Less than two weeks after the National Institute of Standards and Technology (NIST) published a draft version of NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information, on November 28, the National Archives and Records Administration (NARA) announced today that the comment period has been extended to January 15, 2018. This gives interested
EU Data Protection Law Reform: Most of the General Data Protection Regulation (GDPR) text agreed in principle; Schrems’ second hit – Austrian citizen files three new complaints with EU Data Protection authorities to suspend data transfers outside the EU by Facebook; EU Privacy Regulators to Evaluate VTech Breach.
EU Data Protection Law Reform: Most of the General Data Protection Regulation (GDPR) text agreed in principle
Jan Philipp Albrecht, the European Parliament’s lead negotiator, stated on November 30 that the European negotiators have agreed “in principle” on most of the text of the new General Data Protection Regulation (GDPR), which they aim to finalize by the end of 2015.
According to documents from the Luxembourg Presidency, which include suggested compromise texts, the main areas still under discussion are the provisions on data breaches, the criteria for the appointment of a Data Protection Officer (“DPO”) and the level of administrative fines.
Target Settles Data Breach Claims with Banks and Insurers
On Thursday, Target agreed to settle claims with a group of financial institutions arising from its 2013 data breach involving customers’ credit card information. Target reportedly will pay $39 million to settle the class-action suit in federal court in Minnesota. This settlement follows a $67 million settlement with Visa in August and a $10 million settlement of a consumer class action in March.
Chinese Government Arrests Suspected OPM Hackers
The Washington Post reported Wednesday that Chinese officials arrested several hackers purportedly connected with the data breach of 22 million OPM personnel records earlier this year. The arrests occurred shortly before President Xi’s September state visit. The Post noted that one U.S. official responded that “[w]e don’t know that [sic] if the arrests the Chinese purported to have made are the guilty parties . . . [t]here is a history [in China] of people being arrested for things they didn’t do . . . .”
OMB Director Donovan Announces New Federal Privacy Council
In a speech Wednesday to the Federal Privacy Summit, Office of Management & Budget (OMB) Director Shaun Donovan announced the establishment of the Federal Privacy Council. The Council will be tasked with interagency coordination, sharing of best practices, and efforts to “professionalize the privacy profession.”
Record Fine: Belgium’s Court orders Facebook to stop Data Protection law violation under forfeiture of a penalty of € 250,000 per day; Big Data: Opinion of The European Data Protection Supervisor; Safe Harbor Topic 1: Hamburg DPA actively preparing enforcement actions; Data Protection vs. Terrorism: Belgium to push for Passenger Records Law following Paris attacks; Safe Harbor Topic 2: EU Chief Jourova confident about ongoing Safe Harbor negotiations; Safe Harbor Topic 3: Norwegian DPA requires authorization of US data transfers.
Penalties and Fines: Belgian Court orders Facebook to stop violations of the Belgian Data Protection Act under forfeiture of a penalty of €250,000 per day
A Belgian court has ordered Facebook to stop violating the Belgian Data Protection Act, subject to a penalty of €250,000 for each day of non-compliance.
Facebook had collected web data on millions of Belgians who are not members of Facebook’s social network but were simply visiting websites. In its judgment of 9 November 2015, the court found that this way of collecting data is a “manifest” violation of Belgian data protection law. According to the court, this applies irrespective of the purposes for which Facebook uses the data after collecting it. Facebook argued that European users of its social network are subject to Irish data protection law (rather than Belgian law). The court disagreed, citing the well-known Google Spain judgment, which held that a Member State’s law applies where the activities of a local establishment are inextricably linked to those of the data controller.
The court ordered Facebook to stop the violations, subject to a penalty of €250,000 per day. The court reasoned that the amount of the penalty must be sufficiently deterrent: it noted that Facebook in 2014 had a turnover of US$12.4 billion and a profit of US$2.9 billion, so that €250,000 per day was considered adequate. Facebook has announced that it will appeal the judgment; the appeal, however, does not suspend enforcement of the judgment.
FCC expands data security enforcement; Sprint settles FCRA claims; $12.5M fine for background screening agencies; Congress considers auto cybersecurity study; No FCC “do not track” rules; Safe harbor alternatives; No SCA liability for inadvertent disclosure
FCC takes first enforcement action related to cable operator’s data security
The Federal Communications Commission fined Cox Communications $595,000 for failing to employ proper security and notification practices in connection with its 2014 data breach. The Communications Act of 1934 requires cable operators to protect subscribers’ personally identifiable information. Cox, the third-largest cable provider in the U.S., suffered a data breach when social engineering and phishing resulted in unauthorized access to Cox’s customer database. Specifically, an attacker posing as a Cox representative convinced a contractor and a tech support representative to enter their access credentials into a fake Cox website. Cox notified the FBI and later sent notice to most of the affected customers, but never reported the breach to the FCC. The FCC’s fine follows an investigation into whether Cox properly protected customers’ proprietary information and provided prompt notice to affected customers and law enforcement authorities. In addition to paying the penalty, Cox must comply with requirements designed to improve its data security practices, notify all affected current and former customers of the breach, and provide those affected with free credit monitoring services. This is the FCC’s third data security enforcement action this year under the Communications Act, and its first against a cable provider.
Companies should review whether their data security procedures account for attacks that use social engineering. Measures may include multi-factor authentication for all employees (so that a phished password alone does not grant access), minimizing the number of employees with access to customers’ personal information, and procedures and sanctions governing third-party compliance with security requirements. Companies should also ensure their notice practices account for all affected individuals and the relevant government agencies.
“Safe Harbor 2.0” Agreement in Principle; Senate Passes Cybersecurity Bill; Target Breach Investigation Documents Privileged; Text Message Alert May Fall Within TCPA
U.S.-EU reach agreement in principle on data sharing rules
Last week, the U.S. and the European Union announced they had reached an agreement in principle concerning transatlantic data transfers. This new deal, which some call “Safe Harbor 2.0”, would address the concerns expressed in the October 6 European Court of Justice (“ECJ”) decision invalidating the original Safe Harbor agreement that had been in effect for fifteen years. The timing of a finalized agreement is uncertain and could come as late as January 2016. U.S. Commerce Secretary Penny Pritzker said that an announcement could come shortly, after the sides make “modest refinements” to an agreement that predated the ECJ decision. However, EU Justice Commissioner Věra Jourová indicated that the sides still need to engage in “intensive technical discussions” on a number of issues before finalizing the new agreement. The key unresolved issues are the provision of safeguards in the U.S. equivalent to those in Europe; an effective oversight and enforcement mechanism for privacy violations; and appropriate limitations on data access for law enforcement and national security purposes. Until a final agreement is announced, companies transferring data between the U.S. and the EU should continue to examine their policies and procedures to ensure compliance with the stated positions of the governing authorities. For more on what may constitute an appropriate transfer, see our recent client alerts on the positions of the EU authorities, the Swiss and Israeli authorities, and the German authorities.
Safe Harbor Fallout; Germany Rejects Safe Harbor Alternatives; Judicial Redress Act Passes House; Device IDs Not Personally Identifiable; Sony Settles Data Breach Suit
Safe Harbor repercussions in Switzerland, Israel
In light of the recent European Court of Justice (“ECJ”) Safe Harbor decision, the Swiss Federal Data Protection and Information Commissioner has declared the Swiss-U.S. Safe Harbor framework “no longer sufficient” for governing data transfers between the two countries. Unless and until the countries agree on a new framework, companies transferring data should rely on “contractual guarantees” as defined by the Swiss Data Protection Act. Similarly, the Israeli Law, Information and Technology Authority revoked authorization for data transfers to the U.S. that rely on the now-invalid Safe Harbor agreement. Companies seeking to transfer data from Israel to the U.S. must review and assess whether they may do so under other mechanisms. For more on both of these developments, see our recent client alert.
Germany rejects Safe Harbor alternatives
German privacy officials have declared the Safe Harbor alternatives suggested by the European Commission insufficient. German federal and state data protection authorities (“DPAs”) will not approve new transfers pursuant to binding corporate rules, one of the suggested Safe Harbor alternatives. Furthermore, the DPAs intend to use their audit powers to scrutinize contractual clauses governing transfers to the U.S. for compliance with the ECJ decision. The DPAs also call into doubt the validity of transfers based on consent: consensual transfers of personal data should not occur repeatedly or “routinely,” and consensual transfer of employee data may occur “only in exceptional cases.” The DPA of one German state had previously advised companies to cancel contracts that use the standard model clauses to govern data transfers. The German approach is a significant departure from statements by the European Commission and other European authorities, such as Switzerland’s, that encourage the use of one or both of these alternative transfer mechanisms. Companies transferring data from Germany to the U.S. should exercise great care in reviewing their transfer rules and practices and ensuring compliance with the rules and principles announced by the European Commission and the ECJ. For more on this development, see our client alert on the position of the German DPAs.
Deadline for New Data Sharing Framework; Congress Considers Automobile Cybersecurity; No VPPA Violation for Free Apps; TCPA Standing Expands
January 2016 Deadline for New Approach to Transatlantic Data Transfers
European data protection agencies (DPAs) and members of the European Commission, operating collectively as “the Article 29 Working Party,” set a January 31, 2016 deadline for U.S. and European Union authorities to create a new foundation for EU-U.S. data transfers to replace the Safe Harbor pact that was struck down because of concerns over the extent of U.S. government access to personal information. If the January deadline passes with no agreement, the Article 29 Working Party made clear its commitment to further action, including “coordinated enforcement,” to ensure compliance with EU rules. Meanwhile, each DPA has independent authority to examine EU-U.S. data transfers. Until final resolution, which may include a “Safe Harbor 2.0”, the best methods for transferring data between the U.S. and EU are EU-approved contract clauses or, for those fortunate enough to already have them in place, binding corporate rules. These mechanisms were not directly affected by last week’s Safe Harbor decision, but they remain vulnerable to the same EU concerns about U.S. government surveillance. Companies should review their data transfer practices from a risk management perspective to determine whether implementing model contract clauses or other measures to replace their Safe Harbor certifications are an appropriate interim response to the uncertainty surrounding EU-U.S. data transfers. For more on the Article 29 Working Party’s statement, see our recent client alert.
15M T-Mobile Customers Exposed in Hack; Trump Hotels Hit With Data Breach; Privilege Covering Target Docs Challenged; HHS: OCR Should Strengthen HIPAA Oversight; 17.6M U.S. Victims of Identity Theft in 2014
15M T-Mobile Customers Exposed in Experian Breach
Experian has reportedly suffered a major data breach, potentially exposing anyone who applied for a regular T-Mobile USA postpaid plan between September 1, 2013 and September 16, 2015. T-Mobile had used Experian to conduct credit checks on its customers. Experian reports that hackers accessed a server and took data including T-Mobile customer names, addresses, Social Security numbers, dates of birth and other highly sensitive information. Experian has stated that this was an isolated incident, but 15 million T-Mobile customers are affected. Experian is offering those customers two years of free credit monitoring and identity protection. However, the compromised customer data is reportedly already being offered for sale on the dark web.
Trump Hotels Hit With Data Breach
Hackers reportedly may have had access to credit card information in Trump Hotels’ payment system for nearly a year as a result of malware. An advisory issued by Trump Hotels lists seven properties affected by the incident. The hotel chain currently reports that, while there may have been an opportunity to access customer data, its forensic investigation has not yet established that any data was actually compromised. It is nonetheless offering one year of complimentary fraud resolution and identity protection services to affected customers.
5.6 Million Fingerprints Stolen in OPM Hack; US and China Agree to Economic Cyber Pact; SEC Charges Firm for Failing to Protect Against Hack; EU Court Advisor Says Safe Harbor Agreement Invalid; SEC Commissioner: Smaller Companies More Targeted for Hacks; NIST Awards 3 Cybersecurity Grants
OPM Cyberattack Update: 5.6 Million Fingerprints Stolen
The Office of Personnel Management (OPM) initially estimated that 1.1 million individuals’ fingerprints were stolen in the hacks first reported in June. That estimate has now grown to 5.6 million individuals. While the breach affected 21.5 million individuals in total, biometric data such as fingerprints are reportedly of particular concern to experts because, unlike a password or card number, they cannot be changed, and the ways in which stolen fingerprints may be misused as technology advances remain uncertain.
US and China Agree to Deal Against Cyber Economic Espionage
The U.S. and China reportedly reached agreement on a pact that neither country will conduct economic espionage in cyberspace. The reported agreement also calls for a process to ensure compliance on an issue that has been a major source of tension between the countries. The U.S. has previously accused China of stealing billions of dollars’ worth of intellectual property and trade secrets from American companies, used for the benefit of Chinese firms. China has long denied such claims. The agreement did not address other cyber matters, such as traditional espionage.