Privacy & Security Matters

Mintz Levin : Data Compliance & Security, Employee Privacy Lawyer & Attorney

Privacy Monday – April 27, 2015

Posted in Cybersecurity, Events and Webinars, Privacy Monday, Privacy Regulation

Some privacy & security bits and bytes to start your week:

FCC to Hold Public Workshop on Broadband Consumer Privacy Tomorrow

Over the last several months, the Federal Communications Commission has taken on a significantly expanded role on consumer privacy protection issues. Between the FCC’s expanded notion of the type of personal information subject to its authority under Section 222 of the Communications Act, which surfaced in the TerraCom and YourTel cases last year, and its recent reclassification of broadband Internet access service as a Title II telecommunications service – accompanied by a determination that the privacy requirements in Section 222 applicable to telephony could be extended to broadband service – the FCC is showing every intention of expanding its reach over privacy issues.

In the order reclassifying broadband service, the FCC recognized that the currently effective privacy rules are not a good match for broadband Internet access service, as those were written with telephone service in mind. For example, those rules include provisions for the use and disclosure of Customer Proprietary Network Information (CPNI) in connection with voice mail and caller I.D. Therefore, while the FCC applied the statutory privacy requirements of Section 222 to broadband service providers, it forbore from applying its rules implementing that statute pending further proceedings.

The FCC kicks off those further proceedings tomorrow with a public workshop on Broadband Consumer Privacy. The workshop will include discussions of what subscriber information is collected by broadband Internet access service providers and how that information is used. There will also be a panel discussion of how Section 222 applies to broadband services. Speakers include FCC Chairman Tom Wheeler and other members of the FCC, as well as representatives from local governments, academia, public interest groups, and broadband service providers. The Commission will also provide audio and video coverage of the discussion on the FCC’s Web page at www.fcc.gov/live

RSA Conference 2015

It is clear that “security” is a big industry: there were more than 30,000 attendees with more than 9 acres of exhibitor space at last week’s record-breaking RSA Conference 2015 in San Francisco. BankInfoSecurity has published a “visual journal” here. I must say, I need to hang out with these guys next year. They are masters of the swag bag. CSO Online also has posted an interesting summary of the week here.

From the legal side, Smeeta Ramarathnam, the chief of staff to SEC Commissioner Luis Aguilar, told a Thursday morning panel that the Securities and Exchange Commission (SEC) is about to enter a “time of great change” as it pertains to regulation for disclosing cyber security incidents.

In the discussion, called “Full Disclosure: What Companies Should Tell Investors about Cyber Incidents,” Ramarathnam, along with Jonas Kron, director of shareholder advocacy with Trillium Asset Management, discussed the growing concerns and sense of responsibility boards of directors face in the wake of high-profile breaches, which will indelibly engage investors’ attention.

“Hardly a day goes by without another breach being reported,” Ramarathnam said, explaining that the SEC is tasked with formally overseeing security incidents or issues that would impact the integrity of market systems, customer data protection and disclosure of material information.

While the SEC’s Division of Corporation Finance published guidance in 2011 to make companies aware of the agency’s views on what needs to be reported as far as material information disclosure related to cyber incidents, Ramarathnam noted that the guidance provided context for current SEC rules, but no new regulatory obligations for organizations.  Although she did say she expects “much more to come in way of requirements from the SEC” in reporting and disclosure of cybersecurity risks and incidents, by the end of the panel, she had walked that statement back a bit.

REMINDER – Wednesday Webinar – April 29

Don’t miss the next in our 2015 Privacy Webinar series coming up this Wednesday. Mintz Levin’s Sue Foster will be discussing Compliance with EU Data Protection for US Companies. Register here.

FCC Chairman Tom Wheeler Speaks about Cybersecurity at RSA Conference

Posted in Cybersecurity, Legislation, Privacy Regulation, Security

As cyber week continues in Washington, Federal Communications Commission Chairman Tom Wheeler traveled to the west coast to speak about cybersecurity at the RSA Conference in San Francisco.  Wheeler noted that the FCC has several charges to protect against cyber-attacks and similar threats, including the agency’s responsibility to protect the safety of communications networks generally, as well as its responsibility to protect the privacy of consumer data collected by communications providers.

Wheeler centered his remarks on information sharing and accountability by the private sector.  He suggested that the communications industry’s approach to 911 calls – a combination of industry best practices and rules requiring that network outages be reported to the government – could serve as a model for cybersecurity information sharing.  Cyber-attacks should be subject to similar reporting requirements.

He praised the work of the National Institute of Standards and Technology for its Critical Infrastructure Framework, and the FCC’s cybersecurity advisory committee, the Communications Security, Reliability and Interoperability Council (“CSRIC”) for its recommendations, released last month, to assist and encourage communications providers with implementing NIST’s voluntary framework.  He focused specifically on one of CSRIC’s accountability proposals – that members of the communications sector periodically meet with the FCC to discuss their companies’ cyber-risk management efforts.  He acknowledged that the FCC’s goal is not to micromanage implementation of the NIST framework by communications companies, but instead to learn whether the framework and companies’ efforts are actually working to mitigate risk.  He stated that the meetings will not be framed as depositions and sensitive information shared would be protected from public disclosure, but that many of the details regarding the meetings still need to be worked out.  The FCC is seeking comment on this and the other CSRIC recommendations until June 26, 2015.

And, back in Washington, the House of Representatives passed the Protecting Cyber Networks Act on a 307-116 vote over the concerns of civil liberties groups.  Read more:

Wired 

PC World

New York Times

It’s Cyber Week in Washington, DC — and RSA Conference Week in San Francisco

Posted in Cybersecurity, Legislation, Privacy Regulation

Security is on the agenda from coast to coast this week.

Cybersecurity information sharing legislation will hit the House floor this week.  H.R. 1731, the National Cybersecurity Protection Advancement Act was reported out of the House Committee on Homeland Security on April 17, and H.R. 1560, the Protecting Cyber Networks Act was moved by the House Permanent Select Committee on Intelligence on April 13.  The two bills will likely be merged before coming to a vote.  Similar to the Cybersecurity Information Sharing Act moving through the Senate – the most recent version of which, S. 754, was reported out of the Senate Select Committee on Intelligence in March – both House bills authorize and provide liability protections for companies to, for cybersecurity purposes, monitor their networks and share information on cybersecurity threats with both the government and other private companies.  The bills also authorize the use of defensive measures to protect networks from malicious threats, though they contain limits designed to restrict so-called “hack back” techniques.

Both bills include privacy protections designed to safeguard personal information and restrict companies from sharing it with either the government or other private entities, but some privacy advocates are still concerned about the adequacy of these safeguards.  Privacy has remained a hot-button issue surrounding cyber information sharing legislation since Edward Snowden’s exposure of the National Security Agency’s bulk collection of telephone metadata and PRISM surveillance program.

And, the RSA Conference — “where the world talks security” — opens today in San Francisco. The conference kicks off this morning, with a keynote by RSA President Amit Yoran and another later in the day by Department of Homeland Security Secretary Jeh Johnson, but yesterday, things were already getting rolling as the Cloud Security Alliance held its CSA Summit, focusing on enterprise cloud adoption and security lessons learned. Trusted Computing Group had its panel discussion combining mobile computing, Internet of Things, and cloud security. Follow the RSA Conference blog for summaries and updates.

Thanks to Mary Lovejoy for the Washington update.

WEBINAR: Compliance with EU Data Protection Laws for US Companies

Posted in EU Data Protection Regulation, Events and Webinars, Privacy Regulation

Register now for the fourth installment in our monthly 2015 Privacy Wednesday webinar series, coming up next Wednesday, April 29th at 1:00 pm ET.

Susan Foster, a CIPP/E in Mintz’s London office, will consider issues faced by US companies who do business in Europe or simply interact with European customers.  We will look at how to determine whether EU data protection laws apply to you, and what you need to do to comply.  We will also provide an overview of the upcoming major overhaul of EU data protection laws in the form of the draft Data Protection Regulation, which is likely to be finalized in late 2015 or 2016.

A link to our registration page is here.

UPDATE: Target Confirms It Has Negotiated A $19 Million Data Breach Settlement With MasterCard

Posted in Class Action Litigation, Data Breach, Privacy Litigation

Target confirmed a report in the Wednesday edition of The Wall Street Journal of a settlement with MasterCard concerning claims of card issuers arising from Target’s 2013 data breach. The data breach, which occurred during the post-Thanksgiving holiday shopping season, compromised over 40 million credit and debit cards used to make purchases at Target stores. The settlement has not been presented to the court for approval but was described in a press release issued by Target after the close of business on Wednesday. The settlement proposes payment of up to $19 million (previous reports had indicated a fund of $20 million) to reimburse issuers of MasterCard-branded payment cards for costs arising from reissuance of cards compromised by the data breach. Target’s obligation to proceed with the settlement is conditioned on acceptance by issuers of at least 90% of the eligible payment card accounts. Target indicates in its press release that it intends to “defend itself vigorously against any assessments made by MasterCard on behalf of MasterCard issuers that do not accept their offers.” In order to accept Target’s offer, settling issuers must agree to release all claims that they may have against Target arising from the data breach. The press release also states that the potential $19 million cost of the MasterCard settlement is included in the total cost of the data breach disclosed in Target’s public securities filings (reported at 2014 year end to be $252 million before insurance offsets).

According to Target’s Wednesday press release, issuers that accept the MasterCard settlement are expected to be paid “by the end of the second quarter of 2015.” Based on the description of the settlement and the expected timing, it appears that the MasterCard settlement will take place entirely outside of the card issuer class action that is still pending in federal court in Minnesota, although any releases given in connection with the MasterCard settlement would finally resolve claims of settling issuers as to MasterCard payment cards compromised by the breach. The proposed settlement would not affect outstanding claims on behalf of issuers of other types of payment cards (including Visa, Discover and American Express cards).

Report: Target Close To $20M Data Breach Settlement With MasterCard

Posted in Class Action Litigation, Data Breach, Privacy Litigation

According to a report published today in The Wall Street Journal, Target and MasterCard are close to reaching a settlement of the claims of MasterCard-issuing institutions in connection with Target’s 2013 data breach. The settlement would reimburse the cost of reissuing debit and credit cards compromised by the breach, as well as a portion of the resulting fraudulent charges made using stolen payment card numbers. A $20 million settlement would be comparable to the amount paid by TJX Cos. to MasterCard in connection with the 2008 TJX data breach. News of a potential card issuer settlement comes less than one month after Target and class counsel filed papers seeking court approval of a proposed class settlement of consumer claims arising from that same data breach. Sources informed the Wall Street Journal that a definitive MasterCard settlement could be announced as soon as this week.

Privacy Monday – April 13, 2015

Posted in Privacy Monday

Spring has finally arrived on the East Coast, and not a moment too soon.

Here are 3 privacy & security bits and bytes to start your week.

ICYMI – 60 Minutes’ Steve Kroft Story on Why the Sony Hack is Important

Fascinating piece by a reporter who has been looking at cybersecurity/cyberwarfare issues for 15 years. “You don’t have to be a superpower to inflict damage on US corporations….” Watch the entire story here. (Full disclosure – Mintz client Cylance is prominently featured in this story.)

As a Follow-on:  New RSA Breach Readiness Survey Finds Majority Not Prepared

Now that you have seen the 60 Minutes eye-opener, read the latest study released by RSA, The Security Division of EMC, just ahead of next week’s RSA Conference in San Francisco. The opening few lines preview the content of Failures of the Security Industry: Accountability and Action Plan:

The information security industry is losing the cyberwar. Make that cyberwars. Plural. Black hat “hacktivists,” organized crime syndicates, state-sponsored operatives, terrorists, and other threat actors attack computer systems and critical infrastructure on multiple fronts across the globe with seeming impunity….Cybercrime hurts the global economy.

Download the white paper here.

This is one you have to see – IT Governance, a UK consultancy, has a blog post with pictures: screen shots from live TV broadcasts that leaked passwords, including one from the Super Bowl, a live shot showing the credentials for the stadium’s wireless network. Take a look at the article and pictures here.

UPDATE: FTC Plans Review of YouTube Kids App

Posted in Children, Federal Trade Commission, Privacy Regulation

As we predicted in our post late last month, Google’s YouTube Kids app has attracted more than just the “curious little minds” Google was hoping for.  Yesterday, a group of privacy and children’s rights advocates (including the Center for Digital Democracy and the American Academy of Child and Adolescent Psychiatry) asked the Federal Trade Commission “to investigate whether Google’s YouTube Kids app violates Section 5 of the FTC Act . . . .”

The advocacy group downloaded the YouTube Kids app onto an Android device and two iOS devices. It then reviewed and assessed the app as it functioned, watching content Google says caters to children while protecting them from questionable or troubling content.

The advocacy group claims this review identified three features of the app it believes are unfair or deceptive. First, the group faults Google for offering content “intermixed” with advertising content in a manner the group claims “would not be permitted to be shown on broadcast or cable television” under Federal Communications Commission guidelines. Second, the group worries that much of the advertising violates FTC Endorsement Guidelines because it is user-generated in a way capable of masking relationships with product manufacturers. Finally, the group claims the advertising content violates the YouTube Kids app’s stated policies and procedures.

Taken together, the advocacy group’s issues all collapse around the same core argument: very young children (generally under 5 years of age) cannot distinguish between actual content and advertising, and that makes them “uniquely vulnerable to commercial influence.” This argument has a lot of emotional appeal: who wouldn’t want to protect small children? But the implications of this argument extend far beyond the YouTube Kids app, and would call into question any free, advertising-supported video platform, including network television. As such, it seems likely that the advocacy group’s position faces significant First Amendment hurdles.

Although the advocacy group does not (yet) take issue with YouTube Kids’ data collection practices, it does question how the app is able to generate video recommendations. And its letter to the FTC explicitly asks the Commission to investigate whether or not children are being tracked without verifiable parental consent.

The ball is now squarely in the FTC’s court. It could launch a non-public investigation regarding the app’s practices, or it could do nothing. However, as the Commission has recently signaled a renewed interest in protecting children online (including entering a $19 million settlement with Google over children’s in-app purchases last September), it seems likely the Commission will have at least some questions for Google following the advocacy group’s letter.

We’ll be sure to keep you posted.

Video Interview: Discussing Cross-Device Tracking on LXBN TV

Posted in Data Compliance & Security, Federal Trade Commission, Mobile Privacy, Online Advertising

Following up on my recent post on the matter, I had the opportunity to speak with Colin O’Keefe of LXBN on the subject of cross-device tracking. In the brief interview, I discuss the growing prevalence of cross-device tracking and what the FTC is doing in response.

Privacy Monday – April 6, 2015 – Play Ball! (and other privacy-related bytes)

Posted in Privacy Litigation, Privacy Monday

Not only is it Privacy Monday – it is OPENING DAY! After this long, long winter … welcome back baseball!

It’s usually an end-of-season tradition for some baseball writers and announcers, but I like to revisit it in the spring for what is ahead “in a green field, in the sun” — one of the greatest odes to the game ever written:

It breaks your heart. It is designed to break your heart. The game begins in the spring, when everything else begins again, and it blossoms in the summer, filling the afternoons and evenings, and then as soon as the chill rains come, it stops and leaves you to face the fall alone. You count on it, rely on it to buffer the passage of time, to keep the memory of sunshine and high skies alive, and then just when the days are all twilight, when you need it most, it stops.   …  It breaks my heart because it was meant to, because it was meant to foster in me again the illusion that there was something abiding, some pattern and some impulse that could come together to make a reality that would resist the corrosion; and because, after it had fostered again that most hungered-for illusion, the game was meant to stop, and betray precisely what it promised.

Of course, there are those who learn after the first few times. They grow out of sports. And there are others who were born with the wisdom to know that nothing lasts. These are the truly tough among us, the ones who can live without illusion, or without even the hope of illusion. I am not that grown-up or up-to-date. I am a simpler creature, tied to more primitive patterns and cycles. I need to think something lasts forever, and it might as well be that state of being that is a game; it might as well be that, in a green field, in the sun.

Read “The Green Fields of the Mind” by A. Bartlett Giamatti here and hear him read it himself here. Or, watch the epic James Earl Jones monologue from Field of Dreams here.

Enjoy Opening Day!

Now back to your regularly-scheduled Privacy & Security Matters programming — Opperman v. Path Inc.’s Impact on Privacy Notices