Zappos and Its Effect on "Browsewrap" Agreements

Lewis & Roca

Key Takeaways For An Enforceable Terms of Use Agreement

In light of the recent Nevada federal district court decision In re Zappos.com, Inc., Customer Data Security Breach Litigation, MDL No. 2357, 2012 WL 4466660 (D. Nev. Sept. 27, 2012), companies should review and update their implementation of browsewrap agreements to ensure users are bound by their terms.

A browsewrap agreement is an online Terms of Use agreement that purports to bind a web user merely by his continued browsing of the site, even when he is not aware of it. Any somewhat experienced web user is no stranger to the Terms of Use link that leads to the browsewrap agreement. Yet users tend to ignore the link’s existence and rarely think of it as a “contract” with any practical effect. In Zappos, the court questioned the browsewrap agreement’s validity precisely because of this tendency among web users. The court ruled that the arbitration clause in Zappos’ browsewrap Terms of Use was unenforceable because the users did not agree to it and because Zappos reserved the right to modify the terms at any time.

Background of the Case

Founded in 1999, Zappos.com is a subsidiary of Amazon.com and one of the nation’s biggest online retailers for footwear and apparel. Currently headquartered in Henderson, Nevada, the company has more than 24 million customer accounts. In mid-January 2012, its computer system experienced a security breach in which hackers attempted to access the company’s customer accounts and personal information.

After Zappos notified its customers about the incident, customers from across the country filed lawsuits against Zappos, seeking relief for damages arising from the breach. The cases were transferred to and consolidated in Nevada. Zappos then sought to enforce the arbitration clause contained in its Terms of Use, which would stay the litigation in federal court and compel arbitration. The court denied Zappos’ motion on two grounds: there was no valid agreement to arbitrate due to the lack of assent by the plaintiffs, and the contract was unenforceable because it reserved to Zappos the right to modify the terms at any time without notice to its users.

Lessons Learned from the Browsewrap

Mutual Assent Must Be Clear 

Arbitration provisions are a matter of contract law, and the traditional elements of a contract must be met even though Zappos’ Terms of Use was presented in electronic, browsewrap form on the website. An essential element of contract formation is mutual assent by the parties to the contract, which the court found was missing in this case as there was no evidence of the plaintiffs’ assent.

The court compared the browsewrap agreement with another popular form of online terms of use agreement, the “clickwrap” agreement. Clickwrap agreements require users to take affirmative actions, such as clicking on an “I Accept” button, to expressly manifest their assent to the terms and conditions.

Since Zappos’ browsewrap agreement did not require its users to take similar affirmative action to show their assent to the terms and conditions, there was no direct evidence showing that the plaintiffs consented to or even had actual knowledge of the agreement, including the arbitration clause.

Link It Front and Center 

Furthermore, the court found Zappos’ Terms of Use hyperlink was inconspicuous and thus did not provide reasonable notice to its users. The link (a) was “buried” in the middle or bottom of each page and became visible only when a user scrolled down, (b) appeared “in the same size, font, and color as most other non-significant links,” and (c) was never pointed out, because the website did not “direct a user to the Terms of Use when creating an account, logging in to an existing account, or making a purchase.” The court concluded that under ordinary circumstances, users would have no reason to click on the link.

Unilateral Right to Modify or Terminate Won’t Work

Another problem with Zappos’ browsewrap agreement was that it was illusory and thus unenforceable. In the agreement, the company “retain[ed] the unilateral, unrestricted right to terminate the arbitration agreement” and had “no obligation to receive consent from, or even notify, the other parties to the contract.” Users would unsuspectingly agree to the changes by continuing to use the site. Under this provision, Zappos could seek to enforce the arbitration clause, as it did here, or avoid it by modifying the clause without notice to its users whenever arbitration was no longer in its interest. In either circumstance, the users would still be bound by the agreement.

Implications for Companies

As a result of this decision, companies should carefully reassess the display and content of the online terms of use they adopt to ensure their enforceability. In a narrow sense, the decision means an arbitration clause in a browsewrap agreement similar to Zappos’ may be deemed unenforceable. More broadly, this decision threatens the validity and enforceability of other terms and conditions contained in a browsewrap agreement, which may deprive the company of the agreement’s protection and favorable terms.

Clickwrap agreements seem to provide the solution to Zappos’ problem. The court suggested a clickwrap agreement could obtain a user’s assent to the terms and conditions. A company may implement the clickwrap agreement through account registration or purchase check-out, tailored to the nature of the company’s business and user interaction. The system may require a user to click “I Accept” to secure the user’s assent to be bound by the agreement before he can proceed further on the website.

On the other hand, the court did not conclude that browsewrap agreements are never enforceable. Other courts have held that browsewrap agreements are generally enforceable. Enforceability largely depends on how the company presents the link and terms to the users such that the users would have reasonable notice of the information. Accordingly, a browsewrap agreement may be enforceable if the hyperlink is conspicuously located and displayed.

In addition, companies should communicate and secure a user’s assent to any modification when the user has previously accepted the terms and conditions. The user may consent through another clickwrap agreement showing the modified terms. With a browsewrap agreement, notice of the changes should, at the minimum, be conspicuously displayed on the webpage.
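One way to keep evidence of clickwrap assent that is tied to the exact version of the terms the user saw, so that any later modification forces re-acceptance rather than silently binding the user, as an added Python example that is not part of the original article (the ledger, its record fields and the sample terms text are assumptions, not anything from the Zappos case):

```python
"""Record affirmative assent to a specific version of the Terms of Use."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


def terms_version(terms_text: str) -> str:
    """Derive a version id from the exact text, so any edit yields a new version."""
    return hashlib.sha256(terms_text.encode("utf-8")).hexdigest()[:16]


@dataclass(frozen=True)
class AssentRecord:
    user_id: str
    version: str          # hash of the terms the user actually saw
    accepted_at: str      # ISO-8601 UTC timestamp of the affirmative act
    action: str           # the affirmative act, e.g. "clicked_i_accept"


class ConsentLedger:
    """Append-only log of clickwrap acceptances keyed by terms version (assumed design)."""

    def __init__(self) -> None:
        self._records: List[AssentRecord] = []

    def record_acceptance(self, user_id: str, terms_text: str,
                          action: str = "clicked_i_accept",
                          when: Optional[datetime] = None) -> AssentRecord:
        """Store the user's affirmative act against the version they were shown."""
        ts = (when or datetime.now(timezone.utc)).isoformat()
        rec = AssentRecord(user_id, terms_version(terms_text), ts, action)
        self._records.append(rec)
        return rec

    def has_assented(self, user_id: str, terms_text: str) -> bool:
        """True only if the user affirmatively accepted this exact version.

        Mere browsing never writes a record, so it never satisfies this check.
        """
        current = terms_version(terms_text)
        return any(r.user_id == user_id and r.version == current
                   for r in self._records)

    def require_assent(self, user_id: str, terms_text: str) -> None:
        """Gate to call at account registration or checkout."""
        if not self.has_assented(user_id, terms_text):
            raise PermissionError("current Terms of Use not yet accepted")

    def history(self, user_id: str) -> List[AssentRecord]:
        """All versions this user has accepted, oldest first."""
        return [r for r in self._records if r.user_id == user_id]


# Constructed sample terms; not any real company's Terms of Use.
TERMS_V1 = "Terms of Use v1: disputes are resolved by binding arbitration."
TERMS_V2 = TERMS_V1 + " Updated: the arbitration venue is Las Vegas, Nevada."


def walkthrough() -> dict:
    """Show how a unilateral edit to the terms invalidates earlier assent."""
    ledger = ConsentLedger()
    user = "user-123"
    before = ledger.has_assented(user, TERMS_V1)          # browsing only: False
    ledger.record_acceptance(user, TERMS_V1)              # user clicks "I Accept"
    after_click = ledger.has_assented(user, TERMS_V1)     # True
    after_change = ledger.has_assented(user, TERMS_V2)    # edited terms: False
    ledger.record_acceptance(user, TERMS_V2)              # re-consent to v2
    after_reconsent = ledger.has_assented(user, TERMS_V2)  # True
    return {"before": before, "after_click": after_click,
            "after_change": after_change, "after_reconsent": after_reconsent,
            "versions_accepted": len(ledger.history(user))}


if __name__ == "__main__":
    print(walkthrough())
```

Because the version is a hash of the full text, even a one-word change to the arbitration clause produces a new version that the ledger treats as unaccepted until the user clicks again.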

What This Means 

The Zappos decision reflects a change in the public policy on web activities, and users who do not affirmatively agree to the online Terms of Use may no longer be bound. Consumers are increasingly turning to the web for goods and services. In reaction, courts are beginning to look closer into the transactions and resulting issues that occur online. In this process, courts are testing and requiring new standards for these Terms of Use agreements. Companies should be aware of the courts’ evolving attitude towards the different types of agreements. You are encouraged to seek legal guidance to properly adapt your implementation of Terms of Use agreements. Failure to update your Terms of Use agreements may leave you exposed to unfavorable terms that the Terms of Use is designed to prevent.

Recent Data Breach Reports: And the Hits Keep on Coming….


The “hits” to databases, in any event. Here is a rundown of some of the most recent data breach reports:

Oregon Health & Science University Data Breach Compromises 3,000 Patients’ Records in the Cloud.

Modern Healthcare (subscription may be required) reports that the Oregon Health & Science University announced it is “notifying more than 3,000 of its patients of a breach of their personally identifiable information after their data were placed by OHSU resident physicians on a pair of Google’s cloud-based information-sharing services.” The data breach, which involves “patients’ names, medical record numbers, dates of service, ages, diagnoses and prognoses and their providers’ names” posted to Gmail or Google Drive, was discovered in May by an OHSU faculty member. According to Healthcare IT News, this is OHSU’s “fourth big HIPAA breach since 2009 and third big breach just in the past two years, according to data from the Department of Health and Human Services.”

Citigroup Reports Breach of Personal Data in Unredacted Court Filings; Settles with Justice Department

American Banker reports that Citigroup recently admitted having failed to safeguard the personal data (including birthdates and Social Security numbers) of approximately 146,000 customers who filed for bankruptcy between 2007 and 2011. Citi apparently failed to fully redact court records placed on the Public Access to Court Electronic Records (PACER) system. “The redaction issues primarily resulted from a limitation in the technology Citi had used to redact personally identifiable information in the filings,” Citi said in a statement. “As a result of this limitation in technology, personally identifiable information could be exposed and read if electronic versions of the court records were accessed and downloaded from the courts’ online docket system and if the person downloading the information had the technical knowledge and software to restore the redacted information.”

In a settlement with the Justice Department’s U.S. Trustee Program, Citi has agreed to redact the customer information, notify all affected debtors and third parties, and offer all those affected a year of free credit monitoring.

University of Delaware Reports Cyberattack – 72,000 Records Affected

The University of Delaware is notifying the campus community that it has experienced a cyberattack in which files were taken that included confidential personal information of more than 72,000 current and past employees, including student employees. The confidential personal information includes names, addresses, UD IDs (employee identification numbers) and Social Security numbers.

Stanford University Reports Hack – Investigating Scope

Stanford University has announced that its information technology infrastructure has been breached, “similar to incidents reported in recent months by a range of companies and large organizations in the United States,” according to a Stanford press release. Though the school does not yet “know the scope of the intrusion,” an investigation is underway. “We are not aware of any protected health information, personal financial information or Social Security numbers being compromised, and Stanford does not conduct classified research.”

Japan’s Railway Company Apologizes for Unauthorized “Sharing”

The Wall Street Journal reported yesterday (registration may be required) that Japan’s national railway system has apologized for sharing its passengers’ travel habits and other personal information with a pre-paid fare card system without user consent. East Japan Railway admitted to selling the data to Suica, one of the pre-paid card businesses. The data included card holders’ ID numbers, ages, genders and where and when passengers got on and off the train. A transportation ministry official, however, said they will not investigate the issue for privacy violations because the railway company “told us that it wasn’t personal information, as it didn’t include names and addresses of users.” The Ministry of Internal Affairs and Communications is looking into the issue and has set up a team to research the matter, the report states.


In Largest Known Data Breach Conspiracy, Five Suspects Indicted in New Jersey

DrinkerBiddle

On July 25, 2013, the United States Attorney for the District of New Jersey announced indictments against five men alleging their participation in a global hacking and data breach scheme in which more than 160 million American and foreign credit card numbers were stolen from corporate victims, including retailers, financial institutions, payment processing firms, an airline, and NASDAQ.  The scheme is the largest of its kind ever prosecuted in the United States.

The Second Superseding Indictment alleges the defendants (four Russian nationals and one Ukrainian national) and other uncharged co-conspirators targeted corporate victims’ networks using “SQL [Structured Query Language] Injection Attacks,” meaning the hackers identified vulnerabilities in their victims’ databases and exploited those weaknesses to penetrate the networks.  Once the defendants had access to the networks, they used malware to create “back doors” to allow them continued access, and used their access to install “sniffers,” programs designed to identify, gather and steal data.

Once the defendants obtained the credit card information, they allegedly sold it to resellers all over the world, who in turn sold the information through online forums or directly to individuals and organizations.  The ultimate purchasers encoded the stolen information on blank cards and used those cards to make purchases or withdraw cash from ATMs.

The defendants allegedly used a number of methods to evade detection.  They used web-hosting services provided by one of the defendants, who unlike traditional internet service providers, did not keep records of users’ activities or share information with law enforcement.  The defendants also communicated through private and encrypted communication channels and tried to meet in person.  They also changed the settings on the victims’ networks in order to disable security mechanisms and used malware to circumvent security software.

Four of the defendants are charged with unauthorized access to computers (18 U.S.C. §§ 1030(a)(2)(C) and (c)(2)(B)(i)) and wire fraud (18 U.S.C. § 1343).  All of the defendants are charged with conspiracy to commit these crimes.

Two of the defendants have been arrested, with one in federal custody and the other awaiting an extradition hearing.  The other three defendants, two of whom have been charged in connection with hacking schemes, remain at large.

This conspiracy is noteworthy for its massive scale, and for the patience the hackers demonstrated in siphoning data from the networks.  The U.S. Attorney “conservatively” estimates more than 160 million credit card numbers were compromised in the attacks, and alleges that the hackers had access to many victims’ computer networks for more than a year.  Many prominent retailers were targets, including convenience store giant 7-Eleven, Inc.; multi-national French retailer Carrefour, S.A.; American department store chain JCPenney, Inc.; New England supermarket chain Hannaford Brothers Co.; and apparel retailer Wet Seal, Inc.  Payment processors were also heavily targeted, including one of the world’s largest credit card processing companies, Heartland Payment Systems, Inc., as well as European payment processor Commidea Ltd.; Euronet, Global Payment Systems and Ingenicard US, Inc. The hackers also targeted financial institutions such as Dexia Bank of Belgium, “Bank A” of the United Arab Emirates; the NASDAQ electronic securities exchange; and JetBlue Airways.  Damages are difficult to estimate with precision, but they total several hundred million dollars at least.  Just three of the corporate victims suffered losses totaling more than $300 million.


Survey Says: Fortune 500 Disclosing Cyber Risks


Ever since our 2013 prediction, an ever-increasing number of public companies have been adding disclosure related to cybersecurity and data breach risks to their public filings. We previously analyzed how the nation’s largest banks have begun disclosing their cybersecurity risks. Now, it appears that the rest of the Fortune 500 companies are catching on and including some level of disclosure of their cyber risks in response to the 2011 SEC Guidance.

The recently published Willis Fortune 500 Cyber Disclosure Report, 2013 (the “Report”), analyzes cybersecurity disclosure by Fortune 500 public companies.  The Report found that as of April 2013, 85% of Fortune 500 companies are following the SEC guidance and are providing some level of disclosure regarding cyber exposures.  Interestingly though, only 36% of Fortune 500 companies disclosed that such risk was “material”, “serious” or used a similar term, and only 2% of the companies used a stronger term, such as “critical”.

Following the SEC’s recommendation in its guidance, 95% of the disclosing companies mentioned specific cyber risks that they face. The top three cyber risks identified by those companies that disclosed cyber risks were:

1) Loss or theft of confidential information (65%).

2) Loss of reputation (50%).

3) Direct loss from malicious acts (hackers, viruses, etc.) (48%).

Surprisingly, 15% of Fortune 500 companies indicated that they did not have the resources to protect themselves against critical attacks and only 52% refer to technical solutions that they have in place to defend against cyber risks.

The Report notes that despite the large number of Fortune 500 companies that acknowledge cyber risks in their disclosure, only 6% mentioned that they purchase insurance to cover cyber risks.  This number runs contrary to a survey published by the Chubb Group of Insurance Companies in which Chubb indicates that about 36% of public companies purchase cyber risk insurance.  For whatever reason, it appears that many of the Fortune 500 companies are simply not disclosing that they purchase cyber risk insurance as a means of protecting against cyber risk.

Almost two years after its issuance, the Report findings indicate that the 2011 SEC Guidance is in full swing and making its way into reality.  As more large companies disclose cyber risks in their public filings, this will continue to trickle down to the smaller companies that rely on those filings for precedent and guidance.  The Report provides a clear snapshot of where things stand in cyber risk disclosure by Fortune 500 public companies.  The scope of the Report is expected to expand to include Fortune 1000 companies, and it will be interesting to see how this data changes, if at all, when comprised of a larger pool of public companies.

Stay tuned!


Basic Guidelines for Protecting Company Trade Secrets

Lewis & Roca

Under the Uniform Trade Secrets Act (UTSA), “trade secrets” are generally defined as confidential proprietary information that provides a competitive advantage or economic benefit. Trade secrets are protected under the Economic Espionage Act of 1994 (EEA) at the federal level, and the vast majority of states have enacted statutes modeled after the UTSA (note that some jurisdictions, such as California, Texas and Illinois, have adopted trade secret laws that differ substantially from the UTSA; businesses should therefore research the laws in the relevant jurisdiction(s)). Under the UTSA, to be protectable as a trade secret, information must meet three requirements:

i. the information must fall within the statutory definition of “information” eligible for protection;

ii. the information must derive independent economic value from not being generally known or readily ascertainable by others using appropriate means; and

iii. the information must be the subject of reasonable efforts to maintain its secrecy.

Trade secret theft continues to accelerate among U.S. companies, and can have drastic consequences. To combat this threat, Congress and certain state legislatures have recently enacted legislation to broaden trade secret protection. As a result, it is paramount that companies safeguard all proprietary information that may qualify as protectable trade secrets. This blog post explains some key trade secrets concepts, and offers pointers on how to identify and protect trade secrets.

(1) Determine Which Data Constitutes “Information”

The UTSA-type statutes generally define “information” to include:

Financial, business, scientific, technical, economic, and engineering information;

Computer code, plans, compilations, formulas, designs, prototypes, techniques, processes, or procedures; and

Information that has commercial value, such as customer lists or the results of expensive research.

Courts have similarly interpreted “information” to cover virtually any commercially valuable information. Examples of information that has been found to constitute trade secrets include pricing and marketing techniques, customer and financial information, sources of supplies, manufacturing processes, and product designs.

(2) “Valuable” and “Not Readily Ascertainable” Information

To be protectable, information must also have “economic value” and not be “readily ascertainable” by others. Courts generally determine whether information satisfies this standard by considering the following factors:

Reasonable measures have been put in place to protect the information from disclosure;

The information has actual or potential commercial value to a company;

The information is known by a limited number of people on a need-to-know basis;

The information would be useful to competitors and would require a significant investment to duplicate or acquire the information; and

The information is not generally known to the public.

(3) Take Reasonable Measures to Maintain Secrecy

Businesses should implement technical, administrative, contractual and physical safeguards to keep secret the information sought to be protected. Companies should identify foreseeable threats to the security of confidential information; assess the likelihood of potential harm flowing from such threats; and implement security protocols to address those threats. Examples of security measures include:

Restricting access to confidential information on a need-to-know basis;

Employing computer access restrictions;

Circulating an employee handbook that outlines company policies governing confidential information;

Conducting entrance interviews for new hires to determine whether they are subject to restrictive covenants with former employers;

Conducting exit interviews with departing personnel to ensure that the employee has returned all company materials and agrees to abide by post-employment obligations;

Encrypting confidential information;

Limiting access to confidential information through passwords and network firewalls;

Tracking all access to network resources and confidential information;

Restricting the ability to email, print or otherwise transfer confidential information;

Employing security personnel;

Limiting visitor access;

Establishing surveillance procedures; and

Limiting physical access to areas that may contain confidential information.

Conclusion

This blog post is intended to provide some broad guidelines to identifying and protecting company trade secrets. Most if not all companies have confidential information that may be protectable as a trade secret. But certain precautions need to be in place to ensure that the information is protectable. Because each company and situation is different, you should seek advice about your specific circumstances.


New Data Breach Class Action has Two Million Plaintiffs


Cyber breaches resulting in the release of personal identifiable information (PII) are increasingly common and now we are starting to see class action lawsuits filed as a result. In what will likely be the beginning of a wave of lawsuits filed as a result of cyber breaches, Schnucks Markets, operator of 100 supermarkets across the Midwest, recently removed a class action lawsuit filed against it to federal court stemming from a data breach that occurred in March in which 2.4 million credit card numbers were stolen.

The class action complaint alleges Schnucks failed to properly and adequately safeguard its customers’ personal and financial data. In addition to common law negligence and disclosure, the plaintiffs allege a violation of the Illinois Personal Information Protection Act, which requires a data collector of personal information to notify individuals in the most expedient manner possible and without unreasonable delay. The complaint alleges Schnucks waited over two weeks to notify its customers and then did so only through a press release as opposed to providing actual notice to individual consumers. Apparently Schnucks struggled to find the source of the breach, and this delay may have continued to expose the PII of people who shopped at its stores.

Schnucks’ notice of removal to federal court states that the grounds for removal include a class size of more than 100 people and damages at issue greater than $5 million. Schnucks also explains that the data breach was the result of criminals hacking into its electronic payment systems at 23 stores. Further, during the relevant period, 1.6 million credit or debit card transactions took place at these stores. Schnucks calculates that 500,000 unique credit or debit cards were involved; thus the putative class has at least 500,000 members.

Damages alleged by the plaintiffs include having their credit card data compromised, incurring numerous hours cancelling their compromised cards, activating replacement cards and re-establishing automatic withdrawal payment authorizations as well as other economic and non-economic harm. Given that data breaches are becoming increasingly common it is likely that there will be more lawsuits filed similar to Schnucks in the near future. Legal counsel experienced in cyber risk and insurance can assist retailers and insurance companies with handling such problems as they arise.

Round Up – Intellectual Property and Cyber Security Things You May Have Missed (Including Some Good Summer Cocktail Banter Material)


Cyber Security Report – Earlier this year, Verizon released its 2013 Data Breach Investigations Report.  The report analyzes and presents data regarding the current state of various data breaches and network attacks.  Some of the results are surprising.

  • 92% of breaches are perpetrated by outsiders
  • 19% of breaches are attributed to state-affiliated actors
  • 76% of network intrusions exploit weak or stolen credentials
  • 66% took months or more to discover

Do Trademark Lawyers Matter? – An empirical study, published in the Stanford Technology Law Review, provided the results of a grueling analysis of 25 years’ worth of data from United States Patent and Trademark Office records on whether being represented by a trademark attorney makes a difference in the likelihood of getting your mark registered. The results? YES! It turns out that, overall, trademark applicants who are represented by an attorney are 50% more likely to have their marks registered. The results are even more dramatic when an application faces an obstacle (e.g., an office action). In those instances, applicants were found to be 68% more likely to proceed to publication when represented by counsel. Perhaps it’s time for a national trademark lawyer appreciation day! (I’m not holding my breath.)

Does Keyword Advertising Really Work?  eBay recently released a study, entitled “Consumer Heterogeneity and Paid Search Effectiveness: A Large Scale Field Experiment” which analyzed the effectiveness of eBay’s keyword advertising efforts.  So does keyword advertising really work?  Not so much.  According to the study, for well known brands (like eBay), new and infrequent users may be more influenced by keyword triggered advertisements.  But more experienced searchers and otherwise loyal brand users are not influenced by the ads.  When eBay stopped its keyword advertising, almost all of the traffic lost from the absence of the ad was picked up in the native search results.  It’s important to note, however, that this study was focused on a single well known brand.  The results may be quite different for other brands or for less well known brands.  Moreover, the study says nothing about the use of a trademark by a competitor as a keyword to drive traffic to the competitor’s website.

Marketing Your Mobile App – The FTC has released guidelines for mobile app developers on advertising their software. The plain-language guide is very high level, but does include some helpful tidbits to remember. Highlights include:

  • Advertising is everything a company tells a prospective buyer about its app (whether it’s in the formal ad campaign or in other communications).
  • Don’t bury key disclosures in “dense blocks of legal mumbo jumbo” or behind hyperlinks.
  • Build in privacy by design, including the principles used in selecting default settings.
  • If you change your privacy policy, you need to get users’ consent. Merely editing the language of the policy isn’t enough.

Effective Disclosures in Digital Advertising – The FTC also released guidelines for online advertising.  This new guidance focuses on the peculiarities and challenges associated with online advertising.  Where this adds new value is in its analysis and detail (with examples!) of the following areas:

  • Proximity and Placement – where disclosures have to be placed to be effective
  • Hyperlinks – including proper labeling and placement
  • Prominence – including use of size, color and graphics
  • Distractions – risks from graphics, sounds and links that may distract from disclosures
  • Multimedia – use of audio and video

Attack on “Happy Birthday” Copyright.  Salon.com reported yesterday that a class action suit has been filed to attack the copyright in the popular birthday celebration tune.  According to the report, the lawsuit was prompted by a documentary uncovering evidence that the song was originally published as early as 1893 and that the current copyright is based on a 1924 publication date which grants the work 95 years of copyright protection.  Based on my count, there’s only about 6 years left in the alleged copyright to begin with.  Hopefully the lawsuit gets resolved before then.


New Cybersecurity Guidance Released by the National Institute of Standards and Technology: What You Need to Know for Your Business


The National Institute of Standards and Technology (“NIST”)[1] has released the fourth revision of its standard-setting computer security guide, Special Publication 800-53, titled Security and Privacy Controls for Federal Information Systems and Organizations[2] (“SP 800-53 Revision 4”), and this marks a very important release in the world of data privacy controls and standards. First published in 2005, SP 800-53 is the catalog of security controls used by federal agencies and federal contractors in their cybersecurity and information risk management programs. Developed by NIST, the Department of Defense, the Intelligence Community and the Committee on National Security Systems as part of the Joint Task Force Transformation Initiative Interagency Working Group[3] over a period of several years, with input collected from industry, Revision 4 “is the most comprehensive update to the security controls catalog since the document’s inception in 2005.”[4]

Taking “a more holistic approach to information security and risk management,”[5] the new revision of SP 800-53 also includes, for the first time, a catalog of privacy controls (the “Privacy Controls”) and offers guidance in the selection, implementation, assessment, and ongoing monitoring of the privacy controls for federal information systems, programs, and organizations (the “Privacy Appendix”).[6] The Privacy Controls are a structured set of standardized administrative, technical, and physical safeguards, based on best practices, for the protection of the privacy of personally identifiable information (“PII”)[7] in both paper and electronic form during the entire life cycle[8] of the PII, in accordance with federal privacy legislation, policies, directives, regulations, guidelines, and best practices.[9] The Privacy Controls can also be used by organizations that do not collect and use PII, but otherwise engage in activities that raise privacy risk, to analyze and, if necessary, mitigate such risk.

Description of the Eight Families of Privacy Controls

The Privacy Appendix catalogs eight privacy control families, based on the widely accepted Fair Information Practice Principles (FIPPs)10 embodied in the Privacy Act of 1974, Section 208 of the E-Government Act of 2002, and policies of the Office of Management and Budget (OMB). Each of the following eight privacy control families aligns with one of the eight FIPPs:

  1. Authority and Purpose. This family of controls ensures that an organization (i) identifies the legal authority for its collection of PII or for engaging in other activities that impact privacy, and (ii) describes the purpose of PII collection in its privacy notice(s).
  2. Accountability, Audit, and Risk Management. This family of controls ensures that an organization (i) develops and implements a comprehensive governance and privacy program; (ii) documents and implements a privacy risk management process that assesses privacy risk to individuals resulting from collection of PII and/or other activities that involve such PII; (iii) conducts Privacy Impact Assessments (“PIAs”) for information systems, programs, or other activities that pose a privacy risk; (iv) establishes privacy requirements for contractors and service providers and includes such requirements in the agreements with such third parties; (v) monitors and audits privacy controls and internal privacy policy to ensure effective implementation; (vi) develops, implements, and updates a comprehensive awareness and training program for personnel; (vii) engages in internal and external privacy reporting; (viii) designs information systems to support privacy by automating privacy controls, and (ix) maintains an accurate accounting of disclosures of records in accordance with the applicable requirements and, upon request, provides such accounting of disclosures to the persons named in the record.
  3. Data Quality and Integrity. This family of controls ensures that an organization takes reasonable steps to validate that the PII collected and maintained by the organization is accurate, relevant, timely, and complete.
  4. Data Minimization and Retention. This family of controls addresses (i) the implementation of data minimization requirements to collect, use, and retain only PII that is relevant and necessary for the original, legally authorized purpose of collection, and (ii) the implementation of data retention and disposal requirements.
  5. Individual Participation and Redress. This family of controls addresses implementation of processes (i) to obtain consent from individuals for the collection of their PII, (ii) to provide such individuals with access to the PII, (iii) to correct or amend collected PII, as appropriate, and (iv) to manage complaints from individuals.
  6. Security. This family of controls supplements the security controls in Appendix F and is implemented in coordination with information security personnel to ensure that the appropriate administrative, technical, and physical safeguards are in place to (i) protect the confidentiality, integrity, and availability of PII, and (ii) ensure compliance with applicable federal policies and guidance.
  7. Transparency. This family of controls ensures that organizations (i) provide clear and comprehensive notices to the public and to individuals regarding their information practices and activities that impact privacy, and (ii) generally keep the public informed of their privacy practices.
  8. Use Limitation. This family of controls addresses the implementation of mechanisms that ensure that an organization’s scope of use of PII is limited to the scope specified in its privacy notice or as otherwise permitted by law.

Some of the Privacy Controls, such as Data Quality and Integrity, Data Minimization and Retention, Individual Participation and Redress, and Transparency, also contain control enhancements; while these enhancements reflect best practices which organizations should strive to achieve, they are not mandatory.11 The Office of Management and Budget (OMB), tasked with enforcement of the Privacy Controls, expects all federal agencies and third-party contractors to implement the mandatory Privacy Controls by April 30, 2014.

The privacy control families must be analyzed and selected based on the specific operational needs and privacy requirements of each organization and can be implemented at various operational levels (e.g., organization level, mission/business process level, and/or information system level12). The Privacy Controls and the roadmap provided in the Privacy Appendix will be used primarily by Chief Privacy Officers (“CPO”) or Senior Agency Officials for Privacy (“SAOP”) to develop enterprise-wide privacy programs or to improve an existing privacy program in order to meet an organization’s privacy requirements and demonstrate compliance with such requirements. The Privacy Controls supplement and complement the security control families set forth in Appendix F (Security Control Catalog) and Appendix G (Information Security Programs), and together these controls can be used by an organization’s privacy, information security, and other risk management offices to develop and maintain a robust and effective enterprise-wide program for management of information security and privacy risk.

What You Need to Know

The Privacy Appendix is based upon best practices developed under current law, regulations, policies, and guidance applicable to federal information systems, programs, and organizations, and by implication, to their third-party contractors. If you provide services to the federal government, work on government contracts, or are the recipient of certain grants that may require compliance with federal information system security practices, you should already be sitting up and paying attention. This revision puts privacy up front with security.

Like other NIST publications, this revision will be looked at as an industry standard for best practices, even for commercial entities that are not doing business with the federal government. In fact, over the last few years, we have seen increasing references to compliance with NIST 800-53 as setting a contractual baseline for security. We expect that this will continue, and that it will now include both the Security Controls and the Privacy Controls. As such, general counsel, business executives, and IT professionals should become familiar with and conversant in the Privacy Controls set forth in the new revision to SP 800-53. At a minimum, businesses should undertake a gap analysis of the privacy controls at their organization against these Privacy Controls to determine whether they are up to par or whether they have to enhance their current privacy programs. And, if NIST 800-53 appears in contract language as the “minimum standard” with which your company’s policies and procedures must comply, the gap analysis will at least inform you of what needs to be done to bring both your privacy and security programs up to speed.


1 The National Institute of Standards and Technology is a non-regulatory agency within the U.S. Department of Commerce, which, among other things, develops information security standards and guidelines, including minimum requirements for federal information systems to assist federal agencies in implementing the Federal Information Security Management Act of 2002.

2 See Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publ. (SP) 800-53, Rev. 4 (April 30, 2013), http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

3 The Joint Task Force Transformation Initiative Interagency Working Group is an interagency partnership formed in 2009 to produce a unified security framework for the federal government. It includes representatives from the Civil, Defense, and Intelligence Communities of the federal government.

4 See NIST Press Release for SP 800-53 Revision 4 at http://www.nist.gov/itl/csd/201304_sp80053.cfm. Revision 4 of SP 800-53 adds a substantial number of security controls to the catalog, including controls that address new technology such as digital and mobile technologies and cloud computing. With the exception of the controls that address evolving technologies, the majority of the cataloged security controls are policy and technology neutral, focusing on the fundamental safeguards and countermeasures required to protect information during processing, while in storage, and during transmission.

5 See NIST Press Release for SP 800-53 Revision 4 at http://www.nist.gov/itl/csd/201304_sp80053.cfm.

6 See Appendix J, Privacy Control Catalog to Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publ. (SP) 800-53, Rev. 4 (April 30, 2013), http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf. Appendix J was developed by NIST and the Privacy Committee of the Federal Chief Information Officer (CIO) Council.

7 Personally Identifiable Information is defined broadly in the Glossary to SP 800-53 Revision 4 as “Information which can be used to distinguish or trace the identity of an individual (e.g., name, social security number, biometric records, etc.) alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual (e.g., date and place of birth, mother’s maiden name, etc.).” See page B-16 of Appendix B, Privacy Control Catalog to Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publ. (SP) 800-53, Rev. 4 (April 30, 2013), http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf. However, as stated in footnote 119 in Appendix J, “the privacy controls in this appendix apply regardless of the definition of PII by organizations.”

8 Collection, use, retention, disclosure, and disposal of PII.

9 See page J-4 of Appendix J, Privacy Control Catalog to Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publ. (SP) 800-53, Rev. 4 (April 30, 2013), http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

10 See NIST description and overview of Fair Information Practice Principles at http://www.nist.gov/nstic/NSTIC-FIPPs.pdf.

11 See page J-4 of Appendix J, Privacy Control Catalog to Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publ. (SP) 800-53, Rev. 4 (April 30, 2013), http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

12 See page J-2 of Appendix J, Privacy Control Catalog to Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publ. (SP) 800-53, Rev. 4 (April 30, 2013), http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

“Actually, Someone Knows You are a Dog”– the Chinese Regulation Efforts on Private Data Protection

Sheppard Mullin 2012

Do you have privacy in the era of information?

“On the Internet, nobody knows you’re a dog.” First published in The New Yorker on July 5, 1993, this widely known and recognized saying has been quoted many times to describe the anonymous nature of the Internet. However, this description has now been drifting away from the truth.

The truth is that some people using the Internet may know you better than you know yourself. When you log on to Amazon, not only will the site greet you by name, the homepage will also suggest certain purchases. Surprisingly, you will be interested in at least one third of them. Your addresses have been recorded, and Amazon will automatically calculate the delivery period. Beyond online shopping sites, collecting visitors’ information is common practice among online service and/or information providers. Youku and Netflix suggest videos to watch. Weibo and Facebook suggest friends to follow. Douban and IMDB suggest movie tickets to buy and parties to attend.

On one hand, these recommendations might make your life and entertainment more convenient; on the other hand, they can be really intrusive, and it can make you anxious that they know so much about you. For example, you have just bought an apartment and have not even received the keys, yet decoration companies and contractors are already calling to tell you that the decoration designs for the new apartment have been done. You have just submitted some resumes for a job, and even before the interview, insurance companies and training companies are calling and emailing you with sales pitches. Have you wondered how strangers know your private, personal information?

Every time you log on to a website, make a call, or buy a ticket by showing your ID card, computer systems track you and record everything you have clicked and purchased. Data analysis systems collect, characterize, and store your information, and take further actions based on it. Some entities even purchase and resell personal data for profit. Personal data has become a commodity because direct marketing based on private data is profitable. Marketing communications are only classified as “direct marketing” where they are addressed to a specific person by name or where a phone call is made to a specific person, and the use of private data is the foundation of direct marketing. The newly issued Hong Kong Personal Data (Privacy) Amendment Ordinance, which came into force on April 1, 2013, contains a number of new provisions regulating the use of personal data in connection with direct marketing activities in Hong Kong. Apart from Hong Kong, there are over fifty countries and regions which have laws and regulations protecting personal data.

What is the new trend in China to protect personal data?

In order to safeguard the legitimate rights and interests of Chinese citizens concerning private data protection, the Ministry of Industry and Information Technology of China (“MIIT”) announced the Provisions on the Protection of Personal Information of Telecommunication and Internet Users (Draft for Comments) (“PPI Rules”) and the Provisions on the Registration of True Identity Information of Telephone Users (Draft for Comments) (“RTII Rules”) and sought public comments. The deadline for submitting comments is May 15, 2013.

The PPI Rules and RTII Rules are a breakthrough with respect to legislation on personal information protection. Although these two sets of rules are not officially a personal information protection law, they are a good beginning and call for a complete set of rules.

The PPI Rules and RTII Rules are designed to protect personal information from two perspectives. While the PPI Rules regulate the collection and utilization of users’ private information, the RTII Rules require “real-name registration” of telephone users in order to prohibit direct or indirect marketing using no-name telephone numbers. Specifically, the PPI Rules require that telecommunication service providers and Internet information service providers (“Service Providers”) shall not collect or use the users’ personal information without their consent. Service Providers shall also clearly notify the users of the purpose, method, and scope of collection and utilization of the users’ personal information, the retention period of such information, the ways to access and modify such information, and the consequences of refusing to provide such information.

Meanwhile, the “real-name registration” required by the RTII Rules is a double-edged sword. Not only are telephone users required to supply their true identity information; some Internet services, for example Weibo, the Chinese equivalent of Twitter, also require users’ true identity information. On one hand, it will reduce the risk of private information abuse by no-name telephones and Weibo bloggers. On the other hand, the “real-name registration” regime means it is legitimate for telephone and some Internet service providers to collect their users’ information. Although the RTII Rules prohibit the sale and illegal provision of users’ information, that does not mean those providers will not utilize the users’ information to make profits or provide such information to the government or other entities with compulsory authority. This “real-name registration” may limit the healthy development of the Internet and even harm users’ right to free speech. Is “real-name registration” the only way to protect personal information? This is a controversial topic.

What can enterprises do to avoid violations of personal data protection rules in China?

Putting the controversial topic aside, let’s talk about what enterprises doing business in China can do regarding the new rules to protect personal information. Those enterprises may not be limited to Internet/telecommunication service providers, because the regime may expand in the future to regulate more entities that have access to citizens’ personal data.

First, the concerned enterprises can log on to the MIIT official websites and submit comments, if they have any. They can make their voices heard since the rules are in the “draft for comments” period.

Second, a thorough study of the new rules and other anticipated rules in this area is needed. The concerned enterprises need to provide proper training to their employees regarding the protection of users’ information, since this is not only required by the new rules, but the enterprises might also bear joint and several liability with employees who abuse the users’ information.

Third, properly drafted disclaimers, declarations, or agreements are needed when the enterprises want to collect and utilize the users’ private information. The enterprises need to make sure that they have obtained the users’ consent concerning the information collection and utilization. Proper preparation is needed to avoid future risks.


The “Reasonable” Perils of Data Security Law


The following is drawn from the materials to be presented at the 17th Annual America’s Claims Event 2013 conference in the “Cyber-Liability and Data Loss Claims: A Case Study from Notice of Occurrence Through Conclusion” session on June 20, 2013 in Austin, Texas.

NEGLIGENCE. “The omission to do something which a reasonable man, guided by those ordinary considerations which ordinarily regulate human affairs, would do, or the doing of something which a reasonable and prudent man would not do.”1

“When we think about data breaches, we often worry about malicious minded computer hackers exploiting software flaws, or perhaps Internet criminals seeking to enrich themselves at our expense. But the truth is that errors and negligence within the workplace are a significant cause of data breaches that compromise sensitive personal information.”2

According to a recent study by the Ponemon Institute, only 8% of the surveyed data breach incidents were due to external cyber attack, while 22% could be attributed in part to malicious employees or other insiders. Loss of laptops or other mobile devices containing sensitive data topped the survey, while mishandling of data “at rest” or “in motion” were also major contributors.3 A later study showed that 39% of surveyed organizations identified negligence as the root cause of their data breaches, while 37% were attributed to malicious or criminal attack.4

Negligent document disposal is a clear and preventable source of negligence. On December 7, 2012, at least eight garbage bags were left unattended on a dirt road in Hudson, Florida, containing credit applications to Rock Bottom Auto Sales with names, driver’s license information, and Social Security numbers. Three days later, in Pittsburgh, Pennsylvania, job placement documents from the West Pittsburgh Partnership were found in a dumpster, all containing names and SSNs.5 For that matter, the Internal Revenue Service in 2008 was found to have disposed of taxpayer documents in regular waste containers and dumpsters, and a follow-up investigation revealed that IRS officials failed to consistently verify whether contract employees who had access to taxpayer documents had passed background checks.6

Convincing users to back up their laptops has been difficult enough in practice; getting them to encrypt them voluntarily is a much more daunting task. A 2010 Ponemon Institute study, admittedly biased towards large corporations, concluded that, among those surveyed, 46% of laptops held confidential data, while only 30% had their contents encrypted. A startlingly low 29% of the laptops had backup/imaging software installed, which implies that more than two thirds of all laptops, if lost or stolen, would leave no backup of work in progress.7

Even though more devices are coming to market with built-in encryption capabilities, these features may simply be left switched off by their users despite the fact that lost laptops, tablets, smartphones, USB “thumb” drives and other portable devices with unencrypted contents continue to provide a wealth of information to identity thieves.

On March 22, 2013, a laptop used by clinicians at the University of Mississippi Medical Center was discovered to be missing. It contained patient names, social security numbers, addresses, diagnoses, birthdates and other personal information, protected only by a password.8

On January 8, 2013, an unencrypted flash drive containing student SSNs and other information was stolen from a Hephzibah, Georgia middle school teacher’s car.9 TD Bank had two unencrypted backup tapes containing customers’ and their dependents’ names, SSNs, addresses, and account, credit and debit card numbers go missing while being transported between two TD Bank offices in March 2012, but public notice was not made until March 4, 2013.10

An examination of reported data security incidents with potential or actual data privacy breaches reveals that the scope of what is deemed “reasonable” ranges from ordinary care in the disposal of documents containing personally identifiable information (“PII”) and personal health information (“PHI”), to sophisticated data encryption, access authentication and other highly technical data security practices that the “reasonably prudent” persons, companies and governmental agencies are now expected to employ to protect the personal data that they have collected.

On October 10, 2012, the South Carolina Department of Revenue was informed of a potential cyber attack involving the personal information of taxpayers.11 The origin of the attack was traced to a state Department of Revenue employee who clicked on an embedded link in a “salacious” email and compromised his computer.12 The subsequent investigation revealed that “outdated computers and security flaws at the state’s Department of Revenue allowed international hackers to steal 3.8 million tax records”, according to Governor Nikki R. Haley. Apparently South Carolina did not encrypt Social Security Numbers, and once the outer perimeter security was compromised the hackers were able to log in as tax officials and read the data.13

Users of online services will routinely provide personal information as a matter of course to shop or obtain other services, all of which gets recorded and tracked. Data privacy laws are intended to promote and enforce a number of fair information practices to give individuals the ability to find out what personal information is being kept and by whom, opportunities to correct or remove such information, assurances that reasonable measures will be undertaken to protect such information from disclosure and to properly dispose of such information when appropriate, and may include remedial measures to be undertaken in the event of a data breach.

In the United States, there is no single comprehensive data privacy statute.14 Instead, a number of sector-specific federal laws have been enacted to address the particular sensitivity of information generally recorded by companies in that market sector, and forty-six states have enacted data breach notification statutes. If there is a data breach, you may be liable under state law to provide notice to those affected.15 In some jurisdictions, you may be required to provide notice to all consumer credit reporting agencies as well.16

The financial exposure to a data breach by a company may be insurable to some degree using various forms of “cyber liability” insurance, which expand and supplement many forms of more standard insurance coverages underwritten today. Policy premiums for such policies, however, are dependent upon the extent of data security practices implemented.

Conducting a data security risk assessment before encountering a data breach should identify measures that can be taken at the corporate level not only to provide additional protection to sensitive data, but also to mitigate the consequences of a security incident in which company data is disclosed, lost, or stolen. Encrypted data in many cases may not be considered “exposed” for purposes of mandated notice to affected individuals.

In the event of a data security incident, please consider engaging a data forensics team, not only to identify the source and extent of the breach, but also to preserve evidence in case prosecution becomes possible.

We will discuss a data breach case study from inception through enforcement, resolution and potential mitigation through cyber liability insurance at our presentation at ACE 2013. We hope to see you then.


1 BLACK’S LAW DICTIONARY 1184 (4th ed. 1968).

2 Privacy Rights Clearinghouse, Are the Businesses You Frequent or Work For Exposing You to an Identity Thief?, (Mar. 6, 2012), https://www.privacyrights.org/workplace-identity-theft-quiz-alert-2012

3 The Human Factor in Data Protection, 3 PONEMON INSTITUTE LLC (January 2012), available at http://www.ponemon.org/local/upload/file/The_Human_Factor_in_data_Protection_WP_FINAL.pdf.

4 2011 Cost of Data Breach Study: United States, 7 PONEMON INSTITUTE LLC (March 2012), available at http://www.ponemon.org/local/upload/file/2011_US_CODB_FINAL_5.pdf.

5 http://www.privacyrights.org/data-breach/new (check Breach Type “PHYS”, Organization Type “BSR” and Year “2012”).

6 Increased Management Oversight of the Sensitive but Unclassified Waste Disposal Process Is Needed to Prevent Inadvertent Disclosure of Personally Identifiable Information, TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION (May 8, 2009), http://www.treas.gov/tigta/auditreports/2009reports/200930059fr.pdf.

7 The Billion Dollar Lost Laptop Problem, 6 PONEMON INSTITUTE LLC (Sept. 30, 2010), available at http://newsroom.intel.com/servlet/JiveServlet/download/1544-8-3132/The_Billion_Dollar_Lost_Laptop_Study.pdf.

8 http://www.privacyrights.org/data-breach/new (check Breach Type “PORT”, Organization Type “EDU” and Year “2013”).

9 http://www.privacyrights.org/data-breach/new (check Breach Type “PORT”, Organization Type “EDU” and Year “2013”).

10 http://www.privacyrights.org/data-breach/new (check Breach Type “PORT”, Organization Type “BSF” and Year “2013”).

11 Kara Durrette, SC Department of Revenue hacked; millions of SC residents affected, http://www.midlandsconnect.com/sports/story.aspx?id=817902#.UVyOdheYu7w (posted Oct. 26, 2012, updated Oct. 27, 2012).

12 Matthew J. Schwartz, How South Carolina Failed To Spot Hack Attack, INFORMATION WEEK, Nov. 26, 2012, http://www.informationweek.com/security/attacks/how-south-carolina-failed-to-spot-hack-a/240142543.

13 Robbie Brown, South Carolina Offers Details of Data Theft and Warns It Could Happen Elsewhere, N.Y. TIMES, Nov. 20, 2012, available at http://www.nytimes.com/2012/11/21/us/more-details-of-southcarolina-hacking-episode.html?_r=0.

14 PETER P. SWIRE & KENESA AHMAD, FOUNDATIONS OF INFORMATION PRIVACY AND DATA PROTECTION 41 (International Association of Privacy Professionals) (2012).

15 NYC Administrative Code § 20-117(c) (2013); NY CLS State Technology Law § 208(2) (NY state residents only); 73 Pa. Stat. § 2303 (PA residents).

16 73 Pa. Stat. § 2305; NY CLS State Technology Law §208(7)(b).
