Features
Amended Washington Data Breach Law Requires Attorney General Notification, Imposes 45-Day Notice Time Limit. Earlier this year, Washington state passed an amended version of its data breach notification law, which became effective Friday, July 24, 2015. Among other provisions, the updated statute requires compromised entities to notify the state Attorney General (AG) in some circumstances and requires notification to both consumers and, as applicable, the state AG within 45 days after discovery of a breach.
PCI Security Standards Council Issues New Supplementary Compliance Requirements for the Data Security Standard. The Payment Card Industry Security Standards Council recently published a supplement to the PCI Data Security Standard that will require certain Designated Entities to comply with an additional set of compliance-based requirements. The additional requirements, called the “Designated Entities Supplemental Validation,” or DESV, are designed to “help organizations make payment security part of everyday business practice” and are “intended to provide greater assurance that PCI DSS controls are maintained effectively and on a continuous basis through validation of business-as-usual processes, and increased validation and scoping consideration.”
Canadian Parliament Amends PIPEDA with the Digital Privacy Act. On June 18, 2015, the Canadian Parliament passed into law the Digital Privacy Act, which amends Canada’s federal data protection statute, the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA applies to businesses in every Canadian province except British Columbia, Alberta and Quebec. However, businesses in those provinces may become subject to PIPEDA if they operate in federally regulated sectors or if personal information that originated in their province crosses provincial borders. Although many of the act’s provisions are now effective, certain key features, such as the mandatory breach notification requirement and the mandatory record-keeping requirement, will not come into force until regulations are issued by the Canadian government.
FFIEC Issues Optional Cybersecurity Assessment Tool. The Office of the Comptroller of the Currency (OCC) announced on June 30 that the Federal Financial Institutions Examination Council has issued an optional Cybersecurity Assessment Tool for banking institutions to use to evaluate risks and cybersecurity maturity. The OCC also announced that it would “gradually incorporate the Assessment into examinations of national banks, federal savings associations and federal branches and agencies.”
Rhode Island and Oregon Update Data Breach Statutes. The Rhode Island Bill, signed June 26, 2015, requires entities that experience a data breach that “poses a risk of identity theft to any resident of Rhode Island” to notify affected individuals within 45 calendar days after discovery of the breach. It also requires notification to the state AG following a data breach but only if the breach affects more than 500 Rhode Islanders. The Oregon Bill, signed June 10, 2015, broadens the definition of personal information that will trigger notice to individuals and adds a requirement to notify the state’s AG of certain breaches.
FTC Releases New Data Security Guidance for Businesses, Announces Conference Series. The Federal Trade Commission (FTC) has released new guidance called “Start with Security,” intended to assist businesses to improve their data security practices based on lessons learned from its 53 data security cases to date. Issued on June 30, 2015, the guidance “distill[s] the facts of those cases down to their essence” in ten “lessons to learn that touch on vulnerabilities that could affect your company.” In addition, the FTC announced that the “Start with Security” initiative would also include a series of conferences aimed at small and medium businesses in various industries across the country. These conferences are intended to provide “practical tips and strategies for implementing effective data security” measures and thereby avoiding scrutiny from the FTC.
Alston & Bird Issues an Advisory on Proposed New Export Requirements for Cybersecurity Products and Technologies. Alston & Bird issued an advisory on a new regulation proposed by the Department of Commerce’s Bureau of Industry and Security that would require certain developers, manufacturers and users of cybersecurity intrusion and surveillance items to obtain export licenses before conducting business and performing their work – even when working with their affiliated companies or with business partners in the most closely allied countries.
European Data Protection Supervisor Releases Opinion on Mobile Health. The European Data Protection Supervisor, Giovanni Buttarelli, published an opinion on Mobile Health (mHealth), a rapidly evolving sector stemming from the convergence of healthcare and information communication technology. mHealth includes mobile applications designed to provide health care-related services through smart devices by processing personal information about an individual’s health, well-being and lifestyle. The opinion discusses the growing ubiquity of mHealth, which in large part is due to the proliferation of smartphones and wearable computing devices.
FCC’s TCPA Ruling Delivers Blow to Businesses. The Federal Communications Commission (FCC) approved a Declaratory Ruling and Order resolving approximately 20 pending petitions seeking clarification of a variety of items relating to the federal Telephone Consumer Protection Act (TCPA). The FCC’s order expands consumer rights and protections and adds fuel to the already expanding fire of TCPA litigation. In light of the ruling, businesses should reevaluate telemarketing, debt collection, and text messaging practices to ensure compliance with both new and existing TCPA rules.
Alston & Bird in the News
Swire on the Declining Half-Life of Secrets. Senior Counsel Peter Swire released his new paper titled “The Declining Half-Life of Secrets,” a concept reviewed in Sputnik News and in an op-ed for CNN. Swire examines the challenges faced by the national security and signals intelligence communities in maintaining secrets. The paper explains why intelligence operations will continue to face ‘leaks’ given the pervasiveness and power of modern computing and the internet, the libertarian ethos of many information technology workers and the changing nature of signals intelligence work.
Peter Swire Testifies Before Senate Judiciary Committee on Encryption. Continuing his busy month, Peter Swire testified before the Senate Judiciary Committee as part of its hearing on “Going Dark: Encryption, Technology, and the Balance Between Public Safety and Privacy.” The hearing focused on the seemingly competing interests of law enforcement/national security and privacy/civil liberties in the context of encryption. In his testimony, Swire asserted that increased use of encryption will not lead to law enforcement “going dark,” saying instead that we live in a “Golden Age of Surveillance.”
Alston & Bird Attorneys Honored with 2015 Burton Award. Partners Kim Peretti and Jessica Corley, senior associate Kelley Barnaby and associate Lauren Tapson were honored with a 2015 Burton Award for Legal Achievement for their analysis of the corporate governance risks associated with cyber-attacks and the critical role played by boards of directors in addressing those risks. The winning article, “Cybersecurity: What Directors Need to Know in an Era of Increased Scrutiny,” delves into the rapidly changing cyber risk landscape – including increased scrutiny by the Securities and Exchange Commission and other regulators and its potential impact on director liability – and what boards of directors can, and should, do to ensure that their organizations are appropriately considering and addressing cyber risks.
Kim Peretti and Jason Wool Co-author CIO Insight Article on Cyber-Risk Management. Partner Kim Peretti and associate Jason Wool, along with Kiersten Todt and Roger Cressey of Liberty Group Ventures, co-authored the CIO Insight article “Five Steps to Strengthening Cyber-Defenses.” In the article, Peretti et al. discuss five risk management steps that companies can take to better manage cyber-risk and reduce their liability exposure after a breach occurs.
Upcoming Events
- Sept. 24, 2015, National Security, Cyber Espionage and ‘Bulk PII’ Breaches. Jim Harvey, Peter Swire, Kim Peretti and others will host this live program and webinar.
- Sept. 28-Oct. 1, 2015, Privacy. Security. Risk. Dominique Shelton and Peter Swire will present sessions on health care privacy and behavioral advertising.
The Digital Download, as well as any articles or other content linked to or otherwise cited by or attached to it, is not intended to constitute and should not be relied upon as or construed to be legal advice.