Personal Information

The second annual study on data breach preparedness was released by the Ponemon Institute on September 24, and the study indicates that the number of companies that have had a data breach is on the rise.

Ponemon Institute conducts independent research on privacy, data protection, and information security policy.  For the September 2014 study, Is Your Company Ready for a Big Data Breach?, Ponemon Institute surveyed 567 U.S. executives from organizations ranging in size from less than 500 to more than 75,000 employees about how prepared they think their companies are to respond to a data breach.

It appears that for an overwhelming number of the study’s participants, the answer to “Is your company ready for a big data breach?” is, unfortunately, “No.”

Continue Reading Ponemon Institute Releases Second Annual Study on Data Breach Preparedness

The Federal Trade Commission (“FTC”) has approved final orders settling charges against Fandango and Credit Karma that the companies misrepresented the security of their mobile apps and failed to protect the transmission of consumers’ sensitive personal information.  The FTC specifically alleged that, although the companies made security promises to consumers
Continue Reading FTC Settlement Requires Fandango and Credit Karma to Establish Comprehensive Security Programs to Protect Consumers’ Sensitive Personal Information

The Organization for Economic Cooperation and Development (“OECD”) has revised its Guidelines governing the Protection of Privacy and Transborder Flows of Personal Data. The revision was triggered by changes in personal data usage as well as new approaches to privacy protection since the adoption of the first Guidelines back in 1980, which were the first set of internationally agreed privacy principles. Whereas the eight basic principles of the 1980 Guidelines (namely the collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation and accountability principles) are maintained, the revised Guidelines introduce a number of new concepts and changes to the OECD privacy framework, implementing a risk-based approach. These include: 

  • implementing privacy management programs – essential elements discussed in this respect include privacy policies, employee training and education, provisions for sub-contracting, audit process and privacy risk assessment;
  • introducing mandatory data security breach notification – requiring notification to the privacy enforcement authority where there is a significant security breach affecting personal data and notification to individuals where such a breach is likely to adversely affect individuals;
  • the need for privacy enforcement authorities and national privacy strategies – the revised Guidelines recognize the need to establish authorities with the governance, resources and technical expertise necessary to exercise their powers effectively and to make decisions on an objective, impartial and consistent basis; they also promote the development of a coordinated approach across governmental bodies up to the highest levels; Member countries should also consider complementary measures, including education and awareness raising, skills development and the promotion of technical measures;
  • improving global interoperability – to be improved through international arrangements (examples mentioned include the U.S.-EU Safe Harbor framework, the EU Binding Corporate Rules and the Council of Europe Convention 108 on the Automated Processing of Personal Data) and global cooperation among privacy enforcement authorities.

Continue Reading Revised OECD Privacy Guidelines Strengthen Accountability Principle

Under the so-called e-Privacy Directive, providers of publicly available electronic communications services (primarily telecom providers and ISPs) are obliged to notify the competent national authorities and, in certain cases, also the subscribers and individuals concerned, of personal data breaches. In order to ensure consistency in the implementation of this notification obligation by the EU Member States, the European Commission has adopted technical implementing measures in the form of Regulation No 611/2013 on the notification of personal data breaches in the electronic communications sector, which entered into force on 25 August.

The Regulation, which has direct effect in all EU Member States, specifies the circumstances, the format and procedures applicable to these notification requirements under the e-Privacy Directive in case of personal data breaches (that is, any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the EU).

Continue Reading Data Breach Notification within 24 hours in the Electronic Communication Sector – An Example to Follow in the Reform of the EU Data Protection Directive?

By Eric Carlson & Scott Livingston

On August 27, 2013, state-run China Central Television broadcast a taped confession of detained British fraud investigator Peter Humphrey confessing to having used “illegal means” to obtain the personal information of Chinese citizens.  This highly unusual broadcast of a confession made by a foreigner in China, along with other recent actions against data privacy violations, suggests an increasing focus by Chinese authorities on enforcement of laws and regulations relating to the protection of an individual’s personal information, and underscores the growing need for companies with operations in China to ensure their personal data collection, handling, and transfer policies comply with national laws and regulations.

Continue Reading British Fraud Investigator Admits on Chinese State TV to Illegally Purchasing and Selling Personal Information

On July 16, 2013, China’s Ministry of Industry and Information Technology (“MIIT”) promulgated the Provisions on Protecting the Personal Information of Telecommunication and Internet Users (“Internet Provisions”).  The Internet Provisions, which take effect September 1, 2013, provide specific implementation rules for the collection and use of “user’s personal information” by telecommunication and internet information service providers (“TSPs” and “IISPs,” respectively), based on a more generally addressed national law protecting “personal electronic information” issued in December 2012 and entitled Decision of the Standing Committee of the National People’s Congress on Strengthening Online Information Protection (see our previous client alert here).

“IISPs” is a broad category that includes all companies utilizing a mainland-based website (i.e. a website registered with or licensed by MIIT) to collect personal information (“PI”) from their customers or site visitors.  “TSPs” are those entities providing access to telecommunications services, such as China Mobile.

Continue Reading China Issues Comprehensive Regulation on Collection and Use of Personal Information by Websites and Telecommunication Service Providers

A bill titled the “Right to Know Act of 2013” (AB 1291), which was first introduced by Assembly Member Bonnie Lowenthal this past February, continues to gather momentum in the California legislature.  The Right to Know Act would repeal and re-write Cal. Civ. Code § 1798.83 (often referred to as the California Shine the Light law) to contain a new requirement.

The new proposed Section 1798.83 would require any business (either online or offline) that retains the personal information of a California resident to provide, upon request by that resident, a copy of all retained personal information pertaining to that resident.  It also would require businesses to provide the categories of the resident’s personal information that were disclosed to third parties over the past twelve months as well as the names and contact information of these third parties.  Disclosures made to third-party service providers for purposes of performing a specified service would not be included in this requirement.  Notably, the revisions to the statute would require businesses to produce personal information collected about a California resident in a variety of contexts, including data collected from that resident in the course of “purchasing, viewing, accessing, renting, leasing, or otherwise using real or personal property, or any interest therein, or obtaining a product or service from the business including advertising or any other content.”  Only California residents would be eligible to make a request, and businesses would be required to comply with such requests free of charge and within 30 days.

Continue Reading Proposed California “Right to Know” Act Would Require Broad Disclosures To CA Residents

On Monday, the California Supreme Court, by a slim 4-3 majority, held that California’s Song-Beverly Credit Card Act of 1971 (“Song-Beverly”) does not apply to online purchases in which a product is downloaded electronically, finding that Apple was not liable under the statute for collecting plaintiff Krescent’s telephone number and address in order to complete credit card purchases of various digital downloads from the iTunes store.

In a lengthy opinion that considered the statutory text and legislative history, the Court overturned a lower court’s finding that Song-Beverly prohibited Apple from collecting personal identification information (“PII”) in connection with an online transaction.  Song-Beverly generally prohibits retailers from requesting or requiring as a condition to accepting credit card payment, that the cardholder be required to provide PII upon a credit card transaction form or otherwise.  In Pineda v. Williams Sonoma Stores—decided in early 2011—the California Supreme Court held that ZIP codes were PII, and that the defendant had violated Song-Beverly by requesting the plaintiff’s ZIP code during a credit card transaction that took place in a traditional brick-and-mortar retail store, a decision that spurred a wave of Song-Beverly litigation in California.

In Krescent, the California Supreme Court determined that Song-Beverly was enacted by the California legislature with the intent of safeguarding consumer privacy while also protecting consumers and retailers from undue risk of fraud.  It then reasoned that online purchases are different from brick-and-mortar purchases: 

“The safeguards against fraud that are provided in section 1747.08(d) are not available to the online retailer selling an electronically downloadable product.  Unlike a brick-and-mortar retailer, an online retailer cannot visually inspect the credit card, the signature on the back of the card, or the customer’s photo identification.  Thus, … the key antifraud mechanism in the statutory scheme … has no practical application to online transactions involving electronically downloadable products.”

Continue Reading CA Supreme Court Holds That Song-Beverly Does Not Apply To Online Purchases For Electronic Downloads

China’s Standardization Administration recently released a long-awaited national standard related to personal information.  Entitled Information Security Technology — Guidelines for Personal Information Protection Within Public and Commercial Services Information Systems (信息安全技术公共及商用服务信息系统个人信息保护指南) (“Guidelines”), the new standard will take effect February 1, 2013.  The Guidelines are voluntary and lack the force of law.  They nevertheless clarify key expectations for relevant actors collecting personal information (“PI”) and outline how PI is to be handled in four phases: collection, processing, transfer, and deletion, with voluntary requirements for each phase.  The Guidelines also set out eight “basic principles” for handling of PI within China.

China has two types of standards: mandatory and voluntary.  As a voluntary standard, the Guidelines may impact companies operating in China in two principal ways.  First, while the Guidelines lack the force of law, they might serve as a regulatory baseline for PRC judicial and law enforcement authorities to judge a company’s data privacy efforts in criminal or civil litigation or in administrative proceedings.  The Guidelines also may reflect an evolving consensus by China’s policy-makers regarding data privacy that may be further extended in subsequent binding legislation.  In particular, the voluntary nature of the Guidelines, along with the creation of the industry self-regulatory group discussed below, may indicate that China intends to place greater emphasis on self-regulatory efforts in its emerging data privacy protection framework.

Continue Reading China Releases National Standard for Personal Information Collected Over Information Systems; Industry Self-Regulatory Organization Established

A recent decision by a Shanghai court sheds new light onto a vague provision of the PRC Criminal Law and highlights the challenges faced by foreign companies overseeing local operations in China.

On September 28, 2012, Dun & Bradstreet’s local operating subsidiary Shanghai Roadway D&B Marketing Services Co., Ltd. (“Roadway”) was charged by the Shanghai public prosecutor with “illegally obtaining private information from Chinese citizens.”  As reported by the Chinese press, the private information included the personal data of 150 million Chinese citizens, including their income, job titles, and addresses.

On January 9, 2013, the Wall Street Journal reported that the Shanghai Zhabei District Court found Roadway guilty of illegally purchasing the personal information of private citizens and fined the company RMB $1 million (US $160,648).  Four employees involved in the illegal purchase were also sentenced to up to two years in jail and each fined between RMB $5,000 and RMB $10,000 (US $800 to $1600).

Continue Reading Dun & Bradstreet Reportedly Fined RMB $1 Million for Illegally Obtaining Personal Information in China; Four Employees Imprisoned