On March 3, 2016, the UK’s Information Commissioner’s Office (“ICO”) released new guidance on encryption.  The guidance aims to provide advice to organizations on protecting personal data (such as customer and employee data) through the use of encryption.  There is no legally-binding requirement under UK data protection law to encrypt data, either when static or

A report released yesterday by the Berkman Center for Internet & Society at Harvard University addresses the recent debate over the use of encryption in communications technologies and its impact on government access to communication data.  The report focuses on the U.S. government’s use of the “going dark” metaphor to describe recent decisions by several major providers of communications services and products to enable end-to-end encryption on their applications, operating systems, and mobile devices.

According to the report, the government’s use of the “going dark” metaphor to describe this phenomenon dates back to at least 2010, when the FBI’s then-General Counsel Valerie Caproni used the term in testimony before the Senate Judiciary Committee.  The report acknowledges that views on encryption differ within the government, and that the Obama administration announced in October 2015 that it would not pursue legislative action to force companies to decrypt data in response to government requests.  It notes, however, that several recent statements by FBI Director James Comey and others in the law enforcement and intelligence communities have expressed concern that encryption technologies inhibit access to communications even when the government has the legal authority to access them.  This, in turn, could limit the government’s ability to prevent terrorist attacks or investigate and prosecute criminal activity. 
Continue Reading Report Questions Use of “Going Dark” to Describe Encryption Trends

By Lindsey Tonsager and Megan Rodgers

The FTC held its “Start with Security” conference in San Francisco, California, last week, launching an initiative to provide companies with practical resources for implementing effective data security strategies.

The event was targeted at tech start-ups and small- and medium-sized businesses, but the panelists included representatives from companies with mature and well-resourced data security programs.

The panelists agreed that achieving greater data security is cheaper and easier to accomplish when it is considered early in the secure app development lifecycle. At the same time, panelists also acknowledged that companies face a myriad of potential security risks that must be balanced and prioritized, and that it may be more difficult for larger companies with complicated systems to adapt their practices to address evolving security risks.

Below are some practical tips the panelists provided for building a culture of “security by design”:
Continue Reading Start With Security: Key Takeaways from the FTC’s Data Security Conference

Earlier this week, the FTC notified Verizon by letter that it has closed its investigation into whether Verizon violated Section 5 of the FTC Act by failing to secure certain routers supplied to the company’s broadband subscribers.  The FTC’s investigation centered on Verizon’s practice of supplying routers that incorporated an outdated default security setting, an encryption standard known as Wired Equivalent Privacy (“WEP”).  According to the FTC, flaws in WEP were identified by researchers in 2004, but Verizon continued until recently to ship some WEP router models, which left some Verizon subscribers vulnerable to hackers.

In its letter, the FTC explained that the following factors led it to close its investigation:

  • Verizon’s overall data-security practices related to its routers.
  • Verizon’s efforts to mitigate the risk that subscribers using WEP-model routers would be vulnerable to hackers, including:
  1. removing the WEP-model routers from distribution centers and setting them to Wi-Fi Protected Access 2 (“WPA2”), ensuring that routers distributed in the future would be set by default to WPA2;
  2. implementing an outreach campaign to subscribers currently using WEP or no encryption, and requesting that those subscribers change their security settings to WPA2; and
  3. offering upgrades to WPA2-compatible units for subscribers in possession of older, incompatible routers.
Continue Reading FTC Closes Investigation After Verizon Fixes Encryption Problems With FiOS and DSL Routers

On October 15, 2014, the UK Information Commissioner’s Office (ICO) published an updated code of practice for surveillance cameras.  Among other topics, the ICO uses the Code to begin to address privacy practices for drones. 

Drones are not new, but two factors are now making questions about drones and privacy practices more pressing.  First, many drones now include high quality cameras, sourced originally from smart phone technologies, which increases their potential impact on individual privacy.  Second, the price of drones has fallen dramatically in recent years — making them increasingly ubiquitous and available for both businesses and consumers.  Policymakers in the United Kingdom and in the European Union are currently gathering information and conducting impact assessments to determine whether new legislative rules are needed to deal with the privacy challenges posed by drones, or whether existing data protection rules are sufficient. 

The ICO guidance note makes clear that standard data protection rules (and rules governing the use of CCTV cameras) will, in the meantime, apply to the use of drones.  It explains that — as with organizations and individuals handling data more generally — drone users should be separated out into professional and commercial users, on the one hand, and hobbyists, on the other.  Hobbyists, using drones for purely domestic purposes, are unlikely to be covered by data protection rules — but use of drones for non-domestic purposes will be governed by data protection requirements.
Continue Reading ICO Releases Concrete Guidance on Privacy Requirements When Recording Video with Drones

The Federal Trade Commission (“FTC”) has approved final orders settling charges against Fandango and Credit Karma that the companies misrepresented the security of their mobile apps and failed to protect the transmission of consumers’ sensitive personal information.  The FTC specifically alleged that, although the companies made security promises to consumers that their information was adequately

Recently, HHS Office of Civil Rights (OCR) announced that it has entered into settlement agreements with two entities following enforcement actions, both arising from stolen laptops that were not encrypted in accordance with the Security Rule. 

According to HHS, an unencrypted laptop was stolen from a physical therapy center in Springfield, Missouri.  The center was part of a larger health system, Concentra Health Services.  Through conducting required HIPAA risk analyses, Concentra had previously recognized that the lack of encryption on its devices posed a security risk.  However, HHS found that Concentra’s efforts to address this risk were “incomplete and inconsistent over time.”  Concentra has agreed to pay over $1.7 million to settle potential violations, as well as to submit a corrective action plan.  This significant monetary penalty suggests HHS will not look favorably upon violations of the Security Rule that the covered entity has documented but not taken reasonable efforts to correct.

Continue Reading Two HIPAA Settlements Follow Stolen Laptops

California Attorney General Kamala Harris has sued the Kaiser Foundation Health Plan for failing to promptly notify employees about a 2011 data breach.  California’s breach notice law requires breaches of personal information to be disclosed “in the most expedient time possible and without unreasonable delay.” Harris alleges that Kaiser violated this requirement after taking too

Yesterday, the FTC announced that it has settled charges against Upromise, Inc., a company that enables consumers to receive rebates when shopping at partner merchants.  (The rebates are placed in college savings accounts—hence Upromise’s name.)  According to the Commission’s complaint, Upromise offered online users a toolbar feature, which, when downloaded, would highlight Upromise’s partners

According to the annual Ponemon Institute survey report released March 8, 2011, in 2010 U.S. companies affected by data breaches incurred an average cost of $7.2 million per incident.  (In comparison, in 2009, companies reported an average cost of $6.75 million.)  The Ponemon survey identified a number of other interesting trends:

  • Companies are responding to data