By Gail Crawford and Ulrich Wuermeling

On October 19, 2016, the Court of Justice of the European Union (CJEU) issued a ruling on the question of whether IP addresses constitute personal data. The ruling has direct implications on the general question of when data can be regarded as anonymous and, thus, fall outside the scope of data protection law. Many statistical applications rely on the assumption that they only use anonymous data (for example for online behavioral advertising, web analytics, security monitoring or health research). Whilst the CJEU has come to the conclusion that in this specific case IP addresses can be used to identify individuals, it provides helpful guidance in other cases where there is no real likelihood of the “key” to the data that is anonymised ever ending up in the hands of the processor in question.

In the case before the CJEU, the institutions of the German Federal Government stored logfiles of users of their internet websites in order to prevent attacks and to make it possible to prosecute “pirates.” The logfiles were kept by the institutions after the user ended the session. A German data protection activist sued the Government with the aim to block such storage. He argued that the data should be regarded as personal data since the internet service provider used by the activist had knowledge about his identity and the dynamic IP addresses he used. The logfiles should be regarded as “personal data” because the internet services provider, as a third party, was able to identify the users.

On Wednesday, April 8, the Federal Communications Commission (FCC) entered a consent decree and levied a $25 million civil penalty against AT&T to settle a data breach that exposed the information of nearly 280,000 customers.  This order comes on the heels of other recent FCC enforcement actions for privacy violations, demonstrating an invigorated effort by the FCC to “exercise its full authority” against companies that fail to secure customer data.

Until last week’s AT&T decision, the October 2014

The SEC today published in the Federal Register its Regulation SCI (Regulation Systems Compliance and Integrity), which requires key market participants to have and implement written policies and procedures reasonably designed to ensure the availability, confidentiality and integrity of their systems as necessary to assure the fair and orderly operation of the markets.  Among the specific requirements are periodic testing, annual systems review and disclosure of “SCI events” – including both functional and security issues.  In addition to security issues,

The State of California, long the most proactive U.S. state in enacting data privacy laws, has again modified its breach notification and data protection laws.  This week, Governor Jerry Brown signed two privacy bills into law:  SOPIPA (SB 1177), aimed at regulating the use of student data, and AB 1710, targeting data protection more broadly.  Taken together, these bills highlight the continuing compliance challenges facing American businesses which must conform not only to state-specific privacy standards, but also monitor

By Kevin Boyle and Alex Stout

On Monday, the data security firm CrowdStrike released a new report pointing a digital finger at the Chinese Army for cyber espionage against western technology companies. It has long been known that some of the most serious cyber challenges stem from state-sponsored attacks using encryption, customized tools that anti-virus software cannot detect, and sophisticated means to bypass or compromise legitimate access controls.  The CrowdStrike report joins a spate of recent revelations that have uncovered

By Elizabeth Richards and Kevin Boyle

On June 14, 2013, the Food and Drug Administration (“FDA”) issued a draft guidance entitled, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.” (“Guidance”). The Guidance was issued in response to growing concerns about IT vulnerabilities due to the increased use of wireless, Internet and network-connected devices coupled with the frequent electronic exchange of health information. To that end, the Guidance identifies a series of cybersecurity considerations manufacturers should

By Susan Ambler Ebersole

HHS today published the long-awaited HIPAA/HITECH omnibus final rule.  A pre-publication version of the Rule was released on January 17.  The Rule is effective March 26, 2013, but covered entities and business associates have until September 23, 2013 to comply.  While Latham & Watkins is still engaged in a comprehensive review of the entire final rule, some of the more notable changes and clarifications in the final rule, as compared to the interim final rule

By Jennifer Archie, Kevin Boyle, and Gail Crawford

What are the data breach risks that are of the most concern to the hospitality industry? What is the US Federal Trade Commission’s jurisdictional authority and what enforcement tools do they have available when it comes to data security? Learn more about these issues and other top data security matters affecting the hospitality industry in Latham & Watkins’ on-demand webcast. The webcast is moderated by Latham & Watkins partner

An August 2 webcast on Compliance and Enforcement in the Hospitality Industry  looked at the FTC proceedings in the Wyndham Hotels matter and identified some key takeaways, while considering how similar issues might play out in the European Union. (For those unable to follow the live webcast, the full presentation is now available online.)

Some of the key points covered in the discussion include:

  • While attackers can be persistent and use sophisticated tools, most breaches result from the failure

By Brian Murray

The Federal Communications Commission (“FCC”) is examining privacy and security issues raised by customer information stored on mobile communications devices. In a public notice released on May 25, 2012, the FCC sought comment on the privacy and data-security practices of mobile wireless service providers with respect to such information, as well as the application of existing privacy and security requirements to it–subjects on which the FCC last solicited public input five years ago. As the FCC acknowledged