
Password Protected

Data Privacy & Security News and Trends

New Threat to Transatlantic Personal Data Transfers: Possible Invalidation of Standard Contractual Clauses

Posted in EU Data Protection, Legislation, Privacy, Surveillance

Since 2013 revelations about U.S. mass surveillance, the transfers of personal data between the EU and the U.S. have encountered regular legal threats: cancellation of the Safe Harbor by the Court of Justice of the European Union (CJEU) in the Schrems case in October 2015, serious criticism from some EU institutions and national data protection authorities concerning the draft of the Privacy Shield, and a declaration by the Article 29 Working Party concerning the future review of standard contractual clauses (SCCs) and binding corporate rules as transfer mechanisms.

After the cancellation of the Safe Harbor, the Irish High Court, from which the referral to the CJEU originated, ordered an investigation of Facebook's international transfers of personal data in the same Schrems case, which is still pending at national level. The result of this investigation was revealed by Max Schrems himself in a May 25, 2016, press release in which he declared:

In an unpublished draft decision of May 24th 2016 the Irish DPC followed the objections of the Complainant Mr. Schrems in the procedure between Mr. Schrems and Facebook Ireland Ltd. Mr. Schrems claimed that Facebook USA continues to be subject to U.S. mass surveillance laws, independent of the use of “model clauses” or “Safe Harbor” and that his data continues to be subject to fundamental rights violations once it reaches the United States.

In consequence of this, the Irish Data Protection Commissioner (the Irish data protection authority) has decided that it will again refer the case to the CJEU to determine the legal status of data transfers to the U.S. under SCCs. The risk that the CJEU will declare transfers to the U.S. based on SCCs vitiated for the same reasons that led to the cancellation of the Safe Harbor is very high. Therefore, it is clear that both the EU and the U.S. have an important common interest in improving the draft of the Privacy Shield still under discussion.

EU-U.S. Privacy Shield: Better or Worse?

Replacing Safe Harbor: EU-U.S. Privacy Shield Announced

U.S. Chamber of Commerce and Business Europe Request Quick, Perennial Safe Harbor Fix

Safe Harbor Invalidated by the CJEU; Are There Other Solutions for Transatlantic Transfers?

Means, Other Than Safe Harbor, of Transferring Personal Data to the U.S. Potentially Vitiated?

CJEU Declares the EU Commission Safe Harbor Decision Invalid

Tracking The Elusive Consumer Data Breach Class Action

Posted in Data breach, Litigation, Retail

Following the Seventh Circuit’s recent decision in Lewert v. P.F. Chang’s China Bistro Inc., 2016 U.S. App. LEXIS 6766 (7th Cir. Ill. Apr. 14, 2016), many commentators quickly pronounced the Seventh Circuit fertile territory for consumer data breach class actions. But, suggesting that such claims will thrive there is a lot like saying the Sasquatch thrives in the Pacific Northwest. Maybe, but the evidence is, at best, grainy and inconclusive.

The Significance and Insignificance of Lewert

Last month in Lewert, the Seventh Circuit reversed the trial court’s dismissal of a putative class action brought by alleged victims of a 2014 data breach. For those following data breach jurisprudence, the conclusion was hardly a surprise. Just last July, the Seventh Circuit became the first federal court of appeals to find standing among data breach victims absent a showing of identity theft or unreimbursed fraud. Remijas v. Neiman Marcus Group LLC, 794 F.3d 688 (7th Cir. 2015). In Remijas, the court held that Article III’s “concrete and particularized injury” requirement was met by “the increased risk of fraudulent credit- or debit-card charges, and the increased risk of identity theft,” “time and money the class members predictably spent resolving fraudulent charges,” and “time and money customers spent protecting against future identity theft.” P.F. Chang’s attempted to distinguish Remijas, arguing that the nature of its breach created less risk of identity theft than in Remijas. Unlike Neiman Marcus, P.F. Chang’s also disputed that the named Plaintiffs’ data had been compromised. The Seventh Circuit brushed aside these distinctions as immaterial at the pleading stage where plaintiffs’ allegations are presumed true.

As a threshold matter, Lewert did not really change anything within the Seventh Circuit. Indeed, the most notable aspect of Lewert may be how closely it hewed to last year’s Remijas decision. The Seventh Circuit still believes that allegations of a payment card data breach can constitute a “certainly impending future harm” sufficient to satisfy the U.S. Supreme Court’s standing analysis in Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1147, 185 L. Ed. 2d 264 (2013). And, it believes that certain victim activities following a payment card data breach — such as purchasing credit monitoring or expending time and resources to guard against identity theft — constitute “present injuries” for Article III purposes. However, the court remained “skeptical” of the plaintiffs’ more creative standing theories, like the plaintiffs’ claim that they would not have dined at P.F. Chang’s had they known of its poor data security or that the plaintiffs had a property right in their personally identifiable data.

So, is Lewert a positive development for future retail data breach plaintiffs? Sure, to a point: it reaffirmed the Seventh Circuit’s divergence from the majority of post-Clapper data breach decisions, which have held that, absent allegations of actual identity theft or other fraud, the increased risk of such harm alone is insufficient to satisfy Article III standing.

Supreme Court: Plaintiff Alleging Statutory Procedural Right Violation Must Show Concrete Injury

Posted in Litigation

On May 16, 2016, the U.S. Supreme Court held in Spokeo, Inc. v. Robins that a bare procedural violation of a statutory requirement, divorced from any concrete harm, does not establish the injury-in-fact necessary to maintain a lawsuit in federal court.  The Court acknowledged, however, that an alleged violation of a procedural statutory right could establish the requisite concrete injury if the violation creates “a risk of real harm.”

The Supreme Court’s ruling has been much anticipated by both sides of the class-action bar. All interested parties must continue to watch and wait, it appears, as the Ninth Circuit will now consider on remand whether the risks created by the alleged violations in this case are sufficient to make the harm to the plaintiff “concrete.”

Plaintiff Thomas Robins alleged that defendant Spokeo, Inc. compiled a personal information report on him that contained inaccurate information—wrongly listing him as married, affluent and holding a graduate degree. According to the plaintiff, that misinformation violated several provisions of the Fair Credit Reporting Act (FCRA), including a requirement to follow reasonable procedures to assure maximum possible accuracy of consumer reports.

The Supreme Court vacated the Ninth Circuit’s prior ruling that the plaintiff had established standing simply by alleging the defendant violated his individualized statutory rights under the FCRA. The law requires that an injury-in-fact be both concrete and particularized to support Article III standing, and the six-Justice majority of the Supreme Court held that the Ninth Circuit’s analysis focused solely on the “particularized” component, thus failing to determine whether the harm was “concrete.”

So what harms are “concrete”? The Supreme Court’s ruling does not preclude the possibility that the violation of a statutory procedural right could constitute an injury-in-fact—provided that it leads to concrete harm.  The Court emphasized that harm need not be “tangible” in order to be concrete, and that the risk of real harm may be sufficient to establish concreteness.

But what does “concrete” mean in this context? The Supreme Court left this issue to the Ninth Circuit to resolve, directing it to consider on remand “whether the particular procedural violations alleged in this case entail a degree of risk sufficient to meet the concreteness requirement.”  The Supreme Court provided further guidance by noting that a report containing an incorrect zip code, while undoubtedly inaccurate, may not create the risk of any real harm.

Under the facts alleged and the statute at issue, the steps of the Ninth Circuit’s analysis on remand seem fairly predictable. (Indeed, Justice Ginsburg’s dissent, joined by Justice Sotomayor, considered the analysis to be so straightforward that it did not require remand.)  The Ninth Circuit will likely examine the type of allegedly inaccurate information in the plaintiff’s personal report, and then determine whether it could create a risk of harm to the plaintiff.

The effect of this decision on class-action standing jurisprudence going forward is more difficult to ascertain, and will almost certainly be context-dependent. Some statutory procedural violations may readily suggest an ensuing risk of harm to the plaintiff.  On the other hand, plaintiffs bringing putative class actions arising from technical violations of a statute (e.g., noncompliance with the font-size requirements of the FCRA, or the inclusion of a reference number on the outside envelope of a debt collection letter under the Fair Debt Collection Practices Act) may have a bit more work to do in their pleadings to try to show a concrete harm.

Financial Industry Associations Agree on Common Cybersecurity Principles

Posted in Cybersecurity, Financial Services Information Management, Legislation, Privacy

On May 9, 2016, the International Swaps and Derivatives Association, the European Banking Federation, and the Global Financial Markets Association (comprised of three other industry associations, including the Securities Industry and Financial Markets Association) published a set of common principles to promote effective global policymaking on cybersecurity, data and technology (the Principles). These industry groups are seeking constructive cooperation with regulators on the principles by submitting them to the Financial Stability Board and the International Organization of Securities Commissions (IOSCO).

The Principles follow a report published in April 2016 by IOSCO that provided an overview of some of the different regulatory approaches related to cybersecurity that IOSCO members have implemented and the different practices that market participants have adopted to address cybersecurity issues.

The Principles appear to be an effort by the financial industry to promote greater international coordination among regulators in the ongoing dialogue regarding cybersecurity in the financial sector. For instance, the IOSCO report functioned primarily as a survey of various regulatory approaches in different jurisdictions, with little emphasis on any preferred approach. In contrast, the Principles highlight the crucial issue that effective policy-making requires recognizing that cybersecurity, data protection and technological advancement in the financial sector is an international issue that requires global solutions.

In addition, the Principles encourage global standards and cooperation in order to mitigate the problem of asking international firms with global platforms to comply with conflicting rules in different markets or jurisdictions, which could lead to increased costs of compliance and fragmented technology systems or risk management processes. The Principles also promote rules that go beyond simply assessing whether a particular institution is compliant with a particular standard and instead ensuring that sufficient resources are in place to manage risk and proactively interact with regulators to assess cyber threats and data protection.

Grappling with cybersecurity, data protection and appropriate technology policies remains an ongoing project for banks, asset managers, funds and insurance companies, as well as for the regulators of those institutions. The costs related to these projects only increase for financial institutions that report to multiple regulators or operate across national boundaries. Encouraging standard-setting bodies to consider core, transparent policies and to receive meaningful input from market participants may help prevent duplicative or inconsistent standards across regulators.

FCC Faces Scrutiny Over Proposed Privacy Rules for Internet Service Providers

Posted in Consumer Privacy/FTC, Data Protection and Competition

The Federal Communications Commission (FCC) has faced intense opposition to its proposed privacy rules for internet service providers (ISPs) – and debate is expected to escalate very soon. The U.S. Senate Committee on the Judiciary begins its review of the proposal tomorrow.

Originally released April 1, 2016, the 147-page Notice of Proposed Rulemaking requires ISPs to acquire customer consent before using customers’ data for certain purposes and mandates that ISPs take additional steps to protect customers’ personal information. According to FCC Chairman Tom Wheeler, “[the] proposal would give all consumers the tools we need to make informed decisions about how our ISPs use and share our data, and confidence that ISPs are keeping their customers’ data secure.”

Under the proposed rule, customers’ data is separated into three categories, with each category requiring a different type of consent from a customer before the ISP may share or use the information. According to the proposed rule, consumers inherently consent to allowing ISPs to use data necessary for the provision and marketing of broadband services by creating a customer-ISP relationship. However, all other customer data would be subject to opt-out or opt-in consent. Specifically, ISPs would be allowed to share consumer data with their affiliates and use the data to market communications-related services unless the customer affirmatively opted out. But ISPs would be barred from using or sharing the customers’ data for all other purposes unless the customer affirmatively opted in.

Additionally, if enacted, the rule would require ISPs to adopt reasonable safeguards to protect consumers’ information, including a mandatory reporting obligation for data breaches. Under the proposed rule, if a data breach occurs, ISPs would be required to inform the FCC within 7 days and the affected customers within 10 days of discovery. If the breach affected more than 5,000 customers, the ISP must also inform the FBI and Secret Service within 7 days.

Since the FCC announced the proposed rule, it has faced strong opposition from members of the telecommunications industry who believe the proposed rule undercuts ISPs’ ability to create and market new products. Additionally, the proposed rule is seen as putting ISPs at a competitive disadvantage by requiring them to obtain affirmative consent to use data when companies that host websites are not required to follow the same rules. According to a press release by CTIA-The Wireless Association, “The FCC’s desired approach would distort competition, confuse consumers and undermine consumer privacy in the mobile economy.”

The debate over the FCC proposed rules is likely to intensify in the coming weeks. The U.S. Senate Committee on the Judiciary will be hosting a session examining the new rules on Wednesday, May 11, 2016, and the FCC will continue to accept comments on the proposed rule until May 27, 2016.

House Sends Email Privacy Act Amendments to Senate

Posted in Legislation, Privacy

On April 29, 2016, in a 419-0 vote, the U.S. House of Representatives passed a bill to amend the 30-year-old Electronic Communications Privacy Act of 1986 (ECPA) to eliminate an exception to the government warrant requirement for old emails stored by Internet service providers (ISPs), and to make other changes.

In 1986, when President Reagan signed the ECPA into law, users of so-called “electronic mail” used dial-up modems to access and retrieve text messages transmitted through their ISPs. At the time, cloud computing options did not exist for typical end users, and it was nearly inconceivable that people would allow messages they intended to retrieve to be stored indefinitely by their ISPs.  Indeed, at the time, some ISPs would automatically convert the electronic messages into hard copy and mail them to the user if the messages were not accessed within a defined period.  Accordingly, at the time, some considered old emails on a third-party server to be abandoned, like yellowing letters in a forgotten mailbox.  The ECPA, which presciently extended Fourth Amendment protections to electronic communications held by third parties, therefore required the government to obtain a warrant for emails held by an ISP 180 days or less, but not for older emails. The Patriot Act left the ECPA’s 180-day distinction unchanged, and the 180-day distinction remains in effect today.

The proposed Email Privacy Act (EPA), H.R. 699, if signed into law, would eliminate the 180-day distinction and require a warrant for both old and recent emails stored by third-party ISPs, among other amendments. The EPA also would affect the ability of ISPs to notify users of government requests for information, including warrant receipts, and would extend the “exigent circumstances” delayed-notification period from 90 to 180 days in some cases.

With dramatic intervening changes to the manner in which people use and store emails, including the advent of cloud computing, the 30-year-old distinction between older and newer emails seems increasingly inconsistent with consumer expectations of privacy. The House of Representatives appears to agree. The Senate, which in the past has considered, but failed to pass, similar amendments, will now decide whether the EPA gets a trip to the president’s desk, or whether the 180-day distinction and existing consumer notification rules should survive the current administration.

Bypassing Encryption Under Court Orders: New Bill Scares the Privacy Community

Posted in Legislation, Privacy

Senators Dianne Feinstein and Richard Burr have released a discussion draft on providing technical assistance to law enforcement seeking to gain access to encrypted information pursuant to a court order. The draft has been available for a while, and the internet is littered with hot takes and reactions. Some segments of law enforcement are supportive, while the privacy community is almost uniformly appalled. In the interest of giving it a fair reading, let’s break down the important parts of the bill.

Microsoft Sues Justice Department Claiming Statute That Authorizes “Gag Orders” Is Unconstitutional

Posted in Litigation, Privacy

Adding to the number of recent, high-profile confrontations between the government and tech companies concerning the limits of government investigations and the protection of privacy interests, last week, Microsoft filed a declaratory suit against the U.S. Department of Justice and the Attorney General of the United States. Microsoft claims that a provision of the Electronic Communications Privacy Act enacted prior to the era of cloud computing violates the First and Fourth Amendments because it allows courts to issue “gag orders” that prevent tech companies from telling customers when federal agents have examined their data, including email content or other private information.

Specifically, under Section 2705(b) of the Electronic Communications Privacy Act of 1986, the government is permitted to apply to the court for an order commanding providers of electronic communications services or remote computing services not to notify “any other person” of the existence of a warrant, subpoena, or court order. Under this provision, the court “shall enter such an order” if it determines that there is “reason to believe” that notification will result in: (1) endangering the life or physical safety of an individual, (2) flight from prosecution, (3) destruction of or tampering with evidence, (4) intimidation of potential witnesses, or (5) otherwise seriously jeopardizing an investigation or unduly delaying a trial.

Microsoft complains that the provision does not require the “reason to believe” to be grounded in the facts of the particular investigation, contains no time limit on the secrecy orders, and does not mandate that the orders be narrowly tailored to further the government’s asserted interests, including by not requiring that the court consider less restrictive alternatives. In its Complaint, Microsoft acknowledges that there may be exceptional circumstances when the government’s interest in investigating criminal conduct justifies an order temporarily barring notifying a customer that the government has obtained the customer’s private communications and data, but it contends that the provision at issue is too broad.

Microsoft explains that its customers are increasingly storing their emails and documents on remote servers owned by third parties (i.e., the cloud) using free web-based services such as Microsoft Outlook, but that this transition does not alter the constitutional requirement that the government, with few exceptions, must give notice when it searches and seizes the private information or communications of individuals or businesses. Microsoft alleges that, as its customers increasingly store their private information in the cloud, the government increasingly seeks and obtains secrecy orders under this provision. Between September 2014 and March 2016, Microsoft received 5,624 federal demands for customer information or data, of which nearly half (2,576) were accompanied by secrecy orders forbidding Microsoft from telling the affected customers that the government was looking at the information. Of these secrecy orders, 1,752 contained no time limit, meaning Microsoft can never inform the affected customers.

Microsoft claims that, by subjecting cloud customers to a different standard by which they are entitled to notice, and not requiring the government to establish that the continuing restraint on speech is narrowly tailored to promote a compelling interest, the provision is facially overbroad under the First Amendment and violates the Fourth Amendment’s protection against unreasonable searches and seizures. Accordingly, Microsoft requests that a federal court in Seattle declare this provision unconstitutional.

This suit highlights the increasing conflicts between government and privacy interests in this new world of technology and the challenges of balancing those interests through the application of existing law. With this case, a court will have to define the boundaries of these balancing interests and the extent of privacy interests over emails, documents, photos, and other data stored in the cloud in company data centers.

Revenge of the Dorks: Their Time Has Come and They Might be Malicious

Posted in Cybersecurity, Data breach, Financial Services Information Management, Privacy

*******************************************************

Oxford English Dictionary:  ‘dork,’ informal, A dull, slow-witted or socially inept person.

Wikipedia: ‘Google Dorking,’ a computer hacking technique that uses Google Search and other Google applications to find security holes in the configuration and computer code that websites use.

*******************************************************

A nerd. A dork. A geek. You’ve seen them. You know them. Maybe you are one of them. And you definitely know the type. In fact, it was way back in the 1980s when a group of bullied collegiate outcasts rose up to defeat an alpha-male fraternity using superior technological prowess and brain power. Pretty sure they became billionaires. Pretty sure they married supermodels. Yes, the nerds had their revenge. And it was glorious.

Time has passed. And that glory has faded. Faded into the dark abyss of something more nefarious, more sinister. Technological skills and capabilities are sought-after weapons. Yet the individuals that wield these powers are unlikely to be characterized by most as the hero protagonists of the stories featuring them.

In just another recent but dangerous example of the threats posed by the Internet of Things, a hacker with direct ties to Iran’s Islamic Revolutionary Guard, Hamid Firoozi, was charged by the U.S. Department of Justice for successfully hacking into a computer that controlled the “sluice gates” of the Bowman Avenue Dam in Rye, N.Y. In the Justice Department’s first public indictment against hackers tied to the Iranian government, Mr. Firoozi was also charged along with six other Iranians for conducting and coordinating a relentless campaign of distributed denial of service (DDoS) attacks against 46 major companies, primarily connected to the U.S. financial sector.

As fascinating and alarming as it is that hostile government agents were able to take control of a U.S. dam’s sluice gate, and thus potentially have the ability to control the dam’s water flow and levels, the more disturbing part of the story is the ease with which this can be accomplished using a decade-old hacking technique known as “Google dorking.”

Google dorking has apparently been used for years by white and black hat hackers alike because it is so simple and effective at identifying networks with inadequate security and points of entry for an intrusion. Mr. Firoozi allegedly used the Google dorking technique for months before he found an unprotected computer located at the Bowman Avenue Dam, a suitable infrastructure target near New York City.

Essentially, Google dorking involves manipulating Google’s search engines and search results by utilizing advanced text operators. It would appear that Google’s vast cataloguing of data has created often-misunderstood vulnerabilities that can be exploited with ease. Much like the threat HDTV poses to actors with skin issues, Google Search can seemingly highlight to those with the technological skills that your network security is vulnerable.

Revenge of the Nerds was a classic comedy. Clearly, “Revenge of the Dorks” is going to be a very dark comedy at best and will serve as a relentless reminder of the importance of data security.

New Tough and Harmonized Framework for EU Data Protection

Posted in EU Data Protection, Legislation

On April 8, 2016, the Council of the EU adopted the final text of the General Data Protection Regulation (GDPR). On April 14, the EU Parliament approved the Council’s decision. Twenty days after its publication in the Official Journal of the EU, the GDPR will enter into force (very likely in May 2016) and two years after this entry into force, it will be applicable and will replace the current Directive 95/46 (very likely in May 2018). What are the practical impacts of this new legislation?

First, the main principles of the current Directive will remain. Although some changes will have a great impact on the day-to-day practice of companies, the GDPR mainly raises EU standards by recognizing previous best practices, case law and non-binding opinions of certain authorities. The major evolution probably results from the legal form of the instrument: a Regulation, rather than a Directive. This means that the GDPR’s provisions can be directly invoked by individuals and directly enforced against companies without implementation through variable national legislation. Hence, contrary to the Directive, the text is fully consistent and comprehensive. This is progress for multinationals with subsidiaries in several member states.

Below are some key provisions of the GDPR:

  • Territorial scope. The GDPR applies, notably:
    • to processing carried out in the context of the activities of a controller/processor established in the EU, regardless of whether such processing takes place in the EU or not; and
    • to processing of personal data of data subjects who are in the EU, even if the controller/processor is not established in the EU, provided that the processing activities relate to (i) an offer of goods or services to data subjects in the EU, or (ii) the monitoring of their behavior as far as their behavior takes place within the EU.
  • Consent. If consent is the relevant legal basis for processing, the GDPR clearly states that it can never be implicit and must result from unambiguous and positive actions directly relating to the purpose of the processing.
  • Accountability. Data protection law is no longer a simple declaratory or documentary matter; controllers must be able to demonstrate concrete compliance with and implementation of the GDPR’s principles.
  • Privacy by design and by default. Controllers must implement technical and organizational measures ensuring that, from the determination of the means for processing, such processing complies with the GDPR and that, by default, only data that are necessary for each specific purpose are processed.
  • Data Protection Impact Assessment (DPIA). Where the processing relates to certain sensitive operations or data, the controller must carry out a DPIA and provide the documented assessment to authorities, describing, assessing and mitigating the risk associated with each processing activity.
  • Data Protection Officer (DPO). Where the processing relates to certain sensitive operations or data, the controller/processor must designate a DPO, mainly to ensure compliance with the GDPR and communicate with data subjects and authorities.
  • Controller/Processor. Regarding most of the GDPR’s requirements, the processor is jointly and severally liable with the controller.
  • Data breach. The GDPR sets out criteria and deadlines for notifying data breaches to authorities and, in some cases, to data subjects.
  • Sanctions. In the case of infringement, the GDPR entitles national data protection authorities to impose fines that are greatly increased compared with the current national laws. These fines may amount to:
    • 2 percent of the total worldwide annual turnover for a minor offense, and
    • 4 percent of the total worldwide annual turnover for a major offense.

On April 14, the EU Parliament also adopted a new Directive on data transfers for police and judicial purposes.

As indicated above, the GDPR will be applicable in about two years, which is a sufficient (but not excessive) period of time to prepare for compliance and accountability.

For more information on the GDPR, please refer to the following prior Password Protected blog posts:

2016: A Turning Point For Personal Data Protection

EU Happy Holiday Present: The GDPR