Category: Privacy Law

Are UK-to-US employee data transfers sunk by ECJ’s torpedoing of Safe Harbor regime?

So there it is – in a tremendous boost for transatlantic relations, the European Court of Justice has decided that America is not to be trusted with the personal data of EU residents.  That is not exactly the way the decision is phrased, of course, which (so far as relevant to UK HR) is more like this:

Under the Eighth Principle of the UK’s Data Protection Act (and all or most of its EU cousins) the personal data of your employees can be transferred outside the EU only where the recipient country ensures an adequate level of protection for the rights and freedoms of data subject.

Until now an EU employer has been able to rely in this respect on a US company’s registration with the Safe Harbor (sic) scheme, a series of commitments designed to replicate the safeguards of EU law for that data.  As of this week, however, that reliance has been deemed misplaced – the ability and tendency of the US security agencies to access personal data held by US employers has been found to compromise those commitments beyond immediate repair.  In addition, one of the EU “model clauses” which can legitimise international data transfers requires the US recipient to confirm that it is aware of no legislation which could compel it to disclose that personal data to third parties without the employee’s consent.  New US laws enacted to boost homeland security mean that this can simply no longer be said.  Therefore Safe Harbor has been comprehensively blown up and can no longer be used as automatic air-cover for employee data transfers to the US.

This creates two immediate questions for HR in the UK.  First, what exposure do we have for past data transfers to the US on a basis which is now shown to be illegitimate?  Second, what do we do about such transfers starting now?

  • Don’t panic! To make any meaningful challenge out of this issue, the UK employee would need to show some loss or damage arising out of that transfer.  In other words, even if the data has been used in the US as the basis for a negative decision about him (dismissal or demotion or no bonus), the employee would need to show that that decision would have been more favourable to him if it had been taken by the same people based on the same data but physically within the EU.  Clearly a pretty tough gig.

Second, all this case does is remove the presumption that Safe Harbor registrants are safe destinations – it does not prove that they are not, either now or historically.  The question of adequacy of protection is assessed by reference to all the circumstances of the case, including the nature of the personal data sent, why it is sent to the US and what relevant codes of conduct and legislative protections exist there.

Last, Schedule 4 of the DPA disapplies the Eighth Principle where the data subject (the employee) has given his consent to the international transfer, or where the transfer is necessary for the entering or performance of the employment contract between the employee and the UK employer.  It will rarely be the case that neither of these exceptions applies.

If you have not previously had complaints from your UK employees that their personal data has been misused/lost/damaged in the US, nothing in this decision makes that particularly likely now.

  • Still don’t panic.

  • However, do be aware that this case is likely to lead to stricter precautions being required to ensure that what is sent to the US is genuinely only the bare minimum.

  • On its face, Schedule 4 should allow most reasonable international transfers of employee data anyway, pretty much regardless of what level of protection is offered in the destination country. However, there is a strong body of opinion, especially in Continental Europe, that reliance on this provision alone is unsafe and that it is still appropriate for the EU employer to take specific steps (most usually, some form of data export agreement with its US parent) to satisfy itself that a reasonable level of protection for that data exists. It may also wish to be seen to reconsider how far those HR decisions need to be made in the US at all, and whether EU employee data could be kept on an EU-based server if that is not currently the case.

  • To the extent that employment contracts do not already include it, amend them to include an express consent to the transfer of relevant personal data to the US (but do note another possible avenue of attack much mulled-over in Europe, i.e. that consent in an employment contract is not freely given because the job hangs upon it). Last, be seen to prune the UK employee data you do hold in the US back to what is strictly necessary and get rid of stuff which is no longer (if it ever was) relevant to the performance of the employment contract.

Article By David Whincup of Squire Patton Boggs (US) LLP

© Copyright 2015 Squire Patton Boggs (US) LLP

ECJ Rules EU-US Safe Harbor Programme Is Invalid

The powers of EU data protection authorities are significantly strengthened by the decision, allowing them to suspend some or all personal data flows into the United States in certain circumstances.

In Maximillian Schrems v. Data Protection Commissioner (case C-362/14), the European Court of Justice (ECJ) has ruled[1] that the European Commission decision approving the Safe Harbor programme is invalid. Further, the ECJ ruled that EU data protection authorities do have powers to investigate complaints about the transfer of personal data outside Europe (whether by Safe Harbor-certified organisations or otherwise, but excluding countries deemed as having “adequate” data protection laws according to the EU). Finally, the ECJ ruled that data protection authorities can, where justified, suspend data transfers outside Europe until their investigations are completed.

Safe Harbor Programme

According to the European Commission, the United States is a country with “inadequate” data protection laws. The European Commission and the US Department of Commerce, therefore, agreed in 2000 to a self-certification programme for US organisations that receive personal data from Europe. Pursuant to the self-certification programme, a US organisation receiving personal data from Europe must certify that it adhered to certain standards of data processing comparable with EU data protection laws such that the EU citizens’ personal data was treated as adequately as if their personal data had remained in Europe. The Safe Harbor programme is operated by the US Department of Commerce and enforced by the Federal Trade Commission. Over 4,000 organisations have current self-certifications of adherence to Safe Harbor principles.[2]

The Schrems Case

Mr. Schrems complained in Irish legal proceedings that the Irish Data Protection Commissioner refused to investigate his complaint that the Safe Harbor programme failed to protect adequately personal data after its transfer to the US in light of revelations about the National Security Agency’s (NSA’s) PRISM programme. The question of whether EU data protection authorities have the power to investigate complaints about the Safe Harbor programme was referred to the ECJ. Yves Bot, Advocate General at the ECJ, said in an opinion released on 23 September 2015 that the Safe Harbor programme  does not currently do enough to protect EU citizens’ personal data because such data was transferred to US authorities in the course of “mass and indiscriminate surveillance and interception of such data” from Safe Harbor-certified organisations. Mr. Bot was of the opinion that the Irish Data Protection Commissioner, therefore, had the power to investigate complaints about Safe Harbor-certified organisations and, if there were “exceptional circumstances in which the suspension of specific data flows should be justified”, to suspend the data transfers pending the outcome of its investigation.

The ECJ followed Mr. Bot’s opinion and, further, declared that the European Commission’s decision to approve the Safe Harbor programme in 2000 was “invalid” on the basis that US laws fail to protect personal data transferred to US state authorities pursuant to derogations of “national security, public law or law enforcement requirements”. Furthermore, EU citizens do not have adequate rights of redress when their personal data protection rights are breached by US authorities.

The EU-US Data Protection Umbrella Agreement

In the last two years, the European Commission and various data protection working parties have discussed ways to improve the Safe Harbor programme and strengthen rights for EU citizens in cases where their personal data is transferred to the United States. Recently, the United States and European Union finalised a data protection umbrella agreement to provide minimum privacy protections for personal data transferred between EU and US authorities for law enforcement purposes. The umbrella agreement will provide certain protections to ensure that personal data is protected when exchanged between police and criminal justice authorities of the United States and the European Union. The umbrella agreement, however, does not apply to personal data shared with national security agencies.

The umbrella agreement also provides that EU citizens will have the right to seek judicial redress before US courts where US authorities deny access or rectification or unlawfully disclose their personal data. Currently, US citizens have the right to seek judicial redress in the European Union if their data—transferred for law enforcement purposes—is misused by EU law enforcement authorities. EU citizens, however, do not have corresponding rights of redress in the United States. A judicial redress bill has been introduced in the US House of Representatives; adoption of the bill would allow the United States and European Union to finalise the umbrella agreement.

Key Findings of the ECJ Decision

The key findings of the ECJ decision are as follows (quotes indicate excerpts from the ruling itself):

“The guarantee of independence of national supervisory authorities is intended to ensure the effectiveness and reliability of the monitoring of compliance with the provisions concerning protection of individuals”.

The powers of supervisory authorities include “effective powers of intervention, such as that of imposing a temporary or definitive ban on processing of data, and the power to engage in legal proceedings”.

The Safe Harbor programme “cannot prevent persons whose personal data has been or could be transferred to a third country from lodging with the national supervisory authorities a claim. . .concerning the protection of their rights and freedoms”.

National courts can consider the validity of the Safe Harbor programme, but only the ECJ can declare that it is invalid.

Where the national data protection authorities find that complaints regarding the protection of personal data by Safe Harbor-certified companies are well-founded, they “must. . .be able to engage in legal proceedings”.

Organisations self-certified under the Safe Harbor programme are permitted to “disregard” the Safe Harbor principles to comply with US national security, public interest, or law enforcement requirements.

There is no provision in the Safe Harbor programme for protection for EU citizens against US authorities who gain access to their personal data transferred to the United States pursuant to the Safe Harbor programme. There is only a provision for commercial dispute resolution.

The EU Data Protection Directive[3] “requires derogations and limitations in relation to the protection of personal data to apply only in so far as is strictly necessary”, but there is no such requirement applicable in the United States following the transfer of personal data pursuant to the Safe Harbor programme.

The Safe Harbor programme “fails to comply with the requirements” to protect personal data to the “adequate” standard required by the EU Data Protection Directive and is “accordingly invalid”.

Other Options to Transfer Personal Data to the United States

Safe Harbor-certified organisations should note that there are other options to transfer personal data to the United States, including express consent and the use of Binding Corporate Rules or EU-approved model clause agreements. Organisations using Safe Harbor-certified vendors may wish to discuss these other options with their vendors. There is, however, a risk that this decision could affect these other options, as national security derogations are likely to override the protection of personal data regardless of how it is transferred, with the only exception being the specific and informed consent of an individual to the transfer of his or her personal data to governmental authorities for national security purposes.

Conclusion

The ECJ decision is likely to take the European Commission by surprise.

The powers of national data protection authorities are significantly strengthened by this decision. They could allow data protection authorities to suspend some or all personal data flows into the United States in serious circumstances and where there is a justifiable reason to do so. There is a risk that a data protection authority could order that the data transfers by an international organisation outside of Europe be suspended from that jurisdiction, whereas data transfers in other European jurisdictions are permitted. To mitigate this risk, the European Commission is entitled to issue EU-wide “adequacy decisions” for consistency purposes.

The European Commission has today announced that it intends to release guidance for Safe Harbor-certified companies within the next two weeks.

Article By Stephanie A. “Tess” BlairDr. Axel Spies & Pulina Whitaker of Morgan, Lewis & Bockius LLP
Copyright © 2015 by Morgan, Lewis & Bockius LLP. All Rights Reserved.

[1] See Judgment of the Court (Grand Chamber) (6 October 2015)

[2] See Safe Harbor List.

[3] Directive 95/46/EC

EU Official Calls for Invalidation of EU–U.S. Safe Harbor Pact

A European Court of Justice (ECJ) advocate general, Yves Bot, has called for the European Union–U.S. Safe Harbor Agreement to be invalidated due to concerns over U.S. surveillance practices (press release here, opinion here). The ECJ has discretion to reject the recommendation, but such opinions are generally followed. A final decision on the issue is expected to be issued late this year or next year.

The issue arises out of the claims of an Austrian law student, Max Schrems, who challenged Facebook’s compliance with EU data privacy laws. (The case is Schrems v. (Irish) Data Protection Commissioner, ECJ C-362/14.) He claims that the Safe Harbor Framework fails to guarantee “adequate” protection of EU citizen data in light of the U.S. National Security Agency’s (NSA) surveillance activities. Although the Irish data protection authority rejected his claim, he appealed and the case was referred to the ECJ.

The European Data Protection Directive prohibits data of EU citizens from being transferred to third countries unless the privacy protections of the third countries are deemed adequate to protect EU citizens’ data. The U.S. and EU signed the Safe Harbor Framework in 2000, which permits companies self-certify to the U.S. Department of Commerce (DOC) annually that they abide by certain privacy principles when transferring data outside the EU. Companies must agree to provide clear data privacy and collection notices and offer opt-out mechanisms for EU consumers.

In 2013, former NSA contractor Edward Snowden began revealing large-scale interception and collection of data about U.S. and foreign citizens from companies and government sources around the globe. The revelations, which continue, have alarmed officials around the world, and already prompted the European Commission to urge more stringent oversight of data security mechanisms. The European Parliament voted in March 2014 to withdraw recognition from the Safe Harbor Framework. Apparently in response to the concern, the Federal Trade Commission (FTC) has taken action against over two dozen companies for failing to maintain Safe Harbor certifications while advertising compliance with the Framework, and in some cases claiming compliance without ever certifying in the first place. For more, see here (FTC urged to investigate companies), here (FTC settles with 13 companies in August 2015), and here (FTC settles with 14 companies in July 2014).

Advocate General Bot does not appear to have been mollified by the U.S. efforts, however. He determined that “the law and practice of the United States allow the large-scale collection of the personal data of citizens of the [EU,] which is transferred under the [S]afe [H]arbor scheme, without those citizens benefiting from effective judicial protection.” He concluded that this amounted to interference in violation of the right to privacy guaranteed under EU law, and that, notwithstanding the European Commission’s approval of the Safe Harbor Framework, EU member states have the authority to take measures to suspend data transfers between their countries and the U.S.

While the legal basis of that opinion may be questioned, and larger political realities regarding the ability to negotiate agreements between the EU and the U.S. are at play, if followed by the ECJ, this opinion would make it extremely difficult for companies to offer websites and services in the EU. This holds true even for many EU companies, including those that may have cloud infrastructures that store or process data in U.S. data centers. It could prompt a new round of negotiations by the U.S. and European Commission to address increased concerns in the EU about surveillance.

Congressional action already underway may help release some tension, with the House Judiciary Committee unanimously approving legislation that would give EU consumers a judicial right of action in the U.S. for violations of their privacy. This legislation was a key requirement of the EU in an agreement in principle that would allow the EU and U.S. to exchange data between law enforcement agencies during criminal and terrorism investigations.

Although the specific outcome of this case will not be known for months, the implications for many businesses are clear: confusion and continued change in the realms of privacy and data security, and uncertainty about the legal rules of the game. Increased fragmentation across the EU may result, with a concomitant need to keep abreast of varying requirements in more countries. Change and lack of harmonization is surely the new normal now.

Article By Sheila A. MillarTracy P. Marshall & Nathan A. Cardon of Keller and Heckman LLP

© 2015 Keller and Heckman LLP

Nothing to See in This Story about the Electronic Communications Privacy Act

Check out this story.  In it, we learn this:electronic privacy act

Andrew Ceresney, director of the Division of Enforcement at the Securities and Exchange Commission, [told] the Senate’s Committee on the Judiciary at a hearing on Wednesday morning that the pending Electronic Communications Privacy Act Amendments Act would impede the ability of the SEC and other civil law enforcement agencies to investigate and uncover financial fraud and other unlawful conduct. Ceresney testified that the bill, intended to modernize portions of the Electronic Communications Privacy Act which became law in 1986, would frustrate the SEC’s efforts to gather evidence, including communications such as emails, directly from an Internet services provider.

So.  Let’s talk about what’s really at issue here.  We’re not talking about emails collected from companies with their own domain names and servers.  If a company maintains its own emails for its own purposes, the company is not a “provider of electronic communication service” under the ECPA and those emails are subject to SEC subpoenas just like its other documents.

But take, say, Google and Yahoo, among many others.  They are providers of electronic communication services.  Here’s what 18 U.S.C. § 2703(a) says about them:

A governmental entity may require the disclosure by a provider of electronic communication service of the contents of a wire or electronic communication, that is in electronic storage in an electronic communications system for one hundred and eighty days or less, only pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure (or, in the case of a State court, issued using State warrant procedures) by a court of competent jurisdiction. A governmental entity may require the disclosure by a provider of electronic communications services of the contents of a wire or electronic communication that has been in electronic storage in an electronic communications system for more than one hundred and eighty days by the means available under subsection (b) of this section.

In plainer English, the SEC may require Google to disclose the contents of its customer’s emails if the emails have been in storage for 181 days.  For newer emails, the government must have a search warrant, which the SEC can’t get as a civil enforcement authority.

For the SEC, the ECPA typically comes up when it is investigating people who are not using corporate email addresses.  For example, Ponzi schemes and prime bank frauds are often going to be run on hotmail.com, not citigroup.com.  The problem for the SEC is, people running Ponzi schemes tend to have few issues with deleting incriminating emails.  And Google isn’t obligated to keep those deleted emails for any particular time period.  So if some guy defrauds a bunch of people and then quickly deletes the emails explaining how the fraud happened, there’s not a lot the SEC can do about it.  So it is very, very rare when the SEC is successful in using the ECPA to get emails from “providers of electronic communication service.”  And so . . . when Andrew Ceresney tells the Senate Judiciary Committee that amendments to the ECPA could impede civil law enforcement’s ability to uncover financial fraud and other unlawful conduct, he’s sort of right.  I might make the same argument if I were in his shoes.  But he’s also saying something that is almost inconsequential.  If the ECPA is not amended, the SEC will have a very hard time getting a hold of useful gmails.  If the ECPA is amended, it will have a very hard time getting a hold of useful gmails.  Just about every other issue in data privacy and securities enforcement is more significant than this one.

Article By David Smyth of Brooks, Pierce, McLendon, Humphrey & Leonard, LLP

Copyright © 2015, Brooks, Pierce, McLendon, Humphrey & Leonard LLP

UK Government Launches Cybersecurity Service For Healthcare Organizations

The UK government has announced a new national service providing expert cybersecurity advice to entities within the National Health Service (NHS) and the UK’s broader healthcare system.  The project, called CareCERT (Care Computing Emergency Response Team), is aiming for a full go-live in January 2016.

Acording to recent press releases, CareCERT will:

  • “Provide incident response expertise for the management of cyber security incidents and threats across health and care system”;

  • “Broadcast potential cyber threats and necessary actions to take across the sector, to ensure cyber threats are safely dealt with”;

  • “Be a central source of security intelligence for health and care by working with cross government monitoring partners such as GovCertUK and CERT-UK”;

  • “Support the analysis of emerging and future threats through unique analysis tools and reporting”; and

  • “Be a trusted source of security best practice and guidance”.

CareCERT will be run by the Health and Social Care Information Centre (HSCIC).  The HSCIC is an important offshoot of the UK Department of Health, overseeing information assurance and patient privacy within the NHS as part of its broader role in setting health IT standards, assisting IT rollout throughout the NHS, and managing the release of healthcare statistics for the NHS.

CareCERT is expected to be a natural evolution of HSCIC’s existing function and expertise.  In particular, under the HSCIC/Department of Health’s data breach reporting policy (imposed on NHS bodies and their suppliers through contract), HSCIC is already one of the bodies notified and involved in the event of serious data breaches in the public healthcare sector.  The creation of CareCERT will enhance the HSCIC’s incident response capabilities, and will give NHS suppliers an increased opportunity to engage with HSCIC proactively (for guidance and threat alerts), rather than only after serious incidents take place.

Article by Mark Young & Philippe Bradley-Schmieg of Covington & Burling

© 2015 Covington & Burling LLP

DOD Issues Interim Rule Addressing New Requirements for Cyber Incidents and Cloud Computing Services

On August 26, 2015, the Department of Defense (DoD) issued an interim rule that imposes expanded obligations on defense contractors and subcontractors with regard to the protection of “covered defense information” and the reporting of cyber incidents occurring on unclassified information systems that contain such information.  Nearly three years in the making, this interim rule replaces the DoD’s prior Unclassified Controlled Technical Information (“UCTI”) Rule, imposing new baseline security standards and expanding the information that is subject to safeguarding and can trigger the reporting requirements.  Additionally, the interim rule implements policies and procedures for safeguarding data and reporting cyber incidents when contracting for cloud computing services.

Article By Susan B. CassidyAlejandro L. SarriaPatrick Stanton & Catlin M. Meade of Covington & Burling LLP

© 2015 Covington & Burling LLP

Part II: Legal Insights on Ashley Madison Hack

As more names emerge from the dark web data dump of Ashley Madison customers, lawyers around the globe have found a very willing group of would-be plaintiffs. Interestingly, all of these plaintiffs are named “Doe,” which must only be a coincidence, and certainly has nothing to do with the backlash that certain well-known ALM clients have experienced. All kidding aside, the size of the claims against ALM is staggering with one suit alleging more than $500 million in damages. How these plaintiffs will prove their damages is a question for another day, but the fact that ALM — which reported earnings of $115 million in 2014 — may soon face financial ruin must give any spectator pause.

The plaintiffs’ bar is certainly not the lone specter haunting ALM’s corridors these days. Although the company touts its cooperation with government officials in attempting to bring criminal charges against the Impact Team, that cooperation will be punctuated by the all-but-certain FTC enforcement action to come — assuming that the FTC’s data breach enforcement team were not among the 15,000 email addresses registered to a .mil or .gov account.

How will that enforcement action proceed? In many cases, the FTC initiates its investigation with a letter, sometimes called an “Access Letter” or an “Informal Inquiry Letter.” Although there is no enforceable authority behind such a letter, companies typically conclude that cooperation is the best course. For more formal investigations (or when the access letter is ignored), the FTC will issue “Civil Investigative Demands,” which are virtually the same as a subpoena, and are enforceable by court order. After collecting materials, the investigators will – in order from best case scenario to worst – drop the matter altogether, negotiate a consent decree, or begin a formal enforcement action via a complaint.

There is, of course, a lot more to an action than what I’ve listed above, which deserves a series of posts of their own. For today, the pressing question is – what’s going to happen to ALM when the FTC calls? Under the circumstances, it would make sense for ALM to push as hard as it can for a consent order, given that the likelihood of succeeding in litigation against the Commission is vanishingly low – there is little doubt that ALM failed to comply with its own promised standards for protecting customer data. And, in light of recent revelations about what really happened when customers paid to “delete” their Ashley Madison accounts, ALM will want to forestall the threat of a separate, non-data breach related unfair business practices suit any way it can.

Every consent order looks different, but the FTC has made a few requirements staples of its agreements with offending businesses over the last two decades. These include:

  • Establishing and maintaining a comprehensive information security program to protect consumers’ sensitive personal data, including credit card, social security, and bank account numbers.

  • Establishing and reporting on yearly data security protocol updates and continuing education for decision makers and data security personnel.

  • Working to improve the transparency of data, so that consumers can access their PII without excessive burdens.

  • Guaranteeing that all public statements and advertisements about the nature and extent of a company’s privacy and data security protocols are accurate.

 ALM will undoubtedly offer to take all of these steps, and more, in negotiations with the Commission. But as I mentioned above, the torrent of lawsuits ALM faces in the next year or so may moot any consent decree with the FTC. If ALM liquidates in the face of ruinous lawsuits and legal bills, the FTC’s demands will be meaningless. ALM, then, is likely an example of a company that would have benefited from a more minor security breach and subsequent FTC imposition of the kind of remedial measures that may have stopped this summer’s catastrophic data breach. An ounce of prevention is worth a pound of cure, they say, and ALM may learn that lesson at the cost of its business.

Article By James J. Ward of Bilzin Sumberg Baena Price & Axelrod LLP

© 2015 Bilzin Sumberg Baena Price & Axelrod LLP

Legal Insights on the Ashley Madison Hack: Part I

Internet commenters and legal analysts alike are buzzing about the Ashley Madison hack. The website — which billed itself as a networking site for anyone who wanted to discretely arrange an extramarital affair — has already been named in several class action lawsuits, with claims ranging from breach of contract to negligence. As more names are unearthed (and more personal data divulged), additional lawsuits are sure to follow. For those lucky enough to be watching this spectacle from the sidelines, there are some important questions to ask. In the next few posts, I’ll consider some of these issues.

It seems clear that the Impact Team (the group responsible for breaking into Ashley Madison’s servers) were singularly focused on exposing embarrassing personal information as well as sensitive financial data. What is less clear is why they chose Ashley Madison’s parent company Avid Life Media (“ALM”) as the target. Certainly, the general public’s reaction to the data breach was muted if not downright amused, likely because the “victims” here were about as unsympathetic as they come. Still, the choice of Ashley Madison, and the way the hack was announced, demonstrates an important point about data security: self-described “hacktivists” may target secure information for reasons other than financial gain.

The Impact Team appears to be more motivated by shaming than any identifiable monetary benefit, although it is entirely possible that money was a factor. Interestingly, the intended damage from the leak was designed to flow in two directions. The first, and most obvious, was to Ashley Madison users, who clearly faced embarrassment and worse if their behavior were made public. The second direction was to ALM itself, for “fraud, deceit, and stupidity.” In particular, the Impact Team referred to ALM’s promises to customers that it would delete their data permanently, and keep their private information safe. Obviously, that didn’t happen. ALM made matters far worse for itself when it scrambled to provide a response to Impact Team’s threat, and made promises of security it could not keep. Now, in addition to a class action lawsuit alleging half a billion dollars in damages, ALM faces the wrath of a recently emboldened FTC.

One takeaway from this situation from a legal perspective is how ALM was targeted. Black hat groups often solicit suggestions for whom to attack, but typically in a secure fashion that would prevent early warning. LulzSec, responsible for the data breach at Sony Pictures in 2011, made a habit of seeking input as to what government entity or business to target, but kept those suggestions, and the contributors, secret. The Impact Team broke from that pattern, and announced before the breach, that they would release private information unless ALM shut down Ashley Madison and sister site “Established Men.” Other than a similar demand made to Sony Pictures Studios regarding the film The Interview, I can think of no other instances where hackers/hacktivists telegraphed that a cyber attack was coming.

Realizing this, a few questions immediately sprang to mind:

  • What do you do if your company gets a warning from a web group?
  • How many businesses have received such warnings and silently complied, just to avoid loss of sensitive information or damage to their reputation?
  • What happens to officers and directors who receive these warnings and do nothing? Is that a breach of fiduciary duties? Negligence? A civil conspiracy?

Ultimately, all of these questions merge into the two ongoing themes of data security: How do you protect critical information, and what do you do if you can’t?

In my upcoming articles I will get into the particulars of how some companies respond to cyberattacks, but for now, it makes sense to highlight the importance of planning ahead for your business. Even a basic cyber security protocol is better than a haphazard, post hoc response, and there are many resources that provide guidance about best practices. Longer-term planning requires expertise and commitment, but education can begin any time.

I’ll paraphrase Ashley Madison — Life is short: make a plan.

Article By James J. Ward of Bilzin Sumberg Baena Price & Axelrod LLP

© 2015 Bilzin Sumberg Baena Price & Axelrod LLP

Reasonable Expectation of Privacy: Are You Free To Eavesdrop on Pocket Dials?

Most people have experienced a “pocket dial” – be it as the sender or receiver – and some have found themselves in embarrassing situations as a consequence.  But should people reasonably expect that conversations overhead during a “pocket dial” call are private and protected? Should the recipient feel obligated to end the call?  The Sixth Circuit says no.

Yesterday, the Sixth Circuit decided whether a reasonable expectation of privacy exists with respect to “pocket dialed” communications.  Carol Spaw, assistant to the CEO of Cincinnati/Northern Kentucky International Airport, received a call from James Huff, chairman of the airport board.  It didn’t take long for Spaw to figure out that she had received a pocket dial, and that the conversation in the background was not intended for her ears.  Spaw stayed on the line for an hour and a half – taking notes and recording the audio as Huff discussed private business matters with another board member, and later with his wife. Spaw sent the recording to a third party company to enhance the quality, and shared the recording with other board members. Huff and his wife sued Spaw for intentionally intercepting their private conversation in violation of Title III of the Omnibus Crime Control and Safe Street Act of 1968. The district court granted summary judgement in favor of Spaw, finding no “reasonable expectation” that the conversation would not be heard.  On appeal, the Sixth Circuit affirmed in part, reversed in part, and remanded.

Title III only protects communication when the expectation of privacy is subjectively and objectively reasonable.  The Sixth Circuit agreed with the district court that James Huff did not have a reasonable expectation that his conversation was private. Although Mr. Huff did not deliberatelydial the call, he knew that “pocket dials” were possible, and did not take any precautions to prevent them.  The court analogized Huff’s situation to a homeowner who neglects to cover his windows with drapes; under the plain view doctrine, the homeowner has no expectation of privacy in his home when the windows are uncovered. Huff could have easily utilized protective settings on his phone to prevent pocket dials.

The Sixth Circuit reversed with respect to Bertha Huff’s claim.  Bertha Huff was communicating with her husband in the privacy of a hotel room. She had a reasonable expectation of privacy in that context, and she was not responsible for her husband’s pocket dial. The Sixth Circuit feared that affirming the district court’s decision with respect to Bertha’s claim would undermine what we currently consider a reasonable expectation of privacy in face-to-face conversations. The court remanded the case back to the district court to decide whether Spaw’s actions made her liable for “intentionally” intercepting oral communications.

The Sixth Circuit’s decision leaves us with this: if you receive a pocket-dialed call, feel free to listen, record, and share (but be wary of the privacy interest of the other participants in the conversation); if you are a pocket dialer, lock your phone.

ARTICLE BY Pierre H. Bergeron of Squire Patton Boggs (US) LLP
Lauren Maynard contributed to this article.

© Copyright 2015 Squire Patton Boggs (US) LLP

U.S., U.K. Governments Seek Cyber Innovations from Private Sector

The private sector is likely to produce critical cyber innovations—at least, that is what the U.S. Defense Advanced Research Projects Agency (“DARPA”) and the U.K. Centre for Defence Enterprise (“CDE”) would like to see.

In the United States, although the internet may have been invented at DARPA, DARPA is turning to a private sector competition to protect it.  In March 2014, DARPA solicited a “Cyber Security Grand Challenge”: an open competition to devise automated security systems that can defend against cyberattacks as fast as they are launched.  DARPA pitched the Grand Challenge as a “first of its kind,” “capture the flag”-style competition for computer security experts in academia, industry, and the broader security community.  Over 100 teams registered to compete.  Some likely saw the cash prizes—$2 million for first place, $1 million for second, and $750,000 for third—as nominal incentives compared to the value of shaping future cybersecurity efforts.  On July 8, 2015, DARPA announced its selection of seven finalists for the final round of the competition.  The finalists include computer security experts from industry, start-up incubators, and academia.

Not one of DARPA’s Grand Challenge finalists?  Take heart: DARPA is said to be developing technology that would allow spectators to watch the final contest in real time.  Or better yet, look to the United Kingdom, where the CDE has an open competition seeking “novel approaches to human interaction with cyberspace to increase military situational awareness.”  CDE is asking for “revolutionary approaches” to “rapidly convey” cyberspace information, events, and courses of action to military commanders, analysts, and decision-makers.  Just as DARPA officials acknowledged the limitations of existing cybersecurity strategy and technology, CDE officials have recognized that “the traditional human-computer interface” is inadequate for “current military information processing and sense-making in the cyber domain.”  Up to £500,000 in research funding will be awarded.  A July 9, 2015 presentation given by CDE is available online; slides from a July 16, 2015 webinar soon could be available, as well.  The competition closes on September 3, 2015.  Proposals must be submitted through CDE’s online portal.

ARTICLE BY Jade C. Totman & Alan A. Pemberton of Covington & Burling LLP

© 2015 Covington & Burling LLP