The 2017 edition of The Legal 500 United States recommends Seyfarth Shaw’s Global Privacy & Security Team as one of the best in the country for Cyber Law (including data protection and privacy). In addition, based on feedback from corporate counsel, the co-chairs of Seyfarth’s group, Scott A. Carlson and John P. Tomaszewski, and Seyfarth partners Karla Grossenbacher (head of Seyfarth’s National Workplace Privacy Team) and Richard D. Lutkus were recommended in the editorial. Richard Lutkus is also listed as one of 14 “Next Generation Lawyers.”

The Legal 500 United States is an independent guide providing comprehensive coverage on legal services and is widely referenced for its definitive judgment of law firm capabilities.

In January 2017, The Sedona Conference Working Group on International Electronic Information Management, Discovery, and Disclosure (WG6) issued the much-anticipated International Litigation Principles on Discovery, Disclosure & Data Protection in Civil Litigation (Transitional Edition). This publication updates the 2011 International Litigation Principles, which preceded the 2013 Snowden revelations and the Schrems decision invalidating the U.S.-EU Safe Harbor. It also incorporates adoption and implementation of the EU-U.S. Privacy Shield, and the approval of the EU General Data Protection Regulation (GDPR), which is set to replace the 1995 EU Data Privacy Directive in May 2018. Many of these developments are consistent with the focus on “proportionality” of discovery in the 2015 amendments of the U.S. Federal Rules of Civil Procedure.

Given the complex and dynamic EU data protection landscape (the new Privacy Shield has not been tested, and the GDPR has not even taken effect), WG6 has aptly designated this a “Transitional” edition. This edition provides interim best practices and practical guidance for courts, counsel and corporate clients on safely navigating the competing and conflicting issues involved in cross-border transfers of EU personal data in the context of transnational litigation and regulatory proceedings. Following are the publication’s Six Transitional International Litigation Principles:

Continue Reading The Sedona Conference WG6 Issues “Transitional” International Litigation Principles

Earlier this month, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) civil money penalty of $3,217,000.00 against Children’s Medical Center of Dallas (Children’s), a pediatric hospital that is part of Children’s Health, the seventh largest pediatric health care provider in the nation. OCR based this penalty on its finding that Children’s failed to comply with the HIPAA Security Rule over many years and that Children’s impermissibly disclosed unsecured electronic protected health information (ePHI) when it suffered two data breaches that were reportable to OCR.

The Breaches

  • On January 18, 2010, Children’s reported to OCR the loss of an unencrypted, non-password protected BlackBerry device at an airport on November 19, 2009. The device contained the ePHI of approximately 3,800 individuals.
  • On July 5, 2013, Children’s reported to OCR the theft of an unencrypted laptop from its premises sometime between April 4 and April 9, 2013. The device contained the ePHI of approximately 2,462 individuals.

Because Children’s devices were unencrypted, Children’s was obligated to report their loss, along with the unsecured ePHI they contained, to HHS. Had Children’s devices been encrypted, it could have taken advantage of the “safe harbor” rule, pursuant to which covered entities and business associates are not required to report a breach of information that is not “unsecured.”

The Investigation

  • OCR’s investigation revealed that, in violation of HIPAA Rules, Children’s (1) failed to implement risk management plans, contrary to prior external recommendations to do so, and (2) knowingly and over the course of several years, failed to encrypt, or alternatively protect, all of its laptops, work stations, mobile devices, and removable storage media.
    • OCR’s investigation established that Children’s knew about the risk of maintaining unencrypted ePHI on its devices as far back as 2007.
    • Despite this knowledge, Children’s issued unencrypted BlackBerry devices to nurses and allowed its workforce members to continue using unencrypted laptops and other mobile devices until 2013.

The Takeaways

Continue Reading Key Takeaways from OCR’s Latest HIPAA Fine: Hospital to Pay $3.2 Million for Its Cybersecurity Violations

Last month, The Sedona Conference released the public comment version of The Sedona Conference Data Privacy Primer, a comprehensive catalog of U.S. data privacy issues, legislation, and resources, designed to provide “immediate and practical benefit” to organizations and practitioners dealing with privacy issues. The Primer is a work product of The Sedona Conference Working Group Eleven on Data Security and Privacy Liability (WG11). The Primer is open for public comment until April 16, 2017.

A quick read through the Primer makes clear that this publication will become a practical reference book for any attorney seeking to understand basic privacy issues in the United States. At over 100 pages, the Primer is organized much like a treatise, with chapters devoted to the basic data privacy concepts, federal and state government privacy protection, general consumer protection, protection of health and financial information, and workplace and student privacy.

With the United States having a multitude of national, local, and industry-specific privacy statutes and regulations, it can be a challenge to identify all the issues and applicable laws that might apply to a particular legal situation. The Primer conveniently gathers everything in one place and includes discussion of the protections provided by all major federal laws, including the Federal Trade Commission (FTC) Act, Children’s Online Privacy Protection Act (COPPA), Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM), Telemarketing and Consumer Fraud and Abuse Prevention Act (Telemarketing Act), Communications Act of 1934, Telephone Consumer Protection Act of 1991, Health Insurance Portability and Accountability Act of 1996 (HIPAA) and The Health Information Technology for Economic and Clinical Health Act (HITECH), The Gramm–Leach–Bliley Act (GLBA), The Fair Credit Reporting Act (FCRA), The Right to Financial Privacy Act of 1978 (RFPA), Family Educational Rights and Privacy Act, Protection of Pupil Rights Amendment, as well as a variety of state laws, proposed legislation, and best practices for approaching various data privacy issues.

Employers will find helpful the discussion of Workplace Privacy, in which the Primer touches upon use of company equipment and email, bring your own device (BYOD) policies, and social media privacy issues. Educational institutions will benefit from the discussion of Student Privacy, which covers FERPA, COPPA, consent requirements and exceptions, right of access, parental rights, and proposed legislation.

The Primer also includes “Side Bar” discussions for each section with practice pointers and best practices related to each area that could help increase compliance with privacy laws and mitigate risk. Most importantly, the Primer points out the interplay among different laws as they might bear on a particular situation, thereby minimizing the risk that some relevant considerations might be overlooked when an organization makes a decision on how to discharge its privacy obligations.

Beginning on April 12, 2017, U.S. organizations that are subject to the investigatory and enforcement powers of the FTC or the Department of Transportation will be able to self-certify to the newly adopted Swiss–U.S. Privacy Shield Framework (“Swiss Privacy Shield”). The Swiss Privacy Shield will allow transfers of Swiss personal data to the United States in compliance with Swiss data protection requirements. The Swiss Privacy Shield will replace the U.S.–Swiss Safe Harbor Framework and will impose similar data protection requirements established last summer for cross-border transfers of personal data from the EU under the EU–U.S. Privacy Shield (“Privacy Shield”).

With the adoption of the Swiss Privacy Shield, transfers of personal data from Switzerland under the Swiss Safe Harbor Framework will no longer be permitted. Organizations currently registered with the Swiss Safe Harbor would need to certify under the Swiss Privacy Shield or implement alternative methods for complying with Swiss data transfer restrictions, such as Standard Contractual Clauses and Binding Corporate Rules. To join the Swiss Safe Harbor, organizations would need to ensure that their privacy policies, notices, statements, and procedures are in compliance with the new framework. The Department of Commerce provides sample language that can be used in an organization’s privacy policy to signify its participation in the Swiss Privacy Shield.

Organizations with active Privacy Shield certifications will be able to add the Swiss Privacy Shield registration to their existing Privacy Shield accounts, at a separate annual fee. Similarly to the Privacy Shield, the fee for participation in the Swiss Privacy Shield will be tiered based on the organization’s annual revenue. The exact fee structure will be made available sometime before April 12.

Notably, organizations with dual registrations would need to recertify under both the Privacy Shield and the Swiss Privacy Shield one year from the date the first of their two certifications was finalized. That means, for instance, that an organization that registered for the Privacy Shield on September 1, 2016, which then registers for the Swiss Privacy Shield on May 1, 2017, would need to complete its annual recertification under both frameworks by September 1, 2017.

While the requirements of the two frameworks are nearly identical, there are a few differences:

Continue Reading The Swiss Privacy Shield Opens for Business on April 12

The EU Article 29 Data Protection Working Party (WP29) is continuing its work in preparation for the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), which will take effect in May 2018. Last month, the WP29 released three sets of guidelines for controllers and processors of personal data, including guidelines on the right to data portability, on data protection officers, and on the lead supervisory authority. Key takeaways from these three guidelines can be found on our blog.

This month, WP29 announced that it adopted its “2017 GDPR Action Plan.” The Plan identifies two areas of focus: (1) follow-up on 2016 topics, and (2) new 2017 priorities. The follow-up work will include finalizing guidelines on certification, on processing likely to result in a high risk and Data Protection Impact Assessments, and on administrative fines, the setting up of the European Data Protection Board (EDPB), and the preparation of the “one-stop-shop” and EDPB consistency mechanism.

This year, WP29 plans to prepare and release guidelines on the topics of consent, profiling, and transparency. The WP29 will also work on the update of already existing opinions on data transfers to third countries and data breach notifications. This year, companies that rely on transfers of personal data from the EU may have the following three opportunities to engage with the WP29 and EU Data Protection Authorities (DPAs):

  • On April 5-6, 2017, the WP29 will hold a Fablab meeting, where interested stakeholders will have an opportunity to present their views and comments on the identified 2017 priorities.
  • On May 18-19, 2017, the WP29 will organize an interactive workshop where non-EU counterparts will be invited to exchange views on the GDPR and its implementation by the WP29.
  • The press release also states that relevant public consultations “may be” launched at a national level by local DPAs.

The WP29 plans to review its 2017 plan periodically and prepare a new plan for 2018 to finish the preparation work. We will be commenting on the forthcoming GDPR guidelines as they are released by the WP29.

Yesterday, President Trump signed Executive Order: Enhancing Public Safety in the Interior of the United States (Jan. 25, 2017). The Order states as its purpose “interior enforcement of our Nation’s immigration laws.” Section 14 of the Order calls for denial of any rights under the Privacy Act of 1974 to any non-U.S. citizen, “to the extent consistent with applicable law.”

Sec. 14. Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.

Over the course of last year, the Obama Administration undertook the major task of putting in place the new cross-border data transfer framework, the EU-U.S. Privacy Shield, which involved months of drafting and negotiations with the EU authorities and the validity of which is still being challenged by various EU privacy groups. The Privacy Shield’s provision of comprehensive privacy protections was key to ensuring that cross-border commercial data transfers continued after the invalidation of the Safe Harbor framework in October 2015. The Privacy Shield opened for self-certification to businesses on August 1, 2016, and hundreds of companies have joined the framework since that time.

Continue Reading President Trump’s Executive Order May Impact the Privacy Shield

In his last week in office, President Obama issued a report on data privacy and cybersecurity, “Privacy in Our Digital Lives: Protecting Individuals and Promoting Innovation” (January 2017). The report serves as a high-level overview of how people’s interaction with technology has changed in the last several years and what the government has done to protect individual privacy while advancing the economy and national security. The report also highlighted the path forward. Many of the initiatives currently in the works or yet to come will require strong cooperation between the government and the private sector.

Some of the data-privacy highlights pointed out in the report are:

  • Financial Privacy. The BuySecure Initiative announced by President Obama in 2014, which encouraged the deployment of new security technology (e.g., chip-and-PIN cards) for payments made in the United States.
  • Broadband Privacy. New rules approved by the Federal Communications Commission (FCC) that give consumers more control over how Internet Service Providers (ISPs) use their data, requiring ISPs to obtain user consent before sharing sensitive information they collect with advertisers and other third parties.
  • Drone Privacy. Six Federal entities that use government-operated drones – the Departments of Defense, Homeland Security, the Interior, Justice and Transportation, and the National Aeronautics and Space Administration – have put in place privacy policies for their use of drones pursuant to President Obama’s 2015 Presidential Memorandum on safeguarding privacy in domestic use of unmanned aircraft systems.
  • Children’s Privacy. The Children’s Online Privacy Protection Act (COPPA), enacted in 1998, was modernized in 2012 to address changes in technology and better protect online privacy of children under the age of 13.
  • Student Privacy. President Obama’s Student Privacy Pledge has been signed by over 250 companies, including some of the Nation’s largest, that have agreed to limit collection and sharing of student data.
  • International Commercial Privacy. The Obama Administration undertook the major task of putting in place the EU-U.S. Privacy Shield framework, which involved months of drafting and negotiations with the EU authorities. The Privacy Shield’s provision of comprehensive privacy protections, backed by FTC enforcement, was key to ensuring that cross-border commercial data transfers continued after the invalidation of Safe Harbor.
  • Legislative Reforms. In 2015, President Obama signed into law the USA Freedom Act, which ended the U.S. Intelligence Community’s collection of bulk telephony metadata under the USA Patriot Act. The USA Freedom Act creates a more targeted approach whereby the government would generally require judicial permission to access call records held by telecommunications providers.

The Report also included “Areas for Further Attention,” which the Obama Administration hoped the new Administration would focus upon. These Areas are as follows:

Continue Reading The White House Report on Data Privacy Identifies “Areas for Further Attention”


This week, the European Commission released its proposal to repeal the existing Directive on Privacy and Electronic Communications (the ePrivacy Directive (Directive 2002/58/EC)) and to replace it with a new Regulation. Unlike the current EU Data Protection Directive and the new General Data Protection Regulation (GDPR) effective May 2018, the ePrivacy Directive primarily addressed practices of traditional telecommunication providers rather than the newer providers of electronic communication services (e.g., Gmail, and others listed below). The reason behind the proposal is to bring the existing law up to date with the technological evolution that has occurred since the passage of the ePrivacy Directive. The proposal is also expected to ensure consistency between the protections afforded by the ePrivacy Directive, particularly with respect to confidentiality of communications, and the GDPR.

The two most impactful proposed changes are: (1) extension of the application of privacy rules from traditional telecommunications operators to the new providers of electronic communications services, such as Gmail, Facebook Messenger, WhatsApp, and others, and (2) simplification of the rules on cookies. The former proposal would prevent email services, such as Gmail, from scanning the contents of their users’ email for the purposes of delivering targeted advertising, without obtaining the users’ explicit consent. Obviously, this could significantly impact ad revenue of online email and messaging services that rely on targeted advertising for their funding.

The simplification of cookie rules, however, is a welcome relief to businesses. Article 5(3) of the current ePrivacy Directive requires websites to obtain prior informed consent from a user before storing cookies and similar technologies (e.g., web beacons, Flash cookies, etc.) or accessing information stored on the user’s terminal equipment. For consent to be valid, it must be informed, specific, freely given, and must constitute a real indication of the individual’s wishes. Certain cookies are exempt from the consent requirement, including user-input cookies (session ID first-party cookies), authentication cookies (to identify the user for the duration of a session), user-interface customization cookies (e.g., language or font preferences, for the duration of a session), and third-party social plug-in content-sharing cookies (for logged-in members of a social network). In other words, cookies that are used for the sole purpose of carrying out the transmission of a communication, or that are necessary to provide the requested service, are likely to be exempt. Some businesses, however, read this exemption narrowly and request user consent even for the use of these “experience-enhancing” cookies.

Continue Reading Goodbye Cookie Banners? The European Commission Proposes to Simplify the Cookie Law

As we begin the new year, companies are continuing to survey the ever-changing data-breach landscape and assess their own preparedness for the worst. And with data security threats becoming more complex, sophisticated, and diverse every year, it is no small task. For those of you wondering what data breach trends might look like this year, and what to do to avoid them, Experian Data Breach Resolution, drawing on its experience with over 17,000 data breaches over the last decade, offered the following five predictions in its 2017 Data Breach Industry Forecast:

Aftershock password breaches will expedite the death of the password.

  • What and Why: Companies will face the consequences of previous data breaches, as username and password information breached years prior (and often from an unrelated company) continues to be sold through darknet markets.
  • The Takeaway: Companies should consider (1) using multi-factor authentication to verify users to help solve the password reuse problem; (2) accounting for aftershock breaches in their data-breach response plans; and (3) educating customers about resetting their passwords and about the broader risk associated with password reuse across websites.

Nation-state cyberattacks will move from espionage to war.

  • What and Why: Cyberattacks by hackers sponsored by foreign nations will likely continue to increase and escalate. Although these attacks are motivated by the desire to gain intelligence, they will lead to collateral damage to consumers and businesses through widespread outages or exposure of personal information.
  • The Takeaway: Businesses should prepare for large-scale attacks, particularly if they are a part of critical infrastructure, by staying vigilant about their security measures and by considering purchasing proper insurance protection.

Healthcare organizations will be the most targeted sector with new, sophisticated attacks emerging.

  • What and Why:
    • Medical identity theft will remain cybercriminals’ top target, as medical information is lucrative and easy to exploit.
    • Experian predicts that in the new year mega breaches will move on from focusing on healthcare insurers to distributed hospital networks, which might have more security challenges compared to centralized organizations.
    • Experian also predicts that electronic health records (EHRs) will likely be a primary target for attackers, since EHRs are widely used and are likely to touch a compromised computer.
    • The top breach vector will likely be ransomware, because a disruption of healthcare system operations could be catastrophic and most organizations would rather simply pay the ransom than fight the attack. According to the recent Office for Civil Rights (OCR) guidance, depending on the facts, ransomware attacks may be classified as breaches and require notification under the HIPAA Breach Notification Rule, in accordance with 45 CFR 164.404.
  • The Takeaway: Healthcare organizations need to ensure they have proper, up-to-date security measures in place, including data-breach response plans in the event of a ransomware attack and adequate employee training about the importance of security.

Continue Reading Top Five Data Breach Trend Predictions for 2017