
Password Protected

Data Privacy & Security News and Trends

Pokémon Go: Catching More Than Just Users

Posted in Consumer Privacy/FTC, Cybersecurity, Data breach, Privacy, Social Media

Since its release on July 6, 2016, Pokémon Go has unofficially become the most successful mobile app to date. Generating over 2 million dollars in revenue per day, it already has more daily users than Twitter, and the highest average time spent per day, more than WhatsApp, Instagram and Snapchat. But that level of success does not come without data challenges.

Pokémon Go is a free, location based augmented mobile reality game developed by Niantic and published by The Pokémon Company. To play the game, a user downloads the app, creates an account, logs in, and based on their physical location the app alerts the user to nearby Pokémon available for capture. The app accesses a user’s camera and GPS to allow a player to capture and battle Pokémon in virtual reality.

It was not long after its release that Pokémon Go was caught up in its first data privacy problem. By downloading the app, Pokémon Go users had given the app full access to their personal Google account, meaning the app was granted access to see and modify Google user account information, including everything stored in Google Drive.

When this error came to light, just six days after the app was released, the Pokémon Company and Niantic released a joint statement that the app “erroneously request[ed] full access permission for the user’s Google account.” The statement went on to say that the app “only accesses basic Google profile information (specifically, your User ID and e-mail address) and no other Google account information is or has been accessed or collected.”

After discovering the problem, Niantic released a security patch to correct it and limit the data collection to the more basic e-mail and User ID information. A review of Pokémon Go’s current Privacy Policy and Terms of Use does not reveal any unusual or unexpected data collection policies. In fact, the data security concerns were pushed aside as the app, which forces the user to physically move around to find and capture Pokémon, has been applauded for successfully integrating mobile phones with physical activity. Nevertheless, the app’s unprecedented popularity has opened it up to extreme scrutiny, including catching the attention of Senator Al Franken, ranking member on the Senate Privacy, Technology, and the Law Subcommittee.

Senator Franken sent a letter to Niantic about the app’s privacy policy. The letter outlines seven specific questions about the app’s privacy policy including why Pokémon Go collects location data and asks for a list of Pokémon Go service providers with access to user information. The Senator requested a response by August 12, 2016.

While there are no official investigations into the app’s data policies, given the Federal Trade Commission’s interest in mobile privacy, location tracking and consumer protection, it is likely the agency will be keeping a close eye on the app to ensure Pokémon Go has followed appropriate consumer protection measures. There is also an opportunity for the Federal Communications Commission to get involved. Using Pokémon Go can quickly consume a user’s data plan. In response to that concern, telecommunication carriers are already considering a new kind of data plan, offering customers unlimited or free data for a period of time while using Pokémon Go. The practice of not charging a customer for specific data is known as zero-rating. The FCC’s net neutrality rules prevent access providers from prioritizing content, but they do not ban zero-rating policies. Zero-rating is not new to telecommunications, but its application to Pokémon Go comes at an interesting time because of its similarity to net neutrality.

Despite the questions surrounding the app’s data policies, there is no obvious damage to Pokémon Go’s success. Within a week of release Pokémon Go faced, and arguably recovered from, its first major data privacy problem. But that is just the beginning for Pokémon Go. Internet hackers have already targeted the app, claiming to have shut it down for a period of time on July 16th and July 17th. Nevertheless, nothing seems to be slowing down the growth of Pokémon Go, which has caught the attention of millions of users worldwide and a few lawmakers as well.

Time Will Tell: Implications of the Recently Adopted EU – U.S. Data Transfer Framework

Posted in EU Data Protection, Legislation, Privacy

The EU-U.S. Privacy Shield has been formally adopted by the European Commission, enabling U.S. companies who sign up to the framework to receive personal data from the EU. The new deal replaces the previous Safe Harbor framework, which was invalidated by the Court of Justice of the European Union (CJEU) last October.

The new framework includes enhanced privacy protections, including stronger rules regarding onward transfers, data retention and redress. One key development is that the Privacy Shield will be reviewed on an annual basis allowing it to evolve and adapt to future technological and legal developments.

Time will tell whether companies have confidence in the Privacy Shield and decide to rely on it as a means to justify their personal data transfers to the U.S. Major technology companies are already showing their commitment, with Microsoft issuing a statement welcoming the decision and announcing that it will sign up to the new framework as soon as possible. Digital Europe, a group representing the European digital technology industry, has also commended the approval.

The Privacy Shield will undoubtedly face legal challenge with privacy activists already threatening to take the agreement to court. Max Schrems, the individual responsible for bringing forward the CJEU case C-362/14 that invalidated the Safe Harbor decision, has criticized the deal and said that it is “very likely to fail again, as soon as it reaches the CJEU”.

Nevertheless, the Privacy Shield is an important step and provides some legal certainty for companies that have been left in limbo since the Safe Harbor invalidation. Without Safe Harbor, businesses have relied on Model Clauses and Binding Corporate Rules, both of which have their limitations. This approval is ever more important in light of the legal challenge against the Model Clauses. In addition, a key uncertainty is how the UK will participate in the Privacy Shield in light of Brexit.

This decision means that, subject to any successful challenges, U.S. internet giants and cloud businesses will be able to continue to operate in Europe and retain EU data on servers in the U.S. It also enables the thousands of small and medium-sized businesses to continue sending EU citizens’ personal data to the U.S., which is critical for everyday business. U.S. businesses will be able to self-certify their compliance with the Privacy Shield from 1st August, and an annual re-certification system will be in place.

For more information on the Privacy Shield and Safe Harbor, please refer to the following prior Password Protected blog posts:

Criticisms over the Draft Adequacy Decision by the European Data Protection Supervisor: Final Lap for the Privacy Shield?

EU-U.S. Privacy Shield: Better or Worse?

Replacing Safe Harbor: EU-U.S. Privacy Shield Announced

U.S. Chamber of Commerce and Business Europe Request Quick, Perennial Safe Harbor Fix

Safe Harbor Invalidated by the CJEU; Are There Other Solutions for Transatlantic Transfers?

Means, Other Than Safe Harbor, of Transferring Personal Data to the U.S. Potentially Vitiated?

Save the Date: McGuireWoods Annual European Data Protection and Security Conference

Posted in Data Protection and Competition, Data Security, EU Data Protection

EU Data Privacy

September 27, 2016 | London

Learn more about data protection laws in light of BREXIT. The conference is designed for in-house counsel, risk managers, security officers, regulatory and compliance officers, directors, financial officers, information officers, human resource officers and managers of corporations with cross-border operations. A full agenda is under development, but topics and speakers from last year’s event can be viewed here.

Click here to ensure you receive an invitation to our 2016 conference.

EU-US Data Protection: the Safe Harbor is dead, long live the Privacy Shield!

Posted in EU Data Protection, Legislation

The European Commission adopted on July 12, 2016 its long-awaited decision recognizing the U.S. Privacy Shield as providing adequate protection for personal data of EU citizens transferred to the United States. The Privacy Shield is a set of rules and commitments issued primarily by the U.S. Department of Commerce (DOC) and the State Department. This new framework will become operational on August 1, 2016.

It replaces the Safe Harbor, an earlier scheme that the European Commission had considered to provide adequate protection to personal data transferred to the United States and that many operators relied on to transfer data across the Atlantic. The Commission decision recognizing Safe Harbor as providing adequate protection was declared invalid on October 6, 2015 by the Court of Justice of the European Union (the Highest Court of the EU) in the Schrems case.

The Court of Justice annulled the Safe Harbor decision on the ground that Safe Harbor did not provide “a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union.” More specifically, the Court of Justice took issue with the fact that companies subscribing to the Safe Harbor and receiving personal data from the EU were bound to disregard the Safe Harbor principles any time they would conflict with U.S. national security, public interest, or law enforcement requirements, without any limitation. It also criticized the fact that there was no rule or procedure to limit interferences with the fundamental rights and freedoms of EU data subjects to what is strictly necessary for national security, public interest, or law enforcement, and no procedures to enable data subjects to exercise their right to know what data relating to them is being processed and to have that data corrected or erased.

The Privacy Shield was negotiated between the European Commission and the U.S. authorities in order to reintroduce a scheme facilitating the transfer of personal data from the EU to U.S., which businesses need, while at the same time addressing the concern of the Court of Justice, which was necessary in order for the new scheme to withstand legal challenge. Before being formally adopted by the Commission, the new scheme was submitted to the data protection authorities of EU’s member states, which approved it on July 8th.

The Privacy Shield introduces significant changes to the defunct Safe Harbor. It imposes new obligations on the companies in the US receiving and processing personal data, in particular by restricting the onward transfer of personal data to third parties and by explicitly requiring companies to delete data once the purpose for which it was obtained expires.

Effective enforcement of EU data protection principles is ensured through regular reviews by the DOC of how companies subscribing to the Privacy Shield actually comply with the rules, and by more effective supervision mechanisms. Data subjects will also have the opportunity to file complaints with their home data protection authority in the EU, which will then forward them to the DOC or the International Trade Commission in the US for proper resolution. If this fails, disputes will be resolved through a binding arbitration mechanism (the Privacy Shield Panel).

The Privacy Shield also sets out limits on the bulk processing of personal data by the US authorities for intelligence and law enforcement purposes. Complaints of EU data subjects will be handled by an Ombudsman in the State Department, independent from the US intelligence services.

For more information about the Privacy Shield, see the Commission’s press release here, or feel free to contact our data protection team.


CFPB Issues Proposed Revisions to GLBA Annual Privacy Notice Requirement

Posted in Financial Services Information Management, Privacy

Earlier this month, the Consumer Financial Protection Bureau (CFPB) issued its proposed rule amending the Gramm-Leach-Bliley Act’s annual privacy notice requirement set forth in Regulation P.

The rule is in response to Congress’ December 2015 amendment to the act, which eliminated the need for certain companies to provide annual privacy disclosures to consumers. Under the amendment, the annual notice requirement is eliminated for any financial institution that:

  1. Limits its sharing so that the customer does not have the right to opt out; and
  2. Has not changed its privacy notice since the one most recently delivered to the customer.

If adopted, the proposed rules would create a 60-day deadline for financial institutions to provide an annual notice if they have changed their policies and practices so as to lose the annual notice exception. The proposed changes would also remove the rule implemented in 2014 that permits alternative annual notice delivery methods, because any party that meets the criteria for alternative delivery will also meet the criteria set forth in the new rule that permits the institution to forgo providing the annual notice altogether.

The proposal does not affect the requirement that financial institutions provide an initial privacy notice to new customers, and it does not exempt the financial institution from providing any disclosures required by the Fair Credit Reporting Act in association with affiliate information sharing.

Comments may be submitted electronically or by mailing or delivery to the CFPB.

Just a Matter of Time: First-Ever Settlement of HIPAA Claims Against a Business Associate

Posted in Data Security, Health Information

On June 30, 2016, the Health and Human Services Office for Civil Rights (OCR) announced the first-ever settlement of Health Insurance Portability and Accountability Act (HIPAA) claims against a business associate. According to the settlement agreement, an OCR investigation found that Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), a nonprofit corporation that previously owned six nursing homes and continues to provide management services to the facilities, failed to conduct an accurate and thorough risk assessment or implement appropriate security measures to address risks and vulnerabilities as required by the HIPAA Security Rule. OCR also found that CHCS did not have appropriate Security Rule policies in place and no risk analysis or risk management plan.

OCR conducted the investigation after receiving notification that a CHCS-issued smart phone had been stolen from an employee. The smart phone contained protected health information (PHI) of more than 400 individuals but was not encrypted or password-protected. CHCS agreed to pay $650,000 and follow a two-year corrective action plan as part of the settlement.

Although direct enforcement against business associates was authorized in the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, and detailed in the Omnibus Final Rule in 2013, this settlement is the first action under these amended laws. Significantly, the CHCS settlement is the latest indication that business associate operations and relationships in general are a growing focus of OCR action. Earlier this year, two covered entities entered into settlements with OCR for failure to have business associate agreements in place, and in March 2016 OCR began its Phase 2 audits, which will include business associates. Although CHCS is the first business associate to enter into a settlement, it is almost certain that there will be more enforcement actions against business associates in the future.

To the degree that there is good news about the CHCS settlement, it is that the relatively low settlement amount imposed on CHCS confirms that OCR’s (current) goal is not to be punitive, but to achieve compliance with the HIPAA requirements. Indeed, in its public statement about the settlement, OCR stated that in determining the settlement amount, it considered CHCS’s provision of services to the elderly, developmentally disabled individuals, young adults aging out of foster care, and HIV/AIDS patients. There is no guarantee, however, that OCR will not administer harsher penalties in the future if business associates fail to comply with the Security Rule and other applicable HIPAA rules.

Both covered entities and business associates should ensure compliance with the HIPAA Security Rule by conducting thorough risk assessments and addressing risks and vulnerabilities that are identified. Comprehensive security policies should be implemented, including risk management, procedures in the event of a security incident, and policies regarding mobile devices. With respect to mobile devices like the stolen CHCS smart phone, the best practice is to avoid saving PHI on mobile devices, but at a minimum the device’s password function should be enabled and the device should be encrypted.

As always, the specific terms of the corrective action plan, which places an emphasis on policies, procedures and work force education, offer a glimpse into OCR’s priorities. Thus, covered entities and business associates should consider CHCS’s corrective action plan as a compliance checklist of sorts.

BREXIT: What Does It Mean for Data Protection and What Should You Be Doing Now?

Posted in EU Data Protection, Privacy

While we wait to see what the BREXIT result will mean for the UK’s data protection regime, it is important to recognize that the result will not change anything immediately. The exact nature of the post-BREXIT UK-EU relationship will influence any UK data protection reform, and it is highly likely that the UK will continue to be heavily influenced by EU laws. Indeed, the UK’s data protection authority (the ICO) has emphasized that “international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens.”

So what should you be doing now?

Prepare for the GDPR and changes to UK data protection laws

Data controllers established in the UK processing personal data in the context of that establishment are currently subject to the UK’s Data Protection Act (DPA). Once the EU’s General Data Protection Regulation (GDPR) comes into effect on May 25, 2018, the UK will still be a member of the EU and so the GDPR will automatically replace the DPA. UK companies will then need to comply with the new regime until BREXIT occurs. Following that, the GDPR will fall away, but we do not yet know what form any replacement legislation will take. If the UK wants to continue trading with other EU Member States, it will likely need to adopt legislation similar to the GDPR (see further below). With this in mind, businesses should continue with their GDPR compliance preparations.

In addition, the GDPR will not only apply to businesses established in the EU, but also to businesses outside the EU that process personal data of EU citizens, either by offering goods or services or by monitoring behavior. Therefore, following BREXIT, the GDPR will still apply to UK based businesses trading with the EU or targeting EU citizens. Such businesses should therefore continue their GDPR compliance efforts.

Consider where personal data is processed and transferred

EU data protection laws prohibit transfers of personal data to countries outside the European Economic Area (EEA), unless they have been recognized as providing “adequate protection” to personal data. Companies need to consider whether they receive data in the UK from global regions which are currently compliant based on the UK being within the EU or EEA. If the UK is not classified as “adequate” post BREXIT, UK companies receiving data from the EEA will need to re-think their data protection compliance strategy and put in place adequate safeguards, such as Model Clauses and Binding Corporate Rules.

In addition, the converse (transfers outside the UK) may also be an issue, and so companies should consider whether they send personal data from the UK and what compliance measures they may need to put in place. The new EU/U.S. Privacy Shield is due to be adopted early next week. Following BREXIT, the Privacy Shield will not cover transfers from the UK to the U.S. However, the ICO could approve the Privacy Shield as an adequate means of data transfer from the UK to the U.S., or it could establish a similar framework (e.g. the U.S.-Swiss Safe Harbor framework).

Determine where the organization’s main EU establishment will be

Some GDPR provisions are dependent on the “main establishment” of a business being in the EU. Once the UK leaves the EU, a company with UK based headquarters will no longer count as the main establishment under the GDPR following BREXIT. This will affect a company’s lead data protection supervisory authority under GDPR for the purpose of enforcement and other reasons such as approval of Binding Corporate Rules.

It is hard to predict at the moment precisely the timing and scope of legal changes to the UK’s data protection regime resulting from BREXIT. We will continue to monitor developments closely and keep you fully informed as the post-BREXIT process unfolds.


A Storm Brews: Retailers Push Back Against Payment Card Industry Data Security Standards

Posted in Data breach, Financial Services Information Management, FTC enforcement, Retail

As businesses and financial institutions grapple with data security in the wake of high profile breaches, tensions between retailers and the credit card industry over the creation and implementation of security standards appear to be growing. The disagreements between these two groups manifested themselves on June 2, when the National Retail Federation (“NRF”), the world’s largest retail trade association, announced that it had sent a nineteen-page white paper to the Federal Trade Commission (“FTC”) encouraging it to investigate the Payment Card Industry Security Standards Council (“PCI”) for potential antitrust violations. PCI, an organization formed by major credit card companies in 2006, promulgates Data Security Standards (“DSS”) for merchants and service providers to follow for credit and debit card transactions. The NRF’s white paper attacks both the PCI DSS and the PCI and its standards more generally, arguing that PCI is acting collusively and that the PCI DSS should not be adopted as a government standard. The white paper comes after the FTC announced in March that it had issued orders to nine major companies requiring them to detail their compliance with the PCI DSS.

In its white paper, the NRF urged the FTC not to rely on the PCI DSS “for any purpose,” and “particularly not as an example of industry best practices.” The NRF argued that PCI was formed and is controlled by a single industry sector, major credit card companies, without input from retailers or other stakeholders, and that its motivations “conflict with the interests of businesses and consumers who use the payment card system.” NRF claimed that PCI’s actions in promulgating DSS that require retailers to invest in particular software and hardware (such as chip-and-PIN payment systems) amount to anticompetitive conduct potentially in violation of antitrust law. The white paper argued that the PCI DSS, by requiring the adoption of specific proprietary technology, serves to “shift costs associated with data security—and notably, data breaches—onto merchants” while simultaneously benefiting payment card industry stakeholders. NRF also argued that the PCI DSS are not in fact more secure than cheaper alternatives (such as PIN-entry systems that do not require chip readers), and that PCI’s promotion of its standards constitutes a “scheme” designed to benefit PCI members at the expense of retailers. In response to the NRF’s announcement, PCI issued a statement declaring that it “strongly disagreed with the unfounded assertions” in the NRF’s letter.

The NRF’s public announcement reflects the storm brewing between retailers and credit card companies over who should develop enhanced security standards and what those standards will be, as well as who will bear the cost of implementing them. The FTC’s potential adoption of the PCI DSS as a standard for determining the strength of companies’ data security practices would represent a significant step in establishing these standards as requirements, rather than non-binding suggestions, for all U.S. retailers. NRF’s strident statement that PCI is engaging in anticompetitive activity and acting contrary to the interests of retailers and consumers demonstrates that retailers do not intend to allow this development to occur without a fight.

McGuireWoods LLP is a member of the NRF but had no involvement in the NRF’s announcement and letter to the FTC, and takes no position on the statements made by either the NRF or PCI. McGuireWoods LLP represents a range of financial services institutions as well as retailers.

8th Circuit: Financial Institution Bond Provides Coverage for Fraudulent Wire Transfers

Posted in Cyber Insurance, Cybersecurity, Data breach

With policyholders facing increased losses from hacking and business email compromise, insurers are fighting hard to escape their obligations under financial institution bonds, crime policies and cyber insurance policies. In a case that bolsters policyholders seeking coverage for digital fraud, the U.S. Court of Appeals for the Eighth Circuit held that a bank’s financial institution bond provided coverage for losses arising from the fraudulent transfer of $485,000 by computer hackers to a foreign bank, even though the bank’s employees were negligent in securing the bank’s computer network.

In its May 20 decision, issued in State Bank of Bellingham v. BancInsure, Inc., No. 14-3432, — F.3d —, 2016 WL 2943161 (8th Cir. May 20, 2016), the Eighth Circuit affirmed the District Court’s conclusion that the efficient and proximate cause of the loss was the criminal activity of the third-party hackers.

The Underlying Breach and Loss

In October 2011, an employee of the State Bank of Bellingham (the “Bank”) completed a wire transfer, which required several security steps, including the entry of the names and passwords of two Bank employees and the insertion of two physical tokens. At the end of the work day, the employee left the two tokens in the computer and left the computer running. Prior to the wire transfer, a Zeus Trojan horse virus had infected the Bank’s computer system. This virus then allowed a computer hacker to access the Bank’s network and transfer funds to accounts in Poland (the “Loss”).

The Bank held a financial institution bond issued by BancInsure providing coverage for losses such as those arising from dishonesty and computer systems fraud. The Bank submitted a claim and proof of loss to BancInsure seeking coverage for the Loss. BancInsure denied coverage, relying on exclusions for (a) employee-caused losses, (b) theft of confidential information, and (c) mechanical breakdown or deterioration of a computer system.

The Litigation and the District Court Decision

The Bank filed suit seeking damages for the insurer’s breach of contract. The U.S. District Court for the District of Minnesota granted the Bank’s motion for summary judgment, holding that the “computer systems fraud was the efficient and proximate cause of [Bank’s] loss,” and “neither the employees’ violations of policies and practices … the taking of confidential passwords, nor the failure to update the computer’s antivirus software was the efficient and proximate cause of [Bank’s] loss.”

The Eighth Circuit Decision


Home Depot Alleges Visa, MasterCard Colluded To Delay Chip-and-PIN Implementation; Exposed Retailers, Consumers to Data Breach Risks

Posted in Data Protection and Competition, Financial Services Information Management

A recent bombshell lawsuit by The Home Depot alleges patterns of antitrust violations, illegal collusion, and anti-competitive conduct by the Visa and MasterCard credit card networks. The suit arises in a climate in which the networks are increasingly under attack by retailers, and in which The Home Depot is embroiled in extensive litigation stemming from a massive 2014 breach of customer data. Finally, for consumers concerned with payment card security, the suit highlights potential weaknesses in some U.S. payment card technologies, particularly when compared to systems widely used overseas.

The Home Depot’s Lawsuit and Allegations

On Monday June 13, 2016, The Home Depot filed a 138-page complaint against Visa and MasterCard alleging that the credit card behemoths engaged in collusion and price fixing to delay implementation of effective chip-and-PIN security technology in payment cards in the United States. As alleged in the Complaint, the use of Personal Identification Number (“PIN”) verification along with “EMV” chips (“chip-and-PIN”) has been used widely in Europe since the mid-1990s “to make credit and debit card transactions safer and less prone to fraud.”
