On January 27, 2020, the French Supervisory Authority (“CNIL”) issued a guidance for developers of websites and applications which sets out the main principles of the General Data Protection Regulation (“GDPR”), expounds on their application in the online environment, and gives practical tips to help developers respect users’ privacy when deploying websites and apps. The … Continue Reading
Germany recently enacted a law that enables state health insurance schemes to reimburse costs related to the use of digital health applications (“health apps”), but the law requires the Federal Ministry of Health to first develop the reimbursement process for such apps. Accordingly, on January 15, 2020, the German government published a draft regulation setting … Continue Reading
While some state legislators are still putting away their holiday decorations, New Hampshire legislators introduced new data privacy legislation, New Hampshire House Bill 1680. The legislation is similar to the California Consumer Privacy Act (which we’ve written extensively about before, including here and here). It grants consumers access, portability, transparency, non-discrimination, deletion, and opt-out-of-sale rights … Continue Reading
On December 9, 2019, the German Federal Data Protection Supervisory Authority (BfDI) imposed a 9.55 million Euro fine on the telecommunications company 1&1 Telecom GmbH. The BfDI found that the authentication procedures used by 1&1’s customer helpline were insufficient and failed to satisfy the requirements of Art. 32 GDPR. The company announced that it will … Continue Reading
Last week, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) released a set of cyber readiness recommendations for small businesses. The recommendations, which CISA developed in collaboration with small businesses and state and local governments, are intended to assist smaller organizations in implementing organizational cybersecurity practices. While not binding requirements, the … Continue Reading
Over the past several months, many states, including Illinois, New York, Texas, and Washington, have passed significant amendments to their state data breach notification laws. Currently, most state data breach notification laws only require notification of residents (and possibly state regulators or others) following a “breach” of personally identifiable information (“PII”), which is often defined … Continue Reading
On July 25, New York Governor Andrew Cuomo signed two data security and breach notification bills into law. The first bill, the “Stop Hacks and Improve Electronic Data Security Act” or “SHIELD Act,” will impose specific data security requirements on businesses that own or license private information of New York residents, in addition to amending … Continue Reading
On June 13, 2019, the Cyberspace Administration of China (“CAC”) issued the draft Measures on Security Assessment of the Cross-border Transfer of Personal Information (“Draft Measures”) for public comment. (The official Chinese version of the Draft Measures is available here, and an unofficial English translation is available here.) The comment period ends on July 13, … Continue Reading
On May 28, 2019, the Cyberspace Administration of China (“CAC”) released the draft Measures for Data Security Management (“Draft Measures”) for public comment. (An official Chinese version of the Draft Measures is available here and an unofficial English translation is available here.) The comment period ends on June 28, 2019. The release of these Draft Measures demonstrates … Continue Reading
On May 13, 2019, China’s State Administration for Market Regulation (“SAMR”) released three core national standards related to the country’s Cybersecurity Multi-level Protection Scheme (“MLPS”), describing technical and organizational controls that companies must follow when complying with MLPS-related obligations under the Cybersecurity Law (“CSL”). These standards, which are commonly referred to as the “MLPS 2.0 … Continue Reading
One week from today, Covington will host its first webinar in a series on connected and automated vehicles (“CAVs”). The webinar will take place on February 27 from 12 to 1 p.m. Eastern Time. During the webinar, Covington’s regulatory and legislative experts will cover developments in U.S. law and regulations relating to CAVs. Those topics … Continue Reading
The Governor of Massachusetts recently signed House Bill No. 4806 into law, which will amend certain provisions of the state’s data breach notification law. In addition to changing the information that must be included in notifications to regulators and individuals, the amendments will also require entities to provide eighteen months of free credit monitoring services … Continue Reading
Recent years have seen significant amounts of legislative activity related to state data breach notification laws, and 2018 was no exception. Not only did South Dakota and Alabama enact new data breach notification laws in 2018, becoming the last of 50 U.S. states to enact such laws, but other states also enacted changes to existing … Continue Reading
On December 6, 2018, the Australian Parliament passed a bill that aims to address concerns raised by national security and law enforcement agencies regarding encrypted communications. Introduced in September, the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (the Act) may affect technology companies around the globe. As discussed in our previous post, … Continue Reading
On December 4, 2018, the Federal Trade Commission (“FTC”) announced that it is accepting public comments regarding its Identity Theft Detection Rules, 16 C.F.R. Part 681 (the “Rules”), as part of a systematic review of the Commission’s regulations and guidelines. The review of the Rules is particularly noteworthy because identity theft is among the top … Continue Reading
On June 11, 2018, the Financial Services Information Sharing and Analysis Center (“FS-ISAC”) announced the launch of the CERES Forum, an information sharing initiative for central banks, regulators, and supervisors designed to strengthen responses to cyber and physical threats. The new forum will become operational on July 1, 2018. Although FS-ISAC primarily comprises private financial … Continue Reading
By Bruce Bennett, Carlo Kostka, Craig Pollack, Dan Cooper, Gemma Nash, Kristof Van Quathem, Mark Young, and Sophie Bertin The EU Payment Services Directive (PSD2), which took effect on January 13, 2018, puts an obligation on banks to give Third Party Providers (TPPs) access to a customer’s payment account data, provided the customer expressly consents to … Continue Reading
On December 12, 2017, the Federal Trade Commission (“FTC”) hosted a workshop examining “informational injury,” defined by Acting Chairman Maureen Ohlhausen in her opening remarks as the harm consumers suffer due to privacy and data security breaches. Chairman Ohlhausen emphasized three main purposes for the workshop: First, to better identify qualitatively different injuries; second, to … Continue Reading
Covington’s global cross-practice Digital Health team has posted an illuminating three-part series on the Covington Digital Health blog that covers key questions entities should be asking as they seek to fit together the regulatory and commercial pieces of the complex digital health puzzle. In the first part of the series, the Digital Health team answers key regulatory questions … Continue Reading
Earlier this year, the FTC’s staff released a series of blog posts entitled Stick with Security that updated and expanded upon the prior Start with Security best-practices guide for information security practices. The Stick with Security series draws from FTC complaints, consent orders, closed investigations, and input from companies around the country to provide deeper … Continue Reading
On September 19, 2017, the U.S. District Court for the Northern District of California dismissed three of the six counts in the Federal Trade Commission’s (“FTC’s”) January 2017 complaint against D-Link Systems, Inc., allowing the FTC until October 20, 2017 to amend its complaint. The FTC’s complaint alleged that D-Link engaged in unfair and deceptive … Continue Reading
Last week, in his annual State of the European Union Address, the President of the European Commission Jean-Claude Juncker called out cybersecurity as a key priority for the European Union in the year ahead. In terms of ranking priorities, President Juncker placed tackling cyber threats just one place below the EU leading the fight against … Continue Reading
Earlier this month, the UK Government published a consultation on plans to implement the EU Directive on security of network and information systems (the “NIS Directive”, otherwise known as the Cybersecurity Directive). The consultation includes a proposal to fine firms that fail to implement “appropriate and proportionate security measures” up to EUR 20 million or … Continue Reading
Delaware Gov. John Carney has signed into law a bill that will impose more stringent obligations for notifying affected Delaware residents in the event of a data breach, in addition to establishing requirements for Delaware businesses to maintain “reasonable” data security practices. In addition to expanding the types of information that would require notification of … Continue Reading
