Data Privacy Monitor

Data Privacy Monitor

Commentary on Data Privacy & Information Security Subjects

FCC Plans $10 Million Cybersecurity Fine Against Two Telecoms

Posted in Cybersecurity

On October 24, 2014, the Federal Communication Commission (“FCC”) took a big step into the cybersecurity regulatory space when it announced its intent to assess a $10 million fine against two telecoms, TerraCom and YourTel America (“Companies”), for failing to protect the privacy of personal information the Companies collected from consumers. According to the FCC, the Companies did not properly secure the personal information collected from applicants of the Lifeline program, which is designed to help low-income individuals and families receive communications services. The names, addresses, Social Security numbers, and other personal information of the applicants were stored on a server maintained by a third-party service provider that was publicly accessible from the Internet. A reporter discovered the consumer information using a Google search and notified the Companies, who in turn notified the FCC. The FCC also alleged that both Companies failed to notify all of the potentially affected consumers of the breach.

The FCC conducted an inquiry and charged the two Companies with four violations under the Communications Act of 1934, Sections 201(b) and 222(a):

  1. A violation under Section 222(a) for failing to protect the confidentiality of personal information that consumers provided to demonstrate their eligibility for the Lifeline program;
  2. A violation under Section 201(b) for failing to employ reasonable data security practices to protect consumers’ personal information;
  3. A violation under Section 201(b) by representing in the companies’ privacy policies that they protected consumers’ personal information, when in fact they did not; and
  4. A violation under Section 201(b) by failing to notify all consumers whose personal information could have been breached by the companies’ inadequate data security.

Continue Reading

California Attorney General Releases 2014 Data Breach Report and Recommendations, Finding More of the Same.

Posted in Breach Notification, Credit Card, Data Breaches, Identity Theft, Retail

Editor’s Note: The author thanks Jaysen Borja for his contributions to this post.

On October 28, 2014, Attorney General Kamala Harris released the second annual California Data Breach Report.  The report detailed the nature and scope of data breach notifications that her office received in 2013.  Her office has been analyzing notifications of data breaches since 2012, when S.B. 24 amended the state’s data breach notification law to require organizations to submit copies of their breach notifications to the Attorney General in any case in which the breach affects more than 500 California residents.  Notably, two of the five recommendations made by the Attorney General in last year’s report have already been signed into law. This year the Attorney General issued 12 recommendations to companies in various industries, and to the legislature, as to how to improve data security practices and better protect California consumers.

The following is a summary of the report’s key findings and the Attorney General’s recommendations based on those findings.

Findings

Number of Data Breaches

The report notes that the Attorney General’s office received 167 data breach notifications in 2013, a 28 percent increase from 2012. The reported data breaches involved 18.5 million records of California residents, a 600 percent increase in the number of Californians whose records were affected.  However, the report points out that a large portion of this increase is due to two massive retailer breaches, including the Target breach – which by itself affected 41 million customers, including 7.5 million Californians.

Continue Reading

Privacy Policies Going Digital: The CFPB’s Final Rule Ditches Requirement to Distribute Annual Paper Copies

Posted in Online Privacy, Privacy

On October 20, 2014, the Consumer Financial Protection Bureau (“CFPB”) announced that it had finalized a rule that alters the way that financial institutions provide privacy policies to their customers. Under the Gramm-Leach-Bliley Act of 1999 (“GLBA”), financial institutions are required under Regulation P to provide their customers with initial and annual notices regarding their privacy policies. The financial institutions are further required to provide notice and an opportunity to opt-out of information sharing where certain categories of customer information are shared with particular types of third parties. The Final Rule announced by the CFPB seeks to streamline the notification process by permitting financial institutions to post their privacy policies online, rather than providing paper copies annually, if the mandatory opt-out notifications are not required.

With the passage of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2011, the CFPB was formed to centralize the rulemaking authority and enforcement of financial institutions. Under Dodd-Frank, the CFPB took over the rulemaking authority under the GLBA for all financial institutions, with the exception of securities and futures-related companies under the jurisdiction of the Securities and Exchange Commission and the Commodity Futures Trading Commission, and certain motor vehicle dealers under the jurisdiction of the Federal Trade Commission. Upon establishment, the CFPB inherited regulations from other federal agencies, and in December 2011 issued a Request for Information seeking comments and suggestions on opportunities for streamlining, particularly noting the annual privacy notice requirement as a potential opportunity. Industry members and consumer protection groups agreed, and following the publication of a Proposed Rule in May 2014 and a subsequent comment period, the CFPB has now adopted its Final Rule, creating an alternative delivery method for privacy policies where certain criteria are met. Continue Reading

How to Respond to SEC Inquiries Concerning Data Breach and Data Security Policies

Posted in Cybersecurity, Data Breaches

Every company, whether public or private, has exposure to potential data breach or theft of confidential information. When this occurs, various state and federal regulatory organizations have jurisdiction over ensuring that there is prompt, corrective, and remedial action taken by the company whose systems have been compromised. Much of the focus of articles and commentary has been on the Federal Trade Commission and its enforcement of these violations. However, another important agency to understand both its role and practices is that of the United States Securities and Exchange Commission.

The SEC has jurisdiction over the policies and practices of the securities industry to ensure the integrity of the securities exchanges, to assist in capital formation, and to provide investor protection. Pursuant to its statutory authority, it conducts periodic examinations of industry participants, such as investment banks, asset managers, hedge funds, and mutual funds. As such, the SEC requires these regulated entities to perform a risk assessment of various cybersecurity risks and then to adopt written policies and procedures to combat them. As part of this process, to assist the industry in assessing cybersecurity preparedness, the SEC’s Office of Compliance Inspections and Examinations on April 15, 2014, issued a Risk Alert concerning the “OCIE Cyber Security Initiative.” Parallel regulatory concerns have been expressed by FINRA, through its 2014 Annual Regulatory and Examination Priorities letter, in which cybersecurity is listed as a top priority for protecting “sensitive customer data.”

These regulatory concerns, however, are not limited to the securities industry. All public companies with shares trading on a U.S. securities exchange are likewise subject to the possibility of an SEC inquiry concerning its practices and policies, albeit not through the scrutiny of an SEC examination. It seems topical, therefore, to explain the processes of the SEC, to the extent to which the agency comes knocking for information about your company’s cyber security controls, practices, and breach response plan. Continue Reading

Company Claims “HIPAA Has No Teeth”, Will Start Notifying Affected Individuals of Security Breaches and Vulnerabilities that Have Not Been Disclosed by Organizations

Posted in Data Breaches, HIPAA/HITECH

A company named SLC Security, LLC (“SLC”), recently announced that it will begin notifying individuals if it believes it has identified a security breach or vulnerability of a company and it has not received a satisfactory response from the company to which it reported the issue.

On SLC’s blog, it claims it is providing “awareness to individuals and organizations that are leaking information and the information of their customers.”  SLC also claims it lists entities on its site who have been “verified to be leaking personal information” and that it “will include information [on the site] on what type of information is being leaked.”  On October 16, 2014, SLC announced in a posting that:

HIPAA Has No Teeth – Here’s what we are going to start doing

Starting today we will start mailing out notifications directly to the affected person[s] when we don’t get a response from the organization we report. It’s not fair that companies can choose to ignore issues that they know exist and it’s really not fair that they take the stance that if they are not aware of the issue that they can just ignore it while consumers are sitting by hoping nothing happens to their identities or their bank accounts…

Although the title of SLC’s posting indicates that it is concerned with healthcare organizations, the posting also states that SLC is allegedly concerned about individuals’ “identities or their bank accounts.”  This claim may mean that SLC’s notifications could include clients or consumers of organizations other than those in the healthcare industry.

Continue Reading

Partner Randy Gainer Named to National Law Journal’s Inaugural List of IP Trailblazers and Pioneers

Posted in Miscellaneous

BakerHostetler’s Renowned Privacy and Data Protection Team Scores Big Again

BakerHostetler Partner and Privacy and Data Protection team member Randy Gainer has been recognized in The National Law Journal’s inaugural list of “50 Intellectual Property Trailblazers and Pioneers.” His selection adds to the host of recognitions the practice and its attorneys have received as it continues to expand to meet client demands and secure major client victories in high-profile privacy and security matters. Read More >>

Will Using “Apple Pay” Keep the Data Breach Away?

Posted in Data Breaches, Mobile Privacy

Recently Apple unveiled its latest iPhones and other new products. While the big screens on the new iPhones are making the splashy headlines, perhaps the most interesting reveal, from a data privacy perspective, is not a shiny gadget, but the new mobile payment service dubbed “Apple Pay”. Although mobile payment services aren’t new – Google introduced “Google Wallet” several years ago – Apple’s product has some interesting security features that could grab the attention of retailers and consumers, stung by recent large credit card breaches.

According to Apple, Apple Pay will use existing NFC technology (Near Field Communication), which enables contactless communication between devices. This allows an NFC capable smartphone to communicate with a merchant’s NFC compatible card reader to make a credit or debit card purchase. But will Apple Pay card transactions be secure?

Based on the information revealed thus far, there is a heavy emphasis on security in Apple Pay. To enable Apple Pay, the user scans their credit or debit cards into their iPhone. But the card number itself is not stored anywhere on the phone. Rather, a randomly generated and unique Device Account Number (DAN) is assigned in place of the card number, encrypted and stored in a separate chip called a secure element — which operates in a separate secure environment within the device.

Continue Reading

California Extends Deadline for Reporting Breaches to the CDPH from 5 to 15 Business Days

Posted in Data Breach Notification Laws, HIPAA/HITECH

On September 18, 2014, California Governor, Jerry Brown, signed Assembly Bill 1755 (“AB1755”) into law, amending breach notification provisions in the California Health and Safety Code applicable to licensed clinics, health facilities, home health agencies, and hospices. Under existing law, certain health care entities licensed by the California Department of Public Health (“CDPH”), including hospitals and clinics, are required to report any unlawful or unauthorized access to or use or disclosure of a patient’s medical information to the affected patient or their representative at their last known address and to the CDPH no later than five (5) business days after the unlawful or unauthorized access, use, or disclosure has been detected. The CDPH then has full discretion to consider all factors “when determining the amount of an administrative penalty” under the statute, including a penalty of $100 per day beyond the reporting deadline up to a maximum of $250,000 per reported event.

AB1755 extends the reporting deadline from five (5) business days to fifteen (15) business days after the unlawful or unauthorized access, use, or disclosure has been detected. AB1755 also allows entities to report the breach to affected patients or their representatives using alternative means, including email (pursuant to the patient’s written consent), or via confidential communication methods requested by patients under Section 164.522(b) of the HIPAA Privacy Rule. Finally, AB1755 adds language clarifying that the CDPH has full discretion to consider all factors “when determining whether to investigate [a reported incident] and the amount of an administrative penalty, if any,under the statute. These revisions are effective January 1, 2015. A redline demonstrating the revisions is available here.

Continue Reading

Mobilizing on Mobile Apps: The FTC’s Comment to the CFPB Signals its Priorities

Posted in Mobile Privacy

In recent months, the Federal Trade Commission (“FTC”) has been steadily ramping up its efforts to monitor, regulate, and provide best practice guidance in the rapidly expanding field of mobile applications. On September 10, 2014, the FTC issued a staff comment in response to the Consumer Financial Protection Bureau’s (“CFPB”) Request for Information on the issue of consumers’ use of mobile financial services, available here. This comment continues the FTC’s action in this space, which also includes increased enforcement action. For example, the recent Yelp! settlement following mobile app COPPA violation charges – for commentary seeYikes, Yelp! Targeted In FTC’s Stepped Up Enforcement of Children’s Privacy – General Audience Services Take Heed” and a series of FTC Reports, most recently, “What’s the Deal? An FTC Study on Mobile Shopping Apps.”

The CFPB was formed in July 2011, following the passage of the Dodd-Frank Wall Street Reform and Consumer Protection Act, as an independent regulatory agency responsible for consumer protection in the financial sector. With this focus on consumer protection, the FTC shares philosophical ideals with the CFPB, yet, the FTC has no jurisdiction over the banks, credit unions, securities firms, and other financial institutions under the purview of the CFPB. Thus, while this FTC staff comment is merely advisory to the CFPB, it offers a good primer on the FTC’s current thinking on mobile apps in general, and signals its own enforcement and regulatory priorities in the space.

Continue Reading

National Highway Traffic Safety Administration Considers Privacy Implications for New Vehicle-to-Vehicle Technology

Posted in Privacy

The Department of Transportation’s National Highway Traffic Safety Administration (“NHTSA”) announced in 2014 that it would begin steps toward implementing vehicle-to-vehicle (“V2V”) technology with an aim toward decreasing the number of traffic accidents on the nation’s roads.  V2V technology allows communication between cars on the road to alert drivers of potential accident situations.  However, with the new V2V technology come additional privacy concerns.  In August, the NHTSA released an advanced notice of proposed rulemaking for V2V technology.  In addition to key findings on privacy and security, the report included findings on the technical feasibility, and estimates of costs and safety benefits. The following is a review of the NHTSA’s key privacy findings for the V2V system.

The NHTSA report began with an emphasis that the V2V system:

  1. Would not collect or store data on individuals or individual vehicles, nor would it allow the government to do so;
  2. Would not contain data in safety messages exchanged between vehicles or collected by the V2V security system that could be used by law enforcement or private entities to personally identify speeding or erratic drivers;
  3. Would not permit tracking through space or time of vehicles linked to specific owners, drivers, or persons;
  4. Would not collect financial information, personal communications, or other information linked to individuals; and
  5. Would not provide access to the vehicle for extraction of data.

Continue Reading