New Mexico passes data breach notification and protection bill

Then there were two.

On March 16, 2017, the New Mexico state legislature passed a bill requiring that New Mexico residents be notified if their “personal identifying information” was affected by a breach of electronic data. Upon signature of the bill, New Mexico will join 47 other states requiring such notification, and the only states remaining without notification laws will be Alabama and South Dakota.

The New Mexico law is similar to many other state data breach notification laws. Here are some of the bill’s particulars.

Unexpected Consumer Data Collection Concerns FTC

The Federal Trade Commission (FTC) has been turning its attention to consumer data collection and use that consumers may not expect, such as tracking of TV viewing by smart TVs, and use of cross-device technologies and techniques to try to associate users and households with multiple devices (e.g., TVs, mobile phones, tablets, computers, and other Internet-connected devices). We recently blogged about the FTC’s settlement with Vizio regarding its collection of TV viewing data and selling of that information to advertisers and others. Now, the FTC staff has issued a report recommending transparency and choice regarding cross-device tracking and targeting.

Australia’s New Breach Notification Law Set to Take Effect February 2018

On February 13, 2017, the Australian Senate passed a bill establishing a mandatory requirement to notify the Privacy Commissioner and affected individuals of “eligible” data breaches. The Privacy Amendment (Notifiable Data Breaches) Act 2016, which was passed by the House of Representatives the previous week, amends Australia’s Privacy Act 1988 and is slated to take effect on February 22, 2018 if no earlier date is proclaimed.

The new law introduces a data breach notification scheme that obligates all agencies and businesses that are regulated by the Privacy Act to provide notice to the Office of the Australian Information Commissioner (OAIC) and affected individuals of certain data breaches that are “likely” to result in “serious harm.”

An explanatory memorandum accompanying the law indicates that “serious harm” is “likely” if it is more probable than not, and lists factors to consider when making the determination, such as the sensitivity of the information involved, whether the information was protected, who may have obtained the information, and the nature of the harm that could result. Although “serious harm” is not defined, the explanatory memorandum states that serious physical, psychological, emotional, economic, reputational or financial harm may qualify, as well as other types of serious harm that reasonably could result from the breach.

FCC Broadband Privacy Rule On Hold, Likely Dead

The new Federal Communications Commission (FCC) Privacy and Data Security Rule for broadband internet access service (BIAS) providers (Privacy Rule) was set to start phased implementation on March 2, 2017. We have previously detailed what the Privacy Rule would require and when in prior blog posts. However, on March 1, 2017, the new Republican majority issued a temporary stay of the Privacy Rule, in a joint statement from Acting Federal Trade Commission (FTC) Chairwoman Maureen K. Ohlhausen and FCC Chairman Ajit Pai.

This Privacy Rule stemmed from the FCC’s 2015 Open Internet Order, which may also be subject to revision under the new administration. The FCC’s Open Internet Order applied Section 222 of the federal Communications Act to BIAS providers for the first time. This order gave the FCC jurisdiction over BIAS providers such as internet service providers (ISPs), but the FCC declined requests to take jurisdiction over edge networks (online service providers that do not offer internet access but offer services that look like a communications provider, such as Facebook, Google and Yahoo). As a result, the FCC took jurisdiction over the BIAS industry – which had previously been regulated by the FTC – on matters of privacy and data security, among other things. This essentially split the internet industry between the two regulators.

FTC’s $2.2m Smart TV Settlement Signals Continued IoT Enforcement Focus

On February 6, 2017, the Federal Trade Commission announced that it had settled charges against VIZIO, Inc., a consumer electronics manufacturer of Internet-connected televisions. The FTC alleged that VIZIO unfairly tracked sensitive TV viewing data of millions of American consumers, and deceptively failed to disclose how the collected data was being used. This action was announced just a month after the FTC filed a complaint against the maker of various IoT devices, such as networked routers and IP cameras, which the FTC alleges suffer from security vulnerabilities that threaten consumer privacy.

This marks the first time consumer television viewing data has been brought within the FTC’s definition of “sensitive” information and emphasizes that companies should provide clear, comprehensive disclosures regarding data collection, use and sharing, especially when such practices may be unexpected.

Finalized New York Department of Financial Services Cybersecurity Regulation to Take Effect March 1

On February 16, 2017, the New York Department of Financial Services (NYDFS) announced the release of its finalized Cybersecurity Requirements for Financial Services Companies (“Cybersecurity Regulation”), which will take effect on March 1, 2017. This final iteration, issued following an additional 30-day comment period, is in large part the same as the revised version dated December 28, 2016, which we reported on in early January. Although most of the edits focused on relatively inconsequential wordsmithing, a few material changes were made, including the following:

  • Section 500.06(b) reduces the records retention requirement for audit trails designed to detect Cybersecurity Events (down to three years from five years).
  • Section 500.19(a)(1) specifies that the limited exemption for Covered Entities with fewer than 10 employees relates to employees that are “located in New York or responsible for business of the Covered Entity.”
  • Section 500.19(a)(2) clarifies that the limited exemption for Covered Entities that have less than $5 million in gross annual revenue in each of the last three fiscal years relates to revenue “from New York business operations.”
  • Section 500.19(f) exempts charitable annuity societies (subject to Insurance Law Section 1110), risk retention groups not chartered in New York (subject to Insurance Law Section 5904), and any accredited reinsurer or certified reinsurer pursuant to 11 NYCRR 125 – provided that these organizations do not otherwise qualify as a Covered Entity.

The Cybersecurity Regulation likely will have implications far beyond New York and the Covered Entities that are directly subject to the NYDFS’s enforcement authority. Given the significant number of financial institutions that will be required to comply, other regulators, clients, customers and counterparties may begin to view these new requirements as a baseline standard for cybersecurity in the financial industry.

Will the proposed “Countering Russian Hostilities Act” stop Russian cyberattacks?

On Jan. 10, 2017, a bipartisan group of five Republican and five Democratic senators announced their support for the Countering Russian Hostilities Act of 2017. Lindsey Graham, one of the senators who announced the proposed legislation, told The Wall Street Journal that he is confident the bill will get overwhelming support.[1] One reporter agreed, stating the bill “has a good chance of being passed in the Senate.”[2]

Title I of the Countering Russian Hostilities Act would codify the sanctions imposed by President Barack Obama in the April 1, 2015, Executive Order 13694, as amended on Dec. 28, 2016. Title II of the legislation would codify sanctions imposed on Russia in response to its annexation of Crimea, its occupation of South Ossetia and Abkhazia, its invasion of Ukraine, and its actions in Syria.

Obama promulgated Executive Order 13694 in response to hacking by Chinese state-supported groups against U.S. government agencies and private businesses.[3] The executive order directed the secretary of the Treasury, in consultation with the attorney general and the secretary of state, to take actions against individuals and organizations that engaged in cyber-enabled activities originating from persons located outside the United States that were likely to result in or contribute to a threat to the national security, foreign policy, economic health or financial stability of the United States. The authorized actions included barring such individuals from traveling to the United States and blocking the transfer of U.S.-based funds and other assets of such persons.

FINRA Seeks Comment on Blockchain

On Jan. 18, 2017, the Financial Industry Regulatory Authority (FINRA) became the latest organization to weigh in on distributed ledger technology (DLT), also known as blockchain. Recognizing the growing interest and potential benefits surrounding the implementation of DLT, FINRA published a report examining the impact of blockchain on the financial services industry.

Blockchain is essentially an online database that is stored in a distributed, peer-to-peer fashion and that employs cryptography, which ensures that only users with a unique, private key can edit the parts of the blockchain that they own while also ensuring that each user’s copy of the blockchain is kept in sync. DLT can be used to store any kind of digital information, and it serves as the foundation for the virtual currency Bitcoin. In the financial services industry, DLT has the potential to be a cost-saving, efficiency-gaining technology. By providing an immutable record of transactions and party identities, DLT could speed up transactions, cut operations costs, secure infrastructure and help prevent fraud. The emerging technology also could be adapted to carry out processes such as the clearing and settlement of securities.

Federal agencies given new breach response and preparation guidelines

The White House has made a step toward implementing in federal agencies some breach response best practices currently used in the private sector. On Jan. 3, the White House issued a memorandum (Memo) updating for the first time in almost a decade guidelines on how federal agencies should prepare for and respond to a breach of personally identifiable information. The Memo comes on the heels of a 27 percent increase (between 2013 and 2015) in the number of incidents reported by federal agencies and addresses certain “changes to laws, policies, and best practices that have emerged since the Office of Management and Budget first required agencies to develop plans to respond to a breach.”

The Memo first cites the all-too-familiar grim statistics concerning overall bad behavior in the digital privacy world. The identified bad behavior includes the familiar (e.g., identity theft and credit card fraud) and the relatively new (e.g., using stolen information to seek medical treatment and obtain prescription drugs). To address the ever-growing concern for protection in the digital world, the Memo lays out minimum agency requirements for responding to a breach, while allowing agencies to impose stricter standards at their discretion to address an agency’s particular mission and risks. As the Memo recognizes, an “effective detection and expeditious response to a breach is important to reduce the risk of harm to potentially affected individuals and to keep the public’s trust in the ability of the Federal Government…”

Swiss-U.S. Privacy Shield Framework to Launch April 12

On January 11, 2017, the U.S. Department of Commerce, the Swiss Federal Council and the Swiss Federal Data Protection and Information Commissioner (FDPIC) issued press releases announcing that an agreement has been reached on a new cross-border data transfer mechanism, the Swiss-U.S. Privacy Shield Framework (the Swiss Privacy Shield).

The Swiss Privacy Shield replaces its predecessor, the U.S.-Swiss Safe Harbor Framework, more than a year after the European Court of Justice (the “ECJ”) invalidated the U.S.-EU Safe Harbor agreement. The ECJ’s decision led the Swiss government to conclude that the analogous U.S.-Swiss Safe Harbor program no longer provided a sufficient legal basis to protect Swiss personal data being transferred to the United States.