Data Law Insights

Legal insights on navigating privacy, data protection, cybersecurity, information governance, and e-discovery

Internet of Things Raises Complex Insurance Coverage Issues

Posted in Cybersecurity / Data Security, Data Breach, Insurance
Rachel Raphael, Ellen MacDonald Farrell

In a recent Law360 publication, C&M attorneys Rachel Raphael and Ellen Farrell discuss how the Internet of Things (IOT) can present complex insurance coverage issues.  As they explain, the tangible and intangible nature of IOT products can cause particular confusion between traditional general liability policies (which may exclude coverage for cyber incidents) and stand-alone cyber policies (which tend to focus on data loss and coverage for breach notification instead of physical damage).  Read the full article, entitled “Insurance Implications Of ‘The Internet Of Things,’” here.


Privacy & Cybersecurity Weekly News Update – Week of Oct 8

Posted in Cybersecurity / Data Security
Charles Austin, Elliot Golding, Jodi G. Daniel

Guidance on HIPAA & cloud computing; Senators question FTC enforcement standards

HHS publishes guidance on HIPAA’s impact on cloud computing

This week, the Department of Health and Human Services issued guidance for HIPAA-covered entities and business associates regarding cloud computing.  When a covered entity seeks to use cloud services in connection with the use and/or storage of electronic personal health information (“ePHI”), the cloud services provider (“CSP”) is a business associate of the covered entity and must enter into a HIPAA-compliant business associate agreement. Thus, the HHS publication aims to “assist HIPAA regulated CSPs and their customers in understanding their responsibilities under the HIPAA Rules when they create, receive, maintain or transmit ePHI using cloud products and services.” Given both the ever-increasing use of cloud services and an increased focus on data security, this is necessary reading for providers and other covered entities to ensure they remain compliant with their HIPAA obligations.

For more on this release, see our recent client alert.

Senators question FTC enforcement standards

A pair of senators sent a letter to FTC Chairwoman Ramirez questioning both the agency’s LabMD decision and whether FTC’s enforcement regime complies with constitutional due process requirements.  The letter was authored by Sen. Jeff Flake, chair of the Subcommittee on Privacy, Technology, and the Law, and Sen. Michael Lee, chair of the Subcommittee on Antitrust, Competition and Consumer Rights.  Relying on a recent Third Circuit decision’s discussion of fair notice in the cybersecurity space, the senators questioned how the FTC’s enforcement practices afford fair notice on cybersecurity standards; how the disclosure of health information constitutes cognizable injury; and whether the FTC has provided guidance on the cost-benefit analysis discussed by the Third Circuit.  Some of these questions may be addressed by LabMD’s recent appeal to the Eleventh Circuit.  We may continue to see increased attention on the FTC’s role in cybersecurity enforcement, from both the judiciary and the legislature, in the coming months.

Privacy & Cybersecurity Weekly News Update – Week of October 3

Posted in Cybersecurity / Data Security
Charles Austin, Frederik Van Remoortel, Lisa Weinert

FCC broadband privacy proposal; Potential challenge to FTC privacy enforcement power

FCC to consider broadband privacy proposal

On October 6, the Chairman of the Federal Communications Commission (FCC) issued proposed rules that would impose on broadband providers privacy regulations similar to those implemented and enforced by the Federal Trade Commission (FTC).  The proposal calls for increased disclosure regarding collection and use of consumer information, as well as greater consumer input on what information is shared.  The proposed rules require opt-in consent for sharing “sensitive” information, which includes geolocation, health and financial information, browsing history, and social security numbers, while an opt-out scheme would govern “non-sensitive” data such as home and IP addresses.  Broadband providers would also be required to comply with data security requirements consistent with FTC requirements and the National Institute of Standards and Technology’s (NIST) cybersecurity framework.

If adopted, the proposal would effectively require that in most cases, providers must obtain consumer permission before sharing data.

However, there is the potential for some inconsistencies with the FTC’s scheme.  Critics of the revised proposal find it does not go far enough in mirroring the FTC’s scheme.  One overarching criticism is that the FCC proposal unnecessarily burdens broadband providers through, among other things, regulatory mandates that are more restrictive than the FTC’s flexible, guideline-based approach.

The FCC’s commissioners will vote on the proposal at the end of October.

FTC data security enforcement authority likely to be challenged in federal appeal

An appeal filed last week will likely challenge the FTC’s authority with respect to data security.  The FTC issued an opinion finding a medical testing company’s data security practices unreasonable, thus constituting an unfair act or practice under Section 5 of the FTC Act.  The FTC ruling reversed an administrative law judge’s finding that evidence failed to show the company’s data security practices—which included storing patient information on a peer-to-peer file-sharing network and failing to implement “even basic precautions to protect the sensitive consumer information” on the network—did or were likely to cause substantial injury to patients.  The FTC also denied a petition by the company, LabMD Inc., to stay the FTC’s enforcement pending the appeal to the U.S. Court of Appeals for the Eleventh Circuit.  In its petition, LabMD challenged both the FTC’s data security enforcement authority and the adequacy of the FTC’s definitions of what constitutes reasonable security practices and substantial injury.

It is likely both issues will be briefed on appeal, and a ruling by the court on any of these questions may alter the current state of data security enforcement.  Without any specific grant of authority to enforce data security compliance, the FTC has relied on the FTC Act’s general grant of authority to prohibit unfair and deceptive practices.  Furthermore, the FTC has not issued any global standards defining what constitutes reasonable data security practices.  Instead, companies have been urged to discern reasonableness based on consent decrees entered into by the FTC and companies found to have unreasonable data security practices.

Privacy & Cybersecurity Weekly News Update

Posted in Cybersecurity / Data Security, Health IT, Privacy
Danielle Rowan, Frederik Van Remoortel, Lisa Weinert

Hamburg DPA orders WhatsApp to stop sharing data with Facebook; GAO: HHS Needs to Improve its Digital Health Protection Rules; Notice and Choice Becoming Par for the Course for Interest-Based Ads in Apps

German Data Protection Authority of Hamburg orders WhatsApp to stop sharing data with Facebook

On September 27, 2016, the Hamburg Commissioner for Data Protection and Freedom of Information (Hamburg DPA) issued an order against WhatsApp to immediately stop the companies’ data-sharing plans. The order comes shortly after a German consumer group, VZBW, had given WhatsApp an ultimatum until September 21, 2016 to stop sharing users’ mobile phone numbers with Facebook.

According to the Press Release of the Hamburg DPA, Facebook is prohibited, with immediate effect, from collecting and storing data of German WhatsApp users, and Facebook has to delete all relevant data that had already been forwarded. The main accusation of the Hamburg DPA: Facebook has neither obtained effective approval from the WhatsApp users for the sharing of the data, nor does any other legal basis for the receipt of the data exist.

In the course of the acquisition of WhatsApp by Facebook in 2014, both companies had originally given assurances that they would not share data or lower the thresholds in WhatsApp’s strong privacy policy. In the authority’s view, the companies’ decision to now do otherwise constitutes “not only a misleading of their users and the public, but also […] an infringement of national data protection law.”

The order of the Hamburg DPA is limited to the data of German WhatsApp users. Nevertheless, it can be expected that other Member States’ data protection authorities might follow the German example, in particular should complaints be raised by individuals.

GAO: HHS Needs to Improve its Digital Health Protection Rules

Following a review of HHS, the US Government Accountability Office (GAO) instructed HHS to improve its security and privacy guidance. Specifically, the GAO admonished HHS for failing to ensure that its regulations are implemented properly and for not properly addressing how covered entities should tailor implementations to NIST standards. The GAO also criticized HHS for the technical assistance that it provided to audited entities, writing that the “assistance was not pertinent to the identified problems.”

Covered entities can expect more clarity, more assistance, and more robust standards as a result of the GAO report. HHS is also likely to incorporate NIST standards into revised regulations. Government agencies have long been subject to NIST standards, and recently government contractors have been expected to adhere to NIST standards as well. Given the recent recommendations, it is likely HHS will follow this trend.

Notice and Choice Becoming Par for the Course for Interest-Based Ads in Apps

Recent actions by self-regulatory agencies and the FTC signal that notice and choice may now be required when app developers allow the collection of information for interest-based advertisements (IBAs) in mobile applications. The Council of Better Business Bureaus’ Online Interest-Based Advertising Accountability Program issued two decisions finding that mobile app developers must provide “enhanced notice,” in addition to (1) notice in a privacy policy and (2) notice in the application’s settings, when apps collect information for IBA purposes. Developers should provide this “enhanced notice” before a user downloads the app (for example in the app store), during download, on first opening the app, or at the time that data is first collected.

The Accountability Program also made clear that developers should craft different forms of notice based on the type of information collected. It explicitly stated that when an app allows third parties to collect precise location data for IBA purposes, the app must specifically disclose the fact that location data will be passed to third parties for IBA purposes. Additionally, the Accountability Program will review specific disclosure practices for other types of sensitive data collection such as personal directory data, health data, and data for users under. This summer the FTC also brought an enforcement action against a mobile advertising network for allegedly allowing third parties to collect location information by bypassing users’ location settings.

These actions show an increased interest in mobile privacy. Based on this increased scrutiny, developers should (1) examine how and what information their apps collect, (2) determine whether the app authorizes third parties to collect this information, (3) review when and how their apps provide notice to consumers about data collected for IBA, and (4) review how the app provides notice to users of the collection of particularly sensitive information – location information, data about children, and personal directory data.

Privacy & Cybersecurity Weekly News Update

Posted in Cybersecurity / Data Security, Privacy
Danielle Rowan, Frederik Van Remoortel, Lisa Weinert

NHTSA Issues Voluntary Driverless Car Guidelines; European Privacy Supervisor proposes Digital Clearing House for coherent handling of Big Data cases; Facebook and Power Ventures Battle Over the Scope of the CFAA; Arizona Supreme Court: Police Cannot Search Unlocked, Unattended Phone; German consumer group urges Whatsapp to stop sharing data with Facebook; German DPA issues guidelines on Privacy Shield

NHTSA Issues Voluntary Driverless Car Guidelines

On Tuesday, September 20th, NHTSA issued its long-awaited voluntary automated vehicles policy. The voluntary guidelines include provisions for all levels of autonomous vehicles – from fully automated to semi-automated – and are divided into four parts: (1) Vehicle Performance Guidelines (VPG), (2) Model State Policy, (3) NHTSA’s Current Regulatory Tools, and (4) Modern Regulatory Tools. The first two parts of the guidance contain the bulk of NHTSA’s recommendations.

The VPG address both privacy and cybersecurity, incorporating many recommendations from other privacy and cybersecurity standards. For example, the recommendations explicitly incorporate the White House Consumer Privacy Bill of Rights. Not surprisingly, the recommendations encourage manufacturers to incorporate cybersecurity best practices from across several industries. The VPG also requests that manufacturers voluntarily provide a Safety Assessment Letter to NHTSA, certifying compliance with the VPG. This Letter will likely become a mandatory reporting requirement once manufacturers release autonomous vehicles for use on public roads.

The Model State Policy makes clear that NHTSA hopes for uniform regulation in this area. It explicitly encourages states to allow the Department of Transportation alone to regulate here. However, with an eye towards uniformity, NHTSA has included the Model State Policy. The latter two portions of the guidance highlight that regulation in this area is in its infancy and will evolve over time.

Manufacturers should expect that these guidelines, or a regime that is similar to them, will become mandatory in the near future and plan accordingly. Moreover, especially where cybersecurity is so closely tied to physical safety, as it is with automated vehicles, plaintiffs will be keen to point to these voluntary standards as the “standard of care” in future class actions.

European Privacy Supervisor proposes Digital Clearing House for coherent handling of Big Data cases

The European Data Protection Supervisor (EDPS), Giovanni Buttarelli, has announced in a non-binding opinion of September 23, 2016 that he proposes setting up a ‘Digital Clearing House’ in order to better protect the rights of individuals in Big Data mergers.

According to Buttarelli, the ‘Digital Clearing House’ should be set up as a voluntary network of regulators working together more closely by sharing information and ideas. This should help protect individuals’ rights to privacy, to freedom of expression and non-discrimination by making sure that web-based services providers are more accountable for their conduct.

Buttarelli’s approach is in line with the policy discussions and ongoing investigations of the EU and national competition law authorities, who are already trying to assess privacy issues in competition-law contexts: among others, the German Federal Cartel Office is currently looking into Facebook’s Privacy Policy and Competition Commissioner Vestager is having a second look into the Facebook-Whatsapp merger due to WhatsApp’s data sharing plans.

For data-related businesses, this means an increased need for awareness of potential privacy and/or consumer law obstacles, both when preparing the notification of a proposed transaction to the competition authorities and with regard to potential antitrust infringements.

Facebook and Power Ventures Battle Over the Scope of the CFAA

Power Ventures, Inc., a media aggregation company, pushed for a rehearing of a 9th Circuit ruling in its dispute with Facebook over the Computer Fraud and Abuse Act (CFAA), a statute that provides for both civil and criminal liability. Power Ventures runs a service that allows users to see all of their social media activity in one place. To execute this service, Power Ventures accessed users’ Facebook accounts in violation of Facebook’s terms of use and a cease and desist letter that the social media giant sent Power Ventures. Power Ventures argues that by holding that this type of behavior violates the CFAA, the 9th Circuit could create criminal and civil liability for a couple that shares an online bank account or academic researchers studying an online platform. Facebook disagrees. It argues that Power Ventures’ conduct is easily distinguishable from these scenarios.

The outcome of this case will further define the notoriously ambiguous CFAA. It also solidifies the 9th Circuit’s status as one of the key interpreters of the law. Further, it will establish how far the 9th Circuit is willing to take its holding in Nosal, a 2012 en banc decision that held that an employee violating the scope of his access could not face criminal liability under the statute. Given the criminal reach of the CFAA, the court may be cautious about interpreting it broadly.

Arizona Supreme Court: Police Cannot Search Unlocked, Unattended Phone

The Arizona Supreme Court in Peoples v. Arizona has ruled that a person has a limited expectation of privacy in his or her mobile phone, even when it is unlocked and not in the same room as the person. Because of this reasonable expectation of privacy, police must secure a search warrant before searching the phone. The reasoning in Peoples closely tracks the reasoning in Riley v. California, where the Supreme Court held that police could not search a mobile phone without a warrant in a search incident to arrest. Generally, courts have taken a harder look at law enforcement’s ability to search mobile devices. The Arizona case here could be part of a wave of court decisions providing expanded Fourth Amendment protection.

German consumer group urges Whatsapp to stop sharing data with Facebook

The German Federation of Consumer Organisations (VZBW) has given WhatsApp a September 21 deadline to sign a cease and desist declaration and to discontinue the company’s plans to share data (more precisely: mobile phone numbers of its users) with Facebook. If WhatsApp doesn’t comply, the organization is planning to look into legal action.

A potential claim of VZBW would be based on a new consumer litigation law, which complements the German Act on Applications for an injunction and gives consumer organizations such as VZBW the right to sue companies for unlawful use of consumer data, and privacy issues related to relationships with consumers. It also allows for legal actions related to consent disputes, unauthorized advertising or market research.

The German Press statement of VZBW can be found here.

Regardless of how the current action of the VZBW continues, it certainly shows that companies with huge customer groups have to be aware of the risk of consumer group claims when planning their privacy law compliance. Such claims are currently possible under, inter alia, German and Austrian law. This will apply in particular once the new European General Data Protection Regulation becomes applicable, as it will grant increased rights to individuals.

German DPA issues guidelines on Privacy Shield

The German Data Protection Authority of North Rhine-Westphalia (LDI) has issued a guidance paper (German only) which outlines and explains what companies and/or affiliates established in the German state have to take into account when transferring data to a ‘Privacy Shield’-certified U.S. company.

The paper first stresses that apart from the legitimization of the transfer as such, the transfer, which constitutes a processing action, also has to be legitimized under Article 4 of the German Data Protection Act. Additionally, according to the LDI, the data exporter has further due diligence obligations related to the Privacy Shield. These obligations involve an “assessment of whether the data importer is duly certified and whether it actually complies with its obligations”. In addition, companies are also recommended to ask for “proof, that the US-company is fulfilling its information duties towards the data subjects” [translations by author].

Strictly speaking this means that, in the view of the LDI, German businesses cannot just enter into a data processing agreement with Privacy Shield-certified companies, but that they have to carry out additional due diligence efforts. Apart from that, the LDI has made clear that it reserves the right to suspend data transfers based on Privacy Shield if the annual reviews raise doubts as to the compliance of Privacy Shield with European Fundamental Rights.

It remains to be seen how other German state DPAs will see these issues. However, the LDI paper appears to confirm the consistent assessments and interpretations that all German DPAs put forward in the course of the Safe Harbor debates, so it might be expected that other German DPAs will issue similar papers.

Privacy & Cybersecurity Weekly News Update

Posted in Cybersecurity / Data Security, Data Breach, Government Agencies, Privacy
Danielle Rowan, Frederik Van Remoortel, Lisa Weinert

Privacy law meets antitrust – EU Commissioner Vestager on data in competition law; ECJ to rule on admissibility of Privacy class actions; Northern District of California Sends Yelp Privacy Suit to the Jury; EU Advocate General finds EU-Canadian PNR pact unlawful; New York Unveils New Cyber Security Rules for Financial Services Organizations; New Jersey Senate Passes Shopping Privacy Bill; NIST Issues Mobile Threat Guidance

Privacy law meets antitrust – EU Commissioner Vestager on when privacy issues can lead to antitrust concerns

European Competition Commissioner Margrethe Vestager has commented on the relevance of privacy issues with regard to EU antitrust rules. According to Vestager, current investigations of the German Federal Cartel Office regarding Facebook’s “privacy issues” would “not necessarily” lead to competition law concerns, even though both fields of law might correlate under certain circumstances.

In the investigations at issue, the German Federal Cartel Office is accusing Facebook of abusing an alleged ‘dominant position’ in the market for social networks by imposing unfair conditions regarding the privacy settings for Facebook accounts on its users. The German antitrust regulator is arguing that users would have “no choice” whether to accept the conditions or to terminate their account, because there is no real alternative to the well-known social network. Under Article 102 of the Treaty on the Functioning of the European Union (‘TFEU’), “dominant companies are subject to special obligations. These include the use of adequate terms of service as far as these are relevant to the market.”

It still remains to be seen whether Facebook will ultimately be found in breach of EU antitrust rules relating to its Privacy Policy. On a more general level, however, the Commissioner’s statements seem to confirm that companies controlling vast amounts of data may indeed be considered able to prevent market entry by withholding this data from potential competitors who could not reproduce comparable datasets themselves, and therefore might violate Article 102 TFEU. Companies that might fall in this category should therefore be prepared that not only privacy regulators, but also antitrust authorities, might question them regarding their use of data in the future. Nevertheless, Vestager offered reassurance that “simply holding a lot of data” would not be enough to raise antitrust suspicions.


Insider Threats Meet Litigation

Posted in Cybersecurity / Data Security, Data Breach, Government Contracting, Information Management
Kate M. Growley

Last week, we highlighted our colleagues’ post in Crowell’s Trade Secrets Trends focusing on recent comments submitted by the U.S. Chamber of Commerce regarding the need to stem the cyber theft of intellectual property.  Today, we once again turn to our sister blog to highlight an example of how that theft plays out in the private sector.  The post overviews a recent trade secrets case that stems from an all too frequent fact pattern – the insider threat.  Cases like this serve as useful reminders about the benefits of an insider risk program and data loss prevention tools.

U.S. Chamber of Commerce on Trade Secrets Protections

Posted in Cybersecurity / Data Security, Government Agencies, Information Management
Kate M. Growley

Earlier this month, the U.S. Chamber of Commerce submitted comments in response to the National Institute of Standards & Technology’s request for information regarding cybersecurity and the digital economy. The Chamber’s comments focused on specifics such as the NIST Cybersecurity Framework and the Cybersecurity Information Sharing Act of 2015, but it also discussed more generally the benefits of norms and deterrence in the cyber age. In our sister blog Trade Secrets Trends, our colleagues highlight how those norms and deterrents could help further trade secrets protections.

Privacy & Cybersecurity Weekly News Update – Week of September 12

Posted in Cybersecurity / Data Security, Privacy
Jodi G. Daniel, Danielle Rowan, Frederik Van Remoortel, Lisa Weinert

HHS Jumps on the Cybersecurity Information Sharing Bandwagon; Third Circuit on Economic Loss as a basis for Negligence Claim; FTC workshop on Ransomware; German draft implementing law for GDPR revealed.

HHS Jumps on the Cybersecurity Information Sharing Bandwagon

Following recent news reports confirming that cyberattacks against healthcare agencies have increased 125% in the past five years, HHS is encouraging HIPAA Covered Entities and Business Associates to share information to combat future attacks.

HHS, based on authority from Executive Order 13591 and the Cybersecurity Information Sharing Act (CISA), is urging Covered Entities and Business Associates to join Information Sharing and Analysis Organizations (ISAOs) to share security threat and vulnerability information related to electronic protected health information (ePHI).

Ideally, ISAOs will provide a mechanism for sharing information bi-directionally “between HHS and the Health Care and Public Health (HPH) sector regarding cyber threats and will also provide outreach and education to the HPH sector.” This press release from HHS follows a similar measure by the Department of Homeland Security, which also encourages information sharing to mitigate the risk of cyberattacks.

In developing ISAOs in the health care sector, it is critical to consider three things:

  • the standards and best practices for the creation of ISAOs to ensure that covered entities and business associates that participate gain the protections of such information sharing under CISA;
  • the data that is shared in light of what is permitted under the HIPAA Privacy Rule; and
  • how participation in an ISAO can support compliance with the HIPAA Security Rule.

Crowell & Moring is a leading expert in the creation of ISAOs and HIPAA compliance and can help stakeholders that seek to comply with HHS’s call to action to consider the intersection of these various legal frameworks.

Privacy & Cybersecurity Weekly News Update – Week of August 28

Posted in Cybersecurity / Data Security, Privacy
Matthew B. Welling, Lisa Weinert, Harvey Rishikof

Bavarian DPA: fines under GDPR to be calculated based on revenues of whole company group; ICO publishes report on data security incident trends.

Bavarian DPA: fines under GDPR to be calculated based on revenues of whole company group

On September 1, 2016, the German Data Protection Authority of Bavaria (BayLDA) announced that, according to its understanding, sanctions under the GDPR will be calculated based on the revenue of a whole company group. According to the authority, this should apply even when only one single entity is responsible for an incident.

In its position paper, the BayLDA elaborates that fines under the GDPR have to be “effective, proportionate, and dissuasive.” For most infringements, the fine can amount up to a maximum of either €10 million or 2% of the company’s annual global turnover, whichever is higher. For serious infringements, the fine can even amount up to the higher of €20 million or 4% of the respective turnover. The turnover will comprise the turnover of the whole company group to which a company belongs, according to recital 150 of the preamble, which relates to the “economic concept of an undertaking”.

Although the BayLDA’s position paper is non-binding, the interpretations and views it publishes nevertheless offer important indications of how the German Data Protection authorities in particular will interpret and enforce the new Regulation, which will enter into force on 25 May 2018. The European Data Protection Board, a group of representatives of the EU Member States (currently known as the Article 29 Working Party), is expected to issue guidelines on the calculation of fines.