Sensitive Information

Subscribe to Sensitive Information

By Ksenia Koroleva

On July 6, 2016, Russian President Vladimir Putin signed Federal Law No 374-FZ. This law is also known as the “Yarovaya” law (named after a Russian senator who was the main driving force for the law to come into existence).

The Yarovaya law introduces amendments to certain Russian federal laws. The majority of the amendments came into effect on July 20, 2016, however, some of the requirements relating to storage of metadata, as described below, will only come into force starting from July 1, 2018. A draft law which aims to postpone the effective date of such requirements due to their technical complexity from July 1, 2018 to July 1, 2023 is currently being considered by the Russian State Duma.

The Yarovaya law, which is political and primarily aimed at combating terrorism, contains new rules on data retention which need to be taken into account by telecom companies and other persons operating or assisting in the operation of communications services.

By Kevin Boyle & Alex Stout

heartbleed.pngHardly a day passes now without some new report of a security vulnerability with inevitable breaches that follow, but Monday’s news about the two-year old vulnerability in OpenSSL is (or should be) catching everyone’s attention.  The problem is a coding error in a widely used cryptographic software library for implementing secure connections between a website (or web interface on a hardware device) and its user (typically indicated by a reassuring padlock in the status

By Elizabeth Richards and Kevin Boyle

On June 14, 2013, the Food and Drug Administration (“FDA”) issued a draft guidance entitled, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.” (“Guidance”). The Guidance was issued in response to growing concerns about IT vulnerabilities due to the increased use of wireless, Internet and network-connected devices coupled with the frequent electronic exchange of health information. To that end, the Guidance identifies a series of cybersecurity considerations manufacturers should

By Kevin Boyle and Aryeh Richmond

Here is a reminder that the Federal Trade Commission’s revisions to its Children’s Online Privacy Protection Rule become effective on July 1.  If you haven’t already, now is the time to make sure you have revisions to meet the rule in place as FTC and state attorney general inquiries and formal investigations are sure to follow the extensive public notices about the new rule as well as the need to comply on time. 

First

By Jennifer Archie

On Friday, Feb. 1, 2013, following the now expected series of public workshops and roundtables and well-timed enforcement actions, the Federal Trade Commission Staff issued a new 36-page staff report, Mobile Privacy Disclosures: Building Trust Through Transparency.  The Report summarizes past actions and guidance, and makes new recommendations for clearly and transparently informing users about mobile data practices in the “rapidly expanding mobile marketplace.” 

The report makes distinct recommendations for meeting fair information practices for mobile

By Susan Ambler Ebersole

HHS today published the long-awaited HIPAA/HITECH omnibus final rule.  A pre-publication version of the Rule was released on January 17.  The Rule is effective March 26, 2013, but covered entities and business associates have until September 23, 2013 to comply.  While Latham & Watkins is still engaged in a comprehensive review of the entire final rule, some of the more notable changes and clarifications in the final rule, as compared to the interim final rule

An August 2 webcast on Compliance and Enforcement in the Hospitality Industry  looked at the FTC proceedings in the Wyndham Hotels matter and identified some key takeaways, while considering how similar issues might play out in the European Union. (For those unable to follow the live webcast, the full presentation is now available online.)

Some of the key points covered in the discussion include:

  • While attackers can be persistent and use sophisticated tools, most breaches result from the failure

As part of its cyber security legislative proposal unveiled on May 12, the Obama administration sent to Congress a proposed Data Breach Notification bill that would supersede similar state laws.  If enacted, the bill would dramatically simplify response to data breaches involving residents from multiple states—a process that is now a maze of requirements, often requiring near instant legal judgment under 50 or more statutes as to whether a single breach event is a covered notice event.  In short

Thumbnail image for iStock_Lock.jpgThe American Institute of Certified Public Accountants (“AICPA”) Statement of Auditing Standard No. 70, or SAS 70 as it is more commonly known, has been with us since April 1992. On 15 June 2011, it will effectively be replaced by two new standards: (i) a reporting standard for service organisations, the “Statement on Standards for Attestation Engagements No. 16” (or SSAE 16 as it will no doubt be referred to); and (ii) an audit standard for customers of

The Interim Final Rule for Breach Notification for Unsecured Protected Health Information, issued pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, was published in the Federal Register on August 24, 2009, and became effective on September 23, 2009.  During the 60-day public comment period on the Interim Final Rule, HHS received approximately 120 comments.  HHS reviewed the public comment on the interim rule and developed a final rule, which was submitted to the Office of Management and Budget (OMB) for Executive Order 12866