2013 Hot Topics in Privacy & Data Protection


We recently attended an insightful and informative International Association of Privacy Professionals (IAPP) KnowledgeNet seminar, "2013 Hot Topics in Privacy & Data Protection," in Boston. The speakers were:

  1. Agnes Bundy Scanlan, CIPP/US, Senior Advisor, Treliant Risk Advisors
  2. Allison Dolan, Privacy Project Specialist, Massachusetts General Hospital
  3. Ann Killilea, Counsel, McDermott Will & Emery LLP
  4. Web Hull, CIPP/US, CIPP/G, Senior Privacy and Compliance Specialist, Iron Mountain

The highlights of this interesting seminar are below.

United States Developments

The Consumer Financial Protection Bureau (CFPB) is a federal agency that was founded as a result of the Dodd-Frank Wall Street Reform and Consumer Protection Act, and began operating in July 2011. The CFPB regulates financial institutions and enforces laws relating to the fairness and treatment of customers, including consumer financial information and credit reports.

The HIPAA/HITECH Act Final Rule was published on January 18, 2013 and will become effective on March 23, 2013. The more significant changes under the rule include:

  1. more data breaches will have to be reported, because the threshold for reporting breaches has been lowered (it previously required reporting only if the potential breach posed a "significant risk of financial, reputational, or other harm to the individual");
  2. stronger penalties for HIPAA violations; since the enactment of the HITECH Act in 2009, the U.S. Department of Health & Human Services has imposed several multimillion dollar fines for HIPAA violations;
  3. HIPAA violation liability is extended to "business associates" to whom protected health information is disclosed (e.g., third-party administrators, accounting firms providing services to health care providers); and
  4. the interim HITECH rule extended HIPAA violation liability to business associates, but "business associate" is now more broadly defined to include subcontractors of business associates (thus, business associates themselves must obtain business associate agreements from their subcontractors).

Enforcement of data privacy laws has ramped up in the U.S. The U.S. Department of Health & Human Services has been increasingly active in investigations and enforcement actions, as have the state attorneys general offices, including the Massachusetts Attorney General's office. The Federal Trade Commission has also been active in enforcing Section 5 of the FTC Act, 15 U.S.C. § 45.

There have been a number of recent legislative proposals relating to cybersecurity, particularly those relating to information sharing between the private sector and government. The panel emphasized the importance of responsible oversight, management, and contracting with third-party service providers. This has been a difficult area for many companies lately. There are significant privacy and cyber risk concerns relating to mobile applications, including mobile payment applications, as well as BYOD (bring your own device) issues and issues related to social media in the workplace.

European Union Developments

There has been significant activity in the European Union relating to cloud computing. On September 27, 2012, the European Commission published guidance on cloud computing entitled "Unleashing the Potential of Cloud Computing in Europe." The guidance recommends a responsible cloud computing approach and describes further steps that will be taken in the EU, including developing safe and fair contract terms/conditions, and establishing an EU cloud partnership to drive innovation.

The official draft of the EU Data Protection Regulation was published on January 25, 2012. It is intended to harmonize the data protection laws of the 27 EU member states and is stronger than the current EU Data Protection Directive. The Regulation builds upon the fundamental principles of the Directive. Its more significant changes include:

  1. European Data Protection Board will be a "one stop shop" regulator;
  2. data processors may be subject to direct enforcement action;
  3. non-resident data controllers are within the scope of the Regulation;
  4. enhanced rights of data subjects;
  5. demanding breach notification requirements (where feasible, within 24 hours);
  6. new emphasis on binding corporate rules; and
  7. increased enforcement and possibly significant fines (up to 2% of global turnover/revenue).

Please contact Corey M. Dennis ([email protected]) or Nancy Kelly ([email protected]) for further information on compliance with data privacy and security laws.