2016 Cybersecurity Year in Review, and Data Privacy Trends to Watch in 2017

With 2016 in the rear-view mirror, we have been reflecting on the many data privacy and cybersecurity legal developments of the past year, both in the U.S. and internationally, as well as focusing on trends to watch in the new year. With best wishes for a Happy New Year from all of us, we present a number of highlights from 2016, and suggest a few areas to watch in 2017.

U.S. Courts Wrestle With Law Enforcement Access to Data

Debate over law enforcement access to data stored by technology companies was perhaps the most visible privacy and cybersecurity issue of 2016, with far-reaching implications in both the U.S. and abroad. In July, the Second Circuit issued a decision in Microsoft’s challenge to a warrant issued under the Electronic Communications Privacy Act (ECPA), seeking email content stored in Ireland. The Second Circuit unanimously held that ECPA warrants cannot compel U.S. providers to disclose the contents of customer communications stored on foreign servers. In 2017, we expect that decision to have significant implications for U.S. technology companies, as well as consumers and companies that store data with U.S.-based providers. The government has sought rehearing en banc, and also has indicated that it intends to submit legislation to Congress to address the implications of the decision.  Congress has considered related issues in the International Communications Privacy Act.

Apple also engaged in a high-profile court battle with the government early in 2016 when the company refused the FBI’s request to unlock a terror suspect’s iPhone, though the dispute ended in March without a court decision when the FBI announced it had accessed the device without Apple’s assistance.  Congress continues to grapple with the consequences of that case, including by considering several encryption-related legislative proposals.

U.S. Supreme Court Addresses Privacy Standing in Spokeo

The U.S. Supreme Court issued its highly anticipated decision in Spokeo in May, addressing whether plaintiffs have standing to pursue statutory damages even in the absence of harm under the Fair Credit Reporting Act (FCRA). The Court reaffirmed that constitutional standing in federal court requires “concrete” (i.e., actual) harm and offered several guiding principles to assist lower courts in determining whether standing requirements have been met.  Although the case specifically dealt with the FCRA, Spokeo has significant implications in privacy and data breach litigation because numerous federal privacy laws have been construed to allow statutory damages even in the absence of actual harm.  Lower courts have begun applying the decision in data breach cases, including a recent district court ruling that a named plaintiff’s allegations that stolen personal information was used to file a false tax return were sufficient to impart standing under Spokeo.  In 2017, we expect this process to continue, as lower courts continue to interpret the Supreme Court’s decision.

A New Framework for EU-U.S. Data Transfers

The EU-U.S. Privacy Shield, a new framework for the transfer of personal data between the EU and the U.S., was announced in February and finalized in July.  Negotiators in the EU and U.S. worked on an accelerated timeline following the invalidation of the Safe Harbor in late 2015 resulting in the Privacy Shield—a significantly more stringent framework than its predecessor.  Companies began self-certifying adherence to the Privacy Shield in August, and as of this post more than 1,300 companies have signed up at the Department of Commerce’s website.  In 2017, we see continued uncertainty in this area.  The Privacy Shield faces a legal challenge in the European Court of Justice, and another cross-border mechanism—standard contractual clauses—also is subject to an EU court action.  The Privacy Shield itself was based, in part, on an exchange of letters between the Obama Administration and the European Commission relating to mass surveillance, and it remains to be seen if the Trump Administration will continue the commitments made in those letters.  Relatedly, the European Parliament approved the EU-U.S. Umbrella Agreement in December—a framework for the exchange of personal data for law-enforcement (including anti-terrorism) purposes between the EU and U.S.

Sweeping New Data Protection Laws Approved in Europe

The European Parliament passed into law the General Data Protection Regulation (GDPR) in April, a sweeping new set of privacy and data security rules that will take effect in mid-2018.  Unlike the EU Data Protection Directive which it replaces, the GDPR for the most part will have direct effect throughout the EU without requiring national implementation legislation.  Companies doing business in (or with companies operating in) the EU have begun preparing for compliance with the new requirements, and the Article 29 Working Party released the first set of guidance on the GDPR in December.  In 2017, we expect the Article 29 Working Party to continue to fill in some of the blanks left in the GDPR, and we also expect companies to intensify their preparation for the mid-2018 effective date of this landmark legislation.

FTC’s Data Security Authority Tested (Again) in LabMD

 Following the Third Circuit’s decision affirming the FTC’s authority to regulate corporate data security in Wyndham last year, the FTC sought to further bolster its data security authority in LabMD.  In July, the Commission unanimously vacated a prior Administrative Law Judge decision and found that LabMD’s actions were “unfair” under Section 5 of the FTC Act.  In November, however, the Eleventh Circuit stayed enforcement of the FTC’s LabMD order, finding that LabMD was likely to succeed on the merits because the FTC’s interpretations of aspects of the FTC Act relating to its data security authority were likely not reasonable. The case will now proceed on the merits, but the grant of the stay suggests that the Eleventh Circuit may be receptive to LabMD’s arguments for ultimate reversal of the LabMD order.  This could produce a circuit split between the Eleventh Circuit and the Third Circuit (which decided the Wyndham case), and thereby provide a basis for an attempt to secure Supreme Court review of the FTC’s jurisdiction.  Moreover, this case could provide a vehicle for a new FTC, with a Republican majority, to reconsider the agency’s current aggressive approach on “unfairness” as applied to data security.

Newly Established Cybersecurity Requirements and Guidelines

A number of U.S. states and standard-setting organizations issued broadly applicable cybersecurity requirements and guidelines in 2016.  In February, as part of the release of its 2016 Data Breach Report, the Office of the Attorney General for California established a de facto standard that companies doing business in California must, at a minimum, adopt twenty specific security controls established by the Center for Internet Security in order to have “reasonable” security practices in California.  And New York State proposed first-in-the-nation cybersecurity regulations that contain several mandatory security requirements for financial services institutions—those institutions that are regulated by New York banking, insurance, or financial services laws—which are currently being revised following industry comments and are scheduled to take effect in March 2017.

At the federal level, in October, the Department of Defense (DoD) finalized its safeguarding and cyber incident reporting obligations, requiring DoD contractors to implement specific security controls for information systems that store, process, or transmit DoD’s data and to report actual or possible cybersecurity incidents involving such data to DoD within 72 hours.  And in the coming year, similar security controls and reporting requirements will likely be required for all government contractors, as a September rule promulgated by the National Archives and Records Administration (NARA) set the stage for a Federal Acquisition Regulation (FAR) clause that will likely mirror DoD’s requirements.  In November, the National Institute of Standards and Technology (NIST) released guidance for small businesses on cybersecurity preparedness, including a list of “recommended practices” that are applicable not just to small businesses, but to entities of all sizes.

New Cybersecurity and Privacy Laws and Regulations in China

As expected, authorities in China were active in passing a new Cybersecurity Law and proposing new cybersecurity and privacy regulations in 2016.  In November, the Standing Committee of China’s National People’s Congress passed China’s first Cybersecurity Law (the “Law”), which will take effect starting June 1, 2017.  Described as China’s “fundamental law” in the area of cybersecurity, the new Law articulates the government’s priorities with respect to “cyberspace sovereignty,” consolidates existing network security-related requirements (covering both cyber and physical aspects of networks), and grants government agencies greater power to regulate cyber activities.  It is the first Chinese law that systematically lays out the regulatory requirements on cybersecurity, subjecting many previously under-regulated or unregulated activities in cyberspace to government scrutiny.  At the same time, it seeks to balance the dual goals of enhancing cybersecurity and developing China’s digital economy, which relies heavily on the free flow of data.

China’s National Information Security Standardization Technical Committee (NISSTC) drafted a Personal Information Security Standard, a non-binding standard for data privacy and security practices of companies operating in China.  The NISSTC also released seven draft standards for comment in December, with a public comment period running until February 2, 2017.  The Cyberspace Administration of China (CAC) has also been active in 2016, issuing new rules for mobile apps in July, and draft regulations aimed at protecting minors in cyberspace in October. Finally, in August China’s State Administration of Industry and Commerce (SAIC) released draft regulations for public comment that would amend consumer protection laws to, among other things, supplement existing privacy obligations for companies operating in China.

FCC Releases Broadband Privacy Rules

The FCC’s increasing focus on privacy issues continued in 2016 with the release of broadband privacy rules.  The new rules, which were formally proposed in April, regulate the privacy practices of broadband Internet Service Providers (ISPs), including requirements to obtain consent for certain uses of consumer data and to adhere to certain data security practices.   The rules were adopted by the Commission in a 3-2 party-line vote in October, so their fate is quite uncertain under the incoming Republican administration.  Given that petitions for reconsideration currently are pending before the FCC and will remain so until the change in Administration, these rules could be one of the first areas in which the new FCC makes its mark on the policies of the Obama-era Commission.

Connected Devices and The Internet of Things

2016 saw several developments relating to the Internet of Things (IoT), such as internet-connected refrigerators and thermostats, which present unique opportunities and challenges from a privacy and cybersecurity perspective.  In April, the U.S. Department of Commerce issued a request for public comment on the benefits, challenges, and potential government roles for IoT, and the U.S. Senate Commerce Committee approved a bill (which remains pending) to establish a working group to study and facilitate IoT growth.  Around the same time, the European Commission released a series of industry-related initiatives addressing IoT, among other things.  And in November, NIST released cybersecurity guidance for IoT, and the Broadband Internet Technical Advisory Group released another report detailing the unique security and privacy challenges posed by IoT.  In 2017, we expect the focus on connected devices to escalate, particularly given the emergence of driverless cars and other innovative technologies.

Healthcare Quarterly Update: Cybersecurity and Health Data Privacy by Bloomberg BNA

Washington, DC

Join Bloomberg BNA for this essential event that explores concerns relating to cyber-security and health data privacy. Healthcare industry experts Kirk Nahra and David Holtzman will join HHS’s Iliana Peters for a comprehensive examination of:
• Big data in the healthcare sector and how to protect information
• Protecting patient and organization information
• Federal enforcement of HIPAA Privacy, Security, Data Breach rules
• Practical up to date information on current issues
• And so much more.

Identify actionable issues, secure your organization, and earn CLE credits.

A breakfast panel with accomplished scholars and an HHS representative. This conversation will address practical considerations for ensuring that patient’s data is being properly handled in full compliance with all regulations and ethical responsibilities. Healthcare practitioners are increasingly required to address concerns of Data privacy and Cyber-security; attending this panel will assist you in identifying actionable points in the law common to many legal practices.

Register for the Thomson Reuters Legal Executive Institute 5th Annual Law Firm CFO/CIO/COO Forum – NYC June 3

The 5th Annual Law Firm CFO/CIO/COO Forum
Data Privacy, Security & the Globalized Law Firm

Early Bird Rate Ends 5-14!

The Thomson Reuters Legal Executive Institute proudly presents the 5th Annual Law Firm CFO/CIO/COO Forum on June 3, 2015 in New York City at the Crowne Plaza Times Square Manhattan.

Our program will address the twin specters of data privacy and cyber security and their impact on US and international law firms in 2015. Delegates will hear from non-legal industry CISOs and world-renowned cyber security experts on emerging threats and innovative strategies affecting modern day law firm operations. Come prepared with questions and ideas as you engage both thought leaders and peers throughout a series of collaborative discussions.

This year’s program highlights include:

  • Enemies at the Gate: Responses to Data Security Threats Across Industries
  • Red Corner: The Rise of Corporate Espionage & the Problem with China
  • From Russia with Love: APT28 and the Soviet Spector
  • Preparing for a Client Security Audit: A Peer-to-Peer Workshop
  • A Briefing on Data Security Concerns in the Cloud and Tablet Technology
  • And more

Special Offers

Early Bird Discount: Save 15% when you enter CFO15 at checkout for individual registrations.  Expires 05.14.15

Group Discounts: Save 30% when you register 2 or more delegates; please call 1-800-308-1700

Why You Should Attend

  • This is the only professional conference in existence devoted to the unique cyber security concerns of law firms.
  • Stay Informed about the current threats to enterprise security at your firm from our elite faculty of thought leaders.
  • Network across industries as we welcome Chief Information Security Officers (CISOs) from numerous sectors to the Forum.
  • Gain Practical Takeaways for adoption at your firm or organization and build powerful connections with the premier thought leaders in the profession.
  • Be prepared to handle any future incidents at the completion of the Forum.
  • Did you know? Many law firm CIOs and security analysts believe that mobile technology and tablet technology will be the primary target of attacks in 2015. Our forum dispenses crucial advice on how to avoid falling prey to such forces.
  • Did you know? Many analysts believe international law firms will easily double their operation and insurance costs in 2015 as a result of increased data security attacks on US and Western businesses. Are you well-versed in the latest threats from Asia, Russia and beyond?
  • Did you know? The 2015 federal regulatory, legislative and enforcement landscape will force many organizations to thoroughly assess their current security infrastructure and comply with myriad new quality controls. Have you done your proper due diligence?

Data Privacy and Data Security; Two Sides of the Same Coin A Conversation with Patrick Manzo, Executive Vice President, Global Customer Service and Chief Privacy Officer of Monster Worldwide, Inc

Cybersecurity is an important issue facing companies and legal departments across the country.  With high profile, and sometimes embarrassing, data breaches dominating news coverage, data security and privacy have become major concerns.  Patrick Manzo, Executive Vice President, Global Customer Service and Chief Privacy Officer of Monster Worldwide, Inc. will be speaking at the Inside Counsel SuperConference on May 12th, 2015 to give insight into these very important issues.  He will speak on a panel entitled: Cybersecurity Regulations: What you Need to Know.

Manzo says, “There is a drumbeat of data security issues permeating both the mainstream and legal press, and while individuals may have different levels of understanding and engagement, I’m sure that awareness of these issues is high.” There are differing perspectives and approaches on the issue – risk management and policy on one end of the spectrum, technical issues on the other – but importantly, the conversation is underway and there is cognizance at companies, at all levels, of the importance of these issues.

Manzo believes a discussion of cybersecurity must consider both data security and data privacy.  He defines data security as, simply, knowing where your data is located, and who may access the data. Data privacy is predicated on data security and requires further understanding how personal data is being collected, processed (and by whom), and transferred, and the consistency of these practices with applicable laws, regulations, and the reasonable expectations of the relevant consumers.   Manzo says, “Data security and data privacy are two sides of the same coin, and we trade that coin for consumer trust.”

Since our modern world is so dominated by data, by its collection, its use, and its analysis, both companies and consumers realize that who we share information with and what they do with it is an important issue.  Manzo uses the term “good data hygiene” to describe what consumers and companies should work towards, and how it is both a company and a consumer’s responsibility to be aware of these issues.  Consumers would do well to acquire a basic understanding of what data they’re sharing and with whom, while companies, Manzo says, “need to be responsible stewards of consumers’ personal information.”

Manzo says, “Data security and privacy should be part of the DNA of a company.”

Data security and privacy are clearly not just IT issues anymore, but instead, Manzo says, “extend into all areas of an organization.”  From a company perspective, good data hygiene requires a strong command of data security and a robust privacy program.  Manzo also advocates that companies be transparent with consumers and customers about their data security and privacy practices.  Transparency requires a company to be aware of what data is being collected and from whom, and what is done with that data–who processes the information, if it is not done in house, and where the information is stored or transferred.  Beyond that, a company should have rules and policies in place to protect the information, and should incorporate data security and privacy into employee training, so that all employees are aware of the issues and concerns.

Manzo says, “Transparency allows you to be upfront and clear with consumers.  You can say, here’s what data I collect, here’s how I use and protect your data, and here’s what might happen to that data.”  Consumers, in turn, need to understand the data they are sharing and reasonably evaluate the attendant risks and benefits, and thereby make an informed decision about sharing their information.

However, it is not just between consumers and companies.  Legislation and regulation have a role to play as well.  “The Federal Trade Commission has a significant role to play in data privacy and security issues, and they have raised consumer and industry awareness of the responsibilities that go hand in hand with using personal information,” Manzo says.  Looking forward, legislation and regulation will play a major role in how companies manage data privacy and security. A clearer, more unified set of rules and laws governing data security and privacy practices, as well as breach notifications, likely enacted on the federal level, would be helpful for consumers and companies.

Right now, companies struggle with a patchwork of laws and regulations.  For example, Manzo says, “to respond to a breach, a company must first pull out a matrix of laws and regulations and determine which apply to the situation.  The patchwork of rules creates unnecessary complexity and slows breach response and notification efforts.”  Moving forward, Manzo says, “more unification of breach response and breach notification laws will be a benefit to consumers and industry.”

Our data-soaked society is here to stay, and most have accepted that the risks of having our information available are outweighed by the benefits and the convenience it affords.  That said, more understanding, transparency, awareness and clarification can help consumers and companies move forward in this brave, new, information-saturated world.

You can find more information about the Inside Counsel Super Conference here.

It’s Data Privacy Day 2015

Mintz Levin Law Firm

Today is Data Privacy Day, and as you might expect, we have a few bits and bytes for you.

Use the Opportunity

Data Privacy Day is another opportunity to push out a note to employees regarding their own privacy and security — and how that can help the company.

The Federal Trade Commission Issues IoT (Internet of Things) Report

Following up on its November 2013 workshop on the Internet of Things, the Federal Trade Commission (“FTC”) has released a staff report on privacy and security in the context of the Internet of Things (“IoT”), “Internet of Things: Privacy & Security in a Connected World” along with a document that summarizes the best practices for businesses contained in the Report.  The primary focus of the Report is the application of four of the Fair Information Practice Principles (“FIPPs”) to the IoT – data security, data minimization, notice, and choice.

The report begins by defining IoT for the FTC’s purposes as “‘things’ such as devices or sensors – other than computers, smartphones, or tablets – that connect, communicate or transmit information with or between each other through the Internet,” but limits this to devices that are sold to or used by consumers, rather than businesses, in line with the FTC’s consumer protection mandate.  Before discussing the best practices, the FTC goes on to delineate several benefits and risks of the IoT.  Among the benefits are (1) improvements to health care, such as insulin pumps and blood-pressure cuffs that allow people to avoid trips to the doctor by giving them the tools to monitor their own vital signs from home; (2) more efficient energy use at home, through smart meters and home automation systems; and (3) safer roadways, as connected cars can notify drivers of dangerous road conditions and offer real-time diagnostics of a vehicle.

The risks highlighted by the Report include, among others, (1) unauthorized access and misuse of personal information; (2) unexpected uses of personal information; (3) collection of unexpected types of information; (4) security vulnerabilities in IoT devices that could facilitate attacks on other systems; and (5) risks to physical safety, such as may arise from hacking an insulin pump.

In light of these risks, the FTC staff suggests a number of best practices based on four FIPPs. At the workshop from which this report was generated, all participants agreed on the importance of applying the data security principle.  However, participants disagreed concerning the suitability of applying the data minimization, notice, and choice principles to the IoT, arguing that minimization might limit potential opportunities for IoT devices, and notice and choice might not be practical depending on the device’s interface – for example, some do not have screens.  The FTC recognized these concerns but still proposed best practices based on these principles.

Recommendations

Data Security Best Practices:

  • Security by design.  This includes building in security from the outset and constantly reconsidering security at every stage of development. It also includes testing products thoroughly and conducting risk assessments throughout a product’s development.

  • Personnel practices.  Responsibility for product security should rest at an appropriate level within the organization.  This could be a Chief Privacy Officer, but the higher up the responsible party, the better off a product and company will be.

  • Oversee third party providers.  Companies should provide sufficient oversight of their service providers and require reasonable security by contract.

  • Defense-in-depth.  Security measures should be considered at each level at which data is collected, stored, and transmitted, including a customer’s home Wi-Fi network over which the data collected will travel.  Sensitive data should be encrypted.

  • Reasonable access control.  Strong authentication and identity validation techniques will help to protect against unauthorized access to devices and customer data.

Data Minimization Best Practices:

  • Carefully consider data collected.  Companies should be fully cognizant of why some category of data is collected and how long that data should be stored.

  • Only collect necessary data.  Avoid collecting data that is not needed to serve the purpose for which a customer purchases the device. Establish a reasonable retention limit on data the device does collect.

  • Deidentify data where possible.  If deidentified data would be sufficient, companies should only maintain such data in a deidentified form and work to prevent reidentification.

Notice and Choice Best Practices:  The FTC initially notes that the context in which data is collected may mean that notice and choice are not necessary, for example when information is collected to support the specific purpose for which the device was purchased.

When notice or choice is necessary, the FTC offers several suggestions for how a company might give or obtain it, including (1) offer choice at point of sale; (2) direct customers to online tutorials; (3) print QR codes on the device that take customers to a website for notice and choice; (4) provide choices during initial set-up; (5) provide icons to convey important privacy-relevant information, such as a flashing light that appears when a device connects to the Internet; (6) provide notice through emails or texts when requested by consumers; and (7) make use of a user experience approach, such as personalizing privacy preferences based on the choices a customer already made on another device.

Legislation.  The FTC staff recommends against IoT-specific legislation in the Report, citing the infancy of the industry and the potential for federal legislation to stifle innovation.  Instead, the FTC recommends technology-neutral privacy and data security legislation.  Without saying it explicitly, this appears to be a recommendation for something akin to the Consumer Privacy Bill of Rights recently proposed by the President, along with giving the FTC authority to enforce certain privacy protections, including notice and choice, even in the absence of a showing of deceptive or unfair acts or practices.

In the meantime, the FTC notes that it will continue to provide privacy and data security oversight of IoT as it has in other areas of privacy.  Specifically, the FTC would continue to enforce the FTC Act, the Children’s Online Privacy Protection Act, and other relevant statutes.  Other initiatives would include developing education materials, advocating on behalf of consumer privacy, and participating in multi-stakeholder groups to develop IoT guidelines for industry.

To Track or Not to Track Re: Digital Advertising

Digital advertising based on tracking users’ interests and related privacy concerns have been the subject of many recent news articles.  What does this mean for businesses?  Evolving industry practices and new legislation relating to online privacy and user tracking likely require changes to online privacy practices and policies.

Online privacy and user tracking are in the news almost daily.  Consider these highlights from the past few weeks about online tracking of California minors, big data brokers, California legislation addressing “do not track,” new mobile and online interest-based advertising technology, and a warning to all website operators from the Better Business Bureau:

New Privacy Rights for California Minors

On September 23, 2013, Governor Brown signed into law new Sections 22580 through 22582 of the California Business and Professions Code titled “Privacy Rights for California Minors in the Digital World.”  The new law, which goes into effect January 1, 2015, requires an operator of a website (including online services and applications, such as a social media site) or mobile application that is “directed to minors” to allow minors (defined as anyone younger than 18 years old residing in California) who are registered users the opportunity to un-post or remove (or request removal of) their posted online content.  The operator also must provide minors with notice and “clear instructions” about how to remove their posted content.  The operator is not, however, required to remove posted content in certain specific circumstances, such as when the content was posted by a third party.

This new law also prohibits website and mobile app operators from advertising to California minors certain products and services that minors cannot legally purchase, such as alcoholic beverages, firearms, ammunition, spray paint, tobacco products, fireworks, tanning services, lottery tickets, tattoos, drug paraphernalia, electronic cigarettes, “obscene matter” and lethal weapons.  Operators also are prohibited from using, disclosing or compiling certain personal information about the minor for the purpose of marketing these products or services.

Senator Rockefeller Expands Investigation of Data Brokers

On September 25, 2013, Senator Rockefeller (W.VA) announced that he sent letters to 12 operators of popular family-, health- and personal-finance-related consumer websites requesting details about whether and what information collected from consumers is shared with data brokers.  In his letter to the operator of self.com, for example, Rockefeller noted that “[w]hile some consumers may not object to having their information categorized and used for marketing purposes, before they share personal information it is important that they know it may be used for purposes beyond those for which they originally provided it.”

California Adds Do-Not-Track Disclosure Requirements Effective January 1, 2014

On September 27, 2013, California Governor Brown signed into law amendments to the California Online Privacy Protection Act (CalOPPA), a 2004 law requiring all commercial websites and online service providers collecting personally identifiable information about California residents to “conspicuously” post a “privacy policy.”  The amendments to CalOPPA, which take effect on January 1, 2014, add two new disclosure requirements for privacy policies required by CalOPPA:

  • The privacy policy must explain how the website “responds to ‘Do Not Track’ signals from web browsers or other mechanisms that provide California residents the ability to exercise choice” about collection of their personally identifiable information (Cal Bus and Prof Code §22575(b)(5)).
  • The privacy policy must disclose whether third parties use or may use the website to track (i.e., collect personally identifiable information about) individual California residents “over time and across third-party websites” (Cal Bus and Prof Code §22575(b)(6)).

The “Bill Analysis” history indicates that CalOPPA amendments are not intended to “prohibit third-party or any other form of online tracking” but rather to “implement a uniform protocol for informing Internet users about tracking . . . and any options they may have to exercise choice . . .” (6/17/13 – Senate Judiciary).

A website operator may meet the “do not track” disclosure requirement by including a link in the privacy policy to “an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice” (Cal Bus and Prof Code §22575(b)(7)).

The reference in §22575(b)(7) to “an online location” suggests that businesses already complying with the “enhanced notice link” requirements of the Self-Regulatory Program for Online Behavioral Advertising of the Digital Advertising Alliance (DAA) will comply with amended CalOPPA.  Among other requirements, the DAA’s self-regulatory program requires website owners/operators (called “First Parties”) to provide “clear, meaningful and prominent” disclosure about data collection and use for advertising purposes, and to offer consumers a way to opt out of tracking, such as through the DAA’s consumer choice page.  As noted in the Bill Analyses, while the DAA’s consumer choice mechanism enables consumers to opt out of receiving advertising based on online tracking data, it only works for companies that participate in the DAA’s program and “does not allow consumers not to be tracked.”

User Credentials Subject to California Breach Laws Effective January 1, 2014

Governor Brown also signed into law amendments to California’s breach notification laws on September 27, 2013.  As amended, the definition of “personal information” that triggers breach notification requirements includes consumers’ online credentials: “user name or email address, in combination with a password or security question and answer that would permit access to an online account.”

Mobile Advertising: Mobile Telephone as Tracking Device

In the October 6, 2013, edition of the New York Times, an article titled “Selling Secrets of Phone Users to Advertisers” describes sophisticated profiling techniques for mobile phone users that feed on data collected through partnerships with various other online service providers.  These companies are developing alternatives for cookies, which do not work on mobile devices and, as the new California law illustrates, are increasingly irrelevant as an online tracking technique because users can block or delete them.

New Tracking Technology from Microsoft and Google

On October 9, 2013, AdAge reported that Microsoft is developing a new kind of tracking technology to replace cookies.  The new technology would function as a “device identifier,” allowing user tracking across devices that use Microsoft Windows, Xbox, Internet Explorer, Bing and other Microsoft services.  Similarly, USA Today reported that Google is developing its own digital tracking mechanism known as “AdID.”  While both of these new trackers will be used to collect and aggregate data for advertising and marketing purposes, they purportedly will offer users more control over how and what online activity is tracked and who has access to their personal data.

Better Business Bureau Issues Compliance Warning to Website Operators

On October 14, 2013, the Better Business Bureau issued a Compliance Warning noting that a “significant minority of website operators” are omitting the “enhanced notice link” (as required by the DAA’s Self-Regulatory Program for Online Behavioral Advertising) when ad networks and other third parties collect data for interest-based advertising purposes but cannot provide their own notice on the website on which the data collection occurs.  The Better Business Bureau operates the Online Interest-Based Advertising Accountability Program, through which it monitors businesses’ advertising practices and enforces the DAA’s self-regulatory program, even for companies that are not participating in it.

All of this news has created consumer confusion.  While consumers are increasingly aware of being tracked, they don’t know what exactly it means or which websites are doing it—and they are not happy about it.  A study from data privacy company TRUSTe found that 80 percent of consumers are aware of being tracked and 52 percent don’t like it.

What to Do?

A check-up for the privacy policy (or “privacy statement,” which is the increasingly popular industry term) posted on your company’s website is a good way to start evaluating your company’s digital advertising and privacy practices.  The online privacy statement is the primary means by which website operators (also known as “publishers”) communicate their privacy practices to users.

These four steps can help you successfully evaluate your company’s privacy statement:

First, find out if your company’s marketing strategy includes advertising based on consumer information collected through cookies or other tracking technology.  Even if this type of advertising is not part of current plans, your company’s website still may have third-party tracking activities occurring on it, and these activities must be disclosed in the privacy statement as of January 1, 2014.

Second, review the privacy statement displayed on your company’s website(s) and/or mobile application(s) and make sure it accurately, clearly and completely discloses the information collected from users, how it is collected (e.g., by your company or by third parties), how your company uses the information, and whether and how the information is disclosed to third parties.  If you use information that you collected from consumers for targeted advertising, make sure the privacy statement says so.  A federal judge in the Northern District of California recently reviewed a company’s online privacy policy to evaluate whether users reading the privacy policy would understand that they were agreeing to allow user profiles and targeted advertising based on the contents of their e-mails.  The court found that the lack of specificity in the company’s privacy policy about e-mail interception meant that users could not and did not consent to the practices described in the online privacy policy.

Third, find out when and how the privacy statement is or was presented to users who provide personal information through the company website(s) and/or mobile application(s).  Is the privacy statement presented as a persistent link in the footer of each webpage?  Are users required to agree to the privacy statement?  If not, consider implementing a mechanism that requires users to do so before providing their personal information.

Finally, if your privacy statement needs to be updated, make sure you notify all consumers in advance and ensure that the changes you propose are reasonable.  Unreasonable and overbroad changes made after the fact can cause reputational harm.  Instagram learned this at the end of 2012 when it tried to change its terms of service so that users’ photos could be used “in connection with paid or sponsored content or promotions, without any compensation to [the user].”  After a hail of consumer complaints, Instagram withdrew the revised terms and publicized new, more reasonable ones.


California Enacts New Data Privacy Laws

Sheppard Mullin 2012

As part of a flurry of new privacy legislation, California Governor Jerry Brown signed two new data privacy bills into law on September 27, 2013: S.B. 46 amending California’s data security breach notification law and A.B. 370 regarding disclosure of “do not track” and other tracking practices in online privacy policies. Both laws will come into effect on January 1, 2014.

New Triggers for Data Security Breach Notification

California law already imposes a requirement to provide notice to affected customers of unauthorized access to, or disclosure of, personal information in certain circumstances. S.B. 46 adds to the current data security breach notification requirements a new category of data triggering these notification requirements: A user name or email address, in combination with a password or security question and answer that would permit access to an online account.

Where the information subject to a breach only falls under this new category of information, companies may provide a security breach notification in electronic or other form that directs affected customers to promptly change their passwords and security questions or answers, as applicable, or to take other steps appropriate to protect the affected online account and all other online accounts for which the customer uses the same user name or email address and password or security question or answer. In the case of login credentials for an email account provided by the company, the company must not send the security breach notification to the implicated email address, but needs to provide notice by one of the other methods currently provided for by California law, or by clear and conspicuous notice delivered to the affected user online when the user is connected to the online account from an IP address or online location from which the company knows the user ordinarily accesses the account.

Previously, breach notification in California was triggered only by the unauthorized acquisition of an individual’s first name or initial and last name in combination with one or more of the following data elements, when either the name or the data elements are unencrypted: social security number; driver’s license or state identification number; account, credit card or debit card number in combination with any required security or access codes; medical information; or health information. S.B. 46 not only expands the categories of information the disclosure of which may trigger the requirement for notification, it also—perhaps unintentionally—requires notification of unauthorized access to user credential information even if that information is encrypted. Thus, S.B. 46 significantly expands the circumstances in which notification may be required.

New Requirements for Disclosure of Tracking Practices

A.B. 370 amends the California Online Privacy Protection Act (CalOPPA) to require companies that collect personally identifiable information online to include information about how they respond to “do not track” signals, as well as other information about their collection and use of personally identifiable information. The newly required information includes:

  • How the company responds to “do not track” signals or other mechanisms that provide consumers the ability to exercise choice over the collection of personally identifiable information about their online activities over time and across third-party websites or online services, if the company collects such information; and
  • Whether third parties may collect personally identifiable information about a consumer’s online activities over time and across different websites when a consumer uses the company’s website.

These disclosures have to be included in a company’s privacy policy. In order to comply with the first requirement, companies may provide a clear and conspicuous hyperlink in their privacy policy to an online description of any program or protocol the company follows that offers the user that choice, including its effects.

It’s important to note that the application of CalOPPA is broad. It applies to any “operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service.” As it is difficult to do business online without attracting users in technologically sophisticated and demographically diverse California, these provisions will apply to most successful online businesses.

What to Do

In response to the passage of these new laws, companies should take the opportunity to examine their data privacy and security policies and practices to determine whether any updates are needed. Companies should review and, if necessary, revise their data security breach plans to account for the newly added triggering information as well as the new notification that may be used if that information is accessed. Companies who collect personally identifiable information online or through mobile applications should review their online tracking activities and their privacy policies to determine whether and what revisions are necessary. The California Attorney General interprets CalOPPA to apply to mobile applications that collect personally identifiable information, so companies that provide such mobile apps should remember to include those apps in their review and any update.


Will a New California Ballot Initiative Usher in the Next National Shift in Privacy Law?

Poyner Spruill

Just 10 years ago, California enacted the first breach notification law and unwittingly transformed the landscape of American privacy and data security law. To date, 45 other states, multiple federal agencies, and even local governments have followed suit. California residents may soon find themselves voting on a ballot initiative that could have an equally dramatic effect on this area of law.


The ballot initiative, known as the California Personal Privacy Initiative, is designed to remove barriers to privacy and data security lawsuits and also would promote stronger data security and an “opt-in” standard for the disclosure of personal information. Specifically, the initiative would amend the California Constitution to:

  1. Create a presumption that “personally identifying information” collected for a commercial or governmental purpose is confidential

  2. Require the person collecting such information to use all reasonably available means to protect it from unauthorized disclosure

  3. Create a presumption of harm to a person whenever her confidential personally identifying information has been disclosed without her authorization.

Notwithstanding the presumption of harm, the amendment would permit the disclosure of confidential personally identifying information without authorization “if there is a countervailing compelling interest to do so (such as public safety or protected non-commercial free speech) and there is no reasonable alternative for accomplishing such compelling interest.”

Turning first to the impact on litigation, plaintiffs have largely been unsuccessful in privacy and data security litigation because they have failed to show harm resulting from an alleged unlawful privacy practice or security breach. The obligation to show harm arises at two stages when a case is litigated in federal court: first, the plaintiff must establish that he has suffered an “injury in fact” in order to meet the requirements for Article III standing, and second, the plaintiff must satisfy the harm requirement that applies to the relevant cause of action (e.g., negligence). If the case is litigated in state court, the standing requirement does not apply, but most, if not all, privacy and data security breach class actions have been litigated in federal court.

The ballot initiative would create a presumption of harm that could allow more lawsuits to satisfy the injury-in-fact standard (step one, above) and the harm requirement for the underlying cause of action (step two, above). Without that barrier, businesses would be stripped of the most effective means of prevailing on a motion to dismiss for certain causes of action. And in some scenarios, businesses would be forced to rely on untested or tenuous defenses, making companies more likely to settle, rather than fight, previously unsustainable causes of action.

Other components of the initiative would exacerbate the uptick in litigation, including the presumption that personally identifying information collected for a commercial purpose is confidential and the requirement that organizations use reasonable measures to prevent unauthorized disclosure of that information. Plaintiffs’ claims are sometimes based on an allegation that promises made in the defendant’s privacy notice regarding security measures are deceptive. Currently, companies can protect themselves against these claims by making only conservative representations about privacy and security. But the ballot initiative could create a general duty to adopt reasonable privacy and security measures, raising the prospect that plaintiffs could more successfully pursue negligence-style claims, which companies cannot deter solely by adopting conservative privacy notices.

The initiative also employs a very broad definition of personally identifying information: “any information which can be used to distinguish or trace a natural person’s identity, including but not limited to financial and/or health information, which is linked or linkable to a specific natural person.” (The definition does not cover publicly available information lawfully made available to the public from government records.) This expansive definition would force organizations to apply stricter security to types of information that might not otherwise receive those protections. Furthermore, the definition is particularly problematic when considered in conjunction with the presumption of harm discussed above because identifiable data such as names, email addresses, and device identifiers are routinely shared by businesses without consent. If this initiative succeeds, the increased threat of litigation will incentivize businesses to default to an opt-in standard for disclosures of information.

There is, however, at least one reason to believe that the initiative may not be as detrimental to business interests as some are predicting. Showing a nominal harm for the underlying cause of action does not necessarily equate to an award of damages so, even if the ballot initiative is successful, there would in some cases remain a practical limitation on the plaintiff’s ability to recoup money damages. Where statutory damages are available, or where a plaintiff can show some actual monetary harm, money awards would be possible. But in cases where statutory damages are not available and a plaintiff must show actual monetary harm to procure a monetary award, the ballot initiative may not save such claims. For example, the damages award flowing from a negligence claim is generally based on the actual damages incurred by a plaintiff. Therefore, even if the plaintiff could state a cause of action for the purpose of defeating a motion to dismiss, the plaintiff may not be entitled to anything more than a nominal damages award if the plaintiff cannot demonstrate monetary damage such as the cost of credit monitoring, identity theft insurance, or perhaps even therapy bills. On the other hand, courts could interpret the amendment as requiring recognition of a new type of harm, similar to emotional distress, that is compensable through money damages—even without a showing of some concrete financial harm to the plaintiff.

The ballot initiative’s proponents must obtain 807,615 signatures before Californians would have the opportunity to vote on it. If the signatures are collected, then the initiative will appear on the ballot without further opportunity to seek amendments to address business concerns. If the initiative appears on the ballot, it would require only a simple majority vote to pass. Interested organizations should work to ensure that public debate over the initiative includes a discussion of the heavy burden on business that could result from the initiative.

 

Data Privacy Day 2013 – Passwords

The National Law Review recently featured an article on Passwords written by Cynthia J. Larose with Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.:


 

Something everyone can do for Data Privacy Day:  make it a point to change at least one password and make it “long and strong.”

Here are some tips for building strong passwords from David Sherry, Chief Information Security Officer at Brown University:

To create a strong password, you should use a string of text that mixes numbers, letters that are both lowercase and uppercase, and special characters. Best practice says it should be eight characters, but the more the better. The characters should be random, and not follow from words, alphabetically, or from your keyboard layout.

So how do you make such a password?

Spell something backwards. Example: Turn “New York” into “kroywen”

Use “l33t speak”: Substitute numbers for certain letters.  Example: Turn “kroywen” into “kr0yw3n”

Randomly throw in some capital letters.  Example: Turn “kr0yw3n” into “Kr0yW3n”

Don’t forget the special character.  Example: Turn “Kr0yW3n” into “!Kr0y-W3n$”

So, you say you can’t remember “complex” passwords…

One suggestion: create one, very strong, password and “append” it with an identifier:

!Kr0y-W3n$Bro

!Kr0y-W3n$Ama

!Kr0y-W3n$Boa

!Kr0y-W3n$Goo

!Kr0y-W3n$Yah
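
The criteria listed in the tips above (character mix, at least eight characters, nothing that follows from words, the alphabet or the keyboard layout) can be expressed as a checker. This is an added example, not part of the original article; the function names, the four-character run threshold and the small word list are assumptions made for this sketch.

```python
import string

MIN_LENGTH = 8  # the length the tips give as best practice
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
# Constructed sample list; a real deployment would load a much larger one.
SAMPLE_WORDS = ("password", "welcome", "newyork", "letmein")


def has_run(text, source, run_len=4):
    """True if text contains run_len consecutive characters of source,
    read forwards or backwards (e.g. 'qwer' or 'rewq')."""
    for seq in (source, source[::-1]):
        for i in range(len(seq) - run_len + 1):
            if seq[i:i + run_len] in text:
                return True
    return False


def check_password(candidate, words=SAMPLE_WORDS):
    """Return the list of criteria the candidate fails (empty list = passes)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("fewer than 8 characters")

    # The tips ask for a mix of all four character classes.
    required = {
        "lowercase letter": str.islower,
        "uppercase letter": str.isupper,
        "number": str.isdigit,
        "special character": lambda c: c in string.punctuation,
    }
    for label, test in required.items():
        if not any(test(c) for c in candidate):
            problems.append("no " + label)

    # "Not follow ... alphabetically, or from your keyboard layout."
    lowered = candidate.lower()
    if has_run(lowered, string.ascii_lowercase):
        problems.append("alphabetical run")
    if any(has_run(lowered, row) for row in KEYBOARD_ROWS):
        problems.append("keyboard-layout run")

    # "Not follow from words": plain substring match on the letters only.
    letters_only = "".join(c for c in lowered if c.isalpha())
    if any(word in letters_only for word in words):
        problems.append("contains a listed word")
    return problems


if __name__ == "__main__":
    for pw in ("kroywen", "Qwerty123!", "NewYork2013!", "!Kr0y-W3n$"):
        print(pw, "->", check_password(pw) or "meets the listed criteria")
```

The word check here is a plain substring match against the supplied list and does not undo reversals or character substitutions.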

©1994-2013 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.