As businesses increasingly work with various types of third parties that process sensitive information and, in some cases, access a company’s networks, there is an inherent risk:  these third parties create new avenues of attack against a company’s data, systems, and networks.   Covington attorneys David Fagan, Nigel Howard, Kurt Wimmer, and Elizabeth Canter describe these

In May 2015, reports about the German government’s plans to establish federal German cloud infrastructure (the “Bundes-Cloud”) raised concerns about the possible introduction of data localization requirements (preventing the storage and processing of data outside Germany).  The criteria for the use of cloud services by Germany’s federal administration, which have recently been published, now give shape to these concerns.
Continue Reading Data Localization Requirements Through the Backdoor? Germany’s “Federal Cloud”, and New Criteria For the Use of Cloud Services by the German Federal Administration

By Susan Cassidy and Alex Sarria

On August 26, 2015, the Department of Defense (DoD) issued an interim rule that significantly expands the obligations imposed on defense contractors and subcontractors to safeguard “covered defense information” and for reporting cyber incidents on unclassified information systems that contain such information.  The interim rule revises the Defense Federal

Yesterday, several big tech companies that offer educational and school services signed the “Student Privacy Pledge,” introduced by the Future of Privacy Forum (“FPF”) and The Software & Information Industry Association (“SIIA”) to safeguard student privacy as it relates to the collection, maintenance, and use of students’ personal information.  Among the fourteen education tech companies representing the initial group to join SIIA and FPF in introducing the Pledge are Microsoft, Amplify, and Houghton Mifflin Harcourt.  Notably, tech giants Google and Apple were absent from the list of signatories.  As part of the Pledge, effective January 1, 2015, participating companies agree to the following commitments:

  • Not to collect, maintain, use or share student personal information beyond that needed for authorized educational/school purposes, or as authorized by the parent/student
  • Not sell student personal information
  • Not to use or disclose student information collected through an educational/school service (whether personal information or otherwise) for behavioral targeting of ads to students
  • Not to build a personal profile of a student other than for supporting authorized educational/school purposes or as authorized by the parent/student
  • Not to make material changes to school service provider consumer privacy policies without first providing prominent notice to the account holder(s) (i.e., the educational institution, or the parent/student when the information is collected directly from the student with student/parent consent) and allowing them choices before data is used in any manner inconsistent with terms they were initially provided; and not to make material changes to other policies or practices governing the use of student personal information that are inconsistent with contractual requirements
  • Not knowingly retain student personal information beyond the time period required to support the authorized educational/school purposes, or as authorized by the parent/student
  • Collect, use, share, and retain student personal information only for purposes for which companies are authorized by the educational institution, teacher, or the parent/student
  • Disclose clearly in contracts or privacy policies, including in a manner easy for parents to understand, what types of student personal information is collected and the purposes for which the information maintained is used or shared with third parties
  • Support access to and correction of students’ personally identifiable information by the student or their authorized parent, either by assisting the educational institution in meeting its requirements, or directly, when the information is collected from the student with student/parent consent
  • Maintain a comprehensive security program reasonably designed to protect the security, privacy, confidentiality, and integrity of student personal information against risks – such as unauthorized access or use, or unintended or inappropriate disclosure – through the use of administrative, technological, and physical safeguards appropriate to the sensitivity of the information
  • Require that vendors with whom students’ personal information is shared in order to deliver the educational service are obligated to implement these same commitments
  • Allow a successor entity to maintain the students’ personal information, in the case of a merger or acquisition, provided the successor is subject to these same commitments for previously collected student personal information


Continue Reading Microsoft and Other Leading K-12 School-Service Providers Pledge To Protect Student-Data Privacy

This summer, the International Standards Organization (ISO) adopted a new voluntary standard governing the processing of personal data in the cloud — ISO 27018.  Although this recent development has gone mostly unnoticed by the technology and media press to date, the new cloud standard provides a useful privacy compliance framework for cloud services providers that addresses key processor (and some controller) obligations under EU data protection laws.

ISO 27018 builds on existing information security standards, such as ISO 27001 and ISO 27002, which set out general information security principles (e.g., securing offices and facilities, media handling, human resources security, etc.).  By contrast, ISO 27018 is tailored to cloud services specifically and is the first privacy-specific international standard for the cloud.  ISO 27018 seeks to address such issues as keeping customer information confidential and secure and preventing personal information from being processed for secondary purposes (e.g., advertising or data analytics) without the customer’s approval.  ISO 27018 also responds directly to EU regulators’ calls for the introduction of an auditable compliance framework for cloud processors to increase trust in the online environment (see the European Commission’s 2012 Cloud Strategy here).

Continue Reading ISO’s New Cloud Privacy Standard

In his State of the Union message on Tuesday, President Obama announced that he had signed an Executive Order addressing the cybersecurity of  critical infrastructure.  President Obama emphasized that in the face of threats to corporate secrets, the power grid, and financial institutions, among others, “We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”

The Executive Order follows legislative efforts in the last Congress to pass comprehensive cybersecurity bills.  After the Cybersecurity Act of 2012 (S. 3414) failed to pass in August 2012, Deputy National Security Adviser John Brennan mentioned in an appearance at the Council on Foreign Relations that the President was considering issuing an Executive Order to implement portions of the cybersecurity legislation.  In the subsequent months, the White House sought industry input on the Order.

The Order has two main components: increasing information sharing from the government to the private sector and establishing a Cybersecurity Framework to buttress the security of critical infrastructure. 

Continue Reading President Obama Issues Cybersecurity Executive Order

On February 7, 2013, the Payment Card Industry (PCI) council released a supplement to the payment card industry data security standards (PCI-DSS) on the use of cloud technologies and considerations for maintaining PCI DSS controls in cloud environments.  The supplement is intended for merchants, service providers, assessors, and other entities in evaluating the use of

Last Friday, Rep. Zoe Lofgren (D-CA) introduced the ECPA 2.0 Act, H.R. 6529, which would strengthen the legal standards for law enforcement to gain access to electronic communications and location information.  The Electronic Communications Privacy Act (ECPA) is more than 25 years old and is widely seen as needing modernization to address changes in digital storage, the cloud, and location-based services.  As we’ve previously noted, government access to location information is an ongoing issue for legislators, courts, and government officials.  

Continue Reading Rep. Lofgren Introduces Legislation to Update ECPA

On July 10, the Federal Financial Institutions Examination Council (FFIEC) issued risk management guidance for depository institutions’ use of cloud computing.  The guidance defines cloud computing generally as “a migration from owned resources to shared resources in which client users receive information technology services, on demand, from third-party service providers via the Internet ‘cloud.’”  The guidance also considers cloud computing to be a form of outsourcing subject to the risk management requirements set forth in the FFIEC Information Technology Examination Handbook for Outsourcing Technology Services.

Continue Reading FFIEC Issues Risk Management Guidance for Cloud Computing

As of March 1, 2012, all companies storing the personal information of Massachusetts residents with a third-party service provider must contractually require the service provider to maintain data security measures “consistent” with the Massachusetts data security regulations.  (You can read our overview of these regulations here.)

Among other things, those regulations—most of which took