In a recent case involving a breach of patients’ privacy rights — Hopkins v Kay,[i] — the Ontario Court of Appeal ruled that a proposed class action could proceed based on allegations of violation of patients’ common law privacy rights, concluding that those rights were not preempted by the Personal Health Information Protection Act (PHIPA). Specifically, the court determined that PHIPA is not a “complete code” and therefore did not “oust” the plaintiff’s common law tort claim for breach of privacy (the tort of intrusion upon seclusion). Hopkins provides important guidance in the fields of privacy law and class actions, as well as with respect to the sustainability of privacy claims that touch upon areas governed by legislation.
February 2015
German draft bill to authorize privacy “class actions”
The German government recently released a draft bill seeking to grant authority to the country’s consumer and business associations to enforce compliance with data protection laws. Because the proposed draft bill appears to have received support from the governing parties,…
White House presses for robust sharing of cyber-threat information
On February 13, 2015, President Obama spoke forcefully on cybersecurity threats at the Cybersecurity and Consumer Protection Summit, and signed an Executive Order designed to encourage the sharing of cyber-threat information through the formation of “hubs” – Information Sharing and Analysis Organizations (ISAOs).
The President observed that much of the United States’ critical infrastructure runs on networks connected to the Internet, resulting in vulnerabilities that foreign governments and criminals are probing every day. The President outlined four basic principles that should guide the efforts to combat cyber threats:
- A shared mission between the private sector and the government;
- Focus by private and public sectors on their unique strengths;
- Flexibility in the approach to cybersecurity; and
- Protection for the privacy and civil liberty of the American people.
The President called the protection against cyber-threats a shared mission because neither government nor the private sector can defend against cyber-attacks alone. While the government has many capabilities, it is neither appropriate nor possible for the government to secure the networks of the private sector. On the other hand, the private sector is at the cutting edge of technology, but does not always have the situational awareness, the ability to warn other companies in real time, or the capacity to coordinate a response across companies to a cyber-attack.
Cybersecurity Efforts Turn Focus to Financial Institutions, Technology Service Providers and “Cyber Resilience”
Financial institutions around the country recently received cybersecurity guidance in the form of a new appendix to the Federal Financial Institutions Examination Council’s (“FFIEC’s”) Business Continuity Planning Booklet, which is part of its Information Technology Examination Handbook. In the guidance, the FFIEC places the onus on financial institutions, their boards of directors, and senior management to manage the cybersecurity risks, recovery services, testing programs, and “cyber resilience” associated with outsourced or third-party technology services. The guidance came just a week before another important event for financial and other institutions: the White House Summit on Cybersecurity and Consumer Protection that was held at Stanford University on Friday, February 13, 2015, and that featured, as attendees and speakers, government and industry leaders, including those from financial institutions.
The FFIEC is the federal interagency body tasked with setting forth uniform principles, standards, and forms for examining and supervising financial institutions. In that capacity, the FFIEC provides guidance on “business continuity planning” or how financial institutions will recover and resume their businesses after an unexpected disruption, which, in today’s world, necessarily includes cyber breaches and attacks.
Here is our take on the FFIEC’s recent round of updates:
Importance of data privacy and transparency in the UK highlighted by Investigatory Powers Tribunal decision
A recent landmark ruling from the UK’s Investigatory Powers Tribunal has highlighted the growing importance the UK courts place on data privacy and transparency. It is the first occasion that the Investigatory Powers Tribunal has upheld part of a complaint…
Privacy action in Russia indicates enforcement focus on Western companies
According to news reports in Russia, the Russian Federation’s data protection authority – Roscomnadzor – may be targeting Western companies for enforcement action. What appears to be the first enforcement action of this kind is directed at Twitter.
At…
SEC’s cyber preparedness priorities on display in the agency’s cybersecurity examination initiative
Last week, the U.S. Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) published a Risk Alert that summarized findings from the agency’s examinations of the practices employed by financial service firms to address cybersecurity risks.
The…
Anthem breach poses significant cybersecurity risks for Anthem’s customers; may trigger legal obligations
Organizations whose employees are insured by Anthem or whose self-insured health plans are administered by Anthem should consider steps to mitigate the cybersecurity and legal risk arising from the breach recently reported by Anthem.
The hackers who perpetrated the Anthem…
China requires providers to enforce real-name registration and ban on “harmful” usernames
The Cyberspace Administration of China announced on February 4, 2015 new regulations requiring Internet users to register accounts under their real names for social network sites like blogs, discussion forums, comment sections, instant messaging, and related services. The rules impose…
National breach law proposal — focus of Congressional hearing
…