Password Protected

Data Privacy & Security News and Trends

Behavioral Advertising: What Companies Need to Know About Evolving Advertising Technologies

Posted in Consumer Privacy/FTC, Privacy, Profiling, Social Media

Rapidly changing and complex technology, the rise of “Big Data” and an increasing focus on digital advertising have made advertising legal compliance an increasingly complex area for companies. In-house attorneys and their outside counsel must wrestle with understanding the legal implications of new digital marketing and advertising technologies. The increasing use of newer technologies in this space requires that a company manage the privacy implications as well as the cybersecurity implications that come along with them.

Companies have participated in behavioral advertising for years by collecting data about consumers and targeting ads to these consumers based on data analysis about an individual’s preferences. However, the technology behind behavioral advertising has evolved, and companies have now started to use the data collected to build very detailed profiles about individuals, to track individuals across devices and to combine these detailed profiles about individuals with data obtained from other sources. Some of these new “hot” behavioral advertising technologies include programmatic advertising and data onboarding. Programmatic advertising is the serving of hyper-targeted ads on a real-time basis that draw on vast amounts of data such as cookies and other tracking technologies to create consumer profiles and serve more targeted ads to consumers. Data onboarding, on the other hand, involves companies providing a third-party “onboarding” provider with de-identified data originally derived from a consumer’s personally identifiable information (PII). The onboarding vendor then hashes the information and the hashed values are used to link to other data (provided by third parties and other offline data) to send a consumer much more targeted advertising than conventional behavioral targeting. Companies have also started to combine these technologies with cross-device tracking, which is where data collected about an individual is used to track that person across different devices. New technologies mean that it is necessary for companies to re-examine their privacy practices.
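The onboarding match described above, as an added worked example (not code from the original post or from any onboarding vendor): it assumes the vendor keys on a SHA-256 hash of a lower-cased e-mail address and that the offline partner data is keyed the same way; every record and attribute below is constructed. The last function shows the caveat a privacy review should weigh: a deterministic hash of a known address can be recomputed, so the hashed export is pseudonymous rather than anonymous.

```python
"""Data onboarding by hashed identifier: constructed illustration."""
import hashlib
from typing import Dict, List, Optional


def normalize_email(email: str) -> str:
    """Canonicalize so both parties hash byte-identical inputs."""
    return email.strip().lower()


def hash_identifier(value: str) -> str:
    """Deterministic SHA-256 of the normalized value, hex encoded (assumed scheme)."""
    return hashlib.sha256(normalize_email(value).encode("utf-8")).hexdigest()


# Constructed: the company's export after "de-identification"; only the
# hash of the e-mail is meant to leave the company together with a segment.
COMPANY_RECORDS: List[Dict[str, str]] = [
    {"email": "Alice@Example.com", "segment": "cart-abandoner"},
    {"email": "bob@example.com", "segment": "loyalty-member"},
    {"email": "carol@example.com", "segment": "new-visitor"},
]

# Constructed: third-party / offline data already keyed by the same hash.
OFFLINE_DATA: Dict[str, Dict[str, str]] = {
    hash_identifier("alice@example.com"): {"household_income": "high", "region": "NE"},
    hash_identifier("bob@example.com"): {"household_income": "mid", "region": "SW"},
    hash_identifier("dave@example.com"): {"household_income": "low", "region": "MW"},
}


def onboard(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return what the onboarding vendor hands back: the hashed key, the
    company's own segment, and any offline attributes linked on that hash.
    Records with no offline match keep only their own fields."""
    out = []
    for rec in records:
        key = hash_identifier(rec["email"])
        merged = {"key": key, "segment": rec["segment"]}
        merged.update(OFFLINE_DATA.get(key, {}))
        out.append(merged)
    return out


def reidentify(hashed_key: str, candidate_emails: List[str]) -> Optional[str]:
    """Caveat for the privacy review: whoever holds a list of addresses can
    test which one produced a given key, because the hash has no secret."""
    for email in candidate_emails:
        if hash_identifier(email) == hashed_key:
            return normalize_email(email)
    return None


if __name__ == "__main__":
    for row in onboard(COMPANY_RECORDS):
        print(row)
```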

Although complying with self-regulatory guidelines like the Network Advertising Initiative (NAI) Code of Conduct, the Digital Advertising Alliance’s (DAA) Self-Regulatory Principles for Online Behavioral Advertising and the FTC’s 2009 Staff Report “Self-Regulatory Principles for Online Behavioral Advertising” may provide a starting point for compliance, these guidelines may still not go far enough to avoid legal trouble when utilizing some of these newer advertising technologies. A company should delve deeper into understanding its own use of marketing and advertising technologies and the technologies of its third-party vendors to avoid lawsuits, bad press, and catching the FTC’s attention. The FTC has set its sights on behavioral advertising and cross-device tracking in the last few years, so it is increasingly likely that these issues will continue to be on the FTC’s radar. Continue Reading

Balancing Convenience and Risk: OCR Issues Statement on Use of Mobile Devices

Posted in Cybersecurity, Data Security, Health Information

The U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) recently issued guidance emphasizing the increased risks of using mobile devices in the workplace when the mobile devices contain or have access to sensitive data. Particularly, OCR warns of the risks of the use of mobile devices by healthcare organizations when the mobile devices are used to create, receive, maintain or transmit electronic protected health information (“ePHI”) that is protected by the Health Insurance Portability and Accountability Act (“HIPAA”).

Under the HIPAA Security Rule, covered entities and their business associates are required to conduct a risk analysis of the organization’s security risks and vulnerabilities and address identified vulnerabilities. OCR highlights that compliance with the Security Rule requires organizations to include mobile devices in the risk analysis and to address the inherent risks “to a reasonable and appropriate level.” A significant portion of reported settlements of alleged HIPAA claims have involved lost or stolen mobile devices that were not addressed in a risk assessment or not appropriately secured. In some cases, settlements for alleged non-compliance involving mobile devices have exceeded $2 million.

In addition to their inherent risk of being lost or stolen, OCR notes the following risks of using mobile devices to store or transmit ePHI: Continue Reading

First Annual Review and the Privacy Shield is Still Standing: What’s Next?

Posted in E-commerce, EU Data Protection, Other, Privacy

On October 18, 2017, the European Commission issued its report on the first annual review of the EU-U.S. Privacy Shield, which is aimed at allowing personal data transfers from the EU to the U.S. through a data protection framework providing an adequate level of protection in the U.S. Over 2,400 companies have now been certified under the Privacy Shield framework by the U.S. Department of Commerce.

From the European Commission’s perspective, the Privacy Shield continues to ensure an adequate level of protection, including new redress possibilities for individuals, enforcement procedures, and cooperation with the European data protection authorities. However, as “[t]he Privacy Shield is not a document lying in a drawer” but “a living arrangement that both the EU and U.S. must actively monitor”, the Commission made some recommendations to improve the current framework:

  • “More proactive and regular monitoring of companies’ compliance with their Privacy Shield obligations by the U.S. Department of Commerce.
  • More awareness-raising for EU individuals about how to exercise their rights under the Privacy Shield, notably on how to lodge complaints.
  • Closer cooperation between privacy enforcers i.e. the U.S. Department of Commerce, the Federal Trade Commission, and the EU Data Protection Authorities (DPAs), notably to develop guidance for companies and enforcers.
  • Enshrining the protection for non-Americans offered by Presidential Policy Directive 28 (PPD-28), as part of the ongoing debate in the U.S. on the reauthorization and reform of Section 702 of the Foreign Intelligence Surveillance Act (FISA).
  • To appoint as soon as possible a permanent Privacy Shield Ombudsperson, as well as ensuring the empty posts are filled on the Privacy and Civil Liberties Oversight Board (PCLOB).”

Is this review a sufficient guarantee for U.S. businesses to continue to rely on their Privacy Shield certification with absolute trust? That remains to be seen. The Commission negotiated the Privacy Shield agreement to reconcile the data exchange economy with the standard that must be reached in order to comply with the requirements imposed by the EU Court of Justice (CJEU), so it was expected to advocate for the ongoing validity of the compromise. However, a number of authorities and data protection advocates are of the opposite opinion.

The European Data Protection Supervisor, one of the strongest official voices on data protection in the EU, already had some concerns about its validity (Opinion n° 4/2016 of May 30, 2016). So did the Article 29 Working Party, which gathers all national data protection authorities at the EU level (Opinion n° 1/2016 of April 13, 2016). These two authorities will soon issue their own reports on this first annual review. Furthermore, these reports could have some impact on the outcome of the two actions currently pending before the CJEU, which aim at invalidating the Privacy Shield’s adequacy decision on the following grounds:

  • The possibility for U.S. agencies to legally access, on a generalized basis, the content of electronic communications;
  • The absence of complete transposition of the right to access, rectify, oppose and erase, that the EU regulations grant to data subjects; and
  • The absence of a fully independent U.S. data protection authority, with complete effective and binding redress power.

U.S. entities certified with the Privacy Shield should closely monitor the development of those cases since, in the end, the CJEU will have the final say. It would also be prudent for them to take advantage of the opportunity to implement additional safeguards by using other data transfer mechanisms, such as Binding Corporate Rules, Certification (when available), adherence to approved Codes of Conduct or Standard Contractual Clauses.

For more information on the future of the Privacy Shield, please refer to the following Password Protected blog posts:

  • The Validity of EU-U.S. Personal Data Export Tools: A Pending Issue
  • Is the Privacy Shield Viable? Article 29 Working Party Proposes to Wait for Its Final Verdict
  • Criticisms over the Draft Adequacy Decision by the European Data Protection Supervisor: Final Lap for the Privacy Shield?
  • WP 29 Expresses Concerns About EU-U.S. Privacy Shield
  • EU-U.S. Privacy Shield: Better or Worse?

DoD Cyber Compliance Deadline Fast Approaching – Here’s What Government Contractors Need to Know

Posted in Cybersecurity, Regulation

U.S. Department of Defense (DoD) contractors face new cybersecurity compliance requirements, including a significant deadline set for December 31, 2017.

Most DoD contracts now include clauses imposing obligations on contractors’ protection of government information and reporting of cyber incidents. These obligations include a requirement for contractors to comply with the cybersecurity standards set forth in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.

Contractors must comply with the NIST standards no later than the end of calendar year 2017. Submission of a proposal to DoD now serves as a specific representation that the offeror meets these compliance requirements. Failure to meet the NIST standards potentially opens the door to more stringent government enforcement actions and liability under the False Claims Act. Continue Reading

The Politics of Access to Student Data

Posted in Legislation, Privacy

Combine several hotly contested elections for state office, traditional voter registration and mobilization tactics, a progressive special interest group and the use of an existing law to gain access to tens of thousands of individual student phone numbers and email addresses and you get a mini-firestorm of debate over personal privacy rights.

As reported recently in The Roanoke Times, a progressive special interest group requested student contact information from all of Virginia’s publicly supported colleges and universities. According to The Roanoke Times, 18 public institutions of higher education produced the requested information. That information was then used by various political campaigns to contact students about registering to vote. Presumably, campaigns in possession of the information will use it to further their voter identification and political advocacy efforts.

Two Virginia legislators recently announced they will introduce legislation to make it harder for third parties to obtain such information in the future.

Unless a student affirmatively “opts out,” the Family Educational Rights and Privacy Act of 1974 does not prohibit universities and colleges from releasing student directory information, provided proper notice was given to the student. Interestingly, current Virginia law prohibits public institutions of higher education from selling a student’s personal information. See Va. Code Ann. § 23.1-405(C). The statute delineates personal information as name, address, phone number and email address. Id. While Virginia law prohibits the selling of such information, it does not explicitly prohibit releasing the information through Virginia’s Freedom of Information Act. While some may argue the information is a “scholastic record” under the Virginia Freedom of Information Act, which would have allowed the schools to withhold the information, 18 public colleges and universities took a different view. Continue Reading

The New CFPB Consumer Protection Principles

Posted in Consumer Privacy/FTC, Cybersecurity, Financial Services Information Management, Notification, Privacy

On October 18, 2017, the Consumer Financial Protection Bureau (CFPB) issued a set of Consumer Protection Principles regarding the sharing and aggregation of consumers’ financial data. The timing of the announcement in light of last month’s disclosure of the Equifax breach of approximately 140 million consumers’ financial data seems noteworthy, as all companies whose businesses rely on the consumer-authorized financial data market are scrambling to regain consumer trust.

Noting the “growing market” for consumer-authorized financial data aggregation services, the CFPB has promulgated nine principles which, in the words of CFPB Director Richard Cordray “express [the Bureau’s] vision for realizing an innovative market that gives consumers protection and value.” (See CFPB press release).

Many of the principles themselves will be familiar to anyone who has paid attention to consumer privacy discourse over the last 30+ years. They are in many ways a restatement of the OECD Guidelines, published in 1980 by the Organisation for Economic Co-operation and Development, but with a few useful additions. The “new” CFPB principles include time-tested privacy principles of:

  1. informed consent & control over data sharing;
  2. notice and transparency regarding the third parties’ access to and use of consumer data;
  3. data quality & accuracy and the right of consumers to dispute inaccuracies;
  4. an expectation of security and safeguards to protect consumer data;
  5. a right of access by consumers to their own data; and
  6. accountability to the consumer for complying with the foregoing principles.

In addition, however, the CFPB principles contain some fairly specific guidance that is particularly useful in the context of financial data and may have a significant impact on the way financial data is gathered, marketed and retained. For example, the CFPB Principles contain a specific principle (#4) regarding payment authorization:

  • Authorizing Payments. Authorized data access, in and of itself, is not payment authorization. Product or service providers that access information and initiate payments obtain separate and distinct consumer authorizations for these separate activities. Providers that access information and initiate payments may reasonably require consumers to supply both forms of authorization to obtain services.

The above principle is one of several that illustrate the CFPB’s disapproval of broad, open-ended consents from consumers, favoring instead tailored, purpose-specific access. Principle #2 (Data Scope and Usability) is another example of this theme. It reads in part, “Third parties with authorized access only access the data necessary to provide the product(s) or service(s) selected by the consumer and only maintain such data as long as necessary.”

It remains to be seen how these principles might be applied to data collectors like credit bureaus, which in many cases hold consumer data for a consumer’s lifetime. The CFPB’s press release emphasized that the principles are not intended to supersede or interpret any existing consumer protection statutes or regulations and that they are not binding. Still, they do provide a window into the CFPB’s mindset and the likely trend for future regulation.

Allocation of Data Breach Risks and Costs in Vendor Contracts: Negotiate, Negotiate, Negotiate (And Negotiate Again!) Limitations on Liability and Indemnification

Posted in Data breach, Information Management, Notification

“A significant data breach is likely to cost the company materially, and costs could drag on for a number of years,” analyst Shlomo Rosenbaum, commenting on the Equifax breach.

Organizations increasingly rely on third-party service providers for data collection, processing, transfer and storage. As a result of this dependence on external data management sources, most companies are rethinking data breach risk and cost allocations in new and existing vendor agreements.

Limitation of liability and indemnification clauses form the framework for reducing unforeseeable, and potentially devastating, data breach costs. To defend against unpredictable damages, these clauses are fast becoming the most fiercely negotiated language in service provider agreements. Both liability and indemnity have taken on new importance as organizations become acutely aware that the customer, not the vendor, most likely has the ultimate responsibility for data breached while in the hands of a vendor. The harsh reality that a majority of state statutes allocate the risk and costs of unauthorized disclosure to the data owner, not the vendor, is a red flag in contract negotiations. Customers now realize that they are probably legally required to investigate a breach, provide required notifications and cover any and all costs related to a breach, even when the vendor is the sole culpable party. Under most state statutes, a service provider’s obligations, and liability for costs, end with notification to the customer. Simply put, if the organization’s sensitive data is breached while under the control of a vendor, the vendor’s only obligation is to notify the organization. It is then the customer’s obligation to handle the fallout, unless the customer’s contract with the vendor provides otherwise. Continue Reading

Delaware Strengthens Cybersecurity Law

Posted in Data breach

On August 17, 2017, Delaware became the latest state to strengthen its cybersecurity laws. Under the newly enacted House Substitute 1 for House Bill 180, businesses that suffer cybersecurity breaches will face far more stringent notification requirements.

According to Representative Baumbach, D-Newark, who sponsored the bill, the legislation “is a meaningful step forward in addressing [cybersecurity] breaches so that we guarantee better protections for our residents and help them rebuild their lives after a cyber-attack.”

Under existing Delaware law, businesses that experience a cybersecurity breach are required only to notify the affected Delawareans “without unreasonable delay.” Effective April 14, 2018, companies will need to provide notice within 60 days, except in limited circumstances. If the breach affects over 500 residents, the statute also requires the company to notify the Delaware Attorney General within the same time frame.

The law further expands the types of incidents that could give rise to consumer notification requirements by expanding the definition of “personal information.” Continue Reading

Kaspersky: Back in the News and What to Do About the Order to Stop Using Kaspersky Products and Services

Posted in Cybersecurity, Data Security

Kaspersky Lab is once again in the news as questions are being raised about the role of Kaspersky software in a reported hack of the National Security Agency. The story repeats the all-too-frequent scenario of an employee—in this case a government contractor—transferring files from work to his home computer and that action leading to the disclosure of sensitive information. In this case the data is said to have included “highly classified U.S. cyber secrets” and Russian hackers are alleged to have accessed the employee’s home computer through Kaspersky software. Kaspersky software, including popular antivirus tools, is developed by a company with alleged ties to the Russian government.

Last month the U.S. Department of Homeland Security (DHS) announced plans for the federal government to terminate “the use or presence of information security products, solutions, and services supplied directly or indirectly by AO Kaspersky Lab or related entities.” The federal government’s decision on Kaspersky reflects long-standing concerns about the company’s ties to the Russian Government and, in particular, to the Russian intelligence and security agency known as the Federal Service Bureau. U.S. media reports have highlighted worries that Kaspersky software and tools might be able to collect or otherwise be utilized to create opportunities for Russian cyber operations. Last week’s report about the hacking of the National Security Agency adds fuel to that fire, and it builds on tensions that have been exacerbated by Kaspersky’s efforts to publicly attribute certain cyber activities to the U.S. Government (which, it should be pointed out, Kaspersky has done in relation to other States as well).

The U.S. Government’s decision to remove Kaspersky software from government systems occurs against the backdrop of a heightened focus on cybersecurity across the federal government, including an Executive Order, additional Defense Department information security standards, and other new compliance requirements to be included in most federal contracts. DHS required a plan to be developed by all federal agencies to remove the software within 90 days. What might this decision mean for government contractors currently using the software and/or tasked with removing the software from government systems?

Continue Reading

FTC Monitors Claims of Privacy Shield Compliance

Posted in Consumer Privacy/FTC, EU Data Protection

On September 15, 2017, the Trump White House released a Press Release regarding the EU-U.S. Privacy Shield—reiterating that they “firmly believe that the upcoming review [of the EU-U.S. Privacy Shield] will demonstrate the strength of the American promise to protect the personal data of citizens on both sides of the Atlantic.”

The first alliance of its kind, the EU-U.S. Privacy Shield provides a framework for the exchange of consumer personal data between the United States and countries in the European Union. Established in 2016, one of its purposes was to enable U.S. companies to more efficiently receive data from countries in the EU while staying compliant with privacy laws that protect EU citizens. The agreement also allows companies to store EU citizens’ personal data on U.S. servers.

The “upcoming review” referenced in the White House Press Release refers to the first annual review of the Privacy Shield since its adoption, with both EU and U.S. officials stating their support for the alliance in a joint statement released September 21, 2017. According to this statement, over 2,400 organizations have joined the Privacy Shield since the program’s inception a year ago. The U.S. and EU both declared a “share[d] . . . interest in the Framework’s success and remain committed to continued collaboration to ensure it functions as intended.”

But what good is an agreement without any bite for potential violators? The Federal Trade Commission (FTC) recently signaled that it fully intended to keep companies accountable for potential violations of the EU-U.S. Privacy Shield.

According to an FTC Press Release dated September 8, 2017, three U.S. companies agreed to settle FTC charges that they “misled consumers about their participation” in the EU-U.S. Privacy Shield. The FTC alleged that these companies violated the FTC Act by “falsely claiming that they were certified to participate in the EU-U.S. Privacy Shield” when they had all “failed to complete the certification process for the Privacy Shield.” Acting FTC Chairman Maureen K. Ohlhausen warned companies that these “actions highlight the FTC’s commitment to aggressively enforce the Privacy Shield frameworks, which are important tools in enabling transatlantic commerce.” Notably, these enforcement actions are the first cases the FTC has brought to enforce the Privacy Shield.

Moving forward, companies should carefully assess whether they have completed the steps and certification necessary to make certain representations about participation in the EU-U.S. Privacy Shield—as both the FTC and the current White House administration fully intend on continuing to “demonstrate the strength of the American promise” to pull their weight in the alliance.