EDPS Issues Opinion on Big Data and Enforcement

As announced last week, the European Data Protection Supervisor (“EDPS”) released on September 23, 2016 an opinion on “coherent enforcement of fundamental rights in the age of big data.”  This opinion follows an earlier Preliminary Opinion on privacy and competitiveness in the age of big data, published in 2004 (see our previous blog post here).

According to the EDPS, data-driven technologies and services are important for economic growth, but the users of those services are generally unaware of the nature and extent of the “covert tracking”  that fuels the sector.  The growing imbalance between consumers and service providers would diminish choice and innovation and threaten the privacy of individuals.  In fact, the rights of individuals enshrined in the EU Charter of Fundamental Rights would be threatened by “normative behavior and standards that now prevail in cyberspace.”    At the same time, EU rules on data protection, consumer protection, and antitrust and merger control are applied in silos, despite their common objectives. Continue Reading

FTC Hosts “Putting Disclosures to the Test” Workshop

By Sari Sharoni

On September 16, 2016, the Federal Trade Commission (“FTC”) hosted a workshop on the factors that may contribute to the effect disclosures have on consumer behavior. The workshop, “Putting Disclosures to the Test,” included speakers from a wide range of disciplines and industries, who remarked on aspects of disclosure such as consumer cognition, recognition, and comprehension, methodologies for measuring disclosure effectiveness, the impact of disclosures on consumer decision-making, and disclosure design.

In her introductory remarks, Lorrie Cranor, Chief Technologist at the FTC, espoused the benefits to privacy disclosures of studying research in other areas. Edith Ramirez, Chairwoman of the FTC, then opened the workshop with remarks on issues that are important to the FTC. The FTC’s primary task, she stated, is to ensure consumers have access to truthful and accurate information, to enable them to make decisions in the marketplace. Their focus, with respect to disclosure of information, is on the effect of disclosure on consumer welfare. They consider some disclosures necessary to prevent deception in advertising, or to communicate the risks of products, or choices consumers may have. With respect to privacy, the FTC encourages companies to disclose their data practices, so consumers have greater control over how their data is used. They require disclosures to be clear and conspicuous, so consumers can understand them and make informed decisions. Continue Reading

Report: EDPS to Recommend Clearing House to Increase Coordination Among EU Regulators

On September 19, 2016, PaRR reported that the European Data Protection Supervisor (“EDPS”) is working on guidelines to increase coordination on the interface between data protection and competition law.  The guidelines would be released later this month.

According to the report, the EDPS will recommend the creation of a “digital clearing house” in which regulators from the different disciplines, such as data protection, consumer protection and competition law, could exchange views on trends and recent developments and even allocate cases  to increase the coherence of their activities.

As the adequacy of notification thresholds for mergers are being assessed and competition authorities increasingly consider the value of personal data, the EDPS reportedly believes the time has come for increased coordination among relevant enforcement bodies.

New York State Proposes Cybersecurity Regulation for Financial Services Institutions

On September 13, 2016, New York Governor Andrew Cuomo announced a proposed regulation that would require financial service institutions to develop and implement cybersecurity programs to prevent and mitigate cyber-attacks.  The proposed regulation will be subject to a 45-day comment period once it is published in the New York State Register. The regulation will become effective January 1, 2017.

The proposed regulation would impose several obligations on “covered entities,” which the proposed regulation defines as financial institutions regulated by New York’s banking, insurance, or financial services laws, such as banks and insurance companies. Specifically, the entities must annually submit to the Superintendent of Financial Services a written certification that the entity complies with the following requirements of the regulation:

(1) Notify the Superintendent of Financial Services of Cyber Events

Covered entities will be required to notify the Superintendent of any cybersecurity event with a “reasonable likelihood of materially affecting the [entity’s] normal operation or that affects [n]onpublic [i]nformation” within 72 hours of becoming aware of the event. A “cybersecurity event” is defined as “any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an [i]nformation [s]ystem or information stored on such [i]nformation [s]ystem.”

(2) Establish a Cybersecurity Program

Covered entities will be required to assess their specific risk profile to design a cybersecurity program that performs the following cybersecurity functions:

  • Identification of internal and external cyber risks;
  • Implementation of policies and procedures to protect against unauthorized access or malicious acts;
  • Detection of cybersecurity events;
  • Mitigation of any identified cybersecurity events;
  • Recovery from cybersecurity events; and
  • Fulfillment of regulatory reporting requirements.

(3) Adopt a Cybersecurity Policy

Covered entities will be required to implement and maintain a written policy setting forth the procedures for protecting its information systems. The policy must address, at a minimum, the following fourteen areas:

  • Information security;
  • Data governance and classification;
  • Access controls and identity management;
  • Business continuity and disaster recovery planning and resources;
  • Capacity and performance planning;
  • Systems operations and availability concerns;
  • Systems and network security;
  • Systems and network monitoring;
  • Systems and application development and quality assurance;
  • Physical security and environmental controls;
  • Customer data privacy;
  • Vendor and third-party service provider management;
  • Risk assessment; and
  • Incident response.

(4) Appoint a CISO

Covered entities will be required to designate a Chief Information Security Officer (“CISO”), who will be responsible for overseeing and implementing the cybersecurity program and enforcing the cybersecurity policy. The CISO is required to report to the entity’s governing body, at least bi-annually, regarding the assessed integrity of the information systems, exceptions to the entity’s cybersecurity policies and procedures, cyber risks to the entity, the effectiveness of the cybersecurity program, proposed remediation of deficiencies in the program, and all material cybersecurity events in the time period covered by the report.  The regulation contemplates that entities may fulfill the CISO requirement using third-party service providers.

(5) Require Third-Party Service Providers to Secure Certain Information

Covered entities who do business with third-party service providers will be required to have policies and procedures in place to ensure the security of information systems and nonpublic information accessible by, or held by, those third parties. Such policies must set forth the identification and risk assessment of third-party providers, the minimum security requirements third-party service providers must meet, due diligence processes used to assess the cybersecurity practices of the third parties, and terms for annual periodic assessment of the third party’s cybersecurity practices.

(6) Implement Certain Controls

Covered entities will be required to deploy certain controls on its information systems—including, among others, multi-factor authentication for remote access, privileged user access, and web-based access to nonpublic information; privileged access limitations; and encryption of all nonpublic information at rest and in transit.

(7) Test and Monitor Information Systems

Covered entities will be required to include in their cybersecurity program a provision for annual penetration testing and vulnerability assessments of the entity’s information system(s). They must also implement and maintain an audit trail that captures and stores specific types of information for no less than six years.

(8) Conduct Cyber Awareness Training

Covered entities will be required to employ and regularly train cybersecurity personnel to manage the cybersecurity program and policies. The cybersecurity personnel must stay abreast of changing cybersecurity threats.

The proposed regulation does provide for limited exemptions that are available for smaller businesses—such as businesses with (i) fewer than 1,000 customers in each of the last three calendar years; (ii) less than $5 million in gross annual revenue in each of the last three fiscal years; and (iii) less than $10 million in year-end total assets (calculated in accordance with GAAP).

Ninth Circuit Upholds CDA Immunity Against Plaintiff’s Attempt to “Push[] the Envelope of Creative Pleading”

On Monday, a panel of the Ninth Circuit unanimously ruled that Section 230 of the Communications Decency Act (“CDA”) protected Yelp from liability relating to an allegedly defamatory user-generated review.  In doing so, the Court rejected several attempts by the Plaintiff to plead around the CDA’s broad immunity provisions by accusing Yelp of playing a more direct role in the review’s creation and dissemination.  By dismissing Plaintiff’s arguments at the pleading stage, this case helps to cabin the Ninth Circuit’s Roomates.com opinion, which opened an exception to CDA protection that plaintiffs’ lawyers regularly try to allege.

The Plaintiff is a locksmith.  After a third party, Sarah K, left a negative Yelp review of the Plaintiff’s business, the Plaintiff sued Yelp on a pro se basis.

The CDA immunizes “providers” of “interactive computer services” against liability arising from content created by third parties, and as such, user-generated content like Yelp reviews fall squarely within the CDA’s wheelhouse.  However, under previous Ninth Circuit precedent in Fair Housing Council of San Fernando Valley v. Roommates.Com, LLC, the CDA does not protect parties who are also an “information content provider,”—that is, if the defendant is themselves responsible for the creation or development of the offending content.  521 F.3d 1157, 1162 (9th Cir. 2008).  The Plaintiff attempted to plead into this exception by alleging that Yelp made the user’s post its own by (1) actively pulling Sara K.’s review from another website, and/or fabricated the review under Sara K.’s identity; (2) contributing to the review by designing and providing its 5-star system; and (3) republishing the review as a promotion on Google’s search engine.  Using strong language, the Ninth Circuit panel “declined to open the door to such artful skirting of the CDA’s safe harbor provision.”

First, the Court refused to credit Plaintiff’s allegation that Yelp found the relevant review on another website and appropriated the review for its own website.  Citing to both Iqbal and Congress’s intent to promote “free exchange of information and ideas over the Internet” through the CDA, the Court concluded that the Plaintiff failed to allege any facts plausibly suggesting that the review was not posted by Sarah K. onto Yelp’s platform.

Second, turning to Yelp’s 5-star rating system, the Ninth Circuit followed its sister Circuit Courts to find that the CDA’s exception to immunity only applies when a party helps to create or develop the allegedly illegal or actionable elements of the user-created content.  Thus, because Yelp’s five-star rating system is a neutral tool that aggregates individual users’ input, Yelp’s involvement in creating the five-star rating does “absolutely nothing” to enhance the defamatory aspects of the user’s post and cannot expose Yelp to liability.

Third, and finally, the Court rejected Plaintiff’s argument that Yelp sacrificed its CDA immunity by republishing its user’s review on third-party platforms such as Google.  Notably, this was true even if, as Plaintiff alleged, Yelp leveraged its user’s reviews as advertisements to drive traffic to the Yelp website, at least so long as the content is republished “in essentially the same format.”

All told, while it is not surprising that the CDA shielded Yelp from potential liability for its user’s content, the strong language in this case will likely provide similarly situation defendants with ample ammunition to challenge artful pleadings and resolve CDA immunity issues in an early motion to dismiss.

FTC Announces it will Provide Guidance on Ransomware

The FTC has become the most recent regulator to take a closer look at ransomware and its impact on consumers. During the FTC’s September 7, 2016, Fall Technology Series on Ransomware, Chairwoman Edith Ramirez announced that the FTC will soon release guidance to businesses on how to protect against ransomware.

Ransomware is a malicious software (“malware”) designed to encrypt information on a computer system, which can only be decrypted upon the payment of a sum of money (the ransom) to the attackers. Ransomware has been used against businesses and government agencies to render sensitive information unavailable and to disrupt normal business functions. As the FTC Chairwoman mentioned in her rollout, the healthcare industry, including hospitals, has been specifically targeted by ransomware attacks. In response, the Office of Civil Rights within the Department of Health and Human Service announced in July that it considers the encryption of PHI by ransomware a “breach” subject to HIPAA notification requirements.

The increased use of ransomware by hackers has similarly prompted the FTC to issue the forthcoming guidance to organizations on their responsibilities to protect their systems and consumer data from ransomware attacks. In addition, the FTC Chairwoman made clear that the FTC intends to bring Section 5 enforcement actions against companies that fail to protect personal data from ransomware attacks, possibly even when there is no evidence of data loss or theft.  Currently, the FTC expects companies to implement reasonable security measures, including deploying current antivirus tools, to mitigate against data breaches as a result of known malware and other malicious activity; whether additional security measures are expected with respect to ransomware may be made more clear once the guidance has been released.

FTC Maps Its Cybersecurity Requirements to NIST Cybersecurity Framework Core Functions

By Catlin Meade and Jenny Martin

On August 31, 2016 the FTC posted a blog addressing whether compliance with the NIST Framework for Improving Critical Infrastructure Cybersecurity (“the Framework”) necessarily constitutes compliance with FTC cybersecurity practices.

The FTC answers this question with a resounding “No” and specifically states:  “there’s really no such thing as ‘complying with the Framework[]’” because the “[t]he Framework is not, and isn’t intended to be, a standard or checklist.”  The FTC further explains that the Framework does not provide a one-size-fits-all checklist of security practices; rather, it provides an organized approach and broad guidance, collected from a variety of existing industry standards, guidelines, and best practices, for organizations to follow to identify and manage cyber risk.   Continue Reading

FTC Requests Comments on the Safeguards Rule

The Federal Trade Commission (“FTC” or “Commission”) is soliciting public comments on its Standards for Safeguarding Customer Information (“Safeguards Rule”) as part of the systematic review of all FTC rules and guides on a 10-year schedule.  The Safeguards Rule was promulgated by the Commission pursuant to the Gramm-Leach-Bliley Act’s (“GLBA”) directive for federal agencies to establish standards for financial institutions relating to administrative, technical, and physical safeguards for certain information.

The notice requests comment on a variety of general issues, including the costs and benefits of the Safeguards Rule and what modifications, if any, should be made to the rule.  It also requests comment on several specific issues.  These include whether information security plans should include a breach response plan or other more specific and prescriptive requirements and whether the rule should incorporate other information security standards or frameworks (such as the NIST Cybersecurity Framework or PCI-DSS).

Finally, the FTC seeks comment on whether the  definitions in the Safeguards Rule should be amended to include  (1) activities that are “incidental” to financial activities within the scope of the rule; or (2) activities determined to be financial in nature or incidental to financial activities after the enactment of the GLBA in 1999.  Comments are due on or before November 7, 2016.

FAA Drone Rules Take Effect; Commercial Use of Drones Permitted with Certain Conditions

By Stephen Kiehl

Welcome to the Drone Age.

The Federal Aviation Administration’s (“FAA”) long-awaited rule on the commercial use of small unmanned aircraft systems (“UAS” or “drones”) took effect Monday, August 29, 2016, providing a comprehensive and generally applicable set of rules for anyone wishing to operate a small drone for commercial purposes. Continue Reading

Ninth Circuit Dismisses FTC’s Throttling Suit Against AT&T

In an opinion released today, the Ninth Circuit dismissed the Federal Trade Commission’s (“FTC”) lawsuit against AT&T for violating Section 5 of the FTC Act due to its throttling practices.  AT&T’s practice of throttling the speed of customers with unlimited data plans once they reached a certain data usage threshold had been challenged by the FTC as both unfair and deceptive under Section 5.  The Ninth Circuit reversed the district court’s prior ruling denying AT&T’s motion to dismiss on the ground that AT&T was a common carrier and therefore exempt from Section 5 of the FTC Act. Continue Reading

LexBlog