
Friday, September 04, 2015

Data Protection: How important is it to know what to do if there is a data breach?

Grupo Financiero Banorte, Mexico’s third-largest bank, suffered a data breach earlier this year and is now reportedly being fined 32 million pesos ($1.98 million) by the Mexican data protection authority, the National Institute of Transparency, Access to Information and Protection of Personal Data, for failing to inform all of its clients immediately after the hack occurred.  Mexico’s National Banking and Securities Commission is also investigating the matter and is expected to issue corrective measures.

To formulate and implement an effective incident response solution, including but not limited to having an attorney and forensic experts on standby, contact Gerrie van Gaalen.

International: The Right To Forget Metadata

The UK’s Information Commissioner’s Office (ICO) has enforced the European cyber law’s “right to be forgotten” against Google over search results linked to a minor crime committed by an individual ten years ago.  Last month, the ICO released an enforcement notice ordering the search engine to remove within 35 days nine links associated with the individual’s crime.  In some respects, the decision represents an expansion of the right, as it involves removing links to articles about Google's removal of articles about the individual.

If you need assistance in submitting a request to remove certain information about you from the search engines, contact Gerrie van Gaalen.

© Copyright 2015 Steptoe & Johnson LLP

Friday, July 24, 2015

International: China Seeks To Tighten Control Over Internet With Draft Cybersecurity Law

The Chinese parliament has issued a draft cybersecurity law aimed at “safeguarding China’s sovereignty over cyberspace and national security and public interests.”  The law outlines a plan for a multi-level system to prevent unauthorized network access, and calls for Internet-related industry associations, ISPs, and businesses to strengthen their cybersecurity standards.  It also establishes specific security requirements for operators and suppliers of networks and critical information infrastructure, including a provision that requires ISPs to store on Chinese territory any data collected within China and to obtain government approval before storing data overseas for business purposes.  If enacted, the draft law would allow the Chinese government to expand its online censorship practices and its control over Internet service providers and foreign firms operating in the country.

Sounds like certain movements in South Africa...worrying movements.

© Copyright 2015 Steptoe & Johnson LLP

Friday, January 16, 2015

Russia Extends Deadline For Data Localization Law

Russian President Vladimir Putin approved a deadline of September 1, 2015, for companies to relocate their computer servers containing Russian citizens’ personal information within the country’s borders.  The new timeframe for compliance with Russia’s data localization law was approved last month by both the upper house of Parliament and the Duma.  The Duma had previously passed a bill that would have moved the deadline up to January 1, 2015, over a year ahead of the law’s original effective date of September 1, 2016.  Lawmakers agreed to change the date after hearing from affected businesses concerned about the feasibility of setting up the necessary IT infrastructure in time to meet the law’s requirements.

© Copyright 2015 Steptoe & Johnson LLP

Monday, January 05, 2015

US: Boston Hospital Settles Data Breach Suit Over Unencrypted Laptop

Beth Israel Deaconess Medical Center in Boston has agreed to pay $100,000 to settle the Massachusetts Attorney General’s lawsuit over a 2012 data breach involving the theft of a physician’s unencrypted laptop.  In addition to the financial penalty, the hospital will also have to revise its data security measures to ensure compliance with state and federal law.  The consent agreement requires BIDMC to track and encrypt all hospital-purchased devices and to implement ActiveSync or other technology that prevents unencrypted smartphones and tablet devices from accessing personal information on the hospital’s email servers.  BIDMC must also review its policies and procedures regarding portable device security and train employees on how to handle personal and protected health information.

© Copyright 2014 Steptoe & Johnson LLP

How to avoid a similar risk at your organisation?
i) Establish your current position against the applicable legislation.
ii) Determine realistic goals to achieve the recommended position in terms of data protection.
iii) Implement appropriate deliverables, including but not limited to a Data Protection Policy, IT Security Policy, Mobile Device Policy and BYOD Policy.
iv) Implement standard training and audit procedures at your organisation.

Thursday, September 18, 2014

Adobe Breach Victims Have Standing To Sue Based On Risk Of Future Harm

The U.S. District Court for the Northern District of California has ruled in In Re Adobe Systems, Inc. Privacy Litigation that customers affected by Adobe’s 2013 data breach have standing to sue based on the increased risk of future harm caused by hackers who gained unauthorized access to their personal information.  The decision is in some tension with other court rulings that have interpreted the Supreme Court’s ruling in Clapper v. Amnesty International USA as foreclosing standing where the plaintiffs’ claims were based on the risk of future harm.  But the opinion is well reasoned, and may help plaintiffs establish standing in other breach suits.

© Copyright 2014 Steptoe & Johnson LLP

Friday, May 23, 2014

US: Protection of Personal Information

HHS Announces Record HIPAA Settlement

New York-Presbyterian Hospital (NYP) and Columbia University have agreed to pay a combined $4.8 million – the largest HIPAA settlement ever involving a single incident – to settle charges that they violated the HIPAA Privacy and Security Rules by accidentally making the electronic protected health information of their patients accessible to Internet search engines.  The Department of Health and Human Services’ Office for Civil Rights (OCR) launched its investigations after the entities – which operate a shared data network and firewall – notified it of the breach.  As part of the settlement, NYP will pay $3.3 million, and Columbia will pay $1.5 million.  The entities also agreed to undertake risk analyses, develop risk management plans, revise their existing policies and procedures, and provide training on privacy and security awareness.

© Steptoe & Johnson LLP