Data Privacy Monitor

Commentary on Data Privacy & Information Security Subjects

As FCC Flexes New Consumer Protection and Privacy Regulatory Enforcement Muscles Against ISPs, Some Call for Expanded Authority Over Online Services

Posted in Big Data, Information Security, Mobile Privacy

The Federal Communications Commission (FCC) has imposed a record $100M forfeiture fine against a global telecommunications company for alleged deceptive data plan promotions. The FCC’s fine comes on the heels of revisions to its 2010 Open Internet rules that expanded its enforcement authority over “telecommunications service” providers to cover broadband Internet service providers (ISPs). Under this expanded authority the FCC is expected to continue to pursue enforcement actions against telecommunications service providers not only for deceptive business practices, but increasingly to enforce data privacy and security principles against telecommunications service providers that collect certain data on their customers, as illustrated by the $35M in aggregate fines issued by the FCC against TerraCom, Inc., YourTel America, Inc., and a global telecommunications company in the past year. Consumer groups are calling for the FCC’s authority to be expanded even further to those companies that offer services, products, and applications over broadband Internet service – “edge providers” – such as Facebook, Google, and Amazon. The expansion of the FCC’s enforcement authority to ISPs and potential expansion to edge providers, coupled with its ability to levy fines, suggests that the FCC has the potential to emerge as a major enforcer in the privacy and online consumer protection arena, usurping power traditionally reserved for the primary regulator of online advertising, privacy, and data security – the Federal Trade Commission (FTC).

FCC Expands Its Role

In its most recent and significant enforcement action, the FCC alleged that a global telecommunications company (“Company”) violated its 2010 Open Internet Transparency Rule by offering customers an “unlimited” mobile broadband data plan without clearly disclosing that connection speed would be reduced by up to 20 times its normal speed if the customer used more than 5 GB of data in a billing cycle. The FCC found the Company’s disclosures were deceptive and inadequate to allow customers to make an informed decision and imposed a $100M forfeiture on the Company “as a deterrent to future violations.” At a minimum, the fine evidences the FCC’s most important power that is distinct from that of the FTC – a broader ability to levy fines.

Canada Moves Forward with Mandatory Federal Security Breach Notification Law

Posted in Data Breach Notification Laws, International Privacy Law

On June 18, 2015, the Canadian Minister of Industry announced that the Digital Privacy Act, which amends Canada’s foundational Personal Information Protection and Electronic Documents Act (PIPEDA), has received royal assent and is now law. Although the Act contains a number of provisions that are likely to impact organizations doing business in Canada, certain key features—notably, the security breach notification requirements—will not come into effect until regulations are issued by the Canadian government.

Pursuant to amendments contained in the Digital Privacy Act, organizations will be required to notify the Privacy Commissioner and affected individuals of “any breach of security safeguards involving personal information under [the organization’s] control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.”

  • The Act’s definition of “significant harm” is broad and includes “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.”
  • Factors to be considered when assessing the risk of “significant harm” to an individual include the sensitivity of the personal information at issue and the probability of that information being misused.

FTC Clarifies Native and Online Ad Obligations

Posted in Marketing, Retail Industry, Social Media

The FTC, in recent staff statements, has sought to clarify advertisers’ and publishers’ obligations regarding native advertising and social media promotions, particularly regarding when and how to clarify to readers that a message is promotional and that the speaker has a material connection to the brand mentioned in the content. Further, the FTC has announced that in a departure from its historical approach to publisher liability, it will be holding publishers who are involved in creating native advertising as equally liable as the advertiser since they are going beyond mere distribution by creating or co-creating the content. This new guidance was in the form of new FAQs published on the FTC’s website and in a recent speech by a senior FTC lawyer to an ad industry trade conference.

On June 1, 2015, the Federal Trade Commission (FTC) staff updated its Frequently Asked Questions (FAQs) guidance to the FTC’s 2009 revised Endorsement Guidelines (Guidelines). The FTC’s latest update provides helpful comment on how to apply the agency’s endorsement guideline standards to evolving forms of digital marketing and promotion.

Connecticut May Become First State to Require Identity Theft Protection

Posted in Data Breaches, Identity Theft

A bill currently before Connecticut Governor Dannel P. Malloy would make the state the first in the nation to require identity theft protection for data breach victims. Senate Bill 949 was approved by both the Connecticut Senate and House on June 1, 2015. If passed, it would amend existing state law to require companies to provide at least one year of free identity theft protection to victims of data breaches involving personal information. The law does not explicitly state the type of protections businesses must offer. Connecticut Attorney General George Jepsen has stated he will continue to seek up to two years of identity theft protection for breaches of “highly sensitive information,” including Social Security numbers.

The law would also require businesses to notify affected Connecticut residents and the Connecticut attorney general within 90 days of discovery of a breach. This would clarify the existing law, which requires companies to notify victims only “without unreasonable delay.” This would make Connecticut only one of six states (the others being Florida, Iowa, Louisiana, Vermont, and Washington) to explicitly state a time period for breach notification.

If passed, the law would go into effect October 1, 2015. Connecticut would be the fifth state to make significant changes to its data breach notification laws this year, following Montana, Nevada, North Dakota, and Washington.

Deeper Dive: Healthcare Incidents Involving More Than 500 Individuals Are Investigated 100 Percent of the Time

Posted in HIPAA/HITECH, Incident Response, Medical Privacy

We have released the inaugural BakerHostetler Data Security Incident Response Report, which provides insights generated from the review of more than 200 incidents that our attorneys advised on in 2014. The report confirms the prevalence of healthcare data breaches stemming from the implementation of the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Health Insurance Portability and Accountability Act (HIPAA) Omnibus Rule. Since healthcare organizations and their business associates are required to notify affected individuals in the event of a breach under HIPAA, we continue to see a high frequency of healthcare breaches in the report. While healthcare incidents are disclosed more frequently due to the presumption of a breach under the HIPAA Omnibus rule, the severity when measured by number of affected individuals is often low, with many incidents affecting fewer than 10 people.

Our experience in healthcare breaches is that the causes run the gamut. They may be paper breaches caused by employee negligence, the loss or theft of unencrypted electronic devices, insider theft of patient information, phishing, or malware. The report confirmed the trend, which has continued into 2015, of healthcare organizations being the target of sophisticated phishing email campaigns: some resulted in the rerouting of physician paychecks, some in the exfiltration of large volumes of patient data, and others in emails that were accessed or viewed but not acquired. This year, we have continued to see phishing as the entry point into healthcare organizations and expect it to continue since it is difficult to prevent. Healthcare organizations are encouraged to continuously educate their staff on phishing emails and their impact, and to put in place technical safeguards to protect against such attacks.

An Ounce of Prevention Is Better (and Cheaper) Than a Pound of Cure: It’s time for a data protection checkup.

Posted in Cybersecurity, Incident Response, Information Governance, Online Privacy

We recently released the first BakerHostetler Data Security Incident Response Report, which provides insights generated from the review of more than 200 incidents that our law firm advised on in 2014. The report shows that human error was the number one cause of data security incidents we worked on last year, with employee negligence responsible for incidents 36 percent of the time. Other leading causes were theft by outsiders (22 percent), theft by insiders (16 percent), malware (16 percent), and phishing attacks (14 percent). Yesterday, Randy Gainer explained how to use information security assessments to identify and mitigate security vulnerabilities. However, as our report demonstrates, preventing unauthorized access is just part of the solution. Further, our report is limited to security incidents and does not even address data privacy and data hygiene (retention and destruction) issues. To fully address data privacy and security, companies should develop a comprehensive Information Governance (IG) program for managing their data. This blog post will outline a 10-step process to develop and maintain an IG program by (1) Identifying Data Assets; (2) Conducting Privacy and Security Assessments; (3) Regularly Reassessing; (4) Identifying Responsive and Mitigating Measures; (5) Implementing the Measures; (6) Monitoring the Operation and Evaluating the Effectiveness of the Program; (7) Conducting Education and Training; (8) Addressing Data in the Hands of Third Parties; (9) Preparing for Incidents; and (10) Considering Insurance. IG programs mature over time, but if your organization is not committed to developing and maturing an IG program, it will be inadequately prepared for the inevitable data privacy and security incidents that it will incur. Conversely, starting the process of good IG management will reduce the likelihood of incidents and better prepare a company for addressing them when they occur.

YouTube Offers Owners Way to Age-Restrict Content

Posted in Children’s Privacy

Earlier this year Google launched an app called YouTube Kids, which it describes as offering “popular children’s programming, plus kid-friendly content from filmmakers, teachers, and creators all around the world.” See About YouTube Kids. In addition to limiting data collection and interest-based advertising to comply with the Children’s Online Privacy Protection Act, YouTube explains that it makes efforts to limit the content available to what is age-appropriate for “younger audiences” through “a mix of automated analysis, manual sampling, and input from our users to categorize and screen out videos and topics that may make parents nervous.” However, they explain that this will not be completely effective, and concerned parents may want to disable the content search function in a parental settings section.

National advertisers are obligated under the industry self-regulatory rules administered by the Children’s Advertising Review Unit (CARU) of the Advertising Self-Regulatory Council not to distribute advertising inappropriate for children under 12 or via sites or services directed to children. Google recently informed CARU that it has launched a new tool that can be used by advertisers and other content owners that upload content to YouTube to alert YouTube not to make that content available to users of YouTube Kids, including through its YouTube search function. Content owners can submit a request to have content removed from YouTube Kids.

A Deeper Dive: Risk Assessments Are a Necessary Step in Creating Layered Cyber Defenses

Posted in Cybersecurity, Incident Response, International Privacy Law

We have released the inaugural BakerHostetler Data Security Incident Response Report, which provides insights generated from the review of more than 200 incidents that our attorneys advised on in 2014.

Tens of thousands of cyber attackers employed by the Chinese People’s Liberation Army, and other employees and contractors of the Chinese Ministry of State Security, work diligently every day to steal information from U.S. businesses. Attackers from Russian and Eastern European organized crime groups also extract valuable personal and commercial data from U.S. corporate networks. Together these groups steal terabytes of valuable data from U.S. businesses each year, including hundreds of millions of records about U.S. residents.

If Chinese soldiers and spies, and Russian and European organized crime gangs, were physically breaking into U.S. corporate offices and stealing valuable physical property, corporate boards and managers would make sure that enough barriers and guards were deployed to defend the company’s property. Many business leaders fail, however, to ensure that their cyber defenses are adequate to defend against cyber thieves.

Lost, Unencrypted Laptop Leads FINRA to Fine a Broker-Dealer $225,000 for Violating Reg S-P

Posted in Cybersecurity

With the recent focus by the SEC and FINRA on cybersecurity for broker-dealers and investment advisers as a backdrop, FINRA recently brought and settled an enforcement action under SEC Regulation S-P against broker-dealer Sterne, Agee & Leach, Inc. The case arose from a May 2014 incident in which a Sterne information technology employee inadvertently left an unencrypted laptop in a restroom and it was lost. The laptop is believed to have contained account numbers, names, addresses, and in some cases tax identification numbers for over 352,000 clients. FINRA’s Acceptance, Waiver and Consent charging and settlement document (“AWC”), and comments by senior FINRA executives last week at FINRA’s annual conference, demonstrate that FINRA’s focus was the failure of Sterne’s supervisory system, not the actions of the individual employee.

Rule 30 of Reg S-P provides that every broker and dealer “must adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information. These written policies and procedures must be reasonably designed to (1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.”

A Deeper Dive: Regulatory Investigations Following a Reported Breach

Posted in Breach Notification, Incident Response, Information Security

In our inaugural Data Security Incident Response Report (the Report), we found that regulators inquired about a company’s breach 31% of the time and multi-state Attorneys General investigations were launched less than 5% of the time.

A post-breach investigation is not guaranteed. Certainly, in large, highly public incidents, companies can expect at least an inquiry if not a full-blown investigation. A second exception is the healthcare industry. In large breaches, which the Health Insurance Portability and Accountability Act (HIPAA) defines as those affecting more than 500 people, healthcare companies and their business associates can expect an in-depth investigation. In other cases, and outside of healthcare, if the company displays a willingness to cooperate and a desire to be transparent, and it is apparent that the incident was taken seriously and reviewed at the C-suite level, oftentimes the inquiry is short-lived. One of the ways a company can achieve this is by being prepared to answer the following questions:

  1. What happened?
  2. How did it happen?
  3. Has it been contained?
  4. What is being done to protect the individuals affected?
  5. What is being done to help stop this from happening in the future?