Register now for the fourth installment in our monthly 2015 Privacy Wednesday webinar series, coming up next Wednesday, April 29th at 1:00 pm ET.
Susan Foster, a CIPP/E in Mintz’s London office, will consider issues faced by US companies who do business in Europe or simply interact with European customers. We will look at how to determine whether EU data protection laws apply to you, and what you need to do to comply. We will also provide an overview of the upcoming major overhaul of EU data protection laws in the form of the draft Data Protection Regulation, which is likely to be finalized in late 2015 or 2016.
Target confirmed a report in the Wednesday edition of The Wall Street Journal of a settlement with MasterCard concerning claims of card issuers arising from Target’s 2013 data breach. The data breach, which occurred during the post-Thanksgiving holiday shopping season, compromised over 40 million credit and debit cards used to make purchases at Target stores. The settlement has not been presented to the court for approval but was described in a press release issued by Target after the close of business on Wednesday. The settlement proposes payment of up to $19 million (previous reports had indicated a fund of $20 million) to reimburse issuers of MasterCard-branded payment cards for costs arising from reissuance of cards compromised by the data breach. Target’s obligation to proceed with the settlement is conditioned on acceptance by issuers of at least 90% of the eligible payment card accounts. Target indicates in its press release that it intends to “defend itself vigorously against any assessments made by MasterCard on behalf of MasterCard issuers that do not accept their offers.” In order to accept Target’s offer, settling issuers must agree to release all claims that they may have against Target arising from the data breach. The press release also states that the potential $19 million cost of the MasterCard settlement is included in the total cost of the data breach disclosed in Target’s public securities filings (reported at 2014 year end to be $252 million before insurance offsets).
According to Target’s Wednesday press release, issuers that accept the MasterCard settlement are expected to be paid “by the end of the second quarter of 2015.” Based on the description of the settlement and the expected timing, it appears that the MasterCard settlement will take place entirely outside of the card issuer class action that is still pending in federal court in Minnesota, although any releases given in connection with the MasterCard settlement would finally resolve claims of settling issuers as to MasterCard payment cards compromised by the breach. The proposed settlement would not affect outstanding claims on behalf of issuers of other types of payment cards (including Visa, Discover and American Express cards).
Spring has finally arrived on the East Coast, and not a moment too soon.
Here are 3 privacy & security bits and bytes to start your week.
ICYMI – 60 Minutes’ Steve Kroft Story on Why the Sony Hack is Important
Fascinating piece by a reporter who has been looking at cybersecurity/cyberwarfare issues for 15 years. “You don’t have to be a superpower to inflict damage on US corporations….” Watch the entire story here. (Full disclosure – Mintz client Cylance is prominently featured in this story.)
As a Follow-on: New RSA Breach Readiness Survey Finds Majority Not Prepared
Now that you have seen the 60 Minutes eye-opener, read the latest study released by RSA, The Security Division of EMC, just ahead of next week’s RSA Conference in San Francisco. The opening few lines preview the content of Failures of the Security Industry: Accountability and Action Plan:
The information security industry is losing the cyberwar. Make that cyberwars. Plural. Black hat “hacktivists,” organized crime syndicates, state-sponsored operatives, terrorists, and other threat actors attack computer systems and critical infrastructure on multiple fronts across the globe with seeming impunity….Cybercrime hurts the global economy.
This is one you have to see – IT Governance, a UK consultancy, has a blog post with pictures — screenshots from live TV broadcasts that leaked passwords. Including one from the Super Bowl: a live shot showing the credentials for the stadium’s wireless network. Take a look at the article and pictures here.
As we predicted in our post late last month, Google’s YouTube Kids app has attracted more than just the “curious little minds” Google was hoping for. Yesterday, a group of privacy and children’s rights advocates (including the Center for Digital Democracy and the American Academy of Child and Adolescent Psychiatry) asked the Federal Trade Commission “to investigate whether Google’s YouTube Kids app violates Section 5 of the FTC Act . . . .”
The advocacy group downloaded the YouTube Kids app onto an Android device and two iOS devices. It then reviewed and assessed the app as it functioned, watching content Google says caters to children while protecting them from questionable or troubling content.
The advocacy group claims this review identified three features of the app it believes are unfair or deceptive. First, the group faults Google for offering content “intermixed” with advertising content in a manner the group claims “would not be permitted to be shown on broadcast or cable television” under Federal Communications Commission guidelines. Second, the group worries that much of the advertising violates FTC Endorsement Guidelines because it is user-generated in a way capable of masking relationships with product manufacturers. Finally, the group claims the advertising content violates the YouTube Kids app’s stated policies and procedures.
Taken together, the advocacy group’s issues all collapse into the same core argument: very young children (generally under 5 years of age) cannot distinguish between actual content and advertising, and that makes them “uniquely vulnerable to commercial influence.” This argument has a lot of emotional appeal: who wouldn’t want to protect small children? But the implications of this argument extend far beyond the YouTube Kids app, and would call into question any free, advertising-supported video platform, including network television. As such, it seems likely that the advocacy group’s position faces significant First Amendment hurdles.
Although the advocacy group does not (yet) take issue with YouTube Kids’ data collection practices, it does question how the app is able to generate video recommendations. And its letter to the FTC explicitly asks the Commission to investigate whether or not children are being tracked without verifiable parental consent.
The ball is now squarely in the FTC’s court. It could launch a non-public investigation regarding the app’s practices, or it could do nothing. However, as the Commission has recently signaled a renewed interest in protecting children online (including entering a $19 million settlement with Google over children’s in-app purchases last September), it seems likely the Commission will have at least some questions for Google following the advocacy group’s letter.
Following up on my recent post on the matter, I had the opportunity to speak with Colin O’Keefe of LXBN on the subject of cross-device tracking. In the brief interview, I discuss the growing prevalence of cross-device tracking and what the FTC is doing in response.
Not only is it Privacy Monday – it is OPENING DAY! After this long, long winter … welcome back baseball!
It’s usually an end-of-season tradition for some baseball writers and announcers, but I like to revisit it in the spring for what is ahead “in a green field, in the sun” — one of the greatest odes to the game ever written:
It breaks your heart. It is designed to break your heart. The game begins in the spring, when everything else begins again, and it blossoms in the summer, filling the afternoons and evenings, and then as soon as the chill rains come, it stops and leaves you to face the fall alone. You count on it, rely on it to buffer the passage of time, to keep the memory of sunshine and high skies alive, and then just when the days are all twilight, when you need it most, it stops. … It breaks my heart because it was meant to, because it was meant to foster in me again the illusion that there was something abiding, some pattern and some impulse that could come together to make a reality that would resist the corrosion; and because, after it had fostered again that most hungered-for illusion, the game was meant to stop, and betray precisely what it promised.
Of course, there are those who learn after the first few times. They grow out of sports. And there are others who were born with the wisdom to know that nothing lasts. These are the truly tough among us, the ones who can live without illusion, or without even the hope of illusion. I am not that grown-up or up-to-date. I am a simpler creature, tied to more primitive patterns and cycles. I need to think something lasts forever, and it might as well be that state of being that is a game; it might as well be that, in a green field, in the sun.
Read “The Green Fields of the Mind” by A. Bartlett Giamatti here and hear him read it himself here. Or, watch the epic James Earl Jones monologue from Field of Dreams here.
Enjoy Opening Day!
Now back to your regularly-scheduled Privacy & Security Matters programming — Opperman v. Path Inc.’s Impact on Privacy Notices.
President Obama today signed an Executive Order granting authority to the Department of the Treasury’s Office of Foreign Assets Control (OFAC) to impose sanctions on individuals and entities determined to be “responsible for or complicit in malicious cyber-enabled activities” that result in harms “reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States.” For purposes of the Executive Order, “malicious cyber-enabled activities” include deliberate activities accomplished through unauthorized access to a computer system, including
by remote access;
circumventing one or more protection measures, including by bypassing a firewall; or
compromising the security of hardware or software in the supply chain.
OFAC will work in coordination with other U.S. government agencies to identify individuals and entities whose conduct meets the criteria set forth in the Executive Order and designate them for sanctions. Persons designated under this authority will be added to OFAC’s list of Specially Designated Nationals and Blocked Persons (SDN List). There are no immediate compliance obligations for U.S. companies under this Executive Order. However, once Treasury has made designations pursuant to this authority, U.S. persons (and persons otherwise subject to OFAC jurisdiction) must ensure that they are not engaging in trade or other transactions with persons named on OFAC’s SDN List pursuant to this Executive Order, or with any entity owned by such persons.
The Executive Order is available here. OFAC has issued a series of related Frequently Asked Questions here.
Our 2015 monthly Privacy Issues Wednesday webinar series continued this month with Jonathan Cain and Paul Pelletier’s Responding to Insider Data Theft & Disclosure presentation. Jonathan and Paul discussed how distinguishing the insider threat differs from the techniques used to identify and stop hackers, creating an environment that deters insiders from stealing data, and the legal remedies – both civil and criminal – that are available to recover stolen data and compensate for its loss. Nearly 100 participants joined us for this webinar.
For those who missed the webinar, some of the key takeaways include the following:
Data losses due to insiders are not the most common source of loss, but they are consistently among the most damaging to the company’s finances and future. They target customer data, intellectual property, future business plans and embarrassing skeletons.
Insiders are not hackers, and the traditional technology-based barriers against outside hackers don’t stop them, because the insider is entitled to be in the network and has authorized access to the data.
Detecting insiders is an ongoing exercise of analyzing the data of nominally equivalent employees and identifying anomalous conduct.
Deterring insiders through social engineering is easier and more productive than trying to identify an attacker after the fact. Where employees are aware that indicators of insider attacks are being watched, there is less likelihood that attacks will occur.
The Computer Fraud and Abuse Act (CFAA), which is the federal statute most commonly employed to redress insider attacks, has been interpreted inconsistently across the federal courts, and its effectiveness varies. State computer abuse, trade secret, and breach of fiduciary duty laws continue to provide suitable remedies, both civil and criminal.
Criminal prosecution of insiders under federal law based on the CFAA, wire fraud, HIPAA and other federal criminal statutes is feasible, but is likely to be available only in the largest cases.
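As an added illustration of the peer-group analysis described in the third takeaway above (this is example code, not material from the webinar), the script below compares each employee’s daily record-access volume against colleagues in the same role and flags the outliers for review; the log lines, role names and threshold are constructed.

```python
"""Peer-group baseline for insider detection. Added example with constructed
data; each user's daily record-access count is compared with the spread among
employees in the same role, and far-out values are flagged for review."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed audit-log lines: date,user,role,records_accessed
SAMPLE_LOG = """\
2015-04-01,alice,claims_analyst,42
2015-04-01,bob,claims_analyst,38
2015-04-01,carol,claims_analyst,45
2015-04-01,dave,claims_analyst,40
2015-04-01,erin,claims_analyst,610
2015-04-01,frank,dba,3
2015-04-01,grace,dba,5
2015-04-01,heidi,dba,4
"""

def parse_log(text):
    """Return {(date, role): {user: count}} from CSV-style log lines."""
    groups = defaultdict(dict)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        date, user, role, count = line.split(",")
        groups[(date, role)][user] = int(count)
    return groups

def peer_anomalies(groups, z_threshold=3.0, min_peers=3):
    """Flag (date, role, user, count, z) where count sits more than
    z_threshold standard deviations above the user's peers."""
    flagged = []
    for (date, role), counts in groups.items():
        for user, n in counts.items():
            # Baseline from peers only, so the suspect's own volume
            # cannot widen the spread that would otherwise hide them.
            peers = [v for u, v in counts.items() if u != user]
            if len(peers) < min_peers:
                continue  # too few equivalents for a meaningful baseline
            mu, sigma = mean(peers), max(pstdev(peers), 1.0)  # floor sigma
            z = (n - mu) / sigma
            if z > z_threshold:
                flagged.append((date, role, user, n, round(z, 1)))
    return flagged

if __name__ == "__main__":
    for hit in peer_anomalies(parse_log(SAMPLE_LOG)):
        print("review:", hit)
```

The dba group has only three members, so each of them has too few peers to be scored; in practice the baseline window would span many days rather than a single one.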
The next webinar — the fourth in our Mintz Levin Privacy Series — EU Data Protection for US Companies, will discuss the issues faced by US companies who do business in Europe or simply interact with European customers. We will look at how to determine whether EU data protection laws apply to you, and what you need to do to comply. We will also provide an overview of the upcoming major overhaul of EU data protection laws in the form of the draft Data Protection Regulation, which is likely to be finalized in late 2015 or 2016. The webinar will be presented by Susan Foster, a member in our London office, who is qualified as a solicitor in England & Wales as well as an attorney in California.
Now, Federal authorities have turned their attention to cross-device and cross-service tracking of consumers over the last several days and weeks. Speaking at a Federal Communications Bar Association and American Bar Association joint event on March 25, Federal Communications Commission Enforcement Bureau Chief Travis LeBlanc expressed his privacy concerns with Triple-Play providers of Internet, video, and voice services aggregating customer data collected from across all three services. This came just a day after reports that Google would be testing a new model for television advertising in markets where it sells both Google Fiber Internet and television service. Also on March 24, the House Commerce, Manufacturing and Trade Subcommittee held a hearing on the Internet of Things that included questions about how personal information could be protected when collected and shared by connected devices.