Scrutiny of EU-US Privacy Shield

On 12 June 2018, the Civil Liberties, Justice and Home Affairs Committee (the ‘Committee’) of the European Parliament passed a Resolution, by 29 votes in favour, 25 opposed and 3 abstentions, calling on the European Commission to suspend the EU-US Privacy Shield arrangement (‘Privacy Shield’).

The Resolution calls for the international data transfer framework to be suspended unless the US demonstrates compliance by 1st September 2018, since it ‘fails to provide enough data protection for EU citizens’.

Law360 Expert Analysis: Health Tech Is The New Focus For Cybersecurity Policy

In an article posted in Law360 Expert Analysis on May 22, 2018, Squire Patton Boggs partner Elliot Golding describes how the rise of health care smart devices and tracking apps has intensified the focus on data privacy and cybersecurity within the health care industry.  Subsequently, new and proposed government and regulatory initiatives are underway.

Additional insights and analysis, including details on regulatory and government action, privacy/security, and other issues related to vendor management, planning and training, may be found here.

Polish Supervisory Authority Publishes a Proposed “Black List” Recommendation on Processing Activities That Require a DPIA

One of the new obligations introduced by the General Data Protection Regulation (GDPR) is to prepare a data protection impact assessment (DPIA) for certain types of processing operations – i.e., those which are likely to result in a high risk. To put it simply, a DPIA is a process for building and demonstrating compliance with the GDPR, which complements the new focus on accountability, privacy by design and a far more risk-based approach.

Significant Health Care Technology Privacy and Cybersecurity Considerations

Elliot Golding, in a podcast interview with Healthcare InfoSecurity, discusses evolving healthcare privacy and security issues, especially complex issues involving Internet of Things (IoT) devices. Topics include new risks when connected devices link to legacy systems, the applicable regulatory environment, and other important issues that companies operating in the health care space need to confront with new technologies. The interview closes with practical recommendations to help companies recognize and address these privacy and cybersecurity risks and compliance obligations. The segment may be heard here.

Cybersecurity Bill Vetoed in Georgia

On May 8, Georgia governor Nathan Deal vetoed Senate Bill 315, a proposed cybersecurity law imposing penalties of up to one year in jail and a $5,000 fine for “unauthorized computer access.” In his veto, Governor Deal expressly cited concerns with the “national security implications” of the bill. He noted that it could “inadvertently hinder the ability of government and private industries” to protect against cybersecurity breaches.

Time is Running Out… is Your Car GDPR Compliant?

Change is the order of the day for the automotive industry. Cars are going solo. Traffic tests of autonomous cars are occurring all over the world, even if scientists differ on whether the technology is ready to be deployed in everyday traffic. However, this debate mainly concerns safety issues, such as the physical safety of passengers and pedestrians, that are still more or less a matter of theory, whereas other issues, such as data protection and cybersecurity, are already relevant.

France Issues New Rules for the Accreditation of Health Data Hosting Services Providers

As some companies may have experienced already, the French Public Health Code (Article L.1111-8) requires that services providers hosting certain types of health/medical data (in French “hébergeurs de données de santé” or “HDS”) be accredited for this activity.

The accreditation procedure is changing, effective 1 April 2018, from an authorisation procedure to a certification

SEC Fines Yahoo $35 Million for Misleading Investors by Failing to Disclose Cybersecurity Breach

In a first of its kind, the SEC recently fined Yahoo US$35 million for failing to assess and disclose a 2014 data breach that affected over 500 million user accounts. What caused the SEC to charge Yahoo with cybersecurity-related disclosure violations?  Our colleagues Tara Swaminatha and Coates Lear have prepared an analysis of this enforcement action, including the post-breach information relayed by Yahoo’s Security team to its executives. The analysis may be read here.

Data Breach Laws on the Books in Every State; Federal Data Breach Law Hangs in the Balance

With no central federal data breach law, states have taken the reins, passing an increasing number of laws that require both the protection of citizens’ private data and prompt notice of any breach of that privacy.  Governors in the last two holdout states, South Dakota and Alabama, recently signed bills to enact laws governing data breaches.  Now, all 50 states (plus D.C., Guam, Puerto Rico, and the Virgin Islands) have passed data breach notification laws.
