Automotive Industry Organization Releases Recommended Cybersecurity Best Practices

Auto-ISAC is not alone in its efforts to address the potential cybersecurity risks posed by connected vehicles. As we have previously discussed, in 2015 legislators introduced the SPY Car Act, which would require automakers to meet certain vehicle data security standards to combat potential hacking threats. The U.S. Department of Transportation (DOT) notes that it has been researching and testing vehicle communications for over a decade. In addition, through the Intelligent Transportation Systems Joint Program Office, the DOT funded almost $25 million in cybersecurity research between 2012 and 2014. The National Highway Traffic Safety Administration (NHTSA) has also published information describing its comprehensive approach to vehicle cybersecurity.

The Best Practices continue these efforts by promoting a self-regulation framework within the industry for vehicle cybersecurity. The Best Practices outlined by Auto-ISAC include:

Privacy Shield to Open for Business August 1

After more than two years of negotiations, on July 12, 2016, the European Commission formally adopted the EU-U.S. Privacy Shield (the “Privacy Shield”) framework as a valid mechanism for transfers of personal data from the EU to the U.S. Touting the Privacy Shield as “a robust new system to protect the personal data of Europeans and ensure legal certainty for businesses,” the European Commission released an Adequacy Decision, along with accompanying Annexes, concluding that “the United States ensures an adequate level of protection for personal data transferred under the EU-U.S. Privacy Shield from the Union to self-certified organisations in the United States.”

Business Associates in the Crosshairs: Catholic Health Care Services Settles for $650,000 for Failure to Safeguard PHI

Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) recently agreed to enter into a $650,000 resolution agreement and a two-year corrective action plan (CAP) with the Office for Civil Rights (OCR). CHCS provides management and information technology services as a business associate to six nursing homes. The OCR settlement follows a finding that CHCS violated the HIPAA Security Rule, which requires business associates to conduct enterprise-wide security risk analyses and to prepare corresponding risk management plans.

OCR initiated its investigation upon notification by CHCS of the theft of an employee’s unencrypted company iPhone containing Social Security numbers, diagnosis and treatment information, medications, and names of family members and legal guardians. This resulted in separate notifications from each of the six nursing homes regarding a breach of e-PHI, which, according to OCR, affected some 412 individuals.

$90 Million Cyber Thefts From Banks Using SWIFT Network Raise Security Issues

In February 2016, attackers stole $81 million from the Bangladesh central bank’s account at the New York Federal Reserve Bank by hacking into the Bangladesh bank’s computer network and sending fraudulent messages through the Society for Worldwide Interbank Financial Telecommunication (SWIFT) payment network. In January 2015, attackers netted $9 million in funds from an Ecuadorian bank through fraudulent SWIFT messages. Information about the attacks and documents from a lawsuit related to the theft from the Ecuadorian bank reveal the challenging data security issues banks face when they use the SWIFT network.

How SWIFT operates. SWIFT, founded in 1973,[1] is a cooperative owned by 3,000 financial institutions from around the world.[2] SWIFT’s message platform is used by more than 11,000 banks[3] in 200 countries.[4] Those banks sent approximately 25 million SWIFT messages per day in April 2016.[5] To use the SWIFT network, a person or business that wants to transfer funds internationally, referred to as the “sender,” asks an “originator bank” to send a SWIFT message to a bank in another country directing the “receiving bank” to pay funds to a “beneficiary bank” for the account of the person or entity to receive the funds, the “beneficiary.”[6] Each bank using the SWIFT network is assigned an eight-character identification code, and a SWIFT message can be sent only from a SWIFT terminal at the originator bank; the SWIFT terminal authenticates to the SWIFT network using smart-card technology.[7] Receiving banks verify that each payment message contains the originator bank’s code and was sent from the originator bank’s SWIFT terminal.[8]

Mobile Ad Co Settles with FTC Over Allegations of Deceptive Geolocation Tracking And Children’s Privacy Violations for $4 Million

On June 22, 2016, mobile advertising company InMobi Private Ltd. settled Federal Trade Commission (“FTC” or “Commission”) claims of violations of Section 5 of the FTC Act and the Children’s Online Privacy Protection Act and Rule (COPPA) for $4 million. The COPPA violations supported the monetary penalty because, unlike Section 5, COPPA provides for civil penalties. However, there are lessons here for the mobile app industry beyond the fact that geolocation services for children require verified parental consent. This action also reinforces the FTC’s position that device location information is sensitive and thus justifies heightened consumer notice and choice, and that providing notice of an opt-out method that is not completely effective can be a deceptive practice if the limitations are not clearly explained — a common mistake we see clients making.

The Commission’s Allegations and InMobi’s Settlement

InMobi is ranked among the top 10 mobile advertising companies in the world, said to reach over one billion unique mobile devices, of which 19 percent are located in North America. InMobi’s advertising platform allows app developers/publishers to serve third-party ads within their apps. The ads can be customized for app users based on physical location as determined by checking device geolocation, including location history over a period of up to two months.

Privacy Shield Developments and UK Data Transfers Post-Brexit

With the UK’s Brexit referendum dominating the news out of Europe over the past week, it may have been easy to miss a key development in the continuing Privacy Shield negotiations. On Friday, June 24, news outlets reported that U.S. regulators and the European Commission had agreed on a finalized version of the Privacy Shield, a proposed “replacement” for the Safe Harbor framework that was invalidated last October. The revised draft is said to address concerns voiced by the European Parliament, the Article 29 Working Party, and the European Data Protection Supervisor in recent months.

The latest draft of the Privacy Shield, which the European Commission sent to EU Member States for review, has not yet been made public, but reports have sketched out the following updates:

  • Bulk data collection: The U.S. has provided further details on its bulk data collection practices, specifying the preconditions for “targeted and focused” personal data collection and safeguards for how the data may be used.
  • U.S. Ombudsperson: The Privacy Shield calls for the appointment of a U.S. Ombudsperson to address complaints regarding the U.S. government’s use of EU citizens’ personal data. The revised draft specifies that this Ombudsperson will be independent from U.S. national security services.
  • Data retention: The revised draft includes more explicit data retention restraints, requiring that personal data be deleted when it no longer serves the purpose for which it was collected.

The revised draft is now in the hands of the Article 31 Working Party (WP31) – a group composed of EU Member State representatives with veto power – which is expected to hold a vote in early July. The WP31 was unable to reach an agreement on the adequacy of the Privacy Shield during its meeting on May 19. If the WP31 approves the European Commission’s revised Privacy Shield, it would then need to be formally adopted by the European Commission’s College of Commissioners. With alternative data transfer mechanisms under continued scrutiny, the fate of the Privacy Shield is of great interest to U.S. companies seeking to lawfully transfer personal data from the EU.

Deeper Dive: When it Comes to Data Breaches, Size Matters

As part of our ongoing series analyzing the 2016 BakerHostetler Data Security Incident Response Report, this article takes a closer look at the factors that play a role in whether an entity will face a regulatory investigation or litigation as a result of a data breach. As the title suggests, the size of the breach is a key factor.

Of all the potential ramifications of a data breach, none causes a greater level of stress than the possibility of a regulatory investigation or class action lawsuit. They are time consuming, disruptive to business operations, and can result in significant financial liability in the form of fines, assessments and damages. And yet, not every data breach results in an investigation or litigation. To understand which ones do, we analyzed a multitude of factors from over 300 incidents that occurred in 2015, including the nature of the breach, the client’s size and industry, how and when the breach was discovered, the type of information affected, and how the breach occurred. In the end, the number of affected individuals was the strongest indicator of whether a regulatory investigation or litigation would occur.

Court of Appeals Upholds FCC’s Net Neutrality Rules and Regulatory Authority

On June 14, 2016, the D.C. Circuit Court of Appeals ruled 2-1 in favor of the Federal Communications Commission’s (FCC) net neutrality rules, which the commission approved on February 26, 2015 (published March 12, 2015). The rules reclassified broadband internet access service (BIAS) as a telecommunications service under Title II of the Communications Act, affording the FCC greater regulatory authority over Internet Service Providers (ISPs), or BIAS providers. In response to the reclassification, the United States Telecom Association, a trade group representing various telecom giants, joined by other companies and groups, filed a Protective Petition for Review of the FCC’s net neutrality rules. The D.C. Circuit rejected the petition, siding with the FCC’s position on a number of the issues raised, including the following:

Balancing Innovation With Privacy Concerns: The FTC Provides Comment on the Internet of Things

On June 3, 2016, the Federal Trade Commission (FTC) responded to a Request for Comments issued by the Department of Commerce, National Telecommunications and Information Administration (NTIA) regarding the Internet of Things (IoT). The NTIA, which issued its Request for Comments on April 5, 2016, stated that it will use commentary to expand on its “broader agenda promoting economic growth and opportunity to help develop an approach that will foster IoT innovation.”

The FTC has consistently taken an active role in setting forth a framework for the protection of consumer privacy and in bringing enforcement actions against companies that it alleges have failed to protect consumer privacy rights. In January 2016, the FTC announced that it had brought nearly 60 enforcement actions related to consumer data privacy and security since 2002. During that time, the FTC also issued preliminary comments, followed by its final report on best practices for businesses to protect consumer privacy. The recently filed Comment provides additional detail on its previous recommendations regarding mobile device privacy, and continues to reflect ever-increasing consumer concerns about online privacy.

German Data Protection Authority Issues Fines for Unlawful Cross-Atlantic Data Transfers

The Data Protection Authority of Hamburg, Germany has made good on its promise to audit cross-Atlantic data transfers in the wake of the October 2015 Safe Harbor decision. On June 6, the Hamburg DPA announced that it had fined three companies for unlawful transfers of personal data from the EU to the United States. According to the press release, over the past few months the Hamburg DPA has reviewed the data transfers of 35 multinational organizations to verify compliance with European data protection laws. The Court of Justice of the European Union’s decision invalidating the Safe Harbor framework expressly empowered European DPAs to undertake such reviews, but did not invalidate alternative data transfer methods such as standard contractual clauses (SCCs) and binding corporate rules (BCRs).