New Data Security Bill Seeks Uniformity in Protection of Consumers’ Personal Information

Morgan, Lewis & Bockius LLP.

Last week, House lawmakers floated a bipartisan bill titled the Data Security and Breach Notification Act (the Bill). The Bill comes on the heels of legislation proposed by US President Barack Obama, which we recently discussed in a previous post. The Bill would require certain entities that collect and maintain consumers’ personal information to maintain reasonable data security measures in light of the applicable context, to promptly investigate a security breach, and to notify affected individuals of the breach in detail. In our Contract Corner series, we have examined contract provisions related to cybersecurity, including addressing a security incident if one occurs.

Some notable aspects of the Bill include the following:

  • Notification to individuals affected by a breach would generally be required within 30 days after a company has begun taking investigatory and corrective measures (rather than based on the date of the breach’s discovery).

  • Notification to the Federal Trade Commission (FTC) and the Secret Service or the Federal Bureau of Investigation would be required if the number of individuals whose personal information was (or there is a reasonable basis to conclude was) leaked exceeds 10,000.

  • To advance uniform and consistently applied standards throughout the United States, the Bill would preempt state data security and notification laws. However, the scope of preemption continues to be discussed, and certain entities would be excluded from the Bill’s requirements, including entities subject to existing data security regulatory regimes (e.g., entities covered by the Health Insurance Portability and Accountability Act).

  • Violations of the Bill would be enforced by the FTC or state attorneys general (and not by a private right of action).

Online Behavioral Advertising: Industry Guides Require Real Time Notice When Data Are Collected or Used for Personalized Ads

Greenberg Traurig Law firm

WHAT’S COVERED?

Online behavioral advertising (OBA) has become a very common tool for commercial websites. OBA can be defined as follows:

the collection of data online from a particular computer or device regarding web viewing behaviors over time and across Web sites for the purpose of using such data to predict preferences or interests and to deliver advertising to that computer or device presumed to be of interest to the user of the computer/device based on observed Web viewing behaviors.

OBA might be implemented by use of cookies directly on a company’s website by the company itself. Or it might occur through technology embedded in ads from other parties displayed on the company’s site. Either way, the operators of commercial websites need to be aware when OBA is occurring on their sites and should be taking steps to provide greater transparency about OBA occurring on their sites.

WHAT’S THE CONCERN?

While the use of OBA is largely unregulated by law in the U.S. at this time, its spread has generated concern among privacy advocates. Of particular concern is the gathering of data about consumers without their knowledge where such information is supposed to be anonymous but advances in technology make it more and more possible to link that information to individuals (not just devices) through combination with other information. Examples can include information about health conditions and other sensitive information gleaned by watching the sites a user visits, the searches he/she conducts, etc. Key characteristics of OBA include that it is: (a) invisible to the user; (b) hard to detect; and (c) resilient to being blocked or removed.

In an effort to stave off government regulation of OBA in the United States, the Digital Advertising Alliance (DAA), a consortium of the leading advertising trade associations, has instituted a leading set of guidelines. Based on standards proposed by the Federal Trade Commission, the DAA Self-Regulatory Program is designed to give consumers enhanced control over the collection and use of data regarding their Internet viewing for OBA purposes.

WHAT’S REQUIRED?

The key principles of the DAA’s guides are to provide greater transparency to consumers to allow them to know when OBA is occurring and to provide the ability to opt out. For commercial website operators that allow OBA on their sites, the compliance implications are as follows:

  1. First Party OBA. First Parties are website operators/publishers. If a company simply gathers information for its own purposes on its own site, it is generally not covered by the guidelines. However, as soon as the First Party allows others to engage in OBA via the site, it has a duty to monitor and make sure that proper disclosures are being made and even to make the disclosures itself if the others do not do so, including assuring that “enhanced notice” (usually the icon discussed below or a similar statement) appears on every page of the First Party’s site where OBA is occurring.

  2. Third-Party OBA. Third parties are ad networks, data companies/brokers, and sometimes advertisers themselves, who engage in OBA through ads placed on other parties’ sites. These Third Parties should provide consumers with the ability to exercise choice with respect to the collection and use of data for OBA purposes. (See below on how to provide recommended disclosures.)

  3. Service Providers. These are providers of Internet access, search capability, browsers, apps, or other tools that collect data about sites a user visits. Service Providers generally are expected to provide clear disclosure of OBA practices which may occur via their services, obtain consumer consent for such practices, and provide an easy-to-use opt-out mechanism.

HOW TO COMPLY

Generally, Third Parties and Service Providers should give clear, meaningful, and prominent notice on their own websites that describes their OBA data collection and use practices. Such notice should include clear descriptions that include:

  • The types of data collected online, including any PII for OBA purposes;

  • The uses of such data, including whether the data will be transferred to a nonaffiliate for OBA purposes;

  • An easy to use mechanism for exercising choice with respect to the collection and use of the data for OBA purposes or to the transfer of such data to a nonaffiliate for such purpose; and

  • The fact that the entity adheres to OBA principles.

In addition, “enhanced notice” should appear on each and every ad (or page) where OBA is occurring. The “enhanced notice” means more than just traditional disclosure in a privacy policy. It means placement of a notice on the page/ad where OBA is occurring. The notice typically is given in the form of the following icon (in blue color) which should link to a DAA page describing OBA practices and providing an easy-to-use opt-out mechanism:

[image: the DAA icon]

The icon/link should appear in or around each ad where data are collected. Alternatively, it can appear on each page of a website on which any OBA ads are being served. It is normally the duty of the advertisers (Third Parties) to deploy the icon. However, if they fail to do so, then the operator of the site where the OBA ads appear has the duty to make appropriate real-time disclosures about OBA on each page where OBA activity is occurring, including links to the DAA page describing OBA practices and providing an easy-to-use opt-out mechanism.

ENFORCEMENT

The DAA is taking its OBA guidelines seriously. It has issued sets of “compliance warnings” to many major U.S. companies. While DAA has no direct authority to impose fines or penalties, its issuance of a ruling finding a violation of its guidelines could create a tempting target for the FTC or plaintiffs’ class action lawyers to bring separate actions against a company not following the DAA guidelines. For all these reasons, operators of websites employing OBA (either first party or third party) should pay heed to the DAA Guidelines.

California To Expand Its Data Breach Notification Rules

Sheppard Mullin Law Firm

California has broadened its data breach notification statutes in response to the increasing number of large data breaches of customer information.  AB 1710, which Governor Jerry Brown signed into law, amends California’s Data Breach Notification Law to (1) ban the sale, advertising for sale or offering for sale of social security numbers, (2) extend the existing data-security law and obligations applicable to entities that own or license customer information to entities that “maintain” the information, and (3) require that if the person or business providing notification of a breach under the statute was the source of the breach then the notice must include an offer to provide appropriate identity theft prevention and mitigation services, if any, at no cost for 12 months along with any information necessary to take advantage of the offer.  The last of these amendments has spurred some debate over whether the statute actually mandates an offer of credit monitoring or other services given its use of the phrase “if any.”  It is also unclear what exactly is intended by or who qualifies as “the source of the breach.”

The use and placement of the phrase “if any” in the statute does create some ambiguity.  The statute, however, speaks in mandatory terms when it states the notification “shall include” an offer of these services.  Its plain language also suggests the phrase “if any” is directed to the question of whether appropriate identity theft or mitigation services exist and are available – not whether or not they must be offered.  A review of the measure’s legislative history confirms this.  The Committee analyses all discuss this element of the statute as “requiring” an offer of services.  Indeed, the legislative analysis immediately following the addition of the phrase “if any” defined the problem under existing law to be that it does not require any prevention or mitigation steps and states that this measure (AB 1710) addresses this issue by requiring an offer of appropriate “identity theft prevention and mitigation services, if any are available,…”  This interpretation is also consistent with the fact that an offer is only required when the breach involves disclosure of highly sensitive information that tends to lead to identity theft or credit card fraud, i.e., the customer’s social security, driver’s license or California identification number.

The standard of whether or not such services would, to some degree, be appropriate will not likely be the primary conversation that this amendment sparks.  The more lively topic will likely be who is the “source of the breach” (and even then the offer is only required when you are both the source of the breach and the party giving notice under the statute) and what standards apply for determining “appropriate” services.  The legislative history is not as equally helpful on these questions.  Thus, until the scope of this new requirement becomes more clear, businesses involved in a breach under the statute need to carefully think through the risks of offering certain services when providing notice.

These new rules take effect on January 1, 2015.  To review the amended statute or its legislative history click here.

Dodd-Frank Whistleblower Litigation Heating Up

Barnes Thornburg

The past few months have been busy for courts and the SEC dealing with securities whistleblowers. The Supreme Court’s potentially landmark decision in Lawson v. FMR LLC back in March already seems like almost ancient history.  In that decision, the Supreme Court concluded that Sarbanes-Oxley’s whistleblower protection provision (18 U.S.C. §1514A) protected not simply employees of public companies but also employees of private contractors and subcontractors, like law firms, accounting firms, and the like, who worked for public companies. (And according to Justice Sotomayor’s dissent, it might even extend to housekeepers and gardeners of employees of public companies).

Since then, a lot has happened in the world of whistleblowers. Much of the activity has focused on Dodd-Frank’s whistleblower-protection provisions, rather than Sarbanes-Oxley. This may be because Dodd-Frank has greater financial incentives for plaintiffs, or because some courts have concluded that it does not require an employee to report first to an enforcement agency. The following are some interesting developments:

What is a “whistleblower” under Dodd-Frank?

This seemingly straightforward question has generated a number of opinions from courts and the SEC. The Dodd-Frank Act’s whistleblower-protection provision, enacted in 2010, focuses on a potentially different “whistleblower” population than Sarbanes-Oxley does. Sarbanes-Oxley’s provision focuses particularly on whistleblower disclosures regarding certain enumerated activities (securities fraud, bank fraud, mail or wire fraud, or any violation of an SEC rule or regulation), and it protects those who disclose to a person with supervisory authority over the employee, or to the SEC, or to Congress.

On the other hand, Dodd-Frank’s provision (15 U.S.C. §78u-6 or Section 21F) defines a “whistleblower” as “any individual who provides . . . information relating to a violation of the securities laws to the Commission.”  15 U.S.C. §78u-6(a)(6).  It then prohibits, and provides a private cause of action for, adverse employment actions against a whistleblower for acts done by him or her in “provid[ing] information to the Commission,” “initiat[ing], testif[ing] in, or assist[ing] in” any investigation or action of the Commission, or in making disclosures required or protected under Sarbanes-Oxley, the Exchange Act or the Commission’s rules.  15 U.S.C. §78u-6(h)(1). A textual reading of these provisions suggests that a “whistleblower” has to provide information relating to a violation of the securities laws to the SEC.  If the whistleblower does so, an employer cannot discriminate against the whistleblower for engaging in those protected actions.

However, after the passage of Dodd-Frank, the SEC promulgated rules explicating its interpretation of Section 21F. Some of these rules might require providing information to the SEC, but others could be construed more broadly to encompass those who simply report internally or report to some other entity.  Compare Rule 21F-2(a)(1), (b)(1), and (c)(3), 17 C.F.R. §240.21F-2(a)(1), (b)(1), and (c)(3). The SEC’s comments to these rules also said that they apply to “individuals who report to persons or governmental authorities other than the Commission.”

Therefore, one issue beginning to percolate up to the appellate courts is whether Dodd-Frank’s anti-retaliation provisions consider someone who reports alleged misconduct to their employers or other entities, but not the SEC, to be a “whistleblower.” The only circuit court to have squarely addressed the issue (the Fifth Circuit in Asadi v. G.E. Energy (USA) LLC) concluded that Dodd-Frank’s provision only applies to those who actually provide information to the SEC.

In doing so, the Fifth Circuit relied heavily on the “plain language and structure” of the statutory text, concluding that it unambiguously required the employee to provide information to the SEC.  Several district courts, including in Colorado, Florida and the Northern District of California, have concurred with this analysis.

More, however, have concluded that Dodd-Frank is ambiguous on this point and therefore have given Chevron deference to the SEC’s interpretation as set forth in its own regulations. District courts, including in the Southern District of New York, New Jersey, Massachusetts, Tennessee and Connecticut, have adopted this view. The SEC has also weighed in, arguing (in an amicus brief to the Second Circuit) that whistleblowers should be entitled to protection regardless of whether they disclose to their employers or the SEC.  The agency said that Asadi was wrongly decided and, under its view, employees that report internally should get the same protections that those who report to the SEC receive. The Second Circuit’s decision in that case (Liu v. Siemens AG) did not address this issue at all.

Finally, last week, the Eighth Circuit also decided not to take on this question. It opted not to hear an interlocutory appeal, in Bussing v. COR Securities Holdings Inc., in which an employee at a securities clearing firm provided information about possible FINRA violations to her employer and to FINRA, rather than the SEC, and was allegedly fired for it. The district court concluded that the fact that she failed to report to the SEC did not exclude her from the whistleblower protections under Dodd-Frank. It reasoned that Congress did not intend, in enacting Dodd-Frank, to encourage employees to circumvent internal reporting channels in order to obtain the protections of Dodd-Frank’s whistleblower protection.  In doing so, however, the district court did not conclude that the statute was ambiguous and rely on the SEC’s interpretation.

A related question is what must an employee report to be a “whistleblower” under Dodd-Frank. Thus far, if a whistleblower reports something other than a violation of the securities laws, that is not protected. So, for example, an alleged TILA violation or an alleged violation of certain banking laws have been found to be not protected.

These issues will take time to shake out. While more courts thus far have adopted, or ruled consistently with, the SEC’s interpretation, as the Florida district court stated, “[t]he fact that numerous courts have interpreted the same statutory language differently does not render the statute ambiguous.”

Does Dodd-Frank’s whistleblower protection apply extraterritorially?

In August, the Second Circuit decided Liu. Rather than focus on who can be a whistleblower, the Court concluded that Dodd-Frank’s whistleblower-protection provisions do not apply to conduct occurring exclusively extraterritorially. In Liu, a former Siemens employee alleged that he was terminated for reporting alleged violations of the FCPA at a Siemens subsidiary in China.  The Second Circuit relied extensively on the Supreme Court’s Morrison v. Nat’l Aust. Bank case in reaching its decision. In Morrison, the Court reaffirmed the presumption that federal statutes do not apply extraterritorially absent clear direction from Congress.

The Second Circuit in Liu, despite Liu’s argument that other Dodd-Frank provisions applied extraterritorially and SEC regulations interpreting the whistleblower provisions at least suggested that the bounty provisions applied extraterritorially, disagreed. The court concluded that it need not defer to the SEC’s interpretation of who can be a whistleblower because it believed that Section 21F was not ambiguous.  It also concluded that the anti-retaliation provisions would be more burdensome if applied outside the country than the bounty provisions, so it did not feel the need to construe the two different aspects of the whistleblower provisions identically.  And finally, the SEC, in its amicus brief, did not address either the extraterritorial reach of the provisions or Morrison, so the Second Circuit apparently felt no need to defer to the agency’s view on extraterritoriality.

Liu involved facts that occurred entirely extraterritorially. He was a foreign worker employed abroad by a foreign corporation, where the alleged wrongdoing, the alleged disclosures, and the alleged discrimination all occurred abroad. Whether adding some domestic connection changes this result remains for future courts to consider.

The SEC’s Use Of The Anti-Retaliation Provision In An Enforcement Action

In June, the SEC filed, and settled, its first Dodd-Frank anti-retaliation enforcement action. The Commission filed an action against Paradigm Capital Management, Inc., and its principal Candace Weir, asserting that they retaliated against a Paradigm employee who reported certain principal transactions, prohibited under the Investment Advisers Act, to the SEC. Notably, that alleged retaliation did not include terminating the whistleblower’s employment or diminishing his compensation; it did, however, include removing him as the firm’s head trader, reconfiguring his job responsibilities and stripping him of supervisory responsibility. Without admitting or denying the SEC’s allegations, both respondents agreed to cease and desist from committing any future Exchange Act violations, retain an independent compliance consultant, and pay $2.2 million in fines and penalties.  This matter marks the first time the Commission has asserted Dodd-Frank’s whistleblower provisions in an enforcement action, rather than a private party doing so in civil litigation.

The SEC Announces Several Interesting Dodd-Frank Bounties

Under Dodd-Frank, whistleblowers who provide the SEC with “high-quality,” “original” information that leads to an enforcement action netting over $1 million in sanctions can receive an award of 10-30 percent of the amount collected. The SEC recently awarded bounties to whistleblowers in circumstances suggesting the agency wants to encourage a broad range of whistleblowers with credible, inside information.

In July, the agency awarded more than $400,000 to a whistleblower who appears not to have provided his information to the SEC voluntarily.  Instead, the whistleblower had attempted to encourage his employer to correct various compliance issues internally. Those efforts apparently resulted in a third-party apprising an SRO of the employer’s issues and the whistleblower’s efforts to correct them. The SEC’s subsequent follow-up on the SRO’s inquiry resulted in the enforcement action. Even though the “whistleblower” did not initiate communication with the SEC about these compliance issues, for his efforts, the agency nonetheless awarded him a bounty.

Then, just recently, the SEC announced its first whistleblower award to a company employee who performed audit and compliance functions. The agency awarded the compliance staffer more than $300,000 after the employee first reported wrongdoing internally, and then, when the company failed to take remedial action after 120 days, reported the activity to the SEC. Compliance personnel, unlike most employees, generally have a waiting period before they can report out, unless they have a reasonable basis to believe investors or the company have a substantial risk of harm.

With a statute as sprawling as Dodd-Frank, and potentially significant bounty awards at stake, opinions interpreting Dodd-Frank’s whistleblower provisions are bound to proliferate. Check back soon for further developments.


Google, the House of Lords and the timing of the EU Data Protection Regulation

Mintz Levin Law Firm

(LONDON) Could the European Court of Justice’s May 13, 2014 Google Spain decision delay the adoption of the EU Data Protection Regulation?

In the Google Spain “Right to be Forgotten” case, the ECJ held that Google must remove links to a newspaper article containing properly published information about a Spanish individual on the basis that the information is no longer relevant.  The Google Spain decision has given a much sharper focus to the discussion about the Right to be Forgotten that may soon be adopted as part of the new Data Protection Regulation that is expected to be passed sometime in 2015.  With the advent of the Google Spain decision, an issue that was on the sideline for most businesses – and which was expected by some to be quietly dropped from the draft Data Protection Regulation – has become a hot political issue.  The Right to be Forgotten as interpreted by the ECJ has garnered international attention, deepened the UK/continental EU divide, and ultimately could delay the adoption of a final form of the Data Protection Regulation.

The Google Spain case has been controversial for various reasons.  The decision takes an expansive approach to the long-arm reach of EU data protection law.  It holds search engine providers liable to comply with removal requests even when the information in the search results is true, was originally published legally and can continue to be made available by the original website.  The decision makes the search engine provider the initial arbiter of whether the individual’s right to have his or her information removed from publically available search results is outweighed by the public’s interest in access to that information.   (For a pithy analysis of the “public record” aspects of the case, see John Gapper’s “Google should not erase the web’s memory” published in the Financial Times.)

Google started implementing the ruling almost immediately, but only with respect to search results obtained through the use of its country-specific versions of its search engine, such as www.google.es or www.google.co.uk.  The EU-specific search engine results notify users when some results have been omitted due to the EU’s Right to be Forgotten.  (See the Telegraph’s ongoing list of the stories it has published that have been deleted from Google.co.uk’s search results to get a flavor of the sort of search results that have been deleted.)  However, the “generic” version of Google (www.google.com), which is also the default version for users in the US, does not omit the banned results.

Google has been engaged in an ongoing dialogue with EU data protection authorities regarding Google’s implementation of the Google Spain ruling.  According to some media reports, EU officials have complained that Google is implementing the ruling too broadly, allegedly to make a political point, while other commentators have noted that the ruling gives Google very few reference points for performing the balancing of rights that is required by the ruling.  Perhaps more interestingly, some EU officials want Google to apply the Right to be Forgotten globally (including for google.com results) and without noting that any search results have been omitted (to prevent any negative inferences being drawn by the public based on notice that something has been deleted).  If the EU prevails with regard to removing personal data globally and without notice that the search results contain omissions, critics who are concerned about distortions of the public record and censorship at the regional level will have an even stronger case.   Of course, if truly global censorship becomes legally required by the EU, it seems likely that non-EU governments and organizations will enter the dialogue with a bit more energy – but even more vigorous international debate does not guarantee that the EU would be persuaded to change its views.

The ongoing public debate about the potentially global reach of the Right to be Forgotten is significant enough that it could potentially delay agreement on the final wording of the Data Protection Regulation.  Recently, an important committee of the UK’s House of Lords issued a report deeply critical of the Google Spain decision and the Right to be Forgotten as enshrined in the draft Data Protection Regulation. Additionally, the UK’s Minister of Justice, Simon Hughes, has stated publicly that the UK will seek to have the Right to be Forgotten removed from the draft Data Protection Regulation.  The impact of the UK’s stance (and the efforts of other Right to be Forgotten critics) on the timing of the adoption of the Regulation remains to be seen.  In the meantime, search companies will continue to grapple with compliance with the Google Spain decision.  Other companies that deal with EU personal data should tune in as the EU Parliament’s next session gets underway and we move inevitably closer to a final Data Protection Regulation.


European Commission Discusses Big Data

Morgan Lewis

The European Commission (the Commission) recently issued a press release recognizing the potential of data collection and exploitation (or “big data”) and urging governments to embrace the positive aspects of big data.

The Commission summarized four main problems that have been identified in public consultations on big data:

  • Lack of cross-border coordination
  • Insufficient infrastructure and funding opportunities
  • A shortage of data experts and related skills
  • A fragmented and overly complex legal environment

To address these issues, the Commission proposed the following:

  • A public-private partnership to fund big data initiatives
  • An open big data incubator program
  • New rules on data ownership and liability for data provision
  • Mapping of data standards
  • A series of educational programs to increase the number of skilled data workers
  • A network of data processing facilities in different member states

The Commission stated that, in order to help EU citizens and businesses more quickly reap the full potential of data, it will work with the European Parliament and the European Council to successfully complete the reform of the EU’s data protection rules. The Commission will also work toward the final adoption of the directive on network and information security to ensure the high level of trust that is fundamental for a thriving data-driven economy.

HEARTBLEED: A Lawyer’s Perspective on the Biggest Programming Error in History

Jackson Lewis

By now you have probably heard about Heartbleed, which is the biggest security threat to the Internet that we have ever seen. The bottom line of Heartbleed is that for the past two years most web sites claiming to be secure, shown by the HTTPS address (the S added to the end of the usual HTTP address was intended to indicate a web site secured by encryption), have not been secure at all. Information on those web sites could easily have been bled out by any semi-skilled hacker who discovered the defect. That includes your user names and passwords, maybe even your credit card and bank account information.

For this reason every security expert that I follow, or have talked to about this threat, advises everyone to change ALL of their online passwords. No one knows who might have acquired this information in the past two years. Unfortunately, the nature of this software defect made it possible to steal data in an untraceable manner. Although most web sites have upgraded their software by now, they were exposed for two years. The only safe thing to do is assume your personal information has been compromised.

Change All of Your Passwords

After you go out and change all of your passwords – YES – DO IT NOW – please come back and I will share some information on Heartbleed that you may not find anywhere else. I will share a quick overview of a lawyer’s perspective on a disaster like this and what I think we should do about it.

Rules of the Internet

One of the things e-discovery lawyers like me are very interested in, and concerned about, is data security. Heartbleed is the biggest threat anyone has ever seen to our collective online security, so I have made a point of trying to learn everything I could about it. My research is ongoing, but I have already published a detailed report on my personal blog. I have also been pondering policy changes, and changes in the laws governing the Internet that should be made to avoid this kind of breach in the future.

I have been thinking about laws and the Internet since the early 1990s. As I said then, the Internet is not a no-man’s-land of irresponsibility. It has laws and is subject to laws, not only laws of countries, but of multiple independent non-profit groups such as ICANN. I first pointed this out as a young lawyer in my 1996 book for MacMillan, Your Cyber Rights and Responsibilities: The Law of the Internet, Chapter 3 of Que’s Special Edition Using the Internet. Anyone who commits crimes on the Internet must and will be prosecuted, no matter where their bodies are located. The same goes for negligent actors, be they human, corporate, or robot. I fully expect that several law suits will be filed as a result of Heartbleed. Time will tell if any of them succeed. Many of the facts are still unknown.

One Small Group Is to Blame for Heartbleed

The surprising thing I learned in researching Heartbleed is that this huge data breach was caused by a small mistake in software programming by a small unincorporated association called OpenSSL. This is the group that maintains the open-source library that roughly two-thirds of the world's web servers rely upon for encryption, in other words, to protect the traffic between web sites and their users. It is free software, and the people who write the code are unpaid volunteers.

According to the Washington Post, OpenSSL‘s headquarters — to the extent one exists at all — is the home of the group’s only employee, a part timer at that, located on Sugarloaf Mountain, Maryland. He lives and works amid racks of servers and an industrial-grade Internet connection. Craig Timberg, Heartbleed bug puts the chaotic nature of the Internet under the magnifying glass (Washington Post, 4/9/14).

The mistake that caused Heartbleed was made by a lone student in Münster, Germany. He submitted an addition to the code that implemented the TLS Heartbeat extension (RFC 6520), alongside fixes for prior mistakes he had found. His addition contained what he later described as a trivial error: the code trusted the payload length a peer claimed for its heartbeat message instead of checking it against the number of bytes that had actually arrived, so a peer could ask a server to echo back up to 64 KB of whatever happened to sit next to the request in memory. Trivial or not, this is the biggest software coding error of all time based upon impact. What makes the whole thing suspicious is that he made this submission at one minute before midnight on New Year's Eve 2011.

Once OpenSSL received the code, it was reviewed before being added to the next version of the software. Here we learn another surprising fact: it was reviewed by only one person, who also missed the simple error. The revised code, hidden defect and all, was then released onto an unsuspecting world. No one detected it until March 2014, when paid security employees at Google finally noticed the blunder. So much for the basic crowdsourcing rationale behind the open-source software movement.
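The defect described above, shown as an added C example that is not OpenSSL's code and not part of the original article: a simplified heartbeat responder modelled on the RFC 6520 message layout, first without and then with the length check that the OpenSSL 1.0.1g fix introduced. The buffer layout, the "ping" request, the 200-byte claimed length and the session-cookie string placed nearby are all constructed for the demonstration; the function and constant names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the Heartbleed defect (CVE-2014-0160); this is a
 * simplified model, not OpenSSL's code. A TLS heartbeat (RFC 6520) is
 *   type(1) | payload_length(2, big-endian) | payload | padding(>=16)
 * and arrives inside a record whose true length the record layer knows.
 * The bug: the responder trusted payload_length instead of checking it
 * against the bytes that actually arrived. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3
#define HB_PADDING  16

static uint16_t hb_claimed_len(const uint8_t *rec) {
    return (uint16_t)(((uint16_t)rec[1] << 8) | rec[2]);
}

/* Write response header + payload + padding; returns bytes written. */
static int hb_emit(uint8_t *out, const uint8_t *payload, uint16_t len) {
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(len >> 8);
    out[2] = (uint8_t)(len & 0xff);
    memcpy(out + HB_HEADER, payload, len);
    memset(out + HB_HEADER + len, 0, HB_PADDING); /* real code uses random padding */
    return HB_HEADER + len + HB_PADDING;
}

/* Pre-fix: copies whatever length the peer claims, reading past the request
 * into neighbouring memory. The out_cap test only protects this demo's own
 * buffer; rec_len, the length that really arrived, is never consulted. */
int hb_respond_vulnerable(const uint8_t *rec, size_t rec_len,
                          uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HEADER || rec[0] != HB_REQUEST) return -1;
    uint16_t len = hb_claimed_len(rec);
    if ((size_t)HB_HEADER + len + HB_PADDING > out_cap) return -1;
    return hb_emit(out, rec + HB_HEADER, len);
}

/* Post-fix: the claimed length must fit inside the record that actually
 * arrived, the check OpenSSL 1.0.1g added. */
int hb_respond_fixed(const uint8_t *rec, size_t rec_len,
                     uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HEADER || rec[0] != HB_REQUEST) return -1;
    uint16_t len = hb_claimed_len(rec);
    if ((size_t)HB_HEADER + len + HB_PADDING > rec_len) return -1; /* the missing check */
    if ((size_t)HB_HEADER + len + HB_PADDING > out_cap) return -1;
    return hb_emit(out, rec + HB_HEADER, len);
}

/* Constructed demo memory: the request sits at the front of a buffer that
 * also holds an unrelated string further along, standing in for whatever
 * happened to be next to the request in the process heap. */
#define ARENA_SIZE 256
static const char SECRET[] = "session=4f3c2a9e"; /* constructed value */

/* Build a request whose real payload is "ping" (4 bytes) but which claims
 * `claimed` bytes; returns the number of bytes that really arrived. */
static size_t build_request(uint8_t *arena, uint16_t claimed) {
    memset(arena, 0, ARENA_SIZE);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed >> 8);
    arena[2] = (uint8_t)(claimed & 0xff);
    memcpy(arena + HB_HEADER, "ping", 4);
    memcpy(arena + 64, SECRET, sizeof SECRET);
    return HB_HEADER + 4 + HB_PADDING;
}

static int contains(const uint8_t *buf, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* 1 if the pre-fix handler echoes the neighbouring secret back to the peer. */
int vulnerable_leaks_secret(void) {
    uint8_t arena[ARENA_SIZE], out[ARENA_SIZE];
    size_t rec_len = build_request(arena, 200); /* claims 200, sends 4 */
    int n = hb_respond_vulnerable(arena, rec_len, out, sizeof out);
    return n > 0 && contains(out, (size_t)n, SECRET);
}

/* 1 if the fixed handler rejects the bogus request yet serves an honest one. */
int fixed_handler_is_safe(void) {
    uint8_t arena[ARENA_SIZE], out[ARENA_SIZE];
    size_t rec_len = build_request(arena, 200);
    if (hb_respond_fixed(arena, rec_len, out, sizeof out) != -1) return 0;
    rec_len = build_request(arena, 4); /* honest: claims 4, sends 4 */
    int n = hb_respond_fixed(arena, rec_len, out, sizeof out);
    return n == HB_HEADER + 4 + HB_PADDING && memcmp(out + HB_HEADER, "ping", 4) == 0;
}

int main(void) {
    printf("pre-fix handler leaks neighbouring data: %s\n", vulnerable_leaks_secret() ? "yes" : "no");
    printf("fixed handler rejects it and serves honest requests: %s\n", fixed_handler_is_safe() ? "yes" : "no");
    return 0;
}
```

Compile with any C99 compiler and run. The pre-fix handler copies the 200 bytes the peer asked for even though only 23 arrived, so the string placed further along the buffer comes back in the response; the fixed handler refuses that request and still answers an honest one. In the real bug the over-read reached up to 64 KB of adjacent heap memory per request, which could hold private keys, session cookies and user passwords, and nothing in the server's logs recorded it. That is why the advice above to assume exposure is sound.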

Conclusion

Making the security of the Internet depend on a single open-source group, OpenSSL, a group with only four core members, is too high a risk in today's world. It may have made sense back in the early nineties when the open Internet first started, but not now. Heartbleed proves this. This is why I have called upon leaders of the Internet, including open source advocates, privacy experts, academics, governments, political leaders and lawyers, to meet to consider various solutions to tighten the security of the Internet. We cannot continue business as usual when it comes to Internet data security.


Target Becomes a Target: Proposed California Bill Aims to Make Retailers Liable for Data Breach Incidents

Mintz Levin

Following a string of high-profile data breaches and new data suggesting that approximately 21.3 million customer accounts have been exposed by data breach incidents over the past two years, the California legislature has introduced legislation aimed at making retailers responsible for certain costs in connection with data breach incidents.  If passed in its current form, Assembly Bill 1710, titled the Consumer Data Breach Protection Act, would have a substantial impact on retailers operating in California.

Among the major changes proposed in the bill:

  • Stricter Notification Requirements.  The proposed bill would create stricter time frames and specific requirements for notification of affected consumers following a data breach incident.  In addition to the current requirement to notify consumers individually in the most expedient time possible, a retailer affected by a data breach would be required, within 15 days of the breach incident, to provide email notification to affected individuals, post a general notice on the retailer's web page and notify statewide media.
  • Retailer Liability for Costs Associated with Data Breach Incidents.  A.B. 1710 would amend California’s Civil Code to make retailers liable for reimbursement of expenses incurred in providing the notices described above, as well as the cost of replacing payment cards of affected individuals.
  • Mandatory Provision of Credit Monitoring Services.  If the person or business required to provide notification under the Civil Code is the source of the breach incident, A.B. 1710 will require that person or business to offer to provide identity theft prevention and mitigation services at no cost to affected consumers for not less than 24 months.
  • Prohibitions Against Storing Payment-Related Data.  Under a new section to be added to the Civil Code, persons or businesses who sell goods or services and accept credit or debit card payments would be prohibited from storing payment-related data unless that person or business stores and retains the data in accordance with a payment data retention and disposal policy that limits retention of the data to only the amount of time required for business, legal and regulatory purposes.  In addition, A.B. 1710 imposes further restrictions on the retention and storage of certain sensitive authentication information, such as social security numbers, driver's license numbers and PINs.
  • Authorization of Civil Penalties.  As amended by A.B. 1710, the Civil Code would authorize a prosecutor to bring an action in response to a data breach incident to recover civil penalties of up to $500 per violation, or up to $3,000 for a willful or reckless violation.

Historically, measures like A.B. 1710 have faced a difficult road.  Similar bills passed by the California legislature were vetoed twice by Governor Schwarzenegger, and the proposal of A.B. 1710 has already caused the California Retailers Association to speak out against the bill.  However, there may be a critical difference in the current climate, because consumer awareness of the danger and reality of breach incidents has never been higher and, as shown by the recent Harris Poll, consumers overwhelmingly believe that merchants are to blame.


California Proposes Enhanced Prop. 65 Warnings and Possible Online Disclosures – Dietary Supplements and Foods Specially Targeted

GT Law

The California Office of Environmental Health Hazard Assessment (OEHHA) announced on March 7, 2014, that it is considering implementation of the most significant changes to Prop. 65 regulations in more than two decades.  OEHHA has posted the draft regulation and Initial Statement of Reasons on its website.

Passed by voters in 1986, Prop. 65 requires warnings prior to exposures to chemicals listed by OEHHA as “known to the State” to cause cancer or reproductive harm.  The law, which carries the potential penalty of $2,500 for each violation, may be and routinely is enforced by entrepreneurial private plaintiffs who are permitted to bring legal actions against alleged violators with minimal evidence.  OEHHA’s proposed regulations will affect almost every industry subject to Prop. 65 and nearly every aspect of compliance.  In all but a few cases, OEHHA’s changes have the capacity to make compliance with Prop. 65 costlier, riskier, and more disruptive to companies doing business in California.

Four Important Provisions Affecting Food and Dietary Supplements

In its far-reaching proposal, OEHHA aims a number of significant changes directly at food and dietary supplement manufacturers, distributors, and retailers.  Four specific proposals stand out as impactful for the industry:

  1. Chemical Identification: Under OEHHA’s proposal, warning labels would have to specifically identify the chemical in question if it is on a proposed list of 12 “common” substances.  One substance on OEHHA’s list, lead, is sometimes naturally occurring in the ingredients used to produce dietary supplements and has been the source of considerable litigation and expense for the industry.  In OEHHA’s draft regulation, products requiring a warning for lead would have to “conspicuously” state its presence in the product.
  2. Display Requirements: For foods not already subject to a consent judgment, the “safe-harbor” warning language must also be enhanced with specific information about the chemical in question, specific text sizing, and the phrase “Cancer [and/or] Reproductive Hazard.” Even where a food supplier has data showing that the chemical poses no actual health threat, a private plaintiff may still litigate knowing that the costly burden of showing no significant risk is borne by defendants.  Unless modified or declared preempted by federal law, OEHHA’s regulation would virtually ensure that this language will be required for food and supplement packaging in California.
  3. Online Reporting: OEHHA would also mandate reporting of exposure data to the agency for its website if a new Prop. 65 warning does not contain 10 details specified by OEHHA.  The details include, among others, the name of the chemical at issue, anticipated exposure routes, exposure levels, and options for minimizing exposure.  Businesses that fail to provide the required detail, no matter how misleading it might be to the consumer, must disclose the additional information to OEHHA and will likely see such data published online.
  4. More Litigation: Despite statements from the agency to the contrary, OEHHA’s complex rules would encourage even more litigation from an already active community of plaintiffs.  OEHHA’s draft litigation reform, a “cure” or fix-it period for retailers with fewer than 25 employees, would do little to stem the current tide of lawsuits, the vast majority of which are ultimately directed at and defended by suppliers.  Additionally, by replacing the generic safe-harbor warning with specific requirements, a regulatory safe-harbor warning would no longer provide a safe harbor from liability or deter plaintiffs from alleging violations for exposures to unspecified or newly listed chemicals.

What You Can Do

Businesses which stand to be affected by OEHHA’s plans, including those operated out of state, have an opportunity to voice their concerns to the agency.

OEHHA will hold a public workshop on April 14, 2014 to discuss the proposed regulations.  In addition, OEHHA is accepting written comments from the public until May 14, 2014.  Unless OEHHA is convinced to delay or withdraw its plans, formal regulations will likely be proposed in the summer of 2014.

Because OEHHA's proposals are currently in the preliminary stages, interested parties have a time-critical opportunity to engage the agency and encourage it to address specific concerns.  Companies that manufacture, distribute, or retail dietary supplements in California should consider retaining experienced counsel to analyze the impact of the proposals on their business and to participate in the public comment period on their behalf.  Given the potentially far-reaching consequences of the proposed changes on the individual companies and the industry at large, interested parties should be diligent in bringing their concerns to OEHHA as early and as persuasively as possible.


California Announces Initial Draft Priority Products Under California Safer Consumer Products Regulations

Beveridge & Diamond

On March 13, 2014, the California Department of Toxic Substances Control (“DTSC”) announced the first set of draft priority products that, if finalized, will be subject to the requirements of the California Safer Consumer Products (“SCP”) Regulations.

Notably, while DTSC had legal authority to identify up to five products, it chose to identify only three draft priority products at this time. The three products are:

  1. Children's Foam Padded Sleeping Products containing the flame-retardant chemical, Tris (1,3-dichloro-2-propyl phosphate) or ("TDCCP"). Such products include nap mats and cots, travel beds, bassinet foam, portable crib mattresses, play pens, and other children's sleeping products. In its press release announcing the draft priority products, DTSC asserted that TDCCP is a known carcinogen, is released from products into air and dust where it can be absorbed, inhaled, or transferred from hand to mouth, and has been found in California waters and sediments. DTSC also noted that there is no legal requirement applicable to these products that would require them to be made with flame retardants.
  2. Spray Polyurethane Foam ("SPF") Products containing Unreacted Diisocyanates. SPF products are used for home and building insulation, weatherizing and sealing, and roofing. DTSC asserted in its press release that exposure to wet or "uncured" SPF materials can contribute to occupational asthma and noted that unreacted diisocyanates are a "suspected" carcinogen. DTSC expressed its concern for populations using these products that are not protected by Occupational Safety & Health Administration regulations, such as independent contractors and people performing their own home repairs. In its press release, DTSC noted that currently there are no alternatives to unreacted diisocyanates for spray-foam applications.
  3. Paint and Varnish Strippers containing Methylene Chloride. Methylene chloride is a well-known and widely used solvent in paint strippers. According to DTSC, when metabolized, methylene chloride converts to carbon monoxide, which is acutely toxic to the brain and nervous system. DTSC claimed that alternative products without methylene chloride are readily available.

In announcing the “draft list” of proposed priority products, DTSC emphasized that the naming of these products does not constitute a ban on the products, but rather the initiation of process to examine whether the chemicals of concern used in these products are “necessary” or may be replaced with safer alternatives. To put the draft priority products announcement in context, this announcement begins the second of four steps established by California’s SCP Regulations for identifying, prioritizing, and evaluating the use of chemicals and their alternatives in consumer products. The four steps include:

  1. Identification of Candidate Chemicals. The final SCP Regulations promulgated by DTSC include an initial list of candidate chemicals (~1,200), which DTSC later pared down to an informational “initial” list of fewer than 200 candidate chemicals that exhibit a hazard trait and/or environmental or toxicological endpoint.
  2. Identification of Priority Products. The SCP Regulations require DTSC to evaluate and prioritize product/candidate chemical combinations and to develop a list of priority products for which alternatives analyses must be conducted. Once a candidate chemical is the basis for a priority product listing, it is considered a chemical of concern. March 13’s announcement identifies the first product/candidate chemical combinations that DTSC is proposing to subject to the procedural process outlined in the SCP Regulations.
  3. Alternatives Analysis. Responsible entities of a product listed as a priority product must perform an alternatives analysis to determine how best to limit exposures to, or the level of adverse public health and environmental impacts posed by, the chemicals of concern in the product.
  4. DTSC Regulatory Response. The SCP Regulations provide a range of potential regulatory responses that DTSC may require after review of the alternatives analysis. These include provision of information for consumers (such as safe handling or instructions to limit exposure), restrictions on the use of chemicals of concern in the products, sales prohibition, engineered safety measures, and end-of-life management requirements. DTSC may require regulatory responses for a priority product (if the responsible entity decides to continue producing and distributing the priority product to the California market), or for an alternative product selected to replace the priority product.

Applicability

The SCP regulatory requirements apply to businesses ("responsible entities") that manufacture, import, distribute, sell or assemble consumer products[1] identified by DTSC as priority products that are placed into the stream of commerce in California. Responsible entities are defined to include manufacturers, importers, retailers and assemblers. The SCP Regulations assign the principal duty to comply with the requirements to manufacturers. If a manufacturer does not comply with its obligations with regard to a priority product, DTSC may notify an importer, retailer or assembler of its duty to meet the requirements with respect to the priority product. Even if not called on to conduct an alternatives analysis, importers, assemblers and/or retailers of priority products may be impacted by regulatory responses selected by DTSC after the manufacturer's completion of the alternatives analysis (e.g., if DTSC imposes a sales prohibition or requires additional information to be provided to the consumer at the point of sale).

Requirements for Responsible Entities

Once the draft priority products are formally proposed and finalized through a public rulemaking process (which may take up to one year), responsible entities will be required to:

  • Within 60 days after finalization of the final priority products list, notify DTSC that the responsible entity makes or sells a priority product (DTSC will post information obtained from notifications, including the names of the responsible entities as well as the product names, on its web site);
  • Within 180 days after finalization of the final priority products list, prepare a Preliminary Alternatives Analysis[2] to determine how best to limit exposures to, or the level of adverse public health and environmental impacts posed by, the chemicals of concern in the product; and
  • Within one year after DTSC issues a Notice of Compliance for the Preliminary Alternatives Analysis, prepare a Final Alternatives Analysis.

Next Steps

Those that manufacture, sell, use, or otherwise have an interest in the draft priority products may wish to submit comments to DTSC as part of the priority product listing process. DTSC will follow a formal rulemaking process to finalize the draft priority products, which will take up to a year after the products are formally proposed. DTSC plans to hold several workshops in May and June of 2014 before publishing the notice of proposed rulemaking and opening the public comment period. Stakeholders will then have the opportunity to weigh in on whether, and how, the proposed priority products will be regulated by DTSC.

If your products were not among the three proposed priority products, stay tuned: By October 1, 2014, DTSC is required to issue a Priority Product Work Plan that identifies and describes the product categories that DTSC will evaluate to select priority products for the three years following the issuance of the Work Plan (roughly from 2015 to 2017). DTSC intends the Work Plan to serve as a signal to consumers and the regulated community as to the categories of products it will examine next.

Once DTSC finalizes the initial priority product listings (anticipated late summer or early fall of 2015), responsible entities will be required to meet a series of deadlines for notification and submission of alternatives analysis reports outlined above. Manufacturers of draft priority products should engage their supply chain partners to evaluate options prior to finalization of the priority product listings. Note that manufacturers that choose to reformulate products prior to finalization of the priority product listing will not be subject to the DTSC notification or alternatives analysis requirements.


[1] “Consumer product” is defined for purposes of the California Safer Consumer Products regulations to mean “a product or part of the product that is used, brought, or leased for use by a person for any purposes.” Cal. Health & Safety Code § 25251(e). Certain limited products, such as dental restorative material or its packaging, prescription drugs or devices and their packaging, medical devices and their packaging, food, and federally registered pesticides, and mercury containing lights are excluded from the definition of consumer product.

[2] DTSC is currently developing an alternatives analysis guidance document to assist responsible entities in carrying out their obligations under the SCP Regulations. As of March 13, 2014, the guidance is still in development. DTSC anticipates that it will be released sometime before the first set of priority products is finalized.
