The last Monday in July — the summer of 2014 is rapidly slipping away! Here are some privacy and security bits and bytes for this last week of July:
US Congress Heads Out on August Recess Soon – Much to Do
It has been reported that the U.S. House will vote today on a series of four cybersecurity bills. The bills were moved forward last week after the House Homeland Security and Oversight committees resolved a jurisdictional dispute over federal civilian computer networks. On the list for today’s vote: Rep. Mike McCaul’s National Cybersecurity and Critical Infrastructure Protection Act, Rep. Patrick Meehan’s Critical Infrastructure Research and Development Act and Rep. Yvette Clarke’s Homeland Security Cybersecurity Boots-on-the-Ground Act, all from the House Committee on Homeland Security, and separately Rep. Kerry Bentivolio’s Safe and Secure Federal Websites Act of 2013 from the House Committee on Oversight and Government Reform.
Cybersecurity Still a Top Risk Concern for Boards
We’ve been discussing the elevation of privacy and security risks and vulnerabilities to the board level for some time now (see here, here and here). Accounting firm EisnerAmper has just released its annual survey on concerns of corporate board directors. Cybersecurity and IT risk and reputational risk (they do go hand in hand; just ask Target and Neiman Marcus) are the two top issues. Read here
Written by Susan Foster, Solicitor England & Wales/Admitted in California
(LONDON) Although no major legislative milestones for the EU Data Protection Regulation have occurred since March 2014 (see status update here), there has been some progress over the late spring and early summer of 2014. One key item that will be of interest to US companies is the Council’s compromise position on a key piece of the Regulation, the rules for the transfer of personal data to countries outside of the European Economic Area (EEA), published on May 28, 2014.
The current mechanisms for legitimizing such transfers, including adequacy assessments, Binding Corporate Rules, model contracts, and express consent, are retained. Also, an important “derogation” for infrequent, small transfers has been endorsed.
The Council’s full wording for the infrequent, small transfer derogation is as follows:
. . . the transfer, which is not large scale or frequent, is necessary for the purposes of legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject and where the controller (…) has assessed all the circumstances surrounding the data transfer operation or the set of data transfer operations and (…) based on this assessment adduced suitable safeguards with respect to the protection of personal data.
This promises to be a useful tool for companies when a relatively small set of data needs to be transferred, particularly in circumstances (such as employee data) where the EU’s views on the validity of consent make it difficult to rely on consent as a basis for the transfer.
Written by Susan Foster, Solicitor England & Wales/Admitted in California
(LONDON) With no major legislative milestones since the March 2014 EU Parliamentary vote endorsing the LIBE draft of the new Data Protection Legislation, observers from outside the EU might understandably wonder whether the legislative process has derailed somehow. But it hasn’t – the train has just pulled over to a siding while the summer break passes. It will build up a new head of steam when the new Parliament holds its first plenary session in mid-September 2014.
To recap the legislative process, the EU Commission, Parliament and Council all need to agree on the final wording of the new Regulation. The EU Commission put forth a first draft in 2012 and the Parliament proposed a much more pro-individual draft in March 2014. It’s now the turn of the Council of the European Union (a non-elected group of representatives of the governments of the 28 Member States of the EU) to consider the draft Regulation and propose its version. Then a “tri-logue” will follow, during which the three branches of the EU government will try to agree upon a final form of the Regulation.
Some of the delay in finalizing the Regulation is inherent in the EU political process. However, the delay also has political roots, as summarized in part here by an industry association.
The Council has continued to meet while the Parliament is on break, and a small, but important, piece of the Regulation – the rules governing the transfer of personal data outside of the European Economic Area — has effectively been endorsed by the Council (see my summary here). However, a number of important issues remain open, including the “one stop shop” approach to regulation.
While much work remains to be done, the general consensus at the moment is that the final version of the Regulation will be adopted sometime in 2015 and come into force in 2017.
Written by Julia Siripurapu, CIPP
U.S. District Court Judge Ronald M. Whyte has issued an order granting in part and denying in part Google’s Motion to Dismiss the class action filed against the Company on March 7 in the U.S. District Court for the Northern District of California as a result of unauthorized children’s in-app purchases in the Google Play Store. As discussed in detail in our prior blog post, the lawsuit was filed by a New York mother on behalf of herself and other parents whose minor children downloaded free or relatively inexpensive child-directed games from the Google Play store and then incurred charges for purchasing items that cost money within the app without parental consent or authorization. Continue Reading
Written by Julia Siripurapu, CIPP/US
Some clarification and a bit more flexibility were forthcoming late last week from the Federal Trade Commission to help ease compliance with the “new” COPPA.
In its recent update to three FAQs in Section H (Verifiable Parental Consent) of the COPPA FAQs, the FTC provided important information on the topic of verifiable parental consent. The revisions are particularly important for the mobile application market since it is now very clear that developers of mobile applications directed to children under 13 can use an app store to obtain verifiable parental consent and that the app stores providing the verifiable parental consent mechanism “will not be liable under COPPA for failing to investigate the privacy practices of the operators for whom you obtain consent.” Continue Reading
We are now officially in the throes of “midsummer” on this Privacy Monday. And, on occasion in the data privacy world, we agree with Will Shakespeare’s words….“Lord, what fools these mortals be!”
Flash Drives ….
Butler University has warned about 160,000 students, faculty, staff, and alumni that personal information was discovered on a flash drive of an identity theft suspect arrested in California. Exposed information includes birthdates, Social Security numbers and bank account information.
Houston to “Ground Control” – We Have a Problem
The Houston Astros have not exactly been hitting the cover off the ball this season, but the team’s proprietary database system known as “Ground Control” had been the envy of Major League Baseball. That is, until it was hacked. Details of trade discussions involving 22 teams during a 6-month period ending in March were leaked first to Anonbin, a data sharing website, and then most recently, to the website Deadspin.com. Astros GM Jeff Luhnow is furious and says that the team intends to prosecute those involved.
Goodbye Hotel Hippo …
Disclosure of weak security and privacy controls can be harmful to the health of your business. One week after an independent security consultant discovered that the Hotel Hippo site had been leaking large amounts of customer information, the incident is being investigated by UK privacy watchdogs and the site says “website permanently closed.”
SC Magazine UK
Reposted from Mintz Levin’s Health Law & Policy Matters blog
The American Bar Association Health Law Section’s July 2014 eSource publication includes an article by Dianne Bourque, Kimberly Gold, and Stephanie Willis that provides examples of how risk assessments under the Breach Notification Rule have changed since the HIPAA Omnibus Rule went into effect in September 2013. The examples analyzed in this article involve two situations that often stymie health care providers: 1) appropriate disclosures to law enforcement and 2) sending appointment reminders to patients.
Covered entities and business associates having difficulty distinguishing the old “harm standard” and the new Omnibus Rule analysis should understand that the latter clearly imposes a rebuttable presumption that a breach of protected health information will require notification to affected individuals and the government, except under narrow circumstances. As the article concludes, “striking a balance between an inquiry that meets the risk assessment’s requirements but that minimizes the over-reporting of breaches will be a challenge that covered entities and business associates will need to address” for years to come.
Mintz Levin’s Privacy team constantly monitors the HHS Office of Civil Rights’ enforcement and monitoring activities and writes posts noting trends in the area of HIPAA compliance, so keep checking the blog for current health care privacy and security news.
Written by Kevin McGinty
It’s an ancient conundrum: if a tree falls in the forest, and no one is there to hear it, does it make a sound? Privacy litigation may well offer the closest jurisprudential equivalent: if data is stolen, but no one does anything with it, has there been an injury? A recent Illinois state court decision is the latest to answer the latter question in the negative. Continue Reading
FTC Sues Amazon Over In-App Purchases Made by Children
Written by Jake Romero, CIPP
Children, according to Whitney Houston, are our future, but they are also, according to the Federal Trade Commission, willing to spend unlimited amounts of money to purchase virtual items within mobile applications. In a lawsuit filed after Amazon.com, Inc. resisted a settlement offer similar to the FTC’s settlement with Apple, Inc., the FTC claims that Amazon allowed millions of dollars of in-app purchases from children on the mobile application store installed on its Kindle Fire devices and on mobile devices running the Android operating system. In response to the alleged unfair practices, the FTC is seeking an injunction against Amazon and restitution to Amazon consumers. Continue Reading
Written by Jake Romero, CIPP
If you are one of the approximately 1.3 billion people who use Facebook, you’ve likely experienced the phenomenon where a single event (like Luis Suárez biting that Italian guy or pretty much anything involving TSA) manages to raise the ire of a large number of your Facebook friends, causing them to flood your timeline with single-issue Facebook user rage. Another recent event you likely heard about both on the news and through numerous status updates is Facebook’s 2012 experiment in which user timelines were manipulated to gauge users’ response to changes in the number of positive or negative posts. After results of the study were published in March, many users became upset at the idea of possibly having unknowingly taken part in the study. Now, the Electronic Privacy Information Center (EPIC) has filed a formal complaint asking the Federal Trade Commission (FTC) to investigate Facebook’s use of user data for research purposes as a deceptive trade practice. Continue Reading