Today, the Information Commissioner’s Office (“ICO”), the UK data protection authority, released for public comment its draft “Regulatory Action Policy,” a document in which the ICO seeks to set forth its objectives in taking regulatory action, present its new investigatory and enforcement powers, and explain how it aims to use them. The comment period will close on June 28, 2018.

With three weeks remaining until the General Data Protection Regulation (the “GDPR”) (Regulation (EU) 2016/679) takes effect, this draft document provides organizations with much needed insight into how the ICO plans to proceed in the age of new data protection compliance realities. In addition to the GDPR, the ICO will be enforcing the upcoming update to the UK’s national data protection law, the UK Data Protection Act 2018 (the “DPA”), which is still working its way through Parliament but should be in place by May 25, 2018, as well as other established data protection legislation.

The “Regulatory Action Policy” explains that the ICO will have the power to issue “urgent” information notices that require a response within 24 hours, take notice recipients who fail to comply to court on contempt charges, inspect and assess compliance without notice, administer fines by way of penalty notices, and prosecute criminal offences in court. The ICO’s power to prosecute failures to provide information and its ability to go to court to request a warrant to search premises will come from the DPA, not the GDPR.

The DPA also will permit the ICO to issue “assessment notices” to data controllers and processors so that the ICO can investigate whether the controller or processor is compliant with data protection legislation. The notice may require the organization to give the ICO access to premises and to specified documentation and equipment. An “urgent” assessment notice may require access to non-domestic premises on less than 7 days’ notice, which in effect allows the ICO to carry out a no-notice inspection. An organization that receives an “urgent” information notice, assessment notice, or enforcement notice may petition the court to overturn the urgency of that notice. Under the DPA, destruction or falsification of information the ICO is pursuing in its notice constitutes a criminal offence. However, similar to U.S. evidence-spoliation principles, it appears that loss of information through the routine operation of automated processes may be a defense to criminal charges.

Continue Reading UK’s ICO Explains Its Data Protection Enforcement Powers

Seyfarth eDiscovery attorneys Jason Priebe and Natalya Northrip will present “A Practical Roadmap for EU Data Protection and Cross-Border Discovery” at this year’s RelativityFest on October 24, 2017.

This presentation will provide attendees with practical tips for leveraging the new Sedona International Principles to help in your compliance with stringent GDPR requirements, and in seeking

On May 11, President Trump signed an Executive Order (EO) on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. This is a significant development for U.S. cybersecurity, as it represents a concrete call to action for the government to modernize its information technology, beef up its cybersecurity capabilities, protect our country’s critical infrastructure from

On January 5, 2017, the Federal Trade Commission (FTC) sued Taiwan-based computer networking equipment manufacturer D-Link Corporation and its U.S. subsidiary for a permanent injunction, alleging that D-Link’s inadequate security measures left its wireless routers and its IP cameras, which are used to monitor private areas of homes and businesses, vulnerable to hackers, thereby compromising U.S. consumers’ privacy.

In the complaint filed in the Northern District of California, Federal Trade Commission v. D-Link Systems Corp. et al., Case Number 3:17cv39, the FTC alleged that D-Link failed to take reasonable steps to secure its routers and Internet Protocol (IP) cameras, potentially compromising sensitive consumer information, including live video and audio feeds from D-Link IP cameras. The FTC’s allegation of consumer injury is limited to the statement that due to the lack of security, consumers “are likely to suffer substantial injury” and that, unless stopped by an injunction, D-Link is “likely to injure consumers and harm the public interest.”

In seeking the requested relief, the FTC is relying on its powers under Section 5(a) of the FTC Act, 15 U.S.C. § 45(a). The FTC’s Section 5 powers had largely gone unchallenged by companies subject to enforcement action until Wyndham Hotels, which came under investigation after it suffered a series of data breaches, tried to curtail the FTC’s jurisdiction. That challenge failed in 2015, when the Third Circuit held that the FTC did, in fact, have the authority to regulate cybersecurity practices under the unfairness prong of Section 5 of the FTC Act.

Continue Reading Lessons from the FTC’s First Enforcement Action Against an IoT Company

In January 2017, The Sedona Conference Working Group on International Electronic Information Management, Discovery, and Disclosure (WG6) issued the much-anticipated International Litigation Principles on Discovery, Disclosure & Data Protection in Civil Litigation (Transitional Edition). This publication updates the 2011 International Litigation Principles, which preceded the 2013 Snowden revelations and the Schrems decision invalidating the U.S.-EU Safe Harbor. It also incorporates the adoption and implementation of the EU-U.S. Privacy Shield and the approval of the EU General Data Protection Regulation (GDPR), which is set to replace the 1995 EU Data Privacy Directive in May 2018. Many of these developments are consistent with the focus on “proportionality” of discovery in the 2015 amendments to the U.S. Federal Rules of Civil Procedure.

Given the complex and dynamic EU data protection landscape, in which the new Privacy Shield has not yet been tested and the GDPR has not yet taken effect, WG6 has aptly designated this a “Transitional” edition. This edition provides interim best practices and practical guidance for courts, counsel, and corporate clients on safely navigating the competing and conflicting issues involved in cross-border transfers of EU personal data in the context of transnational litigation and regulatory proceedings. Following are the publication’s Six Transitional International Litigation Principles:

Continue Reading The Sedona Conference WG6 Issues “Transitional” International Litigation Principles

The Sedona Conference Working Group on Electronic Document Retention & Production (WG1) has released its Commentary on Proportionality in Electronic Discovery. The public comment period on the Commentary closed on January 31, 2017. This Commentary was much anticipated given the revamping of Rules 26(b)(1) and 37(e) of the Federal Rules of Civil Procedure in December 2015, which directly affected the scope of eDiscovery in federal litigation. The 2015 amendments were aimed at curbing gamesmanship and abuses in eDiscovery by elevating the importance of “proportionality” as the guiding principle governing the entire discovery process and by setting forth the framework for addressing the loss of electronically stored information (ESI) that was required to be preserved.

Under the amended Rule 26(b)(1), “parties may obtain discovery regarding any nonprivileged matter that is relevant to any party’s claim or defense and proportional to the needs of the case….” (emphasis added). Rule 26(b)(1) also now includes the considerations that bear on proportionality, which were moved from the previous Rule 26(b)(2)(C)(iii), rearranged and expanded. The proportionality factors that courts will take into account are as follows: (1) the importance of the issues at stake; (2) the amount in controversy; (3) the parties’ relative access to relevant data; (4) the parties’ resources; (5) the importance of discovery for resolution; and (6) the burden or expense relative to benefit.

The amended Rule 37(e) provides guidance on the scope of the preservation effort that the court expects from litigants. Specifically, the amendments to Rule 37(e) affect the judicial analysis of sanctions for the loss of ESI (1) that “should have been preserved” in the anticipation or conduct of litigation, (2) that was lost because a party failed to take “reasonable steps” to preserve it, and (3) that cannot be restored or replaced through additional discovery. Upon making this finding, a court must conduct additional analysis, the goal of which is to differentiate “bad faith” conduct from mere negligence and to order sanctions in accordance with the level of egregiousness. Under the amended Rule 37(e), courts will focus on a party’s intent to deprive its opponent of the benefits of the lost ESI and on the resulting prejudice to the opponent. Where the court finds “bad faith” conduct, it may order the harsher sanctions, including an adverse inference instruction, default judgment, or dismissal. Where culpability is lacking, however, only measures limited to curing the prejudice are appropriate.

Parties engaged in or preparing for litigation should consider how these amendments impact their overall litigation strategy, as well as their eDiscovery process. While the concepts of proportionality and good-faith discovery conduct are anything but new, the 2015 amendments provide the parties and courts with a more robust and defined framework for their application.

To help federal litigants and courts apply the new amendments in designing the eDiscovery process and resolving eDiscovery disputes, the Commentary on Proportionality offers Six Principles for consideration. The following are the key takeaways.

Continue Reading Key Takeaways from the Sedona Conference Commentary on Proportionality in Electronic Discovery

Earlier this month, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) civil money penalty of $3,217,000.00 against Children’s Medical Center of Dallas (Children’s), a pediatric hospital that is part of Children’s Health, the seventh largest pediatric health care provider in the nation. OCR based this penalty on its finding that Children’s failed to comply with the HIPAA Security Rule over many years and that Children’s impermissibly disclosed unsecured electronic protected health information (ePHI) when it suffered two data breaches that were reportable to OCR.

The Breaches

  • On January 18, 2010, Children’s reported to OCR the loss of an unencrypted, non-password protected BlackBerry device at an airport on November 19, 2009. The device contained the ePHI of approximately 3,800 individuals.
  • On July 5, 2013, Children’s reported to OCR the theft of an unencrypted laptop from its premises sometime between April 4 and April 9, 2013. The device contained the ePHI of approximately 2,462 individuals.

Because Children’s devices were unencrypted, Children’s was obligated to report their loss, along with the unsecured ePHI they contained, to HHS. Had the devices been encrypted, Children’s could have taken advantage of the “safe harbor” rule, pursuant to which covered entities and business associates are not required to report a breach of information that is not “unsecured.” Note that the safe harbor is not satisfied by encryption in name only: under HHS guidance, ePHI is rendered “secured” only if it is encrypted consistent with the referenced NIST standards (e.g., NIST SP 800-111 for data at rest) and the decryption key has not itself been compromised along with the device.

The Investigation

  • OCR’s investigation revealed that, in violation of the HIPAA Rules, Children’s (1) failed to implement risk management plans, contrary to prior external recommendations to do so, and (2) knowingly, and over the course of several years, failed to encrypt, or alternatively protect, all of its laptops, workstations, mobile devices, and removable storage media.
    • OCR’s investigation established that Children’s knew about the risk of maintaining unencrypted ePHI on its devices as far back as 2007.
    • Despite this knowledge, Children’s issued unencrypted BlackBerry devices to nurses and allowed its workforce members to continue using unencrypted laptops and other mobile devices until 2013.

The Takeaways
Continue Reading Key Takeaways from OCR’s Latest HIPAA Fine: Hospital to Pay $3.2 Million for Its Cybersecurity Violations

Last month, The Sedona Conference released the public comment version of The Sedona Conference Data Privacy Primer, a comprehensive catalog of U.S. data privacy issues, legislation, and resources, designed to provide “immediate and practical benefit” to organizations and practitioners dealing with privacy issues. The Primer is a work product of The Sedona Conference Working

President Trump is expected soon to sign an Executive Order on Strengthening U.S. Cyber Security and Capabilities. Reports about a “leaked draft” of the Executive Order on Cybersecurity surfaced on the Internet a few days ago, along with predictions that the Order would be signed on January 31. The Order has yet to be signed, and the publicized draft may undergo some changes. The available draft orders three reviews:

  • Review of Cyber Vulnerabilities, which asks, within 60 days of the date of the Order, for a report of initial recommendations for the enhanced protection of the most critical civilian Federal Government, public, and private sector infrastructure.
  • Review of Cyber Adversaries, which asks, within 60 days of the date of the Order, for a first report on the identities, capabilities, and vulnerabilities of the principal U.S. cyber adversaries.
  • U.S. Cyber Capabilities Review, which asks for identification of an initial set of capabilities needing improvement to adequately protect U.S. critical infrastructure, based on the results of the other two Reviews. As part of this review, the Secretary of Defense and the Secretary of Homeland Security are directed to gather and review information from the Department of Education “regarding computer science, mathematics, and cyber security education from primary through higher education to understand the full scope of U.S. efforts to educate and train the workforce of the future.” The Secretary of Defense is also directed to make recommendations “in order to best position the U.S. educational system to maintain its competitive advantage into the future.”

Continue Reading President Trump to Issue Executive Order on Cybersecurity