Archives: Legislation

Security is on the agenda from coast to coast this week.

Cybersecurity information sharing legislation will hit the House floor this week.  H.R. 1731, the National Cybersecurity Protection Advancement Act was reported out of the House Committee on Homeland Security on April 17, and H.R. 1560, the Protecting Cyber Networks Act was moved by the House Permanent Select Committee on Intelligence on April 13.  The two bills will likely be merged before coming to a vote.  Similar to the Cybersecurity Information Sharing Act moving through the Senate – the most recent version of which, S. 754, was reported out of the Senate Select Committee on Intelligence in March – both House bills authorize and provide liability protections for companies to, for cybersecurity purposes, monitor their networks and share information on cybersecurity threats with both the government and other private companies.  The bills also authorize the use of defensive measures to protect networks from malicious threats, though they contain limits designed to restrict so-called “hack back” techniques.

Both bills include privacy protections designed to safeguard personal information and restrict companies from sharing it with either the government or other private entities, but some privacy advocates are still concerned about the adequacy of these safeguards.  Privacy has remained a hot-button issue surrounding cyber information sharing legislation since Edward Snowden’s exposure of the National Security Agency’s bulk collection of telephone metadata and PRISM surveillance program.

And, the RSA Conference — “where the world talks security” — opens today in San Francisco.  The conference kicks off this morning with a keynote by RSA President Amit Yoran and another later in the day by Department of Homeland Security Secretary Jeh Johnson, but things were already getting rolling yesterday: the Cloud Security Alliance held its CSA Summit, focusing on enterprise cloud adoption and security lessons learned, and the Trusted Computing Group held a panel discussion spanning mobile computing, the Internet of Things, and cloud security.  Follow the RSA Conference blog for summaries and updates.


Thanks to Mary Lovejoy for the Washington update.

The draft Data Protection Regulation doesn’t offer many carrots to business – and a recent announcement by the Council of the European Union takes away one of the biggest carrots, the “One-Stop Shop” mechanism.

The One-Stop Shop refers to the principle that businesses would have to deal with just a single national data protection authority instead of 28 different authorities across the EU.  The objective was to simplify logistics for businesses and to reduce any chance of multiple, inconsistent requirements from different authorities.

Continue Reading One Less Carrot for Business:  Council of European Union Limits the “One-Stop Shop” Mechanism in the Draft Data Protection Regulation

Good Monday – The East Coast prepares for Apocalypse (Sn)ow.

In the meantime, here are three privacy-related tidbits for your day.

Privacy Concerns Cause Scale Back of Release of HealthCare.gov Data

We spend a fair amount of time warning about third party vendors and the risk that such vendors can pose to sensitive data.   Just ask Target.   Last week, the Associated Press revealed that the healthcare insurance exchange, HealthCare.gov, was connecting with third party analytics sites and others and operating much like any commercial website — except that it is not.  The AP reported over the weekend that the Obama Administration has “reversed itself” and scaled back the release of (or access to) consumer data — including anonymized data.     According to the AP’s Saturday follow-up, an analysis of the Federal exchange showed that the number of third party companies with connections embedded in the site, thus giving them access to consumer data, “dropped from 50 to 30.”

Read more:

The Hill — The Centers for Medicare and Medicaid Services will encrypt additional data when customers use the Window Shopping feature on HealthCare.gov.

New York Times — Is the data usage “industry standard” and much ado about SOP?

CNN Money


Continue Reading Privacy Monday – January 26, 2015

As expected in his State of the Union address last night, President Obama made it very clear that cybersecurity is on his agenda for 2015.  After stating that:

 “No foreign nation, no hacker should be able to shut down our networks, steal our trade secrets or invade the privacy of American families, especially our kids,”

the President urged Congress to “finally” pass “legislation we need to better meet the evolving threat of cyber attacks, combat identity theft, and protect our children’s information” and cautioned lawmakers that “if we don’t act, we leave our nation and our economy vulnerable.”

Just days before the State of the Union address, in a speech delivered at the Federal Trade Commission on January 12, the President highlighted the measures he discussed in the State of the Union and unveiled the next steps in his comprehensive approach to better protect American companies, consumers, and infrastructure against cyber threats. These steps include:

  1. Improving consumer security by establishing a national standard requiring companies to notify employees and customers about security breaches, and by identifying and preventing identity theft. For more information about the proposed Personal Data Notification & Protection Act, please see our prior blog post. The President announced that, in an effort to tackle identity theft and help consumers spot it early on, several large financial companies have committed to offer free credit scores to their customers, joining an existing list of financial companies that already engage in this practice.
  2. Improving consumer confidence online by passing a Consumer Privacy Bill of Rights to establish an enforceable code of conduct for online interactions and protect consumers’ privacy. This proposed legislation will be based on the Obama Administration’s 2012 Consumer Privacy Bill of Rights and is expected to be released within the next month and a half.
  3. Safeguarding student data in the classroom and beyond by passing legislation to promote student privacy, convening the private sector to pledge to help enhance the privacy of students, and offering new tools via the Department of Education to help schools and teachers better protect the privacy of students. Sometime in the next two months, the Obama administration will release a proposal to update the Family Educational Rights and Privacy Act (FERPA). The President highlighted that the proposed Student Digital Privacy Act would: (i) limit the use of data collected “in an educational context” to educational purposes; (ii) prohibit companies from selling student data to third parties for unrelated purposes; and (iii) prohibit targeted advertising derived from data collected in school. The bill would still permit the use of such data for certain types of research, as well as for improving the effectiveness of learning technology products. The President noted that the bill would be modeled on a recently passed California law covering the collection and use of student data. For more information on the California law, please see our prior blog post.
  4. According to a recent White House press release on the subject, as part of the Obama Administration’s comprehensive plan to better protect the privacy of consumers, on January 12 the Department of Energy and the Federal Smart Grid Task Force released a new Voluntary Code of Conduct (VCC) “for utilities and third parties providing consumer energy use services that will address privacy related to data enabled by smart grid technologies.” For more information about this initiative, please click here.

The next item on the lawmakers’ agenda is a hearing before the House Energy and Commerce subcommittee next Tuesday entitled “What are the Elements of Sound Data Breach Legislation?” According to new subcommittee Chairman Michael Burgess (R-TX), “data security will be the focus of our subcommittee’s first hearing as we drill down on what components should be included in a bill that will give consumers the peace of mind they deserve.”

We will keep you updated on proposed legislation and new initiatives that are part of the Administration’s cyber security plan.

If cybersecurity and data privacy are on the President’s agenda, shouldn’t those issues be on the top of your company’s agenda this year?!


Written by Cynthia Larose, CIPP and Ari Moskowitz, CIPP

This has been a big week for cybersecurity announcements from Washington.   In what the White House has called a series of “SOTU Spoilers,” President Obama announced his intention to follow through on some of the recommendations in his administration’s Big Data report — the culmination of the White House’s 90-day “Big Data” review in 2014.  Specifically, the President proposed following through on the report’s recommendations that the following legislation be passed:  a consumer privacy bill of rights, a national data breach notification law, and a law to promote student privacy. Continue Reading White House Proposes National Data Breach Notification Standard

Three privacy/security stories that you should know as you start your week:


President Obama to Offer Cybersecurity/Privacy Previews to State of the Union Proposals

In a series of speeches this week, President Obama will preview important issues to appear in his January 20th State of the Union address.    A White House official said in a statement to reporters over the weekend that the president would “lay out a series of legislative proposals and executive actions that will be in his State of the Union that will tackle identity theft and privacy issues, cybersecurity, and access to the Internet.”   The President will reportedly speak at an event at the Federal Trade Commission today and outline a plan to tackle identity theft and improve consumer and student privacy.    Tuesday, the President will discuss cybersecurity at the National Cybersecurity and Communications Integration Center.    We will keep readers updated on what the White House is calling “SOTU Spoilers.”

Read more here: Privacy and Security Updates Monday

CNBC

CNET

New York Times


ICYMI:  The January 2015 Edition of the Mintz Matrix Is Out — and State Changes are in the Works

On Friday, we released the updated version of the Mintz Matrix of state data breach notification laws.   In case you missed it, you can get the updated chart here.

Now that the state legislatures are getting into session, we are expecting more action amending and tightening up state laws.    For example, legislators in Washington state have already filed an amendment to that state’s data breach notification law.

At the end of 2014, several proposals were introduced and we will be following where these bills head in the 2015 session.  New York’s proposal (Bill A10190) would impose, on entities conducting business in New York that own or license computerized data including private information, requirements nearly identical to those under Massachusetts 201 CMR 17.  Most importantly (as you will recall), the Massachusetts regulations require that entities develop, implement and maintain a comprehensive written information security program.  A proposed New Jersey amendment would expand the definition of “personal information” to include a user name or email address in combination with any password or security question and answer that would permit access to the online account.  Attorneys general in Indiana and Oregon closed out the year with calls for more robust data breach protection legislation in their states.  Stay tuned.


Tax Time is a Good Time For a “Security Check”

Businesses and their employees are all dealing with receipt of documents, filings, etc. during this taxing time of year.  Tax season is also a prime time for personal information scams and can expose lax internal controls.   Here are a few things to remember as you begin preparing for tax season:

Secure your data – Do you prepare your business’ taxes on a company computer? If so, you likely have some very sensitive financial information on your hard drive. Make sure those files are encrypted at rest and live only in directories and accounts protected by strong passwords, and that the entire system is protected from outside threats. Also, if you plan to use a wireless network to electronically file your taxes, be sure to use a secure Internet connection and never use public wireless hotspots.  Do NOT send personal information to employees or service providers via email.  Make sure that you only use secure transmission methods for sending W-2 and other forms that contain Social Security or other sensitive information.  If a tax preparer asks you to send documents via unencrypted email — find another tax preparer.

Back up financial data – When was the last time you backed up your company data?  If you don’t already follow a backup schedule, tax season can be a great reminder that you need to regularly back up your data. Regularly backing up your data not only protects you at tax time in the event your data is compromised, it can also help protect you against future events such a natural disaster.  Remember that whether you back up to the cloud or a separate physical device/location, electronic data needs to be kept in a secure environment.

Keep your security software updated – You don’t have the time or resources to keep track of each and every new scam, phishing attack, or threat that comes around – that’s what your security software is supposed to do. But just as you can’t file accurate taxes without up-to-date tax information, your security software can’t do its job if it’s not up-to-date. The threat landscape changes daily, so keeping your security software current helps ensure that it will be able to address the most recent threats to your information. After all, your ability to run an effective business depends on making sure your confidential data is safe and secure from outside threats.

Remind employees of phishing threats — Use this time of year as an opportunity to remind employees to protect themselves from tax-related phishing scams.    The IRS will never ask for personal information via email.  Ever.    Some of these reminders from the IRS may be useful to send to your employees as a reminder to protect themselves — and as a result, protect your business.
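The IRS reminder above gives a simple rule (“the IRS never asks for personal information by email”) that a mail gateway or help desk can turn into a mechanical check. The script below is an added example, not code from this blog or from the IRS: it parses a message, and when the sender or subject invokes the IRS it flags a sender domain that is not irs.gov, links that point anywhere other than irs.gov (including the lookalike trick of putting “irs.gov” at the front of an attacker-controlled hostname), a Reply-To that does not match the sender, and any request for Social Security, bank or password details. The two sample messages, and every domain in them, are constructed for the example.

```python
"""Triage an inbound message for IRS impersonation.

Added example; the sample messages and all domains in them are
constructed for illustration and are not real senders or sites.
"""
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

IRS_DOMAIN = "irs.gov"
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.I)
CLAIMS_IRS_RE = re.compile(r"\b(irs|internal revenue service)\b", re.I)
# Data the IRS never requests by email; any request for it is a finding.
SENSITIVE_RE = re.compile(
    r"social security|\bssn\b|bank account|\bpassword\b|\bpin\b", re.I
)


def is_irs_host(host):
    """True only for irs.gov itself or a genuine subdomain of it.

    'irs.gov.refund-verify.example' is NOT a match: the part that
    decides who controls the name is the rightmost labels, not the left.
    """
    host = (host or "").lower().rstrip(".")
    return host == IRS_DOMAIN or host.endswith("." + IRS_DOMAIN)


def domain_of(addr):
    """Mail domain of an address like user@host, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw_message):
    """Return the IRS-impersonation findings for one RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = email.utils.parseaddr(str(msg.get("From", "")))
    _, reply_addr = email.utils.parseaddr(str(msg.get("Reply-To", "")))
    subject = str(msg.get("Subject", ""))
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""

    findings = []
    claims_irs = bool(CLAIMS_IRS_RE.search(from_name + " " + subject))
    sender_domain = domain_of(from_addr)

    # 1. Says it is the IRS but does not come from irs.gov.
    if claims_irs and not is_irs_host(sender_domain):
        findings.append(f"claims to be the IRS but sender domain is {sender_domain}")

    # 2. Replies are routed somewhere other than the apparent sender.
    if reply_addr and domain_of(reply_addr) != sender_domain:
        findings.append(
            f"Reply-To domain {domain_of(reply_addr)} differs from sender domain {sender_domain}"
        )

    # 3. An "IRS" message whose links leave irs.gov.
    if claims_irs:
        for url in URL_RE.findall(body):
            host = urlparse(url).hostname
            if not is_irs_host(host):
                findings.append(f"link points off irs.gov: {host}")

    # 4. Asks for data the IRS never collects by email.
    if SENSITIVE_RE.search(body):
        findings.append("asks the recipient to supply sensitive personal or financial data")

    return {"claims_irs": claims_irs, "findings": findings, "suspicious": bool(findings)}


# Constructed sample: a refund-scam message (hypothetical domains).
PHISH = """\
From: "IRS Refund Department" <refunds@irs-gov-refund.com>
Reply-To: collect@mail-relay.example
To: employee@example.com
Subject: IRS: Action required to release your tax refund
Content-Type: text/plain; charset="utf-8"

Dear taxpayer,

Confirm your Social Security number and bank account at
http://irs.gov.refund-verify.example/confirm to release your refund.
"""

# Constructed sample: a routine payroll notice that should pass clean.
LEGIT = """\
From: "Payroll Team" <payroll@acme-payroll.example>
To: employee@example.com
Subject: Your W-2 is available in the portal
Content-Type: text/plain; charset="utf-8"

Your 2014 W-2 is ready. Log in at https://portal.acme-payroll.example/w2
with your existing credentials.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, triage(raw))
```

Run against the phishing sample it reports all four findings; the payroll notice produces none. The link check deliberately uses the hostname’s rightmost labels, because a display name or a URL that merely starts with “irs.gov” is exactly what these campaigns rely on.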

Have a safe and secure week!

Make sure to get your January 2015 Mintz Matrix!    

Available here for downloading and always linked through the blog right hand navigation bar.

Things you will not want to miss:

  • California has significantly amended its breach notification requirements
  • Kentucky’s new data breach law (2014) is expanded effective January 1
As always, this chart is for informational purposes only and does not constitute legal advice or opinions regarding any specific facts relating to specific data breach incidents. You should seek the advice of experienced legal counsel (e.g., the Mintz Levin privacy team) when reviewing options and obligations in responding to a particular data security breach.
Credit – Photobucket: bjaco6

sing it with me now….

Five Golden Rules…….(well, five new privacy laws/requirements)

There are five significant new privacy laws/amendments that will be effective as of New Year’s Day — January 1, 2015 — and four are from California.    Pull up a chair, brew that cup of tea.  It’s time to review and prepare. Continue Reading On the Fifth Day of Privacy, California (and Delaware) gave to me

Our series last year was a reader favorite, so we decided to put our prognosticator hats on again and present:


Rather than look back at 2014, starting tomorrow, the Privacy & Security blog will count down The 12 Days of Privacy, looking ahead to what we might expect in 2015 and what we might be talking about in the year to come.

Don’t miss a day starting tomorrow!

Day One – 12/9 – Does Santa Claus Have to Comply with EU Data Protection Laws: 2015 Compliance Considerations for Non-EU Companies

Day Two – 12/10 – Through the Looking Glass: Privacy Litigation

Day Three – 12/11 – What the 2015 Proxy Season Might Bring……

Day Four – 12/12 – Cyberliability Policies: What to Expect in 2015

Day Five – 12/15 – California Dreaming … New Legislation Effective January 1

Day Six – 12/16 – Hacks and the State Actor: What Sony Portends…

Day Seven – 12/17 – Questions of Authority: Who is “the cop” on the Privacy and Data Security Beat?

Day Eight – 12/18 – Health Data Sharing – How much is too much?

Day Nine – 12/19 – OCR Corrective Action Planning in 2015: The Gift That Keeps on Giving

Day Ten – 12/22 – Wearables: What will that new gadget be spilling about you?

Day Eleven – 12/23 – ISO and the Courts: How Your Coverage is Likely to Narrow in 2015 (and why….)

Day Twelve – 12/24 – On the Twelfth Day…..


Join us each day as we celebrate the 12 Days of Privacy, v.2014!

Written by Susan Foster, Solicitor England & Wales/Admitted in California

 (LONDON) Google – along with the rest of us – is still considering the implications of the European Court of Justice’s May 13, 2014 decision that Google must remove links to a newspaper article containing properly published information about a Spanish individual on the basis that the information is no longer relevant or accurate.  This decision by Europe’s highest court is unappealable, so the Google Spain case is law throughout the European Economic Area (EEA) until changed by legislation (unlikely) or modified by the ECJ in a later decision (also unlikely).

To reach this conclusion, the ECJ found that:

  1. Google is a data controller (and not merely a data processor) because it indexes information gleaned from the Internet in order to create its search results.
  2. The information in question (which had to do with a government order that a house be put up for auction due to its owner’s failure to pay certain taxes) is protected personal data despite the information having been properly published at the time of its initial publication. (Ironically, the Spanish newspaper that initially published the information was not required to remove the article – Google just can’t include the article in its search results.)
  3. Countervailing considerations such as the potential burden on Google that will arise from having to consider “right to be forgotten” requests and the interest of the public in having access to past public information are outweighed by the right of the individual to be forgotten.

From one perspective, this is just a search engine case, and the only companies that need to worry about it are search engine companies with some kind of business presence or technical facilities in Europe (which creates the nexus for the EU’s legal jurisdiction).  And of course, historians might be worried, along with anyone else who thinks that public information should stay publicly available to safeguard freedom of expression, or the integrity of the historical record, or the democratic process, or the like.  And EEA residents might even wonder what their life would be like if all search engines blocked off European results because the compliance burden outweighed the ad revenues – or, because, now that they are deemed to be data controllers, they couldn’t work out a way to comply with the Eighth Principle restricting transfers of personal data outside of the EEA . . .

No, the reasons that other (non-search) businesses, particularly in the US, should be concerned about the Google Spain decision are the following:

  • The EU notion of personal data is not the same as the US notion of private information.  It is far broader and includes information obtained from public sources as well as information that an individual has voluntarily disclosed to the world.  When you evaluate your company’s data collection and processing activities, you need to remember that, in Europe, personal data is virtually everything about, or written by, an individual, whether or not the information has already been made public.
  • The EU is unconcerned about imposing huge burdens on companies.  Well, at least it’s unconcerned about imposing huge burdens on large companies that aren’t headquartered in the EEA  – but it would be unwise to look at the Google Spain case as inherently exceptional.  There’s a draft Data Protection Regulation making its way through the EU legislative pipeline that will levy fines for breaches in the order of up to 5% of global turnover.   The draft Data Protection Regulation imposes very strict standards and processes on businesses that process personal data, and the Google Spain decision simply underscores that the balance of rights and interests in the EU is tipped firmly in the direction of the individual.  Message to business?  Get ready for the hammer.  The Google Spain decision shows where it’s going to strike.