‘Privacy Shield’ certifications possible since August 1, 2016; Hamburg DPA aims to challenge ‘Privacy Shield’; EU Court rules on applicability of EU privacy laws to online companies; Pokémon Go violating EU Privacy Laws?; Norwegian DPA criticizes ‘Facebook at Work’; Advocate Health to Pay Largest HIPAA Settlement Ever; FTC Overrules LabMD Dismissal; Banner Health Cyberattack Affects 3.7M; HHS Announces Grant for Healthcare Sector Information Sharing Organization

Privacy Shield’ certifications possible since August 1, 2016

On Monday, August 1, 2016, the U.S. Department of Commerce has opened up the registration process for multinationals so that they can self-certify their compliance with the newly adopted ‘EU-U.S. Privacy Shield’ (‘Privacy Shield’) for transfers of personal data from Europe to the U.S.

The ‘Privacy Shield’, which had been formally approved via the European Commission’s adequacy decision on July 12, 2016, is replacing the formerly invalidated ‘U.S.-EU Safe Harbor’ Framework that had been struck down before the European Court of Justice in October 2015. The national Data Protection Authorities (‘DPAs’), in their function as Article 29 Working Party (‘WP29’), had also okayed the new Framework, by stating that they would not seek to challenge it “at least until the next annual review”.

Companies, who decide to sign up with the new framework as from now, may therefore rely on it at least until next May. For more details, see also our Client Alert on Privacy Shield as well as our previous week’s blog post.Continue Reading Privacy & Cybersecurity Weekly News Update – Week of July 31

Russians Hack Clinton Campaign System; FTC: LabMD Liable in Data Security Suit; EU Member States issue statement on Privacy Shield; NIS Directive published – Implementation into national law by May 2018; EU Data Protection Supervisor: e-Privacy directive should meet GDPR-requirements.

Clinton Campaign Data Breach brings data security into 2016 campaign yet again

On July 29, an F.B.I. official told the New York Times that computer systems used by the Clinton presidential campaign were hacked in the latest in a string of cybersecurity attacks targeting political entities. The Times noted the attacks appeared to have been carried out by the Russian intelligence services.  These revelations follow news of similar attacks carried out earlier in the summer, including a Russian government hack of the Democratic National Committee’s computer network. Investigations into both attacks are ongoing.

FTC Reasserts Data Security Enforcement Powers in suit against LabMD

Late last week, the FTC issued its long-awaited final order in its investigation of LabMD’s alleged unfair data security practices. FTC filed charges against LabMD, a clinical laboratory used by physicians, for allegedly failing to protect sensitive personal information for over 750,000 patients.  An ALJ had earlier dismissed FTC’s charges, holding that LabMD’s data security practices failed to cause substantial consumer injury. The Commission unanimously reversed that decision.

FTC claimed that LabMD “lack[ed] even basic precautions to protect . . . sensitive consumer information maintained on its computer system. Among other things, it failed to use an intrusion detection system or file integrity monitoring; neglected to monitor traffic coming across its firewalls; provided essentially no data security training to its employees; and never deleted any of the consumer data it had collected.” Firms collecting personal information should note that future FTC enforcement is likely to note the absence of any of these systems as evidence of sub-par data security practices.

This suit follows the FTC’s 2014 victory in the Wyndham case, which validated the FTC’s authority to regulate data security.  For more information on the Wyndham decision, see the Crowell Data Law blog post on the subject.Continue Reading Privacy & Cybersecurity Weekly News Update – Week of July 24

Article 31 Committee approves Privacy Shield; House Cuts FCC Funding Over Attempted Broadband Privacy Regulations; No Charges for Clinton in Data Security Probe; European Commission launches public-privacy partnership on cybersecurity; European Parliament adopts NIS Directive; Privacy Code of Conduct for mHealth app providers finalized; French parliament about to make French Privacy act more severe; Russia introduces new data retention obligations.

Article 31 Committee approves Privacy Shield

On July 8, 2016, the Article 31 Committee has finally given its support for the adoption of the “EU-U.S. Privacy Shield”, the new framework for cross-Atlantic data transfers.

For more details, please see our latest client alert here.

House Defunds FCC’s Data Privacy Efforts for Broadband Providers

On July 7, the House of Representatives voted to cut off funding for the FCC’s proposed privacy regulations of broadband service providers. The measure, attached as an amendment to the 2017 Financial Services and General Government Appropriations Bill, cut the FCC’s funding by more than 17%. Calling the FCC’s proposed rules “extreme,” Rep. Marsha Blackburn (R-TN), the amendment’s author, claimed the measure was necessary to reassert the Federal Trade Commission’s status as the go-to federal data privacy regulator. The FCC, Rep. Blackburn asserted, “simply doesn’t have the requisite technical expertise to regulate privacy.”

The proposed regulations, which the FCC announced in March 2016, would require ISPs to disclose how data regarding customers’ online activities could be collected and recorded. These proposed rules represented the FCC’s first major attempt to regulate broadband providers in the aftermath of the agency’s February 2015 decision to treat broadband as a public utility. Several broadband providers had expressed public reservations about the FCC’s proposed rulemaking and actively lobbied legislators to act. The bill, which passed in a 239-185 vote, next heads to the Senate for consideration.Continue Reading Privacy & Cybersecurity Weekly News Update- Week of July 3

Adoption of Privacy Shield expected in early July; Federal Court limits VPPA liability; Belgian Court overturns Facebook fine; FTC robocall crackdown; A rare HIPAA criminal conviction; UK’s ICO fines Brexit campaigners for mass text messages; House report calls for national encryption commission.

European Commission expects adoption of Privacy Shield for beginning of July

European officials are hoping to finally formalize the “EU-U.S. Privacy Shield”, the cross-Atlantic data transfer pact aiming at replacing the formerly invalidated “U.S.-EU Safe Harbor” Framework, on July 5. The initial draft agreement has been amended to include new explanations of U.S. governmental entities and further limitations on the bulk collection of data and mass surveillance. The European Commission is now confident that also the Article 31 Committee will give its approval to the draft framework.

Many European Privacy regulators and EU bodies, such as the European Parliament and the European Data Protection Supervisor, had argued that the initial draft did not sufficiently protect the fundamental rights of European data subjects. The revised version now “only” allows bulk collection “exceptionally”, where targeted collection is “not feasible”, although it remains open how ‘feasibility’ should be determined.Continue Reading Privacy & Cybersecurity Weekly News Update- Week of June 26

On May 26, 2016, in the case of P.F. Chang’s v. Federal Insurance Co., the U.S. District Court for the District of Arizona held that a stand-alone cyber insurance policy did not cover fees assessed by a third party credit card processing company against P.F. Chang’s following a June 2014 data breach.  This decision is notable because it is one of the first involving the scope of coverage under a stand-alone cyber insurance policy.  Furthermore, since hiring a credit card processing company is a common practice among restaurants and retailers, if and when a data breach occurs, policyholders that use these third party companies may encounter similar fees.

At the core of this dispute was P.F. Chang’s decision to hire a third-party company to process credit card payments instead of dealing directly with credit card associations.  After the 2014 data breach, in which computer hackers obtained and posed to the Internet about 60,000 credit card numbers belonging to P.F. Chang’s customers, the credit card associations imposed fees on the third-party processing company, Bank of America Merchant Services (“BAMS”).  BAMS then passed these fees on to P.F. Chang’s pursuant to the service contract.

Federal Insurance Company (“Federal Insurance”) had sold a CyberSecurity by Chubb Policy (the “Cyber Policy”) to P.F. Chang’s corporate parent, Wok Holdco LLC, which was in effect from January 1, 2014 to January 1, 2015.  After learning of the data breach, P.F. Chang’s tendered its claim to Federal Insurance.  Federal Insurance reimbursed P.F. Chang’s for over $1.7 million in costs incurred as a result of the data breach, including a forensic investigation and a third-party lawsuit.  However, Federal Insurance refused to reimburse P.F. Chang’s for fees assessed by BAMS in connection with the data breach, and P.F. Chang’s filed suit.Continue Reading Arizona District Court Determines Scope of Coverage Provided by Cyberinsurance Policy

Brexit effect on EU and UK Privacy rules; EU and U.S. to strengthen ‘Privacy Shield’; Ponemon Study on Healthcare Data Security; Mobile ad provider fined for deceptive conduct FTC comments on the Internet of Things

Brexit – what does it mean for EU and UK Privacy rules?

On June 23, 2016, the population of Great Britain in a historical referendum voted to leave the European Union with a majority of 52% vs 48%.  Although this decision does not have immediate impact on the membership of the United Kingdom in the EU (the UK is still a Member of the European Union and will remain so until at least 2018, see also FAQ on the further procedure by the European Commission), waves of discussion are rising high, among others about the future of UK Privacy laws and the implementation of the General Data Protection Regulation (GDPR).

In a statement of June 24, 2016, the UK’s Data Protection Authority (ICO) has stressed that “the Data Protection Act remains the law of the land irrespective of the referendum.” This means that on the short term, in principle nothing will change. This also applies with regard to the ongoing EU reform, as a result of which the GDPR will enter into force on May 25, 2018, and thus in any event before the earliest possible day for a definite exit of the UK out of the European Union.  It will therefore – at least for a short period of time – also apply to UK businesses.

What will certainly have an impact, however, is the moment in which the UK factually leaves the European Union. Although the ICO has stressed that it aims to stay as close to European Privacy laws as possible also post-Brexit, this situation would have an immediate impact on businesses sending data to the UK.  As soon as the UK would be no longer part of the European Union, due to the absence of an ‘Adequacy Decision’ of the European Commission relating to the UK, companies would have to put in place other transfer mechanisms such as Standard Contractual Clauses or Binding Corporate Rules, in order to lawfully continue to transfer personal data from European countries to the UK as soon as the exit is completed. This could only be avoided if the UK would guarantee an adequate level of Data Protection standards, which would have to be acknowledged by the European Commission.

The ICO has made its position clear: “Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the UK law remains necessary.” Continue Reading Privacy & Cybersecurity Weekly News Update- Week of June 20, 2016

A victory for net neutrality; U.S. may join Irish Facebook Data-Transfer case; EU-U.S. Privacy Shield by early July?; French Data Protection Authority opens GDPR consultation; FTC addresses proposed TCPA changes; DOJ and DHS cybersecurity sharing guidelines.

Federal appellate court upholds net neutrality

The U.S. Court of Appeals for the D.C. Circuit upheld “net neutrality” rules that require all broadband providers to treat internet traffic the same regardless of source.  Last year, the Federal Communications Commission (“FCC”) issued its net neutrality decision, which reclassified broadband service as common carriers under the Communications Act and thus brought Internet service within the FCC’s power to regulate common carriers under Title II of the Communications Act.  The FCC then issued rules banning providers from blocking, throttling, or otherwise degrading internet traffic lawful content, and also from engaging in paid prioritization of traffic.

A number of Internet service providers and other groups challenged the FCC’s authority to reclassify broadband service and promulgate such regulations. They also challenged the legality of the net neutrality rules.  In a 115-page opinion, the D.C. Circuit rejected each challenge and, in doing so, affirmed the FCC’s power to regulate broadband service under Title II of the Communications Act.  The court also rejected the argument that net neutrality impacts service providers’ First Amendment rights, explaining that a service provider “does not . . . ‘speak’ when providing neutral access to Internet content as common usage.”

The petitioners are expected to appeal the ruling to the Supreme Court. Unless the Court reverses this ruling, the FCC retains broad power to regulate Internet service providers as common carriers, and may use that power to continue implementing and enforcing regulations concerning open access to content as well as consumer privacy.Continue Reading Privacy & Cybersecurity Weekly News Update- Week of June 13

$1M Fine for Morgan Stanley Data Breach; German DPA Issues Data Transfer Fines; FTC Critiques FCC Privacy Proposal; New Contractor Cybersecurity Rules; Drone Operations Best Practices

Morgan Stanley fined $1M for alleged failure to secure client data

The U.S. Securities and Exchange Commission (“SEC”) and Morgan Stanley Smith Barney LLC (“Morgan Stanley”) reached a settlement of $1 million for alleged cybersecurity failures that led to exposure of client information.  The SEC alleged that Morgan Stanley violated the Safeguards Rule, a federal regulation concerning customer data protection, by failing to implement written policies and procedures protecting confidential information.  These failures, combined with the failure to monitor employee access to data, ultimately led to a Morgan Stanley employee unlawfully downloading and selling confidential information of more than 730,000 clients between 2011 and 2014.

This may be a telling sign for the future of SEC involvement in data breaches. The SEC’s announcement reflects its expectation that “SEC registrants of all sizes [will] have policies and procedures that are reasonably designed to protect customer information.”  Presumably, failures to implement such policies may invite aggressive SEC scrutiny and investigation.  Companies within the SEC’s jurisdiction should ensure that their procedures comply with federal regulations.  If not, future data breaches may give rise to enforcement and fines by the SEC, in addition to other agency enforcement as well as civil damages available to affected parties under state or federal data breach laws.

German Data Protection Authority fines three companies for U.S. data transfers

The threat of enforcement action based on the invalidation of the former “U.S.-EU Safe Harbor Framework” for data transfers from Europe to the U.S. for a long time was a rather theoretical concern. The German Data Protection Authority (“DPA”) of Hamburg has now made this concern viral, announcing that it has fined three companies for continued transfers of personal data from Europe to the U.S. without additional safeguards.

Although the fines are comparatively low (€ 8,000 – € 11,000), this is definitely the last wake-up call for companies, who have not yet implemented additional safeguards for their EU-U.S. data transfers – the Hamburg DPA is continuing to investigate and has already announced that the next fines it will impose on companies can be expected to be higher. For more on this development, see our recent client alert.Continue Reading Privacy & Cybersecurity Weekly News Update- Week of June 6

EU-U.S. Agreement on Law Enforcement Data; European Data Protection Supervisor Criticizes Privacy Shield; House Members Criticize FCC Privacy Proposal; NHTSA Targets Automotive Cybersecurity; Yahoo Releases National Security Letters; CareFirst Data Breach Lawsuit Dismissed; FDA Guidance on Data Protection in Investigations

EU and U.S. sign Umbrella Agreement on Law Enforcement Data

On June 2, 2016, Vera Jourová, European Commissioner for Justice and Consumer Protection, Dutch minister Ard van der Steur and U.S. Attorney General Loretta E. Lynch signed the “Umbrella Agreement”, a deal between the U.S. and the EU “on the protection of personal information relating to the prevention, investigation, detection and prosecution of criminal offenses”. The agreement aims at enhancing the cooperation of the EU and the U.S. in criminal enforcement (including terrorism), while at the same time protecting personal data of European citizens, when transferred from the EU to the U.S. for criminal investigations.

The text of the agreement, which was negotiated over a long period due in part to a Court of Justice of the EU (ECJ) finding that European citizens lacked adequate rights of redress, includes provisions on purpose limitation, information security, data retention, rights of data subjects, breach notifications and onward transfers. A “fact sheet”-FAQ is available on the Commission’s website. Before the agreement can be finally concluded, the European Parliament will still need to give its consent.

European Data Protection Supervisor criticizes “EU-U.S. Privacy Shield”

On May 30, the European Data Protection Supervisor (EDPS), Giovanni Buttarelli, issued an opinion on the draft “EU-U.S. Privacy Shield (“Privacy Shield”), which is in line with the criticism previously raised by the Article 29 Working Party and the European Parliament.Continue Reading Privacy & Cybersecurity Weekly News Update- Week of May 30, 2016

Data Breach Liability Requires Actual Misuse; More U.S.-EU Data Transfer Uncertainty; Airline App Exempt from State Privacy Law; Pending Cyber Bill Would Create Consortium; Encryption-Related Deceptive Advertising Settlement; PayPal Fined for Deceptive Trade Practices

The Spokeo effect: data breach claims require actual examples of information misuse

Last week, a federal court dismissed claims alleging harm from a hospital data breach, on the grounds that the plaintiff failed to allege more than the mere threat of injury.  In Khan v. Children’s National Health System, No. 8:15-cv-2125 (D. Md.), the plaintiff alleged that phishing attacks compromised hospital employees’ email accounts containing patient information, including social security numbers, addresses, dates of birth, and other private healthcare information.  The court held that the plaintiff lacked standing and could not proceed in federal court because the plaintiff failed to allege either specific instances of misuse from the particular breach at issue or “a clear indication that the data breach was for the purpose of using the plaintiffs’ personal data to engage in identity fraud.”

The court’s reasoning also demonstrates the favorable impact that this month’s Supreme Court decision in Spokeo v. Robbins may have for defendants in data breach actions.  The Khan opinion explained that mere violation of a statute does not necessarily create the “concrete harm,” such as actual misuse of information, required by Spokeo.  Although it remains to be seen what the Ninth Circuit does with Spokeo on remand and how Spokeo will impact future cases, it seems likely that federal courts will continue to be inclined to disfavor claims where the harm alleged is the “diminished value” of personal information, a general loss of privacy, or simply a technical statutory violation.Continue Reading Privacy & Cybersecurity Weekly News Update- Week of May 23, 2016