Aug 08, 2018

From Hunton Andrews Kurth:

On August 3, 2018, California-based Unixiz Inc. (“Unixiz”) agreed to shut down its “i-Dressup” website pursuant to a consent order with the New Jersey Attorney General, which the company entered into to settle charges that it violated the Children’s Online Privacy Protection Act (“COPPA”) and the New Jersey Consumer Fraud Act. The consent order also requires Unixiz to pay a civil penalty of $98,618.

The charges stemmed from a 2016 data breach in which hackers compromised more than 2.2 million unencrypted usernames and passwords, including those associated with over 24,000 New Jersey residents’ accounts. The New Jersey Attorney General alleged that Unixiz had actual knowledge that the i-Dressup website (which allowed users to “dress, style and make-up animated characters in various outfits” and featured children’s games) had collected the personal information of over 10,000 children and failed to obtain verifiable parental consent for such collection, in violation of COPPA.

Read more on their Privacy & Information Security Law Blog.

Jul 21, 2018

Scott Ikeda reports:

On June 12th, the Vietnamese National Assembly voted in a new cybersecurity law. The legislation did not come easily, having gone through more than 12 drafts and much debate in government and the business sector. The claimed purposes of the legislation are to increase Vietnam’s Internet sovereignty, that is, the data of Vietnamese people should remain within and under the control of Vietnam, and to improve the cybersecurity of the country by controlling what and how people communicate online.

The Law on Cybersecurity regulates all companies, both domestic and foreign, with online activities used by customers in Vietnam.

Highlights of the new cybersecurity law

  1. Website owners, no matter what their type, must not allow people to post any material that might be considered ‘anti-state’, inciting opposition or offensive. Owners must have mechanisms for monitoring, verifying, and removing such content from their sites.
  2. Vietnamese or foreign businesses that offer services over the Internet or other telecom networks must:
     • authenticate user information when they register
     • keep that user information confidential
     • cooperate with the Vietnamese authorities and share user information during investigations or when users breach the cybersecurity law

Read more on CPO Magazine.

Jun 01, 2018

Denise Lebeau-Marianna and Caroline Chancé of DLA Piper write:

…. In order to help organizations perform secure personal data processing and improve the overall digital security in France, the ANSSI has made available on its website (in French) a practical tool supplementing the French data protection supervisory authority’s (CNIL) own guidelines and recommendations on how to implement the GDPR.

The toolkit is composed of a series of information sheets, videos, infographics, guides, simulators, training courses and other documents covering many topics, from risk management to best practice in terms of IT hygiene, employee awareness, trusted digital services, etc., organized in 5 main themes:

  • Understanding the digital risk
  • Protection
  • Employee awareness
  • Choosing trusted experts and solutions
  • What to do in case of security incident

Read more on Privacy Matters.

May 10, 2018

Katharine Goodloe writes:

As policymakers weigh the many policy implications associated with the Internet of Things (“IoT”), U.S. lawmakers have put forward a variety of proposals for studying and regulating IoT devices. Although the likelihood of current proposals becoming law this term remains uncertain at best, existing legislative proposals provide important context and insight into the ways that lawmakers view IoT and the government’s role in fostering and regulating the technology.

Below, we summarize five draft bills in the U.S. that approach IoT from different perspectives—including seeking to develop IoT technologies, imposing contractual requirements on companies that provide IoT devices to the government, regulating specific security standards, and creating new resources for consumers to better understand the security and reliability of their IoT devices.

Read more on Covington & Burling Inside Privacy.

Apr 10, 2018

There is yet another really informative post by Jeff Drummond of Jackson Walker. This one is about a covered entity’s (CE’s) responsibility to actively monitor a business associate’s (BA’s) compliance. Jeff writes, in part:

Lexology today led me to this article by Adam Green’s crew at Davis Wright Tremaine. It turns out there is specific language in the December 2000 Privacy Final Rule that removed a more active monitoring requirement in the proposed regs from 1999 (the regs I famously read on the beach in Destin, Florida in June of 2000). The 2000 Final Rule says, “In the final rule, we reduce the extent to which a covered entity must monitor the actions of its business associate and we make it easier for covered entities to identify the circumstances that will require them to take actions to correct a business associate’s material violation of the contract. . . . [T]his standard relieves the covered entity of the need to actively monitor its business associates. . . .”

Read more on HIPAA Blog.