

Data, Privacy & Security Practice Report – March 21, 2017


Illinois “Right to Know” Bill Passed Out Of Senate Judiciary Committee; Moves To Illinois State Senate—On March 14, 2017, the Illinois Senate Judiciary Committee passed a bill that would require websites and apps to notify their Illinois customers of the types of personally identifiable information they collect, disclose and sell.

The bill, titled the “Right to Know Act,” was sponsored by Illinois State Senator Michael E. Hastings (D-Tinley Park). In his press release, State Senator Hastings stated: “The price of surfing the web shouldn’t mean sacrificing your privacy and personal information. Every time someone simply engages on a website from the comfort of their home, commercial websites could possibly be storing and sharing this data.”

If enacted, the Right to Know Act would require operators of commercial websites or online services that collect “personal information” of Illinois customers through the internet to:

  • Disclose to their customers the categories of personal information that the operator collects about them;
  • Disclose to their customers all of the types or categories of third parties to which an operator may disclose a customer’s personal information; and
  • Provide a description of a customer’s rights under the Right to Know Act.

“Personal information” is defined fairly broadly in the Right to Know Act, and includes identity information, address information, telephone numbers, birthdate or age, physical characteristics, race, ethnicity, religious affiliation, and professional and educational information.

The Right to Know Act would also impose an obligation on operators that disclose customer personal information to third parties to tell their customers all the categories of personal information so disclosed and the names of the third parties that received the information. Customers would have a right to request this information, and operators would have 30 days to respond to such requests.

In addition to these disclosure obligations, the Right to Know Act would create a private right of action allowing customers to pursue relief under the Illinois Consumer Fraud and Deceptive Business Practices Act and to seek injunctive relief.

Senate Judiciary Committee members who voted against the bill were concerned that it would create an undue burden on small and medium-sized businesses and could stifle data analytics companies, a growing business sector in Chicago.

The bill now moves to the Illinois Senate floor for a vote. If passed, it would head to an Illinois House panel.


Reporter, Stephen Abreu, San Francisco, +1 415 318 1219

OMB Publishes Report On Cybersecurity In 2016—On March 10, 2017, the Office of Management and Budget (“OMB”) released its annual report to Congress under the Federal Information Security Modernization Act of 2014. The report compiles fiscal year 2016 information from the Department of Homeland Security and executive branch Chief Information Officers and Inspectors General to assess “the state of Federal cybersecurity.”

In FY2016, federal agencies experienced “30,899 cyber incidents that led to the compromise of information or system functionality in the federal agencies.” Government-wide, the identified attack vectors were primarily the loss or theft of equipment, attacks from a website or web-based application, email phishing, and improper use of information in violation of agency policy. Thirty-eight percent of the incidents fell into the “other” category, where “[a]n attack method does not fit into any other vector or the cause of attack is unidentified.”

The 30,899 incidents included sixteen events “that met the threshold for a major incident, a designation that triggers a series of mandatory steps for agencies, including reporting certain information to Congress.” Agencies assess incidents against the following criteria, and may determine that an event constitutes a “major incident” when it meets all three of the first group, or either condition in the second:

  • Involves information that is Classified, Controlled Unclassified Information (“CUI”) Proprietary, CUI Privacy, or CUI Other;
  • Is not recoverable, not recoverable within a specified amount of time, or is recoverable only with supplemental resources; and
  • Has a high or medium functional impact to the mission of an agency; or
  • Involves the exfiltration, modification, deletion, or unauthorized access to, or lack of availability of, information or systems within certain parameters, to include either:
    • 10,000 or more records or 10,000 or more users affected; or
    • Any record that, if exfiltrated, modified, deleted, or otherwise compromised, is likely to result in a significant or demonstrable impact on agency mission, public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence.

Major incidents in FY2016 included a Department of Health and Human Services event that involved the “potential compromise of Personally Identifiable Information (PII);” a Department of Housing and Urban Development incident in which PII “including Social Security numbers, were accessible via an internet-based Google search;” and ten major incidents at the Federal Deposit Insurance Corporation “which generally stemmed from employees taking PII or other sensitive information on removable media in an unauthorized fashion.”

The report also includes individual performance summaries for ninety agencies. According to Acting Federal Chief Information Security Officer Grant Schneider, “a significant amount of work remains to implement . . . controls and protect Federal networks and data.”

Nevertheless, the report describes considerable progress during FY2016: 81% of government users now authenticate to federal networks with Personal Identity Verification (PIV) credentials, and over 70% of federal agencies have deployed strong anti-phishing and malware defenses. FY2016 also saw the release of the OMB and Office of Personnel Management Federal Cybersecurity Workforce Strategy and the revision of OMB Circular A-130, the document that “sets the overarching framework for managing Federal IT resources.”

Reporter, Elizabeth E. Owerbach, Washington, DC, +1 202 626 9223

No Grace Period For GDPR Enforcement—On 15 March 2017, Steve Wood, Head of International Strategy & Intelligence at the Information Commissioner’s Office (“ICO”), the UK’s data protection authority, confirmed during a keynote speech at the International Association of Privacy Professionals’ Data Protection Intensive in London that there will be no grace period for enforcement under the General Data Protection Regulation (“GDPR”), which becomes enforceable on 25 May 2018.

His remarks put organisations on notice that the GDPR’s penalties for non-compliance, the most severe of any data protection legislation introduced to date, will be available to regulators from the first day the Regulation applies. The ICO acknowledges that organisations still need time to prepare before that date, both to work through the Regulation’s requirements and to obtain guidance on the finer details, such as the changed conditions for valid consent, so as to avoid the serious consequences of non-compliance.

The ICO has responded to concerns about the scope of the GDPR by focussing on “a common-sense, pragmatic approach to regulatory principles.” Accordingly, the ICO has stated that it will work with organisations by concentrating on risk, accountability and transparency. To that end, the ICO is currently holding a public consultation on its draft consent guidance, which emphasises to data controllers that they must give individuals a genuine choice and effective control over their personal data through fair and accessible consent mechanisms.

With regard to accountability and transparency, the ICO has published guidance on privacy notices on its website to help organisations meet the GDPR’s requirements for producing accessible, layered privacy information. Wood said that businesses should embed a comprehensive sense of responsibility for safeguarding data throughout their organisation and across all members of staff, since this is what the ICO will look for if it investigates potential non-compliance with the GDPR.

Reporter, Kim Roberts, London, +44 20 7551 2133


King & Spalding’s 2017 Cybersecurity & Privacy Summit—On Monday, April 24, 2017, make plans to join the cybersecurity and privacy experts from King & Spalding and PwC, as well as representatives from the U.S. Department of Justice, the Federal Trade Commission, Georgia Institute of Technology, The Home Depot, and TSYS, to learn about the latest strategies for protecting your company against the legal and financial risks of cybersecurity breaches and other privacy incidents.
