This note is a reminder that the grandfather provision under the Massachusetts Data Security Regulations, summarized here, expires on March 1, 2012. Any applicable third party service provider contract entered into prior to March 1, 2010 must incorporate the appropriate security measures for personal information as specified in the regulations. Companies should take steps immediately to ensure that their contracts with third party service providers who maintain, receive, or access personal information of Massachusetts residents conform with the regulation’s requirements.…
The Sedona Conference® recently published the International Principles on Discovery, Disclosure & Data Protection (“International Principles”) through its Working Group 6 on International Electronic Information Management, Discovery and Disclosure. The Sedona Conference® launched Working Group 6 in 2005 to bring together the most experienced attorneys, judges, privacy and compliance officers, technology thought leaders, and academics from around the world to discuss the management, discovery, and disclosure of electronically stored information (“ESI”) involved in cross-border disputes. The publication of the International Principles comes in light of a number of U.S. court decisions over the last two years ordering the disclosure of information in U.S. litigation despite the existence of foreign privacy laws that otherwise would have prohibited such disclosure. See, e.g., EnQuip Technologies Group, Inc. v. Tycon Technoglass, S.R.L., 2010-Ohio-28, 2010 WL 53151 (Jan. 8, 2010).…
In a statement published on December 8, 2011, the Association of German Data Protection Agencies known as the “Duesseldorfer Kreis” (“DK”) issued an opinion summarizing the minimum compliance criteria for operators of social networks in Germany:
- Opt-out solutions are insufficient; all privacy settings must be on the basis of opt-in selections
- Users must have simple access to their stored personal data
- Facial recognition features require express, confirmed consent
- No tracking profiles without the informed consent of the user
- Obligation to delete data after the termination of the membership
- Social plug-ins on the websites of German operators are not compliant with data protection laws unless they are covered by informed consent and provide the opportunity for the user to prevent the data transfer
- Social networks must protect user data through implementation of suitable privacy controls; operators must be able to demonstrate that such measures were taken
- Minors require particular protection and information regarding the processing of personal data must be easily comprehensible to them
- Social networks located outside the EEA must nominate an agent in Germany who serves as the contact person for the DPAs
The opinion, however, is not limited to this rather generic list of minimum requirements. Instead, it takes the opportunity to address two of the most pressing issues which have dominated the discussion of social networks and their commitment to data privacy over the past several months.…
The Article 29 Working Party outlined its agenda for 2012 at a recent plenary meeting in Brussels. Not surprisingly, the top priority is a new legal framework for data protection. But other topics, some of interest for US data protection developments, were discussed as well.
- Revision of the EU data protection framework: To ensure that EU data protection authorities can consistently apply the EU data protection rules, the revisions to the current Data Privacy Directive will emphasize harmonization efforts to advance the cooperation and coordination between the various authorities.
- WADA: The EU has ongoing concerns related to the current legal framework and the protection of athletes’ personal information. The EU Commission, supported by the Working Party, will provide comments to the proposed revision of WADA’s World Anti-Doping Code, which is planned for 2013.
- Cooperation with the European Network and Information Security Agency (ENISA): The Working Party and ENISA share common interests with regard to data breach notifications and will intensify their cooperation.
- EU Agency for Fundamental Rights (FRA): While the discussion addressed projects of the near future such as redress mechanisms and the publication of a Handbook on European data protection case law, FRA has long been critical of Passenger Name Record (PNR) data transmissions and a cooperation with the Working Party may suggest that the use of PNR will come under scrutiny again.
Whether the newly harmonized EU data protection rules will be a curse or a blessing for US companies doing business in the EU remains to be …
In my last entry I stressed the importance of complying with the various consent requirements hidden in European data protection laws. To prove my point and to illustrate further the high standards imposed by the German Data Protection Law, a regional German DPA (the “Unabhängige Landeszentrum für Datenschutz” in Schleswig-Holstein, or “ULD”) has taken aim at Facebook’s data privacy practices by sending cease and desist letters to all website operators located in the area who incorporate the “like” button and other Facebook plugins on their pages. Operators have until the end of September to deactivate these features or face up to € 50,000 in fines.…
Any US company that receives data about individuals living in the European Union must be familiar with the basic principles of consent and data protection within the EU to avoid costly mistakes that are easily made in obtaining consent, should the validity of such consent be challenged by the EU data protection agencies. While certain exemptions may apply that allow receipt of data into the US without consent, companies need to analyze their receipt of such data in light of the new consent opinion discussed below.…
According to Javelin Strategy & Research’s 2011 Identity Fraud Survey Report, there was a 28% drop in the number of victims of identity fraud in 2010. Additionally, the number of reported data breaches dropped significantly (404 reported breaches in 2010, down from 604 in 2009). Finally, the report states that "only" 26 million records were reportedly exposed in 2010 compared to a whopping 221 million exposed in 2009. James Van Dyke, president and founder of Javelin Strategy & Research, attributed (i) increased educational efforts by business, the financial services industry, and government agencies and (ii) "[e]conomic conditions" as contributing factors in the reduction in identity fraud over the past year.
Not all metrics improved, however. The report stated that consumer out-of-pocket costs rose significantly, from $387 in 2009 to $631 in 2010. The out-of-pocket increase may be attributed to more "focused" attacks on individuals and an increase in what the report refers to as "friendly fraud." What we don’t know is whether fewer victims facing greater damages is solely the result of more effective, if less widespread, attacks, or whether other factors are at play. Also unknown is what caused the almost 10-fold drop in the number of records reportedly exposed in 2010. Could this be due to improved data security tools and practices, or to an increased reluctance by businesses to report breach events, especially in those instances where conclusively determining that a reportable breach occurred …
Please join us for this informative series focused on the technical, enforcement, and practical aspects of experiencing and responding to a data security incident. For the complete invitation and details on registration please click here.
IDENTITY THEFT, CORPORATE DATA SECURITY BREACHES AND LAW ENFORCEMENT: SHOULD I CALL THE COPS?
Learn How to Effectively Utilize Law Enforcement and Private Security Resources to Protect Yourself and Your Business From Computer Criminals
January 20, 2011, 11:30 a.m. – 1:30 p.m. (Lunch will be provided)
Capital Club – 41 South High Street, 7th Floor, Columbus, Ohio
Focus issues:
- Trends in Identity Theft
- What Can Lead to a Data Breach
- Law Enforcement Identity Theft Investigations
As recently reported by the Washington Post and others, the FTC has ended an inquiry into privacy concerns over Google’s Street View service after Google pledged to stop gathering email, passwords, and other information from residential WiFi networks as its Street View cars creep through neighborhoods with computers on and cameras rolling. For some background on the issue, here is a timeline of related events and announcements:
- 4/27/2010: Peter Fleischer, Google’s global privacy counsel, states in an entry on Google’s European Public Policy blog that while its Street View cars do collect publicly broadcast SSID information (the WiFi network name) and MAC addresses (the unique number assigned to a device such as a WiFi router), Google does not collect payload data (information sent over the network).
- 5/5/2010: The data protection authority (DPA) in Hamburg, Germany asks Google to audit the WiFi data that Google’s Street View cars collect for use in location-based products like Google Maps for mobile, which enables people to find local restaurants or get directions.
- 5/14/2010: Google states in a blog entry that it has discovered that its statements in the 4/27 blog were inaccurate–specifically, that Google had been mistakenly collecting samples of payload data from open (i.e. non-password-protected) WiFi networks, even though Google "never used that data in any Google products".
- 9/2010: The Czech Office for Personal Data Protection bans Street View in the Czech Republic after more than half a year of unsuccessful negotiation between the Czech Republic and Google.
- 10/19/2010: Canadian Privacy Commissioner’s
While nothing new by now, the practice of recording images or video of others without their knowledge and then disseminating the content on a worldwide basis has come under particular scrutiny over the past week. The tragic story of the Rutgers University student (as reported by ABC News here, where I first learned of it) has become the basis of a worldwide conversation regarding privacy and civility. Also in the news this week was the story reported by Jon Yates of the Chicago Tribune of a Chicago woman who discovered a photo of herself on a website called People of Public Transit and the woman’s efforts (and Jon Yates’ efforts) to get the photo removed from the site.
While videotaping someone in their own living quarters behind locked doors may seem a clear invasion of privacy, the capturing of someone’s image while that person is in a public space is generally not an invasion of privacy, as someone on a sidewalk or on a public transit bus would not have an expectation of privacy. Given the modern day implications of that lack of a right to privacy–witness the People of Public Transit website and many others like it–one could argue that there is something missing in the law.
This issue was well framed by the Chicago woman in that story noted above when she said, “Most people walking around just want to be left alone. That’s the nature of living in cities. It seems kind of peculiar to hold …
The Department of Health and Human Services (HHS) announced yesterday that it was temporarily withdrawing the breach notification final rule from review of the Office of Management and Budget (OMB) to allow HHS further time to consider these regulations. The breach notification rule, among other things, requires covered entities to notify individuals whose protected health information (as defined by HIPAA) has been compromised or breached. HHS’s explanation for the withdrawal was that breach notification was "a complex issue and the Administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur." HHS stated that it intends to publish a final rule in the coming months.
This week, the Identity Theft Resource Center released its 2010 data breach statistics report for data breaches through June 22, 2010. According to this weekly report, 2010 has already seen 325 reported data breaches exposing approximately 8.3 million records. Considering that the 2009 report shows 498 reported data breaches for all of last year, it looks like 2010 will see an increase in overall data breaches.
Companies collecting personal information should take proactive measures to avoid data breaches. Proactive measures include maintaining an up-to-date security policy, safeguarding sensitive data, encrypting data, turning on and monitoring system logs, and restricting access to only those who need it. (See our previous post for an example of why security implementations should be kept up to date.)
It is also important to have a preemptive response plan in place to deal with a data breach should one occur. A response plan should include means of investigating the data breach, notifying those whose records or information are potentially affected, addressing legal concerns, addressing public relations concerns, making other required notifications (such as those described here), and ensuring the data breach is not ongoing or recurring.…
Is your phone ringing off the hook? Then you’d better check your bank account. According to the Federal Bureau of Investigation, a new “telephone denial-of-service” attack is combining high-tech and low-tech fraud techniques to steal money from the bank accounts of unsuspecting victims.
As reported in the alert issued by the FBI, the scam begins with the suspect obtaining a victim’s personal and banking information, perhaps including bank account numbers, PINs, and passwords. Scammers can obtain a victim’s personal and banking information in a variety of ways, such as through phishing emails, social engineering tactics, or malware surreptitiously installed on a person’s computer.
Once the scammers have the victim’s personal information, they begin tying up the victim’s telephone line by using automated resources to place hundreds or thousands of calls to the victim’s telephone, not unlike a Distributed Denial of Service attack aimed at a computer network, which overwhelms a computer with requests for information, resulting in a slowing or failure of the network.
While the victim is busy dealing with the onslaught of telephone calls, the scammers quickly drain the victim’s bank account, using the previously obtained personal and banking information to gain access to the account. If the banking institution calls its customer to verify the transactions, it finds the victim’s telephone line busy. In some cases, scammers are brazen enough to change the victim’s contact information on file with the bank. As a result, calls from the bank to verify fraudulent transactions are redirected to …
On Tuesday, May 4, a new privacy bill, known as the Boucher-Stearns Bill, was released by Representative Rick Boucher, Democrat of Virginia, and Representative Cliff Stearns, Republican of Florida. If the bill were to become law, it would represent a dramatic shift in U.S. privacy governance. To date, privacy regulation in the U.S. has generally fallen along industry lines, such as (i) HIPAA’s regulation of a hospital’s use of medical information or (ii) Gramm-Leach-Bliley’s regulation of a bank’s use of an individual’s financial information. The Boucher-Stearns Bill would be the first non-industry-specific federal privacy law, moving American regulation of personal information closer to that of the European Union and other countries. The impact on businesses and online commerce would be significant, adding broad-based constraints on how businesses collect, use, and disclose information related to individuals.
In general the Boucher-Stearns Bill, among other things, (i) requires businesses to provide notice and receive consent from individuals prior to the collection of various pieces of information from such individuals, (ii) obligates businesses to establish reasonable procedures to assure the accuracy, privacy, and security of information collected, and (iii) empowers the Federal Trade Commission to implement regulations to enforce the bill’s provisions.
A few of the bill’s key provisions are highlighted below:…
In January 2008, the Davidson Companies, a financial services holding company, announced that a database containing current and past customer records had been hacked during a SQL injection attack. On April 14, 2010—more than two years after the network intrusion—the Financial Industry Regulatory Authority (FINRA) fined the company $375,000 for the breach.…
A new Massachusetts data security regulation — the “Standards for the Protection of Personal Information of Residents of the Commonwealth” — has gone into effect as of March 1, 2010. The new regulation is intended to apply to any business that collects or retains personal information of Massachusetts residents.
Personal information, as defined under the regulation, includes a first name or first initial and last name in combination with any one of the following: (i) a Social Security number; (ii) a driver’s license number or state identification card number; or (iii) a financial account or credit card number with access codes.…
According to an FTC press release on March 3, 2010 and as reported in various media outlet reports, like this one from The New York Times, LifeLock, Inc., an identity theft protection company, has agreed to pay $11 million to the Federal Trade Commission and $1 million to a group of 35 state attorneys general to settle charges that the company used false claims to promote its identity theft protection services.
The FTC claims and state attorneys general actions appear to have been centered around LifeLock’s representations that its protections against identity theft were complete, absolute, and guaranteed. FTC Chairman Jon Leibowitz noted in the FTC’s press release,
"While LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it."…
Having your laptop or smartphone searched or detained by Customs on your way back from a business trip would be a nightmare for most travelers, including bankers and other finance professionals. However, this scenario is quite possible under new governmental policies.
In 2009, U.S. Customs and Border Protection (“CBP”) and U.S. Immigration and Customs Enforcement (“ICE”) both issued their respective new policies on border searches of electronic devices. This was a coordinated effort of CBP and ICE to update and harmonize their border policies to detect an array of illegal activities, including terrorism, cash smuggling, contraband, child pornography, copyright, and export control violations.
With all the technology innovations that allow business travelers to carry massive amounts of information in small electronic devices, CBP and ICE are facing an enormous challenge. On the one hand, travelers have a legitimate right to carry information on electronic devices. In that respect, there are serious concerns regarding the traveler’s expectation of privacy. On the other hand, the government has a duty to combat illegal activities and to enforce U.S. law at the border. The difficulty is finding the right balance between the government’s duty to enforce the law and the rights of travelers.
The legal basis for ICE and CBP policies is the border search exception to the Fourth Amendment requirement that officers obtain a warrant before searching someone’s property. But, assuming that they have this power, another key issue is exactly what CBP and ICE are allowed to do with one’s laptop. In …