Brexit effect on EU and UK Privacy rules; EU and U.S. to strengthen ‘Privacy Shield’; Ponemon Study on Healthcare Data Security; Mobile ad provider fined for deceptive conduct FTC comments on the Internet of Things

Brexit – what does it mean for EU and UK Privacy rules?

On June 23, 2016, the population of Great Britain in a historical referendum voted to leave the European Union with a majority of 52% vs 48%.  Although this decision does not have immediate impact on the membership of the United Kingdom in the EU (the UK is still a Member of the European Union and will remain so until at least 2018, see also FAQ on the further procedure by the European Commission), waves of discussion are rising high, among others about the future of UK Privacy laws and the implementation of the General Data Protection Regulation (GDPR).

In a statement of June 24, 2016, the UK’s Data Protection Authority (ICO) has stressed that “the Data Protection Act remains the law of the land irrespective of the referendum.” This means that on the short term, in principle nothing will change. This also applies with regard to the ongoing EU reform, as a result of which the GDPR will enter into force on May 25, 2018, and thus in any event before the earliest possible day for a definite exit of the UK out of the European Union.  It will therefore – at least for a short period of time – also apply to UK businesses.

What will certainly have an impact, however, is the moment in which the UK factually leaves the European Union. Although the ICO has stressed that it aims to stay as close to European Privacy laws as possible also post-Brexit, this situation would have an immediate impact on businesses sending data to the UK.  As soon as the UK would be no longer part of the European Union, due to the absence of an ‘Adequacy Decision’ of the European Commission relating to the UK, companies would have to put in place other transfer mechanisms such as Standard Contractual Clauses or Binding Corporate Rules, in order to lawfully continue to transfer personal data from European countries to the UK as soon as the exit is completed. This could only be avoided if the UK would guarantee an adequate level of Data Protection standards, which would have to be acknowledged by the European Commission.

The ICO has made its position clear: “Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the UK law remains necessary.” Continue Reading Privacy & Cybersecurity Weekly News Update- Week of June 20, 2016

A victory for net neutrality; U.S. may join Irish Facebook Data-Transfer case; EU-U.S. Privacy Shield by early July?; French Data Protection Authority opens GDPR consultation; FTC addresses proposed TCPA changes; DOJ and DHS cybersecurity sharing guidelines.

Federal appellate court upholds net neutrality

The U.S. Court of Appeals for the D.C. Circuit upheld “net neutrality” rules that require all broadband providers to treat internet traffic the same regardless of source.  Last year, the Federal Communications Commission (“FCC”) issued its net neutrality decision, which reclassified broadband service as common carriers under the Communications Act and thus brought Internet service within the FCC’s power to regulate common carriers under Title II of the Communications Act.  The FCC then issued rules banning providers from blocking, throttling, or otherwise degrading internet traffic lawful content, and also from engaging in paid prioritization of traffic.

A number of Internet service providers and other groups challenged the FCC’s authority to reclassify broadband service and promulgate such regulations. They also challenged the legality of the net neutrality rules.  In a 115-page opinion, the D.C. Circuit rejected each challenge and, in doing so, affirmed the FCC’s power to regulate broadband service under Title II of the Communications Act.  The court also rejected the argument that net neutrality impacts service providers’ First Amendment rights, explaining that a service provider “does not . . . ‘speak’ when providing neutral access to Internet content as common usage.”

The petitioners are expected to appeal the ruling to the Supreme Court. Unless the Court reverses this ruling, the FCC retains broad power to regulate Internet service providers as common carriers, and may use that power to continue implementing and enforcing regulations concerning open access to content as well as consumer privacy.Continue Reading Privacy & Cybersecurity Weekly News Update- Week of June 13

$1M Fine for Morgan Stanley Data Breach; German DPA Issues Data Transfer Fines; FTC Critiques FCC Privacy Proposal; New Contractor Cybersecurity Rules; Drone Operations Best Practices

Morgan Stanley fined $1M for alleged failure to secure client data

The U.S. Securities and Exchange Commission (“SEC”) and Morgan Stanley Smith Barney LLC (“Morgan Stanley”) reached a settlement of $1 million for alleged cybersecurity failures that led to exposure of client information.  The SEC alleged that Morgan Stanley violated the Safeguards Rule, a federal regulation concerning customer data protection, by failing to implement written policies and procedures protecting confidential information.  These failures, combined with the failure to monitor employee access to data, ultimately led to a Morgan Stanley employee unlawfully downloading and selling confidential information of more than 730,000 clients between 2011 and 2014.

This may be a telling sign for the future of SEC involvement in data breaches. The SEC’s announcement reflects its expectation that “SEC registrants of all sizes [will] have policies and procedures that are reasonably designed to protect customer information.”  Presumably, failures to implement such policies may invite aggressive SEC scrutiny and investigation.  Companies within the SEC’s jurisdiction should ensure that their procedures comply with federal regulations.  If not, future data breaches may give rise to enforcement and fines by the SEC, in addition to other agency enforcement as well as civil damages available to affected parties under state or federal data breach laws.

German Data Protection Authority fines three companies for U.S. data transfers

The threat of enforcement action based on the invalidation of the former “U.S.-EU Safe Harbor Framework” for data transfers from Europe to the U.S. for a long time was a rather theoretical concern. The German Data Protection Authority (“DPA”) of Hamburg has now made this concern viral, announcing that it has fined three companies for continued transfers of personal data from Europe to the U.S. without additional safeguards.

Although the fines are comparatively low (€ 8,000 – € 11,000), this is definitely the last wake-up call for companies, who have not yet implemented additional safeguards for their EU-U.S. data transfers – the Hamburg DPA is continuing to investigate and has already announced that the next fines it will impose on companies can be expected to be higher. For more on this development, see our recent client alert.Continue Reading Privacy & Cybersecurity Weekly News Update- Week of June 6

EU-U.S. Agreement on Law Enforcement Data; European Data Protection Supervisor Criticizes Privacy Shield; House Members Criticize FCC Privacy Proposal; NHTSA Targets Automotive Cybersecurity; Yahoo Releases National Security Letters; CareFirst Data Breach Lawsuit Dismissed; FDA Guidance on Data Protection in Investigations

EU and U.S. sign Umbrella Agreement on Law Enforcement Data

On June 2, 2016, Vera Jourová, European Commissioner for Justice and Consumer Protection, Dutch minister Ard van der Steur and U.S. Attorney General Loretta E. Lynch signed the “Umbrella Agreement”, a deal between the U.S. and the EU “on the protection of personal information relating to the prevention, investigation, detection and prosecution of criminal offenses”. The agreement aims at enhancing the cooperation of the EU and the U.S. in criminal enforcement (including terrorism), while at the same time protecting personal data of European citizens, when transferred from the EU to the U.S. for criminal investigations.

The text of the agreement, which was negotiated over a long period due in part to a Court of Justice of the EU (ECJ) finding that European citizens lacked adequate rights of redress, includes provisions on purpose limitation, information security, data retention, rights of data subjects, breach notifications and onward transfers. A “fact sheet”-FAQ is available on the Commission’s website. Before the agreement can be finally concluded, the European Parliament will still need to give its consent.

European Data Protection Supervisor criticizes “EU-U.S. Privacy Shield”

On May 30, the European Data Protection Supervisor (EDPS), Giovanni Buttarelli, issued an opinion on the draft “EU-U.S. Privacy Shield (“Privacy Shield”), which is in line with the criticism previously raised by the Article 29 Working Party and the European Parliament.Continue Reading Privacy & Cybersecurity Weekly News Update- Week of May 30, 2016

Data Breach Liability Requires Actual Misuse; More U.S.-EU Data Transfer Uncertainty; Airline App Exempt from State Privacy Law; Pending Cyber Bill Would Create Consortium; Encryption-Related Deceptive Advertising Settlement; PayPal Fined for Deceptive Trade Practices

The Spokeo effect: data breach claims require actual examples of information misuse

Last week, a federal court dismissed claims alleging harm from a hospital data breach, on the grounds that the plaintiff failed to allege more than the mere threat of injury.  In Khan v. Children’s National Health System, No. 8:15-cv-2125 (D. Md.), the plaintiff alleged that phishing attacks compromised hospital employees’ email accounts containing patient information, including social security numbers, addresses, dates of birth, and other private healthcare information.  The court held that the plaintiff lacked standing and could not proceed in federal court because the plaintiff failed to allege either specific instances of misuse from the particular breach at issue or “a clear indication that the data breach was for the purpose of using the plaintiffs’ personal data to engage in identity fraud.”

The court’s reasoning also demonstrates the favorable impact that this month’s Supreme Court decision in Spokeo v. Robbins may have for defendants in data breach actions.  The Khan opinion explained that mere violation of a statute does not necessarily create the “concrete harm,” such as actual misuse of information, required by Spokeo.  Although it remains to be seen what the Ninth Circuit does with Spokeo on remand and how Spokeo will impact future cases, it seems likely that federal courts will continue to be inclined to disfavor claims where the harm alleged is the “diminished value” of personal information, a general loss of privacy, or simply a technical statutory violation.Continue Reading Privacy & Cybersecurity Weekly News Update- Week of May 23, 2016

The Panama Papers Leak – An overview on histories’ biggest data leak; Article 29 Working Party about to release opinion on EU-U.S. Privacy Shield; EU: GDPR and PCJ DPD about to be approved next week – final consolidated text published by Council; US: New HIPAA Audit Protocol Released as a Guidance Tool for phase two of Compliance Audits; U.S. Sneak News: Defend Trade Secrets Act, NPRM and Sony Settlement Approval. EU: GDPR, PCJ DPD and PNR Directive adoped by Parliament; U.S.: House Judiciary Committee approves E-Mail Privacy Act; Senate to require airlines to report cyberattacks; FTC issues online tool identifying applicable law for health apps; Global: Turkey releases first comprehensive Data Protection law; Connected cars found vulnerable for cyberattacks; Data Breaches May Waive Attorney-Client Privilege?; Encryption Continues to Dominate Privacy Headlines; Hospital Settles with HHS for $ 2.2 Million in HIPAA Action; Southern District of New York Adds Ransomware Conspirator to Hacking Case; European and Canadian Data Protection Authorities Investigate IoT Devices; Norway Requires Data Breach Notification for Individuals

The Panama Papers Leak – An overview on histories’ biggest data leak

On April 3, 2016, reports revealed that a set of 11.5 million confidential documents (“the Panama Papers”), providing detailed information about more than 200,000 offshore companies connected to Panamanian legal service provider Mossack Fonseca, had been made available to German Daily Newspaper Süddeutsche Zeitung by an anonymous source in 2015.

The documents, which form part of the biggest data leak in history, reveal aspects on (potential) exploitations of offshore tax regimes and other illegal purposes, such as fraud or drug trafficking. Among the people concerned are not only big companies, but also twelve national leaders among 143 politicians, celebrities, government officials or other law firms. The Süddeutsche Zeitung, given the scope of the leak, involved the International Consortium of Investigative Journalists (ICIJ) and about 400 other journalists in 76 different countries to investigate and analyze the documents. ICIJ has promised to publish a full list of companies involved in early May 2016.

Mossack Fonseca, the leaked firm, defended its commercial conduct, stating that itself would always comply with applicable laws and carry out thorough due diligence on its clients. However, the leak will have a huge impact on the offshore business, as the biggest selling point of this business, secrecy, has been massively cracked.Continue Reading Privacy & Cybersecurity News Update- 3 Week Summary

Following an April 11 ruling by the Fourth Circuit in Travelers Indemnity Company of America v. Portal Healthcare Solutions, LLC, Travelers must defend its policyholder, Portal Healthcare, in a class action lawsuit concerning a security breach.  For years, courts have wrestled with whether traditional commercial general liability (CGL) policies provide coverage in event of a data breach.  The results have been mixed.  This most recent decision highlights the uncertainty that remains over whether traditional insurance policies cover cyber liabilities and, if so, under what circumstances and to what extent.  This case appears to have been driven by specific policy language and the facts of the cyber incident, particularly the conduct of the policyholder, but highlights the increasing prevalence of cyber insurance issues.

Travelers had issued two CGL policies to Portal Healthcare, a medical records company.  In April 2013, a class action was filed in New York state court alleging that, as a result of Portal Healthcare’s failure to properly protect its server, confidential medical records for patients at a New York hospital were accessible on the Internet to unauthorized individuals.  The class action complaint  asserts counts for alleged negligence, breach of warranty, breach of contract, and also seeks injunctive relief against Portal Healthcare, the hospital, and others. 

In July 2013, Travelers filed the coverage action at issue here in the U.S. District Court for the Eastern District of Virginia.  Travelers sought a declaration that it was not obligated under its CGL policies to defend or indemnify Portal Healthcare against the underlying class action lawsuit.  Specifically, Travelers argued that it was entitled to declaratory judgment because the underlying class action does not allege “personal injury,” “publication of material,” “advertising injury” or “website injury,” as defined in the Travelers policies. Continue Reading Fourth Circuit Affirms Carrier’s Duty to Defend Against Security Breach Claims Under Traditional Insurance Policy

FCC Adopts a NPRM for Privacy Proposal; FTC Chairwoman Wants IoT Threat Addressed; Consumer Reports Hit with Privacy Class Action; DOJ Accesses Shooter’s Phone and Drops Apple Suit

FCC Adopts a NPRM for Privacy Proposal

On Thursday, March 31 in a 3-2 party-line vote, the FCC advanced a Notice of Proposed Rulemaking (NPRM) for broadband privacy. The proposed rules would restrict ISP’s use of basic consumer data and require consumer consent for certain types of data collection.  Although ISPs under the rule could still collect basic consumer data to market communications- related services to subscribers, ISPs would have to allow users to opt-out of that data collection.  On the other hand, ISPs would have to allow used to opt-in to the use and sharing of other types of data, such as browsing history and physical location.  Under the proposed rules, providers are also required to share how data is used or shared with consumers.  Some have criticized the proposed rules, arguing that they have the potential to create an uneven enforcement regime as companies have the potential to face varied FCC and FTC standards.

FTC Chairwoman Wants IoT Threat Addressed

On Thursday, March 31, FTC Chairwoman Edith Ramirez urged manufacturers of Internet of Things (IoT) devices to “design devices that take into consideration unexpected uses of their IoT data, and the potential for misuse.” In a speech at the American Bar Association’s conference on IoT in Washington, DC, Chairwoman Ramirez outlined a series of steps that she recommends manufacturers take as they develop new IoT technology.  Drawing on common privacy practices, Chairwoman Ramirez advised manufacturers to provide consumers with clear notice of data collection practices and to allow consumers to opt in or out of particular data collection practices.  She also encouraged manufacturers to build security into devices from the outset and keep track of issues through a device’s life cycle.   The FTC plans to hold a series of workshops this fall to look at a series of issues arising from new technology, such as smart televisions and UAVs.Continue Reading Privacy & Cybersecurity Weekly News Update

OCR Launches Next Round of HIPAA Audits; French Privacy Office Levies € 100,000 Fine on Google; SEC Reaches $18 Million Settlement for Alleged Hacker-Trader Conspiracy; FTC and Canadian Regulator Execute Anti-Spam MOU; FTC Commissioner Announces She Will Step Down

OCR Launches Next Round of HIPAA Audits

Last Monday, following much anticipation, the Department of Health and Human Services OCR announced Phase 2 of its audit program to measure compliance with the patient privacy provisions of HIPAA. This audit follows OCR’s pilot audit of 115 Covered Entities and will likely examine 200 additional Covered Entities. For more information about what entities can expect, read Elliot Golding’s March 23 post.

French Privacy Office Levies € 100,000 Fine on Google

The French data protection authority (CNIL), one of the most active privacy regulators in Europe, fined Google € 100,000 for “failure to comply with the obligation to respect the rights of individuals to erase data” under the European “right to be forgotten.”  In May 2014, the European Court of Justice ruled that the compilation of Google search result links were “data processing,” and, as such, search engines should remove links at the request of data subjects.  The CNIL faulted Google for only removing links from searches that originated from EU IP address and not delisting all “Google Search” extensions.

SEC Reaches $18 Million Settlement for Alleged Hacker-Trader Conspiracy

The SEC secured settlements, totaling almost $18 million, with seven defendants accused of participating in a scheme to trade on hacked newswire information. These seven defendants are part of a larger alleged scheme of 32 defendants who, over five years, hacked newswires to obtain earnings announcements before they were released and then distributed and traded on those stolen statements. The government has also brought a parallel criminal action against some of the 32 defendants in the District of New Jersey and has stayed a massive civil suit based on the same hacking scheme.  The $18 million in recent SEC settlements come on the heels of a $4.2 million SEC settlement with Concorde Bermuda Ltd., also accused of taking part in the scheme.Continue Reading Privacy & Cybersecurity Weekly News Update

OCR Announces a Settlement … Again; HHS Eases Restrictions on Mental Health Information Sharing to Facilitate Gun Control Efforts; Facebook: Users Lack Standing in Cookie MDL; Plaintiffs Argue for Summary Judgment in $5 Million Twitter TCPA Suit

OCR Announces a Settlement … Again

For the second time this week, OCR announced another huge settlement. The