Inside Privacy - Updates on Developments in Global Privacy & Data Security

Yesterday Senator John McCain (R-AZ) introduced the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012 (SECURE IT Act). The bill’s cosponsors include Senators Kay Bailey Hutchison (R-TX), Chuck Grassley (R-IA), Saxby Chambliss (R-GA), Lisa Murkowski (R-AK), Dan Coats (R-IN), Ron Johnson (R-WI), and Richard Burr (R-NC).

In a hearing in the Senate Committee on Homeland Security and Governmental Affairs last month, Senator McCain expressed procedural and substantive concerns about the “Cybersecurity Act of 2012,” S. 2105, which was sponsored by Senators Joseph Lieberman (I-CT), Susan Collins (R-ME), Dianne Feinstein (D-CA), and John D. Rockefeller, IV (D-WV), and he announced his intention to put forward a competing cybersecurity bill.

One of the main differences between the two bills is the amount of government regulation they envision. The Cybersecurity Act of 2012 proposes that the Department of Homeland Security (DHS) make risk-based designations of covered critical infrastructure (CCI) and establish cybersecurity performance requirements for CCI, in consultation with the CCI owners and operators. The SECURE IT Act, on the other hand, does not propose any government regulation of privately owned critical infrastructure, nor does it include identification or designation of such infrastructure. In a statement released yesterday by the co-sponsors of the SECURE IT Act, Senator Murkowski emphasized that the bill employs “a partnership approach between the government and private entities.”

Continue Reading

As we've previously noted (here and here), California and Illinois recently enacted amendments to their data security breach notification laws.  The amendments took effect this week. 

California’s changes are the more notable.  For example, businesses that are required by California’s breach notice statute to notify more than 500 California residents now must also notify the state attorney general.  Although more than a dozen states have laws with similar regulator notice requirements, California’s is unique in that it requires the notice to be submitted electronically.  The California attorney general has created an online reporting form that seeks basic information about the incident and a sample copy of the notice letter that is provided to individuals. 

Also noteworthy is the fact that both laws now require that notices to individuals contain specific contents, including, for example, the contact information for major consumer credit reporting agencies.  California’s law requires that the individual notice be written in “plain language,” another unprecedented requirement in this area. 

Sen. John Rockefeller (D-WV), chair of the Senate Commerce Committee, is still working to reach consensus on the data security bill that he and Sen. Mark Pryor (D-AR) introduced in June.  A scheduled markup was canceled in September, and the committee decided not to consider the bill at yesterday’s executive session.  Nonetheless, a spokesman for Sen. Pryor said Tuesday that lawmakers are “hoping to resolve any disagreements so the bill can be on a December markup.”

The bill, S. 1207, requires firms to establish information security policies for safeguarding personal information and to provide notice in the event of a security breach. Sens. Rockefeller and Pryor are reportedly reworking the bill in the hopes of securing bipartisan support.  A draft amendment circulated last week would, among other things:

• expressly exempt entities that are subject to information security requirements under the Gramm-Leach-Bliley Act, HIPAA or HITECH, or the Communications Act;
• delete special requirements for information brokers;
• restrict the remedies available to state attorneys general when bringing suit on behalf of state residents; and
• expand the definition of “personal information” to include unique biometric data and information about an individual when combined with authentication credentials for any financial account, but eliminate the FTC’s ability to modify the definition.

As we previously discussed, data security remains a subject of interest in both chambers of Congress.  Three other data security bills were approved by the Senate Judiciary Committee in September. Rep. Mary Bono Mack (R-CA) met with other lawmakers yesterday to discuss her breach notification bill and is confident that the legislation has enough support to pass the House Energy and Commerce Committee in the next few weeks, although the decision to schedule a full committee markup will be up to committee chairman Rep. Fred Upton (R-MI).

By David Fagan & Steve Satterfield

Yesterday, the SEC’s Division of Corporation Finance issued a guidance document regarding public companies’ disclosure obligations relating to cybersecurity risks and breaches.  The guidance responds to a request by Sen. Jay Rockefeller that the SEC clarify its position on this increasingly important issue. 

The Division noted that as companies have turned to digital technologies to conduct their operations, cybersecurity risks--and incidents--have increased.  Although there is no disclosure requirement under the federal securities laws that specifically addresses cybersecurity, the Division explained that existing regulations may require disclosure of cyber risk assessments and the costs stemming from incidents.  It is important to note, as the Division does, that this is guidance, not a rule, regulation, or order (as some headlines have suggested).

We provide an overview of the guidance after the jump.  For additional information please see this E-Alert prepared by members of our Global Privacy & Data Security and Securities & Corporate Finance practice groups. 

Continue Reading

Last Thursday, the Senate Judiciary Committee began its consideration of the several pending data security bills by marking up S. 1151, the legislation introduced by Sen. Patrick Leahy (D-VT). 

S. 1151 would require business entities to develop a data privacy and security plan for protecting sensitive personally identifiable information, require agencies and business entities to notify U.S. residents in the event of a security breach involving such information, and impose criminal penalties for intentionally and willfully failing to provide notice of a security breach.

The original version of the bill also contained separate privacy requirements for data brokers, but a substitute amendment deleting that title was adopted by the Committee on Thursday.  The panel also accepted an amendment proposed by Sen. Chuck Grassley (R-IO), which clarified that the definition of “exceeds authorized access” in the Computer Fraud and Abuse Act does not include violations of Internet terms of service agreements or employment agreements restricting computer access, and a separate manager’s amendment which limited civil liability and penalties.

Continue Reading

Earlier this week, California Governor Jerry Brown signed into law an amendment to California’s breach notice law (S.B. No. 24).  Former Governor Arnold Schwarzenegger vetoed similar legislation in 2008, 2009, and 2010. 

As Inside Privacy noted when the legislation first moved through the California Senate on April 14, the legislation will amend California’s existing security breach notification requirements by:

• Requiring businesses subject to California’s security breach notification law to send an electronic copy of a breach notification to the California Attorney General, if more than 500 Californians are affected by a single breach.
• Establishing standard content requirements for data breach notifications to California residents, including the type of information breached, the date of the breach, and a toll-free telephone number of major credit reporting agencies; and
• Clarifying that a covered entity under the Health Insurance Portability and Accountability Act of 1996 that complies with applicable breach notice requirements will be deemed to comply with the new content requirements for breach notifications in California.

The new law goes into effect January 1, 2012.  It makes California one of more than a dozen states that require notice to state regulators in the event of a breach that triggers notification to individuals, with some variation among the states with respect to the threshold of affected individuals that triggers notice to the regulator.

The bill’s author, California Senator Joe Simitian (D-Palo Alto), was the original sponsor of California’s landmark data breach notification law, first enacted in 2003.  California’s breach notice bill has been amended on prior occasions, including a 2007 amendment that added health information to the type of data that may trigger a notification obligation.

By David Fagan and Libbie Canter

Yesterday, the House Subcommittee on Commerce, Manufacturing, and Trade voted to report the Secure and Fortify Electronic Data Act (H.R. 2577) — the SAFE Data Act — to the full House Energy & Commerce Committee, moving the legislation one step closer to passage. The legislation creates a national breach notification standard that would preempt the 46 state laws (plus District of Columbia and Puerto Rico laws) that presently require entities to notify consumers of breaches of their personal information.

The legislation was introduced formally on July 19 by Rep. Mary Bono Mack (R-CA) and was approved by the Subcommittee by a voice vote that appeared to track party lines. Rep. Bono Mack had circulated a discussion draft of the SAFE Data Act last month that we discussed here.

Prior to voting the bill out of the Subcommittee, members considered several amendments to the legislation, focusing in particular on issues relating to the rulemaking authority of the Federal Trade Commission and the scope of the definition of personal information. The Subcommittee took the following actions on proposed amendments:

• It approved an amendment offered by Rep. Bobby Rush (D-IL) that is intended to clarify that the Act's information security obligations apply to paper records in addition to electronic records. 
• It approved an amendment offered by Reps. Marsha Blackburn (R-TN) and Pete Olson (R-TX) that appears designed to make it more difficult for the Federal Trade Commission to expand the definition of personal information. Prior to the amendment, the bill expressly authorized the FTC to modify the definition of personal information through an Administrative Procedures Act rulemaking process.

Continue Reading

In light of the number of privacy and data security-related bills currently being considered by Congress, we thought it might be helpful to provide a roundup of the legislation introduced or circulated to date:

Comprehensive privacy legislation:

• BEST PRACTICES Act, H.R. 611 (Rep. Rush): introduced Feb. 10, 2011.  Referred to the House Subcommittee on Commerce, Manufacturing, and Trade. 
• Commercial Privacy Bill of Rights Act of 2011, S. 799 (Sens. Kerry and McCain):  introduced Apr. 12, 2011.  Referred to the Senate Committee on Commerce, Science, and Transportation.
• Consumer Privacy Protection Act of 2011, H.R. 1528 (Reps. Stearns, Matheson, Bilbray, and Manzullo):  introduced Apr. 13, 2011.  Referred to the House Subcommittee on Commerce, Manufacturing, and Trade. 

Do Not Track:

• Do Not Track Me Online Act, H.R. 654 (Rep. Speier):  introduced Feb. 11, 2011.  Referred to the House Subcommittee on Commerce, Manufacturing, and Trade. 
• Do-Not-Track Online Act of 2011, S. 913 (Sen. Rockefeller): introduced May 9, 2011.  Referred to the Senate Committee on Commerce, Science, and Transportation. 

Children’s privacy:

• Do Not Track Kids Act of 2011, H. R. 1895 (Reps. Markey and Barton):  introduced May 13, 2011.  Referred to the House Committee on Energy and Commerce. 

Data security and breach notification:

• Data Accountability and Trust Act, H.R. 1707 (Reps. Rush, Barton, and Schakowsky):  introduced May 4, 2011.  Referred to the House Committee on Energy and Commerce. 
• Data Accountability and Trust Act of 2011, H.R. 1841 (Reps. Stearns and Matheson): introduced May 11, 2011.  Referred to the House Committee on Energy and Commerce. 
• Personal Data Privacy and Security Act of 2011, S. 1151 (Sens. Leahy, Schumer, Cardin, and Franken):  introduced June 7, 2011.  Referred to the Senate Committee on the Judiciary. 
• Secure and Fortify Electronic Data Act, H.R. ___ (Rep. Bono Mack): discussion draft released June 13, 2011.  Hearing held by the House Subcommittee on Commerce, Manufacturing, and Trade.
• Data Security and Breach Notification Act, S. 1207 (Sens. Pryor and Rockefeller): introduced June 15, 2011.  Referred to the Senate Committee on Commerce, Science, and Transportation. 

Geolocation privacy:

• Geolocation Privacy and Surveillance Act, H.R. 2168 (Reps. Chaffetz and Goodlatte): introduced June 14, 2011.  Referred to the House Committee on the Judiciary and the House Committee on Intelligence (Permanent Select). 
• Geolocation Privacy and Surveillance Act, S. 1212 (Sen. Wyden): introduced June 15, 2011.  Referred to the Senate Committee on the Judiciary. 
• Location Privacy Protection Act of 2011, S. 1223 (Sens. Franken and Blumenthal): introduced June 16, 2011.  Referred to the Senate Committee on the Judiciary. 

ECPA:

• Electronic Communications Privacy Act Amendments Act of 2011, S. 1011 (Sen. Leahy):  introduced May 17, 2011.  Referred to the Senate Committee on the Judiciary. 

Financial privacy:

• Financial Information Privacy Act of 2011, H.R. 653 (Reps. Speier, Hastings, and Filner): introduced Feb. 11, 2011.  Referred to the House Subcommittee on Financial Institutions and Consumer Credit. 

Yesterday, the House Subcommittee on Commerce, Manufacturing and Trade held its second hearing on data security in the past month.  The hearing featured the testimony of top executives from Sony and Epsilon, companies that recently have been the victims of large-scale cyber attacks.  The hearing focused mainly on the specifics of the recent attacks, the companies' notification of affected individuals, and the steps the companies have since taken to improve the security of their networks.  The prospect of federal data security legislation was discussed briefly, however, and both the members and the witnesses agreed that such legislation would ease the burdens on businesses, which currently must navigate a complex (and sometimes inconsistent) terrain of state data security laws. 

As we have previously noted, two members of the Subcommittee, Reps. Rush and Stearns, have introduced comprehensive data security legislation in this Session.  At yesterday's hearing, Subcommittee Chairman Mary Bono Mack reaffirmed her intention to do the same.  In her opening statement, she explained that her bill would be based on three guiding principles: 

• First, companies and entities that hold personal information must establish and maintain security policies to prevent the unauthorized acquisition of that data.
• Second, information considered especially sensitive, such as credit card numbers, should have even more robust security safeguards.
• Third, consumers should be promptly informed when their personal information has been jeopardized. 

It is unclear whether Rep. Bono Mack's bill will differ substantially from those introduced by Reps. Rush and Stearns (which are themselves very similar to each other).  But based on this brief statement, it appears that the bill might distinguish between the security requirements for different types of data, which neither the Rush nor the Stearns bill does. 

By David Fagan and Josephine Liu

The Obama Administration today sent Congress its long-awaited legislative proposal for improving U.S. cybersecurity.  The proposal is in the form of individual legislative amendments tackling various issues, packaged together as a comprehensive legislative framework.  As we previously discussed, cybersecurity is a subject of interest in both chambers of Congress.  Senate Majority Leader Harry Reid and six Senate committee chairs requested last July that President Obama provide input on cybersecurity legislative reforms; today’s proposal responds to that request. 

While the legislative proposals are extensive – the complete section-by-section analysis is, on its own, more than 20 pages – the following provisions are likely to be of particular interest for businesses operating in this space:

• National data breach notification.  The proposals would seek to create, for the first time, a unified federal standard for notification to customers in the event of a security breach.  Specifically, business entities would be required to notify customers following the discovery of a security breach involving sensitive personally identifiable information, and also to notify law enforcement and national security authorities under certain circumstances.  These provisions would preempt the 47 existing state data breach notification laws, and would be enforced by the FTC and state attorneys general. 
• Development of critical infrastructure cybersecurity plans.  DHS would work with industry, through a rulemaking process, to identify core critical infrastructure operators and specific risks.  An entity would not be designated as a critical infrastructure operator unless (1) disruption of the entity’s operations would have a debilitating effect on national security, national economic security, or national public health or safety; and (2) the entity depends on information infrastructure to operate.  Operators designated under this process would be responsible for developing cybersecurity risk mitigation plans, which would be assessed by third-party auditors.  DHS would be authorized to enter into discussions or take other action if operators’ plans are insufficient. 
• Voluntary sharing of cybersecurity threat information.  The proposal would authorize private entities to share cybersecurity threat information with DHS, and would provide them with immunity for doing so.  DHS would be tasked with developing policies and procedures to minimize the impact on privacy and civil liberties and to prevent misuse of the shared information. 

Continue Reading

By David Fagan & Libbie Canter

Last week, Congressman Bobby Rush (D-Ill.) reintroduced the Data Accountability and Trust Act (H.R. 1707).  During the 111th Congress, the House of Representatives approved the same measure by voice vote, but the legislation, introduced in the Senate by Senators Jay Rockefeller (D-WV) and Mark Pryor (D-Ark.), did not make it out of the Senate Commerce Committee before the end of the session.  The legislation would create a federal breach notification standard and authorize the FTC to promulgate information security and data disposal regulations.

• Scope.  The legislation covers persons engaged in interstate commerce, with certain additional requirements applicable to information brokers.  The provisions generally apply to the ownership or possession of personal information, which is defined as a person’s “first name or initial and last name, or address, or phone number, in combination with any 1 or more of [certain] data elements.”  Those data elements include social security number, driver’s license number, other government-issued identification numbers, and financial account numbers. 
• Breach Notification.  Following discovery of any unauthorized acquisition or access to electronic data containing personal information, businesses typically would be required to notify the FTC and any resident of the United States whose personal information was acquired or accessed.  Where notice is required to 5,000 or more individuals, the major credit reporting agencies would also need to be notified.
  • Timing.  Under the bill, notification would be required not later than 60 days following discovery of the breach, with a limited number of exceptions available.
  • Content Requirement.  Consumer notifications would be required to include the date of the breach; a description of the personal information accessed; a telephone number for further inquiries; notice that the individual is entitled to receive certain credit protection products at no charge (which the Act would require businesses to furnish); and contact information for the major credit reporting agencies and the FTC.
  • Obligation to Furnish Credit Products.  The bill indicates businesses will be required to provide or arrange for the provision of free consumer credit reports on a quarterly basis and credit monitoring to affected individuals for a period of two years following a breach.  The bill directs the FTC to promulgate rules with respect to the circumstances in which such credit products will be required to be offered.
  • Risk of Harm.  There is no notification requirement or other obligations on a business if it determines there is no reasonable risk of identity theft, fraud, or other unlawful conduct.  This is presumed to be the case if the data is encrypted or otherwise unreadable, although the bill directs the FTC to promulgate regulations on the technologies that adequately render data unreadable.
  • Service Providers.  Third parties contracted to maintain or process data and service providers would be required to notify the owner of the information, which would then have the obligation to notify the FTC and consumers.

Continue Reading

The FTC has announced settlements with both Ceridian Corporation and Lookout Services, Inc., which the FTC charged with committing unfair and deceptive trade practices. According to the FTC, Ceridian and Lookout claimed they would take reasonable measures to secure the sensitive consumer data they maintained, but failed to do so. The FTC appears to have become aware of security inadequacies after both companies experienced data breaches that affected tens of thousands of consumers.

The security problems cited by the FTC included the indefinite retention of sensitive data in readable text without a business need, the failure to require strong user passwords that are periodically changed, and the failure to provide adequate employee training.

The settlement orders prohibit misrepresentations about the privacy, confidentiality, or integrity of any personal information collected from or about consumers. They further require the companies to implement a comprehensive information security program and to obtain independent, third party security audits every other year for 20 years.

California state Senator Joe Simitian (D-Palo Alto) certainly can be credited with persistence when it comes to expanding California’s data breach notification law, and with Jerry Brown replacing Arnold Schwarzenegger as governor, the fourth time may be the charm.  On April 14, 2011, the California State Senate voted to approve Senate Bill 24, which now moves to the State Assembly for consideration.

The new legislation would amend California’s existing security breach notification requirements by:

• Establishing standard content requirements for data breach notifications to California residents, including the type of information breached, the time of breach, and a toll-free telephone number of major credit reporting agencies; and
• Requiring public agencies, business, and individuals subject to California’s security breach notification law to send an electronic copy of the breach notification to the California Attorney General, if more than 500 Californians are affected by a single breach.

Continue Reading

Email marketing company Epsilon announced last week that its databases had been hacked, compromising customer names and e-mail addresses for a number of major companies that outsource their marketing communications to Epsilon.

The Epsilon data breach illustrates some of the security challenges when dealing with cloud computing environments.  Although there are security risks associated with any outsourcing solution, the potential effect of a breach is magnified in a multi-tenant cloud.  Only 2% of Epsilon’s estimated 2,500 clients were affected by the attack, and that still amounted to millions of exposed records.  According to one estimate, the total number of affected individuals could be as high as 100 million. 

Dave Frankland of Forrester Research observes that this incident may cause companies to question whether a multi-tenant deployment model is the best way to process customer data, given that a single breach can give a perpetrator access to a wealth of data. 

Continue Reading

According to the annual Ponemon Institute survey report released March 8, 2011 in 2010, U.S. companies affected by data breaches incurred an average cost of $7.2 million per incident.  (In comparison, in 2009, companies reported an average cost of $6.75 million).  The Ponemon survey identified a number of other interesting trends:

• Companies are responding to data breaches and notifying individuals more quickly than in years past, but that corresponds to higher costs for companies.
• There are fewer breaches due to systems failures, lost or stolen devices and third-party mistakes, but more than a third of all breaches involve malicious or criminal attacks. 
• The drop in breaches from systems failures may be related to increasing efforts on the part of companies to prevent and mitigate breaches through new and increased use of security technologies, such as encryption, and compliance with security policies. Additionally, more organizations are putting Chief Information Security Officers in charge of breach response.

Parallel with industry efforts to respond to data breaches, a number of state legislatures -- including Colorado, Hawaii, and Illinois -- have been reviewing and considering amendments to their breach notice laws.  We will continue to monitor and provide updates on those developments.

Taiwan's revised Data Protection Act, which is not yet formally effective, is the first privacy-specific statute in the APAC region to contain an enforceable requirement to notify individuals of a data breach incident.  To date, no other privacy legislation in the Asia region has imposed an enforceable legislative requirement to communicate a data breach incident to individuals.  

A few notable aspects of the legal obligations are as follows:

• The relevant provision requires that, where a public or private sector agency "violates any provision" of the Act, "such that personal data is stolen, disclosed, altered or otherwise impaired," then "the agency, after investigating shall notify the subjects by appropriate means."
• The requirement does not extend to every breach occurrence, only those that constitute an actual violation of the Data Protection Act. 
• Certain aspects of the data breach provision remain unclear, such as the extent to which organizations may delay the issuance of notices while investigating an incident.
• There does not appear to be any requirement to notify any supervisory body of the breach incident.  Indeed, the Data Protection Act does not name any a single body with oversight over or enforcement responsibility for the Data Protection Act.  It appears that enforcement has been left to individual industry ministries, as is the case in Japan.

A total of 225 breaches of protected health information (PHI) affecting 6,067,751 individuals have been recorded since the HIPAA breach notification rule was issued in August 2009 pursuant to the HITECH Act, according to a report by Redspin, a provider of HIPAA risk analysis and IT assessment services.

According to the report:

• Single breaches affecting over 500 individuals have taken place across 43 states, the District of Columbia, and Puerto Rico.
• 27,000 individuals, on average, are affected by a single breach.
• 82 days, on average, pass between breach discovery and notification/update to HHS.
• 40% of records breached involve business associates.
• 61% of breaches are a result of malicious intent.

To reduce the risk and impact of a future breach, the report recommends that covered entities and business associates should: (1) implement encryption on all PHI in storage and transit; (2) strengthen information security user awareness and training programs; (3) implement a mobile device security policy; and (4) ensure that business associate due diligence includes a periodic review of implemented controls.

The report also warns that “business associates are data rich targets that are consequently likely to see an increase in malicious activity,” underscoring the need for covered entities carefully to select and contract with their business associates and for business associates to implement robust physical, administrative and technical safeguards.

The full report is available here.

The EU’s 'cyber security' agency ENISA has issued a report on data breach notifications in the EU.  The report is in response to the 2009 amendments to the ePrivacy Directive requiring telecom and Internet service providers to issue notifications for personal data breaches, which Member States must transpose into national legislation by May 2011. 

The ENISA report reviews best practices in countries where data breaches already are required or are expected to be notified (e.g., Germany, Spain and Ireland), highlights concerns of providers and regulatory authorities regarding the new EU-wide mandatory notification regime, and identifies areas where further EU level or local guidance is needed. 

Continue Reading

In 2009, 12 percent of EU businesses suffered security incidents due to hardware or software failures, according to a study released by Eurostat, the statistical office of the European Commission.  By contrast, incidents involving the destruction or corruption of data due to malicious software infection or unauthorized access were only reported by five percent of enterprises.  One percent of enterprises suffered a loss of data because of intrusion, pharming or phishing attacks.  The study also found that 50 percent of EU companies use a strong password (8 or more characters that are a mix of uppercase, lowercase, alphanumeric and special characters) or a hardware token to protect data.

The report has been issued as network and information security is once again moving onto the agenda of EU policy makers.  Parliament is expected to begin considering beefed-up legislation on cyber crime in the new year.  A breach notification provision applicable to all EU businesses is also widely anticipated to be included in the Commission's proposals to amend the Data Protection Directive, which are expected in the summer of 2011.