Data Law Insights

Data Law Insights

Legal insights on navigating privacy, data protection, cybersecurity, information governance, and e-discovery

Privacy-Cybersecurity Weekly News Update—Week of November 13

Posted in Cybersecurity / Data Security, Internet of Things
Elliot GoldingLeigh Colihan

Discussion headlines:  New guidelines for IoT; Russia blocks access to LinkedIn; Standing under the TCPA; Long distance search warrant power

The DHS and NIST Release Guidelines for the IoT

This week, both the Department of Homeland Security and the National Institute of Standards and Technology released a set of guidelines intended to secure the IoT.  Both the DHS and NIST offered standards and other security principles that focused on redesigning the main infrastructure of the device and emphasized the need to incorporate security practices early on in the design of an IoT device.

On November 16th, a joint hearing of two House Energy and Commerce subcommittees was held to investigate ways to better secure internet-connected devices and to mitigate future attacks.  Experts testified that internet-connected devices are compromised by a minimal interest in security by both the manufacturers and the consumers.  The overall lack of incentive to implement security mechanisms on these goods can be rectified by an increased regulatory presence in this industry.    Rep. Jan Schakowsky (D-Ill.), the ranking member of the Commerce, Manufacturing and Trade Subcommittee, suggested that the Federal Trade Commission needs to take on a larger role in this industry to protect the consumers.  Rep. Michael C. Burgess (R-Texas) wanted to shy away from creating hard and fast rules and, instead, develop a set of best practices or industry standards for the IoT industry to follow.  He believed regulations could be an “innovation killer.”  Regardless of the approach adopted, the comments made at the hearing echoed the incentive behind DHS’s and NIST’s guidelines:  cybersecurity must be part of the early design of an internet-connected device.  The new guidelines and joint hearing on the IoT reflect a new focus on the security of IoT devices.

LinkedIn is Shown the Door in Russia

On November 10th, after determining that LinkedIn Corp. violated Russia’s data localization law, a Moscow court affirmed an August district court decision that blocked the company from providing online services within Russia.  The law, which went into effect in September 2015, requires websites to store Russians’ personal information on servers located in Russia.  This ruling was the first time a Russian court enforced the law.  Even though LinkedIn does not have any offices or personnel located within Russia, the company still has to comply with the law simply because Russians can sign up to use its services.  Consequently, if multinational companies want to engage with Russian users, they will likely need to build data centers in Russia or store their data with local storage centers.  Adhering to this law will likely grant Russian officials a more direct and easier access to customer and corporate data.  One week after the decision, Russia’s communications regulator ordered access to LinkedIn’s website to be blocked to users in Russia.  As companies look to expand their businesses, data localization laws could prove to be an obstacle to expansion.

A Single Text Constitutes an Injury-in-Fact under the TCPA

On Nov. 15th, U.S. District Judge Leigh Martin May ruled that an alleged violation of the Telephone Consumer Protection Act (TCPA) is enough to file suit in federal court.  Under the TCPA, a company cannot use automated telephone dialing systems to send unsolicited calls or text messages to a consumer without prior consent.  The plaintiff claimed that Hooters knowingly violated the TCPA by sending a text message to diners who had opted out of receiving the messages.  In applying the recent Supreme Court ruling in Spokeo, Inc. v. Robins, the judge concluded that a per se violation of the TCPA is suffice to establish standing.  And, in fact, “sending a single text message in violation of the TCPA constitutes an injury-in-fact.”  This ruling could be a significant business risk for many companies as it makes it easier for plaintiffs to satisfy the initial standing requirement

Long Distance Search Warrant Power

On December 1st, the revised Federal Rule of Criminal Procedure 41 will take effect, which allows federal judges, with authority in any district, to issue a warrant requesting remote access to search electronic devices.  Rule 41 would apply in two circumstances: first, if a suspect uses technological means to hide the location of his or her computer and; second, if, in an investigation of a crime that involves criminals hacking computers, the computer is located in five or more judicial districts, Rule 41 would only require one judge to review an application for a search warrant rather than submitting separate applications in each district where a computer is affected.  A judge can grant a warrant even if the owner is not aware of how the computer is being misused—for example, an infected personal laptop that has been used in a cyberattack.  Companies will have to wait to see how prosecutors will utilize Rule 41 warrants.  In the interim, Rule 41 could make it increasingly difficult for companies to protect users’ information.

Alabama District Court Relieves Carrier of a Duty to Defend or Indemnify Policyholder Following Data Breach

Posted in Cybersecurity / Data Security, Data Breach, Insurance, Privacy
Rachel Raphael

On October 25, in the case of Camp’s Grocery, Inc. v. State Farm Fire & Casualty Company, the District Court for the Northern District of Alabama granted summary judgment in favor of State Farm Fire and Casualty Company (“State Farm”), concluding that State Farm did not have to defend or indemnify its policyholder, Camp’s Grocery Inc. (“Camp’s”) in an underlying lawsuit brought by credit unions following a breach of Camp’s computer network.  Camp’s Grocery illustrates the importance of carefully evaluating an insurance policy terms and conditions and having a complete understanding as to which losses are covered and which are not.  Additionally, this case highlights the different entities (here, credit unions) that may sue a policyholder after a data breach.

In August 2015, three credit unions sued Camp’s in an Alabama circuit court alleging that a hack of Camp’s computer network compromised customers’ confidential data, such as credit card, debit card, and check card information.  The credit unions argued they suffered losses as a result of the breach.  For example, the credit unions had to reissue cards to customer and reimburse customers for fraud losses.  Among other things, the credit unions also incurred administrative expenses associated with investigating, correcting and preventing fraud.

State Farm had issued a business owners insurance policy to Camp’s.  This policy covered damages because of “bodily injury, “property damage,” or “personal and advertising injury.”  However, “property damage” was limited to harm to “tangible property.” And “tangible property” was defined not to include “electronic data.”  The policy also expressly excluded “damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.”

The State Farm policy also included two endorsements: (1) Inland Marine Conditions (“IMC”), and (2) Inland Marine Computer Property Form (“IMCPF).  The IMCPF specifically covered accidental direct physical loss to computer equipment and removable data storage media used in Camp’s business.

In February 2016, Camp’s sued State Farm in an Alabama federal district court seeking a declaration that State Farm had a duty to defend and indemnify Camp’s in the credit unions’ lawsuit.  Both Camp’s and State Farm filed motions for summary judgment.  State Farm argued that coverage was not available under the policy because the Credit Unions’ claims in the underlying suit did not allege “bodily injury”, “property damage,” or “personal and advertising injury” as defined in the policy.  It also argued that, to the extent, Camp’s was relying on IMCPF for coverage, the endorsement was a “first party” insuring agreement, not a “third party” insuring agreement.  As a result, the endorsement only covered losses sustained directly by Camp’s, not claims brought by third parties.

Camp’s relied primarily on the two endorsements to argue that State Farm was obligated to provide defense and indemnity. It argued that State Farm assumed a duty to defend the underlying lawsuit based on a provision in the IMC which stated that State Farm “may elect to defend” Camp’s at State Farm’s expense, “against suits arising from claims of owners of property.” According to Camp’s, the phrase “may elect to defend” was ambiguous.

The district court agreed with State Farm. The court explained that IMCPF covered “accidental direct physical loss.” This phrase unambiguously afforded first-party coverage.  It did not impose a duty to defend or indemnify Camp’s against claims for harm allegedly suffered by third parties.  The court also explained that coverage was not otherwise available under the policy because the underlying suit was brought by plaintiffs alleging purely economic loss (not “bodily injury” or “personal and advertising injury”).  The court also rejected Camp’s argument that the phrase “may elect to defend” obligated State Farm to defend Camp’s in the underlying suit.  The court concluded that on its face this phrase unambiguously vested discretion in the insurance carrier.  As a result, the carrier had the option to defend Camp’s but it did not have a duty to do so.

Camp’s had also argued that physical debit cards were “tangible property” that could be “touched and handled,” and as a result, the credit unions’ loss in connection with replacing these cards was covered “property damage” under the State Farm policy.  Again, the court disagreed, explaining that (1) the credit unions’ claims were based on the compromised intangible electronic data contained on the cards that rendered the cards unusable, and (2) the policy specifically excluded damages arising out of the loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.”

For years courts have grappled with and have been split on the issue of whether cyber-related losses constitute harm to tangible property; the court in this case came down on the side of a data breach not constituting harm to tangible property.  This case also emphasizes the importance of policy wording (particularly exclusions concerning electronic data) and, as mentioned above, it highlights the different entities that may sue policyholders following a data breach.

Privacy & Cybersecurity Weekly News Update – Week of October 22

Posted in Cybersecurity / Data Security
Charles AustinJudith BusséFrederik Van Remoortel

FCC adopts privacy rules; Privacy Shield challenge; Amendments to EU data transfer decisions; FTC data breach guidance; DOT vehicle cybersecurity best practices; HHS guidance on HIPAA and FTC compliance

FCC approves privacy rules for broadband providers

In a 3-2 vote, the Federal Communications Commission approved new rules governing internet service providers’ collection and use of consumer data.  The largest impact may be the requirement that providers obtain affirmative consent before collecting and sharing data that could previously be collected without consumer permission.  In a fact sheet released earlier this month, the FCC stated that its new privacy rules were intended to create an approach similar to the one used by the FTC.  However, some criticize the FCC for veering too far off the path blazed by the FTC.  The FCC’s rules require opt-in consent for using and sharing data categorized as sensitive.  In addition to including the financial information and geolocation data, the FCC rules differ from the FTC’s approach in that the FCC also considers web browsing and mobile application usage data “sensitive.”  The FCC also set forth requirements for breach notifications, conspicuous notice of collection and usage policies, data security practices, and exceptions to opt-in consent.

Digital Rights Ireland challenges Privacy Shield

Although it does not come as a surprise, the Irish privacy advocacy group Digital Rights Ireland ( “DRI”) has filed an action for annulment of the Privacy Shield with the General Court of the European Union (case number T-670/16).  The new EU-U.S. Privacy Shield was agreed earlier this year to replace the Safe Harbor agreement allowing the transfer of personal data from the EU to the United States, which had been invalidated by the European Court of Justice in the Schrems case.  To date, about 600 companies have signed up for the Privacy Shield agreement, including Google, Facebook, and Microsoft.

Based on public comments, the DRI contends that the Privacy Shield does not contain adequate privacy protections, but its specific legal grounds or concerns are not yet available, as the request has not yet been made public.

A threshold hurdle is the admissibility question, given that natural or legal persons may only challenge EU regulatory acts before the European Courts if they are of a direct concern to them (Article 263 (4) TFEU).  Having regard to the restrictive interpretation of the required standing before the EU courts, it is questionable whether the annulment action by the DRI can overcome this hurdle.   Only afterwards, the General Court will rule on the merits of this case, which is expected to easily take a year.

EU Commission to amend existing adequacy decisions for international transfer of personal data

It appears from the “Summary record of the 72nd meeting of the Committee on the Protection of Individuals with regard to the Processing of Personal Data (Article 31 Committee)” that the EU Commission presented two draft Commission Implementing Decisions amending the existing adequacy decisions and the decisions on standard contractual clauses (“SCCs”).   The purpose of both draft decisions is to cure the illegality that follows from the findings in the Court of Justice’s (“ECJ”) Schrems ruling.

In Schrems, the ECJ invalidated Article 3 of the Safe Harbor adequacy decision after finding that the Commission exceeded its powers in imposing limitations on the powers of national supervisory authorities (“DPAs”) to suspend and prohibit data flows.  Because, according to the Article 31 Committee communication, a comparable provision restricting the powers of DPAs is present in the existing adequacy and SCCs decisions, the main objective of the proposed draft amending decisions is to remove any such restriction, thereby ensuring that the DPAs can use all the powers provided under EU and national law.

The text of the two draft decisions has not been released yet.  While a number of the Member States present at the meeting expressed favorable views on them, others were not yet ready to take a decision. The Article 29 Working Party will also be asked to present its views.

FTC issues guidance on handling data breaches

The Federal Trade Commission released a guide on responding to data breaches.  Titled “Data Breach Response: A Guide for Businesses,” the FTC publication outlines steps businesses can take in the immediate wake of a security incident to minimize damage and comply with breach notice obligations.  The FTC describes best practices for securing business operations, addressing already exploited or potentially exploitable vulnerabilities, and notifying the appropriate regulatory and enforcement entities as well as affected individuals and other entities.  The publication also includes a model notice letter, which may be useful for both firms that need to create such a template and firms that have an existing notice template but want to ensure their notices satisfy FTC requirements.

DOT releases guidance on vehicle cybersecurity best practices

The Department of Transportation published best practices for improving vehicle cybersecurity and preventing malicious attacks on and unauthorized access to vehicles.  The DOT recommends “risk-based prioritized identification and protection of critical vehicle controls and consumers’ personal data,” and also encourages manufacturers to provide rapid response to cybersecurity incidents throughout the life of a vehicle.  DOT further includes guidance on researching, developing, and testing cybersecurity measures.

HHS guidance on sharing health information

A short publication from the Health and Human Services Office of Civil Rights confirms that businesses sharing health information must comply with both HIPAA and the FTC Act.  OCR’s guidance explains that for businesses that share health information, compliance with HIPAA alone is not sufficient; firms must ensure that HIPAA-compliant disclosures are not deceptive under the FTC Act.  OCR also provides recommended steps for complying with the FTC Act.  One step is to draft disclosures in a manner that considers how consumers review the material, such that critical information is not “buried” in other documents linked to disclosures.  A second recommendation is that businesses consider how consumers will review disclosures; a good practice is create an interface that avoids requiring extensive “scrolling” to locate key facts and information.  OCR also recommends eliminating contradictions as to how data will be used.

Privacy & Cybersecurity Weekly News Update – Week of October 15

Posted in Cybersecurity / Data Security
Charles AustinFrederik Van RemoortelJudith Bussé

Hospital pays $2.1MM HIPAA settlement; Dynamic IP addresses protected under EU laws; EU guidance on GDPR coming soon; California’s new privacy compliance tool; banking regulators consider cybersecurity; FCC privacy proposal comments; OMB’s new privacy office; DFARS finalizes Safeguarding Rule

Hospital pays $2.1M to settle alleged HIPAA violations

St. Joseph Health, a California-based health system, reached an agreement this week to pay $2.1 million to settle alleged HIPAA violations based on the public exposure of patients’ health records in 2011 and 2012.  The HHS Office of Civil Rights (OCR) investigated the potential violation in 2012, after St. Joseph reported that a server malfunction inadvertently caused protected health information to be accessible and searchable via online search engines such as Google.  According to OCR, the server St. Joseph purchased to store patient information included a file sharing application that, by default, permitted access by “anyone with an internet connection.”  This settlement with HHS follows a $7.5 million settlement, reached earlier this year, of a class action filed on behalf of the affected patients.

This is yet another example of HHS’ focus on privacy and cybersecurity compliance.  Perhaps more importantly, and in light of the recent HHS guidance regarding HIPAA and cloud computing, the underlying facts illustrate the importance of actively managing cloud storage and other vendor services to minimize potential information exposure, data breaches, and regulatory violations.

ECJ rules that IP addresses are protected personal data under EU laws

On October 19, 2016, the European Court of Justice decided on a preliminary request in the framework of proceedings between Mr. Patrick Breyer and Germany concerning the registration and storage by the German authorities of the dynamic internet protocol address (“IP address”) allocated to Mr Breyer when he accessed certain internet websites of German Federal institutions.

One of the questions raised was whether an IP address which an online media service provider stores when his website is accessed constitutes “personal data” for the service provider if a third party (an access provider) has the additional knowledge required in order to identify the data subject.

This question concerns the definition of “personal data,” which is “any information relating to an identified or identifiable natural person (“data subject”).”

According to the Court, it is common ground that a dynamic IP address does not constitute information relating to an “identified” natural person, since such an address does not directly reveal the identity of the natural person who owns the computer from which a website was accessed, or that of another person who might use that computer.

It therefore had to be assessed whether such an IP address may be treated as data relating to an “identifiable” natural person.

German law does not seem to allow the internet service provider to transmit directly to the online media services provider the additional data necessary for the identification of the data subject, but, subject to verifications to be made in that regard by the referring court, it appears that, in particular, in the event of cyber-attacks legal channels exist so that the online media services provider is able to contact the competent authority, so that the latter can take the steps necessary to obtain that information from the internet service provider and to bring criminal proceedings.  Hence, according to the Court, it appears that the online media services provider who operates the website has the means which “may likely reasonably be used” in order to identify the data subject, with the assistance of other persons, namely the competent authority and the internet service provider.  The dynamic IP address is therefore to be considered “personal data” for the service provider.

The European Court’s decision confirms the broad reach of the concept of “personal data” in the EU.  Online companies, such as search engines, social media platforms and others should therefore reassess their policies and consider that, even though they may not be able to identify the visitor on the basis of that information alone, the collected data may be considered personal in view of the possible additional information of third parties that renders the data subjects “identifiable.”

EU guidance on the GDPR coming soon

Isabelle Falque-Pierrotin, the chairwoman of the Article 29 Working Party, has confirmed that the Article 29 Working Party’s initial guidance on specific topics of the new EU General Data Protection Regulation (GDPR), more in particular with respect to enforcement, the appointment of a DPO and data portability, are expected to be released before the end of 2016.  In 2017, there will likely be further guidance on consent and the Privacy Shield.

California creates online portal for reporting privacy violations

The California Attorney General’s office announced a new online form that consumers can use to report companies that violate the California Online Privacy Protection Act (CalOPPA) by failing to conspicuously post privacy policies governing use of websites and mobile applications.  Under CalOPPA, website and app operators must identify information collection, third parties with whom the operator may share information, instructions on how consumers can request changes to the information, how the operator treats “do not track” requests, and whether third parties can collect personally identifiable information from users.  According to the California Attorney General’s office, this “online tool allows consumers to ‘crowdsource’ privacy policy violations, exponentially increasing the California Department of Justice’s ability to identify and notify those in violation of CalOPPA.”

In conjunction with this online reporting form, the California Attorney General is also partnering with an initiative at Carnegie Mellon University to identify mobile applications that violate CalOPPA.  The joint effort is focused on creating a tool that compares policies of mobile apps and the apps’ actual data collection practices.

This two-pronged approach is likely to lead to increased scrutiny in California.  Companies that fall within CalOPPA’s reach should continue to be proactive and ensure their privacy policies are clear, conspicuous, and actually reflect the operation of the relevant website or app.

Federal banking regulators consider cybersecurity rules

A proposal by three federal banking agencies suggests the agencies may establish requirements aimed at preventing and mitigating the effects of cyberattacks on financial institutions.  The Federal Reserve, Federal Deposit Insurance Corp., and the Office of the Comptroller of the Currency jointly drafted an advance notice of proposed rulemaking (ANPR) that takes a significant step toward imposing on “the largest and most connected entities under their supervision” certain standards designed to prevent cyberattacks from spreading to other firms and allow compromised firms to recover from an attack within hours.

The ANPR suggests the standards would be imposed in a “tiered” manner, such that more stringent rules would apply to entities “that are critical to the functioning of the financial sector.”  Any enhanced standards “would be designed to increase covered entities’ operational resilience and reduce the potential impact on the financial system in the event of a failure, cyber-attack, or the failure to implement appropriate cyber risk management.”

These potential rules would address various aspects of cybersecurity planning.  One proposal is that institutions have a written cyber risk management strategy approved by the board and implemented into the institution’s overall business strategy.  Another proposal would require covered entities to create and implement a plan to have sector-critical systems recover from disruptive or destructive attacks within two hours.  Covered entities may also be required to identify and implement methods of preventing malware from spreading from a compromised system to any other connected system.  The period for public comment ends January 17, 2017.

Given the debate about the propriety of creating standards that may be too restrictive or quickly outdated, there will likely be comments that push back on some of the specific proposals.  Even so, there may be great value in revisiting—or creating, if necessary—cyber risk management plans to ensure they consider and address concerns identified in the ANPR.  Before following any of the proposed rules, however, potentially affected companies may be well served in waiting to see how, if at all, the proposals are finalized and implemented.

Legislators, stakeholders weigh in on FCC broadband privacy proposal

Multiple parties are weighing in on the Federal Communications Commission’s (FCC) proposed rules for broadband providers regarding collection and use of consumers’ information.  Earlier this month, Sen. Edward Markey of Massachusetts expressed his support of the proposal’s requirement that internet service providers obtain consumer consent before sharing sensitive data.  Sen. Markey also agreed with the FCC’s proposal to consider as sensitive data information regarding web browsing and app usage.  Privacy advocates and interest groups also support these aspects of the FCC proposal.

In the last week, representatives from broadband providers and trade associations expressed the opposite view, stating that the category of sensitive information is too broad in its inclusion of, among other things, geolocation and app usage data.  Opponents of the proposal also believe the FCC’s rules would effectively create a rigid opt-in regime that overly restricts providers in offering services to consumers.

OMB announces new privacy office

The Office of Management and Budget (OMB) announced the creation of a privacy branch in the Office of Information and Regulatory Affairs (OIRA), which is part of OMB.  The OIRA’s office will focus on coordinating federal privacy policies and strategies, identify areas requiring government-wide solutions, and oversee and evaluate initiatives that concern government collection of private information from the public.

New DFARS Safeguarding Rule Published

On October 21, 2016, the Department of Defense finalized the Defense Federal Acquisition Regulation Supplement’s (DFARS) Safeguarding Rule regarding the protection of “covered defense information” provided to or generated by defense contractors.  The Final Rule mostly aligns with the interim rule first issued almost three years ago.  The significant changes include:  (a) the expansion of “covered defense information” to include all “controlled unclassified information,” (b) the application of FedRAMP security requirements to any external cloud service that houses covered defense information, and (c) a requirement that subcontractors notify prime contractors when requesting variance from NIST security controls.


Internet of Things Raises Complex Insurance Coverage Issues

Posted in Cybersecurity / Data Security, Data Breach, Insurance
Rachel RaphaelEllen MacDonald Farrell

In a recent Law360 publication, C&M attorneys Rachel Raphael and Ellen Farrell discuss how the Internet of Things (IOT) can present complex insurance coverage issues.  As they explain, the tangible and intangible nature of IOT products can cause particular confusion between traditional general liability policies (which may exclude coverage for cyber incidents) and stand-alone cyber policies (which tend to focus on data loss and coverage for breach notification instead of physical damage).  Read the full article, entitled “Insurance Implications Of ‘The Internet Of Things,’” here.


Privacy & Cybersecurity Weekly News Update – Week of Oct 8

Posted in Cybersecurity / Data Security
Charles AustinElliot GoldingJodi G. Daniel

Guidance on HIPAA & cloud computing; Senators question FTC enforcement standards

HHS publishes guidance on HIPAA’s impact on cloud computing

This week, the Department of Health and Human Services issued guidance for HIPAA-covered entities and business associates regarding cloud computing.  When a covered entity seeks to use cloud services in connection with the use and/or storage of electronic personal health information (“ePHI”), the cloud services provider (“CSP”) is a business associate of the covered entity and must enter into a HIPAA complaint business associate agreement. Thus, the HHS publication aims to “assist HIPAA regulated CSPs and their customers in understanding their responsibilities under the HIPAA Rules when they create, receive, maintain or transmit ePHI using cloud products and services.” Given both the ever-increasing use of cloud services and an increased focus on data security, this is necessary reading for providers and other covered entities to ensure they remain compliant with their HIPAA obligations.

For more on this release, see our recent client alert.

Senators question FTC enforcement standards

A pair of senators sent a letter to FTC Chairwoman Ramirez questioning both the agency’s LabMD decision and whether FTC’s enforcement regime complies with constitutional due process requirements.  The letter was authored by Sen. Jeff Flake, chair of the Subcommittee on Privacy, Technology, and the Law, and Sen. Michael Lee, chair of the Subcommittee on Antitrust, Competition and Consumer Rights.  Relying on a recent Third Circuit decision’s discussion of fair notice in the cybersecurity space, the senators questioned how the FTC’s enforcement practices afford fair notice on cybersecurity standards; how the disclosure of health information constitutes cognizable injury; and whether the FTC has provided guidance on the cost-benefit analysis discussed by the Third Circuit.  Some of these questions may be addressed by LabMD’s recent appeal to the Eleventh Circuit.  We may continue to see increased attention on the FTC’s role in cybersecurity enforcement, from both the judiciary and the legislature, in the coming months.

Privacy & Cybersecurity Weekly News Update – Week of October 3

Posted in Cybersecurity / Data Security
Charles AustinFrederik Van RemoortelLisa Weinert

FCC broadband privacy proposal; Potential challenge to FTC privacy enforcement power

FCC to consider broadband privacy proposal

On October 6, the Chairman of the Federal Communications Commission (FCC) issued proposed rules that would impose on broadband providers privacy regulations similar to those implemented and enforced by the Federal Trade Commission (FTC).  The proposal calls for increased disclosure regarding collection and use of consumer information, as well as greater consumer input on what information is shared.  The proposed rules require opt-in consent for sharing “sensitive” information, which includes regarding geolocation, health and financial information, browsing history, and social security numbers, while an opt-out scheme would govern “non-sensitive” data such as home and IP addresses.  Broadband providers would also be required to comply with data security requirements consistent with FTC requirements and the National Institutes of Standards and Technology’s (NIST) cyber-security framework.

If adopted, the proposal would effectively require that in most cases, providers must obtain consumer permission before sharing data.

However, there is the potential for some inconsistencies with the FTC’s scheme.  Critics of the revised proposal find it does not go far enough in mirroring the FTC’s scheme.  One overarching criticism is that the FCC proposal unnecessarily burdens broadband providers through, among other things, regulatory mandates that are more restrictive than the FTC’s flexible, guideline-based approach.

The FTC’s commissioners will vote on the proposal at the end of October.

FTC data security enforcement authority likely to be challenged in federal appeal

An appeal filed last week will likely challenge the FTC’s authority with respect to data security.  The FTC issued an opinion finding a medical testing company’s data security practices unreasonable, thus constituting an unfair act or practice under Section 5 of the FTC Act.  The FTC ruling reversed an administrative law judge’s finding that evidence failed to show the company’s data security practices—which included storing patient information on a peer-to-peer file-sharing network and failing to implement “even basic precautions to protect the sensitive consumer information” on the network—did or were likely to cause substantial injury to patients.  The FTC also denied a petition by the company, LabMD Inc., to stay the FTC’s enforcement pending the appeal to the U.S. Court of Appeals for the Eleventh Circuit.  In its petition, LabMD challenged both the FTC’s data security enforcement authority and the adequacy of the FTC’s definitions of what constitutes reasonable security practices and substantial injury.

It is likely both issues will be briefed on appeal, and a ruling by the court on any of these questions may alter the current state of data security enforcement.  Without any specific grant of authority to enforce data security compliance, the FTC has relied on the FTC Act’s general grant of authority to prohibit unfair and deceptive practices.  Furthermore, the FTC has not issued any global standards defining what constitutes reasonable data security practices.  Instead, companies have been urged to discern reasonableness based on consent decrees entered into by the FTC and companies found to have unreasonable data security practices.

Privacy & Cybersecurity Weekly News Update

Posted in Cybersecurity / Data Security, Health IT, Privacy
Danielle RowanFrederik Van RemoortelLisa Weinert

Hamburg DPA orders WhatsApp to stop sharing data with Facebook; GAO: HHS Needs to Improve is Digital Health Protection Rules; Notice and Choice Becoming Par for the Course for Interest-Based-Ads in Apps

German Data Protection Authority of Hamburg orders WhatsApp to stop sharing data with Facebook

On September 27, 2016, the Hamburg Commissioner for Data Protection and Freedom of Information (Hamburg DPA) has issued an order against WhatsApp to immediately stop the companies’ data sharing plans. The order comes shortly after a German consumer group, VZBW, had given WhatsApp an ultimatum until September 21, 2016 to stop sharing user’s mobile phone numbers with Facebook.

According to the Press Release of the Hamburg DPA, it is prohibited to Facebook with immediate effect to collect and store data of German WhatsApp users and Facebook has to delete all relevant data that had already been forwarded. The main accusation of the Hamburg DPA: Facebook has neither obtained effective approval from the WhatsApp users for the sharing of the data, nor does any other legal basis for the receipt of the data exist.

In the course of the acquisition of Whatsapp by Facebook in 2014, both companies had originally assured not to share data or to lower the thresholds in WhatsApp’s strong privacy policy. That the companies now have decided to do otherwise, in the eyes of the authority constitutes “not only a misleading of their users and the public, but also […] an infringement of national data protection law.”

The order of the Hamburg DPA is limited to the data of German WhatsApp users. Nevertheless, it can be expected that other Member States’ data protection authorities might follow the German example, in particular should complaints be raised by individuals.

GAO: HHS Needs to Improve its Digital Health Protection Rules

Following a review of HHS, the US Government Accountability Office (GAO), instructed HHS to improve its security and privacy guidance. Specifically, the GAO admonished HHS for failing to ensure that its regulations are implemented properly and for not properly addressing how covered entities should tailor implementations to NIST standards. The GAO also criticized HHS for the technical assistance that it provided to audited entities, writing that the “assistance was not pertinent to the identified problems.”

Covered entities can expect more clarity, more assistance, and more robust standards as a result of the GAO report. HHS is also likely to incorporate NIST standards into revised regulations. Government agencies have long been subject to NIST standards, and recently government contractors have been expected to adhere to NIST standards as well. Given the recent recommendations, it is likely HHS will follow this trend.

Notice and Choice Becoming Par for the Course for Interest-Based-Ads in Apps

Recent actions by self-regulatory agencies and FTC signal that notice and choice may now be required when app developers allow the collection of information for interest-based-advertisements (IBAs) in mobile applications. The Council of Better Business Bureaus’ Online Interest-Based Advertising Accountability Program issued two decisions finding that mobile app developers must provide “enhanced notice,” in addition to (1) notice in a privacy policy and (2) notice in the applications’ settings, when apps collect information for IBA purposes. Developers should provide this “enhanced notice,” before a user downloads the app (for example in the app store), during download, on first opening the app, or at the time that data is first collected.

The Accountability Program also made clear that developers should craft different forms of notice based on the type of information collected. It explicitly stated that when an app allows third parties to collect precise location data for IBA purposes, the app must specifically disclose the fact that location data will be passed to third parties for IBA purposes. Additionally, the Accountability program will review specific disclosure practices for other types of sensitive data collection such as personal directory data, health data, and data for users under. This summer FTC also brought an enforcement action against a mobile advertising network for allegedly allowing third parties to collect location information by bypassing users’ location settings.

These actions show an increased interest in mobile privacy. Based on this increased scrutiny, developers should (1) examine how and what information their apps collect, (2) whether the app authorizes third parties to collect this information, (3) when and how their apps provide notice to consumers about data collected for IBA, and (4) how the app provides notice to users of the collection of particularly sensitive information – location information, data about children, and personal directory data.

Privacy & Cybersecurity Weekly News Update

Posted in Cybersecurity / Data Security, Privacy
Danielle RowanFrederik Van RemoortelLisa Weinert

NHTSA Issues Voluntary Driverless Car Guidelines; European Privacy Supervisor proposes Digital Clearing House for coherent handling of Big Data cases; Facebook and Power Ventures Battle Over the Scope of the CFAA; Arizona Supreme Court: Police Cannot Search Unlocked, Unattended Phone; German consumer group urges Whatsapp to stop sharing data with Facebook; German DPA issues guidelines on Privacy Shield

NHTSA Issues Voluntary Driverless Car Guidelines

On Tuesday, September 20th, NHTSA issued its long-awaited voluntary automated vehicles policy. The voluntary guidelines include provisions for all levels of autonomous vehicles – from fully automated to semi-automated – and are divided into four parts: (1) Vehicle Performance Guidelines (VPG), (2) Model State Policy, (3) NHTSA’s Current Regulatory Tools, and (4) Modern Regulatory Tools. The first two parts of the guidance contain the bulk of NHTSA’s recommendations.

The VPG address both privacy and cybersecurity, incorporating many recommendations from other privacy and cybersecurity standards. For example, the recommendations explicitly incorporate the White House Consumer Privacy Bill of Rights. Not surprisingly, the recommendations encourage manufacturers to incorporate cybersecurity best practices from across several industries. The VPG also requests that manufacturers voluntarily provide a Safety Assessment Letter to NHTSA, certifying compliance with the VPG. This Letter will likely become a mandatory reporting requirement once manufacturers release autonomous vehicles for use on public roads.

The Model State Policy makes clear that NHTSA hopes for uniform regulation in this area. It explicitly encourages states to allow the Department of Transportation alone to regulate here. However, with an eye towards uniformity, NHTSA has included the Model State Policy. The latter two portions of the guidance highlight that regulation in this area is in its infancy and will evolve over time.

Manufacturers should expect that these guidelines, or a regime that is similar to them, will become mandatory in the near future and plan accordingly. Moreover, especially where cybersecurity is so closely tied to physical safety, as it is with automated vehicles, plaintiffs will be keen to point to these voluntary standards as the “standard of care” in future class actions.

European Privacy Supervisor proposes Digital Clearing House for coherent handling of Big Data cases

The European Data Protection Supervisor (EDPS), Giovanni Buttarelli, has announced in a non-binding opinion of September 23, 2016 that he proposes setting up a ‘Digital Clearing House’ in order to better protect the rights of individuals in Big Data mergers.

According to Buttarelli, the ‘Digital Clearing House’ should be set up as a voluntary network of regulators working together more closely by sharing information and ideas. This should help protect individuals’ rights to privacy, to freedom of expression and non-discrimination by making sure that web-based services providers are more accountable for their conduct.

Buttarelli’s approach is in line with the policy discussions and ongoing investigations of the EU and national competition law authorities, who are already trying to assess privacy issues in competition-law contexts: among others, the German Federal Cartel Office is currently looking into Facebook’s Privacy Policy and Competition Commissioner Vestager is having a second look into the Facebook-Whatsapp merger due to WhatsApp’s data sharing plans.

For data-related businesses, this means both an increased need for awareness of potential privacy and/or consumer law obstacles when preparing the notification of a proposed transaction to the competition authorities, but also with regard to potential antitrust infringements.

Facebook and Power Ventures Battle Over the Scope of the CFAA

Power Ventures, Inc., a media aggregation company, pushed for a rehearing of a 9th Circuit ruling in its dispute with Facebook over the Computer Fraud and Abuse Act (CFAA), a statute that provides for both civil and criminal liability. Power Ventures runs a service that allows users to see all of their social media activity in one place. To execute this service, Power Ventures accessed users’ Facebook accounts in violation of Facebook’s terms of use and a cease and desist letter that the social media giant sent Power Ventures. Power Ventures argues that by holding that this type of behavior violates the CFAA, the 9th Circuit could create criminal and civil liability for a couple that shares an online bank account or academic researchers studying an online platform. Facebook disagrees. It argues that Power Ventures’ conduct is easily distinguishable from these scenarios.

The outcome of this case will further define the notoriously ambiguous CFAA. It also solidifies the 9th Circuit’s status as one of the key interpreters of the law. Further, it will establish how far the 9th Circuit is willing to take its holding in Nosal, a 2012 en banc decision that held that an employee violating the scope of his access could not face criminal liability under the statute. Given the criminal reach of the CFAA, the court may be cautious about interpreting it broadly.

Arizona Supreme Court: Police Cannot Search Unlocked, Unattended Phone

The Arizona Supreme Court in Peoples v. Arizona has ruled that a person has a limited expectation of privacy in his or her mobile phone, even when it is unlocked and not in the same room as the person. Because of this reasonable expectation of privacy, police must secure a search warrant before searching the phone. The reasoning in Peoples closely tracks the reasoning in Riley v. California, where the Supreme Court held that police could not search a mobile phone without a warrant in a search incident to arrest. Generally, courts have taken a harder look at law enforcement’s ability to search mobile devices. The Arizona case here could be part of a wave of court decisions providing expanded Fourth Amendment protection.

German consumer group urges Whatsapp to stop sharing data with Facebook

The German Federation of Consumer Organisations (VZBW) has given WhatsApp a September 21 deadline to sign a cease and desist declaration and to discontinue the company’s plans to share data (more precisely: mobile phone numbers of its users) with Facebook. If Whatsapp doesn’t comply, the organization is planning to look into legal action.

A potential claim of VZBW would be based on a new consumer litigation law, which complements the German Act on Applications for an injunction and gives consumer organizations such as VZBW the right to sue companies for unlawful use of consumer data, and privacy issues related to relationships with consumers. It also allows for legal actions related to consent disputes, unauthorized advertising or market research.

The German Press statement of VZBW can be found here.

Regardless of how the current action of the VZBW continues, it certainly shows that companies with huge customer groups have to be aware of the risk of consumer group claims when planning their privacy law compliance. Such claims are currently possible under i.a. German or Austrian law. This will in particular apply once the new European General Data Protection Regulation will apply, which will grant increased rights to individuals.

German DPA issues guidelines on Privacy Shield

The German Data Protection Authority of North Rhine Westphalia (LDI) has issued a guidance paper (German only) which outlines and explains what companies and/or affiliates established in the German state have to take into account when transferring Data to a ‘Privacy Shield’-certified U.S. company.

The paper first stresses that apart from the legitimization of the transfer as such, the transfer, which constitutes a processing action, also has to be legitimized under Article 4 of the German Data Protection Act. Additionally, according to the LDI, the exporter has additional due diligence obligations related to the Privacy Shield. These obligations involve an “assessment of whether the data importer is duly certified and whether it actually complies with its obligations”. In addition, companies are also recommended to ask for “proof, that the US-company is fulfilling its information duties towards the data subjects” [translations by author].

Strictly speaking this means that, in the view of the LDI, German businesses cannot just enter into data processing agreement with Privacy Shield certified companies, but that they have to carry out additional due diligence efforts. Apart from that, the LDI has made clear that it reserves the right to suspend data transfers based on Privacy Shield if the annual reviews raise doubts as to the compliance of Privacy Shield with European Fundamental Rights.

It remains to be seen how other German state DPAs will see these issues. However, the paper of the LDI yet seems to confirm former consistent assessments and interpretations of all German DPAs raised in the course of the Safe Harbor debates, so it might be expected that other German DPAs will issue similar papers.

Privacy & Cybersecurity Weekly News Update

Posted in Cybersecurity / Data Security, Data Breach, Government Agencies, Privacy
Danielle RowanFrederik Van RemoortelLisa Weinert

Privacy law meets antitrust – EU Commissioner Vestager on data in competition law; ECJ to rule on admissibility of Privacy class actions; Northern District of California Sends Yelp Privacy Suit to the Jury; EU Advocate General finds EU-Canadian PNR pact unlawful; New York Unveils New Cyber Security Rules for Financial Services Organizations; New Jersey Senate Passes Shopping Privacy Bill; NIST Issues Mobile Threat Guidance

Privacy law meets antitrust – EU Commissioner Vestager on when privacy issues can lead to antitrust concerns

European Competition Commissioner Margarethe Vestager has commented on the relevance of privacy issues with regard to EU antitrust rules. According to Vestager, current investigations of the German Federal Cartel Office regarding Facebook’s “privacy issues” would “not necessarily” lead to competition law concerns, even though both fields of law might correlate under certain circumstances.

In the investigations at issue, the German Federal Cartel Office is alleging Facebook of abusing an alleged ‘dominant position’ in the market for social networks by imposing unfair conditions regarding the privacy settings for Facebook accounts on its users. The German antitrust regulator is arguing that users would have “no choice” whether to accept the conditions or to terminate their account, because there is no real alternative to the well-known social network. Under Article 102 of the Treaty on the Functioning of the European Union (‘TFEU’), “dominant companies are subject to special obligations. These include the use of adequate terms of service as far as these are relevant to the market.”

It still remains to be seen whether Facebook will ultimately be found in breach of EU antitrust rules relating to its Privacy Policy. On a more general matter, however, the Commissioner’s statements seem to confirm that indeed, companies controlling vast amounts of data may be considered able to prevent market entry by withholding this data from potential competitors who could not reproduce comparable datasets themselves and therefore might violate Article 102 TFEU. Companies that might fall in this category should therefore be prepared that not only privacy regulators, but also antitrust authorities might potentially be questioning them regarding their use of data in the future. Nevertheless, “simply holding a lot of data” would not be enough to raise antitrust suspicions, Vestager appeased.

Continue Reading