Attorney General

Yesterday, the European Parliament voted to approve the EU-U.S. Umbrella Agreement, a framework for the exchange of personal data for law-enforcement (including anti-terrorism) purposes between the EU and U.S.  As we previously explained, negotiations on this Agreement have been underway for quite some time, with the European Parliament first calling for it back in March 2009.

According to the European Commission’s fact sheet, the Agreement “puts in place a comprehensive high-level data protection framework for EU-US law enforcement cooperation.”  Specifically, the Umbrella Agreement includes the following protections:

  • Data Use Limitations
  • Onward Transfer Requirements
  • Publicly Available Retention Periods
  • Access and Rectification Rights
  • Data Breach Notification
  • Judicial Redress and Enforceability


This morning, the House Subcommittee on Commerce, Manufacturing, and Trade, chaired by Rep. Michael Burgess (R-TX), held a hearing to determine what elements should be included in federal data breach legislation.  Despite the momentum for legislation created by high-profile breaches at retailers like Target and Home Depot, and most recently at Sony, ongoing efforts in both the House and Senate to replace the 47 existing state data breach laws with a national standard have so far been unsuccessful.  This activity in the House is yet another attempt to enact a federal law governing data security, and today’s hearing made clear that many practical questions still remain for lawmakers to “get it right” on a data breach bill, as Rep. Fred Upton (R-MI) said.

Iowa’s governor recently signed into law S.F. 2259, which amends Iowa’s data breach notification law.  Under the amendment, entities that suffer breaches of personal information that are required to notify more than 500 state residents will also be required to notify the state’s attorney general.  The notice to the attorney general must be provided

On Monday, California Attorney General Kamala Harris for the first time released a data breach report; the report details 131 data breaches reported to the CA AG’s office, which collectively exposed the personal information of 2.5 million Californians.  56% of the breaches involved Social Security numbers, a category of information disclosure which creates a heightened risk of identity theft.

“Data breaches are a serious threat to individuals’ privacy, finances and even personal security,” Attorney General Harris said. “Companies and government agencies must do more to protect people by protecting data.”

The report contains recommendations to companies, law enforcement agencies, and the legislature about how data security could be improved, including:

Politico is reporting that California Attorney General Kamala Harris will release a report containing privacy recommendations for key players in the mobile app ecosystem (including developers, advertisers, and others).  The report could be released as early as this week. 

As we have noted elsewhere, Harris has made mobile privacy a key priority for her

California Attorney General Kamala Harris has formally warned 100 app developers that their apps are not in compliance with the California Online Privacy Protection Act (OPPA).  Harris has given these developers 30 days to come into compliance by “conspicuously post[ing] a privacy policy within their app that informs users of what personally identifiable information about

Last month, Vermont amended its breach notice requirements to add an obligation to notify the Vermont attorney general and an outside deadline to notify affected consumers.  Under the amended Vermont law, businesses generally will be required to notify the Vermont attorney general within 14 business days of a security breach and to provide the attorney general with a general description of the incident and certain other information.  Vermont law continues to require businesses to notify consumers of breaches that trigger the notification obligation “in the most expedient time possible and without unreasonable delay.”  However, the amendment imposed an outside window of 45 days to notify consumers. 

The amendments also changed the definition of “security breach.”  Prior to the amendments, “security breach” was defined as the “unauthorized acquisition or access of computerized data that compromises the security, confidentiality, or integrity” of the data.  The amended language defines a “security breach” as the “unauthorized acquisition of electronic data or a reasonable belief of an unauthorized acquisition of electronic data that compromises the security, confidentiality, or integrity” of the data.  This language is narrower insofar as access to data is no longer sufficient to trigger a notice obligation, which is now tied only to the acquisition of data.  It is also broader, however, insofar as either the acquisition or a reasonable belief of the acquisition of data may trigger a notification obligation.