Espionage and Export Controls: iPhone Hack Highlights New World of Warfare

Last week, researchers at Citizen Lab uncovered sophisticated new spyware that allowed hackers to take complete control of anyone’s iPhone, turning the phone into a pocket-spy to intercept communications, track movements and harvest personal data. The malicious software, codenamed “Pegasus,” is believed to have been developed by the NSO Group, an Israeli company (whose majority shareholder is a San Francisco-based private equity firm) that describes itself as a “leader in cyber warfare” and sells its software – with a price tag of $1 million – primarily to foreign governments. The software apparently took advantage of three previously unknown security flaws in Apple’s iOS software, and was described by experts as “the most sophisticated” ever seen on the market. Apple quickly released a patched version of its software, iOS 9.3.5, and urged users to download it immediately.

Citizen Lab learned about Pegasus from Ahmed Mansoor, a UAE human rights activist, who received text messages baiting him to click on a link to discover “new secrets about the torture” of Emirati prisoners. Mr. Mansoor had been prey to hackers before, so he contacted Citizen Lab. When researchers tested the link, they discovered software had been remotely implanted onto the phone, and brought in Lookout, a mobile security firm, to reverse-engineer the spyware. Citizen Lab later identified the same software as having been used to track a Mexican journalist whose writings have criticized Mexico’s President. Citizen Lab and Lookout also determined that Pegasus could have been used across Turkey, Israel, Thailand, Qatar, Kenya, Uzbekistan, Mozambique, Morocco, Yemen, Hungary, Saudi Arabia, Nigeria, and Bahrain, based on domains registered by NSO.

NSO Group, the architect of Pegasus, claims to provide “authorized governments with technology that helps them combat terror and crime,” insisting that its products are only used in lawful ways. NSO spokesperson Zamir Dahbash told reporters that the company “fully complies with strict export control laws and regulations.” The Citizen Lab researcher who disassembled the malicious program, however, compared it to “defusing a bomb.” All of which raises the question – what laws or regulations govern the export of cyber-weapons by an Israeli firm (likely controlled by U.S. investors) to foreign governments around the world?

Cyber weapons are becoming increasingly interchangeable with traditional weapons. Governments (or terrorists) no longer need bombs or missiles to inflict large-scale destruction, such as taking down a power grid, since such attacks can now be conducted from anywhere there is a computer. Do export controls – which have long been used as foreign policy and national security tools, and which would regulate the transfer of traditional weapons – play any real role in regulating the transfer of weapons of cyber-surveillance or destruction? In fact, the legal framework underlying current export controls has not caught up (and maybe never will) to the capabilities of technological tools used in cyberwarfare. Proposals to regulate malware have been met with resistance from the technology industry because malware technology is often dual-use and the practical implications of requiring licenses would impede technological innovation and business activities in drastic ways.

The Wassenaar Arrangement

The Wassenaar Arrangement (WA) was established in 1996 as a multilateral nonproliferation regime to promote regional security and stability through greater transparency and responsibility in the transfer of arms and sensitive technologies. The United States is a member. Israel is not, but has aligned its export controls with Wassenaar lists.

In December 2013, the list of export controlled technologies under WA was amended to include commercial surveillance software, largely to curb human rights abuses by repressive governments’ use of spyware on citizens. Earlier this year, the Department of Commerce issued recommendations that the definition of “intrusion software” in the WA be modified to encompass the concept of “authorization” so that malware such as Pegasus, in which the user does not truly understand the nature of the consequences, would be controlled. Those proposals have not been implemented.

U.S. Export Controls of Malware

In 2015, following data breaches at the Office of Personnel Management and several private companies, the Department of Commerce published proposed rules to harmonize concepts embedded in the WA into the U.S. regulatory framework for export controls. One critical proposal was a definition of “intrusion software” to require a license for the export and use of malware tools. But the definition covered much more than malware. Cybersecurity experts were alarmed by the rule’s over-inclusive and vague language. The rules would have impeded critical business activities, stifled international research and cross-border exchanges of technology, and hindered response to cyber threats.

NSO Group has been described by researchers as “incredibly committed to stealth,” and reportedly has close partnerships with other Israeli surveillance firms that seek to sell spyware, suggesting an inevitable increase in cyber mayhem. As malware becomes more sophisticated, widespread, and threatening, the need for strictly tailored export controls is not going to go away.

Regulating software is challenging, at least in part because there is no workable legal definition of what constitutes a cyber weapon. Because malware is largely dual-use, the only way to determine whether particular software constitutes a cyber weapon is retroactively. If software has been used as a weapon, it is considered a cyber weapon. But that definition arrives far too late to control the dissemination of the code. Moreover, controlling components of that software would likely be over-inclusive, since the same code that can exploit flaws to break into devices can also have benign uses, such as detecting vulnerabilities to help manufacturers like Apple learn what needs patching. Another challenge is that export licenses can take months to obtain, which, in the fast-moving tech world, is as good as denial.

The revelation of the Pegasus iPhone spyware highlights questions that have perplexed national security and export control experts in recent years. As the use and sophistication of malware continue their explosive growth, not only must individuals and governments face the chilling realities of cyber warfare, but regulators must quickly understand the technological issues, address the risks, and work with the cyber security and technological communities to find a path forward.

Location Data Gathering Under Europe’s New Privacy Laws

Why are EU regulators particularly concerned about location data?

Location-specific data can reveal very specific and intimate details about a person, where they go, what establishments they frequent and what their habits or routines are. Some location-specific data garners heightened protections, such as where and how often a person obtains medical care or where a person attends religious services.

In the U.S., consumers typically agree to generalized privacy policies by clicking a box prior to purchase, download or use of a new product or service. But the new EU regulations may require more informed notice and consent be obtained for each individual use of the data that a company acquires. For example, a traffic app may collect location data to offer geographically-focused traffic reports and then also use that data to better target advertisements to the consumer, a so-called “secondary use” of the data.

The secondary use is what is concerning to EU regulators. They want to give citizens back control over their personal data, which means meaningfully and fully informing them of how and when it is used. For example, personal data can only be gathered for legitimate purposes, meaning companies should not continue to collect location data beyond what is necessary to support the functionality of their business model; also additional consent would need to be obtained each time the company wants to re-purpose or re-analyze the data they have collected. This puts an affirmative obligation on companies to know if, when and how their partners are using consumer data and to make sure such use has been consented to by the consumer.

What should a company do that collects location data in the EU? 

  1. Consumers should be clearly informed about what location information is being gathered and how it will be used; this means not just the primary use of the data, but any ancillary uses, such as to target advertisements, etc.;

  2. Consumers should be given the opportunity to decline to have their data collected, or to be able to “opt-out” of any of the primary or secondary uses of their data;

  3. Companies need to put a mechanism in place to make consumers aware if the company’s data collection policies change; for example, a company may not have a secondary use for the data now, but in 2 years it plans on packaging and reselling that data to an aggregator; and

  4. Companies must have agreements in place with their partners in the “business ecosystem” to ensure their partners are adhering to the data collection permissions that the company has obtained.

© Polsinelli PC, Polsinelli LLP in California

Guidance on Ransomware Attacks under HIPAA and State Data Breach Notification Laws

On July 28, 2016, the US Department of Health and Human Services (HHS) issued guidance (guidance) under the Health Insurance Portability and Accountability Act (HIPAA) on what covered entities and business associates can do to prevent and recover from ransomware attacks. Ransomware attacks can also trigger concerns under state data breach notification laws.

What Is Ransomware?

Ransomware is a type of malware (malicious software). It is deployed to devices and systems through spam, phishing messages, websites and email attachments, or it can be directly installed by an attacker who has hacked into a system. In many instances, when a user clicks on the malicious link or opens the attachment, it infects the user’s data. Ransomware attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware. After the user’s data is encrypted, the ransomware attacker directs the user to pay a ransom in order to receive a decryption key. However, the attacker may also deploy ransomware that destroys or impermissibly transfers information from an information system to a remote location controlled by the attacker. Paying the ransom may result in the attacker providing the key needed to decrypt the information, but it is not guaranteed. In 2016, at least four hospitals have reported attacks by ransomware, but additional attacks are believed to go unreported.

HIPAA Security Rule and Best Practices

The HIPAA Security Rule requires covered entities and business associates to implement security measures. It also requires covered entities and business associates to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (ePHI) the entities create, receive, maintain or transmit and to implement security measures sufficient to reduce those identified risks and vulnerabilities to a reasonable and appropriate level. The HIPAA Security Rule establishes a floor for the security of ePHI, although additional and/or more stringent security measures are certainly permissible and may be required under state law. Compliance with HIPAA’s existing requirements provides covered entities and business associates with guidance on how to prevent and address breaches that compromise protected health information. The new HIPAA guidance specific to ransomware reinforces how the existing requirements can help an entity protect sensitive information.

HHS has suggested that covered entities and business associates frequently back up their documents because ransomware denies access to the covered entity’s and business associate’s data. Maintaining frequent backups and ensuring the ability to recover data from a separate backup source is crucial to recovering from a ransomware attack. Test restorations should be periodically conducted to verify the integrity of backed-up data and provide confidence in an organization’s data restoration capabilities. Because some ransomware variants have been known to remove or otherwise disrupt online backups, entities should consider maintaining backups offline and inaccessible from their networks.

Covered entities and business associates should also install malicious software protections and educate their workforce members on data security practices that can reduce the risk of ransomware, including how to detect malware-type emails, the importance of avoiding suspicious websites and complying with sound password policies.

Lastly, each covered entity or business associate should ensure that its incident response plan addresses ransomware incidents. Many entities have crafted their policies and incident response plans to focus on other more typical daily personal information risks, such as the lost laptop or personal device. A ransomware event should expressly trigger the activities required by the incident response plan, including the requirement to activate the response team, initiate the required investigation, identify appropriate remediation, determine legal and regulatory notification obligations, and conduct post-event review.

Indications of a Ransomware Attack

Indicators of a ransomware attack could include:

  • The receipt of an email from an attacker advising that files have been encrypted and demanding a ransom in exchange for the decryption key
  • A user’s realization that a link that was clicked on, a file attachment opened or a website visited may have been malicious in nature
  • An increase in activity in the central processing unit (CPU) of a computer and disk activity for no apparent reason (due to the ransomware searching for, encrypting and removing data files)
  • An inability to access certain files as the ransomware encrypts, deletes and renames and/or relocates data
  • Detection of suspicious network communications between the ransomware and the attackers’ command and control server(s) (this would most likely be detected by IT personnel via an intrusion detection or similar solution)

What to Do if Subject to a Ransomware Attack?

A covered entity or business associate that is subject to a ransomware attack may find it necessary to activate its contingency or business continuity plans. Once the contingency or business continuity plan is activated, an entity will be able to continue its day-to-day business operations while continuing to respond to, and recover from, a ransomware attack. The entity’s robust security incident procedures for responding to a ransomware attack should include the following processes to:

  • Activate the entity’s incident response plan and follow its requirements;
  • Notify the entity’s cyber liability insurer as soon as enough information is available to indicate a possible ransomware attack and within any time period required under the applicable policy;
  • Detect and conduct an analysis of the ransomware, determining the scope of the incident and identifying what networks, systems or applications are affected;
  • Determine the origin of the incident (who/what/where/when), including how the incident occurred (e.g., tools and attack methods used, vulnerabilities exploited);
  • Determine whether the incident is finished, is ongoing or has propagated additional incidents throughout the environment;
  • Contain and eradicate the ransomware and mitigate or remediate vulnerabilities that permitted the ransomware attack and propagation;
  • Recover from the ransomware attack by restoring data lost during the attack and returning to “business-as-usual” operations; and
  • Conduct post-incident activities, which could include a deeper analysis of the evidence to determine if the entity has any regulatory, contractual or other obligations as a result of the incident (such as providing notification of a breach of protected health information), and incorporating any lessons learned into the overall security management process of the entity to improve incident response effectiveness for future security incidents.

Additionally, it is recommended that an entity infected with ransomware consult, early on, with legal counsel who can assist with reporting the incident to the extent it is a criminal matter to law enforcement. Counsel frequently have ongoing contacts within the cybercrime units of the Federal Bureau of Investigation (FBI) or the United States Secret Service that may deploy appropriate resources to address the matter and to supply helpful information. These agencies work with federal, state, local and international partners to pursue cyber criminals globally and assist victims of cybercrime. Counsel can advise on the type of information appropriate to disclose to law enforcement, while taking steps to establish and maintain the attorney-client privilege and, if appropriate, the attorney work product protection. Counsel also can assist in preparing communications (e.g., mandatory notifications and reports to senior executives and boards), advise on potential legal exposure from the incident and provide representation in connection with government inquiries or litigation.

If Ransomware Infects a Covered Entity’s or a Business Associate’s Computer System, Is It a Per Se HIPAA Breach?

Not necessarily. Whether or not the presence of ransomware would be a breach under the HIPAA Privacy Rule or HIPAA Security Rule (the HIPAA Rules) is a fact-specific determination. A breach under the HIPAA Rules is defined as, “…the acquisition, access, use or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.” A covered entity or business associate should, however, perform a risk assessment after experiencing a ransomware incident to determine if a reportable breach has occurred and to determine the appropriate mitigating action.

If the ePHI was encrypted prior to the incident in accordance with the HHS guidance, there may not be a breach if the encryption that was in place rendered the affected PHI unreadable, unusable and indecipherable to the unauthorized person or people. If, however, the ePHI is encrypted by the ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule.

Thus, in order to determine if the information was acquired and accessed in the incident, additional analysis will be required. Unless the covered entity or business associate can demonstrate that there is a “[l]ow probability that the PHI has been compromised,” based on the factors set forth in the HIPAA breach notification rule, a breach of PHI is presumed to have occurred. If a breach has occurred, the entity must comply with the applicable breach notification provisions under HIPAA and, if applicable, state law.

Does a Ransomware Event Trigger State Data Breach Notification Obligations?

Possibly. In a majority of states, data breach notification requirements are triggered when there is both “unauthorized access” to and “acquisition” of personally identifiable information. Whether a ransomware event meets the access and acquisition elements of these statutes is, as in the HIPAA analysis, a fact-specific determination. If, for example, the hackers were able to move the personally identifiable information from the entity’s network to their own, it is clear that the hackers achieved unauthorized access to and acquisition of the information. State data breach notification laws pertaining to the affected individuals would need to be analyzed and factored into the entity’s overall notification requirements.

Ransomware, though, is usually designed to extort money from victim entities rather than steal personally identifiable information. If the forensics team can present credible evidence that no personally identifiable information was acquired by the hackers, then these obligations may not be triggered. The forensics team, consistent with the incident response team requirements, should document findings that support a defensible decision under these statutes, in case of a subsequent regulatory investigation or litigation, not to notify affected individuals.

In a minority of states, the data breach notification requirements are triggered when there is simply “unauthorized access” to personally identifiable information. This lower standard may mean that the entity must notify its customers of a data breach even when no personally identifiable information is acquired by a hacker. Entities that maintain personally identifiable information of residents of Connecticut, New Jersey and Puerto Rico, for example, may find themselves in the unfortunate position of having to provide data breach notifications even when the information is not acquired by a hacker.

Finally, if the entity is providing services to a business customer, it will need to determine whether it is obligated to notify the business customer (as owner of the affected personal information) of the ransomware attack, taking into account state data breach notification requirements, contractual obligations to notify the business customer and the overall value of the commercial relationship.

Pokémon Go – Staying Ahead of Game and Avoiding Unexpected HIPAA Risks

It was inevitable – Pokémon Go fever has swept the nation, and now little cartoon creatures have found their way into your health care facility.

Wait, what!?

Yes, you read that right, those pesky (or beloved, depending on your point of view) creatures are popping up literally everywhere, and unfortunately hospitals and other health care facilities are no exception. As a result, in addition to keeping up with the various advances in mobile technology related to health care and patient management, health care facilities across the country must now add keeping up with virtual and augmented reality to their to-do lists.

So why should this matter to your health care facility?

Currently, industry trends suggest that hospitals and other health care facilities are taking two divergent views when it comes to this new frontier – (a) asking to be taken off the “map” (i.e., having Pokémon removed from their property), or (b) embracing the game, as it motivates the young (and old) to be active. While the latter could be tempting – and for some facilities with proper controls it could be successful – for most, we recommend taking whatever steps possible to prohibit game play within your health care facility.

Regardless of the road taken by your facility, there are a few key considerations to keep in mind when evaluating potential HIPAA risks related to virtual and augmented reality games, which are only likely to grow substantially in number in the future.

How do Pokémon Go and augmented reality games work?

At first glance, this specific game (which is fairly primitive as augmented reality) doesn’t appear problematic from a HIPAA perspective. However, there are some hidden risks. The Pokémon game’s functionality allows for a user to switch between a virtual map and camera mode which literally shows the Pokémon in the world around the player. The images seen on the player’s phone do not appear to be saved or shared automatically – however, the mobile application does offer the option of letting you take a photo of what you see from within the app. In a world dominated by social media, this is where the problem arises.

Pokémon Go and other augmented reality games allow a player to engage in a virtual game which takes place in the real world around them. Pokémon Go players are motivated to take photos of their surroundings and share them with third parties and on social media. In a health care environment, this could easily result in a player – whether patient, employee or third-party gamesman – inadvertently sharing protected health information (PHI) with all of his or her followers in as little as four clicks from taking a screenshot.

Many hospitals are already dealing with the unintended consequences of individuals playing Pokémon Go and wandering into areas containing sensitive information. Even if photographs are not taken, the mere presence of individuals who are only on premises for the purpose of playing a game heightens potential information privacy and security risks.

What is this picture worth?

Hospitals have learned the hard way the high cost of a HIPAA violation. In April of this year the Department of Health and Human Services, Office for Civil Rights (OCR) reached a $2.2 Million settlement with New York Presbyterian Hospital for the filming of “NY Med” on the premises, which resulted in the unauthorized sharing of two patients’ images. OCR also determined that the hospital failed to safeguard health information when it offered the film crew access to an environment where PHI could not be effectively protected.

OCR is likely to follow the same logic in the context of augmented reality games and the potential exposure of PHI to unauthorized parties. Having Pokémon Go players on hospital premises – including patients, visitors, employees and, most especially, those present solely for the purpose of playing the game – could lead to unnecessary HIPAA risks.

Best practices for Pokémon Go and its successors:

  • Take yourself off the “map,” but remember this is not where the story ends: To alleviate a number of risks, you can, of course, submit an online request to Niantic Labs – the creator of Pokémon Go – to be removed as an in-game location. However, this step alone will not be sufficient to end all possible risks related to Pokémon Go, and the universe of augmented reality that could pop up next. It is also notable that the process of being removed as a stop has proven lengthy; therefore, it would be advisable to also take additional steps regarding your stance on Pokémon Go and augmented reality games. To speed up the process, consider writing a formal demand – above and beyond the online system – to have your coordinates removed from game play.

  • Determine your stance on patient play: Aside from hospital policies on visitor and patient cell phone use, determine if your establishment wants to promote patient use of Pokémon Go. Many facilities are finding Pokémon Go to be a valuable tool in promoting exercise and activity – especially post procedures. If your hospital wants to take that approach, consider limiting play to “Pokémon Zones” where PHI is less accessible and adequately protected. However, keep in mind that significant risks remain related to permitting unauthorized individuals access to PHI.

  • Determine if health care providers and hospital staff should be prohibited from playing: Reevaluate your social media and bring-your-own-device policies to determine if augmented reality games such as Pokémon Go need to be specifically addressed. The player base of Pokémon Go appears to be growing exponentially, and it is highly unlikely that facilities’ employees are not among those playing or considering playing. While taking photographs is often prohibited in hospital settings, make sure the policy is clear that the prohibition applies to photos in the augmented reality space. Take the opportunity to clarify and reiterate acceptable social media practices. Also, if your hospital is creating “Pokémon Zones,” stress to health care providers and staff that this applies to them as well.

While Pokémon Go took over the scene almost literally overnight, this is just a glimpse of what the future holds. As augmented reality mobile applications and games become even more popular, and more immersive, these issues are bound to come up again and reinvent themselves in the form of new challenges. Now is the time to determine your organization’s policy on augmented reality and revisit social media and BYOD policies. Pokémon Go may or may not be here to stay – but it is definitely not one of a kind.

©2016 Drinker Biddle & Reath LLP. All Rights Reserved

Pokémon GO – Next Stop: Regulation & Litigation

As everyone is aware, the Pokémon GO craze has taken the world by storm in the past month. Reports estimate there have been over 75 million downloads of the digital game since the program became available on July 6. Apple has not issued any concrete numbers, but has confirmed that it was the most downloaded app ever in its first week of availability.

When the game was first offered, users were required to grant permission not only to use a player’s smartphone camera and location data but also to gain full access to the user’s Google accounts – including email, calendars, photos, stored documents and any other data associated with the login. The game’s creator, Niantic, responded to a public outcry – including a letter from Minnesota Senator Al Franken – stating that the expansive permission requests were “erroneous” and that Pokémon GO did not use anything from players’ accounts other than basic Google profile information. The company has since issued a fix to reduce access only to users’ basic Google account profile information.

As is often the case, remarkable success naturally attracts critics who take aim. In a letter dated July 22, 2016, the Electronic Privacy Information Center (EPIC) wrote to the Federal Trade Commission (FTC) requesting government oversight on Niantic’s data collection practices. EPIC is a non-profit public interest research center in Washington, D.C., focusing public attention on privacy and civil liberties issues.

Niantic’s Privacy Policy

EPIC’s letter highlighted a number of alleged issues with Niantic’s privacy policy:

  • Niantic does not explain the scope of information gathered from Google profiles or why this is necessary to the function of the Pokémon GO app.

  • Niantic collects users’ precise location information through “cell/mobile tower triangulation, wifi triangulation, and/or GPS.” The Company’s Privacy Policy states Niantic will “store” location information and “some of that location information, along with your … user name, may be shared through the App.” The Privacy Policy does not indicate any limitations on how long Niantic will retain location data or explain how indefinite retention of location data is necessary to the functionality of the Pokémon GO app.

  • With Pokémon GO, Niantic has access to users’ mobile device camera. The Terms of Service for Pokémon GO grant Niantic a “nonexclusive, perpetual, irrevocable, transferable, sublicensable, worldwide, royalty-free license” to “User Content.” The Terms do not define “User Content” or specify whether this includes photos taken through the in-app camera function.

  • The Pokémon GO Privacy Policy grants Niantic wide latitude to disclose user data to “third-party service providers,” “third parties,” and “to government or law enforcement officials or private parties as [Niantic], in [its] sole discretion, believe necessary or appropriate.” Niantic also deems user data, including personally identifiable information, to be a “business asset” that it can transfer to a third party in the event the company is sold. This issue has been identified as a particular concern to another non-profit organization – Common Sense Media, an independent non-profit organization focusing on children and technology. According to Common Sense Media, location information and history of children should not be considered a “business asset.”

EPIC’s Request to the FTC

Based on the issues highlighted above, EPIC requested that the FTC use its authority to regulate unfair competition under the Federal Trade Commission Act (15 U.S.C. § 45) to prohibit practices by Niantic and other similar apps that fail to conform with FTC’s Fair Information Practices and the principles set forth in The White House 2012 report, “Consumer Data Privacy In A Networked World.”

According to EPIC, Niantic’s unlimited collection and indefinite retention of detailed location data violates 15 U.S.C. § 45(n) because it is “likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”

EPIC also contends that the unlimited collection and indefinite retention of detailed location data violate the data minimization requirements under the Children’s Online Privacy Protection Act (COPPA), which requires providers to “retain personal information collected online from a child for only as long as is reasonably necessary to fulfill the purpose for which the information was collected.” 16 C.F.R. § 312.10.

Private Lawsuit Filed Against Niantic

Subsequently, a Pokémon GO user has filed suit in Florida State Court alleging that the terms of service and privacy policy are deceptive and unfair, which violates the Florida Deceptive and Unfair Trade Practices Act. Beckman v. Niantic Inc., case number 50-2016-CA-008330, Fifteenth Judicial Circuit for Palm Beach County, Florida.

Practice Pointer

The issue of consumer privacy continues to garner significant attention. Whether you are an app developer or any other company that collects and retains personal information, it is time to review your applicable policies and take appropriate steps to ensure that your company is not the subject of government agency inquiry, litigation, or a data breach.

For employers whose employees may be bumping into each other in the hallway while playing the game, consideration should be given to banning or otherwise regulating employee involvement. Certainly a drop in productivity is a concern. However, even if accessing the game during work time is barred, employers should be concerned about the potential compromise to proprietary and confidential information that could occur as the result of data breaches or through counterfeit games that are designed to allow hackers access to your protected information.

Jackson Lewis P.C. © 2016

EU-US Privacy Shield to Launch August 1, Replacing Safe Harbor

I. Introduction: Privacy Shield to Go Live August 1 (at Last)

The replacement for Safe Harbor is finally in effect, over nine months after Safe Harbor was struck down by the Court of Justice of the EU in the Schrems case. As most readers will be aware, Privacy Shield provides an important legal mechanism for transferring personal information from the EU to the US. The Department of Commerce (Commerce) has promised to launch a Privacy Shield website on August 1, 2016 that will allow companies to certify compliance with Privacy Shield.

The Privacy Shield documents are comprised of a 44-page “Adequacy Decision” and 104 pages of “Annexes” that contain key information concerning Privacy Shield’s standards and enforcement mechanisms. Companies that are considering certifying under Privacy Shield should review the entire Adequacy Decision and its Annexes, as well as the promised FAQs and other documents that the Department of Commerce will provide on the new Privacy Shield website. A good starting point for companies is Annex II, which contains the essential Privacy Shield “Principles” and a set of “Supplemental Principles” that clarify certain points and provide useful examples for putting Privacy Shield into practice.

Our summary aims to highlight key points and provide a basic roadmap as companies start to get to grips with the new Privacy Shield requirements.

II. Privacy Shield Principles

The Principles set out in Privacy Shield will be largely familiar to companies that had certified under Safe Harbor, but Privacy Shield contains a lot more detail and occasionally demands more stringent standards and actions than Safe Harbor.

1. Notice. Notice must be provided as soon as possible to the individual – preferably at the time the individual is asked to provide personal information. Notice must be given in “clear and conspicuous language.” The company must tell the individual that it participates in Privacy Shield, and must link to the Privacy Shield list that will be published on the Web by Commerce. The company must tell individuals what types of personal information are being collected, for what purposes, and with whom it may be shared. Individuals must be told how to make complaints to the company and its options for resolving disputes (which the company must select from a menu of limited alternatives, as discussed further below). The company must inform the individual of the company’s obligation to disclose personal information in response to lawful requests by public authorities, including for national security or law enforcement. A new requirement calls for the company to describe its liability with regard to transfers of the personal information to third parties (also discussed further below).

2. Choice. Choice comes into play primarily when the data controller wants to disclose personal information to a third party (other than agents under a contract) or use it for a purpose that is materially different than the purpose for which it was collected (which would have been communicated to the individual under the Notice principle). In many instances, consent can be obtained on an opt-out basis, provided that the new use or transfer has been disclosed clearly and conspicuously, and the individual is given a “readily available” means to exercise her choice. Critically, however, the transfer and processing of “sensitive” information requires the affirmative express consent of the individual, subject to a short list of exceptions described in the Supplemental Principles. An opt-out is not sufficient for sensitive information, which includes medical/health, race/ethnicity, political opinions, religious or philosophical beliefs, trade union membership, and information about sexuality. (As before, financial information is not considered sensitive, but companies should recall that risk-based security measures still need to be taken even if opt-out consent is used.)

3. Accountability for Onward Transfer. This Principle contains some key differences from Safe Harbor and should be carefully reviewed by companies looking at Privacy Shield. Privacy Shield has tightened up the requirements for transferring personal information to a third party who acts as a data controller. It is not possible simply to rely on the transferee being Privacy Shield-certified. The transferor company must enter into a contract with the transferee company that specifies that the information will only be processed for “limited and specified purposes consistent with the consent provided by the individual” and that the transferee will comply with the Principles across the board. If the transferee is acting as the transferor’s agent (i.e., as a “data processor” in EU terminology) then the transferor must also take “reasonable and appropriate steps” to ensure that the transferee is processing the personal information consistently with the Principles. In all cases, the transferee must agree to notify the transferor if the transferee can no longer meet its privacy obligations. Commerce can request a summary or copy of the privacy provisions of a company’s contracts with its agents.

4. Security. The standard for data security is “reasonable and appropriate measures” to protect personal data from being compromised, taking into account the nature of the personal information that is being stored. It’s strongly implied that companies need to perform a risk assessment in order to determine precisely what measures would be reasonable and appropriate. The risk assessment and security measures should be documented in the event of an investigation or audit, and for purposes of the required annual internal review.

5. Data Integrity and Purpose Limitation. Indiscriminate collection of personal information is not permitted under Privacy Shield. Instead, personal information should be gathered for particular purposes, and only information that is relevant to those purposes can be collected. It’s not always possible to anticipate every purpose for which certain personal information might be used, so Privacy Shield allows use for additional purposes that are “not incompatible with the purpose for which it has been collected or subsequently authorized by the individual.” The benchmark for compatible processing is “the expectations of a reasonable person given the context of the collection.” Generally speaking, processing personal information for common business risk-mitigation reasons, such as anti-fraud and security purposes, will be compatible with the original purpose. Personal information cannot be retained for longer than it is needed to perform the processing that is permitted under this Principle. Additionally, companies have an affirmative obligation to take “reasonable steps” to ensure that the personal information they collect and store is “reliable for its intended use, accurate, complete, and current.” These requirements imply that periodic data cleaning may be necessary for uses that extend over a significant period of time.

6. Access. Individuals have the right to know what personal information a company holds concerning them, and to have the information corrected if it is inaccurate, or deleted if it has been processed in violation of the Privacy Shield Principles. There are a couple of exceptions: If the expense of providing access is disproportionate to the risks to the individual’s privacy, or if another person’s rights would be violated by giving access, then a company can decline. Companies should use this option sparingly and document their reasons for refusing any access requests.

7. Recourse, Enforcement & Liability. One of the EU Commission’s main objectives in negotiating Privacy Shield was to ensure that the program had sharper teeth than Safe Harbor. Privacy Shield features more proactive enforcement by Commerce and the FTC, and aggrieved individuals who feel their complaints haven’t been satisfactorily resolved can bring the weight of their local DPA and Commerce to bear on the offending company. We describe the recourse, enforcement and liability requirements below in a separate section.

III. Privacy Shield Supplemental Principles

The Supplemental Principles in Annex 2 elaborate on some of the basic Principles (summarized above) and, in some cases, qualify companies’ obligations. The summary below highlights some significant points – but again, companies should read the Supplemental Principles in full to appreciate some of the nuances of the Privacy Shield requirements.

1. Sensitive Personal Data. This section sets out some exceptions to the affirmative opt-in consent requirement that mirror the exceptions in the EU Data Protection Directive.

2. Journalistic Exceptions. Privacy Shield acknowledges the significance of the First Amendment in US law. Personal information that is gathered for journalistic purposes, including from published media sources, is not subject to Privacy Shield’s requirements.

3. Secondary Liability (of ISPs, etc.) Companies acting as mere conduits of personal information, such as ISPs and telecoms providers, are not required to comply with Privacy Shield with regard to the data that travels over their networks.

4. Due Diligence and Audits. Companies performing due diligence and audits are not required to notify individuals whose personal information is processed incidental to the diligence exercise or audit. Security requirements and purpose limitations would still apply.

5. Role of the Data Protection Authorities. The Supplemental Principles describe the role of the DPA panels and the DPAs generally in greater detail. As discussed above, companies processing their own human resources information will be required to cooperate directly with the DPAs, and the Supplemental Principles seem to imply that cooperation includes designating the DPA Panels as those companies’ independent recourse mechanism. In addition to the fees attendant on this choice (capped at $500/year), companies will have to pay translation costs relating to any complaints against them.

6. Self-certification. This section outlines what the self-certification process should look like when the Privacy Shield enrollment website launches. It also contains information about what will happen when a Privacy Shield participant decides to leave the program.

7. Verification. Privacy Shield-certified companies must back up their claims with documentation. We discuss this further in the section below on enforcement.

8. Access. This section describes access requirements in more detail and also gives some guidance as to when access requests can be refused.

9. Human Resources Data. Companies planning to use Privacy Shield for the transfer of EU human resources data will want to review this section carefully. Privacy Shield does not replace or relieve companies from EU employment law obligations. Looking beyond the overseas transfer element, it’s critical to ensure that employee personal information has been collected and is processed in full compliance with applicable EU laws concerning employees.

10. Contracts for Onward Transfers. US companies are sometimes unaware that all EU data controllers are required to have data processing contracts in place with any data processor, regardless of the processor’s location. Participation in Privacy Shield, by itself, is not enough. If a Privacy Shield-certified data controller wants to transfer the EU-origin personal information to another data controller, it can do so under a contract that requires the transferee to provide the same level of protection as Privacy Shield, except that the transferee can designate an independent recourse mechanism that is not one of the Privacy Shield-specific mechanisms. Companies will need to review their existing and new contracts carefully.

11. Dispute Resolution and Enforcement. We discuss this separately below.

12. Choice – Timing of Opt Out (Direct Marketing). This section focuses on opt-out consent for direct marketing. Companies should provide opt-out choices on all direct marketing communications. The guidance states that “an organization may use information for certain direct marketing purposes when it is impracticable to provide the individual with an opportunity to opt out before using the information, if the organization promptly gives the individual such opportunity at the same time (and upon request at any time) to decline (at no cost to the individual) to receive any further direct marketing communications and the organization complies with the individual’s wishes.” However, companies should keep in mind that the European standard for impracticability here may be tougher than we would expect in the US. In particular, US companies should consider EU requirements for direct marketing via e-mail or text, which typically require advance consent unless the marketing is to an existing customer and is for goods or services that are similar to the ones previously purchased by the customer.

13. Travel Information. Common sense prevails with regard to travel data – when travel arrangements are being made for an EU employee or customer, the data transfer can take place outside of the Privacy Shield requirements if the customer has given “unambiguous consent” or if the transfer is necessary to fulfill contractual obligations to the customer (including the terms of frequent flyer programs).

14. Pharmaceutical and Medical Products. Pharma companies will want to review the fairly lengthy discussion of how Privacy Shield applies to clinical studies, regulatory compliance, adverse event monitoring and reporting, and other issues specific to the pharma industry. Privacy Shield is broadly helpful – and in some respects clearer than the pending GDPR.

15. Public Record and Publicly Available Information. Some, but not all, of the Principles apply to information obtained from public records or other public sources, subject to various caveats that make this section important to read in full.

16. Access Requests by Public Authorities. Privacy Shield companies have the option of publishing statistics concerning requests by US public authorities for access to EU personal information. However, publishing such statistics is not mandatory.

III. Recourse, Enforcement and Liability

A significant change in Privacy Shield from Safe Harbor is the addition of specific mechanisms for recourse and dispute resolution. One of the major perceived failings of Safe Harbor was that EEA citizens had no reasonable means to obtain relief or even to lodge a complaint. In order to satisfactorily self-certify, US companies will need to put processes in place to handle complaints.

Under Privacy Shield, at a minimum, such recourse mechanisms must include:

1. Independent Investigation and Resolution of Complaints: Readily available independent recourse mechanisms by which each individual’s complaints and disputes are investigated and expeditiously resolved at no cost to the individual … and damages awarded where the applicable law or private-sector initiatives provide;

2. Verification that You Do What You Say: Follow-up procedures for verifying that the attestations and assertions organizations make about their privacy practices are true and that privacy practices have been implemented as presented, and in particular, with regard to cases of non-compliance; and

3. You Must Fix the Problems: Obligations to remedy problems arising out of failure to comply with the Principles by organizations announcing their adherence to them and consequences for such organizations. Sanctions must be sufficiently rigorous to ensure compliance by organizations.

Prompt response to complaints is required and if a company uses an EU Data Protection Authority as a third party recourse mechanism and fails to comply with its advice within 25 days, the DPA may refer the matter to the FTC and the FTC has agreed to give priority consideration to all referrals of non-compliance from EU DPAs.

The verification requirement is more robust than under Safe Harbor. Companies may choose to either self-assess such verification or engage outside compliance reviews. Self-assessment includes certifying that its policies comply with the Principles and that it has procedures in place for training, disciplining misconduct and responding to complaints. Both outside compliance reviews and self-assessment must be conducted once a year.

Privacy Shield certifying organizations have responsibility for onward transfers and retain liability under the Principles if their third party processor violates the Principles, with some exceptions. Third party vendor management and contractual requirements for compliance with the Principles will be important components to manage the risk.

Dispute Resolution

There is ample ground for operational confusion under Privacy Shield, but none more so than with respect to dispute resolution. There are multiple methods available to data subjects (individuals) to lodge complaints, and companies subscribing to Privacy Shield must be prepared to respond through any of those. When companies certify under Privacy Shield, they need to choose an independent enforcement and dispute resolution mechanism. The choices are either:

  • Data Protection Authority Panels
  • Independent Recourse Mechanism

a. Individuals. Individual data subjects may raise any concerns or complaints to the company itself, which is obligated to respond within 45 days. Individuals also have the option of working through their local DPA, which may in turn contact the company and/or the Department of Commerce to resolve the dispute.

b. Independent Recourse. As discussed above, the Privacy Shield requires that entities provide an independent recourse mechanism, either a private sector alternative dispute resolution provider (such as the American Arbitration Association, BBB, or TRUSTe) or a panel of European DPAs. NOTE THAT THE DPA PANEL IS MANDATORY IF YOU ARE APPLYING TO PRIVACY SHIELD TO PROCESS/TRANSFER HR DATA. For disputes involving HR data that are not resolved internally by the company (or any applicable trade union grievance procedures) to the satisfaction of the employee, the company must direct the employee to the DPA in the jurisdiction where the employee works.

c. Binding Arbitration. A Privacy Shield Panel will be composed of one or three independent arbitrators admitted to practice law in the US, with expertise in US and EU privacy law. Appeal to the Panel is open to individuals who have raised complaints with the organization, used the independent recourse mechanism, and/or sought relief through their DPA, but whose complaint is still fully or partially unresolved. The Panel can only impose equitable relief, such as access or correction. Arbitrations should be concluded within 90 days. Further, both parties may seek judicial review of the arbitral decision under the US Federal Arbitration Act.

Enforcement

In addition to the above discussion on the multiple avenues available to data subjects for complaints, there are other expanded types of enforcement under Privacy Shield. A certifying organization’s compliance may be directly or indirectly monitored by the US Department of Commerce, the FTC (or Department of Transportation), EU DPAs, and private sector independent recourse mechanisms or other privacy self-regulatory bodies.

Privacy Shield brings an expanded role to the Department of Commerce for monitoring and supervising compliance. If you have been following Safe Harbor, one of the EU grounds for disapproval was the apparent lack of actual enforcement by US regulatory authorities against self-certifying organizations. The Department of Commerce has committed to a larger role and has greatly increased the size of the program staff.

Some of the new responsibilities of the Department of Commerce under Privacy Shield include:

  • Serving as a liaison between organizations and DPAs for Privacy Shield compliance issues;
  • Conducting searches for false claims by organizations that have never participated in the program and taking the aforementioned corrective action when such false claims are found;
  • Conducting ex officio investigations of those who withdraw from the program or fail to recertify to verify that such organizations are not making any false claims regarding their participation. In the event that it finds any false claims, it will first issue a warning, and then, if the matter is not resolved, refer the matter to the appropriate regulator for enforcement action;
  • Conducting periodic ex officio compliance reviews which will include sending questionnaires to participating organizations to identify issues that may warrant further follow up action. In particular, such reviews will take place when the Department has received complaints about the organization’s compliance, the organization does not respond satisfactorily to its inquiries and information requests, or there is “credible” evidence that the organization does not comply with its commitments. Organizations will be required to provide a copy of the privacy provisions in their service provider contracts upon request. The Department of Commerce will consult with the appropriate DPAs when necessary; and
  • Verifying self-certification requirements by evaluating, among other things, the organization’s privacy policy for the required elements and verifying the organization’s registration with a dispute resolution provider.

Private sector independent recourse mechanisms will have a duty to actively report organizations’ failures to comply with their rulings to the Department of Commerce. Upon receipt of such notification, the Department will remove the organization from the Privacy Shield List.

The above overview illustrates the complexity of Privacy Shield vs. Safe Harbor and the multiplication of authorities in charge of oversight, all of which is likely to result in greater regulatory scrutiny of and compliance costs for participating organizations. By way of contrast, when an organization relies on alternative transfer mechanisms such as the Standard Clauses, the regulatory oversight is performed by EU regulators against the EU company (as data exporter). Therefore, before settling on a transfer mechanism, organizations will want to consider the regulatory involvement and compliance costs associated with each option.

IV. Choosing Your Next Steps

Privacy Shield may not appeal to all US companies. Privacy Shield allows for a degree of flexibility in handling new data flows. However, that comes at the cost of fees, rigorous internal reviews and arguably much more onerous audits and enforcement than the two main alternatives, Binding Corporate Rules for intra-group transfers, and Standard Clauses for controller-to-controller or controller-to-processor transfers (regardless of corporate affiliation). Data transfers within corporate groups may be better addressed by Binding Corporate Rules that speak specifically to the groups’ global privacy practices – or even by the Standard Clauses, particularly for smaller corporations with only a few affiliates. Even outside corporate groups, the Standard Clauses may be adequate if the data flows are straightforward and unlikely to change much over time. An important point to note is that, in comparison to Safe Harbor, Privacy Shield requires more detailed company-to-company contracts when personal information is to be transferred – it’s no longer enough that both companies participate in the program. US companies should consider the potential operational benefits of Privacy Shield against its increased burdens.

It is important to consider timing. The Commerce Department Privacy Shield website will be “open for business” as of August 1. Lest you despair about the possibility of analyzing and updating those contracts that implicate the Accountability for Onward Transfer Principle in order to certify to Privacy Shield, Annex II has provided a bit of a “grace period” for what have been called early joiners.

The Privacy Principles apply immediately upon certification. Recognizing that the Principles will impact commercial relationships with third parties, organizations that certify to the Privacy Shield Framework in the first two months following the Framework’s effective date shall bring existing commercial relationships with third parties into conformity with the Accountability for Onward Transfer Principle as soon as possible, and in any event no later than nine months from the date upon which they certify to the Privacy Shield. During that interim period, where organizations transfer data to a third party, they shall (i) apply the Notice and Choice Principles, and (ii) where personal data is transferred to a third party acting as an agent, ascertain that the agent is obligated to provide at least the same level of protection as is required by the Principles.

If your company determines that Privacy Shield is the right choice, and you are diligent about the ground work required to accurately certify before that two-month window closes, you will be able to take advantage of the nine-month grace period to get those third party relationships into line.

Finally, US companies should stay alert to the legal challenges that the Standard Clauses are currently facing (again driven by concerns about mass surveillance), the possibility that EU regulators may start exacting further commitments when approving BCRs, and the very high likelihood that new legal challenges will be mounted against Privacy Shield shortly after it is implemented. Even if a company adopts Privacy Shield, or instead elects to stick with the Standard Clauses, it may want to get ready to switch if one or the other is struck down by the Court of Justice of the EU. Of course, if the Court of Justice strikes down both Privacy Shield and the Standard Clauses, it will be back to the drawing board for EU and US government negotiators.

Celebrities And Snapchat Feuds: Are Recording Phonecalls Legal?

As most people know, there has been an ongoing feud between Taylor Swift and Kanye West. Last night, more fuel was added to the fire when Kanye’s wife, Kim Kardashian, went to Snapchat and posted recordings of a conversation between Ms. Swift and Mr. West which purport to show that Taylor was aware of off-color lyrics in one of Mr. West’s songs, and gave her blessing to include them before the album was released. To date, Taylor denies giving such approval. Taylor went to her Instagram account soon after, writing: “That moment when Kanye West secretly records your phone call.”

Besides the tabloid juiciness of the story, there is an interesting and very serious issue regarding the legality of the recordings. In many states it is illegal to record a telephone conversation without the consent of both parties participating in the telephone conversation. California, where it is believed Mr. West and Ms. Kardashian reside, is one of these “two-party consent states.” In fact, California has some of the strictest laws when it comes to secretly recording telephone conversations. California provides criminal penalties for not gaining consent from all parties, and additional penalties for disseminating or publishing a recording. In addition, California allows for civil remedies for recording a communication without prior consent.

One of the biggest issues is which state Mr. West and Ms. Kardashian were located in when they made the recording. For example, New Jersey is a “one-party consent” state. The New Jersey Wiretapping and Electronic Surveillance Control Act, N.J.S.A. 2A:156A-3, permits a party who is participating in the conversation to record the conversation. In my practice as a matrimonial attorney in New Jersey, the issue of recording telephone communications is very common, as estranged spouses often want to record communications of abuse and/or misconduct on the part of the spouse. In those cases, a spouse who is participating in a conversation with their spouse is legally permitted to record said conversation.

That all being said, even if Mr. West was lucky enough to have initiated the telephone call from a “one-party consent” state, such as New Jersey, Ms. Kardashian may still not be in the clear. New Jersey law is clear in that the party recording the communication must be a party to a communication; in other words, they must participate in the conversation. In the recordings posted by Ms. Kardashian, it does not appear that she participated in the conversation and therefore was not a party to the conversation, making her recording illegal.

At this time, it is too soon to know what if any civil and/or criminal ramifications Mr. West and Ms. Kardashian might face, but I am sure we will all keep a close eye as the drama unfolds.

ARTICLE BY Kevin A. Falkenstein of Stark & Stark
COPYRIGHT © 2016, STARK & STARK

Will Brexit Undermine U.K. Participation in the General Data Protection Regulation and the U.S./E.U. Privacy Shield?

The June 23, 2016 Brexit referendum outcome in the U.K. does create uncertainty about whether the U.K. will continue to follow EU data protection laws, including implementation of the E.U.’s new General Data Protection Regulation (“GDPR”), scheduled to become effective on May 25, 2018. Furthermore, the recently negotiated new U.S./E.U. Privacy Shield, intended to replace the E.U.-invalidated Safe Harbor, faces an uncertain future in the U.K. as well if it is not an available framework for multinational businesses to do business in the U.K. For example, Microsoft stated in an open letter in May, 2016 to its 5000 U.K. employees before the Brexit vote that the U.K.’s EU membership was one of the factors that attracted Microsoft to make investments in the U.K., including in a new data center. One important future signal will be whether the U.K. opts to join the European Economic Area, or otherwise maintains significant trade with the EU, in which case the U.K. would necessarily need to comply with EU privacy regulations. If not, the U.K. would still need to develop its own data protection network. However, because at least two years must elapse before the U.K. can formally exit the EU under Article 50 of the Treaty of Lisbon, and even that two year period does not commence until formal notice is given, both the GDPR (in May 2018) and the Privacy Shield are likely to be in place in the U.K. before any actual exit from the EU occurs. And many observers believe that any law that Britain adopts will likely be similar to the GDPR, since a non-member country’s data protection regime must be deemed “adequate” by the EU for businesses in that non-member country to exchange data and to do business within the EU. In short, nothing is going to change immediately, and because Brexit won’t likely be completed for years, the Privacy Shield could well be implemented in the U.K. for personal data transfers from the U.K. to the U.S. well before actual withdrawal is completed. It also may take years to negotiate and complete agreements, and to enact alternative U.K. data privacy laws.

See our previous post regarding the text of the U.S./EU Privacy Shield

Article by Douglas Bonner of Womble Carlyle Sandridge & Rice

Copyright © 2016 Womble Carlyle Sandridge & Rice, PLLC. All Rights Reserved.

Fiduciary Risk in Data Privacy and Cybersecurity? You Bet!

Health plan administrators are (or certainly should be) well-versed in their obligations under the Health Insurance Portability and Accountability Act (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH). Failure to secure protected health information (PHI) from disclosure can result in civil monetary penalties of up to $1.5 million and potential criminal penalties of up to 10 years’ imprisonment. Penalties of this size have the tendency to get people’s attention. But, if you are a retirement plan fiduciary or administrator (which likely includes officers and other senior-level executives at a company), are you aware of your obligations to protect sensitive data and other personal information in your control and the control of your vendors?

Retirement plans store extensive personal data on each participant and beneficiary. This data ranges from Social Security numbers and addresses to dates of birth, bank account and financial information, and other records and is stored physically and in electronic forms for years, if not decades. The term often used for this type of information is “personal identifiable information” (PII). While stored, numerous human resources and benefits department personnel, participants, beneficiaries, recordkeepers, trustees, consultants, and other vendors have access to some or all of this highly sensitive information. The extensive trove of PII presents an attractive, and often undersecured and easily exploitable, opportunity for criminals intent on stealing identities or on the outright theft of plan assets and benefit payments.

Federal laws similar to HIPAA but applicable to retirement plans have not (yet) been enacted. However, this does not mean that retirement plan fiduciaries and administrators are off the hook. Under the Employee Retirement Income Security Act of 1974 (ERISA), as amended, a fiduciary is required to discharge his or her duties solely in the interests of plan participants and beneficiaries, and, in doing so, must adhere to a standard of care frequently described as the “prudent expert” standard. Under this standard, it is not difficult to conclude that a retirement plan fiduciary who does not take certain precautions with regard to the protection of PII may be in breach of his or her fiduciary duty. And, although a breach of an ERISA fiduciary duty does not trigger clear statutory penalties like those applicable under HIPAA and HITECH, under ERISA, fiduciaries are personally liable for their fiduciary breaches.

So, what precautions should retirement plan fiduciaries take to help ensure that they have fulfilled their fiduciary duties with respect to data privacy and cybersecurity? What should a fiduciary do in the event of a data privacy or cybersecurity breach? Presently, 47 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted some form of breach notification law, and it is unsettled whether these breach notification laws are preempted by ERISA.

Copyright © 2016 by Morgan, Lewis & Bockius LLP. All Rights Reserved.

Announcement of “Privacy Shield” Gives Hope for U.S. Companies Who Previously Relied on Safe Harbor

We have previously discussed the EU Court of Justice’s invalidation of the long-standing Safe Harbor program, previously relied on by many organizations as a means of authorizing transfers of EU citizens’ private data to the United States. U.S. companies eagerly awaited news of a replacement for Safe Harbor and kept a close watch as the January 31, 2016, grace period on enforcement announced by the EU Article 29 Working Party expired. News of a new framework broke in early February and the European Commission released extensive documentation revealing the details of Safe Harbor’s proposed replacement – the EU-U.S. Privacy Shield program (Privacy Shield) – on February 29, 2016.

Privacy Shield encompasses seven principles for assuring adequate protection when transferring and processing personal data originating in the European Union. Similar to Safe Harbor, organizations can self-certify their compliance with these principles, provided they (1) commit to the U.S. Department of Commerce that they will adhere to the Privacy Shield Principles, (2) publicly declare their commitment to the Privacy Shield Principles, and (3) actually implement the Principles. Once compliance is certified, organizations may seek inclusion on the Department of Commerce’s list of certified organizations, effectively authorizing them to transfer the personal data of EU residents to the United States.

Privacy Shield Principles

  1. Notice. Privacy Shield requires organizations to provide notice regarding the type of data collected, the purposes for which it is collected, any third parties to which the data may be transferred, individuals’ right to access their data, and how individuals can limit use and disclosure of personal data. The organization also must provide notice of its participation in Privacy Shield, acknowledge applicable enforcement authorities and describe recourse mechanisms available.

  2. Choice. Organizations must provide clear, conspicuous and readily available mechanisms allowing individuals to opt out of any disclosure of their personal data to third parties, or use of their personal data other than the purpose(s) for which it was initially collected or subsequently authorized by the individual. Certain sensitive information will require individuals to opt in affirmatively.

  3. Security. As under Safe Harbor, participating organizations must take “reasonable and appropriate measures,” based on the risks involved and the nature of the personal data, to protect the data “from loss, misuse and unauthorized access, disclosure, alteration and destruction.”

  4. Access. Privacy Shield–certified organizations must provide individuals with access to and the opportunity to correct, amend or delete inaccurate or improperly processed personal data. Individuals also must be allowed to confirm that their personal data is being processed. An organization may restrict access to data “in exceptional circumstances.”

  5. Data Integrity and Purpose Limitation. Privacy Shield requires not only that any data collected be “relevant for the purposes of processing” but also that organizations limit collection to relevant data only. Participating organizations also must “take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current.”

  6. Accountability for Onward Transfer. Certified organizations’ contracts with third parties receiving personal data must require that such data “may only be processed for limited and specified purposes” consistent with the level of consent given by the data subject. Third-party transferees also must agree to “provide the same level of protection as the [Principles].” Certified organizations also must “take reasonable and appropriate steps” to ensure third-party agents adhere to the Principles, and are required to stop and remediate any unauthorized processing by third parties, if necessary. Importantly, with limited exceptions, certified organizations remain liable to data subjects for any vendor’s violation of the Principles.

  7. Recourse, Enforcement and Liability. Perhaps Privacy Shield’s most significant new features are its recourse and dispute resolution provisions. Complaint-handling processes must be implemented to obtain Privacy Shield certification. To ensure effective enforcement, Privacy Shield requires (1) procedures for verifying representations made about privacy practices, (2) recourse for data subjects and (3) remedies for failures to comply with the Principles. These newly required “independent recourse mechanisms” are empowered to provide remedies separate from regulators’ enforcement authority.

Legal Safeguards

Because the extent of U.S. government surveillance of personal data was a primary reason why the Safe Harbor program was invalidated, in support of Privacy Shield the U.S. Office of the Director of National Intelligence and the U.S. Department of Justice have furnished letters outlining the legal safeguards that will limit U.S. government access to personal data transferred pursuant to Privacy Shield. In addition, the U.S. Secretary of State is set to appoint a Privacy Shield Ombudsperson, who will be responsible for handling European complaints regarding whether personal data transferred under Privacy Shield has been accessed by U.S. intelligence activities.

In addition, the Judicial Redress Act of 2015, signed into law on February 24, 2016, allows EU citizens to bring civil actions against U.S. government agencies under the Privacy Act of 1974 to access, amend or correct records about them or seek redress for the unlawful disclosure of those records.

Certification and Compliance

Privacy Shield is expected to be approved by the European Commission later this year and published in the Federal Register shortly thereafter. Organizations that self-certify within the first two months following publication will be given nine months to bring all third-party relationships into compliance. Two months after the effective date, the Principles become binding on an organization immediately upon certification. Privacy Shield will thereafter undergo annual joint reviews by EU and U.S. authorities.

All organizations that intend to become Privacy Shield certified are strongly encouraged to immediately begin updating their policies to meet Privacy Shield’s heightened obligations, including reviewing their third-party agreements to ensure compliance.

© 2016 Wilson Elser