Data Privacy Monitor

Data Privacy Monitor

Commentary on Data Privacy & Information Security Subjects

Will Using “Apple Pay” Keep the Data Breach Away?

Posted in Data Breaches, Mobile Privacy

Recently Apple unveiled its latest iPhones and other new products. While the big screens on the new iPhones are making the splashy headlines, perhaps the most interesting reveal, from a data privacy perspective, is not a shiny gadget, but the new mobile payment service dubbed “Apple Pay”. Although mobile payment services aren’t new – Google introduced “Google Wallet” several years ago – Apple’s product has some interesting security features that could grab the attention of retailers and consumers, stung by recent large credit card breaches.

According to Apple, Apple Pay will use existing NFC technology (Near Field Communication), which enables contactless communication between devices. This allows an NFC capable smartphone to communicate with a merchant’s NFC compatible card reader to make a credit or debit card purchase. But will Apple Pay card transactions be secure?

Based on the information revealed thus far, there is a heavy emphasis on security in Apple Pay. To enable Apple Pay, the user scans their credit or debit cards into their iPhone. But the card number itself is not stored anywhere on the phone. Rather, a randomly generated and unique Device Account Number (DAN) is assigned in place of the card number, encrypted and stored in a separate chip called a secure element — which operates in a separate secure environment within the device.

Continue Reading

California Extends Deadline for Reporting Breaches to the CDPH from 5 to 15 Business Days

Posted in Data Breach Notification Laws, HIPAA/HITECH

On September 18, 2014, California Governor, Jerry Brown, signed Assembly Bill 1755 (“AB1755”) into law, amending breach notification provisions in the California Health and Safety Code applicable to licensed clinics, health facilities, home health agencies, and hospices. Under existing law, certain health care entities licensed by the California Department of Public Health (“CDPH”), including hospitals and clinics, are required to report any unlawful or unauthorized access to or use or disclosure of a patient’s medical information to the affected patient or their representative at their last known address and to the CDPH no later than five (5) business days after the unlawful or unauthorized access, use, or disclosure has been detected. The CDPH then has full discretion to consider all factors “when determining the amount of an administrative penalty” under the statute, including a penalty of $100 per day beyond the reporting deadline up to a maximum of $250,000 per reported event.

AB1755 extends the reporting deadline from five (5) business days to fifteen (15) business days after the unlawful or unauthorized access, use, or disclosure has been detected. AB1755 also allows entities to report the breach to affected patients or their representatives using alternative means, including email (pursuant to the patient’s written consent), or via confidential communication methods requested by patients under Section 164.522(b) of the HIPAA Privacy Rule. Finally, AB1755 adds language clarifying that the CDPH has full discretion to consider all factors “when determining whether to investigate [a reported incident] and the amount of an administrative penalty, if any,under the statute. These revisions are effective January 1, 2015. A redline demonstrating the revisions is available here.

Continue Reading

Mobilizing on Mobile Apps: The FTC’s Comment to the CFPB Signals its Priorities

Posted in Mobile Privacy

In recent months, the Federal Trade Commission (“FTC”) has been steadily ramping up its efforts to monitor, regulate, and provide best practice guidance in the rapidly expanding field of mobile applications. On September 10, 2014, the FTC issued a staff comment in response to the Consumer Financial Protection Bureau’s (“CFPB”) Request for Information on the issue of consumers’ use of mobile financial services, available here. This comment continues the FTC’s action in this space, which also includes increased enforcement action. For example, the recent Yelp! settlement following mobile app COPPA violation charges – for commentary seeYikes, Yelp! Targeted In FTC’s Stepped Up Enforcement of Children’s Privacy – General Audience Services Take Heed” and a series of FTC Reports, most recently, “What’s the Deal? An FTC Study on Mobile Shopping Apps.”

The CFPB was formed in July 2011, following the passage of the Dodd-Frank Wall Street Reform and Consumer Protection Act, as an independent regulatory agency responsible for consumer protection in the financial sector. With this focus on consumer protection, the FTC shares philosophical ideals with the CFPB, yet, the FTC has no jurisdiction over the banks, credit unions, securities firms, and other financial institutions under the purview of the CFPB. Thus, while this FTC staff comment is merely advisory to the CFPB, it offers a good primer on the FTC’s current thinking on mobile apps in general, and signals its own enforcement and regulatory priorities in the space.

Continue Reading

National Highway Traffic Safety Administration Considers Privacy Implications for New Vehicle-to-Vehicle Technology

Posted in Privacy

The Department of Transportation’s National Highway Traffic Safety Administration (“NHTSA”) announced in 2014 that it would begin steps toward implementing vehicle-to-vehicle (“V2V”) technology with an aim toward decreasing the number of traffic accidents on the nation’s roads.  V2V technology allows communication between cars on the road to alert drivers of potential accident situations.  However, with the new V2V technology come additional privacy concerns.  In August, the NHTSA released an advanced notice of proposed rulemaking for V2V technology.  In addition to key findings on privacy and security, the report included findings on the technical feasibility, and estimates of costs and safety benefits. The following is a review of the NHTSA’s key privacy findings for the V2V system.

The NHTSA report began with an emphasis that the V2V system:

  1. Would not collect or store data on individuals or individual vehicles, nor would it allow the government to do so;
  2. Would not contain data in safety messages exchanged between vehicles or collected by the V2V security system that could be used by law enforcement or private entities to personally identify speeding or erratic drivers;
  3. Would not permit tracking through space or time of vehicles linked to specific owners, drivers, or persons;
  4. Would not collect financial information, personal communications, or other information linked to individuals; and
  5. Would not provide access to the vehicle for extraction of data.

Continue Reading

BakerHostetler’s Privacy and Data Protection Team News and Upcoming Events

Posted in Events

Below is a list of upcoming speaking engagements of the members of our Privacy and Data Protection team. We hope you will be able to join us at a future event.

October 3:

Los Angeles partner Tanya Forsheit will speak on “#privacy” at the Valley Industry & Commerce Association (VICA) Business Forecast Conference in Burbank, California. More information.

October 7:

New York partner Ted Kobus will speak on “Data Breach Risk: Preventing and Mitigating the Exposure” at a complimentary conference sponsored by Marsh & McLennan. More information.

October 8:

Cincinnati partner Craig Hoffman will speak on “Advice from the Trenches: Preparing for the Challenges and Pressures of a Security Incident Investigation” at the 2014 Mandiant Incident Response Conference (MIRcon) in Washington, D.C. More information.

Continue Reading

California’s Latest Amendments to Its Data Security Breach Notification Law – Much Ado about Nothing?

Posted in Data Breaches, Privacy

Editor’s Note: The authors would like to thank Jaysen Borja for his contributions to this post.

On September 30, 2014, California Governor, Jerry Brown, signed Assembly Bill 1710 into law, amending California’s existing personal information privacy laws.  A.B. 1710 makes several changes to existing laws including: (1) the requirement that businesses that “maintain” personal information about California residents implement and maintain reasonable security measures to protect residents’ personal information; (2) the prohibition of the sale, advertisement, or offer to sell an individual’s social security number (“SSN”); and (3) certain requirements related to identity theft prevention and mitigation services in the event that an organization offered such remediation services to affected residents in connection with a data security breach.

As we explain below, the flurry of split opinions that emerged in the immediate wake of the signing of A.B. 1710 into law speaks volumes about the continuing problem of having 47 state data breach notification laws with ambiguous and inconsistent requirements. Further, at the end of the day, the substantive requirements of A.B. 1710 in its final form may not require anything beyond what most organizations already do as a matter of best practice and in accordance with state regulator expectations. Continue Reading

California Continues to Regulate Privacy and Advertising to Minors in New Law Regulating School-related Online Services

Posted in Cybersecurity, Education, Enforcement

On September 29, 2014, California Governor Jerry Brown signed SB 1177 into law, effective Jan 1, 2015.  See Governor Brown Issues Legislative Update.  The new privacy and advertising regulation goes beyond FERPA, the federal student privacy law, and existing state student privacy laws that govern schools and requires them to obtain privacy protections for student personal information from their vendors.  It also follows a trend to treat unique identifiers, such as IP address and device identifiers, as personal information.

SB 1177 applies privacy obligations directly to educational software and online services publishers, however, the scope of coverage of the final law is less comprehensive than initially proposed.  As originally introduced, SB 1177 would have applied prohibitions on collection, use and sharing of student personal information for purposes not necessary for core service operations, such as for promoting sales of add-on services or other products or services, to any service that was intended for K – 12 educational purposes, even if not licensed, mandated or promoted by schools or teachers, and it would prohibit any form of on-service advertising on services intended for K-12 educational purposes.  The final law only applies to operators “with actual knowledge that the site, service or application is used primarily for K-12 school purposes and was designed and marketed for K-12 school purposes.”  “K-12 school purposes” is defined now as “purposes that customarily take place at the direction of the K-12 school teacher, or school district, or aid in the administration of school activities, including without limitation, but not limited to, instruction in the class room or at home, administrative activities, and collaboration between students, school personnel, or parent, or are for the benefit of the school.”  The final law also permits some on-service, non-targeted advertising, but bans behavioral or targeted advertising on the covered services, or use of data collected on-service to target or retarget ads to parents or students on other sites or services.  Accordingly, the new law covers a smaller universe of educational services than originally proposed, permitting commercial services intended to be independent of schools to maintain a commercial business model that includes up-sale messaging and targeted and retargeted advertising, although the federal COPPA law prohibits behavioral or targeted advertising on sites for children under 13 or otherwise knowingly targeted to children under 13.  The final law also allows covered services to share student personal information in certain instances such as in connection with the sale of their business, to comply with legal process or to protect user safety.  While for services that are licensed to schools, or designed and marketed for schools to require or encourage, the new law applies new privacy and advertising restrictions that will need to be understood and complied with. Those licensed to schools are already under somewhat similar restrictions by contractual obligations schools are mandated to require under existing laws.  The new regulated category covers services that may not be formerly licensed to schools, but are designed and marketed for schools to use.  Also, notably, under the new California law there is no consent exception to the restrictions. Continue Reading

All Native Advertising is Not Equal: Why that Matters Under the First Amendment and Why it Should Matter to the FTC – Part V

Posted in Behavioral Advertising

In this five part series, originally published in the Summer 2014 edition of the Media Law Resource Center Bulletin,[1] we take an in-depth look at the native advertising phenomenon and the legal issues surrounding the practice.  After canvassing the many faces of native advertising and the applicable law, the series ultimately examines the pervasive assumption that all native advertising is, and should be regulated as, “commercial speech.”  This assumption presumes that all native advertising is equal under the eyes of the law, and we come to the conclusion that it probably isn’t. Native advertising that is closer to pure content than pure commercial speech may deserve greater or even full First Amendment protection, which would carry significant implications for government regulation[2].

Part 1: Introduction to Native Advertising

Part 2: Early Native Advertising and the Current FTC Regulatory Landscape

Part 3: Evolution of the Commercial Speech Doctrine

Part 4: Distinguishing Commercial versus Non-Commercial Speech

Part 5 applies the commercial speech doctrine to native advertising and asks whether certain forms of native may be protected by the First Amendment.

—PART V—

Not all Native Advertising May Be Commercial Speech under the First Amendment

If there is one thing clear from the case law, it is that the commercial speech analysis under the First Amendment is a fact intensive one that does not clearly lend itself to bright lines, especially when dealing with mixed commercial and noncommercial speech. Native advertising also does not lend itself to a single categorization as it can take a number of forms. See Part I.A., supra. As discussed below, the appropriate level of First Amendment protection for native advertising as commercial or noncommercial speech should turn on the nature of the communication as opposed to a catch-all net. [3]

Continue Reading

All Native Advertising is Not Equal: Why that Matters Under the First Amendment and Why it Should Matter to the FTC – Part IV

Posted in Behavioral Advertising

In this five part series, originally published in the Summer 2014 edition of the Media Law Resource Center Bulletin,[1] we take an in-depth look at the native advertising phenomenon and the legal issues surrounding the practice.  After canvassing the many faces of native advertising and the applicable law, the series ultimately examines the pervasive assumption that all native advertising is, and should be regulated as, “commercial speech.”  This assumption presumes that all native advertising is equal under the eyes of the law, and we come to the conclusion that it probably isn’t. Native advertising that is closer to pure content than pure commercial speech may deserve greater or even full First Amendment protection, which would carry significant implications for government regulation[2].

Part 1: Introduction to Native Advertising

Part 2: Early Native Advertising and the Current FTC Regulatory Landscape

Part 3: Evolution of the Commercial Speech Doctrine

Part 4 below examines the important legal distinction between “Commercial Speech” and “Non-Commercial / Inextricably Intertwined Speech” 

—PART IV—

Commercial and Noncommercial Inextricably Intertwined Speech

The Bolger court found that the mailings constituted commercial speech “notwithstanding the fact that [informational pamphlets] contain[ed] discussions of important public issues.”[3] Advertising that “links a product to a current public debate” is not automatically transformed into constitutionally protected noncommercial speech.[4] This is because “a company has the full panoply of protections available to its direct comments on public issues, so there is no reason for providing similar constitutional protection when such statements are made in the context of commercial transactions.”[5] And in that circumstance, “advertisers should not be permitted to immunize false or misleading product information from government regulation simply by including references to public issues.”[6] Continue Reading

Are you—or someone you love—a content hoarder?

Posted in Information Governance

Hoarding is defined clinically as embodying “a persistent difficulty discarding or parting with possessions because of a perceived need to save them.” That accumulation occurs regardless of the actual value associated with the possessions, and often stands in stark contrast to what an outsider or “normal” person’s perception.

The idea of accumulating vast quantities of useless things is so atypical—and so gut-wrenchingly abhorrent to most Americans—that it spawned its own cottage industry, where A&E bankrolled six seasons of “Hoarders,” and Discovery Health provides inside looks into the issue with its “Buried Alive” series. But part of the true impact of the show is the viewers’ self-reflections, whether those are, “at least my collections don’t function in the same way,” “at least I’m not hurting anyone with my habits,” and the ever popular, “why can’t those people just see how worthless that stuff is?”

Self-reflection is a powerful tool, but ingrained habits are difficult to appraise honestly, and even more difficult to address. And, ironically, people who would never dream of collecting Tupperware bowls, used wrapping paper, or soiled Beanie Babies™ fail to acknowledge those exact same tendencies when it comes to hoarding electronically stored information (“ESI”).

Continue Reading