On October 2, 2014, the Food and Drug Administration (FDA) released a final guidance document titled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices”. The FDA said that the “need for effective cybersecurity to assure medical device functionality and safety has become more important with the increasing use of wireless, Internet- and network-connected devices, and the frequent electronic exchange of medical device-related health information.” The FDA defines cybersecurity as “the process of preventing unauthorized access, modification, misuse or denial of use, or the unauthorized use of information that is stored, accessed, or transferred from a medical device to an external recipient.” The cybersecurity of medical devices gained media attention last year when former Vice President Dick Cheney revealed that his doctor had the wireless function of Cheney’s implanted defibrillator replaced due to fears that a terrorist could hack the device and assassinate the Vice President.
The guidance document identifies cybersecurity issues that manufacturers should consider when designing and developing their medical devices and information they should include when preparing their FDA medical device premarket submissions.
At the International Conference of Data Protection and Privacy Commissioners in Mauritius this week, representatives of the private sector and academia joined together to discuss the positive changes and attendant risks that the internet of things and big data may bring to daily life. Attendees memorialized the observations and conclusions of their discussions in a Declaration on the Internet of Things and a Resolution on Big Data. The documents are not, of course, binding. But the fact that the Declaration and Resolution drew the consensus of a large gathering of international data protection regulators renders them relevant indicators of the direction of data privacy policies and trends.
By Caleb Skeath
You’ve added a passcode to your phone, checked your social network privacy settings (twice), and kept close tabs on the cookies in your web browser. But have you ever thought closely about the information your car collects about you?
New Jersey legislators are debating two identical bills that would provide additional safeguards against the disclosure of data contained in a car’s “black box,” which tracks a vehicle’s technical status and operational performance. These devices, often referred to as event data recorders or EDRs, are present on 90% of all cars and light trucks in the U.S. and may soon become mandatory on all new vehicles. In addition to assisting mechanics with car repairs, EDRs can assist law enforcement and insurance companies in crash investigations.
Yesterday, several big tech companies that offer educational and school services signed the “Student Privacy Pledge,” introduced by the Future of Privacy Forum (“FPF”) and The Software & Information Industry Association (“SIIA”) to safeguard student privacy as it relates to the collection, maintenance, and use of students’ personal information. Among the fourteen education tech companies representing the initial group to join SIIA and FPF in introducing the Pledge are Microsoft, Amplify, and Houghton Mifflin Harcourt. Notably, tech giants Google and Apple were absent from the list of signatories. As part of the Pledge, effective January 1, 2015, participating companies agree to the following commitments:
- Not to collect, maintain, use or share student personal information beyond that needed for authorized educational/school purposes, or as authorized by the parent/student
- Not to sell student personal information
- Not to use or disclose student information collected through an educational/school service (whether personal information or otherwise) for behavioral targeting of ads to students
- Not to build a personal profile of a student other than for supporting authorized educational/school purposes or as authorized by the parent/student
- Not to make material changes to school service provider consumer privacy policies without first providing prominent notice to the account holder(s) (i.e., the educational institution, or the parent/student when the information is collected directly from the student with student/parent consent) and allowing them choices before data is used in any manner inconsistent with terms they were initially provided; and not to make material changes to other policies or practices governing the use of student personal information that are inconsistent with contractual requirements
- Not to knowingly retain student personal information beyond the time period required to support the authorized educational/school purposes, or as authorized by the parent/student
- Collect, use, share, and retain student personal information only for purposes for which companies are authorized by the educational institution, teacher, or the parent/student
- Disclose clearly in contracts or privacy policies, including in a manner easy for parents to understand, what types of student personal information are collected and the purposes for which the information maintained is used or shared with third parties
- Support access to and correction of students’ personally identifiable information by the student or their authorized parent, either by assisting the educational institution in meeting its requirements, or directly, when the information is collected from the student with student/parent consent
- Maintain a comprehensive security program reasonably designed to protect the security, privacy, confidentiality, and integrity of student personal information against risks – such as unauthorized access or use, or unintended or inappropriate disclosure – through the use of administrative, technological, and physical safeguards appropriate to the sensitivity of the information
- Require that vendors with whom students’ personal information is shared in order to deliver the educational service are obligated to implement these same commitments
- Allow a successor entity to maintain the students’ personal information, in the case of a merger or acquisition, provided the successor is subject to these same commitments for previously collected student personal information
When you encounter a website or mobile app that requires you to log in or register, do you use your social media account to do so? If you answered “yes,” you are part of a growing majority according to a Gigya survey, which found that social login use is on the rise as a result of consumers’ demands for convenience.
Gigya provides social login technology to website and mobile app developers. For its 2014 State of Consumer Privacy & Personalization survey, Gigya surveyed 2,000 US and 2,000 UK adults ages 18 to 55 about their social login usage. According to the survey, 77% of US respondents (up from 53% in 2012) and 60% of UK respondents have logged into a website or mobile app using a social network account. Unsurprisingly, the top two reasons driving respondents’ use of a social login are:
- “I don’t want to spend time filling in registration forms” (53% of US respondents, 60% of UK respondents)
- “I don’t want to create and remember another username and password” (47% of US respondents, 46% of UK respondents)
Social login users and non-users have different perceptions about the security of their information submitted through a social login. For US respondents who reported that they have “never” used a social login, the primary reason is the fear that the website or mobile app will sell their data. However, 21% of US respondents reported that they use social logins because they feel that their personal data is better protected when using a social login. Over 80% of both US and UK respondents reported abandoning an online registration form because of the amount and/or type of information requested.
By David Fagan and Sumon Dantiki
Last week the Antitrust Division of the Department of Justice (“DOJ”) issued a business review letter in response to a request by CyberPoint International LLC (“CyberPoint”). At issue in the request was whether a proposed cyber threat information sharing system among possible competitors (“the TruSTAR platform”) raised antitrust concerns. Following a review, DOJ announced in the letter that it had no intention of challenging the TruSTAR platform under antitrust laws.
The TruSTAR letter is significant for multiple reasons. First, the letter generally reaffirms the joint “Antitrust Policy Statement on Sharing of Cybersecurity Information,” set forth by the DOJ and Federal Trade Commission (FTC) earlier this year on April 10. In fact, in a press release accompanying the TruSTAR letter, the DOJ cited the Policy Statement to emphasize that the “antitrust laws are not an impediment to legitimate private-sector initiatives to share specific information about cyber incidents and mitigation techniques.”
We don’t often talk about our group’s achievements on InsidePrivacy, but we were particularly proud to learn that the Legal 500 UK today awarded our London data protection group its technology, media, and telecoms (TMT) Firm of the Year Award (2014). Our London team, led by Dan Cooper, was recognized for its particular expertise in cross-border regulatory matters and international security breaches. This will not come as a surprise to those of you in our client community who work with Dan, Mark Young, Lisa Peets, and our other London colleagues, as well as the rest of our amazing pan-European team. We wish our London team heartfelt congratulations.
Continuing our coverage of the flurry of bills signed into law by California Governor Jerry Brown last week, we turn now to AB 1710, an amendment to California’s data breach legislation. The data breach amendment makes three notable changes to existing laws regarding personal information privacy:
1. Requires Companies that Maintain Personal Information to Implement and Maintain Reasonable Security Procedures and Practices.
California’s existing data breach law requires companies that own or license personal information to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information . . . .” Under existing law, the terms “own” and “license” include personal information retained as a part of a business’s internal customer accounts or for the purpose of using the information in transactions.
AB 1710 extends this requirement to companies that merely “maintain” personal information about Californians. The bill defines maintained information in the negative, as information that a business does not own or license.
For purposes of implementing and maintaining reasonable security procedures and practices, California defines “personal information” as an individual’s first name (or first initial) and her last name in combination with her social security number, driver’s license or California ID number, any medical information, or a financial account number (such as a credit or debit card number) and the associated access code. Cal. Civ. Code § 1798.81.5(d)(1).
The International Association of Privacy Professionals hosted its annual Privacy Academy, at which one panel, “Data Brokers Demystified,” specifically focused on regulation of the data-broker industry. The panelists included Janis Kestenbaum from the Federal Trade Commission, Jennifer Glasgow from Acxiom, and Pam Dixon from the World Privacy Forum. Emilio Cividanes from Venable also participated.
Major Conclusions of the FTC Report (Janis Kestenbaum)
- Data brokers operate with a fundamental lack of transparency. They engage in extensive collection of information about nearly every US consumer, profiles of which are composed of billions of data elements.
- Much data collection occurs without consumer awareness and uses a wide variety of online and offline sources, such as social networks, blogs, individual purchases and transactions with retailers, state and federal governments, events requiring registration, and magazine subscriptions.
- The practice of “onboarding” – where offline data is onboarded onto an online cookie and is used to market to consumers online – is increasingly common.
- Some data collected is sensitive, but even non-sensitive data is sometimes used to make “sensitive inferences” about (for example) health status, income, education, ethnicity, religion, and political ideology. Consumers are often segmented into “clusters” based on these inferred characteristics.
- For regulators, some of these clusters are concerning. For example, one cluster is entitled “Urban Scramble” and contains high concentrations of low-income ethnic minorities.
- Congress should create a centralized portal where consumers can go online and access individual data brokers’ websites to opt out and access and correct their information. For consumer-facing entities, like retailers, consumers must be given some kind of choice before data is sold to a data broker, and when that data is sensitive, the choice should be in the form of an opt in.
Last week, California enacted bills SB 1177 and AB 1584, strengthening student privacy protections in the State.
SB 1177 prohibits operators of online sites or mobile apps who know that their services are used primarily for K-12 school purposes and whose services are designed and marketed as such (“operators”) from using K-12 student data in four specific ways. First, SB 1177 prohibits operators from engaging in targeted advertising on any website or mobile app (including their own) if the advertising would be based on any information obtained from the operations of its K-12 online site or mobile app. Second, SB 1177 prohibits operators from using information obtained from the operations of the K-12 online site or mobile app to create a “profile” about a K-12 student, unless the profile is created in furtherance of K-12 school purposes. Third, operators are prohibited from selling a student’s information. And, fourth, SB 1177 prohibits operators from disclosing personally identifiable information, unless certain special circumstances exist, such as responding to or participating in judicial process.
In addition to the four prohibitions listed above, SB 1177 places two affirmative requirements on operators. The bill requires that operators “[i]mplement and maintain reasonable security procedures and practices” appropriate to the information protected, and to specifically protect the information from “unauthorized access, destruction, use, modification, or disclosure.” In addition, SB 1177 requires operators to delete personally identifiable information regarding a K-12 student upon request by a school or school district.
AB 1584 addresses the access and use of K-12 student data by third party vendors. AB 1584 explicitly permits local educational agencies to enter into contracts with third parties to provide online services relating to management of pupil records or to otherwise access, store, and use pupil records in the course of performing contractual obligations.