Data Privacy Monitor

Commentary on Data Privacy & Information Security Subjects

What Now? What Next? FAQs and Answers Regarding the Safe Harbor Decision

Posted in Enforcement, International Privacy Law

As we discussed in our blog post last week, on October 6, 2015, the Court of Justice of the European Union issued a judgment that invalidated the EU-U.S. Safe Harbor Framework. For the past 15 years, thousands of companies have been using the Safe Harbor Framework to transfer personal data from the EU to the U.S. in accordance with EU data protection law.

Although many unanswered questions remain at this time, we have prepared the following list of frequently asked questions to offer insights on what affected organizations can expect, and how such companies may begin to address the practical effects of the decision while awaiting further guidance from regulators.

We will discuss these issues in greater depth during our upcoming October 14 webinar, co-presented with UK counsel from Holman Fenwick & Willan LLP.

  1. Does this decision apply retroactively to personal data that our company previously transferred to the U.S. from the EU under the Safe Harbor Framework?

Unclear, but unlikely. Several EU data protection authorities, including the UK Information Commissioner’s Office, have indicated that they intend to issue compliance guidance and will not take rash enforcement action. Regarding retroactivity specifically, on October 8, a German attorney wrote that German data protection authorities (among the most aggressive, historically) have stated “unofficially” that the invalidity of Safe Harbor will apply going forward, and not retroactively, in line with paragraph 52 of the CJEU decision. Paragraph 52 states:

“…Measures of the EU institutions are in principle presumed to be lawful and accordingly produce legal effects until such time as they are withdrawn, annulled in an action for annulment or declared invalid following a reference for a preliminary ruling or a plea of illegality [citing authorities].”

California Amends Its Breach Notification Statute

Posted in Data Breach Notification Laws

For the third time in as many years, California has amended its breach notification statute. This time it expanded the definition of “personal information,” clarified the term “encryption,” and mandated additional formatting and content requirements for individual notification letters. These amendments affect both companies and agencies and will go into effect on January 1, 2016.

In 2003, California became the first state in the country to require security breach notification. Since then, nearly every state has followed California’s lead in enacting laws that require entities who experience a security breach to notify affected individuals. On October 6, 2015, Governor Jerry Brown continued the tradition of leadership by signing into law three separate bills, each one amending a different aspect of California’s breach notification framework.

Expansion of Personal Information Definition

The first amendment, Senate Bill 34, expands the definition of “personal information” to include data collected through the use of an automated license plate recognition system. License plate recognition (LPR) systems use optical character recognition on video images to read license plates on motor vehicles and then store that data in a searchable computerized database. The use of this technology has skyrocketed in recent years, with nearly 70 percent of local police departments utilizing LPR systems to some extent. This amendment, which applies to both public and private entities, will require entities that use LPR systems to implement reasonable safeguards to protect LPR data from unauthorized use or disclosure. In addition, S.B. 34 provides a private right of action to individuals harmed by a violation of these security requirements.

New PCI Guidance Provides Businesses With Security Incident Response Assistance

Posted in Data Breaches, Payment Card Industry, Retail Industry

A security event involving payment card data, especially card-present data, can be one of the most costly events a company may face. A recent study reported the average total cost of a data breach as $3.8 million, and large payment card incidents such as those at Target and Home Depot involve hundreds of millions of dollars. To assist merchants and service providers in preparing for and responding to a potential data compromise, the Payment Card Industry (PCI) Security Standards Council recently published new guidance, titled “Responding to a Data Breach: A How-to Guide for Incident Management.” The guidance was developed with a focus on how a business can prepare for an incident and effectively work with a Payment Card Industry Forensic Investigator (PFI), an independent investigator that a business may be required by its acquirer or the card brands to engage following a suspected data compromise. The PCI Security Standards Council publishes a list of approved PFI companies.

The guidance focuses specifically on what a business can do to prepare for an incident and immediate steps a business should take in response to an incident in order to facilitate a thorough and effective investigation by a PFI. The specific recommendations are:

EU High Court Invalidates Safe Harbor Framework for Cross-Border Data Transfers

Posted in Enforcement, International Privacy Law

On October 6, 2015, the Court of Justice of the European Union (CJEU) issued a highly anticipated judgment that has the potential to impact how thousands of companies transfer data from the EU to the United States. The Court’s decision effectively invalidates the European Commission’s “adequacy” determination with respect to the U.S.-EU Safe Harbor Framework, which was established in 2000 as a mechanism to allow for the lawful transfer of EU citizens’ personal data to the U.S.

The ruling comes on the heels of a recent controversial opinion from the CJEU’s Advocate General, Yves Bot, who called for a suspension of the Safe Harbor Framework in light of findings regarding the U.S. government’s widespread collection of personal data and the lack of judicial redress available for EU citizens affected by such activities.

Following the 2013 Snowden revelations concerning the scope of U.S. government access to personal data, Max Schrems, an Austrian citizen and Facebook user since 2008, lodged a complaint with the Irish data protection authority (the DPC) with respect to Facebook’s transfer of his personal data from Facebook’s Irish subsidiary to Facebook in the United States.

The Irish DPC rejected Schrems’ complaint on the grounds that Facebook’s transfers were permitted pursuant to the U.S.-EU Safe Harbor Framework. Schrems then challenged that decision before the Irish High Court, which ultimately stayed its proceedings and applied to the CJEU for a determination regarding whether the Irish DPC (and other EU data protection authorities) could investigate claims concerning the validity of the European Commission’s adequacy determination pertaining to the Safe Harbor Framework.

CA AG Requires Chief Privacy Officer and Privacy Compliance Program

Posted in Cybersecurity, Enforcement

California’s Attorney General, Kamala Harris, has required Houzz, a home décor information and e-commerce website and mobile app publisher, to hire a chief privacy officer (CPO), conduct a company-wide privacy assessment, and maintain a privacy compliance program to settle a lawsuit that alleged Houzz failed to follow California law that requires disclosure of the recording of customer service calls. Although part of a settlement and thus not binding on other companies, the requirement illustrates what regulators believe is reasonably necessary for companies to do to ensure they are meeting privacy and data security obligations. The CPO is required to “ensure that Houzz develops privacy policies and procedures for Houzz that are consistent with applicable state and federal privacy laws,” “oversee Houzz’s compliance with such policies and procedures,” and “have authority and autonomy to perform these responsibilities and to report any significant privacy concerns to the Chief Executive Officer….” The required privacy assessment must “evaluate: (1) issues … that are implicated by the Company’s business processes, use of technology, and (if applicable) related to any business partners with whom Houzz shares personal information; and (2) Houzz’s efforts to mitigate or avoid any adverse effects of such issues on individuals in the United States.” Any company that does not have a robust privacy and data protection program, overseen by a senior-level executive, should take note of this settlement and undertake to evaluate its data practices, ensure legal compliance, and implement best practices.

For more information on how to do so, see: An Ounce of Prevention Is Better (and Cheaper) Than a Pound of Cure: It’s time for a data protection checkup.

Read a copy of the Houzz Final Judgment and Permanent Injunction here.

DAA Begins Enforcing Its Guidelines for Mobile Advertising This Month: What You Should Know in Order to Prepare

Posted in Behavioral Advertising

Application of Self-Regulatory Principles to the Mobile Environment

Effective September 1, 2015, the Digital Advertising Alliance (DAA) is now enforcing its Self-Regulatory Principles for Online Behavioral Advertising and Multi-Site Data (collectively, the “Principles”) in the mobile ecosystem. The DAA, a cross-industry, self-regulatory group of advertising and media companies, has until now focused its enforcement of the Principles exclusively on the desktop browser environment. The Principles will be applied to mobile in accordance with the DAA’s previously released guidelines, Application of Self-Regulatory Principles to the Mobile Environment (“Mobile Guidelines”), issued in July 2013. The move to begin enforcement follows the DAA’s release earlier this year of two new consumer protection tools for mobile – the “AppChoices” mobile app and the “DAA Consumer Choice Page for Mobile Web.”

For those unfamiliar with the DAA’s Principles and their role in the online advertising industry, the Principles apply to “interest-based advertising” (IBA), or “the collection of data from a particular computer or device regarding Web viewing behaviors over time and across non-Affiliate Web sites for the purpose of using such data to predict user preferences or interests to deliver advertising to that computer or device based on the preferences or interests inferred from such Web viewing behaviors.” For first and third parties involved in the delivery of IBA (e.g., publishers, advertisers, and ad networks), the Principles require certain levels of “transparency” and “choice.” Transparency must be provided through visible disclosures and “enhanced notice” (often through the AdChoices tag), and choice must be provided to consumers through a meaningful, easy-to-use way to exercise control over collection of data for IBA purposes.

With the DAA commencing enforcement of the Principles on mobile, advertisers, publishers, mobile developers, and ad networks are encouraged to review the Mobile Guidelines and the Principles. As the DAA emphasized in a webinar earlier this year, all parties working together to conduct IBA share in the responsibility for compliance.

The SEC OCIE Announces Increased Scrutiny of Broker-Dealers’ and Investment Advisers’ Cybersecurity Programs

Posted in Cybersecurity

On September 15, 2015, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) issued a National Exam Program Risk Alert (2015 Risk Alert) to provide broker-dealers and investment advisers with information on the focus areas of its upcoming round of cybersecurity examinations. OCIE is building on its previous cybersecurity examinations to increase scrutiny of firms’ cybersecurity practices, policies, and procedures. While the primary objective of last year’s initial cybersecurity initiative was gathering information on industry practices, this year OCIE will perform more testing to assess firms’ implementation of these policies and procedures. Given the increased regulatory scrutiny, as well as the rapidly evolving cyber-threat landscape, firms are well-advised to assess their current level of cybersecurity preparedness and be prepared to show the appropriateness of, and compliance with, their cybersecurity policies and procedures, with a particular focus on vendor management and preparation for incident response.

Background on OCIE’s Cybersecurity Initiative

OCIE administers the SEC’s examinations of registered entities, including approximately 4,500 broker-dealers and more than 10,000 investment advisers in the United States, to ensure compliance with the federal securities laws. As part of the examination process, OCIE typically submits requests to the examined firm for information, or requests information while on-site, and may then hold interviews with key personnel at the firm. On April 15, 2014, OCIE launched its inaugural Cybersecurity Examination Initiative as part of its effort to “assess cybersecurity preparedness in the securities industry.” OCIE then sent questionnaires to, and conducted cybersecurity examinations of, 57 broker-dealers and 49 investment advisers. These initial examinations were designed to discern basic distinctions in the level of preparedness among the examined firms and focused on cybersecurity governance, network and information security policies and procedures, vendor management policies, and online customer access. After completing its initial cybersecurity examinations, OCIE released a Risk Alert summarizing its observations, including the percentage of broker-dealers and advisers that (i) experienced cyberattacks (88 percent and 74 percent, respectively); (ii) maintained written information security policies (93 percent and 83 percent); (iii) conducted risk assessments (94 percent and 79 percent); and (iv) incorporated cybersecurity into vendor risk management (72 percent and 24 percent). Although the SEC did not provide any commentary when it published its observations (other than to say it will continue to focus on cybersecurity using risk-based examinations), the alert suggested that certain policies and practices are emerging as industry standards.

State Data Breach Notification Requirements Specifically Applicable to Insurers

Posted in Data Breach Notification Laws, Data Breaches

Almost all U.S. states and territories have enacted breach notification laws requiring private and/or government entities to notify individuals when their personal information is compromised. These laws vary, and much has been written about the challenges caused by the differences, including who must comply with the law (e.g., persons, businesses, information brokers, government entities, covered entities); definitions of “personal information” (e.g., first name or first initial and last name combined with a Social Security number, driver’s license or state ID, financial account numbers, or health information); what constitutes a breach (e.g., unauthorized acquisition of data or access to data, risk of harm); requirements for notice (e.g., timing or method of notice and who must be notified); whether notification of a state regulator (e.g., attorney general’s office) is required; and exemptions (e.g., for encrypted information). We have created a chart describing each law as well as a chart summarizing key issues. Separate and apart from these laws, nine states—California, Connecticut, Maine, New Hampshire, Ohio, Rhode Island, Vermont, Washington, and Wisconsin—have breach notification requirements that specifically apply to insurers. These breach notification requirements also vary and are discussed in detail below.

California. Under California Civil Code § 1798.82, any entity conducting business in California that owns or licenses computer data that includes personal information must disclose any data security breach to California residents whose unencrypted personal information “was, or is reasonably believed to have been, acquired by an unauthorized person.” Under that same statute, any entity required to notify more than 500 California residents must also notify the attorney general of the state of California. On May 16, 2014, in a notice later updated on February 5, 2015, the California Insurance Department requested that all insurers, insurance producers, and insurance support organizations provide the insurance commissioner with copies of any notices or information submitted to the attorney general’s office.[1] Copies of notices must be sent to the California Department of Insurance, Attention Susan Bernard, Division Chief, Field Examinations, 45 Fremont Street, 24th Floor, San Francisco, California 94105; e-mail:

Connecticut. On August 10, 2010, the Connecticut Insurance Department issued Bulletin IC-25 to all licensees and registrants of the department, including insurance producers, public adjusters, bail bond agents, appraisers, certified insurance consultants, casualty claim adjusters, property and casualty insurers, life and health insurers, healthcare centers, fraternal benefit societies, captive insurers, utilization review companies, risk retention groups, surplus line companies, life settlement companies, preferred provider networks, pharmacy benefit managers, and medical discount plans.[2] Bulletin IC-25 requires all registrants and licensees to notify the department of any information security incident that affects any Connecticut residents. “Information security incident” is broadly defined as “any unauthorized acquisition or transfer of, or access to, personal health, financial, or personal information, whether or not encrypted, of a Connecticut insured, member, subscriber, policyholder, or provider, in whatever form the information is collected, used or stored, which is obtained or maintained by a licensee or registrant of the Insurance Department, the loss of which could compromise or put at risk the personal, financial, or physical well-being of the affected insureds, members, subscribers, policyholders or providers.” The requirement to notify the department even when the information is encrypted is contrary to most existing breach notification laws, including Connecticut’s own breach notification law, which exempts encrypted data.

Court Dismisses TCPA Claim Against WhisperText Where Text Messages Sent at App Users’ Direction

Posted in Mobile Privacy

Last week, in McKenna v. WhisperText et al., No. 5:14-CV-00424-PSG, 2015 WL 428728 (N.D. Cal. Sept. 9, 2015), the U.S. District Court for the Northern District of California dismissed a purported Telephone Consumer Protection Act (“TCPA”) class action on grounds that the plaintiff failed to allege that the defendant used an Automatic Telephone Dialing System (“ATDS”). The ruling is one of the first to consider the human intervention issue following the issuance of the FCC’s July 2015 omnibus TCPA order (“2015 Order”), which we previously discussed here.

Under the TCPA, it is “unlawful for any person … (A) to make [or initiate] any call … using [an ATDS] … to any telephone number assigned to a … cellular telephone service” without prior express permission. 47 U.S.C. § 227(b)(1). An ATDS is defined as “equipment which has the capacity–(A) to store or produce telephone numbers to be called using a random or sequential number generator; and (B) to dial such numbers.” Id. at § 227(a)(1). The FCC has interpreted calls to include text messages and that an ATDS must have the capacity to dial numbers without human intervention. The 2015 Order rejected any formal test for establishing human intervention and rather advocated that courts evaluate human intervention on a case-by-case basis. The 2015 Order also clarified that the maker or initiator of a text message may be a third party and that courts should consider the totality of the circumstances to determine: (1) who took the steps necessary to physically place the text; and (2) whether another person or entity was so involved in placing the text as to be deemed to have made it, considering the goals and purposes of the TCPA.

Incident Response Practice Tip: Balance Meeting Breach Notification Deadlines With Securing Your Network

Posted in Breach Notification, Data Breach Notification Laws, Incident Response

State breach notification statutes are being amended on almost a monthly basis. Several laws have, or will soon have, a mandatory deadline for notifying affected individuals after discovery of the incident. Washington’s new law, which went into effect on July 24, includes a 45-day deadline for notification but goes further to allow for extra time “to determine the scope of the breach and restore reasonable integrity of the data system.” This is an excellent approach to a difficult issue. Many legislators believe that the “law enforcement delay” provisions in most breach notification statutes are sufficient to allow a company to delay notification when appropriate; however, the reality is that in the vast majority of incidents law enforcement is reluctant to state in writing that public notice of the incident would impede its investigation.

A company may want to rush to provide notification, fearing it will be criticized for moving too slowly by the press, regulators, and customers. Unfortunately, this pressure results in many incident response teams making the fatal mistake of not conducting a proper investigation, not properly containing the incident and remediating affected systems, and making public statements that may not be accurate when the investigation is actually finished (causing the company to update their message and sometimes lose the confidence of their customers, stakeholders, and regulators).

If a company believes that its credibility will be impacted if it does not notify “immediately,” it should consider that rushing to announce a breach “to be transparent” can result in mistakes potentially more costly than poor communications and not having mitigation services in place. According to Ann Barron-DiCamillo, a director of the Department of Homeland Security U.S. Computer Emergency Readiness Team, companies should call in outside experts to help extricate the attackers and block them.