Feb 172018

From EPIC.org:

Rep. Luetkemeyer (R-MO) and Rep. Maloney (D-NY) circulated a draft bill, the “Data Acquisition and Technology Accountability and Security Act,” that would set federal requirements for companies collecting personal data and require prompt breach notification. The Federal Trade Commission, which has often failed to pursue important data breach cases, and state Attorneys General would both be responsible for enforcing the law. The law would only trigger liability if the personal data breached is “reasonably likely to result in identity theft, fraud, or economic loss” and would preempt stronger state data breach laws. Earlier this week, EPIC President Marc Rotenberg testified before the House, calling for comprehensive data privacy legislation that would preserve stronger state laws. Last fall, EPIC testified at a Senate hearing on the Equifax breach, calling it one of the worst in U.S. history.

See also Ted Knutson’s report on Forbes, No Requirement For Banks To Tell Customers Their Info Was Hacked In New Breach Notification Bill, for more negative reviews of the bill.

Feb 082018

Sean Tassi reports:

Until recently, colleges and universities that experienced a data breach had no unique reporting obligations to the U.S. Department of Education. Institutions were expected to analyze security incidents under applicable federal and state laws and, when appropriate, notify affected individuals and appropriate federal and state agencies. Because the Family Educational Rights and Privacy Act (FERPA) does not contain a breach reporting obligation, ED had taken the position that a report directly to ED was optional.

ED, however, has now changed its stance and has started levying Cleryesque fines — up to $56,789 per violation — against institutions that fail to report a data breach directly to ED. The importance of data security and the prevention of cybercrimes are unquestioned, but ED’s new stance on breach reporting raises practical problems.

Read more on Campus Technology.

Feb 052018

Jovee Marie de la Cruz reports on a Philippine bill working its way through their legislature:

The House of Representatives on Monday approved on third and final reading a measure declaring hacking of bank systems and stealing 50 or more ATM or credit-card details as economic sabotage.

Voting 224-0, lawmakers passed House Bill (HB) 6710, which aims to strengthen public trust on the electronic financial and trade and sectors. HB 6710 will be transmitted to the Senate for its own deliberations.

The bill seeks to further avert losses in the financial and trade sector due to illegal use of electronic access devices.

Read more about the bill on Business Mirror

Feb 032018

On January 23, 2018, the French data protection authority (the CNIL) published new guidelines on the security of personal data (updating its previous security guide published in 2010 available in English) , providing practical recommendations in the form of “Do’s and Dont’s” to help businesses implement appropriate measures to protect personal data in compliance with the General Data Protection Regulation (“GDPR”).

Denise Lebeau-Marianna and Caroline Chancé write:

Article 32 of the GDPR requires data controllers and processors to “implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk”. Although the GDPR provides some guidance as to the types of measures that may be considered appropriate (i.e., the pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing), the CNIL acknowledges that such determination may be difficult for businesses that are unfamiliar with the risk management methods in terms of data processing.

The CNIL’s guide (available in French only at the date of this post – an English version will be made available by the CNIL in the near future) is aimed at (i) clarifying the basic precautions to be taken systematically when processing personal data and (ii) helping businesses verify their level of compliance thanks to a tick box evaluation form made available at the end of the guide.

Read more on DLA Piper Privacy Matters.

Jan 132018

Jennifer Martin and Calvin Cohen write:

On January 9, the House of Representatives passed the Cyber Vulnerability Disclosure Reporting Act by voice vote.  The Act directs the Secretary of the U.S. Department of Homeland Security (“DHS”) to prepare a report describing the policies and procedures that DHS developed to coordinate the cyber vulnerability disclosures.  Under the Homeland Security Act of 2002 and the Cybersecurity Information Sharing Act of 2015 (“CISA”), DHS is responsible for working with industry to develop DHS policies and procedures for coordinating the disclosure of cyber vulnerabilities.

Read more on Covington & Burling Inside Privacy.