The HHS Office for Civil Rights (OCR) announced on Monday that it has launched the long-awaited Phase 2 of its HIPAA Privacy, Security, and Breach Notification Audit Program.
March 2016
Norton Rose Fulbright Adds Data Privacy Partner in Hong Kong
Norton Rose Fulbright is pleased to announce that Anna Gamvros, a leading lawyer in outsourcing, privacy and data protection, has joined as partner in Hong Kong.
Gamvros has more than 14 years’ experience working as a technology and privacy lawyer…
Dutch DPA: Employers May Not Process Employee Health Data From Wearables
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “AP”) announced on March 8, 2016, that two companies agreed to stop processing employees’ personal health data after the AP initiated an investigation into the employers’ practices. The two companies provided their employees with wearable devices (or “wearables”), which allowed the companies to track their employees’ physical activity and sleep patterns. In addition to the two investigations, the AP issued guidance to employers emphasizing that employers are prohibited from engaging in these practices.
Verizon Settles FCC Privacy Investigation Over Use of “Supercookies”
The FCC announced last week that it reached a settlement with Verizon Wireless (“Verizon”) over its use of “supercookies.” More specifically, the FCC alleged that Verizon inserted unique identifiers into the headers of its customers’ HTTP requests to support its targeted advertising programs, and that customers had not consented to this practice. In this post, we analyze the settlement and some of its unique features.
French National Assembly adopts “Digital Republic” bill
On January 26, 2016, the French National Assembly adopted the “Digital Republic” bill — a comprehensive bill introducing various provisions to regulate the digital sphere within French society. Access to public data, neutrality of the Internet, access to the…
FTC Orders PCI DSS Compliance Reports
The Federal Trade Commission (FTC) has ordered nine companies to file Special Reports detailing how they assess their clients’ compliance with Payment Card Industry Data Security Standards (PCI DSS). Payment card issuing companies require businesses that process over one million card transactions per year to undergo PCI DSS compliance assessments, or audits, performed by PCI Qualified Security Assessors (QSAs), to ensure that the businesses comply with PCI DSS and are adequately protecting their customers’ sensitive personal information. The Order includes a laundry list of requests related to the targeted companies’ PCI DSS assessment process, from the bidding for and staffing of compliance assessments, to the number and percentage of clients that are ultimately determined to be PCI DSS compliant or non-compliant.
British supermarket chain faces group litigation action in the UK based on data breach
In November of 2015, the English High Court in London approved a Group Litigation Order (“GLO”) allowing employees of one of the United Kingdom’s largest supermarket chains to join the pending action.
Consumer Financial Protection Bureau Enters the Cyber Regulatory Enforcement Arena
On March 2, 2016, the Consumer Financial Protection Bureau (“CFPB”) released a Consent Order entered between it and Dwolla, a company providing an online money transfer and payment processing platform to consumers. The Consent Order alleges that Dwolla made false representations concerning its data security practices and engaged in deceptive acts and practices in connection with the offering of consumer financial products or services, in violation of the Consumer Financial Protection Act of 2010 (“CFPA”) sections 12 U.S.C. 5531(a) and 5536(a)(1).
This is the CFPB’s first foray into the data security and privacy enforcement space and could foreshadow additional similar enforcement activity. Interestingly, it appears that this investigation and Consent Order were not triggered by a security breach suffered by Dwolla. Although the CFPB’s approach and enforcement rationale is reminiscent of similar actions taken by the FTC, the Consent Order is the first of its kind and has its own quirks. In this post we take a deeper look at the CFPB’s action and the Dwolla Consent Order.
OCR issues guidance on HIPAA Security Rule compliance and mobile health apps
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently published two guidance documents to aid organizations in complying with HIPAA.
Dubai issues Open Data Law
Dubai has issued a new law regulating the dissemination and exchange of data in the Emirate. This is one of the first open data initiatives in the Middle East and is being promoted by the Prime Minister’s office as a significant step forward in Dubai’s cyber legislation and smart city ambitions.