Data Privacy Monitor

Commentary on Data Privacy & Information Security Subjects

Iowa Breach Notification Law Now Requires AG Notification, Applies to Paper Records

Posted in Breach Notification, Data Breach Notification Laws, Data Breaches, Identity Theft, Information Security

Iowa recently joined an increasing number of states that require notification of state regulatory authorities following a breach, as well as a handful of states in which paper records can trigger notification obligations.  On April 3, 2014, Iowa Governor Terry Branstad signed S.F. 2259 into law, amending Iowa’s Personal Information Security Breach Protection statute (Iowa Code §§ 715C.1–715C.2) to require that written notice be provided to the director of the consumer protection division of the office of the Iowa Attorney General regarding a breach of security affecting 500 or more Iowa residents no later than five business days after providing notice of the breach to any affected Iowa residents under the statute.  S.F. 2259 also expands the scope of the statute’s definition of the term “breach of security” to include unauthorized acquisition of personal information “maintained by a person in any medium, including on paper, that was transferred by the person to that medium from computerized form.”  Further, S.F. 2259 clarifies that “personal information” includes information that is encrypted, redacted, or otherwise altered such that it is unreadable if the keys to unencrypt, unredact, or otherwise read the information have also been obtained through a breach of security, and specifies that an individual’s financial account number, credit card number, or debit card number in combination with a required “expiration date” or other password or security code that would permit access to an individual’s financial account can qualify as personal information capable of triggering notification obligations.

These changes take effect July 1, 2014.

For additional information regarding data breach notification statutes enacted in the United States and worldwide, please refer to BakerHostetler’s State-by-State Survey of Data Breach Notification Laws; Key Issues in State Data Breach Notification Laws; and International Compendium of Data Privacy Laws, all of which are available at www.dataprivacymonitor.com.

Kentucky Enacts Data Breach Notification Statute

Posted in Breach Notification, Data Breach Notification Laws, Data Breaches, Education, Information Security, Privacy

On April 10, 2014, Kentucky Governor Steve Beshear signed H.B. 232 into law, making Kentucky the 47th state to enact data breach notification legislation.  Prior to H.B. 232, Kentucky was one of only four states—including Alabama, New Mexico, and South Dakota—that had not adopted data breach notification legislation.  H.B. 232 also includes a separate section addressing the protection and processing of student data by cloud computing service providers.

Data Breach Notification

A summary of H.B. 232’s data breach notification provisions, which generally mirror the statutes enacted in the other 46 states, as well as the District of Columbia, Guam, Puerto Rico, and the Virgin Islands, is provided below.

Information Covered

H.B. 232 covers “personally identifiable information,” which is defined as an individual’s first name or first initial and last name in combination with one or more of the following data elements when the name or data element is not redacted: (1) Social Security number; (2) driver’s license number; or (3) account number, credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account.  H.B. 232 does not apply to paper records—only unencrypted, unredacted computerized data.

Persons/Entities Covered

H.B. 232 applies to an “information holder,” which is defined as any person or business entity that conducts business in Kentucky.  H.B. 232 does not apply to any person or entity subject to Title V of the Gramm-Leach-Bliley Act, any person or entity subject to HIPAA, or any Kentucky agencies, local governments, or political subdivisions.  In addition, any information holder that maintains its own notification procedures as part of an information security policy that is otherwise consistent with H.B. 232’s timing requirements is deemed to be in compliance with H.B. 232 so long as affected residents are notified in accordance with the policy.

Notification Trigger

Notification under H.B. 232 is triggered on a “risk of harm” basis.  Specifically, H.B. 232 defines a “breach of the security of the system” as the unauthorized acquisition of unencrypted, unredacted computerized data that compromises the security, confidentiality, or integrity of personally identifiable information maintained by the information holder as part of a database regarding multiple individuals that causes or leads the information holder to believe has caused or will cause identity theft or fraud against a Kentucky resident.  Upon notification or discovery of a breach of the security of the system, an information holder must notify any resident of Kentucky whose unencrypted information was or is reasonably believed to have been acquired by an unauthorized person.

Notification Content and Method

H.B. 232 does not include any specific notification content requirements.  Notification may be provided in writing, or, if the information holder can demonstrate that the cost of providing notice would exceed $250,000, that the number of individuals to be notified exceeds 500,000, or that they do not have sufficient contact information for those affected, via substitute notice, which must include e-mail notification if the information holder has e-mail addresses for the affected individuals, a conspicuous posting regarding the incident on the information holder’s website, and notification to major statewide media.

Timing

Notification should occur “in the most expedient time possible and without unreasonable delay,” subject to the legitimate needs of law enforcement and any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

Regulatory Notification

H.B. 232 does not require notification to the Kentucky Attorney General or any other state regulatory authority.  However, if the information holder discovers circumstances requiring notification of more than 1,000 persons at one time, consumer reporting agencies must be notified without unreasonable delay.

Protections for Student Data in the Cloud

Section 2 of H.B. 232 is intended to address ongoing debate regarding how cloud computing service providers, such as Google, Facebook, or Microsoft, should handle the increasing amount of student data school districts maintain in the cloud, particularly in light of recently published findings from a Fordham Law School study highlighting security risks to cloud-based student data.

Specifically, Section 2 of H.B. 232 prohibits cloud computing service providers from processing “student data” for any purpose other than providing, improving, developing, or maintaining the integrity of their cloud computing services unless they receive express permission from the student’s parent.  H.B. 232 also prohibits cloud computing service providers from using student data in advertising and from selling, disclosing, or otherwise processing student data for any commercial purpose.  “Student data” is defined broadly as any information or material, in any medium or format, that concerns a student and is created or provided by the student in the course of the student’s use of cloud computing services or by an employee or agent of an educational institution, including a student’s name, e-mail address, e-mail messages, postal address, phone number, and any documents, photos, or unique identifiers relating to the student.  The term “processing” is also defined broadly to include use, access, collection, manipulation, scanning, modification, analysis, transformation, disclosure, storage, transmission, aggregation, or disposal of student data.  H.B. 232 does allow cloud computing service providers to assist educational institutions with research permitted under FERPA.

For additional information regarding data breach notification statutes enacted in the United States and worldwide, please refer to BakerHostetler’s State-by-State Survey of Data Breach Notification Laws; Key Issues in State Data Breach Notification Laws; and International Compendium of Data Privacy Laws, all of which are available at www.dataprivacymonitor.com.

With OpenSSL Compromised by Heartbleed, an Opportunity for Companies to Diversify Cyber Security Efforts

Posted in Data Breaches, Hacking

The recent discovery of the “Heartbleed” bug has sent shockwaves through the internet, causing companies and individuals alike to question very basic assumptions about cyber security. The bug has allegedly existed for the past two years and was only recently, and inadvertently, discovered by the software developer Codenomicon. Heartbleed undermines the protection provided by OpenSSL (Open Secure Sockets Layer), a software library that implements the SSL protocol and is most commonly used when a web browser needs to securely connect to a web server over the internet. OpenSSL encrypts the traffic, log-in credentials and content of communications transmitted over the internet. The error in OpenSSL makes it possible for hackers to read sensitive material out of a server’s memory, including the server’s private key and any other data held in memory at the time. This data can include customer information such as usernames, passwords, and credit card information. Access to this type of sensitive data creates a serious vulnerability because attackers can use it to decrypt past communications, steal critical data, and, in the case of a private key compromise, impersonate the associated server.

SSL has long been considered a necessary component of securing private data online. About two thirds of websites use OpenSSL, both to protect user data and to comply with existing privacy law frameworks. Many state data breach reporting laws and federal statutes, such as the Health Insurance Portability and Accountability Act (HIPAA), provide safe harbors for companies that can prove their data was properly encrypted. The FTC has also considered the SSL protocol to be necessary, as made clear in its recent settlement of a pair of enforcement actions against Fandango LLC and Credit Karma, Inc. for their failure to properly implement SSL encryption software.

With OpenSSL compromised, what is a company to do? The FTC’s response to the Heartbleed bug suggests that the SSL encryption protocol is still a necessary component of cyber security. It advises that companies affected by the bug complete the following steps:

  1. Update to the newest version of OpenSSL and reboot servers.
  2. Generate new encryption keys according to your systems’ instructions.
  3. Get a new SSL Certificate from a trusted certificate authority to signal to web browsers that your site is safe and secure.
  4. Notify your employees and customers. Once your systems have been secured, tell your employees and customers to change their passwords for any system that was affected. If they use the same passwords on any other sites, they should change those, too.
  5. Talk to your IT staff. Determine whether your websites, networks, or other applications use OpenSSL. Remember that even if your public website isn’t vulnerable, you might have other applications that are — like your email server.
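Step 5 is the one an IT team can start on immediately from a shell prompt. The script below is an added example, not part of the original post or of the FTC’s guidance: it checks whether an installed OpenSSL version string falls in the publicly documented affected range (OpenSSL 1.0.1 through 1.0.1f and the early 1.0.2 betas; 1.0.1g is the release that fixed the bug), and it lists running processes that have the libssl library mapped, which is how a mail server or another non-web application that uses OpenSSL shows up. The function names and the report format are my own.

```shell
#!/bin/sh
# Added example (not from the original post or the FTC): a first-pass OpenSSL
# inventory for one host. Affected range per the public Heartbleed advisory:
# OpenSSL 1.0.1 through 1.0.1f, plus the 1.0.2-beta pre-releases; 1.0.1g fixed it.

# heartbleed_affected_version VERSION
# Returns 0 (true) when VERSION is in the affected range, 1 otherwise.
# Accepts a bare version ("1.0.1e") or the full output of "openssl version"
# ("OpenSSL 1.0.1e 11 Feb 2013").
heartbleed_affected_version() {
    ver=${1#OpenSSL }        # drop the leading product name, if present
    ver=${ver%% *}           # keep only the version token, drop the build date
    case "$ver" in
        1.0.1|1.0.1[a-f])        return 0 ;;   # 1.0.1 .. 1.0.1f: affected
        1.0.2-beta|1.0.2-beta1)  return 0 ;;   # 1.0.2 pre-releases: affected
        *)                       return 1 ;;   # 1.0.1g and later, 1.0.0, 0.9.8: not affected
    esac
}

# processes_using_libssl
# Prints "PID command line" for every running process that has libssl mapped
# into its address space. Linux-only (reads /proc); prints nothing elsewhere.
# Run as root so that every process's maps file is readable.
processes_using_libssl() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -q 'libssl\.so' "$maps" 2>/dev/null; then
            pid=${maps#/proc/}
            pid=${pid%/maps}
            printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
        fi
    done
}

# Report for this host: the installed OpenSSL build, then live users of libssl.
if command -v openssl >/dev/null 2>&1; then
    installed=$(openssl version 2>/dev/null)
    if heartbleed_affected_version "$installed"; then
        echo "AFFECTED (upstream version in range): $installed"
    else
        echo "not in affected range: $installed"
    fi
else
    echo "no openssl binary on PATH; rely on the libssl process listing below"
fi
echo "processes with libssl mapped:"
processes_using_libssl
```

The version check is only a first pass: several Linux distributions shipped the fix as a patch on top of an older version number, so a host reporting 1.0.1e may already be fixed, and the distribution’s own security advisory is the authority. The process listing is the more useful half for step 5, because it catches applications that link OpenSSL without being a public website. Any host that was running an affected build at any point still needs steps 2 and 3 (new keys and a new certificate), since the bug allows the private key to be read.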

Companies should not, however, take this bug lightly. The potential for widespread harm from Heartbleed illustrates the vulnerability inherent in relying on a single software system for cyber security. Companies may want to use this as an opportunity to reassess their data security procedures and ensure that there are multiple layers of security in place. Diversifying the types of software used to protect data is the best way to safeguard against bugs in individual systems.

Additionally, in light of this massive security threat, the Justice Department and FTC recently released a joint policy statement allowing and encouraging the sharing of real-time data on cyber security threats and attack information, assuring companies that “as long as the information exchanged was limited to physical and cyber security issues, the proposed interdictions on price, purchasing and future product innovation discussions” will not be in violation of antitrust laws.

Ill Conceived California Privacy Bill Threatens Viability Of Commercial Educational Online Services

Posted in Education, Privacy

SB 1177, the Student Online Privacy Protection Act, was recently introduced in the California legislature.  This is a bad bill for the private educational industry, and ultimately for parents and students.  It would drastically expand the privacy protections of the Family Educational Rights and Privacy Act (FERPA) and its state equivalents, which impose reasonable limits on schools’ disclosure of student information, limits which schools then impose on their licensors (such as educational online services the school pays for and provides to students).  A CA Senate Committee Report summarizes FERPA and its exceptions, and other children’s and student privacy laws, and quotes the sponsor’s intent to “close loopholes” so as to also capture services that are merely “marketed to teachers” or “marketed for school purposes”.  This bill would seem to effectively preclude data collection and use for commercial purposes (other than site operation) by K-12 educational sites and services, even if not licensed by schools.  While the intent seems arguably narrower, “designed and marketed for K-12 School purposes”, that term is vague and undefined, and every educational site or service could potentially be caught up in it, even if it never licenses to a school or intentionally promotes itself to schools or educators.  It also applies to secondary services like social media plug-ins.  It further bans ads.  In addition, there is not even an ability for parents to consent.  The ultimate result could be less, or at least more expensive, educational content available for parents and their children to supplement what online services schools can afford to license themselves.  This will have a disproportionate effect on public school students and middle class and low income families.  Presumably, that is not the goal of the author.

CA passed a minors’ privacy bill last year, also introduced by this bill’s author, President Pro Tem Steinberg, which prohibits knowingly advertising age-restricted products to minors and gives minors the right to have their own social media posts removed upon request.  That law goes into effect January 1, 2015.  So, there is real risk that this bill could get passed.  Hopefully, if it cannot be killed, there can be a parental consent exception, and that consent can be a condition of use where schools are not the parties licensing the service.  BakerHostetler represents companies that provide educational online services to children and students, both through schools and independently to parents, and is working with industry to respond to this bill.  For more information on how you can support that effort, contact the author.

Privacy Law in a Nutshell

Posted in Cybersecurity, Federal Legislation, Information Security, International Privacy Law, Marketing, Privacy

BakerHostetler Privacy and Data Protection Partner Erica Gann Kitaev is a co-author of the recently published Privacy Law in a Nutshell, Second Edition, through West Academic Publishing.

Legal issues related to privacy are exploding in the U.S., and virtually all businesses face privacy considerations, particularly as technology and the law evolve.  The Privacy Nutshell is an excellent introductory guide to privacy law.  The book is a concise summary of privacy law from its constitutional origins, to its genesis in the early-19th century privacy torts, to the current sectoral privacy regime in the U.S., including laws such as GLBA, HIPAA/HITECH, and TCPA, to name a few.  In addition, the Privacy Nutshell provides an overview of the international privacy landscape, including discussion of the OECD guidelines, the EU Directive, and several other jurisdictions of interest to the US practitioner, including India.

The new edition of Privacy Law in a Nutshell was co-authored by Kitaev with Professor John T. Soma of the University of Denver Sturm College of Law, and fellow practitioner, Stephen P. Rynerson.  The long-running Nutshell series is a staple for both law students and practitioners looking for a concise, plain English introduction to any legal topic.  Privacy Law in a Nutshell is available through Amazon.

ONC’s Security Risk Assessment Tool Is Useful but Could Be Improved

Posted in HIPAA/HITECH, Privacy

The Office of the National Coordinator for Health Information Technology (ONC) released a Security Risk Assessment Tool (SRA Tool) on March 28.  According to the User Guide for the SRA Tool (available here), the Tool is designed to help small and medium-sized healthcare practices “evaluate risks, vulnerabilities, and adherence to the HIPAA Security Rule.”  User Guide, 1.  ONC defines small and medium-sized practices as those including 1-10 healthcare providers.  Id.  The SRA Tool can be downloaded from the HealthIT.gov website here.  ONC asks that users submit comments here by June 2 to help improve the Tool.

The SRA Tool is impressive in many ways.  It downloads quickly, includes information about each Security Rule requirement it evaluates, provides useful definitions of key words and phrases, stores and retrieves information quickly, and produces reports that can be exported in .pdf and Excel formats.  The challenges of developing well-working software should not be minimized.  (Consider the initial rollout of the healthcare.gov website.)  ONC should be recognized for building a well-functioning tool.

The User Guide for the Tool notes that a provision of the HIPAA Security Rule, 45 CFR 164.308(a)(1)(ii)(A), requires covered entities and business associates to conduct risk assessments of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.  User Guide, 2.  The Guide states that the purpose of the SRA Tool is to support the risk assessment process.  Id.

The Guide cautions, however, that using the Tool does not guarantee compliance with the Security Rule and that “[s]tatements of compliance are the responsibility of the covered entity and the HIPAA Security Rule regulatory and enforcement authority.”  Id.

The HHS Office for Civil Rights’ recent HIPAA enforcement actions show that it intends to enforce the risk assessment requirement:  OCR’s settlements in several recent matters include references to covered entities’ failure to conduct risk assessments and the settlement amounts imposed by OCR presumably take into account potential fines that the agency could have imposed for the entities’ failure to perform risk assessments.  See, e.g., Adult and Pediatric Dermatology (Dec. 24, 2013); Affinity Health Plan (Aug. 7, 2013); Idaho State University (May 13, 2013); Hospice of Northern Idaho (Dec. 31, 2012); and Massachusetts Eye and Ear Infirmary (Sept. 17, 2012).  If small and midsized healthcare practices use the Tool in good faith and document their use of the Tool, they should be able to demonstrate they complied with the risk assessment requirement.

The ONC suggests that covered entities will need to do more to meet all their responsibilities under the Security Rule than simply to complete reports using the Tool.  For example, if the Tool shows that a healthcare practice has not complied with a Security Rule requirement, the practice must take steps to correct that non-compliance.  If the healthcare practice fails to do so and OCR has reason to investigate the healthcare practice, perhaps in response to a patient complaint following a data breach, reports generated by the Tool could be used to show the practice knowingly failed to address noncompliance with a Security Rule requirement.  Although the Tool cannot help a covered entity comply with all HIPAA Security (or Privacy) Rule requirements, it provides a user-friendly mechanism to conduct a form of a HIPAA Security Rule risk assessment.

The risk-rating features of the SRA Tool, however, need to be improved.  The Tool allows users to rate as “Low,” “Medium,” or “High” the “Likelihood of harm” and the “Impact of harm” related to each Security Rule requirement the Tool evaluates.  Yet the Tool offers incomplete guidance regarding why the risks associated with each requirement should fall into the “Low” category as opposed to the “Medium” or “High” category.  Users are left to guess whether failing to comply with a requirement would have a low, medium, or high likelihood of affecting the confidentiality, integrity, or availability of ePHI, and whether the impact of such an effect would be “Low,” “Medium,” or “High.”

For example, SRA Tool question T34 asks:

§164.312(d) – Required

Does your practice have policies and procedures for verification of a person or entity seeking access to ePHI is the one claimed?

Yes □ No □ Flag □

The “Threats and Vulnerabilities” information included for this question states:

Some potential impacts include:

• Human threats, such as an unauthorized user, can vandalize or compromise the confidentiality, availability, and integrity of ePHI.

• Unauthorized disclosure (including disclosure through theft and loss) of ePHI can lead to identity theft.

This information does not identify recognized threats, such as “An employee or contractor without authorization to access ePHI may access and copy confidential information, such as patients’ insurance or payment information, and use the information to commit insurance fraud or to make fraudulent charges on patients’ accounts.”

Threat-based risk assessments, such as those described in NIST SP 800-30, include a step that requires users to determine which threats are most likely to impact the business and which threats would be most harmful to the business.  Such threat-based assessments help users prioritize remediation efforts.  Resources to counter threats (and risks) to ePHI are limited, of course, especially for small and medium-sized healthcare entities such as those for which ONC intends the Tool.  If the SRA Tool gave more guidance about how to rate the likelihood and impacts of harm, e.g., by explaining the threats and impacts each Security Rule provision is intended to address, the risk ratings would better serve their purpose.  Although the Tool currently allows users to generate colorful charts showing the number and relative amounts of “Low,” “Medium,” and “High” risks, the lack of guidance in the Tool regarding how to apply the ratings will cause the charts to have little meaning.

The SRA Tool does not enable a threat-based approach and instead suggests that an entity must focus equally on all of the Security Rule requirements identified in the Tool.  The text reports generated by the Tool, which are stated in the sequence of Security Rule requirements, reinforce this suggestion by listing whether the entity is in compliance with the listed Security Rule requirements rather than showing which real-world threats to ePHI are most likely to cause harm to the entity and its patients.

In short, the current version of the SRA Tool will provide an efficient way for small and medium-sized healthcare practices to gauge their compliance with the Security Rule requirements included in the Tool.  The risk-rating features of the Tool should be improved by identifying threats to ePHI to help entities prioritize their remediation efforts.

Healthcare entities and other businesses that plan to conduct information security risk assessments should consult their information technology managers, information security officers, and the heads of the business units that process and store sensitive data.  These individuals should know where confidential data is stored and where it is most vulnerable.  The company’s general counsel should also be included in planning the assessment.  A lawyer who is a Certified Information System Security Professional (CISSP) can be a valuable member of the team to guide the assessment, to retain technical consultants to perform penetration tests and vulnerability scans, to provide confidential legal advice regarding potential liability related to assessment findings, and to help plan security improvements needed to address any gaps identified in an assessment.

FTC Says That Sponsors of Pinterest Contests Should Require Users to Post Pins with Hashtags Warning When Pins are Posted for a Prize

Posted in Marketing, Social Media

In a March 20, 2014 closing letter sent to fashion company Cole Haan, the FTC warned that use of the hashtag #WanderingSole in conjunction with a recent Pinterest contest did not adequately communicate the “material connection” between Pinterest contestants and Cole Haan and violates Section 5 of the FTC Act. Although the FTC declined to bring an enforcement action against Cole Haan, the findings of the letter have important implications for brands running contests and promotions on social media.

Cole Haan’s contest rules instructed contestants to create Pinterest boards titled “Wandering Sole” and pin five Cole Haan shoe images to the board. Contestants were also required to post their “favorite places to wander” and include the hashtag #WanderingSole in each pin description. The most creative qualifying entry would receive a $1,000 shopping spree from Cole Haan.

In the FTC’s closing letter, the FTC found that each Pinterest board was in fact an endorsement of Cole Haan products. Prior to sending the closing letter, the FTC had conducted an investigation into whether Cole Haan’s contest violated Section 5 of the FTC Act by soliciting these entries. Pursuant to its authority under Section 5 of the FTC Act, the FTC requires the disclosure of any material connection between a marketer and an endorser when their relationship is not otherwise apparent. According to the FTC, the financial incentive to pin Cole Haan products (i.e. the $1,000 prize) was a material connection between Cole Haan and contestants. The FTC stated that it did not believe that the use of “#WanderingSole” adequately disclosed this material connection to others who may view the entry boards.

Ultimately, the FTC declined to bring an enforcement action against Cole Haan. The FTC cited, among other considerations, the fact that the FTC had yet to publicly address whether an entry into a contest is a form of material connection or whether a pin on Pinterest may constitute an endorsement.

Although the FTC did not bring an enforcement action in this case, it has now given clear notice to the business community on this issue. It is likely that the FTC will pursue enforcement actions against brands that fail to adequately disclose such material connections in the future. Accordingly, brands running contests on social media should be cautioned to clearly and conspicuously display contest rules and notices on any social media pages where they host and promote their contests. Further, brands may be advised to include the word “contest” or “sweep” in any hashtags associated with their sweepstakes or contest entries.

For more information on complying with the FTC’s rules on endorsements, see the FTC’s revised Guides Concerning the Use of Endorsements and Testimonials in Advertising.

License to Hack? DOJ Seeks Expanded Authority to Use Hacking Techniques

Posted in Hacking

As part of its increased focus on combating cybercrime, the U.S. Department of Justice is pushing to loosen the requirements for obtaining search warrants so as to give its agents greater freedom to hack into the computers of criminal suspects.  Late last year, DOJ submitted a request to modify Federal Rule of Criminal Procedure 41, which governs the issuance of search warrants.  DOJ wants to be able to obtain a single warrant authorizing remote access searches of multiple computers or electronic storage media wherever they are located.  DOJ’s proposal would modify the current rule in two significant ways: (1) it would eliminate the territorial limitations on authorized searches to allow for searches outside of the district where the warrant is issued; and (2) it would require agents only to make “reasonable efforts” to notify a person whose property was searched or whose information was seized.

In pressing for the changes, DOJ cited three potential investigative problems caused by the current geographic limitation.  First, DOJ pointed to the difficulty of locating a computer believed to contain evidence of a crime when the user employs anonymizing tools to disguise the computer’s IP address.  A warrant for a remote access search under the proposed rule would enable an agent to send an email to the computer and remotely install software on the device receiving the email, which would allow the agent to determine the true IP address.  Second, in an investigation involving multiple computers in various locations, such as a “botnet,” the proposal would eliminate the need for agents to obtain multiple warrants in the numerous different districts where the computers are located and would even allow for the remote search of networked computers in unknown locations.  Third, the proposed change would permit a search for electronic information accessible from a computer at a known location but stored remotely in another district. For example, under the amended rule, the government could obtain a warrant that allows agents searching a business to access cloud-based storage used by computers at that business.

Opponents of the rule change have raised both policy-based and constitutional concerns.  Among other issues, critics have argued that allowing for multiple-computer and multiple-district searches could lead to forum-shopping by the government and reduced judicial oversight of cybercrime investigations. Furthermore, by allowing for searches of unidentified computers at unknown locations, and for searches of multiple computers simultaneously, warrants issued under the proposed rule may nevertheless violate the Fourth Amendment.

DOJ’s proposal has now passed the first obstacle on its way to becoming law.  The proposed amendments have been approved (over a strenuous dissent) by a subcommittee of the Criminal Rules Committee.  The proposed rule is scheduled to be debated by the full Criminal Rules Committee of the Judicial Conference on April 7, 2014 before being opened for public comment.

The FTC Takes a Closer Look at Alternative Scoring Products

Posted in Online Privacy, Privacy

The Federal Trade Commission (“FTC”) hosted a panel discussion in late March on “Alternative Scoring Products” as part of its 2014 Spring Privacy Series, signaling the Commission’s increased attention on this burgeoning industry. The FTC has indicated that its “goal is to study what is happening in the alternative scoring space, what may be on the horizon and what potential privacy concerns these products may raise”. Alternative scoring products use consumer data to predict future products or services in which consumers may be interested. Predictive modeling is based on the concept that algorithms learn from data. While the FTC itself did not offer any guidance as to particular legislative or enforcement courses of action, the panel’s focus on privacy concerns further reinforces the idea that big data is an industry in which the FTC has shown increasing interest.  Representatives from public interest groups voiced concerns over the transparency of the data models used in alternative scoring products, while those from the data analytics industry reasoned that current privacy regulations and industry self-regulation provide the necessary oversight for data analytics.  All of the panelists agreed that the use of alternative scoring products is here to stay and will only become more prevalent in the future.

Public Interest Groups Want to “Peek in the Black Box”

One of the main concerns voiced by public interest groups was the lack of transparency of data used in data analytics models, and in alternative scoring technology in particular. Greater transparency, they reasoned, would demonstrate to the public and regulators that companies do not use alternative scoring in a discriminatory manner. While consumers may prefer advertisements that are more relevant to their needs and desires, public interest groups worry that predictive data analytic models may limit offers and opportunities to certain consumers due to the data used in those predictive models. Representatives from public interest groups contrasted new alternative scoring methods used by companies with the long-established credit score. The representatives cautioned that while the Fair Credit Reporting Act (“FCRA”) prohibits the use of discriminatory factors – i.e. race, religion, gender – in computing consumer credit scores, alternative scoring products may not fall under the law’s purview, and may escape regulation to the detriment of consumers. Consumer advocates were also concerned with the use of aggregate scores – information gathered on individuals from the communities in which they reside – to potentially deny opportunities to individuals based on the characteristics of their surroundings instead of individual characteristics.

The panel discussed the effects of predictive scoring by debating the findings of a Wall Street Journal investigation that studied whether online retailers varied offers or product pricing based on consumer information extracted from online profiles.  Some of the elements contained in the online profiles included web browser type, user location, and browsing history, amongst others.  The study found that certain retailers offered different prices for the same product based on the location of the consumer, and that some credit card companies presented different card offers based on differing user profiles.  Representatives from the data analytics industry countered that several factors affect pricing, including customer loyalty, which can decrease the prices paid by frequent customers.

Industry Groups Tout the Pro-Competitive Benefits of Predictive Analytics

Representatives of the data analytics community emphasized the ways in which predictive analytic tools can be used as a force for inclusion of consumers in the marketplace, rather than exclusion.  Panelists promoted the industry’s use of multiple sources of consumer data to better target consumers based on specific characteristics, leading to better consumer offers and increased competition to the benefit of consumers.  They also discussed how new data analytic technology can help detect fraud at an early stage by verifying the device a consumer uses in a transaction as his or her own.

Downplaying the discriminatory risks associated with alternative scoring products, industry representatives argued that the technology is used only for advertising purposes, and is not used to determine whether a consumer qualifies for a particular product. They also noted that many existing laws, including FCRA, the Health Insurance Portability and Accountability Act (“HIPAA”) and the Gramm-Leach-Bliley Act (“GLBA”), already regulate the field of predictive analytics, and argued for greater industry self-regulation, as opposed to the creation of new legislation.

A Look towards the Future of Alternative Scoring Products and Best Practices

Despite the panelists’ diverging views, one thing on which all agreed is that alternative scoring products are here to stay.  The tension between the convenience of targeted ads and the risk to consumer privacy remains, and is certainly on the FTC’s radar.  In a time of increased scrutiny on these tools, panelists proposed solutions and best practices:

  • Ensure existing predictive analytic tools are in compliance with existing privacy law frameworks.
  • Be especially cautious about the use of consumer data relating to health, finances, and children.
  • Create a privacy policy that is explicit and transparent in the ways in which consumer data will be used.
  • Be aware of the types of consumer data your company collects and ensure that data is not used to discriminate against certain groups of consumers.


BakerHostetler adds Privacy and Security Pro Randy Gainer to Privacy and Data Protection Team

Posted in Information Security

BakerHostetler is proud to announce that Randy Gainer has joined the firm as partner, resident in the Seattle office and practicing in the Intellectual Property Group, and as a key member of the Privacy and Data Protection team. Gainer’s practice focuses on data breach response, compliance counsel and risk assessment, and computer-related litigation involving intellectual property claims and contract disputes. He joins BakerHostetler from Davis Wright Tremaine.

Gainer has experience representing clients in all aspects of data breach response work, including counseling clients regarding their notification duties, responding to state and federal government investigations, and representing clients in litigation. As a Certified Information Systems Security Professional (CISSP), a globally recognized information security certification governed by the International Information Systems Security Certification Consortium, Gainer is uniquely positioned to conduct attorney-client privileged data security risk assessments and compliance reviews. He has advised banks, telecommunications companies, retail businesses, and hospital systems regarding compliance with computer network security laws, data breach notification statutes, and privacy requirements, and has helped businesses conduct information system risk assessments.

“This is proving to be a big year for our privacy team. Randy’s arrival follows three recent additions to what is already considered one of the leading security incident response and privacy teams in the country,” said Theodore Kobus, co-chair of BakerHostetler’s national Privacy and Data Protection practice team. “Our privacy team has the practical experience clients need to prepare for a data breach, regulatory investigation, or class action lawsuit. Recent breaches and enforcement actions have captured attention at the board level, and Randy’s credentials will be invaluable as we respond to their rapidly increasing compliance needs.”

Privacy and Data Protection Partner and practice Co-Chair Pamela Jones Harbour joined BakerHostetler’s Washington D.C. and New York offices in January, followed soon after by Counsel Eric Packel in Philadelphia. Earlier in March, the firm added well-known media convergence and privacy attorney Alan Friel to the firm’s Los Angeles office. BakerHostetler’s Privacy and Data Protection team has gained national attention for the quality and magnitude of its data breach work. In 2014, legal trade publication Law360 named the team a “Practice Group of the Year,” and in 2013, Kobus was one of only three attorneys named an MVP by Law360 for Privacy & Consumer Protection.

In addition to his breach response and compliance work, Gainer is experienced in advising tech companies on potential privacy issues related to new technologies under state and federal privacy-related statutes, including the Computer Fraud and Abuse Act, the Telephone Consumer Protection Act, and the Electronic Communications Privacy Act. He has also litigated software development disputes, including matters for the State of California and the State of Washington, and computer-related patent cases.

“Randy’s addition to the firm further demonstrates BakerHostetler’s commitment to expand legal services offered in the Seattle market,” said Michael J. Swope, partner-in-charge of the firm’s Seattle office. “Privacy compliance is a hot issue for high tech companies, and Randy’s experience will help us meet our clients’ needs.”

“I am very excited to join this well-recognized and thriving practice,” said Gainer. “This privacy team has the experience, momentum, and platform that feeds success and attracts clients.”

Gainer is a prolific speaker on data security best practices, reducing liability for data breaches, and security risks in emerging payment markets, as well as many other topics. He is a member of several data security professional organizations, including the Information Systems Security Association, the Cloud Security Alliance, ISACA (previously known as the Information Systems Audit and Control Association), and Agora, an organization of Northwest information security professionals. Gainer received his J.D., with honors, from Indiana University Maurer School of Law in 1981, and his B.A., with honors, in Political Science from University of California, Berkeley in 1978.