Cyber Theft Bill Introduced by Bipartisan Group of Senators

On Tuesday, Senators Carl Levin (D-MI), John McCain (R-AZ), Jay Rockefeller (D-WV), and Tom Coburn (R-OK) introduced the “Deter Cyber Theft Act.”

The Act would require the Director of National Intelligence (“DNI”) to provide the relevant congressional committees with an annual report on “foreign economic and industrial espionage in cyberspace.”  The report would have to identify “foreign countries that engage in economic or industrial espionage in cyberspace with respect to trade secrets or proprietary information owned by United States persons” and, among them, “priority foreign countries,” those the DNI “determines engage in the most egregious economic or industrial espionage in cyberspace.”  The bill specifies that a foreign country must be identified under the Act if its government “engages in economic or industrial espionage in cyberspace with respect to trade secrets or proprietary information owned by United States persons” or “facilitates, supports, fails to prosecute, or otherwise permits such espionage by” its citizens or residents or entities organized under its laws or subject to its jurisdiction.

BYOD's Rapid Growth Presents New Legal Challenges

Companies are increasingly allowing employees to access work email and apps on their personal devices, according to a new Gartner survey of chief information officers.  But employers confront many tough policy and legal questions when they adopt Bring Your Own Device (“BYOD”) programs.

Thirty-eight percent of the CIOs said that their organizations will stop providing laptops, smartphones, and tablets to workers by 2016.  Those employees will have to access work networks via their personal devices through BYOD programs.  Forty-five percent of the CIOs expect to require BYOD by 2020.

“Everybody in every industry is looking at how they can leverage the Bring Your Own Device program,” David Willis, Gartner’s Chief of Research for Mobility and Communications, stated on a web conference today.

According to the survey, employers in the United States and Asia-Pacific region lead BYOD adoption, while Europe lags behind.

BYOD programs present substantial savings for employers, Willis said.  Although employers typically reimburse employees for part of their monthly smartphone bills, those payments are not nearly as high as the costs of employer-issued devices, he said.  Additionally, he noted that many employers offer BYOD programs to meet the “incredible employee demand for using the device they prefer in work.”

Before offering BYOD, Willis said, employers should carefully examine all legal implications, including the taxation of device stipends, whether labor laws prohibit hourly employees from responding to work emails after-hours, and data security and privacy laws.  In particular, Willis noted that employees must be aware that if litigation arises, the employees may be required to turn over their devices during discovery.

Covington Files Comments on Cybersecurity Incentives

Executive Order 13,636 on Improving Critical Infrastructure Cybersecurity directs the National Institute of Standards and Technology (“NIST”) to develop a Cybersecurity Framework of standards, methodologies, and processes for addressing cybersecurity risk.  It also charges the Department of Homeland Security with developing a Critical Infrastructure Cybersecurity Program to promote adoption of the Cybersecurity Framework by critical infrastructure entities.  To facilitate these initiatives, the Executive Order instructs the Secretaries of Homeland Security, Treasury, and Commerce to recommend incentives to promote participation in the Program.

On March 28, the Department of Commerce, through the Office of the Secretary, NIST, and the National Telecommunications and Information Administration (“NTIA”), issued a Notice of Inquiry regarding “Incentives To Adopt Improved Cybersecurity Practices.”  Yesterday, representatives of Covington & Burling LLP and The Chertoff Group filed comments in response to the Notice of Inquiry.  The comments set out several principles for the Department of Commerce to consider in structuring incentives for participation in the Program.  The comments are based on the professional experience of the representatives and are not offered on behalf of any client of either firm or any other entity.

All of the comments submitted in response to the Notice of Inquiry are available on the NTIA website.

Cyber Intelligence Sharing and Protection Act Passes House Intelligence Committee

In a vote Wednesday afternoon, the House Permanent Select Committee on Intelligence passed the Cyber Intelligence Sharing and Protection Act (“CISPA”).  Eighteen Representatives voted in favor of the bill, and two--Rep. Adam Schiff (D-CA) and Rep. Jan Schakowsky (D-IL)--voted against.

The Committee adopted amendments that Chairman Mike Rogers (R-MI) and Ranking Member Dutch Ruppersberger (D-MD) outlined on Monday in response to privacy and other concerns voiced about the bill.  In particular, amendments were adopted to eliminate a provision enabling the government to use shared information for broad “national security purposes,” to require the government to remove personally identifiable information from information shared pursuant to the bill, and to clarify that the bill does not allow companies to “hack back” entities that engage in cyber theft.

The panel did not adopt amendments offered by Representatives Schiff and Schakowsky.  Those amendments would have required private sector entities to remove personally identifiable information before sharing data with the government, limited liability protection available to companies that share information, and required information to be shared first with a civilian agency, rather than the National Security Agency.

Federal Reserve Releases Report of Mobile Banking and Mobile Payments Use

On March 27, 2013, the Federal Reserve released a report on consumers’ use of mobile banking and mobile payments.  The report follows a similar report issued by the Federal Reserve last year.  The report found that use of mobile banking has increased significantly in the past year, and that use of mobile payments has increased as well.

As of November 2012, 28 percent of all mobile phone users (compared to 21 percent in December 2011) and 48 percent of smartphone users (compared to 42 percent in December 2011) had used mobile banking in the past 12 months.  The recent report found that 15 percent of all smartphone users have made a payment from their phone in the past 12 months, compared to 12 percent of users from the prior report.  In addition, the use of mobile phones to deposit checks has doubled in the past year, rising from approximately 10 percent to 21 percent.      

The most common uses of mobile banking are to check account balances or recent transactions (87 percent of users) and to transfer money between accounts (53 percent of users).  The most common use of mobile payments is to make online bill payments (42 percent of users).  Six percent of all smartphone users have made a point-of-sale payment using their phone in the past 12 months, which represents a sizable increase from the one percent of users in December 2011. 

Reflections on Legal and Policy Developments in Cybersecurity

By David N. Fagan and Kristen E. Eichensehr 

On March 28, our firm hosted an event, co-sponsored with The Chertoff Group, on Legal and Policy Developments in Cybersecurity.  The event featured keynote addresses by former Secretary of Homeland Security Michael Chertoff, now Senior Of Counsel with Covington and founder of The Chertoff Group, and Representative Mike Rogers (R-MI), Chairman of the House Permanent Select Committee on Intelligence (“HPSCI”) and principal sponsor of the Cyber Intelligence Sharing and Protection Act (“CISPA”), which passed the House last year and is expected to be re-introduced and voted upon in HPSCI soon. 

The program also included a panel discussion examining the scope of the cybersecurity threat confronting the government and private sector; how law, regulation, and policy may address the threat; and certain competing policy imperatives, including balancing security and economic considerations.  The panel included three partners at Covington -- David Fagan (who moderated), John Veroneau (international trade), and Robert Nichols (government contracting) -- along with Prescott Winter, Managing Director of the Chertoff Group; James Mulvenon of Defense Group, Inc.; and Scott Aaronson of the Edison Electric Institute. 

As Congress moves toward votes on cybersecurity legislation, we thought it would be timely to offer some reflections on the program and panel discussion.  In particular, while cybersecurity is a topic du jour in Washington and the press, the program sought to dig deeper than the headlines, unpack the complexity of cybersecurity, and explore how the interconnection of systems and the related threats impact various legal, policy, and business considerations.  The following are some observations from the event:

Amendments Expected for Cyber Intelligence Sharing and Protection Act

By David N. Fagan and Kristen E. Eichensehr 

In a call with reporters Monday, Representatives Mike Rogers (R-MI) and Dutch Ruppersberger (D-MD), respectively the Chairman and Ranking Member of the House Permanent Select Committee on Intelligence (“HPSCI”), announced several planned amendments to the Cyber Intelligence Sharing and Protection Act (“CISPA”).  The bill is expected to come to a vote in HPSCI on Wednesday.

CISPA passed the House last April, despite opposition by privacy groups and a veto threat by the White House.  Congressmen Rogers and Ruppersberger intend to use amendments to alleviate the concerns that derailed the bill last year.  Specifically, press reports indicate that the amendments will:

  • Eliminate a provision that would have allowed government agencies to use shared cybersecurity information for “national security purposes”;
  • Allow private companies to use cybersecurity information they receive from the government only for cybersecurity purposes;
  • Require the government to remove personally identifiable information from information shared pursuant to the Act; and
  • Clarify that CISPA does not authorize hacking in retaliation for cyber theft, as some had alleged.

The list of amendments does not include one Rep. Adam Schiff (D-CA) intends to offer that would require companies to remove personally identifiable information from data before sharing it with the government.

5 Privacy and Data Security Measures That Can Protect Your Company Against Trade Secret Theft

At a recent forum in New York, a team of Covington lawyers addressed the growing concern among companies that their most valuable assets could leave the building on a thumb drive in an employee’s pocket or be disclosed through an employee’s use of a social media site.  Addressing this threat involves many disciplines beyond trade secret law, including employment, employee benefits and executive compensation, white collar crime, corporate and securities, insurance coverage, and crisis management.  This post identifies five proactive ways in which companies can use comprehensive privacy programs and robust data security measures to help prevent and respond to an insider’s intentional or inadvertent disclosure of confidential company information.

  1. Internal Privacy and Data Security Principles:  By specifying how the company collects, uses, discloses, and protects personal data of its customers and employees, internal privacy and data security policies can help companies identify who needs access to confidential data, how this data should be secured, and procedures for effectively deleting or destroying data once it is no longer needed by the company. 
  2. Internet Access and Use Policies:  Many companies implemented employee policies in the 90s governing how employees may access and use the Internet and the company’s computer networks.  However, these policies should be updated as new technologies that may increase the disclosure of confidential company information, such as peer-to-peer programs and third-party mobile applications, emerge.   
  3. Social Media Policies:  Social media policies typically govern how employees may use social media for work purposes, and, in some cases, set forth guidelines for employee use of personal social media accounts as well.  While these policies help to remind employees that they should be cautious when using social media to avoid the disclosure of confidential or proprietary company information, employers need to ensure that these policies are consistent with federal labor laws and state laws restricting an employer’s ability to request access to an employee’s personal online accounts.
  4. Robust Protections in Service Provider Agreements:  Confidentiality clauses and nondisclosure agreements with service providers are common and important.  But robust privacy and data security provisions can provide additional protection and mitigate the risk of a breach, especially where the service provider will handle your customer’s personal information.   
  5. Bring Your Own Device (“BYOD”) Policies:  Employers increasingly are allowing employees to use their personal smartphones, tablets, and other devices to access work e-mail accounts and the employer’s computer network.  While both employers and employees can benefit from this approach, companies need to make sure that their bring-your-own-device policies provide employees adequate notice and allow employers to implement appropriate data security measures, such as remote wiping tools.

German Government Proposes Cybersecurity Law

Following the German Government’s adoption of a cybersecurity strategy back in February 2011, and only a couple of weeks after the publication of the European Commission’s CyberSecurity Strategy and proposal for a Directive on Network and Information Security (see InsidePrivacy EU Adopts CyberSecurity Strategy and Proposes Network and Information Security Directive, February 7, 2013), Germany has put forward its own proposal for a cybersecurity law.

On 5 March 2013, the German Interior Minister, Hans-Peter Friedrich, presented a draft IT Security Act, which would impose certain minimum IT security standards on operators of critical infrastructure as well as telecommunications and information society service providers.  The measure would introduce mandatory reporting obligations.

New ICO Guidance Offers Employers Practical Advice on Implementing Safer "Bring Your Own Device" Policies

On 7 March 2013, the UK Information Commissioner’s Office (ICO) issued new guidance on the use of personal devices for business purposes. The guidance is largely informed by a survey commissioned by the ICO and carried out by the market research firm YouGov. According to the survey, 47% of adults in the UK use personal smart mobile phones, laptops or tablets for work purposes, but less than 30% are given guidance on secure use and the risks relating to personal data loss or theft.

UK companies have in recent years been increasingly amenable to allowing employees to use personal devices for business purposes, a practice known as “bring your own device” to work, or BYOD. The driving forces behind the trend for BYOD include cost considerations and a rise in flexible working practices. The ICO guidance reminds employers that their responsibilities as data controllers apply equally in the context of BYOD. In other words, employers remain liable for any data loss, theft, or damage to personal data that occurs, regardless of whether processing takes place in their secure corporate IT environment or on the personal devices of their employees.

FTC Issues Report on Mobile Payments

Last Friday, the Federal Trade Commission released a report, Paper, Plastic…or Mobile?, on the use of mobile payments.  The report follows a workshop hosted by the FTC in April 2012 that explored innovative mobile payment products and services, the potential benefits offered by mobile payments, and the concerns they raise.  For purposes of the report, mobile payments generally include four types of payment processes:  (1) near field communication (NFC) technologies, (2) mobile applications, (3) online checkout wallets, and (4) mobile carrier billing (charging of payments directly to a mobile phone bill).

The report focuses on the primary areas where the increasing use of mobile payments raises concerns, including dispute resolution, data security, and privacy.  The report also highlights special concerns regarding mobile carrier billing and international mobile payments.

HTC America Settles FTC Charges It Failed to Secure Mobile Devices

Mobile device manufacturer HTC America has settled Federal Trade Commission (“FTC”) charges that the company failed to take reasonable steps to secure the software it developed for its smartphones and tablet computers, introducing security flaws that placed sensitive information about millions of consumers at risk.  The settlement requires HTC America to develop and release software patches to fix vulnerabilities found in the HTC devices.  The settlement also requires the company to establish a comprehensive security program designed to address security risks relating to the development of HTC devices and to undergo an independent security assessment every other year for the next 20 years.

HTC America develops and manufactures mobile devices based on the Android, Windows Mobile, and Windows Phone operating systems.  The FTC charged that the company failed to employ reasonable and appropriate security practices in both the design and customization of the software on its mobile devices. Among other things, the complaint alleged that HTC America failed to: provide its engineering staff with adequate security training; review or test the software on its mobile devices for potential security vulnerabilities; follow well-known and commonly accepted secure coding practices; and establish a process for receiving and addressing vulnerability reports from third parties.

The FTC’s complaint ties these alleged failures to several concrete vulnerabilities found on HTC’s devices, including the insecure implementation of two logging applications, Carrier IQ and HTC Loggers, as well as programming flaws that would allow third-party applications to bypass Android’s permission-based security model.  As a result, the FTC charged, millions of HTC devices exposed sensitive functionality, potentially permitting malicious applications to send text messages, record audio, and even install additional malware on a consumer’s device without the user’s knowledge or consent.
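
One well-known way a third-party app bypasses Android’s permission model is permission re-delegation: a pre-installed app that holds a dangerous permission exports a component that performs the privileged action for any caller, so an app that was never granted SEND_SMS can still send texts through it.  The code below is an added illustration of that flaw class and its fix; it is not code from HTC’s firmware or from the FTC complaint, and it assumes the bypass takes this form.  The package, class, extra and transaction names are hypothetical; only the android.* APIs are real.

```java
// Added illustration (not HTC or FTC code). Package, class, extra and
// transaction names are hypothetical; only the android.* APIs are real.
package com.example.smsproxy;

import android.app.Service;
import android.content.Intent;
import android.os.Binder;
import android.os.IBinder;
import android.os.Parcel;
import android.os.RemoteException;
import android.telephony.SmsManager;

/*
 * VULNERABLE pattern.  Assumed manifest (hypothetical):
 *
 *   <uses-permission android:name="android.permission.SEND_SMS" />
 *   <service android:name=".VulnerableSmsProxyService" android:exported="true" />
 *
 * The app holds SEND_SMS and exports a started service that sends a text for
 * whoever starts it.  onStartCommand runs from the main-thread message queue,
 * not inside a Binder call, so nothing in it can tell who the caller was, and
 * the system only enforces a permission on it if the manifest declares one.
 * Any app on the device, with no permissions of its own, can do:
 *
 *   Intent i = new Intent();
 *   i.setClassName("com.example.smsproxy",
 *                  "com.example.smsproxy.VulnerableSmsProxyService");
 *   i.putExtra("to", "5551234567").putExtra("body", "...");
 *   startService(i);
 *
 * and the text goes out under the proxy app's SEND_SMS grant.
 */
class VulnerableSmsProxyService extends Service {
    @Override
    public int onStartCommand(Intent intent, int flags, int startId) {
        String to = intent.getStringExtra("to");     // hypothetical extra names
        String body = intent.getStringExtra("body");
        if (to != null && body != null) {
            // Privileged action performed on behalf of an unidentified caller.
            SmsManager.getDefault().sendTextMessage(to, null, body, null, null);
        }
        stopSelf(startId);
        return START_NOT_STICKY;
    }

    @Override
    public IBinder onBind(Intent intent) {
        return null;
    }
}

/*
 * HARDENED pattern.  Assumed manifest (hypothetical):
 *
 *   <service android:name=".SmsProxyService"
 *            android:exported="true"
 *            android:permission="android.permission.SEND_SMS" />
 *
 * Two independent gates: the manifest attribute makes the system refuse the
 * bind unless the calling app holds SEND_SMS, and the Binder handler re-checks
 * the caller on every transaction.  Inside onTransact the calling identity is
 * the remote app's, so enforceCallingPermission is meaningful there.  If no
 * other app needs the proxy at all, android:exported="false" is the simpler fix.
 */
public class SmsProxyService extends Service {
    static final int TRANSACTION_SEND = IBinder.FIRST_CALL_TRANSACTION; // hypothetical

    private final IBinder binder = new Binder() {
        @Override
        protected boolean onTransact(int code, Parcel data, Parcel reply, int flags)
                throws RemoteException {
            if (code != TRANSACTION_SEND) {
                return super.onTransact(code, data, reply, flags);
            }
            // Throws SecurityException unless the calling app itself holds SEND_SMS.
            SmsProxyService.this.enforceCallingPermission(
                    android.Manifest.permission.SEND_SMS,
                    "caller uid " + Binder.getCallingUid() + " lacks SEND_SMS");
            String to = data.readString();
            String body = data.readString();
            if (to == null || body == null) {
                return false;
            }
            SmsManager.getDefault().sendTextMessage(to, null, body, null, null);
            return true;
        }
    };

    @Override
    public IBinder onBind(Intent intent) {
        return binder;
    }
}
```

The audit this suggests is the one the complaint says HTC lacked: list every component in the merged manifest with android:exported="true" (or with an intent-filter and no explicit exported value on older targets), and for each one ask which of the app’s own permissions it could re-delegate and where, in manifest or in code, the caller is checked.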

Report Links Cyberattacks on U.S. Companies to Chinese Military

On Tuesday, the U.S. cybersecurity firm Mandiant released a 60-page report detailing the activities of a hacking collective it claims has direct ties to China’s military. The firm has linked the collective to cyberattacks on more than 140 organizations across 20 industries worldwide since 2006.

Mandiant claims the activity—carried out by a group called the “comment crew”—can be traced to four networks near Shanghai, with some of the activity occurring in a nondescript building on Datong Road—the headquarters of Unit 61398, a secret wing of the People’s Liberation Army.

The report notes that the hackers have a “well-defined attack methodology,” that has enabled them to steal large volumes of intellectual property, including technology blueprints, proprietary manufacturing processes and business plans.

In the wake of the report, two recent victims of cyberattacks—The New York Times and The Wall Street Journal—have published editorials that are outwardly critical of China. Both publications pressed President Obama to confront China more aggressively and publicly on its cyber espionage.

President Obama Issues Cybersecurity Executive Order

In his State of the Union message on Tuesday, President Obama announced that he had signed an Executive Order addressing the cybersecurity of  critical infrastructure.  President Obama emphasized that in the face of threats to corporate secrets, the power grid, and financial institutions, among others, “We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”

The Executive Order follows legislative efforts in the last Congress to pass comprehensive cybersecurity bills.  After the Cybersecurity Act of 2012 (S. 3414) failed to pass in August 2012, Deputy National Security Adviser John Brennan mentioned in an appearance at the Council on Foreign Relations that the President was considering issuing an Executive Order to implement portions of the cybersecurity legislation.  In the subsequent months, the White House sought industry input on the Order.

The Order has two main components: increasing information sharing from the government to the private sector and establishing a Cybersecurity Framework to buttress the security of critical infrastructure. 

ICO fines Sony £250,000 following the 2011 Playstation Network Platform data breach

On 24 January 2013, the UK Information Commissioner’s Office (ICO) announced that Sony Computer Entertainment Europe Limited (Sony) would be fined £250,000 following a data breach of the Playstation Network.  The breach occurred in 2011 when hackers accessed the personal details of “millions” of Playstation Network customers, including names, dates of birth, passwords, and other categories of data. 

Following an investigation, the ICO declared that the breach had been “preventable” had software been kept up to date, and stated that “[Sony] is a business that should have known better”. 

The monetary penalty notice redacts key details of the breach -- such as the precise number of Sony Playstation accounts affected -- but nevertheless reveals interesting details about how the ICO reached its decision to fine Sony £250,000, which other companies should note.

In particular, the notice cites aggravating factors, including, for example, the “vast amount” of personal data affected and the ICO’s belief that Sony “should have been aware of the software vulnerability” that led to the breach.  The notice also cites mitigating factors that presumably reduced the scale of the fine, including, for example, the complexity of the Sony Playstation Network, a lack of previous security breaches, the fact that Sony received no complaints after the breach, and Sony's behaviour following the breach (Sony voluntarily reported the breach to the ICO, informed data subjects, and fully cooperated in the investigation).

The ICO also released a short YouTube video of David Smith, Deputy Commissioner and Director of Data Protection at the ICO, commenting on the breach.

Key Takeaways from the California AG's Mobile Apps Report

Yesterday, California Attorney General Kamala Harris continued her efforts to promote privacy best practices in the mobile app ecosystem by issuing a number of recommendations in her report, “Privacy on the Go.”  The report encourages app developers, platform providers, ad networks, OS developers, and even mobile carriers to incorporate privacy by design into their products and services and provides detailed suggestions on how to do so.  Importantly, the report notes that its recommendations in many cases go beyond what’s currently required by law; they are, for the most part, best practices. 

As the report explains, “[t]he basic approach . . . is to minimize surprises to users from unexpected privacy practices.”  A practice is “unexpected” when it’s not “related to an app’s basic functionality” or when it involves “sensitive information.”  Minimizing surprises means limiting the collection and retention of data that is unrelated to the app’s core functionality; giving users “enhanced notice” (i.e., notice beyond what is provided in the developer’s general privacy policy) of unexpected practices; and giving users control over those practices.  (These concepts, if not the precise terminology, will be familiar to those who have read the FTC’s March 2012 report, which recommended that companies provide consumers with robust notice and meaningful choices for practices that were “inconsistent with the context” of a particular transaction or with the company’s relationship with the consumer.)

The report goes on to make a number of specific recommendations that build on these basic propositions.  After the jump, we discuss a few that struck us as particularly noteworthy.

China's New Data Privacy Legislation Targets "Personal Electronic Information" And Implements Real Name Registration for Certain Websites

On December 28, 2012, China’s national legislature enacted a new law to further regulate the collection and use of online personal information and to require certain network service providers to implement real name registration for all users. 

As described below, the new law may affect all businesses handling an individual’s “personal electronic information” in China, even if that information is not necessarily processed over the internet.  For many companies operating websites hosted in China, the new law will require only slight modifications to existing data handling practices, as many of the new law’s provisions reflect or only slightly modify other provisions found in existing law.  However, websites providing “internet publication services” such as blogs, microblogs, or online forum providers, will be required to implement a real name registration system for their users.  The specifics of the real name registration system have not been announced and will likely come from China’s principal internet regulator, the Ministry of Industry and Information Technology (“MIIT”), which is drafting regulations in furtherance of the new law. 

ENISA Publishes New Guidelines for Smart Grid Cyber Security

By Jacqueline Clover and Ezra Steinhardt

In December 2012, the European Network and Information Security Agency (ENISA) published a set of (non-binding) Guidelines titled, “Appropriate security measures for smart grids; Guidelines to assess the sophistication of security measures implementation”.  The Guidelines are intended to help EU Member States and smart grid stakeholders improve the resilience of smart grid cyber security systems against cyber threats and attacks, and follow on from a pair of European Commission initiatives that have called for improved security of European electricity networks:  the Commission’s Standardization Mandate to support European Smart Grid Deployment, released in March 2011, and the Commission’s Recommendation on the roll-out of smart metering systems, released in March 2012.  The latter document encourages EU Member State electricity network providers to consult the ENISA Guidelines when implementing smart grid security measures.

The Guidelines stress the importance of data privacy for smart grid stakeholders, and note that many such stakeholders “still have little experience in these areas”.  The Guidelines do not set out to address data privacy concerns per se, but the information security measures proposed by the Guidelines will also be of use to controllers, who must take adequate organizational and technical measures to protect personal data under European data protection law. 

The Guidelines aim to harmonise and establish minimum cyber security standards and best practices for European smart grids.  The Guidelines identify ten smart grid security issue areas and make security recommendations for each area.  To take into account different smart grid characteristics, such as the size of the grid or the types of services provided, and correspondingly different risk profiles, the Guidelines accommodate varying degrees of security measure implementation (“sophistication levels”).  Some security measures (or security issues) discussed by the Guidelines include:

  • Protection of sensitive information processing facilities;
  • Encryption methods for sensitive data during storage and transmission;
  • Controlling access to critical asset information, and the use of secure remote access methods;
  • Precautions against malware and viruses;
  • Timely technical upgrades to smart grid information systems;
  • Segregation of information services and information systems into groups and networks;
  • Protection of security audit information;
  • Security policies and monitoring of grid information systems;
  • Staff cyber security training programs, personnel risk assessments, and staff security responsibilities and oversight;
  • Third party agreements (e.g., with external suppliers and contractors) and monitoring of third parties to preserve confidentiality;
  • Communication with relevant authorities and cyber security interest groups (i.e., to stay ahead of the latest vulnerabilities and threats);
  • Maintaining updated inventories of all smart grid components and systems;
  • Management of authentication credentials, user names, etc.; and 
  • Policies for secure disposal of smart grid components and systems.

The smart grid provider should conduct a risk assessment when determining how to implement and maintain the above measures. 

FCC Provides Consumer Tips On Mobile Privacy And Security

The Federal Communications Commission yesterday released a Smartphone Security Checker, a tool designed to help consumers secure their smartphones against mobile security threats.  The tool provides consumers with tips that are customized for four different mobile operating systems.  Many of the tips focus on security-related topics.  For instance, the tool recommends that consumers set a password or Personal Identification Number on their phones, accept updates and patches to smartphone software, and wipe phones of personal data before reselling or recycling them.

The FCC also made recommendations that touch on the role of in-app privacy disclosures, a topic that has received attention recently from state regulators and the Federal Trade Commission.  Specifically, the FCC recommends that users understand app permissions before accepting them.  The FCC says, “You should be cautious about granting applications access to personal information on your phone or otherwise letting the application have access to perform functions on your phone.  Make sure to also check the privacy settings for each app before installing.”

While the FCC has not been as active as the FTC and others on mobile privacy issues that do not affect the telephone portion of the mobile service, the FCC’s announcement demonstrates that it continues to see a role for itself in helping “consumers understand and combat cyber threats and mobile device theft.”  Earlier this year, the FCC partnered with mobile operators to launch their “PROTECTS Initiative” which was designed to combat mobile device theft and trafficking. 

FTC Hosts Workshop to Examine Comprehensive Data Collection

On Thursday, the Federal Trade Commission (“FTC”) hosted a workshop to explore the practices and privacy implications of comprehensive data collection. The event gathered consumer protection groups, academics, privacy professionals, and business and industry representatives to examine the current state of comprehensive data collection, its risks and potential benefits, and what the future holds for consumers and their choices.

In her opening remarks, FTC Commissioner Julie Brill indicated the agency was open to revising its consumer privacy framework if comprehensive data collection warranted heightened restrictions or enhanced consent to protect and inform users: “We know that comprehensive data collection allows for greater personalization and other benefits, but there may be other contexts in which it does not lead to desirable results.”

The workshop was one of five main action items adopted by the FTC as part of its March 2012 report, Protecting Consumer Privacy In an Era of Rapid Change.  In the report, the commission told companies that consent was not required for the collection and use of information that was consistent with a particular transaction or the company's relationship with the consumer. But the agency said it needed more information to determine how this principle applied to technologies that could capture large amounts of consumer information, such as deep packet inspection (DPI).
