Russians Hack Clinton Campaign System; FTC: LabMD Liable in Data Security Suit; EU Member States issue statement on Privacy Shield; NIS Directive published – Implementation into national law by May 2018; EU Data Protection Supervisor: e-Privacy directive should meet GDPR-requirements.
Clinton Campaign Data Breach brings data security into 2016 campaign yet again
On July 29, an F.B.I. official told the New York Times that computer systems used by the Clinton presidential campaign were hacked in the latest in a string of cybersecurity attacks targeting political entities. The Times noted the attacks appeared to have been carried out by the Russian intelligence services. These revelations follow news of similar attacks carried out earlier in the summer, including a Russian government hack of the Democratic National Committee’s computer network. Investigations into both attacks are ongoing.
FTC Reasserts Data Security Enforcement Powers in suit against LabMD
Late last week, the FTC issued its long-awaited final order in its investigation of LabMD’s alleged unfair data security practices. FTC filed charges against LabMD, a clinical laboratory used by physicians, for allegedly failing to protect sensitive personal information for over 750,000 patients. An ALJ had earlier dismissed FTC’s charges, holding that LabMD’s data security practices failed to cause substantial consumer injury. The Commission unanimously reversed that decision.
FTC claimed that LabMD “lack[ed] even basic precautions to protect . . . sensitive consumer information maintained on its computer system. Among other things, it failed to use an intrusion detection system or file integrity monitoring; neglected to monitor traffic coming across its firewalls; provided essentially no data security training to its employees; and never deleted any of the consumer data it had collected.” Firms collecting personal information should note that future FTC enforcement is likely to note the absence of any of these systems as evidence of sub-par data security practices.
This suit follows the FTC’s 2014 victory in the Wyndham case, which validated the FTC’s authority to regulate data security. For more information on the Wyndham decision, see the Crowell Data Law blog post on the subject.
EU Member States appear to condone EU-U.S. Privacy Shield until first annual review
Following the adoption of the European Commission’s adequacy decision acknowledging the new EU-U.S. Privacy Shield (“Privacy Shield”) on July 12, 2016, the Article 29 Working Party (“WP29”), an advisory body comprising representatives of the EU Member States, has issued a statement which seems to indicate that European Data Protection Authorities (“DPAs”) will not immediately challenge the new framework for EU-U.S. data transfers.
Referring to the WP29’s opinion on the initial draft of the Privacy Shield, the statement makes clear that a number of concerns remain, despite several improvements introduced by the Commission and the U.S. authorities on the basis of that criticism. In particular, the WP29 still criticizes the lack of specific rules on the rights of data subjects, the application of the Privacy Shield to processors as well as strict rules for the Ombudsperson mechanism. Concerns remain as well with regard to bulk collection and mass surveillance, even though WP29 acknowledges the additional commitments given by the U.S.
Nevertheless, the statement also indicates that WP29 apparently intends to wait for the first annual review under the Framework in order to raise these remaining issues. While many sources interpret this as a “preliminary approval” or an assurance that the Member States’ DPAs will not challenge the new Framework within its first year, at a closer look this rather seems to be a logic approach as regards timing: a formal challenge to the Framework would require a lot of additional time and efforts (a decision of the European Court, which could to date only be initiated by a complaint of an individual, would take at least 1-2 years), whereas influencing the review under the Framework itself would already be possible in May 2017.
Whilst companies may therefore quite certainly be able to rely on the new Framework for at least one year, it still remains uncertain if and for how long it may ultimately last. Also, it remains to be seen how individual DPAs will react when they are confronted with individual complaints about the Privacy Shield.
European “NIS Directive” published – Implementation by Member States due in May 2018
On May 19, 2018, the Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union, better known as “NIS Directive”, has been published in the Official Journal of the European Union. Member States now have until May 9, 2018 to transpose the Directive into national law.
The “NIS Directive” establishes the first Union-wide comprehensive cybersecurity legislation. It aims to provide a high level of security for “critical infrastructures”, requiring operators of “essential” and “digital” services to implement appropriate security measures and to report incidents to the national authorities. This covers industries such as energy, transport, banking, finance, health, water and digital services, although it remains up to the Member States to provide for an ultimate definition.
Being a Directive, the new law still needs to be transposed into national law by the EU Member States. This obviously leaves some discretion to the Member States in how to design the respective provisions. While some countries, such as France or Germany, already pursue some “Cyber laws” such as i.a. the German IT Security Act, other Member States will have to implement entirely new legislation.
EU Data Protection Supervisor recommends aligning revision of e-Privacy Directive with GDPR-requirements
In an opinion of July 25, 2016, the European Data Protection Supervisor Giovanni Buttarelli has recommended that a revision of the European Union’s Directive No. 2002/58/EC on privacy and electronic communications, also known as “e-Privacy Directive” or “cookies directive”, should take into account the requirements under the new General Data Protection Regulation (“GDPR”). The “GDPR” will enter into force on May 25, 2018 whereas a draft for the new Directive is foreseen to be published by the end of 2016.
In its opinion, Buttarrelli inter alia recommended that the revised Directive should contain a widened scope of application, clear rules on the use of cookies and data breach notifications, as well as strong rules for consent. Apart from that, it should also include provisions on voice over internet protocol (VoiP) services, communication applications and the “Internet of Things”.