The Department of Defense (DoD) has published its new final rule governing the security measures imposed on DoD unclassified technical information resident on or passing through the unclassified information systems of its contractors and subcontractors. This final rule will require contractors to safeguard unclassified controlled technical information and to report the compromise of such information to the DoD.
Written by Amy Malone, CIPP/US
In 2013 geolocation and biometrics were hot topics. Apple included a fingerprint reader on the new iPhone, which was either really cool or an epic fail depending on your viewpoint, and Google and the NSA are tracking our every move.
While Edward Snowden’s revelations may have been eye opening (and headline-grabbing), the government has long been first in line to develop and use technology like geolocation and biometrics. Homeland Security insists that biometrics are essential in national defense – identify and stop the bad guys. The feds have also pushed biometrics in immigration reform bills for over a decade and continue to push that legislation forward. And your location? Well, law enforcement has been conducting warrantless geolocation tracking for years!
States have also been active in this area – passing legislation to allow the storage of the high resolution photos they take of you at the DMV in a searchable database. Many states allow federal and state law enforcement officials to search those databases. Most legislation is aimed at limiting government use of this information, but the winds may be turning…
Currently, no federal law limits a private entity’s ability to collect, use or disclose biometric information. Cybersecurity has been a hot button issue over the last few years and legislation has been introduced, but no legislation regarding private use of biometric data has been passed. The Cyber Privacy Fortification Act has been introduced a few times and was reintroduced in March. This legislation could be passed in 2014; it would require covered entities to provide notice to the FBI or the United States Secret Service of “major” security breaches of “sensitive personally identifiable information,” which by definition in the legislation includes unique biometric data.
Despite the current lack of proposed legislation, legislators are definitely paying attention to this area. Senator Franken has repeatedly taken aim at the use of biometrics and recently questioned Apple about their use of fingerprint readers on the iPhone and urged the Department of Commerce to develop best practices for facial recognition technology. The National Telecommunications and Information Administration responded to Franken’s request by announcing the kick-off of a privacy multistakeholder process to implement the Consumer Privacy Bill of Rights in the field of facial recognition.
With Senator Franken pushing and the multistakeholder process moving forward, there’s a good chance we will see new legislation aimed at regulating biometric information in 2014.
As this technology has flowed into our everyday lives we’ve seen some states take action by regulating the collection and use of biometric information. Both Illinois and Texas have laws restricting a private entity’s use and disclosure of biometric information, and several other states have laws governing the disposal of biometric information. A few states also include biometric data in their definition of “personal information” and require notice to data owners in the event of a data breach involving that information.
In 2014 Alaska may pass its proposed House Bill No. 144, which is similar to the laws in Illinois and Texas. The law requires covered entities to provide notice and obtain written consent from individuals prior to the collection of their biometric information and provides for an individual cause of action. It would not be a surprise to see other states move forward in the biometric regulation area in 2014.
With the advent of smartphones came the love-hate relationship with geolocation. We love when Siri gives us the name of a great restaurant that is up the street, but we are creeped out when we discover she’s been tracking our every move, even when we aren’t trying to locate that hip hangout.
Like with biometrics, the government has been all over geolocation technology for some time now and courts are playing catch up. The big question today is whether police need warrants to obtain the location information of suspects. Decisions around the country have been all over the map. In July the New Jersey Supreme Court overturned an appellate decision and ruled that the use of cell phone information obtained by police without a warrant from a wireless provider violates the suspect’s constitutional rights under the Fourth Amendment of the New Jersey Constitution. It’s possible that in 2014 the US Supreme Court will take this matter up for review.
Most legislation in this area has focused on limiting the government’s ability to collect and use geolocation information. The Geolocation Privacy and Surveillance Act was reintroduced in 2013, and the bill requires government agencies to obtain a warrant to obtain geolocation information in the same way they currently get warrants for wiretaps.
On the state level, both Maine and Montana have laws requiring law enforcement agencies to get a warrant before they can obtain location information of an electronic device. Texas, Maryland, Ohio, Colorado, California, and Illinois introduced similar bills this year, and we expect to see more state legislative activity in this area in 2014.
In the private sector, geolocation is an exploding industry. In an attempt to compete with online competitors (who can easily track your every move), brick and mortar retailers use geolocation tracking via your mobile device to gather specific information on your shopping habits – like how long you stayed in the store, whether you went to the register, how long you waited in line and where the store hotspots are located. In 2013 we saw this type of tracking blow up in Nordstrom’s face, but that did not stop Apple from rolling out its iBeacon in its own company stores in the U.S., or Macy’s from piloting the iBeacon technology in a few of its stores this holiday season. We expect that 2014 will bring more new and creative technology to retailers, who will use it to find new ways to find us — and monetize mobile location information.
Mobile app providers are also trying to get your geolocation information to improve their bottom line. The New Year rings in with Twitter tapping into its location data. Twitter just entered into an agreement with a provider for location intelligence technology which Twitter will use to support location sharing in tweets. A news source reports, “Twitter will have an option to combine that location data for tweets with buying patterns, behaviors, preferences and influencers, and cross-reference it with nearby stores or other mobile users within an individual’s social network. It uses a smartphone’s GPS signal to pinpoint a location.”
Although we have not seen laws regulating the private sector’s collection of geolocation information, we blogged recently about the release of the Mobile Location Analytics Code of Conduct. The Code is a self-regulatory framework of seven principles for services provided to retailers by mobile location analytic companies.
If a voluntary framework doesn’t ease your worried mind, maybe an app to block location tracking will? Android users can now download an app to do just that!
Mintz Levin has added three new Certified Information Privacy Professionals to its ranks -
- Jonathan Cain, a member in our Washington D.C. office,
- Susan Foster, a member in our London office, and
- Jake Romero, an associate in our San Diego office.
This brings the total number of CIPPs in our Privacy & Security group to six, one of the highest certification numbers for a law firm.
Well, the headlines don’t exactly work with the traditional tune, but blame the editor for that…..
Written by Jake Romero, CIPP/US
2013 was a busy year for California. We passed a budget with a surplus, let Kim and Kanye get engaged in one of our stadiums and panicked over possibly losing Sriracha sauce. At the same time, we also passed a number of significant pieces of legislation related to data privacy, the effects of which will be felt throughout the year.
- Happy New Year! Consumer Notification Laws Effective as of January 1, 2014 – “Do Not Track” and Data Breach Notification
As we discussed earlier this year, the absence of a universal industry standard for “Do Not Track” (which is not defined in the statute) may create pitfalls for unwary online service operators as they attempt to comply with the law’s requirements. A full, clear and accurate description of an online service’s interpretation of Do Not Track signals will likely require significant review and diligence by, among others, that service’s operational and technical managers and support staff. An online service that inaccurately describes the additional disclosures required by A.B. 370, or fails to update those disclosures in a timely manner following operational changes, may incur liability for engaging in deceptive practices. On the other hand, a blanket disclosure stating that the service does not honor Do Not Track signals may ward off potential customers and damage the service’s reputation.
Under A.B. 370, online service operators are deemed to have satisfied the requirement to disclose the service’s interpretation of Do Not Track signals (but not the required disclosure regarding tracking by third parties), by linking to a description of a program or protocol that the operator follows that allows the consumer to exercise choice regarding collection of personally identifiable information. Note that this option is only effective if the operator follows and complies with the protocol to which it directs consumers. This may be problematic because many protocols, including the Digital Advertising Alliance (previously discussed here), require that all third party advertisers on the service be members of the program. An online service operator hoping to take advantage of this option will need to have policies in place to assess compliance on an ongoing basis, including with respect to its third party advertisers.
The other consumer notification law going into effect is S.B. 46, which expands California’s data breach notification requirements to include incidents involving certain types of online data. S.B. 46 amends Sections 1798.29 and 1798.82 of the California Civil Code to expand the definition of “personal information” to include “[a] user name or email address, in combination with a password or security question and answer that would permit access to an online account.”
As we previously discussed, this expansion of California’s notification requirement could significantly increase the number of reportable incidents in two ways. First, California’s data breach notification requirements will apply to many more online service providers, as this type of online account information is commonly collected by websites. Second, websites that only collect online account information may not have the type of robust safeguards and policies that an online service that collects other types of personal information, such as social security numbers, driver’s license numbers or credit card, medical or health insurance information, has already put in place. We recommend that online services that collect “personal information” as defined under that term’s expanded definition review our recommendations for preparing to comply with the new law here.
- Sector-Specific Regulations Effective as of January 1, 2014 – Medical Information and Customer Electrical or Natural Gas Usage Data
In addition to the generally applicable laws described above, two pieces of industry-specific legislation will also go into effect. A.B. 658 amends Section 56.06 of the California Civil Code, which is part of the “Confidentiality of Medical Information Act” (or “CMIA”). The CMIA prohibits providers of health care or recipients of individually identifiable medical information from using or disclosing medical information for any purpose not necessary to provide health care services to patients, without first obtaining authorization. A.B. 658 will expand the definition of “provider of health care” so that this prohibition will also apply to “[a]ny business that offers software or hardware to consumers, including a mobile application or other related device that is designed to maintain medical information . . . in order to make the information available to an individual or a provider of health care at the request of the individual or a provider of health care, for purposes of allowing the individual to manage his or her information, or for the diagnosis, treatment, or management of a medical condition of the individual . . .” This change to the CMIA should be of particular concern to mobile application developers and operators. With the use of mobile applications generally on the rise, health care related applications are expected to play a part in promoting wellness and addressing a number of issues, including rural access to health care. However, as compared to the average website, mobile applications typically require a more complex system of third party service providers that may have access to data, and can be an inherently challenging platform for displaying notices.
As of January 1, we will also see new regulations applicable to businesses that use “smart meter” data. For the past three years, utilities have been prohibited from sharing or disclosing data regarding individual consumption or use of electricity or natural gas by an individual without that individual’s prior consent. A.B. 1274 extends this prohibition to non-utility businesses, and requires that such businesses disclose any third parties with whom they share such information and how it will be used. In addition, A.B. 1274 requires businesses to use reasonable security procedures and practices to protect usage data from unauthorized access or disclosure, and to put in place contractual requirements with any third parties who receive usage data requiring those third parties to do the same. A.B. 1274 also requires certain steps to be taken when disposing of usage data, and prohibits businesses from offering incentives to consumers who allow their information to be accessed without prior consent.
- Looking Ahead – Children’s Privacy Rights
The supporters of the ballot initiative known as the California Personal Privacy Initiative may have dropped their efforts, but we expect that in 2014 California will continue its aggressive push to increase data privacy regulation and enforcement. We will also be tracking preparations for S.B. 568, which goes into effect on January 1, 2015. S.B. 568 prohibits operators of online services directed toward minors under the age of 18 (as well as online services not directed toward minors, if the operator of the service has actual knowledge of a minor using the service and advertisements are specifically directed to that minor based on information the minor has provided) from marketing certain products (including alcoholic beverages, firearms, ammunition, spray paint, cigarettes, fireworks, tanning devices, lottery tickets, tattoos, drug paraphernalia and obscene materials). S.B. 568 also requires that these types of online services permit minors to remove or request the removal of content or information posted by that minor and provide certain specific disclosures regarding deletion of online information. We discuss S.B. 568 in further detail and provide recommendations for preparing to comply with the new requirements here.
Welcome to our series, “The 12 Days of Privacy” as we look to “gifts” that may be received this season and some of the big issues ahead ….
Day One – HIPAA 2014 – Where will the Audit Trail Lead?
The year 2013 started with a bang for HIPAA-regulated entities, with the passage of the long-awaited HIPAA Omnibus Rule, implementing privacy, security, breach notification, enforcement and other provisions of the HITECH Act. Omnibus Rule momentum carried through much of the year with an industry-wide push to comply with the September 23, 2013 compliance date for significant provisions of the Omnibus Rule.
One of the drivers of Omnibus Rule compliance momentum was the HITECH-mandated audit program, which was implemented by the Office for Civil Rights (“OCR”) through a pilot audit program in 2011. In addition to being a source of concern for regulated entities (with its extensive document requests, aggressive turnaround times and on-site, top-to-bottom organizational scrutiny), it has been a source of compliance guidance (with a comprehensive audit protocol published by OCR to provide insight into the agency’s compliance approach and priorities).
In late November 2013, the U.S. Department of Health and Human Services Office of Inspector General (“OIG”) released a report entitled: The Office for Civil Rights Did Not Meet All Federal Requirements in Its Oversight and Enforcement of the Health Insurance Portability and Accountability Act Security Rule. In its report, the OIG criticized OCR for its failure to implement a program of periodic audits to ensure security rule compliance among covered entities and business associates. In response to OIG’s findings, OCR commented that no funds had been appropriated for a permanent HITECH audit program and that funds to support its pilot audit activities were no longer available.
It will be interesting to see what happens to Omnibus Rule compliance efforts going into the new year and whether lack of audit funding will be perceived by the industry as a reduced risk of audit, investigation or even enforcement generally. OCR has not updated its audit protocol to reflect new Omnibus Rule compliance requirements and has not released findings of its own review of the pilot audit program, so the work of the pilot program is unfinished.
However, there is no reason to believe that HITECH enforcement will relent in 2014, especially because the HITECH Act authorized the transfer of funds collected through civil monetary penalties or monetary settlements for HIPAA violations to OCR to support enforcement efforts. Enforcement has been, and remains, a largely complaint-driven process, and there is no reason to believe that will change in 2014. Accordingly, covered entities and business associates are encouraged to remain diligent and continue with Omnibus Rule compliance efforts as if an audit were inevitable in 2014.
Rather than look back at 2013, next week the Privacy & Security blog will count down The 12 Days of Privacy, looking ahead to what we might expect in 2014. The editor’s muse for this series came from our friend and partner, Len Weiser-Varon, who riffed on yesterday’s post regarding the latest password hack:
- 318,000 Facebook accounts
- 70,000 Gmail, Google+ and YouTube accounts
- 60,000 Yahoo accounts
- 22,000 Twitter accounts
- 8,000 ADP accounts (ADP says it counted 2,400)
- 8,000 LinkedIn accounts
- Three French hens
- Two turtle doves
- And a password in a pear tree.
In Len’s words: This year, a brand new password in an unhacked stocking is a holiday must.
Don’t miss our series starting on Monday.
If you haven’t been paying attention to “password hygiene” preached by this blog and others, perhaps it’s time. Jose Pagliery from CNNMoney reports of a large-scale hack that has compromised over 2 million passwords at Facebook, Gmail, Twitter, Yahoo and others.
Here is the partial list -
- 318,000 Facebook accounts
- 70,000 Gmail, Google+ and YouTube accounts
- 60,000 Yahoo accounts
- 22,000 Twitter accounts
- 8,000 ADP accounts (ADP says it counted 2,400)
- 8,000 LinkedIn accounts
Change your passwords for any of these accounts, and change any other accounts using that password as well. Chances are good that the hackers were not after your latest Facebook post, but rather the information and access they could get to the rest of your digital life through that password.
And if you need any tips on how to create a strong password, read this post.
Written by Jake Romero, CIPP/US
This past weekend, if you survived the towel aisle and other Black Friday dangers and made it to the register to purchase your items, it is possible you were asked to provide an email address so that your receipt could be emailed to you. This type of request is the focus of a class action lawsuit brought against Nordstrom, Inc., where plaintiff Robert Capp alleges that Nordstrom violated California’s Song-Beverly Credit Card Act by requesting his email address at the time of purchase and subsequently using it to send Capp unsolicited marketing materials. The U.S. District Court for the Eastern District of California denied Nordstrom’s motion to dismiss Capp’s complaint, concluding that the California Supreme Court would likely hold that email addresses constitute “personal identification information” under the Song-Beverly Act, which prohibits retailers from requiring personal identification information as a condition to accepting credit card payments. Therefore, under the Court’s analysis, retailers like Nordstrom are prohibited from collecting email addresses in connection with the completion of credit card transactions.
Nordstrom made two primary arguments in favor of its motion to dismiss. First, Nordstrom argued that email addresses do not fit within the definition of “personal identification information” under the Song-Beverly Act. Second, Nordstrom argued that to the extent that email addresses are personal identification information, the Song-Beverly Act is preempted by the federal Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (“CAN-SPAM Act”). The Court disagreed on both counts.
The Song-Beverly Act defines “personal identification information” as “information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number.” The issue of what type of information is included in this definition was also at issue in 2011, when the California Supreme Court, in Pineda v. Williams-Sonoma, held that it should include cardholder zip codes, thereby making it illegal for retailers to request zip codes from customers paying by credit card. Nordstrom argued that email addresses are distinguishable from the zip codes in Pineda because email addresses are chosen arbitrarily by the owner, can be anonymous and can be changed easily. Nordstrom also argued that email addresses “cannot be used to call consumers during dinnertime or to show up on their doorstep in the middle of the night . . . in the way that a home address or phone number can be abused.”
The Court reasoned, however, that emails permit direct contact with individuals and therefore implicate the privacy interests of cardholders. In addition, the Court referenced exhibits provided by the plaintiff showing that email addresses can be used to gather additional personal information about the consumer which retailers would otherwise be prohibited from collecting directly. The Court also held that the overriding purpose of the Act to protect the personal privacy of consumers supports the Court’s broad interpretation.
Nordstrom argued that since the passage of the Song-Beverly Act predates the application of email and e-receipts to consumer transactions, the legislature could not have intended to include email addresses as “personal identification information.” In support of this argument, Nordstrom cited the California Supreme Court’s decision in Apple, Inc. v. Superior Court, in which the Supreme Court held that the Song-Beverly Act does not apply to online purchases of downloadable music. However, the Court rejected this argument as a misreading by Nordstrom of the Supreme Court’s holding in Apple, and clarified that the basis for the Supreme Court’s ruling was the unavailability of safeguards against fraud in online transactions, not the unforeseeable nature of online transaction technology.
Finally, the Court also held that the CAN-SPAM Act does not preempt the application of the Song-Beverly Act to email addresses because, although the CAN-SPAM Act preempts state laws that expressly regulate the use of email to send electronic messages, the Song-Beverly Act only regulates the request for email addresses, rather than the use of email addresses or the content of emails. The Court also reasoned that it was possible for retailers to comply with the requirements of both the CAN-SPAM Act and the Song-Beverly Act, and that application of the Song-Beverly Act to email addresses furthers the goals of the CAN-SPAM Act to reduce the volume of unsolicited, unwanted email.
We are continuing to monitor this case for further developments. In the meantime, retailers should review their processes for completing customer credit card transactions, especially as they pertain to requesting or obtaining information from customers, as this ruling will likely trigger a number of similar suits. The collection of email addresses in connection with retail purchases should cease unless the collection falls within one of the Song-Beverly Act’s exceptions (further information about those exceptions can be found here).
Written by Susan Foster, Solicitor England & Wales/Admitted in California
As most readers will know, the US Safe Harbor program is a voluntary program under which US companies agree to assume various legal obligations, and in turn are permitted by EU data protection laws to receive the personal data of EU residents.
The Commission’s recommendations are obviously in response to the revelations concerning the US’s intelligence activities involving the collection, via US internet services providers and others, of vast quantities of data transmitted by, or concerning, EU residents. The Commission cannot comment, of course, on the intelligence activities of its own member states, since, as the Commission notes, “whilst the EU can take action in areas of EU competence, in particular to safeguard the application of EU law, national security remains the sole responsibility of each Member State.” This means that the Commission’s interests in restricting surveillance of the online activities of EU residents may not be entirely congruent with the interests of its member states, which will need to take into account their own intelligence activities and intelligence sharing arrangements as well as their concerns for the privacy of their citizens. That said, the Commission does not appear at all reluctant to recommend changes to US intelligence programs and the powers of the Foreign Intelligence Surveillance Court.
The other key context for the recommendations is the ongoing trade talks between the US and EU, known as the Transatlantic Trade and Investment Partnership (T-TIP). The Commission pointedly states in today’s communication that the EU views T-TIP and data protection laws (including Safe Harbor) as separate matters, and that the T-TIP negotiations will not affect its views on Safe Harbor: “For this reason, data protection standards will not be negotiated within the Transatlantic Trade and Investment Partnership, which will fully respect the data protection rules.” That seems rather a brave statement at this stage of the T-TIP negotiations (which are not due to be concluded until sometime in 2014). It remains to be seen whether the Commission will be successful in completely separating the two issues, given the fundamental commercial value of personal data.
But let’s assume for now that neither EU national security interests nor the T-TIP talks will have any influence on the discussion about Safe Harbor. What is the Commission proposing? Broadly, the following:
- a broad review of the functioning of Safe Harbor
- improving the US government’s supervision and monitoring of compliance of Safe Harbor participants
- ensuring that the national security exception that is currently available under Safe Harbour is used only “to an extent that is strictly necessary and proportionate”
- EU citizens must receive the same level of protection (due process and judicial redress) as US citizens in intelligence-gathering operations
- The US government should commit that “personal data held by private entities in the EU will not be accessed directly by US law enforcement agencies outside of formal channels of co-operation, such as Mutual Legal Assistance agreements and sectoral EU-US . . . authorising such transfers under strict conditions, except in clearly defined, exceptional and judicially reviewable situations.”
- US intelligence collection programs should be “improved by strengthening the role of the Foreign Intelligence Surveillance Court and by introducing remedies for individuals.”
The Commission also provided a summary of 13 specific recommendations in a separate press release today. The following selections from these 13 requirements are slightly paraphrased – see the EC’s memo for the full recommendations.
- Requiring the Safe Harbor website to list all companies that are NOT current members of Safe Harbor (which would be in the hundreds of thousands, if not more, as there are only some 3,000 plus participants today)
- Privacy policies on companies’ websites should include a link to an alternative dispute resolution (ADR) provider
- The Department of Commerce should monitor more systematically ADR providers regarding the transparency and accessibility of information they provide concerning the procedure they use and the follow-up they give to complaints
- The US government should conduct proactive compliance investigations (not contingent on complaints or any signs of non-compliance)
- Privacy policies of self-certified companies should include information on the extent to which US law allows public authorities to collect and process data transferred under the Safe Harbour
- Companies should be encouraged to indicate in their privacy policies when they apply exceptions to the Principles to meet national security, public interest or law enforcement requirements
The Commission’s Communication and related press releases should have the positive effect of making the discussion around Safe Harbor more specific in light of the Commission’s concrete suggestions. Meanwhile, the larger context of sweepingly ambitious trade treaty negotiations, citizens’ reactions (on both sides of the Atlantic) to government surveillance programs (and not just by the USA), and national interests in intelligence-gathering and counterterrorism may make it difficult to negotiate the changes to Safe Harbor in isolation. But that’s not really a bad thing. Data protection laws don’t exist in a vacuum, after all.
Holiday e-commerce is expected to jump this year by about 17% over last year, and shoppers will be flocking to mobile devices more often to make those purchases.
It is also the time to be cautious and protect your personal data security. We received a great “happy Thanksgiving…but….” email from our friends at Kroll, and wanted to pass it on.
As you may know, more than 75% of annual online sales occur in the 4 weeks between Black Friday and the weekend before Christmas. Therefore, the hackers, scammers and spammers will be working overtime. Please remind your family, friends and clients of the following helpful pointers:
1. Be cautious of any deal too good to be true.
2. Update your web browser at a minimum; it would be ideal to update the Operating System and Security Software as well.
3. Avoid shopping on public Wi-Fi.
4. Update your Anti-Virus Scanner.
5. Look for a padlock icon or a URL that starts with https:// when browsing and shopping online.
6. Avoid shopping on unfamiliar sites and clicking on links for “freebies” or “coupon codes”.
And have a happy Thanksgiving and a happy Hanukkah!