law, the compliance challenges facing U.S. companies and the solutions available to them.
FTC Looks “More Favorably” upon Companies That Report Data Breaches to Law Enforcement. The Federal Trade Commission recently announced that it views companies that report data breaches to appropriate law enforcement “more favorably” than those companies that are less cooperative. The FTC included the announcement in a May 20, 2015, blog post describing a typical FTC data breach investigation to help companies know what to expect if they are investigated. In other FTC news, the commission also announced it will host a “Start with Security” initiative in September, a program intended to provide small- and medium-sized businesses with resources, education and guidance on data security.
RadioShack Agrees to Significant Limitations in Sale of Customer Data Following Pressure from State Regulators and the FTC. In what may become viewed as the de facto standard for selling customer information in bankruptcies, a Delaware bankruptcy court approved a multiparty agreement that would substantially limit RadioShack’s ability to sell 117 million customer records. Despite its original intention to sell all of its customer records, RadioShack entered into the agreement in response to filings made by 36 state attorneys general and the Federal Trade Commission. Instead of selling the entire cache of data, RadioShack will destroy the majority of the data and sell only a subset of customer email addresses. That subset of customer data will also be subject to various restrictions.
Alston & Bird in the News
- Paula Stannard authors Bloomberg BNA article on business associates’ HIPAA compliance.
- Kristy Brown comments on TCPA issues in Inside Counsel.
- Peter Swire comments on the passage of the USA FREEDOM Act on MSNBC (look for him at the 8:50 mark), comments on the import of the legislation in The New York Times and provides an extended analysis to Atlanta’s WABE public radio affiliate.
- June 16, 2015, ACC Israel: Mergers & Acquisitions. Dominique Shelton will discuss privacy and security issues in M&A.
The Digital Download, as well as any articles or other content linked to or otherwise cited by or attached to it, is not intended to constitute and should not be relied upon as or construed to be legal advice.