NY Data Breaches Reached Record Levels in 2016

New York Attorney General Eric T. Schneiderman announced this week that there were a record number of data breach notices in New York in 2016, with nearly 1,300 reported data breaches exposing the personal records of 1.6 million New Yorkers.  These numbers represented a 60 percent year-over-year increase in the number of data breaches reported, and a threefold increase in the number of records exposed.

According to an analysis conducted by the Attorney General’s office, which builds on a 2014 report, most of the exposed records consisted of social security numbers and financial account information, and the leading causes of data security breaches in New York were hacking and inadvertent disclosures.  Schneiderman’s statement cautioned that these record numbers make it “all the more important for companies and citizens alike to take precaution when sharing and storing personal data” as “these breaches too often jeopardize the financial health of New Yorkers and cost the public and private sectors billions of dollars.”

Legislation Introduced in House and Senate to Establish Drone Privacy Rules

By Stephen Kiehl

Continuing their focus on drone privacy issues, Senator Edward J. Markey (D-Mass.) and Rep. Peter Welch (D-Vt.) introduced legislation in the House and Senate this month that would require drone operators to create policies covering data collection and retention and require warrants for law enforcement agencies to conduct surveillance by drone.

The Drone Aircraft Privacy and Transparency Act, available here, is similar to legislation Markey and Welch introduced last year, which did not become law.  The lawmakers said they are concerned about the potentially “sensitive and personally identifiable information” about Americans that drones (“UAS”) collect as they are operated.

Senators Reintroduce Cybersecurity Legislation for Cars and Planes

Senators Ed Markey (D-MA) and Richard Blumenthal (D-CT) reintroduced a pair of bills today relating to the cybersecurity of cars and aircraft, which would impose affirmative security, disclosure, and consent requirements on manufacturers and air carriers.  The Security and Privacy in Your Car (“SPY Car”) Act and Cybersecurity Standards for Aircraft to Improve Resilience (“Cyber AIR”) Act were each introduced but not enacted in a previous session of Congress.  In a joint press release, the Senators noted that the legislation was designed to “implement and improve cybersecurity standards for cars and aircraft.”

The SPY Car Act

The SPY Car Act would require cars manufactured for sale in the U.S. to comply with “reasonable measures to protect against hacking attacks,” including measures to isolate critical software systems from non-critical systems, evaluate security vulnerabilities, and “immediately detect, report, and stop attempts to intercept driving data or control the vehicle.”  It would also require “driving data” collected by cars to be “reasonably secured to prevent unauthorized access,” including while such data is in transit to other locations or subsequently stored elsewhere.  Violations of these cybersecurity requirements are subject to civil penalties of up to $5,000 per violation.

FTC Announces June Workshop on Connected and Automated Cars

The FTC announced today that it will hold a joint workshop on June 28, 2017 with the National Highway Traffic Safety Administration (NHTSA) to “examine the consumer privacy and security issues posed by automated and connected motor vehicles.”  The announcement lists several discussion topics for the upcoming workshop:

  • the types of data vehicles with wireless interfaces collect, store, transmit, and share;
  • potential benefits and challenges posed by such data collection;
  • the privacy and security practices of vehicle manufacturers;
  • the role of the FTC, NHTSA, and other government agencies with regard to these issues; and
  • potentially applicable self-regulatory standards.

The FTC and NHTSA are inviting public comments on these topics, which are due on April 20, 2017.  Further details are available in the Commission’s public notice on the workshop.

UK Company Fined For Buying And Selling Non-Compliant Marketing Databases

The UK Information Commissioner’s Office (ICO), which enforces data protection legislation in the UK, has fined a company £20,000 (approximately 24,000 USD / 23,000 EUR) for not exercising sufficient due diligence when buying and using marketing databases.

The ICO found that over 580,000 individuals’ contact details had been obtained by The Data Supply Company Ltd (“TDSC”) from sources such as financial institutions and competition websites, and then sold on to third parties.  This had led to at least 21,045 unsolicited text messages and 174 complaints.

Because the data was used for direct electronic marketing (by email, SMS, etc.), TDSC was not entitled to rely on its data sources’ generic consent requests, such as “We may share your information with carefully selected third parties where they are offering products or services that we believe will interest you”, nor even fuller notices that disclosed “long lists” of general categories of possible recipients of the data.

Italian DPA Issues Record Data Privacy Fine

By Luca Tosoni and Dan Cooper

On 2 February 2017, the Italian DPA (“Garante”) imposed a record fine of 5,880,000 Euros on a UK company operating in Italy for its violation of the data privacy consent rules contained in Italian law.  This is the largest data privacy fine ever issued by a European data protection authority for a breach of the EU’s data protection framework.

The Garante imposed the fine on a company that allegedly made money transfers to China on behalf of individuals without their knowledge or agreement, and therefore did not obtain the individuals’ consent to the processing of their data.

The size of the fine reflects, in part, the fact that a significant number of data subjects were impacted by the breach.  In fact, the Garante concluded that the company had committed a separate privacy violation for each data subject whose data was used without consent.  The fine therefore reflects the sum total obtained from adding up the fine for each individual breach committed by the company.

CJEU Limits Public Record ‘Right to Be Forgotten’

On March 9, 2017, the Court of Justice of the EU (“CJEU”) handed down a ruling limiting the reach of its prior “right to be forgotten” jurisprudence, by holding that the right does not prevail over society’s interest in access to official public records of company details required by law.

UK Information Commissioner’s Office Publishes Draft Guidance on Consent under the GDPR

By Dan Cooper and Rosie Klement

On March 2, 2017, the Information Commissioner’s Office (“ICO”) released draft guidance for UK organizations on how the notion of consent will be interpreted and applied when the General Data Protection Regulation (“GDPR”) comes into force in May 2018.

The ICO is currently engaging in a public consultation on the draft guidance, which closes on March 31, 2017.  Stakeholders and the public can review the guidance and provide their views on the ICO’s website.  The ICO is expected to release a final version in May 2017, but will continue to revise the guidance to take account of developments at the European level.

The GDPR sets a high standard for consent, which goes beyond the current standard under the Data Protection Directive 95/46/EC and implementing Member State legislation, such as the UK Data Protection Act 1998.  The guidance notes that the basic concept of consent is not new to the EU data protection framework, but warns that the concept of consent under the GDPR will bring about many practical changes in how organizations procure consents.

The ICO guidance offers some practical recommendations on how to comply with the GDPR consent standard, and explains what counts as valid consent and how to obtain it.  Going forward, organizations are advised to take note of the following:

  • consent must involve a clear affirmative action and be unambiguous;
  • consent to processing an individual’s data should not generally be a precondition for signing up to a service;
  • consent should appear separate from other terms and conditions;
  • pre-ticked checkboxes will not secure an effective consent;
  • clear records should be kept to demonstrate that individuals have furnished consent; and
  • data subjects should have the right to easily withdraw their consent at any time.

Organizations are encouraged to review their existing consents and consent mechanisms to ensure they meet the GDPR standard.  If the standard is not met, fresh consents must be obtained.

This is the ICO’s first topic-specific guidance on the GDPR, with guidance on contracts and liability expected later this year.  More guidance is also expected from the Article 29 Working Party, which intends to release guidance on such topics as transparency, certification, breach notification and data transfers, which will supplement their previous guidance on Data Portability, Data Protection Officers and the One Stop Shop.  More details can be found in our recent article on the Article 29 Working Party guidance.

InsidePrivacy will be tracking and reporting on these developments.

House Democrats Propose Three Bills that Would Bolster FCC Influence over Cybersecurity

On March 2nd, Democratic members of the House Energy and Commerce Committee introduced three pieces of legislation that would expand the Federal Communications Commission’s (FCC) authority over the cybersecurity practices of communications network providers.

The first bill, the “Securing IoT Act of 2017” (introduced by Rep. Jerry McNerney (D-CA)), would expand the FCC’s certification authority by amending Section 303 of the Communications Act of 1934 to require that radio frequency equipment meet certain cybersecurity standards. Such cybersecurity standards would be established by the FCC, in consultation with the National Institute of Standards and Technology (NIST), no later than 180 days after the date of the Securing IoT Act’s enactment, and would cover cybersecurity standards “throughout the lifecycle of the equipment” (from design and installation to retirement). The standards would apply to equipment for which certification is submitted at least one year after the bill’s enactment.

The second bill, the “Interagency Cybersecurity Cooperation Act” (introduced by Rep. Eliot Engel (D-NY)), would require the FCC to establish an advisory committee known as the “Interagency Communications Security Committee.” The Committee’s eight members would be tasked with reviewing communications security reports submitted to the Committee, recommending investigation into any such security reports to relevant agencies, and issuing reports containing the results of any investigation, findings following each security incident, and any policy recommendations that may arise to the House and Senate Commerce, Intelligence, Armed Services, Homeland Security, and Foreign Affairs committees. The bill requires the head of each agency to submit to the Committee a report of each communications security incident every three months, but notes that the Committee will consider security reports from communications network providers, as well.

In addition, the Interagency Cybersecurity Cooperation Act would amend the Homeland Security Act of 2002 to designate “Communications Networks” as “Critical Infrastructure” and the FCC as a “covered federal agency” capable of receiving Critical Infrastructure information pertaining to communications networks under the same protections currently afforded to information received by the Department of Homeland Security (DHS). “Communications Networks” is defined broadly, and includes any network for providing “wireline or mobile telephone service, Internet access service, radio or television broadcasting, cable service, direct broadcast satellite service, or any other communications service.”

Finally, the third bill, the “Cybersecurity Responsibility Act” (introduced by Rep. Yvette Clarke (D-NY)), would direct the FCC, in consultation with the Secretary of Homeland Security, to issue rules to secure Communications Networks “through managing, assessing, and prioritizing cyber risks and actions to reduce such risks.” The rules would include provisions regarding the treatment of Critical Infrastructure information relating to Communications Networks and, like the Interagency Cybersecurity Cooperation Act, would designate Communications Networks as “Critical Infrastructure” and provide the same protections to the sharing of cybersecurity information with the FCC as is currently provided to the sharing of such information with DHS.

Next Steps

The future of these three Democrat-sponsored bills in the current Republican Congress is unclear. Further, unlike former FCC Chairman Tom Wheeler, who published a white paper detailing the FCC’s cybersecurity priorities, then-Commissioner Pai opined that the FCC’s role in the cybersecurity realm is meant to be “consultative,” rather than one that involves actively regulating the cybersecurity practices of communications providers. Chairman Pai has yet to comment on the three pieces of legislation in the House, which would not only enable, but also require, the FCC to take on a more active regulatory role when it comes to cybersecurity and the communications sector.

Release of Cybersecurity EO May Have Notable Impact in Communications, Energy, and Defense Industrial Base Critical Infrastructure Sectors

The Trump Administration appears likely to release an Executive Order on Cybersecurity.  The most recent draft suggests this Executive Order may have notable impact in the Communications, Energy, and Defense Industrial Base sectors.  However, it remains unclear if and when the current draft will be signed.

President Trump originally was scheduled to sign an Executive Order on Cybersecurity on February 1, 2017, but the signing was postponed.  The original draft Order, titled “Strengthening U.S. Cyber Security and Capabilities,” (the “first draft Order”) articulated a general policy focused on enhancing the nation’s cybersecurity defenses and capabilities, particularly with respect to specified federal systems and critical infrastructures.  Specifically, the first draft Order directed the Department of Defense (“DOD”) and Department of Homeland Security (“DHS”)—in coordination with representatives of the intelligence community—to accomplish three main goals.  First, to conduct a review of cybersecurity vulnerabilities in national security systems, federal networks, and critical civilian infrastructure systems.  Second, to identify the United States’ cyber adversaries.  Third, to conduct a review of the United States’ cybersecurity capabilities, including a review of “U.S. efforts to educate and train the workforce of the future.”

On Friday, February 10, 2017, a revised draft of the Executive Order was circulated.  The revised draft Order, now retitled “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” (the “Revised Order”) is significantly different from the first draft Order and more closely aligns with Executive Order 13636, “Improving Critical Infrastructure Security,” signed by President Obama on February 12, 2013.  Like Executive Order 13636, the Revised Order focuses on an agency-led, risk-based approach to cybersecurity and, in particular, requires federal agencies to adopt the NIST Framework for Improving Critical Infrastructure Cybersecurity (the “NIST Cybersecurity Framework”) to manage cybersecurity risk.  The Revised Order also delegates primary responsibility for developing a comprehensive risk management plan to the Executive Branch, specifically the Office of Management and Budget (“OMB”) and DHS.