Data Privacy Monitor

Commentary on Data Privacy & Information Security Subjects

Companies Face Uncertainty as Privacy Shield Encounters New Hurdles

Posted in International Privacy Law

The Privacy Shield, proposed this past February and greeted with cautious optimism by European and U.S. regulators alike as a more robust “replacement” for the invalidated Safe Harbor framework, appears to be suffering death by a thousand paper cuts. Today’s European Parliament resolution (the “Resolution”) delivered the latest blow. The Resolution recommends that the European Commission continue to negotiate the terms of the Privacy Shield with U.S. officials to address certain “deficiencies.” Although the Resolution is non-binding, it is highly influential. Parliament’s major concerns include:

  • U.S. government surveillance. Parliament does not believe that the Privacy Shield adequately addresses the ability of U.S. law enforcement to access personal data transferred from the EU.
  • Bulk data collection. Parliament is concerned that the Privacy Shield will not prevent bulk data collection that may violate the “necessity” and “proportionality” requirements set forth in the EU Charter of Fundamental Rights.
  • U.S. Ombudsperson. The Privacy Shield calls for the appointment of a U.S. Ombudsperson who would work closely with the U.S. State Department and other agencies to coordinate responses to complaints regarding the U.S. government’s use of EU citizens’ personal data. Parliament welcomes the establishment of this role, but it does not believe the position will be “sufficiently independent” or “vested with adequate powers to effectively exercise and enforce its duty.”
  • Recourse. In addition to the appointment of a U.S. Ombudsperson, the Privacy Shield contemplates a system of binding arbitration for complaints and disputes. An arbitrator would be selected from a pool of 20 arbitrators designated by the U.S. Department of Commerce and the European Commission. Arbitrators would have the authority to provide individual-specific, nonmonetary equitable relief to complainants. Parliament finds these recourse mechanisms to be too complex and has urged the Commission and U.S. regulators to make the process more “user-friendly and effective.”
  • Periodic reviews. Parliament also called on the Commission to conduct periodic “robust reviews” of the Privacy Shield adequacy decision, particularly in light of the recently passed General Data Protection Regulation, which takes effect in May 2018 and will impose significant new data privacy and security requirements on U.S. companies doing business in Europe.

PayPal Reaches Settlement With Texas Over Venmo Privacy and Security Disclosures

Posted in Financial Privacy

Venmo is a peer-to-peer mobile payments service that PayPal acquired in 2013. Users can transfer money to another person using a mobile or web application (e.g., send money to a friend to split the cost of dinner). On May 20, 2016, Texas Attorney General Ken Paxton announced that Texas had entered into an Assurance of Voluntary Compliance agreement with PayPal to resolve its investigation of Venmo regarding potential violations of Texas’ Deceptive Trade Practices – Consumer Protection Act. The resolution involved a $175,000 payment by PayPal and a commitment to implement certain business practices. There was no admission of wrongdoing and no allegations of actual harm to any individual.

Allegations by the Texas Attorney General’s Consumer Protection Division related to Venmo’s payment service included: (1) the application’s privacy and security disclosures to users were confusing and deficient; (2) Venmo used consumers’ phone contacts without clearly disclosing how the contacts would be used and how consumers’ transactions and interactions with other users would be shared (specifically, the “Add Friends When They Join” feature); and (3) communications that actually came from Venmo were misrepresented as coming from Venmo users.

Deeper Dive: Integrating Physician Practices into a Health System’s HIPAA Privacy and Security Program


The healthcare industry’s shift to a value-based business model is resulting in greater alignment between hospitals and physicians to provide quality, outcomes-driven care in order to receive payment for health care services. Prior to implementation of the Affordable Care Act, physicians more often were independent practitioners who held medical staff privileges to care for patients at the hospital. The pressure on health systems to develop clinically integrated networks and accountable care organizations, and the financial constraints placed on physician practices, necessitate alignment with physician practices and integrating them into the health system.

Improving alignment between hospitals and physicians is essential to change the way care is delivered. Properly structured, these alignments seek to reduce costs and duplication of services, improve the quality of patient care delivered, and improve patient satisfaction. The health system’s IT infrastructure, data sharing, and data analytics are key to a successful integration.

Illinois Enacts Sweeping Changes to the Illinois Personal Information Protection Act

Posted in Cybersecurity

On May 6, 2016, Illinois joined a growing number of states that have strengthened their data breach notification requirements and expanded the definition of protected personal information. Effective January 1, 2017, HB1260 amends the Illinois Personal Information Protection Act (PIPA) to broaden the definition of protected personal information, which will now include an individual’s first name or first initial and last name in combination with medical information, health insurance information, or unique biometric data (such as “a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data”). Additionally, Illinois will join several other states in defining personal information to include a user name or email address (with a password or a security question and answer that would permit access to an online account). Under the current law, personal information is limited to an individual’s first name or first initial and last name in combination with any one or more of the following data elements: (1) Social Security number; (2) driver’s license number or state identification card number; or (3) account number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account. 815 ILCS § 530/5.

HB1260 also clarifies the scope of the existing encryption safe harbor: encryption or redaction excuses notification only as long as the keys stay out of the attacker’s hands. Under the new law, if personal information was encrypted or redacted but the keys needed to decrypt or otherwise read the data elements were also acquired, notification may be required.

TeslaCrypt Ransomware Developers Retire, Release Master Decryption Key

Posted in Cybersecurity

Ransomware is a particularly nefarious type of malware that hijacks computers, encrypts the victim’s files and demands a ransom before the victim can access them again. It succeeds because ransomware developers use strong encryption that is practically unbreakable without the decryption key. As a result, individuals and businesses without a backup must either pay the ransom or risk losing their documents forever. The tactic has proven lucrative: the FBI estimates that cyber criminals extorted over $209 million in the first three months of 2016 alone. Recently, ransomware made headlines when it shut down hospitals in Los Angeles, Kentucky and Washington, D.C.

In a surprise turn of events, at least one group of ransomware developers has had a change of heart. Over several weeks, a security researcher at ESET noticed that the developers of the TeslaCrypt ransomware were slowly shutting down their operations. The researcher reached out and asked whether they would release the master decryption key, and they did. A note posted to the former TeslaCrypt payment site now reads:

“Project closed! Master key for decrypt: 440A241DD80FCC5664E861989DB716E08CE627D8D40C7EA360AE855C727A49EE. Wait for other people make universal decrypt software. We are sorry!”

With the release of the master decryption key, victims can now download a tool from ESET to decrypt files encrypted by TeslaCrypt without paying the ransom.

While this is certainly a happy ending for those infected with TeslaCrypt, ransomware remains a persistent threat, and organizations should take steps to safeguard against ransomware of all types. At a minimum, this development highlights the importance of preserving files encrypted by ransomware, rather than wiping the affected systems, even if you choose not to pay the ransom or are unable to decrypt the files today: as this episode shows, a key or a decryption tool may become available later.

What Companies Need to Know About Cyber Threat Information Sharing Under CISA

Posted in Cybersecurity

Cyber threat information sharing has the potential to provide numerous benefits for organizations (both public and private) faced with cyberattacks, which are increasing in frequency and sophistication. Cyber threat information sharing can enable organizations to enhance their cyber preparedness and defenses by leveraging the knowledge and experience of a broader community and improve their awareness of the current threat landscape. Recognizing the benefits of threat information sharing, Congress passed the Cybersecurity Information Sharing Act of 2015 (CISA), which was signed into law on December 18, 2015, to encourage sharing of cybersecurity information by providing a safe harbor from unfounded litigation while at the same time protecting individuals’ privacy. As mandated by CISA to assist private entities and federal entities seeking to share cybersecurity information, the Department of Homeland Security (DHS) and Department of Justice (DOJ) recently released a series of reports explaining the types of information that can be shared and how to share that information. This post focuses on the guidance for private entities seeking to participate in information sharing under CISA provided in the DHS’s and the DOJ’s Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities under the Cybersecurity Information Sharing Act of 2015 (the “Guidance”).

Deeper Dive: Plan for Regulatory Scrutiny in Financial Services Data Security Incidents

Posted in Cybersecurity, Financial Privacy

Financial services industry companies were involved in 18% of the over 300 data security incidents we helped manage in 2015, as reported in our 2016 BakerHostetler Data Security Incident Response Report (the “Report”). After healthcare, the financial services industry was the second most affected industry according to the data we reported.

It is not surprising that cyber criminals target financial services companies. They do so for the same reason that Willie Sutton robbed banks – the financial services industry is where the money is. But financial services companies should not be looking only at outside threats as they assess their risk profile. The largest single category of incidents we reported – nearly a third – was caused by employee negligence or malfeasance, with hacking and malware a close second.

The Report also reveals an uptick in regulatory scrutiny of incidents involving financial services companies. In nearly all of the reported incidents requiring regulator notification, state regulators made further inquiries. We also saw an increase in investigations into incidents by regulators, including regulators who have only in recent years become active in cybersecurity enforcement, such as the Securities and Exchange Commission (SEC), the National Credit Union Administration (NCUA), the Financial Crimes Enforcement Network (FinCEN) and the Financial Industry Regulatory Authority (FINRA). In some instances we are seeing detailed scrutiny by financial services regulators of incidents involving small numbers of customers – approximately 500 or fewer – as regulators appear to be using incident investigations as a basis for developing a deeper understanding of the cybersecurity practices of financial services companies.

Concrete and Particularized: What the Supreme Court’s Spokeo Ruling May Mean for Privacy Class Actions and Big Data – the First in a Series

Posted in Online Privacy, Privacy Class Actions

This morning, the Supreme Court of the United States issued its decision in Spokeo, Inc. v. Robins, No. 13–1339, 578 U. S. ____ (2016), putting to rest months of speculation as to whether the Court could come to a meaningful decision (that would be anything other than 4-4) in the aftermath of Justice Scalia’s passing in February. In a ruling that (predictably) defense and plaintiffs’ lawyers alike are heralding as a victory, the Court held that the Ninth Circuit erred in finding standing because “the injury-in-fact requirement requires a plaintiff to allege an injury that is both ‘concrete and particularized.’” The Court called out the Ninth Circuit’s analysis for overlooking the concreteness element. With that, the Court vacated the decision below and remanded for the Ninth Circuit to consider both aspects of the injury-in-fact requirement. My focus for purposes of this initial post will be why a privacy class action defense litigator like me should care about what the Court did here, and how it might impact other kinds of privacy class actions. This is just the first in a series of blog posts that BakerHostetler will publish on the implications of Spokeo.

Privacy Shield Update: A Recap of Recent Developments

Posted in International Privacy Law

On April 13, 2016, the Article 29 Working Party (WP29), an influential group of European data protection authorities, issued a non-binding opinion that criticized certain elements of the fledgling Privacy Shield framework. Although the Privacy Shield remains in limbo at this time, a flurry of speculation and Shield-adjacent legal maneuvers have colored the landscape and heightened concerns about its long-term viability.

The Privacy Shield was proposed in early February as a replacement for the EU-U.S. Safe Harbor framework following the Safe Harbor’s demise in October 2015. The invalidation of the Safe Harbor left thousands of companies in search of alternatives to meet their cross-border data transfer needs, and introduced new uncertainty regarding the long-term sustainability of other mechanisms such as binding corporate rules and model clauses.

While declaring the Privacy Shield to be a significant improvement over the Safe Harbor framework, the WP29 found that the European Commission’s draft adequacy decision concerning the Privacy Shield lacked clarity and was inconsistent. The opinion urged the Commission to clarify the text and to evaluate its provisions in light of the recently approved EU General Data Protection Regulation (GDPR).

Below we provide an overview of the proposed Privacy Shield, including a brief history, a summary of developments since the WP29’s opinion was issued in April, and what to expect in the coming weeks and months.

Mobile Apps That Appeal to Children Face Increased Regulatory Scrutiny

Posted in Children’s Privacy, Cybersecurity

In September 2015, the Online Interest-based Advertising Accountability Program (Accountability Program) of the Advertising Self-regulatory Council (ASRC) began enforcing the Digital Advertising Alliance (DAA) Guidelines for Mobile Advertising (Mobile Guidance) and now the inevitable has happened: the Accountability Program has issued three compliance decisions with mobile app publishers whose apps allegedly failed to comply with the Mobile Guidance. Two of those decisions, the Bearbit Studios decision and the Top Free Games decision, reinforce the heightened duties that mobile app publishers take on when developing mobile apps that appeal to children under 13 (children). For more information on the third decision, the Spinrilla decision, and the Accountability Program’s stance on cross-app enhanced notice and precise location data, see our companion post here.

As a bit of an overview, further explored in our prior post, the Mobile Guidance incorporates the DAA’s Online Behavioral Advertising Self-Regulatory Principles (Principles) and covers entities engaged in interest-based advertising (IBA) across websites or mobile apps. If a mobile app publisher allows a third party to collect data through its mobile app, the mobile app publisher is considered a covered entity and must comply with the Mobile Guidance.

The Mobile Guidance provides, by reference to the “Sensitive Data Principle” in the Principles, that where a mobile app publisher has actual knowledge that children use its mobile app or has a mobile app directed to children, the mobile app publisher should not collect “personal information” as defined by the Children’s Online Privacy Protection Act (COPPA) (which definition includes device ID, other unique ID, geolocation, picture, audio file, phone number and more) for IBA purposes unless it does so in compliance with COPPA. In order to comply with COPPA, as further discussed here, a mobile app publisher must first obtain verified parental consent before collecting children’s personal information for IBA or most other purposes not necessary to operate the basic service; or, if the mobile app publisher’s mobile app has a mixed audience that includes both children and adults, the mobile app publisher may implement an age-gating mechanism to flag users under 13 (there are additional nuances to these requirements) and provide children a COPPA-compliant version. Whether a mobile app is directed to or appeals to children is determined based on a multifactor test that considers factors such as subject matter, visual content, language, simplicity of operation, how and where the app is marketed, and use of animated characters and other content that appeals to children.