Inside Privacy - Updates on Developments in Global Privacy & Data Security

Last week, the ABA’s Commission on Ethics 20/20 recommended a series of changes to the Association’s Model Rules of Professional Conduct that are intended to bring the Rules more in line with the realities of law practice in the 21st Century.  The recommendations are the result of the Commission’s three-year study that revealed two overarching trends in the legal profession: (1) the increasing importance of technology -- particularly, electronic communications -- to the performance of legal services and (2) the growing proportion of legal work that involves multiple jurisdictions. 

Particularly noteworthy is the Commission’s proposal that Model Rule 1.6 -- which describes the duty to protect client confidences -- be updated to make clear that a lawyer has a duty to provide “reasonable” data security measures for client information.  The Commission notes that the reasonableness of particular security measures will depend on factors such as the cost of safeguards and the sensitivity of the client information at issue.  Although Comments to the Rule currently reference the obligation to protect client information, the Commission believes that changes in technology have “so enhanced the importance of this duty that it should be identified in the black letter of Rule 1.6.”

The Commission also recommended that comments elaborating on the duty of competence (Rule 1.1) be amended to clarify that “maintaining competence” in the practice of law includes staying current on the “benefits and risks associated with relevant technology.”       

The ABA’s House of Delegates will take up the proposals at the Association’s annual meeting in August. 

On Thursday, the House voted on and passed two cybersecurity bills.

The Cyber Intelligence Sharing and Protection Act (CISPA) (H.R. 3523), sponsored by Rep. Mike Rogers (R-MI) and more than a hundred other Congressmen, passed by a vote of 248-168. As previously discussed on this blog, CISPA would facilitate information sharing between private entities and the intelligence community via the Department of Homeland Security’s National Cybersecurity and Communications Integration Center and would provide liability protection for entities that share cyber threat information. 

Despite a formal statement by the White House threatening a Presidential veto of CISPA in its then-current form, the bill garnered bipartisan support, with 42 Democrats and 206 Republicans voting in favor. Before the final vote, the House adopted several amendments. One of the amendments limits the federal government to using shared cyber threat information for five enumerated purposes: cybersecurity, investigation and prosecution of cybersecurity crimes, protection of individuals from death or serious bodily harm, protection of minors from sexual exploitation or physical threat, and protection of national security.

The House also passed by a voice vote the Federal Information Security Amendments Act of 2012 (H.R. 4257), sponsored by Rep. Darrell Issa (R-CA). The bill would reform the Federal Information Security Management Act of 2002 to provide for automated and continuous monitoring of the security of government information systems. FISMA reform is also included in the two cybersecurity bills pending in the Senate, the Cybersecurity Act of 2012 (S. 2105), introduced by Sen. Joseph Lieberman (I-CT), and the SECURE IT Act (S. 2151), introduced by Sen. John McCain (R-AZ).

On April 4, 2012, Fiserv, one of the largest payment processing service providers for the banking industry, released a white paper analyzing the current state of multi-channel banking, which is a consumer’s use of more than one channel to conduct banking activities.  The white paper, titled “Snacking, Lunching and Fine Dining: How Mobile is Reshaping Every Banking Channel,” argues that mobile banking’s evolution from informational services, such as balance inquiries and ATM locations, to transactional services, such as bill payment and funds transfers, impacts all three of the primary banking channels: branch banking, online banking, and mobile banking. 

The white paper analogizes mobile banking to snacking, online banking to lunching, and branch banking to fine dining based on the consumer’s level of interaction with the bank.  A consumer’s use of mobile banking is akin to snacking because the consumer’s interaction is quick and may have a sense of urgency.  For example, a consumer may use mobile banking to check his or her balance or pay a bill immediately before its due date.  Online banking is similar to lunching in that the interaction is more structured and routine than mobile banking.  Online banking is conducive to in-depth and periodic self-service banking activities, including managing budgets and finances.  Branch banking is comparable to fine dining because consumers now only rarely visit their local bank branches to conduct banking activities.  Typically, consumers visit their bank branches for infrequent consultative services that require substantial interaction. 

Optimizing consumers’ multi-channel banking experiences ultimately will provide a number of benefits to banks and consumers, including increased efficiency from focusing on the delivery of specific services in the particular channel that is the most used by consumers.  Privacy and security are one impediment to consumers' adoption of mobile banking services.  Accordingly, banks' ability to enhance privacy and security in connection with services delivered through the mobile channel ultimately will help determine the extent to which they profit from multi-channel banking.     

Yesterday Senator John McCain (R-AZ) introduced the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012 (SECURE IT Act). The bill’s cosponsors include Senators Kay Bailey Hutchison (R-TX), Chuck Grassley (R-IA), Saxby Chambliss (R-GA), Lisa Murkowski (R-AK), Dan Coats (R-IN), Ron Johnson (R-WI), and Richard Burr (R-NC).

In a hearing in the Senate Committee on Homeland Security and Governmental Affairs last month, Senator McCain expressed procedural and substantive concerns about the “Cybersecurity Act of 2012,” S. 2105, which was sponsored by Senators Joseph Lieberman (I-CT), Susan Collins (R-ME), Dianne Feinstein (D-CA), and John D. Rockefeller, IV (D-WV), and he announced his intention to put forward a competing cybersecurity bill.

One of the main differences between the two bills is the amount of government regulation they envision. The Cybersecurity Act of 2012 proposes that the Department of Homeland Security (DHS) make risk-based designations of covered critical infrastructure (CCI) and establish cybersecurity performance requirements for CCI, in consultation with the CCI owners and operators. The SECURE IT Act, on the other hand, does not propose any government regulation of privately owned critical infrastructure, nor does it include identification or designation of such infrastructure. In a statement released yesterday by the co-sponsors of the SECURE IT Act, Senator Murkowski emphasized that the bill employs “a partnership approach between the government and private entities.”

Continue Reading

By David Fagan and Kristen Eichensehr

Yesterday, the Senate Committee on Homeland Security and Governmental Affairs held a hearing on the “Cybersecurity Act of 2012.” Senator Joseph Lieberman (I-CT) introduced the bill, S. 2105, on Tuesday with co-sponsors Senators Susan Collins (R-ME), Dianne Feinstein (D-CA), and John D. Rockefeller, IV (D-WV). S. 2105 builds on prior cybersecurity bills introduced in this and prior Congresses and resulted from a lengthy consultation process -- shepherded by Senate Majority Leader Reid and Minority Leader McConnell -- with private sector stakeholders, the Executive Branch, and other interested parties. Upon introducing the bill earlier this week, Majority Leader Reid and Committee Chairman Lieberman said that they intended not to hold any committee mark-up and instead would bring the bill directly to the floor for a full vote in March.

As currently drafted, S. 2105 would centralize responsibility for cybersecurity of civilian infrastructure in the Department of Homeland Security (DHS) and require the Secretary of Homeland Security, in consultation with owners and operators of covered critical infrastructure, to conduct risk-based assessments of cybersecurity threats to covered critical infrastructure. The Secretary would have the authority to designate “systems or assets” as covered critical infrastructure if a cyber attack on the system or asset could “reasonably result” in “the interruption of life-sustaining services . . . sufficient to cause” a “mass casualty event” or mass evacuations, or “catastrophic economic damage to the United States.” The bill also would require the Secretary, based on the risk assessments and working with owners and operators of covered critical infrastructure, to establish cybersecurity performance requirements. Owners and operators would have flexibility to determine how best to meet the performance requirements.

Continue Reading

As of March 1, 2012, all companies storing the personal information of Massachusetts residents with a third-party service provider must contractually require the service provider to maintain data security measures “consistent” with the Massachusetts data security regulations.  (You can read our overview of these regulations here.)

Among other things, those regulations—most of which took effect in March 2010— require companies to implement a written information security program containing certain elements, including a requirement that personal information be encrypted when transmitted wirelessly or across public networks, and when stored on portable computing devices (including laptops).  The regulations also require companies to take “reasonable steps” when selecting a service provider to ensure that the provider is capable of maintaining appropriate measures for the protection of personal information.  

To be clear, the service provider contract provision has been in effect since March 2010 for all contracts entered into after that date.  But the provision contains a grandfather clause that exempted pre-March 2010 contracts from the requirement.  This exemption expires on March 1, 2012.

Following more than two years of consultations and intense speculation in recent weeks, the European Commission today proposed comprehensive measures to reform the European data protection framework.  We currently are analysing the proposed reforms in detail, but it appears that the proposal for a General Data Protection Regulation largely mirrors earlier leaked drafts. 

For example, key measures include:

Continue Reading

A putative class action was filed on Monday against Amazon.com following an online hacking attack that potentially compromised the personal information of up to 24 million customers of its online shoe retailer Zappos.com.  An email sent to customers from Zappos.com’s CEO on Sunday assured users that full credit card information and other payment information was not impacted, but stated that names, email address, billing and shipping addresses, phone numbers, the last four digits of credit card numbers, and/or cryptographically scrambled passwords (but not actual passwords) may have been improperly accessed.

The complaint, filed in the United States District Court for the Western District of Kentucky (the location of the purportedly compromised servers), includes claims for violation of the Fair Credit Reporting Act, negligence, and invasion of privacy.  The complaint alleges that the named plaintiff and proposed class members now are subject to a heightened risk of identity theft and will have to spend time changing the passwords on their Zappos.com accounts as well as other accounts with the same or similar passwords.

Yesterday, the FTC announced that it has settled charges against Upromise, Inc., a company that enables consumers to receive rebates when shopping at partner merchants.  (The rebates are placed in college savings accounts—hence Upromise’s name.)  According to the Commission’s complaint, Upromise offered online users a toolbar feature, which, when downloaded, would highlight Upromise’s partners in search engine results.  The toolbar feature also enabled users to choose to receive tailored advertising.  In connection with this aspect of the toolbar, the FTC alleged that Upromise (through an unnamed service provider) collected the names of all websites a user visited and all links clicked, as well as information that users entered into some webpages (which, in some cases, included credit card and financial account numbers, security codes, expirations dates and Social Security numbers). 

The Commission charged that the scope and frequency of the data collection was much broader than Upromise represented in its privacy statement.  The FTC contended that despite using a filter intended to limit the collection of PII, Upromise sometimes collected sensitive information, such as PIN numbers and security codes.  Finally, the FTC alleged that Upromise collected this information by causing the user’s browser to transmit it in clear text, which left it vulnerable to interception—particularly when users were connected to the Internet through unsecured wireless networks.  The FTC stated that by engaging in these practices, Upromise failed to adequately disclose the extent of its data collection and also “failed to provide reasonable and appropriate security for [the] consumer information” that was collected. 

Notably, the Commission described these alleged shortcomings in terms of Upromise’s failure to integrate privacy protections into the design and implementation of the toolbar feature (i.e., its failure to sufficiently adhere to the principle of “privacy by design,” which the Commission described in its December 2010 preliminary staff report).  For example, the complaint faulted Upromise for not testing the ad-tailoring feature or monitoring its collection of information after implementation to ensure that the collection was consistent with Upromise’s policies.  The complaint also alleged that Upromise had failed to ensure that employees responsible for creating and operating the feature received adequate training about security risks and Upromise's privacy and security policies.  Similarly, the Commission alleged that Upromise did not take appropriate steps to ensure that its service provider implemented the feature in a manner that was consistent with Upromise’s policies and the contractual provisions designed to protect consumer information. 

As in recent FTC settlements involving privacy and data security issues, the Upromise consent decree (among other things) would require the company to implement privacy by design in the form of a comprehensive information security program and obtain third-party audits for 20 years. 

A bill introduced in the House of Representatives Thursday would require the Department of Homeland Security to take a lead role in identifying and developing cybersecurity standards for systems that control critical infrastructure. The bill also would create a non-profit clearinghouse for the sharing of cybersecurity threat information between government agencies and the private sector. Unlike some other pending data-security proposals, the bill does not include provisions requiring businesses to establish comprehensive data-security programs or to provide breach notifications.

H.R. 3674, titled the “PRECISE Act” and introduced by Rep. Dan Lungren (R-Calif.), directs the Department of Homeland Security to identify and evaluate cybersecurity risks to critical infrastructure, including private infrastructure; to identify existing standards for mitigating those risks, or to develop such standards if necessary; to create market incentives to encourage the use of the identified performance standards; and to work with the relevant agencies to incorporate “the most effective and cost-efficient” of the identified standards into the regulatory regimes governing covered critical infrastructure. The bill defines “covered critical infrastructure” as facilities or functions in which a disruption could cause significant loss of life, major economic disruption, mass evacuations for an extended length of time, or a severe degradation of national security.

Continue Reading

Employees whose personal information might have been accessed in a data breach cannot sue the breached company in federal court based only on the possibility that the breach might lead to identity theft, a federal appeals court ruled Monday.

The case, Reilly v. Ceridian Corporation, is a proposed class action brought by employees whose companies used Ceridian Corporation to process company payrolls. An unknown hacker breached Ceridian’s firewall in December 2009, potentially gaining access to payroll information such as names, Social Security numbers, birth dates and bank account numbers. However, the lawsuit did not allege that the hacker actually accessed, copied, or misused the data. Instead, the plaintiffs based their claim on their allegedly increased risk of identity theft, their emotional distress, and the credit-monitoring costs they incurred.

Continue Reading

Sen. John Rockefeller (D-WV), chair of the Senate Commerce Committee, is still working to reach consensus on the data security bill that he and Sen. Mark Pryor (D-AR) introduced in June.  A scheduled markup was canceled in September, and the committee decided not to consider the bill at yesterday’s executive session.  Nonetheless, a spokesman for Sen. Pryor said Tuesday that lawmakers are “hoping to resolve any disagreements so the bill can be on a December markup.”

The bill, S. 1207, requires firms to establish information security policies for safeguarding personal information and to provide notice in the event of a security breach. Sens. Rockefeller and Pryor are reportedly reworking the bill in the hopes of securing bipartisan support.  A draft amendment circulated last week would, among other things:

• expressly exempt entities that are subject to information security requirements under the Gramm-Leach-Bliley Act, HIPAA or HITECH, or the Communications Act;
• delete special requirements for information brokers;
• restrict the remedies available to state attorneys general when bringing suit on behalf of state residents; and
• expand the definition of “personal information” to include unique biometric data and information about an individual when combined with authentication credentials for any financial account, but eliminate the FTC’s ability to modify the definition.

As we previously discussed, data security remains a subject of interest in both chambers of Congress.  Three other data security bills were approved by the Senate Judiciary Committee in September. Rep. Mary Bono Mack (R-CA) met with other lawmakers yesterday to discuss her breach notification bill and is confident that the legislation has enough support to pass the House Energy and Commerce Committee in the next few weeks, although the decision to schedule a full committee markup will be up to committee chairman Rep. Fred Upton (R-MI).

Over the past month, a number of White House officials and key House and Senate members have discussed the importance of moving cybersecurity legislation forward.  Highlights include the following:

• On October 4, White House Cybersecurity Coordinator Howard Schmidt said that he has “a high level of confidence that something will move forward” at an event hosted by the Center for Strategic and International Studies.  Department of Commerce General Counsel Cameron Kerry echoed those comments.
• On October 7, at a University of Washington School of Law Cybercrime Conference, federal officials including FBI Assistant Director Gordon Snow highlighted the severity of online threats against financial and defense targets. 
• On October 18, Senator Joe Lieberman (I-CT) said he remains optimistic about the possibility of getting cybersecurity legislation to the floor this year.
• On October 19, an interagency team of senior administration officials, Senator Majority Leader Harry Reid (D-NV), and the chairmen and ranking members of the relevant committees met on Capitol Hill.  The parties indicated that it was “an extremely useful and constructive discussion, ending with agreement that all involved need to work together to pass a cybersecurity bill as quickly as possible.” 
• Last week, Rep. Jim Langevin (D-RI), co-chairman of the bipartisan House Cybersecurity Caucus, called for Congress to move forward with cybersecurity legislation at a Brookings Institution event. 

This remains a legislative area to watch as Congress wraps up 2011 and looks at the legislative agenda for 2012.

By David Fagan & Steve Satterfield

Yesterday, the SEC’s Division of Corporation Finance issued a guidance document regarding public companies’ disclosure obligations relating to cybersecurity risks and breaches.  The guidance responds to a request by Sen. Jay Rockefeller that the SEC clarify its position on this increasingly important issue. 

The Division noted that as companies have turned to digital technologies to conduct their operations, cybersecurity risks--and incidents--have increased.  Although there is no disclosure requirement under the federal securities laws that specifically addresses cybersecurity, the Division explained that existing regulations may require disclosure of cyber risk assessments and the costs stemming from incidents.  It is important to note, as the Division does, that this is guidance, not a rule, regulation, or order (as some headlines have suggested).

We provide an overview of the guidance after the jump.  For additional information please see this E-Alert prepared by members of our Global Privacy & Data Security and Securities & Corporate Finance practice groups. 

Continue Reading

In a report released on September 28, 2011, Verizon concluded that only 21 percent of organizations subject to the payment card industry’s data security standards (PCI-DSS) were fully compliant with PCI-DSS.  Verizon’s prior report found that 22 percent of organizations were fully compliant with PCI-DSS.  The PCI-DSS consist of 12 requirements relating to an organization’s information security for cardmember data.  The report is based on PCI assessments conducted by Verizon’s team of qualified security assessors and investigations of security breaches.  Verizon found that organizations most often struggled with Requirements 3 (protection of stored data), 11 (testing security systems and processes), and 12 (maintain a policy that addresses information security).   The report contains a number of interesting observations about the industry’s approach to complying with the 12 PCI-DSS requirements.

PCI compliance is essential for merchants and payment processors that accept, store, or transmit cardmember data.  PCI compliance routinely is assessed in the context of strategic transactions and becomes a focal point in the event of a data breach.

Earlier this month, the Payment Card Industry Council (“PCI”) unveiled the first set of point-to-point encryption (“P2PE”) standards designed for providers of P2PE hardware-based encryption and decryption solutions.  P2PE providers develop for merchants point-of-sale hardware such as payment card readers and electronic cash registers that completely encrypt payment card data from the point the card is swiped at the point of sale to the point when the payment card data is transmitted to the merchant’s payment card processor.  P2PE hardware appeals to merchants because the hardware minimizes the extent to which merchants must store and transmit unencrypted cardholder data.  The PCI P2PE standards provide requirements that are intended to standardize and enhance P2PE hardware solutions. 

For merchants, the P2PE standards have the potential to reduce the scope of compliance and self-assessments under PCI-DSS, which governs merchants' data security practices for cardholder information from credit cards and similar payment mechanisms.  Merchants that use a PCI-validated P2PE hardware solution will have less of a compliance burden vis-à-vis PCI requirements pertaining to the encryption of sensitive cardholder information.  Merchants will remain responsible for complying with PCI requirements governing the education of employees handling account data, security policies, third-party relationships, and physical security of media.  PCI intends to release a list of PCI-validated P2PE hardware solutions in the spring of 2012. 

Last Thursday, the Senate Judiciary Committee began its consideration of the several pending data security bills by marking up S. 1151, the legislation introduced by Sen. Patrick Leahy (D-VT). 

S. 1151 would require business entities to develop a data privacy and security plan for protecting sensitive personally identifiable information, require agencies and business entities to notify U.S. residents in the event of a security breach involving such information, and impose criminal penalties for intentionally and willfully failing to provide notice of a security breach.

The original version of the bill also contained separate privacy requirements for data brokers, but a substitute amendment deleting that title was adopted by the Committee on Thursday.  The panel also accepted an amendment proposed by Sen. Chuck Grassley (R-IO), which clarified that the definition of “exceeds authorized access” in the Computer Fraud and Abuse Act does not include violations of Internet terms of service agreements or employment agreements restricting computer access, and a separate manager’s amendment which limited civil liability and penalties.

Continue Reading

Earlier this week, California Governor Jerry Brown signed into law an amendment to California’s breach notice law (S.B. No. 24).  Former Governor Arnold Schwarzenegger vetoed similar legislation in 2008, 2009, and 2010. 

As Inside Privacy noted when the legislation first moved through the California Senate on April 14, the legislation will amend California’s existing security breach notification requirements by:

• Requiring businesses subject to California’s security breach notification law to send an electronic copy of a breach notification to the California Attorney General, if more than 500 Californians are affected by a single breach.
• Establishing standard content requirements for data breach notifications to California residents, including the type of information breached, the date of the breach, and a toll-free telephone number of major credit reporting agencies; and
• Clarifying that a covered entity under the Health Insurance Portability and Accountability Act of 1996 that complies with applicable breach notice requirements will be deemed to comply with the new content requirements for breach notifications in California.

The new law goes into effect January 1, 2012.  It makes California one of more than a dozen states that require notice to state regulators in the event of a breach that triggers notification to individuals, with some variation among the states with respect to the threshold of affected individuals that triggers notice to the regulator.

The bill’s author, California Senator Joe Simitian (D-Palo Alto), was the original sponsor of California’s landmark data breach notification law, first enacted in 2003.  California’s breach notice bill has been amended on prior occasions, including a 2007 amendment that added health information to the type of data that may trigger a notification obligation.

For the fifth consecutive session of Congress, Sen. Dianne Feinstein (D-CA) has introduced legislation that would establish a federal data breach notification standard.  Sen. Feinstein’s legislation — the Data Breach Notification Act of 2011 (S. 1408) — is one of a number of breach notice proposals circulating on Capitol Hill that would preempt state breach notice laws and replace them with a federal standard.  In the Senate alone, Sens. Jay Rockefeller (D-WV) and Mark Pryor (D-AR) have introduced the Data Security and Breach Notification Act of 2011 (S. 1207), and Sen. Patrick Leahy has introduced the Personal Data Privacy and Security Act of 2011 (S. 1151). 

We have heard from several sources that Sen. Rockefeller, Chairman of the Senate Committee on Commerce, Science & Transportation, is planning to markup S. 1207 in the near future.  And last week, the House Subcommittee on Commerce, Manufacturing, and Trade marked up and voted to report the SAFE Data Act (H.R. 2577) (introduced by Rep. Mary Bono Mack (R-CA)) to the full House Energy & Commerce Committee. 

Unlike many of the breach bills that are circulating, Senator Feinstein’s bill is limited to breach notification obligations and does not include information security requirements.  Generally, S. 1408 is much more similar to the breach notice provisions of S. 1151 (Leahy) than S. 1207 (Rockfeller/Pryor) or H.R. 2577 (Bono Mack).

Continue Reading

On July 19, 2011, the European Commission announced that it sent formal requests for further information to 20 Member States regarding their failure to implement the EU's new package of telecoms rules.  The rules, which include amendments to the E-Privacy Directive to create new consent requirements for the use of most web cookies, were required to be enacted by the Member States by May 25, 2011.

As we described here previously, the new measures have been delayed in many Member States over questions regarding how such consent requirements and breach notifications will work in practice.  Some Member States are also clearly hoping that new browser settings will be developed in order to facilitate adequate user consents.  Meanwhile, other Member States have implemented the new rules but subsequently also adopted a cautious stance over enforcement of the new rules.  As reported previously, the UK's rules are now in force, but the UK ICO has indicated that it will not substantively enforce the new cookie rules until May 2012.  Although the UK does not appear to be in the firing line, the Commission is clearly taking a dim view of such ongoing concerns.  It is unusual for enforcement proceedings to be launched so quickly and against so many Member States.

This enforcement action comes on the heels of other significant Commission activity in relation to the e-Privacy amendments.  On July 14, 2011, Commissioner Neelie Kroes launched a new consultation on how the new data breach notification requirements for electronic communication service providers should be carried out in practice.  The consultation will focus on the circumstances that trigger a data breach notification obligation, the practical procedures that should be followed when making a notification, and the information that such notifications will include.  Responses can be submitted until September 9, 2011.

By Katie Keith

Yesterday, two Subcommittees of the House Energy and Commerce Committee (Commerce, Manufacturing and Trade and Communications and Technology) held a joint hearing entitled “Internet Privacy:  The Views of the FTC, the FCC, and NTIA” that featured testimony from FCC Chairman Julius Genachowski, FTC Commissioner Edith Ramirez, and NTIA Assistant Secretary Lawrence Strickling.  Topics discussed included the need for privacy and data security legislation, the development of baseline governing principles, and current efforts by each agency to engage stakeholders on these issues. 

Legislators from both Subcommittees recognized the economic and social value of the Internet throughout the hearing and emphasized that nearly every aspect of our daily lives now has an online component.  Despite its “incalculable value,” the Chairwoman of the Subcommittee on Commerce, Manufacturing and Trade, Rep. Mary Bono Mack (R-Cal.), characterized the Internet as a “work in progress” and expressed concerns shared by many Members of the two Subcommittees over the collection, use, sharing and protection of online data and the need to improve consumer education.  The witnesses generally shared these concerns, and although their testimony did not reflect a shift in policy at the FTC, FCC, or NTIA, the dialogue between the legislators and regulators did shed light on the current state of thinking about privacy regulation at the federal level. 

Continue Reading

In light of the number of privacy and data security-related bills currently being considered by Congress, we thought it might be helpful to provide a roundup of the legislation introduced or circulated to date:

Comprehensive privacy legislation:

• BEST PRACTICES Act, H.R. 611 (Rep. Rush): introduced Feb. 10, 2011.  Referred to the House Subcommittee on Commerce, Manufacturing, and Trade. 
• Commercial Privacy Bill of Rights Act of 2011, S. 799 (Sens. Kerry and McCain):  introduced Apr. 12, 2011.  Referred to the Senate Committee on Commerce, Science, and Transportation.
• Consumer Privacy Protection Act of 2011, H.R. 1528 (Reps. Stearns, Matheson, Bilbray, and Manzullo):  introduced Apr. 13, 2011.  Referred to the House Subcommittee on Commerce, Manufacturing, and Trade. 

Do Not Track:

• Do Not Track Me Online Act, H.R. 654 (Rep. Speier):  introduced Feb. 11, 2011.  Referred to the House Subcommittee on Commerce, Manufacturing, and Trade. 
• Do-Not-Track Online Act of 2011, S. 913 (Sen. Rockefeller): introduced May 9, 2011.  Referred to the Senate Committee on Commerce, Science, and Transportation. 

Children’s privacy:

• Do Not Track Kids Act of 2011, H. R. 1895 (Reps. Markey and Barton):  introduced May 13, 2011.  Referred to the House Committee on Energy and Commerce. 

Data security and breach notification:

• Data Accountability and Trust Act, H.R. 1707 (Reps. Rush, Barton, and Schakowsky):  introduced May 4, 2011.  Referred to the House Committee on Energy and Commerce. 
• Data Accountability and Trust Act of 2011, H.R. 1841 (Reps. Stearns and Matheson): introduced May 11, 2011.  Referred to the House Committee on Energy and Commerce. 
• Personal Data Privacy and Security Act of 2011, S. 1151 (Sens. Leahy, Schumer, Cardin, and Franken):  introduced June 7, 2011.  Referred to the Senate Committee on the Judiciary. 
• Secure and Fortify Electronic Data Act, H.R. ___ (Rep. Bono Mack): discussion draft released June 13, 2011.  Hearing held by the House Subcommittee on Commerce, Manufacturing, and Trade.
• Data Security and Breach Notification Act, S. 1207 (Sens. Pryor and Rockefeller): introduced June 15, 2011.  Referred to the Senate Committee on Commerce, Science, and Transportation. 

Geolocation privacy:

• Geolocation Privacy and Surveillance Act, H.R. 2168 (Reps. Chaffetz and Goodlatte): introduced June 14, 2011.  Referred to the House Committee on the Judiciary and the House Committee on Intelligence (Permanent Select). 
• Geolocation Privacy and Surveillance Act, S. 1212 (Sen. Wyden): introduced June 15, 2011.  Referred to the Senate Committee on the Judiciary. 
• Location Privacy Protection Act of 2011, S. 1223 (Sens. Franken and Blumenthal): introduced June 16, 2011.  Referred to the Senate Committee on the Judiciary. 

ECPA:

• Electronic Communications Privacy Act Amendments Act of 2011, S. 1011 (Sen. Leahy):  introduced May 17, 2011.  Referred to the Senate Committee on the Judiciary. 

Financial privacy:

• Financial Information Privacy Act of 2011, H.R. 653 (Reps. Speier, Hastings, and Filner): introduced Feb. 11, 2011.  Referred to the House Subcommittee on Financial Institutions and Consumer Credit. 

The Commerce Department is calling for the creation of nationally recognized, voluntary codes of conduct to help strengthen cybersecurity protections for online businesses.  The Department issued its recommendations in a green paper on “Cybersecurity, Innovation and the Internet Economy,” which was released on June 8, 2011.  As noted in today’s Federal Register, the Department will be accepting comments on the green paper until August 1, 2011. 

As we discussed last month, one element of the White House’s recent legislative proposal for cybersecurity focuses on core critical infrastructure operators such as the electricity grid, the financial sector, the water system, and transportation networks.  The Commerce Department’s report complements the legislative proposal by concentrating on another sector of the economy – what the report calls the Internet and Information Innovation Sector (“I3S”).  The I3S encompasses businesses that create or utilize the Internet or networking services and have a large potential economic impact, including electronic retailers, social networking sites, cloud computing firms, and online transactional service providers.

Continue Reading

The House Energy and Commerce Commerce has announced plans for a “comprehensive review” of privacy and data security regulation.  The announcement explained that the “first phase” of the Committee’s review would be devoted to an assessment of the need for data security legislation.  The committee will then consider what Chairman Fred Upton referred to as “the more complex questions about individual privacy in the digital era.” 

There has already been considerable activity on the data security front in the Committee, with members Cliff Stearns and Bobby Rush proposing broad legislation and Mary Bono Mack pledging to do the same.  Much of this activity has taken place in the Subcommittee on Commerce, Manufacturing and Trade Subcommittee (of which Stearns and Rush are members and Bono Mack is chair).  But in the press release outlining the agenda , Rep. Greg Walden, who chairs the Communications and Technology Subcommittee, also weighed in on the importance of the issues surrounding data protection.   It remains to be seen whether this Subcommittee-- which has been involved in privacy and data security issues in past Congresses--will become more involved in this Congress. 

On a related note, the Commerce, Manufacturing and Trade Subcommittee held a hearing on data security yesterday.  We will discuss that hearing in a subsequent post. 

The Federal Communications Commission (FCC) recently launched a website devoted to helping small businesses with cybersecurity.  The site offers tips for small businesses facing online security issues and provides links to other sources of guidance.  The tips apply to all small businesses, not just those operating in fields subject to FCC regulation.  The launch coincides with the growing attention being paid to cyber-threats to small businesses.

By David Fagan and Josephine Liu

The Obama Administration today sent Congress its long-awaited legislative proposal for improving U.S. cybersecurity.  The proposal is in the form of individual legislative amendments tackling various issues, packaged together as a comprehensive legislative framework.  As we previously discussed, cybersecurity is a subject of interest in both chambers of Congress.  Senate Majority Leader Harry Reid and six Senate committee chairs requested last July that President Obama provide input on cybersecurity legislative reforms; today’s proposal responds to that request. 

While the legislative proposals are extensive – the complete section-by-section analysis is, on its own, more than 20 pages – the following provisions are likely to be of particular interest for businesses operating in this space:

• National data breach notification.  The proposals would seek to create, for the first time, a unified federal standard for notification to customers in the event of a security breach.  Specifically, business entities would be required to notify customers following the discovery of a security breach involving sensitive personally identifiable information, and also to notify law enforcement and national security authorities under certain circumstances.  These provisions would preempt the 47 existing state data breach notification laws, and would be enforced by the FTC and state attorneys general. 
• Development of critical infrastructure cybersecurity plans.  DHS would work with industry, through a rulemaking process, to identify core critical infrastructure operators and specific risks.  An entity would not be designated as a critical infrastructure operator unless (1) disruption of the entity’s operations would have a debilitating effect on national security, national economic security, or national public health or safety; and (2) the entity depends on information infrastructure to operate.  Operators designated under this process would be responsible for developing cybersecurity risk mitigation plans, which would be assessed by third-party auditors.  DHS would be authorized to enter into discussions or take other action if operators’ plans are insufficient. 
• Voluntary sharing of cybersecurity threat information.  The proposal would authorize private entities to share cybersecurity threat information with DHS, and would provide them with immunity for doing so.  DHS would be tasked with developing policies and procedures to minimize the impact on privacy and civil liberties and to prevent misuse of the shared information. 

Continue Reading

By David Fagan & Libbie Canter

Last week, Congressman Bobby Rush (D-Ill.) reintroduced the Data Accountability and Trust Act (H.R. 1707).  During the 111th Congress, the House of Representatives approved the same measure by voice vote, but the legislation, introduced in the Senate by Senators Jay Rockefeller (D-WV) and Mark Pryor (D-Ark.), did not make it out of the Senate Commerce Committee before the end of the session.  The legislation would create a federal breach notification standard and authorize the FTC to promulgate information security and data disposal regulations.

• Scope.  The legislation covers persons engaged in interstate commerce, with certain additional requirements applicable to information brokers.  The provisions generally apply to the ownership or possession of personal information, which is defined as a person’s “first name or initial and last name, or address, or phone number, in combination with any 1 or more of [certain] data elements.”  Those data elements include social security number, driver’s license number, other government-issued identification numbers, and financial account numbers. 
• Breach Notification.  Following discovery of any unauthorized acquisition or access to electronic data containing personal information, businesses typically would be required to notify the FTC and any resident of the United States whose personal information was acquired or accessed.  Where notice is required to 5,000 or more individuals, the major credit reporting agencies would also need to be notified.
  • Timing.  Under the bill, notification would be required not later than 60 days following discovery of the breach, with a limited number of exceptions available.
  • Content Requirement.  Consumer notifications would be required to include the date of the breach; a description of the personal information accessed; a telephone number for further inquiries; notice that the individual is entitled to receive certain credit protection products at no charge (which the Act would require businesses to furnish); and contact information for the major credit reporting agencies and the FTC.
  • Obligation to Furnish Credit Products.  The bill indicates businesses will be required to provide or arrange for the provision of free consumer credit reports on a quarterly basis and credit monitoring to affected individuals for a period of two years following a breach.  The bill directs the FTC to promulgate rules with respect to the circumstances in which such credit products will be required to be offered.
  • Risk of Harm.  There is no notification requirement or other obligations on a business if it determines there is no reasonable risk of identity theft, fraud, or other unlawful conduct.  This is presumed to be the case if the data is encrypted or otherwise unreadable, although the bill directs the FTC to promulgate regulations on the technologies that adequately render data unreadable.
  • Service Providers.  Third parties contracted to maintain or process data and service providers would be required to notify the owner of the information, which would then have the obligation to notify the FTC and consumers.

Continue Reading

The FTC has announced settlements with both Ceridian Corporation and Lookout Services, Inc., which the FTC charged with committing unfair and deceptive trade practices. According to the FTC, Ceridian and Lookout claimed they would take reasonable measures to secure the sensitive consumer data they maintained, but failed to do so. The FTC appears to have become aware of security inadequacies after both companies experienced data breaches that affected tens of thousands of consumers.

The security problems cited by the FTC included the indefinite retention of sensitive data in readable text without a business need, the failure to require strong user passwords that are periodically changed, and the failure to provide adequate employee training.

The settlement orders prohibit misrepresentations about the privacy, confidentiality, or integrity of any personal information collected from or about consumers. They further require the companies to implement a comprehensive information security program and to obtain independent, third party security audits every other year for 20 years.

California state Senator Joe Simitian (D-Palo Alto) certainly can be credited with persistence when it comes to expanding California’s data breach notification law, and with Jerry Brown replacing Arnold Schwarzenegger as governor, the fourth time may be the charm.  On April 14, 2011, the California State Senate voted to approve Senate Bill 24, which now moves to the State Assembly for consideration.

The new legislation would amend California’s existing security breach notification requirements by:

• Establishing standard content requirements for data breach notifications to California residents, including the type of information breached, the time of breach, and a toll-free telephone number of major credit reporting agencies; and
• Requiring public agencies, business, and individuals subject to California’s security breach notification law to send an electronic copy of the breach notification to the California Attorney General, if more than 500 Californians are affected by a single breach.

Continue Reading

On Friday, the Obama Administration unveiled the final draft of its ambitious National Strategy for Trusted Identities in Cyberspace (NSTIC), which seeks to develop new and more secure systems for identity authentication online, creating  new “Identity Ecosystem.”  Secretary of Commerce Gary Locke as well as other officials unveiled the NSTIC (pronounced “en-stick”), which is signed by President Obama, at an event at the U.S. Chamber of Commerce.

As the NSTIC explains, on the Internet as it exists today, individuals must maintain numerous passwords for different websites which they use.  This imposes risks and burdens on consumers and businesses alike.  Moreover, the NSTIC describes how the absence of highly reliable authentication methods has hindered the ability of high-risk sectors like health and finance to migrate their services online.

Continue Reading

Email marketing company Epsilon announced last week that its databases had been hacked, compromising customer names and e-mail addresses for a number of major companies that outsource their marketing communications to Epsilon.

The Epsilon data breach illustrates some of the security challenges when dealing with cloud computing environments.  Although there are security risks associated with any outsourcing solution, the potential effect of a breach is magnified in a multi-tenant cloud.  Only 2% of Epsilon’s estimated 2,500 clients were affected by the attack, and that still amounted to millions of exposed records.  According to one estimate, the total number of affected individuals could be as high as 100 million. 

Dave Frankland of Forrester Research observes that this incident may cause companies to question whether a multi-tenant deployment model is the best way to process customer data, given that a single breach can give a perpetrator access to a wealth of data. 

Continue Reading

A few months ago, the Obama Administration introduced its National Strategy for Trusted Identities in Cyberspace (NSTIC), an ambitious proposal to implement public-private partnerships to implement a new mechanism for identity verification and information sharing online.  The plan has been controversial.  Although there have been many legitimate criticisms of the proposal, other objections, such as that the plan would mandate a single national online ID, appear to be based on misunderstandings.

To help combat the latter set of objections, the National Institute of Standards and Technology (NIST), which will help implement the plan, released a brief and helpful animation explaining the proposal:

The government's efforts at forwarding the NSTIC come at a time when there are signs of increasing private interest in data portability involving sensitive information.  For instance, tech news blog TechCrunch recently described a new startup called "Stripe," reportedly backed by Silicon Valley heavy-hitters, as a new competitor with PayPal, Google Checkout, and similar services that offer centralized sources for consumers to make payments to websites and online applications.

Speaking at today’s Senate Commerce Committee hearing on “The State of Online Consumer Privacy,” Assistant Secretary of Commerce Lawrence E. Strickling stated that the Obama administration supports comprehensive privacy legislation.  As we noted in yesterday’s post, this announcement represents a shift in Administration policy.  Although in its December 2010 “Green Paper,” Commerce recommended that consumers’ online activities be subject to greater protections, the Department stopped short of embracing baseline legislation as the way to ensure such protections.  Strickling explained today that after reviewing the dozens of comments submitted in response to the Green Paper, the Department concluded that privacy legislation should be the foundation of the U.S. privacy framework.

Continue Reading

According to the annual Ponemon Institute survey report released March 8, 2011 in 2010, U.S. companies affected by data breaches incurred an average cost of $7.2 million per incident.  (In comparison, in 2009, companies reported an average cost of $6.75 million).  The Ponemon survey identified a number of other interesting trends:

• Companies are responding to data breaches and notifying individuals more quickly than in years past, but that corresponds to higher costs for companies.
• There are fewer breaches due to systems failures, lost or stolen devices and third-party mistakes, but more than a third of all breaches involve malicious or criminal attacks. 
• The drop in breaches from systems failures may be related to increasing efforts on the part of companies to prevent and mitigate breaches through new and increased use of security technologies, such as encryption, and compliance with security policies. Additionally, more organizations are putting Chief Information Security Officers in charge of breach response.

Parallel with industry efforts to respond to data breaches, a number of state legislatures -- including Colorado, Hawaii, and Illinois -- have been reviewing and considering amendments to their breach notice laws.  We will continue to monitor and provide updates on those developments.

Taiwan's revised Data Protection Act, which is not yet formally effective, is the first privacy-specific statute in the APAC region to contain an enforceable requirement to notify individuals of a data breach incident.  To date, no other privacy legislation in the Asia region has imposed an enforceable legislative requirement to communicate a data breach incident to individuals.  

A few notable aspects of the legal obligations are as follows:

• The relevant provision requires that, where a public or private sector agency "violates any provision" of the Act, "such that personal data is stolen, disclosed, altered or otherwise impaired," then "the agency, after investigating shall notify the subjects by appropriate means."
• The requirement does not extend to every breach occurrence, only those that constitute an actual violation of the Data Protection Act. 
• Certain aspects of the data breach provision remain unclear, such as the extent to which organizations may delay the issuance of notices while investigating an incident.
• There does not appear to be any requirement to notify any supervisory body of the breach incident.  Indeed, the Data Protection Act does not name any a single body with oversight over or enforcement responsibility for the Data Protection Act.  It appears that enforcement has been left to individual industry ministries, as is the case in Japan.

Hawaii legislators have introduced several bills to amend the state’s data breach notice law.  Two of these legislative measures would eliminate the “risk of harm” trigger for breach notification in Hawaii.  Currently, notice to Hawaii consumers is required only “where illegal use of the [breached] personal information has occurred, or is reasonably likely to occur and that creates a risk of harm to a person.” 

A number of state breach notice laws have such provisions, and industry commenters responding to the Department of Commerce’s Green Paper on “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework” have argued that breach notice should be required only when there is a significant risk of harm to individuals.  These commenters argue that breach notice should be limited in this manner to prevent unduly alarming consumers and to avoid the dilution of breach notification for those cases in which a significant risk of harm does exist.  In contrast to this approach, legislative measures in Hawaii would eliminate any “risk of harm” trigger for breach notification. 

Specifically, these legislative measures would amend Hawaii’s breach notification requirements in the following respects:

Continue Reading

In testimony before a House Judiciary subcommittee on Tuesday, Jason Weinstein (Deputy Assistant Attorney General for the DOJ Criminal Division) emphasized the importance of data retention from internet and cell phone service providers in fighting crime.  He invited Congress to consider legislation that would strengthen data retention standards.  Weinstein offered several examples of federal and state investigations that were stymied due to service providers’ inability to produce user records.  In many instances, service providers had short or non-existent retention periods. 

Currently, service providers are required to preserve user records only after receiving a request from law enforcement.  There is no independent obligation to preserve user records for a fixed amount of time.  Weinstein acknowledged that data retention requirements can be costly for service providers, but he said that leaving the decision up to providers did not properly account for the public safety interest in data retention.  Chairman of the Judiciary Committee Lamar Smith (R-TX) was generally supportive of the DOJ’s request.

Hot on the heels of its report on data breach notifications in the EU, the EU's cyber security regulator, ENISA, published yesterday a new report on cloud computing in the government.  The report is targeted at senior managers of public bodies who are considering cloud computing platforms and services, and it aims to highlight the pros and cons of different cloud models with regard to information security and resilience.  The report summarizes relevant legal and regulatory considerations, and bases its analysis and conclusions on the examples of a healthcare authority and local public administration migrating to the cloud, and the creation of a governmental cloud infrastructure.

The report acknowledges that cloud computing has the potential to offer public administrations substantial benefits and improvements over current IT provisioning, such as increased availability and reliability, stronger security and better value.  However, the report recommends private and community clouds over public clouds, and ultimately urges European governments to adopt a staged approach in integrating cloud computing into their operations.

The White House is establishing a new office to work with industry to develop an online “identity ecosystem” in which consumers and businesses can transact securely and privately without the need for passwords.  U.S. Commerce Secretary Gary Locke and White House Cybersecurity Coordinator Howard Schmidt recently announced plans to create the new “National Program Office,” which will be housed within the Department of Commerce.  The new office’s goals will be to support the creation of privately-implemented identity standards in collaboration with industry and the public. 

According to the announcement, the Administration envisions that users could choose to use login credentials from competing private providers and select a level of disclosure appropriate for a particular transaction.  For instance, a user could, employing the same credential provider, choose a pseudonym to write a blog comment but reveal key identity-verifying information to her medical care provider.  Contrary to some overheated headlines, Secretary Locke took pains to emphasize that the plan will not create a single “national ID,” nor will participation be mandatory. 

The new National Program Office will be in charge of implementing the forthcoming National Strategy for Trusted Identities in Cyberspace (NSTIC), which will detail the Obama Administration’s plan.  (A draft [PDF] of the NSTIC was released in June 2010.)  In the upcoming months, the Commerce Department will release the final version of the NSTIC and host a conference on the topic.

The “identity ecosystem” has the potential to eliminate the need for website-specific passwords online, facilitating new forms of interaction and shifting responsibilities and roles in data storage.  Social networking, advertising, online health and financial services, and user-generated content may especially be affected.  However, the proposal also implicates issues of privacy, cybersecurity, and civil liberties, and some early reactions have questioned whether it is appropriate for the government, as distinguished from private industry, to have a significant role in establishing uniform online identities.  Apparently to address that criticism, the Administration has signaled that it is eager for suggestions from industry in developing rules to shape the identity ecosystem.  As the National Program Office begins to offer opportunities for input, businesses should consider accepting the invitation.

Michigan Governor Jennifer Granholm has signed a legislative measure [PDF] that amends the state’s 2004 Identity Theft Protection Act (the “ITPA”).  The measure, which was enacted to combat phishing scams and other online fraud, amends the ITPA in several significant respects:

• The new legislation makes it unlawful to gather personally identifying information through e-mail, a website, altered computer settings, or a software program under false pretenses or by misrepresenting one's association with a business.  This conduct is proscribed regardless of whether the violator intends to commit identity theft or another crime.  However, there is an exception for law enforcement officers engaged in lawful investigation.
• The enactment strengthens criminal penalties under the ITPA and creates a civil right of action with statutory damages for the Attorney General and any interactive computer service provider harmed by a violation.
• The law also exempts interactive computer service providers from liability under any Michigan law for removing or disabling access to an Internet domain name or to Internet content that the provider believes in good faith is engaged in a violation of the ITPA.

In 2009, 12 percent of EU businesses suffered security incidents due to hardware or software failures, according to a study released by Eurostat, the statistical office of the European Commission.  By contrast, incidents involving the destruction or corruption of data due to malicious software infection or unauthorized access were only reported by five percent of enterprises.  One percent of enterprises suffered a loss of data because of intrusion, pharming or phishing attacks.  The study also found that 50 percent of EU companies use a strong password (8 or more characters that are a mix of uppercase, lowercase, alphanumeric and special characters) or a hardware token to protect data.

The report has been issued as network and information security is once again moving onto the agenda of EU policy makers.  Parliament is expected to begin considering beefed-up legislation on cyber crime in the new year.  A breach notification provision applicable to all EU businesses is also widely anticipated to be included in the Commission's proposals to amend the Data Protection Directive, which are expected in the summer of 2011.

Last week, the Ninth Circuit issued two opinions in connection with the theft of an unencrypted laptop that contained personal information about Starbucks employees.  First, the court held in a published opinion that Starbucks employees whose names, addresses and Social Security numbers were on the stolen computer could show that they had suffered enough injury to sustain their claim for purposes of getting into federal court.  Specifically, the court found that the increased risk of identity theft satisfies the requirement that plaintiffs show an injury so long as there is a “credible threat of harm” that is “both real and immediate, not conjectural or hypothetical.”  The court also found that “generalized anxiety and stress” are other kinds of harm that could satisfy the requirement.

Although the Starbucks employees satisfied the injury requirement, a second, unpublished Ninth Circuit opinion issued the same day indicated that they had not shown damages -- a key issue in privacy litigation.  “The mere danger of future harm, unaccompanied by present damage, will not support a negligence action,” held the court. (We have elsewhere reported on the challenges that individuals affected by security breaches face in establishing damages.)  The Ninth Circuit also found that the Starbucks employees failed to show the existence of an implied contract under Washington law.