In his last week in the Office, President Obama issued a report on data privacy and cybersecurity, “Privacy in Our Digital Lives: Protecting Individuals and Promoting Innovation” (January 2017). The report serves as a high-level overview on how people’s interaction with technology has changed in the last several years and what the government has done to protect individual privacy while advancing economy and national security. The report also highlighted the path forward. Many of the initiatives currently in the works or yet to come will require strong cooperation between the government and the private sector.

Some of the data-privacy highlights pointed out in the report are:

  • Financial Privacy. The BuySecure Initiative announced by President Obama in 2014, which encouraged the deployment of new security technology (e.g., chip-and-PIN cards) for payments made in the United States.
  • Broadband Privacy. New rules approved by the Federal Communications Commission (FCC) that give consumers more control over how Internet Service Providers (ISPs) use their data, requiring ISPs to obtain user consent before sharing sensitive information they collect with advertisers and other third parties.
  • Drone Privacy. Six Federal entities that use government-operated drones – the Departments of Defense, Homeland Security, the Interior, Justice and Transportation, and the National Aeronautics and Space Administration – have put in place privacy policies for their use of drones pursuant to President Obama’s 2015 Presidential Memorandum on safeguarding privacy in domestic use of unmanned aircraft systems.
  • Children’s Privacy. The Children’s Online Privacy Protection Act (COPPA), enacted in 1998, was modernized in 2012 to address changes in technology and better protect online privacy of children under the age of 13.
  • Student Privacy. President Obama’s Student Privacy Pledge has been signed by over 250 companies, including some of the Nation’s largest, that have agreed to limit collection and sharing of student data.
  • International Commercial Privacy. The Obama Administration has undertaken a big task of putting in place the EU-U.S. Privacy Shield framework, which involved months of drafting and negotiations with the EU authorities. The Privacy Shield’s provision of comprehensive privacy protections, backed by FTC enforcement, was key to ensure that cross-border commercial data transfers continued after the invalidation of Safe Harbor.
  • Legislative Reforms. In 2015, President Obama signed into law the USA Freedom Act, which ended the U.S. Intelligence Community’s collection of bulk telephony metadata under the USA Patriot Act. The USA Freedom Act creates a more targeted approach whereby the government would generally require judicial permission to access call records held by telecommunications providers.

The Report also included “Areas for Further Attention,” which the Obama Administration hoped the new Administration would focus upon. These Areas are as follows:


Continue Reading

This week, the European Commission released its proposal to repeal the existing Regulation on Privacy and Electronic Communication (the ePrivacy Directive (Directive 2002/58/EC)) and to replace it with a new Regulation. Unlike the current EU Data Directive and the new General Data Protection Regulation (GDPR) effective May 2018, the ePrivacy Directive primarily addressed practices of traditional telecommunication providers and new providers of electronic communication services (e.g., Gmail, and others listed below). The reason behind the proposal is to catch up the existing law to the realities of the technological evolution that occurred since the passage of the ePrivacy Directive. The proposal is also expected to ensure consistency in the protections afforded by the ePrivacy Directive, particularly with respect to confidentiality of communications, with the General Data Protection Regulation (GDPR), which will take effect in May 2018.

The two most impactful proposed changes are: (1) extension of the application of privacy rules from traditional telecommunications operators to the new providers of electronic communications services, such as Gmail, Facebook Messenger, WhatsApp, and others, and (2) simplification of the rules on cookies. The former proposal would prevent email services, such as Gmail, from scanning the contents of their users’ email for the purposes of delivering targeted advertising, without obtaining the users’ explicit consent. Obviously, this could significantly impact ad revenue of online email and messaging services that rely on targeted advertising for their funding.

The simplification of cookie rules, however, is a welcome relief to business. Article 5(3) of the current ePrivacy Directive requires websites to obtain prior informed consent from a user before storing cookies and similar technologies (e.g., web beacons, Flash cookies, etc.) or accessing information stored on the user’s terminal equipment. For consent to be valid, it must be informed, specific, freely given, and must constitute a real indication of the individual’s wishes. Certain cookies are exempt from the consent requirement, including user-input cookies (session ID first-party cookies), authentication cookies (to identify the user for the duration of a session), user-interface customization cookies (e.g., language or font preferences, for the duration of a session), and third-party social plug-in content-sharing cookies (for logged-in members of a social network). In other words, cookies that are used for the sole purpose of carrying out the transmission of a communication, or are necessary to provide the requested service are likely to be exempt. Some businesses, however, read this exemption narrowly and request user consent even for the use of these “experience-enhancing” cookies.


Continue Reading

As we begin the new year, companies are continuing to survey the ever-changing data-breach landscape and assess their own preparedness for the worst. And with data security threats becoming more complex, sophisticated, and diverse every year, it is no small task. For those of you wondering what data breach trends might look like this year, and what to do to avoid them, Experian Data Breach Resolution, drawing on its experience with over 17,000 data breaches over the last decade, offered the following five predictions in its 2017 Data Breach Industry Forecast:

Aftershock password breaches will expedite the death of the password.

  • What and Why: Companies will face the consequences of previous data breaches, as username and password information breached years prior (and often from an unrelated company) is continued to be sold through darknet markets.
  • The Takeaway: Companies should consider (1) using multi-factor authentication to verify users to help solve the password reuse problem; (2) accounting for aftershock breaches in their data-breach response plans; and (3) educating customers about resetting their passwords and about the broader risk associated with password reuse across websites.

Nation-state cyberattacks will move from espionage to war.

  • What and Why: Cyberattacks by hackers sponsored by foreign nations will likely continue to increase and escalate. Although these attacks are motivated by the desire to gain intelligence, they will lead to collateral damage to consumers and businesses through widespread outages or exposure of personal information.
  • The Takeaway: Businesses should prepare for large-scale attacks, particularly if they are a part of critical infrastructure, by staying vigilant about their security measures and by considering purchasing proper insurance protection.

Healthcare organizations will be the most targeted sector with new, sophisticated attacks emerging.

  • What and Why:
    • Medical identity theft will remain cybercriminals’ top target, as medical information is lucrative and easy to exploit.
    • Experian predicts that in the new year mega breaches will move on from focusing on healthcare insurers to distributed hospital networks, which might have more security challenges compared to centralized organizations.
    • Experian also predicts that electronic health records (EHRs) will likely be a primary target for attackers, since EHRs are widely used and are likely to touch a compromised computer.
    • The top breach vector will likely be ransomware because a disruption of healthcare system operations could be catastrophic and most organizations would rather opt to simply pay the ransom than fight the attack. According to the recent Office of Civil Rights (OCR) guidance, depending on the facts, ransomware attacks may be classified as breaches and require notification under the HIPAA Breach Notification Rule, in accordance with 45 CFR 164.404.
  • The Takeaway: Healthcare organizations need to ensure they have proper, up-to-date security measures in place, including data-breach response plans in the event of a ransomware attack and adequate employee training about the importance of security.


Continue Reading

The Article 29 Data Protection Working Party (WP29) recently held its December plenary meeting to discuss certain issues related to the implementation of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), which will take effect in May 2018, and of the Privacy Shield, which was opened for self-certification by companies in August.

During its December plenary meeting, WP 29 adopted three sets of guidelines and FAQs for controllers and processors of personal data (available for download on WP29’s website):

  • Guidelines and FAQs on the Right to Data Portability;
  • Guidelines and FAQs on Data Protection Officers (DPOs); and
  • Guidelines and FAQs on the Lead Supervisory Authority.

Below are the key takeaways from the three guidelines.

The Right to Data Portability

  • Scope.
    • Data portability is a data subject’s right to receive personal data processed by a data controller and to store it for further personal use on a private device, without transmitting it to another data controller. However, data subjects also have the right to transmit data from one controller to another controller “without hindrance.” As such, this right facilitates data subjects’ ability to move, copy or transmit personal data easily from one IT environment to another, thereby facilitating switching from one service provider to another and enhancing competition between services.
    • To fall within the scope of data portability, processing operations must be based (1) either on the data subject’s consent or (2) on a contract to which the data subject is a party (e.g., the titles of books purchased by an individual from an online bookstore).
    • Data portability applies only to data processing that is “carried out by automated means.” It does not apply to paper files.
    • Data portability covers the subject’s personal data that he or she provided to a data controller. This includes data actively and knowingly provided by the data subject (e.g., mailing address, user name, age) and observed data that is “provided” by the data subject by virtue of the use of the service or the device (e.g., search history, location data). This, however, does not include “inferred” data, i.e., data generated by the subsequent analysis of the data subject’s behavior.
  • Format. The data should be provided “in a structured, commonly used and machine-readable format” that supports re-use. Data controllers are expected to offer a direct download opportunity for the data subject but should also allow data subjects to directly transmit the data to another data controller. Furthermore, data controllers are expected to provide as many metadata with the data as possible to preserve the precise meaning of exchanged information.
  • Retention. Data portability does not impose an obligation on the data controller to retain personal data for longer than is necessary or beyond any specified retention period. (In fact, this right should encourage organizations to follow their records disposition policies to ensure that no data is kept once it outlives its usefulness or fulfills its preservation obligation.)
  • Notice.   Data controllers are required to inform the data subjects regarding the availability of the new right to portability.
  • Timing.  Data controllers must answer a portability request “without undue delay” and in any case “within one month of receipt of the request” or within a maximum of three months for complex cases, provided that the data subject has been informed about the reasons for such delay within one month of the original request.
  • Fees.  Data controllers are prohibited from charging a fee for the provision of the personal data, unless the data controller can demonstrate that the requests are manifestly unfounded or excessive, “in particular because of their repetitive character.”
  • Security. When transferring data, the data controller is responsible for taking “all the security measures” needed to ensure that personal data is securely transmitted (e.g., by use of encryption) to the right destination (e.g., by use of additional authentication information). When allowing data subjects to retrieve their personal data from an online service, the data controller, as a best practice, could recommend appropriate formats and encryption measures to help the data subject securely retrieve his data.


Continue Reading

The Irish Data Protection Commissioner (DPC) has issued guidance on compliance with the General Data Protection Regulation (GDPR), which will come into force on May 25, 2018 and replace the existing European data protection framework under the EU Data Protection Directive.  The new data privacy regime is expected to result in enhanced transparency, accountability, and individuals’ rights, while optimizing organizational approach to governance and management of data protection as a corporate issue.

The guidance, titled “The GDPR and You, General Data Protection Regulation, Preparing for 2018,” urges all organizations to not delay the preparation for the GDPR and to “immediately start preparing for the implementation of GDPR by carrying out a ‘review and enhance’ analysis of all current or envisaged processing in line with GDPR.”  Proper preparation for the GDPR may help avoid regulatory fines, which can range up to €20,000,000 or 4% of total annual global turnover, whichever is greater.

The guidance consists of a checklist that aims to provide clear direction on how organizations can prepare for compliance with the GDPR in Ireland.  However, organizations will find it useful when preparing for the GDPR anywhere in Europe.  The checklist is organized around the following twelve points.


Continue Reading

The Commission on Enhancing National Cybersecurity, established by President Obama, has released its much-awaited Report on Securing and Growing the Digital Economy (December 1, 2016). The Commission was tasked with assessing the state of our nation’s cybersecurity and developing actionable recommendations for securing the digital economy, while at the same time protecting privacy, ensuring public safety and economic and national security, and fostering the development of new technical solutions.

The Commission sought to examine what is working well, what represents a challenge, and what needs to be done to incentivize and cultivate a culture of cybersecurity in the public and private sectors. The Commission found that while the interconnectedness of the digital ecosystem creates unparalleled value for society, technological advancement is outpacing security and will continue to do so unless the government and the private sector change how they approach and implement cybersecurity strategies and practices.

Among the observed challenges, the Commission pointed out that technology companies are under significant market pressure to innovate and move to market quickly, often at the expense of cybersecurity. An example of this would be the widely-used Internet-of-Things (IoT) devices, ranging from pacemakers to fitness trackers to smart home devices, many of which do not provide sufficient security.

Another challenge is represented by mobile working environments. The Commission observed that gone are the days when employees performed work only at an office using an organization-issued (and controlled) desktop computer, but that many organizations fail to properly secure mobile devices. Moreover, today, no organization is an island, and few are able to function without connecting to vendors, customers, and partners in multiple global supply chains. These developments are making the classic concept of the security perimeter largely obsolete.


Continue Reading

shutterstock_196544378China has finalized a broad new Cyber Security Law, its first comprehensive data privacy and security regulation.  It addresses specific privacy rights previously adopted in the European Union and elsewhere such as access, data retention, breach notification, mobile privacy, online fraud and protection of minors.

There is plenty in the new law to irritate international businesses operating in China.  It requires in general that Chinese citizens’ data be stored only in China, for starters, possibly requiring global corporations to maintain separate IT systems for Chinese data.  Most of the privacy enhancements benefiting citizens align with those required in the European Union, but it is unclear how the Chinese will expect compliance, particularly since, as with many Chinese laws, its language is vague as to its scope, application and details.  This vagueness leaves interpretation to the State Council, the chief administrative authority in China, headed by Premier Li Keqiang.

The law expands Chinese authorities’ power to investigate even within a corporation’s Chinese data systems, and provides for draconian penalties for non-compliance by business entities or responsible individuals  include warnings, rectification orders, fines, confiscation of illegal gains, suspension of business operations or the revocation of the entity’s business license.
Continue Reading

Last Friday, Russia blocked LinkedIn based on a Russian court’s finding that LinkedIn violated Russian “localization” law that requires companies holding personal data of Russian citizens to store it on servers located within Russian borders.  This law came as an amendment to Russian data privacy laws, “Regarding information, information technologies and the protection of information,” “Regarding telecommunications,” and the Codex of Administrative Violations. The amendments, which came into law in September 2015, required websites and telecommunications providers to begin storing “on the territory of the Russian Federation information regarding the receipt, transfer, sending and/or processing of voice information, written text, images, sounds or other electronic messages of the users of Internet,” within six months after the law went into effect.

Russia took the position that the new requirements were necessary to ensure personal data on Russian consumers is properly protected, something the Russian government said can only be done if the servers are within Russian jurisdiction. The penalty for violating the law by companies was established at 500,000 roubles (approximately $8,000). The law also contemplated a punishment much worse than the monetary penalty. Specifically, the amendment empowered Roskomnadzor, the Russian federal agency charged with overseeing telecommunications services and information technologies, to investigate violations of the new law and to petition courts to block websites who refuse to comply.

Following the adoption of this law, many companies that collect and process Russian citizens’ information began working toward achieving compliance by ensuring that this data stayed on Russian soil. Some, however, decried the law as forcing businesses to needlessly invest in servers in Russia and rework established data workflows.

Soon after the law went into effect, Roskomnadzor began exercising its investigative powers and taking suspected violators to court. To keep track of the adjudicated violators, Roskomnadzor created a special registry of websites marked for blocking in case of continued noncompliance following the adjudication. LinkedIn, which has over 6 million registered Russian users, made Roskomnadzor’s “black list” registry and, on Friday, November 18, became the first website to be blocked in Russia for the violations of the localization law.


Continue Reading

The Article 29 Working Party has issued a statement about the so-called EU-U.S. Umbrella Agreement, which, while not providing legal basis for any data transfers, sets forth a high-level data protection framework for transatlantic cooperation on criminal law enforcement. The Agreement covers all personal data, including names, addresses, and criminal records, exchanged between the EU and the U.S. for the purposes of prevention, detection, investigation and prosecution of criminal offences, including terrorism. The Umbrella Agreement, signed by EU and the U.S. on June 2, 2016, after five years of negotiations, requires the consent of the European Parliament to be ratified.

In its statement, the Working Party cautiously welcomed the conclusion of the Umbrella Agreement. The Working Party expressed hope that the Agreement will complement the existing law enforcement treaties between the U.S. and EU and its Member States, aid the negotiation of future data sharing agreements, and set forth the minimum data protection standard for data transfers between criminal law enforcement in the U.S. and EU.


Continue Reading

shutterstock_414067906

At the end of September, the U.S. the U.S. District Court for the District of Kansas held that a warrant for an entire email mailbox did not violate the parameters of the Fourth Amendment in In re Microsoft Corp., 2016 BL 320715, D. Kan., No. 16-MJ-8036, 9/28/16.  Here, the court looked to balance an individual’s right to privacy and the government’s capability to effectively prosecute suspected criminals.


Continue Reading