President Obama today signed an Executive Order granting authority to the Department of the Treasury’s Office of Foreign Assets Control (OFAC) to impose sanctions on individuals and entities determined to be “responsible for or complicit in malicious cyber-enabled activities” that result in harms “reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States.” For purposes of the Executive Order, “malicious cyber-enabled activities” include deliberate activities accomplished through unauthorized access to a computer system, including
- by remote access;
- circumventing one or more protection measures, including by bypassing a firewall; or
- compromising the security of hardware or software in the supply chain.
OFAC will work in coordination with other U.S. government agencies to identify individuals and entities whose conduct meets the criteria set forth in the Executive Order and designate them for sanctions. Persons designated under this authority will be added to OFAC’s list of Specially Designated Nationals and Blocked Persons (SDN List). There are no immediate compliance obligations for U.S. companies under this Executive Order; however, once Treasury has made designations pursuant to this authority, U.S. persons (and persons otherwise subject to OFAC jurisdiction) must ensure that they are not engaging in trade or other transactions with persons named on OFAC’s SDN List pursuant to this Executive Order or any entity owned by such persons.
The Executive Order is available here. OFAC has issued a series of related Frequently Asked Questions here.
Our 2015 monthly Privacy Issues Wednesday webinar series continued this month with Jonathan Cain and Paul Pelletier’s Responding to Insider Data Theft & Disclosure presentation. Jonathan and Paul discussed how distinguishing the insider threat differs from the techniques used to identify and stop hackers, creating an environment that deters insiders from stealing data, and the legal remedies – both civil and criminal – that are available to recover stolen data and compensate for its loss. Nearly 100 participants joined us for this webinar.
For those who missed the webinar, some of the key takeaways include the following:
- Data losses due to insiders are not the most common source of loss, but they are consistently among the most damaging to the company’s finances and future. They target customer data, intellectual property, future business plans and embarrassing skeletons.
- Insiders are not hackers, and traditional technology-based barriers to outside hackers don’t stop them because the insider is entitled to be in the network and have authorized access to the data.
- Detecting insiders is an ongoing exercise of analyzing the data of nominally equivalent employees and identifying anomalous conduct.
- Deterring insiders through social engineering is easier and more productive than trying to identify an attacker after the fact. Where employees are aware that indicators of insider attacks are being watched, there is less likelihood that attacks will occur.
- The Computer Fraud and Abuse Act (CFAA), which is the most commonly employed federal statute to redress insider attacks, has inconsistent interpretations throughout the federal courts, and its effectiveness varies. State computer abuse, trade secrets, and breach of fiduciary duty law continues to provide suitable remedies, both civil and criminal.
- Criminal prosecution of insiders under federal law based on the CFAA, wire fraud, HIPAA and other federal criminal statutes is feasible, but is likely to be available only in the largest cases.
For a recording of the webinar, click here.
The next webinar — the fourth in our Mintz Levin Privacy Series — EU Data Protection for US Companies, will discuss the issues faced by US companies who do business in Europe or simply interact with European customers. We will look at how to determine whether EU data protection laws apply to you, and what you need to do to comply. We will also provide an overview of the upcoming major overhaul of EU data protection laws in the form of the draft Data Protection Regulation, which is likely to be finalized in late 2015 or 2016. The webinar will be presented by Susan Foster, a member in our London office, who is qualified as a solicitor in England & Wales as well as an attorney in California.
Sign up here to attend.
Facebook does it. Google does it. It’s everywhere in the mobile ad ecosystem. And your smartphone does it more often than you know, according to a study released on Monday by Carnegie Mellon.
Now, Federal authorities have turned their attention to cross-device and cross-service tracking of consumers over the last several days and weeks. Speaking at a Federal Communications Bar Association and American Bar Association joint event on March 25, Federal Communications Commission Enforcement Bureau Chief Travis LeBlanc expressed his privacy concerns with Triple-Play providers of Internet, video, and voice services aggregating customer data collected from across all three services. This came just a day after reports that Google would be testing a new model for television advertising in markets where it sells both Google Fiber Internet and television service. Also on March 24, the House Commerce, Manufacturing and Trade Subcommittee held a hearing on the Internet of Things that included questions about how personal information could be protected when collected and shared by connected devices.
The Federal Communications Commission’s (“FCC”) net neutrality proceeding culminated this month with the release of an Order reclassifying broadband Internet access service as a common carrier Telecommunications Service subject to regulation under Title II of the Communications Act. Previously, the FCC classified broadband service as a lightly regulated Title I Information Service, while Title II was primarily used to regulate telephone service. This decision by the FCC has two major privacy implications for broadband customers and Internet Service Providers (“ISPs”).
But Section 5 of the FTC Act exempts common carriers from FTC oversight of “unfair methods of competition… and unfair or deceptive acts or practices.” With broadband service soon to be regulated as common carriage in light of the FCC’s Order, and broadband ISPs regulated as common carriers, the FTC will likely lose its enforcement authority over that service to the FCC. In the fall of 2014, FTC Commissioner Maureen Ohlhausen expressed concern over the FTC’s continued ability to protect consumers should the FCC decide to pursue reclassification, and FTC officials, including FTC Chairwoman Edith Ramirez and Consumer Protection Director Jessica Rich, recently reiterated those concerns and called on Congress to eliminate the common carrier exemption. One data security and breach notification bill currently before the House Subcommittee on Commerce, Manufacturing, and Trade would do just that in the limited context of privacy.
Second, broadband service is now subject to the privacy provisions of Title II that protect Customer Proprietary Network Information (“CPNI”) – which includes information related to the quantity, location, and amount of use of a telecommunications service. However, the FCC’s rules implementing those provisions are mostly inapplicable to broadband service as they specifically focus on protecting information related to telephone calls, such as phone numbers dialed and the duration of calls. To resolve this dilemma, the FCC’s Order applies Section 222 of the Communications Act to broadband providers, which prohibits carriers from using or disclosing individually identifiable CPNI without consent except as needed for providing service, but forbears from applying the FCC’s current implementing rules pending further proceedings to adopt new rules that apply specifically to broadband.
On Friday, the FTC published updates to the COPPA FAQs, the Commission’s compliance guide for businesses and consumers, to address the applicability of COPPA and the Amended COPPA Rule to educational institutions and businesses that provide online services, including mobile apps, to educational institutions. Specifically, nearly a year after the last update to the “COPPA and Schools FAQs”, the Commission revisited its answers to FAQs M.1, M.2, and M.5 and deleted FAQ M.6 in an attempt to streamline the FAQs to provide further clarity on the key topics of notice and consent, best practices for educational institutions, and the interplay between COPPA and other federal and state laws that may apply in the education space. To access our blog post on the prior update to the COPPA and Schools FAQs please click here.
If you’ve been following our sister blog, Employment Matters, then you will understand the headline. If you have not, you should click over there and check out the tournament action on a Friday afternoon while you are … streaming some other things. Social Media Policies won out in the Round of 32 over At-Will Employment, but BYOD Policies fell in a buzzer beater to Pregnancy Accommodations.
On March 18, 2015 – just three months after denial of a motion to dismiss consumer claims arising from Target’s 2013 data breach – Target and the consumer class filed papers seeking approval of a settlement. The proposed settlement agreement creates a $10 million cash fund to be paid out to class members claiming actual damages arising from the settlement. Settlement funds will be distributed in a claims-made process to be run by a settlement administrator (the cost of which will be borne by Target). The maximum claim amount is $10,000. Claims without supporting documentation are capped at lower dollar amounts. Unclaimed funds will not revert to Target, but will be redistributed to class members submitting claims or as otherwise directed by the Court. The settlement also calls for non-cash relief consisting of the adoption of certain data security protection practices and appointment of a chief information security officer. Finally, class counsel have indicated that they will apply for $6.75 million in attorneys’ fees.
Why the quick settlement?
While we’re not in the habit of driving traffic to other blogs, it is always a pleasure to point to one of our Mintz family of blogs doing some great work — the Employment Law Matters blog is hosting a 2015 Employment Law Issues Tournament to go along with your college basketball brackets. 64 employment law issues, seeded 1 through 16 across four regions.
You cannot miss this (I only wish we’d thought of it…..)! And there are certainly some privacy teams in the matchups as well (Go BYOD Policies and Social Media Policies!)
First Round Results and Recaps
Taking another “step” toward developing comprehensive privacy legislation, the White House has released a discussion draft of the Consumer Privacy Bill of Rights Act of 2015. The draft reflects the Fair Information Practice Principles (“FIPPs”) long championed by the Obama Administration, and calls on businesses engaged in the collection of consumer information (“covered entities”) to either abide by a Privacy Bill of Rights or engage in self-regulation. While commentators have suggested the proposal is dead on arrival (read here, here and here), the Privacy Bill of Rights warrants attention because it will serve as a jumping-off point for further legislative and policy discussions on consumer privacy rights.
The draft Data Protection Regulation doesn’t offer many carrots to business – and a recent announcement by the Council of the European Union takes away one of the biggest carrots, the “One-Stop Shop” mechanism.
The One-Stop Shop refers to the principle that businesses would have to deal with just a single national data protection authority instead of 28 different authorities across the EU. The objective was to simplify logistics for businesses and to reduce any chance of multiple, inconsistent requirements from different authorities.