European Commission Adopts EU-US Privacy Shield as Replacement for EU-US Safe Harbor Framework

What this is about 
On July 12, 2016, the European Commission formally adopted the EU-US Privacy Shield (the “Privacy Shield”) which will provide organizations a mechanism to comply with EU data protection requirements when transferring personal data from the EU to the US. This new privacy framework reflects the requirements set out by the European Court of Justice in its October 2015 landmark decision in Maximillian Schrems vs. Data Protection Commissioner, which declared the EU-US Safe Harbor privacy regime invalid.
Privacy Shield overview: The framework provides a set of robust and enforceable protections for the personal data of EU individuals, as well as transparency regarding the use of such data by participating companies, strong US government oversight, and increased cooperation with EU data protection authorities. For more information, see US Department of Commerce (“DOC”) factsheet and FAQs.
Joining the program: 
The DOC will start accepting self-certifications beginning August 1, 2016. Organizations must identify and register with an independent dispute resolution provider prior to submitting their self-certification.
About self-certification:
The decision to participate in the program is voluntary; however, once an organization publicly commits to comply with the framework’s principles through self-certification, that commitment is enforceable under US law by the relevant authority–either the US Federal Trade Commission or the Department of Transportation. To receive the Privacy Shield’s benefits, an organization must self-certify annually to the DOC that it agrees to adhere to the framework’s requirements, based on the privacy principles that include notice, choice, access, and transfer accountability. See the DOC’s guide for more information about participation and compliance requirements.

Disclaimer: This communication is for general informational purposes only, and does not constitute legal advice. No recipient should act, or refrain from acting, on the basis of any information provided here without advice from a qualified attorney licensed in the applicable jurisdiction.

For further information, please contact us at 1-866-723-2287.
July 14th, 2016|Business Transactions, European Union, Security|

California’s A.B. 1710 enhances privacy protections for sensitive personal information

Effective January 1, 2015, A.B. 1710 amends California’s breach notification, security procedures, and Social Security number (SSN) laws, generally outlined as follows:

  • provides that existing personal information data security obligations apply to businesses that maintain personal information, in addition to those who own or license the information;
  • provides that if the person or business issuing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, if any, be made at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached, if the breach exposed or may have exposed SSN and driver’s license numbers;
  • provides that a person or entity may not sell, advertise for sale, or offer to sell an individual’s SSN, except as permitted.
October 15th, 2014|Legislation, Security|

The FFIEC issues “shellshock” vulnerability alert to financial institutions

The Federal Financial Institutions Examination Council (the “FFIEC”) issued an alert advising financial institutions about a material security vulnerability in the Bourne-again shell (Bash) system software widely used in servers and other computing devices that could allow attackers to access and gain control of operating systems. The vulnerability, nicknamed “shellshock,” could expose organizations and individuals to potential fraud, financial loss, or access to confidential information. Any financial institution that provides secure services with Linux or nix variants running a vulnerable version of the Bash shell could be at risk no matter what their vendor mix. Given the widespread use of Bash and the evolving nature of the risk, the FFIEC said that regulators expect financial institutions to perform a risk assessment and address the shellshock vulnerability not only in their own systems, but also with their third-party service providers.

October 15th, 2014|Educational Series, Security|