Tag: data

Secure Sockets Layer (SSL) 3.0 Encryption Declared “No Longer Acceptable” to Protect Data

McDermott Will & Emery

On Friday, February 13, 2015, the Payment Cards Industry (PCI) Security Standards Council (Council) posted a bulletin to its website, becoming the first regulatory body to publicly pronounce that Secure Socket Layers (SSL) version 3.0 (and by inference, any earlier version) is “no longer… acceptable for protection of data due to inherent weaknesses within the protocol” and, because of the weaknesses, “no version of SSL meets PCI SSC’s definition of ‘strong cryptography.’” The bulletin does not offer an alternative means that would be acceptable, but rather “urges organizations to work with [their] IT departments and/or partners to understand if [they] are using SSL and determine available options for upgrading to a strong cryptographic protocol as soon as possible.” The Council reports that it intends to publish soon an updated version of PCI-DSS and the related PA-DSS that will address this issue. These developments follow news of the Heartbleed and POODLE attacks from 2014 that exposed SSL vulnerabilities.

Although the PCI standards only apply to merchants and other companies involved in the payment processing ecosystem, the Council’s public pronouncement that SSL is vulnerable and weak is a wakeup call to any organization that still uses an older version of SSL to encrypt its data, regardless of whether these standards apply.

As a result, every company should consider taking the following immediate action:

  1. Work with your IT stakeholders and those responsible for website operation to determine if your organization or a vendor for your organization uses SSL v. 3.0 (or any earlier version);

  2. If it does, evaluate with those stakeholders how to best disable these older versions, while immediately upgrading to an acceptable strong cryptographic protocol as needed;

  3. Review vendor obligations to ensure compliance with a stronger encryption protocol is mandated and audit vendors to ensure the vendor is implementing greater protection;

  4. If needed, consider retaining a reputable security firm to audit or evaluate your and your vendors’ encryption protocols and ensure vulnerabilities are properly remediated; and

  5.  Ensure proper testing prior to rollout of any new protocol.

ARTICLE BY

Heather Egan Sussman
Sarah T. Hogan
OF
McDermott Will & Emery

European Commission Discusses Big Data

Morgan Lewis logo

The European Commission (the Commission) recently issued a press release recognizing the potential of data collection and exploitation (or “big data”) and urging governments to embrace the positive aspects of big data.

The Commission summarized four main problems that have been identified in public consultations on big data:

  • Lack of cross-border coordination
  • Insufficient infrastructure and funding opportunities
  • A shortage of data experts and related skills
  • A fragmented and overly complex legal environment

To address these issues, the Commission proposed the following:

  • A public-private partnership to fund big data initiatives
  • An open big data incubator program
  • New rules on data ownership and liability for data provision
  • Mapping of data standards
  • A series of educational programs to increase the number of skilled data workers
  • A network of data processing facilities in different member states

The Commission stated that, in order to help EU citizens and businesses more quickly reap the full potential of data, it will work with the European Parliament and the European Council to successfully complete the reform of the EU’s data protection rules. The Commission will also work toward the final adoption of the directive on network and information security to ensure the high level of trust that is fundamental for a thriving data-driven economy.

Article By:

Barbara Murphy Melby
Doneld G. Shelkey
Of:
Morgan, Lewis & Bockius LLP

 

Wyndham Data Breach Ruling Cleared for Potential Appeal to Third Circuit

COV_cmyk_C

 

U.S. District Court Judge Esther Salas ruled on Monday that the U.S. Court of Appeals for the Third Circuit can review her conclusion that Section 5 of the Federal Trade Commission Act provides the FTC with authority to bring actions arising from companies’ data security violations.

In April of this year, Judge Salas denied Wyndham Hotels and Resorts’ motion to dismiss a FTC lawsuit that alleges that Wyndham violated the FTC Act’s prohibition against “unfair practices” by failing to provide reasonable security for its customers’ personal information. Although her order is not a final ruling and is not binding on any other judge, it received considerable attention because it was the first time that a court has weighed in on the scope of the FTC’s authority over data security and privacy matters.

Denials of motions to dismiss ordinarily are not immediately appealable, absent permission from both the district court and the court of appeals.  In her ruling on Monday, Judge Salas granted Wyndham’s motion to appeal her order to the Third Circuit.  Judge Salas reasoned that there is substantial grounds for differences of opinion on two issues: (1) whether the FTC can bring a Section 5 unfairness claim involving data security; and (2) whether the FTC must formally promulgate regulations before bringing its unfairness claim.

If the Third Circuit grants Wyndham’s Petition to Appeal, the appellate court will review the legal conclusions in Judge Salas’s April order.  If the Third Circuit denies the petition, the case will proceed in the district court.  Even if the Third Circuit denies this petition for review, it ultimately may hear an appeal of the outcome of summary judgment proceedings or a trial in this case.

Article By:

Jeff Kosseff
Of:
Covington & Burling LLP

Dealing with Personal Information at the Water’s Edge… Re: U.S. Safe Harbor Program

Jackson Lewis Logo

 

Privacy and data security issues and concerns do not stop at the water’s edge. Companies needing to share personal information, even when the sharing will take place inside the same “company,” frequently run into challenges when that sharing takes place across national borders. In some ways, the obstacles created by the matrix of federal and state data privacy and security laws in the U.S. are dwarfed by the matrix that exists internationally. Most countries regulate to some degree the handling of data, from access, to processing, to disclosure and destruction. And, the law continues to develop rapidly, sometimes due to unexpected events. Take, for example, the U.S. Safe Harbor programthat was designed to facilitate the transfer of personal data of individuals in the European Union (EU) to the United States. Because the EU believes that the law in some countries, including the U.S., fails to provide “adequate safeguards,” the general rule is that personal data of EU persons cannot be sent to the U.S. unless an exception applies. One exception is based on a negotiated deal between the EU and the U.S., commonly known as the U.S. Safe Harbor, a program which currently is in some jeopardy due to the recent reports of NSA monitoring, Snowden, etc.

data information EU European Union world

Currently, to meet the Safe Harbor, a company must take certain steps, including (i) appointing a privacy ombudsman; (ii) reviewing and auditing data privacy practices; (iii) establishing a data privacy policy that addresses the following principles: notice, choice, onward transfer of data, security, integrity, access and enforcement; (iv) implementing privacy and enforcement procedures; (v) obtaining consents and creating inventory of consents for certain disclosures; and (vi) self-certifying compliance to the U.S. Department of Commerce.

A recent statement from Viviane Reding, European Commissioner for Justice, Fundamental Rights and Citizenship, quoted in The Guardian, October 17, 2013, signals some changes may be in store for the Safe Harbor:

The Safe Harbour may not be so safe after all. It could be a loophole because it allows data transfers from EU to US companies, although US data protection standards are lower than our European ones,” said Reding. “Safe Harbour is based on self-regulation and codes of conduct. In the light of the recent revelations, I am not convinced that relying on codes of conduct and self-regulation that are not policed in a strict manner offer the best way of protecting our citizens.

At the same time, the EU continues to update and strengthen its protections for personal data. Companies that operate globally need to be sensitive to not only complying with the laws specific to activities within a jurisdiction, but also to activities between jurisdictions. Common business decisions such as deciding where data will be stored, setting up global databases for employees medical, personnel and other information, arranging for enterprise-wide employee benefits or monitoring programs, can face significant obstacles relating to the interplay of the data privacy and security laws of the countries involved.

Article by:

Joseph J. Lazzarotti

By:

Jackson Lewis P.C.