FCC Wades Back Into Data Privacy and Security for ISPs With Revised Privacy Proposal

Recently, Federal Communications Commission (FCC or Commission) Chairman Tom Wheeler circulated to the Commission a revised proposed order to regulate the data privacy and security practices of internet service providers (ISPs) (also known by the Commission as broadband internet access service (BIAS) providers). We previously wrote about the Commission’s initial proposal in this regard (available here), which was criticized by the industry and even the Federal Trade Commission (FTC) as inconsistent with the data privacy standards applicable to the rest of the internet (e.g., social media platforms, search engines, etc.). Based on a fact sheet issued by Chairman Wheeler’s office (available here), the revised proposal, which is set to be voted on by the full Commission on Oct. 27, 2016, strives to be more consistent with the FTC approach to privacy and data security, but with special considerations for the telecom industry. The fact sheet previews the revised approach, including requirements for:

  • Clear notification regarding the collection, use and sharing of consumer information, including persistent notice in an online privacy policy.
  • Opt-in consent for any use or sharing of sensitive information, which the proposal defines as including geo-location, children’s information, health information, financial information, Social Security numbers, Web browsing history, app usage history and content of communications – a more expansive definition of sensitive data than under the historical FTC approach, at least so far as usage data is concerned (which will affect the ability to engage in interest-based advertising).
  • An opt-out for use and sharing of nonsensitive information.
  • Strong protections for use and sharing of de-identified information.
  • Prohibition of “take-it-or-leave-it” offers requiring consent to data sharing and use that are not necessary to provide the service, as a condition of obtaining the service.
  • Heightened notice requirements for discounts and other incentives in exchange for consumers’ express affirmative consent to the use and sharing of their personal information to the extent not necessary to operate the service, and restrictions on pricing services for those who do not consent, because “[c]onsumers should not be forced to choose between inflated prices and maintaining their privacy.”


New York Department of Financial Services Proposes First Rule of Its Kind for Financial Institutions

In November, we reported on a proposal by the New York Department of Financial Services (NYDFS) for an extensive cybersecurity framework for its regulated financial institutions. Recently, Governor Cuomo announced a proposed rule requiring banks, insurance companies and other financial services institutions regulated by the NYDFS to establish and maintain a strong cybersecurity program. These regulations include several key requirements for these entities, including:

  • Establishment of a cybersecurity program. Institutions would be required to implement policies and procedures to protect against unauthorized use and access to sensitive information. The program should also focus on responsiveness to these incidents and recovery and restoration of business operations.
  • Adoption of a cybersecurity policy. The policies and procedures must address several key areas, including information security, data classification and governance, access controls, customer data privacy, risk assessments and incident response.
  • Designation of a Chief Information Security Officer (CISO). The CISO would be responsible for oversight and implementation of the cybersecurity program and enforcement of cybersecurity policy.
  • Third-party service provider oversight. The entity must have policies and procedures ensuring the security of information handled by third parties, including minimum standard cybersecurity practices and periodic assessments of the third-party service provider.

Other key requirements of the proposed rule include annual penetration testing; timely destruction of private information, except where necessary; monitoring of authorized users; encryption of nonpublic information in transit and at rest; and a written incident response plan for cybersecurity incidents affecting the confidentiality, integrity or availability of information systems. In addition, regulated entities will be required to provide a yearly report to the NYDFS certifying compliance with the cybersecurity regulations.

Former SEC Commissioner Louis A. Aguilar Describes Corporate Directors’ Cybersecurity Duties

When Louis A. Aguilar was a commissioner at the Securities and Exchange Commission, he helped organize the SEC’s March 2014 roundtable to discuss the cyber risks facing public companies. The numerous data breaches that have occurred at public companies, from Target to Yahoo and many more, show that public companies have not yet succeeded in managing cyber risks.

On Sept. 22, 2016, Mr. Aguilar presented his current views in a talk titled “The Role of the Boards of Directors and CISOs in Overseeing Cyber-Risks” at the Security Alliance Advisors’ Annual Leadership Summit. A copy of Mr. Aguilar’s presentation is available here. His remarks provide useful guidance to board members and company managers about how to better manage cyber risks.

Mr. Aguilar points out that boards have long managed many types of risks, including credit risk, liquidity risk and operational risk. Cyber risk must become one of the risks that boards manage successfully.

Tales from the Trenches: Lessons Learned from the Ashley Madison Data Breach

In July 2015, the online cheating website Ashley Madison was hacked and data pertaining to its 37 million users were published online. The story made headlines given the sensitive nature of the information exposed, the number of people affected and the sensational details of the hack, which included allegations of fraud, blackmail and extortion. The media outed several politicians and celebrities as paying customers, while some websites indexed the breached data, allowing people to search for email addresses to see if their spouses or significant others had accounts. Between lawsuits, resignations, suicides and countless stories of extortion and divorce, the fallout from the breach has been immense. Nearly one year later, a joint investigation by the Privacy Commissioner of Canada and the Australian Privacy Commissioner (collectively, “the Commission”) has issued a scathing report that provides remarkable insight into the breach and what qualifies as an appropriate information security framework.

Both the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) and the Australian Privacy Act (APA) require organizations to protect personal information using appropriate physical, technical and organizational safeguards. However, neither act outlines the specific safeguards that must be in place, instead relying on industry guidelines or widely accepted practices. That is what makes this Joint Report so interesting. Here, the Commission found significant deficiencies with Ashley Madison’s security framework and described in detail the information security practices it found lacking.

Latest Data Breach Settlement Illustrates Need for Companies to Prioritize Cybersecurity

On Aug. 5, 2016, the New York attorney general, Eric Schneiderman, announced a $100,000 settlement with an e-retailer following an investigation of a data breach that resulted in the potential exposure of more than 25,000 credit card numbers and other personal information.

According to the investigation, on Aug. 7, 2014, in an all-too-common scenario, an attacker infiltrated the e-retailer’s website. Nearly one year later, the e-retailer’s merchant bank notified it that fraudulent charges were appearing on customers’ credit card accounts. The e-retailer then hired a cybersecurity firm to conduct a forensic investigation, and the malware was discovered and removed from the e-retailer’s website.

The e-retailer, however, failed to take the next step, which should have been notification to affected customers. According to the attorney general’s office, the e-retailer never provided notice to its customers or law enforcement about the breach, in violation of New York General Business Law (GBL) § 899-aa, which requires that notice be provided to affected individuals and various government agencies in the most expedient time possible and without unreasonable delay.

A Closer Look at the OCR’s Guidance on Ransomware

In the wake of several high-profile ransomware infections targeting hospitals and health care organizations, the Department of Health and Human Services Office for Civil Rights (OCR) has issued guidance on the growing threat of ransomware.

Ransomware is a type of malware that denies access to systems and data. It uses strong cryptography to encrypt files to prevent access without a decryption key. To receive the decryption key and restore access, the entity must pay a ransom, typically in the form of a cryptocurrency such as Bitcoin. While this type of malware has been around for years, it has recently made headlines in the healthcare industry, most notably after Hollywood Presbyterian Medical Center was forced to use pen and paper when its computer systems were held hostage by ransomware back in February. Like an infectious disease, ransomware has spread throughout the healthcare industry, causing havoc and potentially jeopardizing patient care.

Given the publicity and the potential for harm, it should come as no surprise that the OCR has issued guidance in this area. As the regulatory agency that enforces HIPAA, when the OCR speaks, healthcare organizations should take heed.

OCR to Increase Efforts to Investigate Breaches Affecting Fewer Than 500 Individuals

The Department of Health and Human Services Office for Civil Rights (OCR) is the federal agency tasked with investigating data breaches involving protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA).

The mere mention of an OCR investigation can strike fear into the hearts of HIPAA privacy officers and health care executives everywhere. Data breaches have been occurring with disturbingly high frequency in the health care industry. If a covered entity experiences a data breach involving more than 500 affected individuals, a regulatory investigation by the OCR is virtually guaranteed.

On August 18, 2016, the OCR announced that it was increasing efforts to investigate smaller breaches, such as those involving fewer than 500 individuals. While the OCR has always had the authority to investigate smaller breaches, it has traditionally done so only when it had resources to spare. This new initiative announced by the OCR represents a concerted effort to investigate the root causes of breaches affecting fewer than 500 individuals.

Even with this new initiative, the OCR is unlikely to investigate every breach; there are simply too many to handle. Instead, each regional office will prioritize its investigations based on:

  • The size of the breach;
  • Whether it involves the theft of or improper disposal of unencrypted PHI;
  • Whether it involves unwanted intrusions to IT systems (for example, by hacking);
  • The amount, nature and sensitivity of the PHI involved; or
  • Instances where numerous breach reports from a particular covered entity or business associate raise similar issues.

The key takeaway from this announcement by the OCR is to treat every breach as if it will result in an OCR investigation. Do not become complacent, especially when dealing with smaller or routine incidents, because you never know when the OCR will come knocking.

Unanimous FTC Finds LabMD’s Data Security Practices Violated Section 5 of the FTC Act

On July 29, 2016, a unanimous Federal Trade Commission (“FTC” or “Commission”) issued its Opinion and Final Order reversing the decision of an administrative law judge (“ALJ”) and holding that LabMD engaged in “unfair” practices in violation of Section 5 of the FTC Act because it failed to provide reasonable and appropriate security for personal information stored on its computer network. The FTC’s conclusion is significant because companies may face enforcement action for inadequate data security in connection with incidents in which there is no evidence that consumer information was accessed by unauthorized persons who likely intended to misuse the information.

As we previously reported, the FTC first began investigating LabMD’s data security practices in 2010, when Tiversa Holding Company, a cybersecurity consulting firm, informed the FTC that sensitive personal information held by LabMD may have been publicly disclosed on a peer-to-peer (“P2P”) file-sharing network. On Aug. 28, 2013, the FTC brought the administrative action against LabMD under Section 5 of the FTC Act, alleging, in part, that LabMD failed to provide reasonable and appropriate data security for personal information stored on its computer network and that its failure caused or was likely to cause substantial consumer injury, including identity theft, medical identity theft, and the disclosure of sensitive, private medical information. Section 5(n) of the FTC Act prohibits unfair acts or practices if: (1) the act or practice causes or is likely to cause substantial injury to consumers, (2) which is not reasonably avoidable by consumers themselves, and (3) not outweighed by countervailing benefits to consumers or to competition.

On Nov. 13, 2015, the ALJ concluded that the FTC failed to prove the substantial injury prong of the three-part test, holding that “[t]o impose liability for unfair conduct … , where there is no proof of actual injury to any consumer, based only on an unspecified and theoretical ‘risk’ of a future data breach and identity theft injury, would require unacceptable speculation and would vitiate the statutory requirement of ‘likely’ substantial consumer injury.” Counsel for the FTC appealed to the full Commission.

Automotive Industry Organization Releases Recommended Cybersecurity Best Practices

Auto-ISAC is not alone in its efforts to address potential cybersecurity risks posed by connected vehicles. As we have previously discussed, in 2015 legislators introduced the SPY Car Act, which would require automakers to meet certain vehicle data security standards to combat potential hacking threats. The U.S. Department of Transportation (DOT) notes that it has been researching and testing vehicle communications for over a decade. In addition, through the Intelligent Transportation Systems Joint Program Office, the DOT has worked to fund almost $25 million in cybersecurity research between 2012 and 2014. The National Highway Traffic Safety Administration (NHTSA) has also published information relating to its comprehensive approach to vehicle cybersecurity.

The Best Practices continue these efforts by promoting a self-regulation framework within the industry for vehicle cybersecurity. The Best Practices outlined by Auto-ISAC include:

Privacy Shield to Open for Business August 1

After more than two years of negotiations, on July 12, 2016, the European Commission formally adopted the EU-U.S. Privacy Shield (the “Privacy Shield”) framework as a valid mechanism for transfers of personal data from the EU to the U.S. Touting the Privacy Shield as “a robust new system to protect the personal data of Europeans and ensure legal certainty for businesses,” the European Commission released an Adequacy Decision, along with accompanying Annexes, concluding that “the United States ensures an adequate level of protection for personal data transferred under the EU-U.S. Privacy Shield from the Union to self-certified organisations in the United States.”