Data Privacy Monitor

Commentary on Data Privacy & Information Security Subjects

FCC Shows Hand on Regulation of Edge Providers

Posted in Online Privacy

In a prior post, we noted that the recent expansion of the FCC’s authority over the privacy practices of Internet service providers (ISPs) has prompted calls to extend that authority to “edge providers”: online companies that offer services, content, products, and applications over the broadband connections the ISPs provide, and that track user activity and collect personal information. Just last week, the FCC hinted that it might answer those calls by asserting authority over the privacy practices of edge providers.

In a recent interview, FCC Commissioner Mike O’Rielly indicated that the FCC intends to expand its authority to include edge providers. O’Rielly stated, “I don’t know if it’s immediately in the next six months . . . I just know that the commission is going to continue to creep toward edge providers, and I’m very confident that eventually we will capture edge providers under one form or another.” O’Rielly added, “I just don’t see a possibility where we stop at an imaginary line . . . If I was an edge provider today, I would be extremely concerned that the FCC will be involved in my day-to-day activity.”

Implications of Extending FCC Authority to Edge Providers

The FCC’s stated intent to regulate the privacy practices of edge providers could have significant ramifications for nearly every company operating online. Edge providers could be subject to enforcement actions by both the FTC and the FCC and could potentially face dual fines, a situation that has already arisen in the ISP context, where an established broadband telecommunications company faced an FTC enforcement action and a $100 million proposed fine from the FCC. Edge providers would also face uncertainty about how the FCC would exercise its authority. The FCC may try to extend its existing authority over ISPs under Section 222 of Title II of the Communications Act to edge providers. Section 222, however, was written to govern the privacy practices of telephone companies and the data they collect from telephone users; it does not fit neatly over edge providers, which collect data elements that differ from the customer proprietary network information (CPNI) collected by telephone companies. The FCC has yet to adopt rules focused on Internet services, and until it does, it will presumably advise edge providers as it has advised ISPs: to take “reasonable, good-faith steps” to comply with the “core customer privacy protections” set forth in Section 222. That approach leaves companies guessing about which privacy practices the FCC will deem compliant. This uncertainty, coupled with the aggressive enforcement the FCC has shown in privacy actions so far, could create a precarious environment for online companies to operate in.

2015 BakerHostetler Security Incident Response Report Provides Insight Beyond Technical Incidents

Posted in Cybersecurity, Data Breaches, HIPAA/HITECH, Incident Response, Information Security, Infrastructure, Retail Industry

There is no longer a debate: security incidents are inevitable. Organizations are working to be better prepared to respond when the first sign of an incident is detected (often at 4:30 p.m. on a Friday). So what kinds of incidents should they prepare for, and how should they prepare? Annual reports from forensic investigation firms provide good information on threat vectors, industry targets, and response trends. However, not every incident requires a forensic investigation, and few sources cover the other types of incidents (e.g., lost unencrypted backup tapes, inadvertent disclosures, device theft).

This gap was one of the reasons that drove BakerHostetler’s Privacy and Data Protection team to review statistics from more than 200 incidents we worked on with clients in 2014 and release our inaugural 2015 Data Security Incident Response Report, which shares some of the insight gained from those matters. We followed that with a series of eight “deeper dive” blog posts, using the benefit of our experience from responding to more than 1,000 potential incidents to explore issues identified by the report in greater detail. Data security and incident response preparedness, as well as privacy and information governance, are among the most challenging issues confronting companies. In our experience, the companies that are best positioned to respond are those that accept and plan for the inevitable through defense in depth, segmentation, and rapid detection and containment; ongoing efforts to monitor threat intelligence and adapt to changing risks; and testing and refining incident response plans by conducting mock-breach exercises in tabletop sessions.

Ultimately, we believe our incident response report can help companies become “compromise ready,” an incremental and continuous process of identifying threats, preventing and mitigating them, and preparing to respond.

Federal Trade Commission Joins with Industry Experts to Provide Start-Ups and Developers with Practical Advice at “Start with Security” Conference

Posted in Enforcement

The FTC has a history of offering practical advice to organizations and consumers on protecting against security threats and related concerns, and it continues that practice with the upcoming, and very first, “Start with Security” conference, taking place at the University of California’s Hastings College of the Law on September 9, 2015.

The conference will begin at 10:00 a.m., and will be held at Hastings’ Alumni Reception Center, 200 McAllister Street in San Francisco. While all are encouraged to attend, the conference is specifically focused on providing guidance to start-ups and developers. The conference will present panels that provide real-world advice, and will combine FTC personnel with experts on information security from market and industry leaders in the commercial and security fields.

The Start with Security conference is firmly focused on providing an exploration of what it means to build a “culture of security,” and each subsequent panel incorporates that theme. The panels focus on the lifecycle of modern organizations, building off of the concept of a security culture and introducing the audience to additional and related concepts throughout the day, which include:

  • The means to define and consider core and related concepts, including “security by design,” common security vulnerabilities, strategies for secure development, and vulnerability response
  • How to scale security practices as the organization grows
  • The importance of treating security practices as investments rather than costs
  • Why security is much more than reacting to or troubleshooting issues as they arise

In case the topics are not incentive enough, the Start with Security conference is free and open to the public. No preregistration is necessary, and lunch is provided. Finally, the FTC will webcast the conference; interested parties should check the FTC’s event page on the day of the event for details.

Federal Trade Commission Continues Its Enforcement Campaign Against False Safe Harbor Claims

Posted in Enforcement, International Privacy Law

Reiterating its commitment to enforcing the U.S.-EU and U.S.-Swiss Safe Harbor Frameworks, the Federal Trade Commission announced on Monday that it has reached settlements with 13 companies alleged to have misled consumers either by claiming Safe Harbor membership despite never having applied, or by allowing their Safe Harbor certifications to lapse.

A related FTC Business Center blog post concerning the settlements provided tips for companies to help avoid Safe Harbor compliance violations, including reminders that:

  • Privacy policy representations regarding the handling of personal information must be truthful and may be subject to FTC enforcement;
  • Using templates can be risky – every statement in a privacy policy must reflect that company’s specific practices, so any “form” document must be reviewed line by line for accuracy; and
  • Safe Harbor certification must be renewed annually, so adding a calendar reminder to review (and update, as appropriate) the company’s policy a few weeks before the recertification deadline can help avoid lapses.

Just three months ago, the FTC announced similar settlements with two companies that had allowed their Safe Harbor certifications to lapse, but continued to represent on their websites that they were members of the framework. In one of those cases, the FTC further alleged that the company misled consumers regarding its dispute resolution procedures, and “deceptively claimed to be a licensee of the TRUSTe Privacy program.”

The FTC was active in the Safe Harbor enforcement arena last year as well. In June 2014 the Commission announced settlements with 14 companies that were alleged to have falsely claimed Safe Harbor membership. In addition, the FTC has brought Safe Harbor charges stemming from alleged privacy violations, such as in its settlements with Google in 2011, and Facebook and Myspace in 2012.

EMV Liability Shift Update – What Liability Actually Shifts?

Posted in Retail Industry

With the October 1, 2015 liability shift deadline looming, merchants who have not yet made the change continue to weigh the cost of accepting EMV cards against the liability that will shift from the issuer to the merchant if they do not. The costs of implementation are fairly straightforward: buy EMV-enabled terminals and work with the terminal vendor, payment application vendor, and processor to implement and certify. It has been much harder to determine the type and amount of liability that will shift. First, if you read the card network operating regulations or EMV FAQs, or attend payment industry events, you can come away with two competing answers on what liability shifts: either all counterfeit fraud liability (regardless of card type) will shift, or only the fraud that occurs when the magnetic stripe data of an EMV card is used to make a counterfeit card. Second, before the shift, there is no source of data accessible to a merchant for determining the dollar amount of fraudulent transactions made at the merchant with a counterfeit card.

In a May 18, 2015, blog post, I answered 18 common questions about EMV, including the following, which highlights the confusion about what fraud the shift applies to:

Does the liability shift apply to card-present counterfeit fraud on just EMV cards or on all cards? Most believe that the liability shift applies to counterfeit fraud on both magnetic stripe and EMV cards, not just EMV cards. However, there are confusing statements and FAQs issued by acquiring processors as to what transactions the shift applies to. On its face, Visa’s rule indicates that it applies to all transactions. For American Express, its press release states: “American Express will institute a Fraud Liability Shift (FLS) policy that will transfer liability for certain types of fraudulent transactions away from the party that has the most secure form of EMV technology.” Discover has similar language to American Express regarding a hierarchy of liability shifting.

A Deeper Dive: Data Security Incident? Don’t Panic

Posted in Cybersecurity, Data Breaches, Incident Response

It’s 6 p.m. on a Friday and you get a call from your IT department: they have detected that an intruder has gained access to your company’s network. At this point, the headlines from the major data breaches of recent years may be flashing before you, and you may be assuming the worst: regulatory investigations, class actions, congressional testimony. Keep calm and gather the essential facts. As the BakerHostetler Data Security Incident Response Report 2015 (the Report) illustrates, many data security incidents are just that: incidents. If managed properly, many can be resolved with minimal impact on your company.

As a starting point, you should not assume that you are going to have notification obligations just because you have experienced a data security incident. The Report distills data from more than 200 data security incidents where BakerHostetler assisted clients in 2014. Notification to affected individuals was provided in only 75 of these incidents. Notification obligations are not triggered by every data security incident, but only by incidents involving the unauthorized access to and/or acquisition of specific types of personal information that are identified as protected under applicable state and federal laws. Many data breach notification laws also permit a company not to give notice when it determines after reasonable investigation that the incident does not present a risk of harm to the affected individuals. Through careful forensic investigation, it is often possible to conclude that an incident triggered no notification obligations.

FTC to Host Workshop on Online Lead Generation

Posted in Enforcement

The FTC has increasingly focused its attention on the online lead generation industry, bringing enforcement actions against payday loan lead generators (alleged to have run advertising that lacked disclosures required by the Truth in Lending Act), mortgage lead generators (alleged to have deceptively advertised mortgage products by misrepresenting their terms and conditions), and even companies that use lead generators to subvert telemarketing laws (a home security company alleged to have bought phone numbers from lead generators that made illegal robocalls to homeowners). Following this trend, the FTC recently announced its upcoming workshop, Follow the Lead: An FTC Workshop on Lead Generation. The workshop will be held on October 30, 2015, at the FTC’s D.C. office, located at 400 7th Street SW, Washington, DC 20024.

Does the Government Have Carte Blanche to Retain Seized Data Indefinitely? In Amicus Brief to the Second Circuit, Policy Groups Argue No

Posted in Information Security

On July 29, 2015, BakerHostetler filed an amicus brief with the Second Circuit on behalf of the Center for Democracy and Technology, joined by five prominent nonprofit public interest groups, for the en banc rehearing of United States v. Ganias, Case No. 12-240. In Ganias, the Court will grapple with whether the government, after seizing a large volume of digital data pursuant to a warrant, may retain that data indefinitely and later use it in ways outside the scope of the original warrant, including bringing charges against individuals not originally under investigation. Recognizing the huge impact the Second Circuit’s en banc decision will have for anyone subject to a warrant, the amicus brief urges the Court to ensure that Fourth Amendment protections remain strong in the face of ever-evolving technologies.

In this case, the Army was investigating two companies that the Army had hired to provide maintenance and security at a vacant Army facility. In the course of its investigation, the Army obtained a warrant in 2003 to search the offices of Stavros Ganias, the accountant for the actual targets of the Army’s investigation. When executing the warrant, the Army made forensic mirror images of the hard drives of all three of Ganias’s computers, collecting all data on those computers, including data beyond the scope of the warrant.

A Kinder, Gentler Spanish Data Protection Authority?

Posted in International Privacy Law

As of July 24, Spain has a new director for its Data Protection Authority (Agencia Española de Protección de Datos, or AEPD). The AEPD is the agency responsible for conducting investigations and bringing disciplinary actions on data protection issues, including compliance with Spain’s Data Protection Act of 1999 (Ley Orgánica de Protección de Datos, known in Spain as the “LOPD”), which implemented the EU’s Data Protection Directive 95/46/EC.

The new director at the helm of the AEPD, for a four-year term, is Mar España Martí. In what may be a change in tone at the AEPD, Martí acknowledged upon taking office that the perception of the AEPD was that it was a sanctioning body. Martí stated that the AEPD needed to engage more with public and private stakeholders to foster a respect for privacy. Martí said that she will be aiming to establish the appropriate balance between the right to privacy and the demands for information.

State Law Roundup: Legislatures Across the U.S. Revamp Data Breach Notification Laws

Posted in Breach Notification, Data Breach Notification Laws

As the number of highly publicized data breaches continues to skyrocket and proposals for a federal data breach notification law stagnate, state legislatures around the country have been busy amending their own breach notification statutes. So far, 2015 has been a banner year for state breach law makeovers, with nine states formalizing amendments to their laws and several others poised to follow suit.

Since California took the lead with the first data breach statute, which took effect in 2003, 46 other states (plus D.C., Puerto Rico, Guam, and the Virgin Islands) have passed their own security breach notification requirements. California can be credited with starting another trend in 2013, when it expanded the definition of personal information in its breach notification law to include email addresses and passwords used to access an individual’s online account. California made further revisions to its law in 2014, and since then there has been a steady stream of state law changes, many of which have followed California’s example to some extent.