Privacy & Security Matters

Mintz Levin : Data Compliance & Security, Employee Privacy Lawyer & Attorney

Register for our next Wednesday Webinar — February 25

Posted in Employee Privacy, Events and Webinars, HIPAA/HITECH, Identity Theft, Mobile Privacy, Privacy Litigation, Security, Social Media

Registration is open for the next installment in the Mintz Levin Privacy & Security Group Wednesday Webinar series —

This webinar,  scheduled for Wednesday, February 25,  will focus on privacy in the workplace. Our workplace is everywhere these days, which makes employment and privacy compliance even more challenging. Jen Rubin and Gauri Punjabi will discuss developments in the workplace privacy field, including statutory developments, mobile device regulation, social media’s impact on workplace privacy, recruiting and hiring, and some practical advice to keep your workplace policies in compliance with rapid legal developments.

Save the date and register online here!

Continue Reading

The Anthem Data Breach: The Fallout and What’s Next

Posted in Class Action Litigation, Cybersecurity, Data Breach, Data Breach Notification, HIPAA/HITECH, Identity Theft

By now (unless you have been under a snow drift), you have likely heard about the apparent intrusion into a database at the nation’s largest health insurer, Anthem, Inc.  Rather than reiterate the facts as currently known (see Anthem’s dedicated website for updates), we’ll look at the fallout and what’s next. Continue Reading

Who’s your role model for EU privacy notices? The latest Google Undertaking

Posted in European Union, Mobile Privacy, Online Advertising, Uncategorized

When small and mid-size companies start expanding their apps or web presence into Europe, they need to start thinking about EU data protection laws.  It’s tempting to take a look at what one or two of the “big guys” do about EU data protection compliance and think that whatever  the big guys do in Europe must be good enough.  But the ongoing saga between Google and the EU’s data protection authorities shows that this approach shouldn’t be adopted uncritically.

In the latest Google EU privacy development, Google has signed an undertaking (binding commitment) with the UK’s data protection office (the ICO) to make a number of changes to its privacy policy.  Google has been in dialogue with EU data protection offices both at the country level and through the Article 29 Working Party since Google adopted a unified privacy policy across its products and businesses in 2012.  While the ICO has recognized that Google has made progress since 2012, the ICO has recently determined that “further improvements” are needed.  Google has agreed to a number of specific requirements, including:

  • Making it easier for users to find information about Google’s privacy policy.
  • Describing its data processing activities more clearly in its privacy policy, including clarifying the types of information that it processes, the purposes, and how users can exercise their rights.
  • Providing “clear, unambiguous and comprehensive information” regarding its data processing,” including an “exhaustive list of the types of data . . . and purposes.”
  • Providing more information about its use of anonymous identifiers (a next-generation tracking/behavioral profiling technology that’s being developed and may eventually replace cookies).
  • Educating its employees better concerning notice and consent requirements.
  • Making sure that users are equally protected regardless of what device they are using (mobile phones, tablets, desktops, and any new devices that are invented).

Google has committed to putting these changes into effect by June 30, 2015.  In the meantime, Google’s undertaking provides a useful spotlight on the areas of EU data protection compliance that the ICO (and other data protection offices) think require significant attention.

Privacy Monday – February 2, 2015

Posted in Privacy Monday

Happy Groundhog Day!   While we were recovering from last night’s heart-attack Super Bowl 2015,  Punxsutawney Phil saw his shadow this morning …. predicting 6 more weeks of winter, for an already winter-weary US. #sixmoreweeksofwinter

Three things you should know on this Privacy Monday:

Over 110,000 Facebook Uses Hit With Malware
Cybercriminals are targeting Facebook users with malware embedded in videos that are pushed to their timeline and in which their friends are tagged. Security researchers from Bitdefender say victims are taken to a video, which redirects them to a site that analyzes their operating system for weaknesses and eventually installs malicious software that give hackers access to their machines.   The malware is described in a post via the Full Disclosure mailing list.    Read more about the malware at CSO Online.
Continue Reading

Viacom and Google Win Important Dismissal in Online Tracking Class Action

Posted in Class Action Litigation

Last week the United States District Court for the District of New Jersey dismissed, with prejudice, class action claims against Google and Viacom concerning targeted advertising and the online tracking of children through cookies.  Perhaps surprisingly, the claims did not involve allegations that the parties violated the Children’s Online Privacy Protection Act (COPPA).  The suit arose from allegations that when users register on Viacom’s Nick.com website, they are asked to input their gender and birthday and create a username.  Viacom collects this information and gives each user a unique internal code that reflects their gender and age.  Viacom then places a cookie on each user’s computer, which tracks the user’s IP address, browser settings, unique device identifier, certain system and browser information, and the URLs and videos requested from Viacom’s children’s websites.  Viacom would share with Google its unique internal code, along with the record of what parts of the site users interacted with, and Google would place its own cookie on each user’s computer.  Google and Viacom would then use this information to target the user’s with advertising.

The plaintiff’s alleged violations of the Wiretap Act, Stored Communications Act, California’s Invasion of Privacy Act, the Video Privacy Protection Act (VPPA), New Jersey’s Computer Related Offenses Act (CROA), and two New Jersey torts, including Intrusion upon Seclusion.  The plaintiffs did not allege violations of the Children’s Online Privacy Protection Act (COPPA).  In July 2014, the Court dismissed with prejudice all claims except the VPPA claim against Viacom and the CROA and Intrusion upon Seclusion claims against both defendants, about which the court allowed the plaintiffs to amend their complaint.

In January 2015, the court dismissed the amended complaints with prejudice.  With regard to the VPPA claim against Viacom, the court found that the plaintiffs had not alleged sufficient facts to show that the information collected by Viacom could actually identify the plaintiffs.  The Court noted that the VPPA requires disclosure of personally identifiable information (PII) concerning a consumer, but that there is no support for the proposition that PII includes the kind of information Viacom collected and shared, such as IP address, gender, and age.  Further, the court found that this information was insufficient to identify an individual plaintiff and a video that plaintiff watched, as required for a violation of the VPPA to be found.  Therefore, the court holds that the VPPA claim fails. Continue Reading

It’s Data Privacy Day 2015

Posted in Cybersecurity, Data Compliance & Security, Federal Trade Commission

Today is Data Privacy Day, and as you might expect, we have a few bits and bytes for you.

Use the Opportunity 

Data Privacy Day is another opportunity to push out a note to employees regarding their own privacy and security — and how that can help the company.   Emails with articles and reminders are helpful.   Here are some that might be interesting to your company:

Happy Data Privacy Day – Now Lock Your Cellphone

Celebrate Data Privacy Day

8 Ways to Celebrate Data Privacy Day Securely

And finally – International Privacy Day – Protect Your Digital Footprint

The concept reinforces corporate privacy programs, while encouraging employees to take steps to protect their personal data.

The Federal Trade Commission Issues IoT (Internet of Things) Report

Following up on its November 2013 workshop on the Internet of Things, the Federal Trade Commission (“FTC”) has released a staff report on privacy and security in the context of the Internet of Things (“IoT”), “Internet of Things: Privacy & Security in a Connected World” along with a document that summarizes the best practices for businesses contained in the Report.  The primary focus of the Report is the application of four of the Fair Information Practice Principles (“FIPPs”) to the IoT – data security, data minimization, notice, and choice.

The report begins by defining IoT for the FTC’s purposes as “‘things’ such as devices or sensors – other than computers, smartphones, or tablets – that connect, communicate or transmit information with or between each other through the Internet,” but limits this to devices that are sold to or used by consumers, rather than businesses, in line with the FTC’s consumer protection mandate.  Before discussing the best practices, the FTC goes on to delineate several benefits and risks of the IoT.  Among the benefits are (1) improvements to health care, such as insulin pumps and blood-pressure cuffs that allow people avoid trips to the doctor the tools to monitor their own vital signs from home; (2) more efficient energy use at home, through smart meters and home automation systems; and (3) safer roadways as connected cars can notify drivers of dangerous road conditions and offer real-time diagnostics of a vehicle.

The risks highlighted by the Report include, among others, (1) unauthorized access and misuse of personal information; (2) unexpected uses of personal information; (3) collection of unexpected types of information; (4) security vulnerabilities in IoT devices that could facilitate attacks on other systems; and (5) risks to physical safety, such as may arise from hacking an insulin pump.

In light of these risks, the FTC staff suggests a number of best practices based on four FIPPs. At the workshop from which this report was generated, all participants agreed on the importance of applying the data security principle.  However, participants disagreed concerning the suitability of applying the data minimization, notice, and choice principles to the IoT, arguing that minimization might limit potential opportunities for IoT devices, and notice and choice might not be practical depending on the device’s interface – for example, some do not have screens.  The FTC recognized these concerns but still proposed best practices based on these principles.

Recommendations

Data Security Best Practices:

  • Security by design.  This includes building in security from the outset and constantly reconsidering security at every stage of development. It also includes testing products thoroughly and conducting risk assessments throughout a product’s development
  • Personnel practices.  Responsibility for product security should rests at an appropriate level within the organization.  This could be a Chief Privacy Officer, but the higher-up the responsible part, the better off a product and company will be.
  • Oversee third party providers.  Companies should provide sufficient oversight of their service providers and require reasonable security by contract.
  • Defense-in-depth.  Security measures should be considered at each level at which data is collected stored, and transmitted, including a customer’s home Wi-Fi network over which the data collected will travel.  Sensitive data should be encrypted.
  • Reasonable access control.  Strong authentication and identity validation techniques will help to protect against unauthorized access to devices and customer data.

Data Minimization Best Practices:

  • Carefully consider data collected.  Companies should be fully cognizant of why some category of data is collected and how long that data should be stored.
  • Only collect necessary data.  Avoid collecting data that is not needed to serve the purpose for which a customer purchases the device. Establish a reasonable retention limit on data the device does collect.
  • Deidentify data where possible.  If deidentified data would be sufficient companies should only maintain such data in a deidentified form and work to prevent reidentification.

Notice and Choice Best Practices:  The FTC initially notes that the context in which data is collected may mean that notice and choice is not necessary. For example, when information is collected to support the specific purpose for which the device was purchased.

When notice or choice are necessary, the FTC offers several suggestions for how a company might give or obtain that, including (1) offer choice at point of sale; (2) direct customers to online tutorials; (3) print QR codes on the device that take customers to a website for notice and choice; provide choices during initial set-up; (4) provide icons to convey important privacy-relevant information, such a flashing light that appears when a device connects to the Internet; (5) provide notice through emails or texts when requested by consumers; and (6) make use of a user experience approach, such personalizing privacy preferences based on the choices a customer already made on another device.

Legislation.  The FTC staff recommends against IoT-specific legislation in the Report, citing the infancy of the industry and the potential for federal legislation to stifle innovation.  Instead, the FTC recommends technology-neutral privacy and data security legislation.  Without saying it explicitly, this appears to be a recommendation for something akin to the Consumer Privacy Bill of Rights recently proposed by the President, along with giving the FTC authority to enforce certain privacy protections, including notice and choice, even in the absence of a showing of deceptive or unfair acts or practices.

In the meantime, the FTC notes that it will continue to provide privacy and data security oversight of IoT as it has in other areas of privacy.  Specifically, the FTC would continue to enforce the FTC Act, the Children’s Online Privacy Protection Act, and other relevant statutes.  Other initiatives would include developing education materials, advocating on behalf of consumer privacy, and participating in multi-stakeholder groups to develop IoT guidelines for industry.

 

Privacy Monday – January 26, 2015

Posted in Cybersecurity, Data Breach, HIPAA/HITECH, Legislation, Privacy Monday, Privacy Regulation, Uncategorized

Good Monday – The East Coast prepares for Apocalypse (Sn)ow.

In the meantime, here are three privacy-related tidbits for your day.

Privacy Concerns Cause Scale Back of Release of HealthCare.gov Data

We spend a fair amount of time warning about third party vendors and the risk that such vendors can pose to sensitive data.   Just ask Target.   Last week, the Associated Press revealed that the healthcare insurance exchange, HealthCare.gov, was connecting with third party analytics sites and others and operating much like any commercial website — except that it is not.  The AP reported over the weekend that the Obama Administration has “reversed itself” and scaled back the release of (or access to) consumer data — including anonymized data.     According to the AP’s Saturday follow-up, an analysis of the Federal exchange showed that the number of third party companies with connections embedded in the site, thus giving them access to consumer data, “dropped from 50 to 30.”

Read more:

The Hill — The Centers for Medicare and Medicaid Services will encrypt additional data when customers use the Window Shopping feature on HealthCare.gov.

New York Times — Is the data usage “industry standard” and much ado about SOP?

CNN Money

 

Continue Reading

Cybersecurity and Privacy in State of the Union Address

Posted in Children, Cybersecurity, Data Breach, Data Breach Notification, Data Compliance & Security, Legislation, Privacy Regulation, Security

As expected in his State of the Union address last night, President Obama made it very clear that cybersecurity is on his agenda for 2015.  After stating that:

 “No foreign nation, no hacker should be able to shut down our networks, steal our trade secrets or invade the privacy of American families, especially our kids,”

the President urged Congress to “finally” pass “legislation we need to better meet the evolving threat of cyber attacks, combat identity theft, and protect our children’s information” and cautioned law makers that “if we don’t act, we leave our nation and our economy vulnerable.”

Just days before the State of the Union address, in a speech delivered at the Federal Trade Commission on January 12, the President highlighted the measures he discussed in the State of the Union and unveiled the next steps in his comprehensive approach to better protect American companies, consumers, and infrastructure against cyber threats. These steps include:

  1. Improving consumer security by establishing a national standard for companies to notify employees and customers about security breaches and identifying and preventing identity theft. For more information about the proposed Personal Data Notification & Protection Act, please see our prior blog post. The President announced that in an effort to tackle identity theft and assist consumers in spotting identity theft early on, several large financial companies have committed to offer free credit scores to their customers, joining an existing list of financial companies that already engage in this practice.
  2. Improving consumer confidence online by passing a Consumer Privacy Bill of Rights to establish an enforceable code of conduct for online interactions and protect consumers’ privacy. This proposed legislation will be based on the Obama Administration’s 2012 Consumer Privacy Bill of Rights and is expected to be released within the next month and a half.
  3. Safeguarding student data in the classroom and beyond by passing legislation to promote student privacy, convening the private sector to pledge to help enhance the privacy of students, and offering  new tools via the Department of Education  to help schools and teachers better protect the privacy of students. Sometime in the next two months, the Obama administration will release a proposal to update the Family Educational Rights and Privacy Act (FERPA). The President highlighted that the proposed Student Digital Privacy Act would: (i) limit the use of data collected “in an educational context” to educational purposes; (ii) prohibit companies from selling student data to third parties for unrelated purposes; and (iii) prohibit targeted advertising derived from data collected in school, however, the bill would still permit the use of such data for certain types of research, as well as for improving the effectiveness of learning technology products. The President noted that the bill would be modeled on a recently passed California law covering the collection and use of student data. For more information on the California law, please see our prior blog post.
  4. According to a recent White House press release on the subject, as part of the Obama Administration’s comprehensive plan to better protect the privacy of consumers, on January 12, the Department of Energy and the Federal Smart Grid Task Force released a new Voluntary Code of Conduct (VCC) “for utilities and third parties providing consumer energy use services that will addresses privacy related to data enabled by smart grid technologies.” For more information about this initiative, please click here.

The next item on the law makers’ agenda is a hearing before the House Energy and Commerce subcommittee next Tuesday entitled “What are the Elements of Sound Data Breach Legislation?” According to new subcommittee Chairman Michael Burgess (R-TX), “data security will be the focus of our subcommittee’s first hearing as we drill down on what components should be included in a bill that will give consumers the peace of mind they deserve.”

We will keep you updated on proposed legislation and new initiatives that are part of the Administration’s cyber security plan.

If cybersecurity and data privacy are on the President’s agenda, shouldn’t those issues be on the top of your company’s agenda this year?!