
Password Protected

Data Privacy & Security News and Trends

Federal Agencies Respond to Concerns About Student Privacy

Posted in Privacy, Regulation

The Federal Trade Commission (FTC) and U.S. Department of Education (ED) are increasingly responding to concerns about educational technology and its ability to capture and manipulate massive quantities of private student and parent data. "EdTech," as it is called, broadly refers to online curriculum and instructional materials accessed through school and personal devices. EdTech can use student performance data to improve vendors' learning programs and enhance educational outcomes. But it can also put that data to commercial uses that would otherwise be forbidden under privacy laws.

In a workshop held on December 1, 2017, the FTC and ED examined issues surrounding student privacy and EdTech. In particular, they looked at the intersection of the Children's Online Privacy Protection Act (COPPA), overseen by the FTC, and the Family Educational Rights and Privacy Act (FERPA), regulated by ED. The workshop took up critical questions such as whether EdTech providers sufficiently understand FERPA and COPPA requirements, whether it is appropriate for school officials to provide consent under COPPA on an in loco parentis basis, what limits apply to personal information collected by EdTech vendors, and how schools can maintain "direct control" over EdTech providers when they rely on the School Official exception to FERPA's consent requirements.

FERPA and COPPA have not been amended or updated in several years, a period during which the use of EdTech has exploded. Parents and privacy advocates increasingly say the statutes are antiquated and inadequate to the task at hand. In response, many states have passed their own student privacy legislation, and the EdTech industry has attempted to self-regulate through voluntary commitments such as the Student Privacy Pledge. But a robust and balanced federal regulatory scheme is the best approach for industry, schools, and students, providing a uniform system across the country and strong assurance that student data privacy and protection will be a reality.

The WP29 Issues an Ultimatum to Improve the Privacy Shield

Posted in EU Data Protection, Regulation

The EU and U.S. competent authorities have one year to implement the recommendations that the Article 29 Working Party (WP29, the body gathering all EU national data protection authorities) made in its opinion of November 28, 2017 to raise the level of personal data protection provided by the Privacy Shield framework. As announced in that opinion, failure to do so will result in these authorities challenging the validity of the Privacy Shield adequacy decision before the courts. Invalidation could leave certified U.S. companies (some 2,400, including web giants and major cloud providers) without their certification, forcing them to freeze data flows and to implement other legal mechanisms allowing them to import personal data from the EU.

It should be noted that the EU and U.S. authorities negotiated the Privacy Shield from a perspective more in line with Directive 95/46 (the main applicable data protection instrument at the time of negotiation) than with the General Data Protection Regulation (GDPR). The GDPR will repeal that Directive and raise the level of protection of personal data from May 25, 2018, and the WP29 intends to prepare businesses for it.

In its report, the WP29 focuses on guarantees of enforcement and effectiveness.

A First Step from South Korea Towards an Adequacy Finding with EU Commission

Posted in Other

In early 2017, the EU Commission published a communication, "Exchanging and Protecting Personal Data in a Globalized World," in which it prioritizes discussions on possible adequacy decisions with key trading partners, starting with Japan and South Korea in 2017. A first step appears to have been taken: South Korea has agreed to join, as an observer in the first instance, the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108). South Korea has not ruled out later acceding to Convention 108 as a party.

In November 2017, the Commissioner for Justice, Consumers and Gender Equality, the Chairman of the Korea Communications Commission and the Vice-President of the Korea Internet & Security Agency met in Brussels to discuss ways of further strengthening cooperation between the EU and South Korea on data protection, including data flows.

Both sides expressed the need to ensure a high level of privacy and data security, and each said it is ready to enhance cooperation in promoting strong data protection standards, given that personal data protection is a central factor in consumer trust in the data economy.

EU and South Korean privacy legislation has recently been reformed, increasing the convergence between the two data protection regimes. New opportunities now exist to further facilitate data flows, including through an adequacy decision by the EU Commission.

The EU Commission and South Korea have reaffirmed their commitment to intensify their efforts towards achieving their common objective in 2018.

SEC to Begin Regulating Initial Coin Offerings More Heavily

Posted in Regulation, Securities and Exchange Commission

On November 16, 2017, U.S. Securities and Exchange Commission (SEC) Chairman Jay Clayton announced at a symposium on cybersecurity and financial crimes that the SEC would begin taking enforcement action against coin offering issuers who fail to register with the SEC.

As cryptocurrencies such as Bitcoin have become increasingly popular, startup companies have turned to a method known as an initial coin offering ("ICO") to raise capital. Law360 explains, "ICOs are used by the creators of blockchain-based structures to raise funds, usually for projects. . . . Instead of stock, investors receive tokens that can either be traded in the secondary market or used within the blockchain project." The method closely resembles an initial public offering, but the key difference is that ICOs have largely been able to avoid federal securities regulation. These offerings have flown under the radar, at least until now, because the technology is still in its early stages.

This unregulated method of raising capital creates the potential for significant fraud and abuse. The SEC therefore intends to regulate the practice, and to that end formed a Cyber Unit earlier this year. According to the SEC, the Cyber Unit will focus on cyber-related misconduct such as:

  • Market manipulation schemes involving false information spread through electronic and social media;
  • Hacking to obtain material nonpublic information;
  • Violations involving distributed ledger technology and initial coin offerings;
  • Misconduct perpetrated using the dark web;
  • Intrusions into retail brokerage accounts; and
  • Cyber-related threats to trading platforms and other critical market infrastructure.

The creation of a Cyber Unit within the SEC is a clear indicator that the SEC will regulate cryptocurrency more heavily. As Chairman Clayton noted, “I think that now we have given the market a sufficient warning where we can move from level-setting the field to enforcing it.”

ICOs are not only in the crosshairs of American regulators; European regulators have also raised significant concerns about the practice. In November 2017, the European Securities and Markets Authority (ESMA) issued a statement warning firms involved in ICOs that they need to "comply with relevant legislation" and that "[a]ny failure to comply with the applicable rules will constitute a breach."

Given the increasingly demanding regulatory environment surrounding initial coin offerings and cryptocurrency, startups and other companies using ICOs would be well advised to seek legal counsel to ensure compliance with all applicable federal securities laws and SEC regulations.

Behavioral Advertising: What Companies Need to Know About Evolving Advertising Technologies

Posted in Consumer Privacy/FTC, Privacy, Profiling, Social Media

Rapidly changing and complex technology, the rise of "Big Data" and an increasing focus on digital advertising have made advertising legal compliance an increasingly complex area for companies. In-house attorneys and their outside counsel must wrestle with the legal implications of new digital marketing and advertising technologies. The growing use of newer technologies in this space requires that a company manage the privacy implications as well as the cybersecurity implications that come with them.

Companies have engaged in behavioral advertising for years by collecting data about consumers and targeting ads to them based on analysis of an individual's preferences. The technology behind behavioral advertising has evolved, however, and companies now use the data collected to build very detailed profiles of individuals, to track individuals across devices, and to combine these profiles with data obtained from other sources. Two of the newer "hot" behavioral advertising technologies are programmatic advertising and data onboarding.

Programmatic advertising is the real-time serving of hyper-targeted ads, drawing on vast amounts of data from cookies and other tracking technologies to build consumer profiles. Data onboarding, by contrast, involves a company providing a third-party "onboarding" vendor with data derived from a consumer's personally identifiable information (PII), such as email addresses, after it has been nominally de-identified. The onboarding vendor hashes the identifiers and uses the hashed values as match keys to link the company's records to other data (provided by third parties and other offline sources), enabling far more targeted advertising than conventional behavioral targeting. One caveat practitioners should keep in mind: a hash of an email address is a deterministic match key, not anonymization, since anyone who knows the hashing scheme and holds a list of candidate addresses can recompute the hashes and re-identify matched records. Companies have also begun combining these technologies with cross-device tracking, in which data collected about an individual is used to follow that person across different devices. New technologies mean that companies must re-examine their privacy practices.
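The following is an added example, not code from the original post or from any onboarding vendor, showing the mechanics of the hashed-identifier match described above and why it does not amount to de-identification. The two datasets, the candidate list, the secret key and the choice of SHA-256 over a normalized email address are all constructed assumptions for illustration; real vendors' schemes vary.

```python
"""Data onboarding with hashed email match keys (added illustration, not vendor code).

Assumptions (constructed for this example): identifiers are email addresses,
normalized by trim + lower-case, hashed with SHA-256; the keyed variant uses
HMAC-SHA256 with a secret shared only by the parties performing the join.
"""
import hashlib
import hmac

# Constructed advertiser CRM: email -> on-site behaviour (not real people).
ADVERTISER_CRM = {
    "Alice@Example.com": "viewed-running-shoes",
    "bob@example.com": "abandoned-cart",
    "carol@example.net": "newsletter-subscriber",
}
# Constructed third-party/offline dataset the onboarding vendor links against.
PARTNER_DATA = {
    "alice@example.com": "homeowner",
    " carol@example.net": "frequent-traveler",
    "dave@example.org": "new-parent",
}
# Constructed candidate list an outsider might hold (e.g. a leaked mailing list).
ATTACKER_CANDIDATES = ["alice@example.com", "dave@example.org", "erin@example.com"]
# Constructed secret for the keyed variant (assumption: not every real pipeline keys its hashes).
ONBOARDING_KEY = b"example-onboarding-key-do-not-reuse"


def normalize_email(addr: str) -> str:
    """Typical onboarding normalization so the same address always hashes identically."""
    return addr.strip().lower()


def plain_hash(addr: str) -> str:
    """Unkeyed SHA-256 of the normalized address: the scheme this example assumes."""
    return hashlib.sha256(normalize_email(addr).encode("utf-8")).hexdigest()


def keyed_hash(addr: str, key: bytes = ONBOARDING_KEY) -> str:
    """HMAC-SHA256: identical matching for key holders, no offline guessing for anyone else."""
    return hmac.new(key, normalize_email(addr).encode("utf-8"), "sha256").hexdigest()


def onboard(dataset: dict, hash_fn) -> dict:
    """Replace raw emails with hashed match keys before the data leaves the company."""
    return {hash_fn(email): attr for email, attr in dataset.items()}


def link(advertiser_hashed: dict, partner_hashed: dict) -> dict:
    """The vendor's join: hashed key -> (advertiser attribute, partner attribute)."""
    common = advertiser_hashed.keys() & partner_hashed.keys()
    return {h: (advertiser_hashed[h], partner_hashed[h]) for h in common}


def reidentify(hashes, candidates, hash_fn) -> dict:
    """Dictionary attack: whoever can recompute hash_fn recovers the addresses behind the keys."""
    lookup = {hash_fn(c): normalize_email(c) for c in candidates}
    return {h: lookup[h] for h in hashes if h in lookup}


def demo() -> dict:
    # Unkeyed pipeline: the join works as intended...
    matches_plain = link(onboard(ADVERTISER_CRM, plain_hash), onboard(PARTNER_DATA, plain_hash))
    # ...but the "de-identified" keys fall to a candidate list.
    recovered_plain = reidentify(matches_plain, ATTACKER_CANDIDATES, plain_hash)

    # Keyed pipeline: same match rate for the key holders...
    matches_keyed = link(onboard(ADVERTISER_CRM, keyed_hash), onboard(PARTNER_DATA, keyed_hash))
    # ...while an outsider without the key recovers nothing from the same candidates.
    recovered_keyed = reidentify(matches_keyed, ATTACKER_CANDIDATES, plain_hash)

    return {
        "matches_plain": matches_plain,
        "recovered_plain": recovered_plain,
        "matches_keyed": matches_keyed,
        "recovered_keyed": recovered_keyed,
    }


if __name__ == "__main__":
    result = demo()
    print(len(result["matches_plain"]), "matched (unkeyed); re-identified:", list(result["recovered_plain"].values()))
    print(len(result["matches_keyed"]), "matched (keyed); re-identified:", list(result["recovered_keyed"].values()))
```

Both pipelines link the same two records, but only the unkeyed one lets a third party who merely knows the scheme recover an address from a match key. Keying the hash limits re-identification to holders of the key; it does not change the fact that the vendor and every key holder can still single out the same individual across datasets, which is the privacy question the self-regulatory guidelines discussed below are meant to address.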

Although complying with self-regulatory guidelines such as the Network Advertising Initiative (NAI) Code of Conduct, the Digital Advertising Alliance's (DAA) Self-Regulatory Principles for Online Behavioral Advertising and the FTC's 2009 Staff Report "Self-Regulatory Principles for Online Behavioral Advertising" may provide a starting point for compliance, these guidelines may not go far enough to avoid legal trouble when using some of the newer advertising technologies. A company should delve deeper into its own use of marketing and advertising technologies, and those of its third-party vendors, to avoid lawsuits, bad press, and the FTC's attention. The FTC has set its sights on behavioral advertising and cross-device tracking in the last few years, so these issues are likely to remain on the FTC's radar.

Balancing Convenience and Risk: OCR Issues Statement on Use of Mobile Devices

Posted in Cybersecurity, Data Security, Health Information

The U.S. Department of Health and Human Services' Office for Civil Rights ("OCR") recently issued guidance emphasizing the increased risks of using mobile devices in the workplace when those devices contain or have access to sensitive data. In particular, OCR warns of the risks to healthcare organizations when mobile devices are used to create, receive, maintain or transmit electronic protected health information ("ePHI") protected by the Health Insurance Portability and Accountability Act ("HIPAA").

Under the HIPAA Security Rule, covered entities and their business associates must conduct a risk analysis of the organization's security risks and vulnerabilities and address the vulnerabilities identified. OCR stresses that compliance with the Security Rule requires organizations to include mobile devices in that risk analysis and to reduce the associated risks "to a reasonable and appropriate level." A significant share of reported HIPAA settlements has involved lost or stolen mobile devices that were not addressed in a risk analysis or were not appropriately secured (for example, unencrypted). In some cases, settlements for alleged non-compliance involving mobile devices have exceeded $2 million.

In addition to the inherent risk of loss or theft, OCR identifies further risks of using mobile devices to store or transmit ePHI.

First Annual Review and the Privacy Shield is Still Standing: What’s Next?

Posted in E-commerce, EU Data Protection, Other, Privacy

On October 18, 2017, the European Commission issued its report on the first annual review of the EU-U.S. Privacy Shield, the framework that allows personal data transfers from the EU to the U.S. by providing an adequate level of protection in the U.S. Over 2,400 companies have now been certified under the Privacy Shield framework by the U.S. Department of Commerce.

From the European Commission’s perspective, the Privacy Shield continues to ensure an adequate level of protection, including new redress possibilities for individuals, enforcement procedures, and cooperation with the European data protection authorities. However, as “[t]he Privacy Shield is not a document lying in a drawer” but “a living arrangement that both the EU and U.S. must actively monitor”, the Commission made some recommendations to improve the current framework:

  • "More proactive and regular monitoring of companies' compliance with their Privacy Shield obligations by the U.S. Department of Commerce.
  • More awareness-raising for EU individuals about how to exercise their rights under the Privacy Shield, notably on how to lodge complaints.
  • Closer cooperation between privacy enforcers i.e. the U.S. Department of Commerce, the Federal Trade Commission, and the EU Data Protection Authorities (DPAs), notably to develop guidance for companies and enforcers.
  • Enshrining the protection for non-Americans offered by Presidential Policy Directive 28 (PPD-28), as part of the ongoing debate in the U.S. on the reauthorization and reform of Section 702 of the Foreign Intelligence Surveillance Act (FISA).
  • To appoint as soon as possible a permanent Privacy Shield Ombudsperson, as well as ensuring the empty posts are filled on the Privacy and Civil Liberties Oversight Board (PCLOB)."

Is this review a sufficient guarantee for U.S. businesses to continue relying on their Privacy Shield certification with complete confidence? That remains to be seen. The Commission negotiated the Privacy Shield to reconcile the data exchange economy with the standard required by the Court of Justice of the European Union (CJEU), so it was expected to advocate for the continued validity of that compromise. A number of authorities and data protection advocates, however, take the opposite view.

The European Data Protection Supervisor, one of the strongest official voices on data protection in the EU, already had concerns about its validity (Opinion n° 4/2016 of May 30, 2016). So did the Article 29 Working Party, which gathers all national data protection authorities at the EU level (Opinion n° 1/2016 of April 13, 2016). These two bodies will soon issue their own reports on this first annual review. Those reports could in turn affect the outcome of the two actions currently pending before the CJEU, which seek to invalidate the Privacy Shield adequacy decision on the following grounds:

  • The possibility for U.S. agencies to legally access, on a generalized basis, the content of electronic communications;
  • The incomplete transposition of the rights of access, rectification, objection and erasure that EU regulations grant to data subjects; and
  • The absence of a fully independent U.S. data protection authority, with complete effective and binding redress power.

U.S. entities certified with the Privacy Shield should closely monitor the development of those cases since, in the end, the CJEU will have the final say. It would also be prudent for them to take advantage of the opportunity to implement additional safeguards by using other data transfer mechanisms, such as Binding Corporate Rules, Certification (when available), adherence to approved Codes of Conduct or Standard Contractual Clauses.

For more information on the future of the Privacy Shield, please refer to the following Password Protected blog posts:

  • The Validity of EU-U.S. Personal Data Export Tools: A Pending Issue
  • Is the Privacy Shield Viable? Article 29 Working Party Proposes to Wait for Its Final Verdict
  • Criticisms over the Draft Adequacy Decision by the European Data Protection Supervisor: Final Lap for the Privacy Shield?
  • WP 29 Expresses Concerns About EU-U.S. Privacy Shield
  • EU-U.S. Privacy Shield: Better or Worse?

DoD Cyber Compliance Deadline Fast Approaching – Here’s What Government Contractors Need to Know

Posted in Cybersecurity, Regulation

U.S. Department of Defense (DoD) contractors face new cybersecurity compliance requirements, including a significant deadline set for December 31, 2017.

Most DoD contracts now include clauses imposing obligations on contractors to protect government information and to report cyber incidents, chiefly DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting). These obligations include a requirement that contractors implement the security requirements of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.

Contractors must comply with the NIST standards no later than the end of calendar year 2017. Submission of a proposal to DoD now serves as a specific representation that the offeror meets these requirements, so failure to meet the NIST standards potentially opens the door to more stringent government enforcement action and to liability under the False Claims Act.

The Politics of Access to Student Data

Posted in Legislation, Privacy

Combine several hotly contested elections for state office, traditional voter registration and mobilization tactics, a progressive special interest group and the use of an existing law to gain access to tens of thousands of individual student phone numbers and email addresses and you get a mini-firestorm of debate over personal privacy rights.

As reported recently in The Roanoke Times, a progressive special interest group requested student contact information from all of Virginia's publicly supported colleges and universities. According to The Roanoke Times, 18 public institutions of higher education produced the requested information, which was then used by various political campaigns to contact students about registering to vote. Presumably, campaigns in possession of the information will use it to further their voter identification and political advocacy efforts.

Two Virginia legislators recently announced they will introduce legislation to make it harder for third-parties to obtain such information in the future.

The Family Educational Rights and Privacy Act of 1974 (FERPA) does not prohibit universities and colleges from releasing student directory information, provided the student was given proper notice and did not affirmatively opt out. Interestingly, current Virginia law prohibits public institutions of higher education from selling a student's personal information. See Va. Code Ann. § 23.1-405(C). The statute defines personal information as name, address, phone number and email address. Id. While Virginia law prohibits selling such information, it does not explicitly prohibit releasing it under Virginia's Freedom of Information Act. Some may argue the information is a "scholastic record" under the Virginia Freedom of Information Act, which would have allowed the schools to withhold it, but 18 public colleges and universities took a different view.

The New CFPB Consumer Protection Principles

Posted in Consumer Privacy/FTC, Cybersecurity, Financial Services Information Management, Notification, Privacy

On October 18, 2017, the Consumer Financial Protection Bureau (CFPB) issued a set of Consumer Protection Principles on the sharing and aggregation of consumers' financial data. The timing of the announcement, coming a month after the disclosure of the Equifax breach affecting approximately 140 million consumers' financial data, seems noteworthy, as companies whose businesses rely on the consumer-authorized financial data market are scrambling to regain consumer trust.

Noting the “growing market” for consumer-authorized financial data aggregation services, the CFPB has promulgated nine principles which, in the words of CFPB Director Richard Cordray “express [the Bureau’s] vision for realizing an innovative market that gives consumers protection and value.” (See CFPB press release).

Many of the principles themselves will be familiar to anyone who has paid attention to consumer privacy discourse over the last 30+ years. They are in many ways a restatement of the OECD Guidelines, published in 1980 by the Organisation for Economic Co-operation and Development, but with a few useful additions. The “new” CFPB principles include time-tested privacy principles of:

  1. informed consent & control over data sharing;
  2. notice and transparency regarding the third parties’ access to and use of consumer data;
  3. data quality & accuracy and the right of consumers to dispute inaccuracies;
  4. an expectation of security and safeguards to protect consumer data;
  5. a right of access by consumers to their own data; and
  6. accountability to the consumer for complying with the foregoing principles.

In addition, however, the CFPB principles contain some fairly specific guidance that is particularly useful in the context of financial data and may have a significant impact on the way financial data is gathered, marketed and retained. For example, the CFPB Principles contain a specific principle (#4) regarding payment authorization:

  • Authorizing Payments. Authorized data access, in and of itself, is not payment authorization. Product or service providers that access information and initiate payments obtain separate and distinct consumer authorizations for these separate activities. Providers that access information and initiate payments may reasonably require consumers to supply both forms of authorization to obtain services.

The above principle is one of several that illustrate the CFPB’s disapproval of broad, open-ended consents from consumers, favoring instead tailored, purpose-specific access. Principle #2 (Data Scope and Usability) is another example of this theme. It reads in part, “Third parties with authorized access only access the data necessary to provide the product(s) or service(s) selected by the consumer and only maintain such data as long as necessary.”

It remains to be seen how these principles might be applied to data collectors such as credit bureaus, which in many cases hold consumer data for a consumer's lifetime. The CFPB's press release emphasized that the principles are not intended to supersede or interpret any existing consumer protection statutes or regulations and that they are not binding. Still, they provide a window into the CFPB's thinking and the likely direction of future regulation.