On Wednesday, the House Homeland Security Committee passed a substitute bill for H.R. 3696, the National Cybersecurity and Critical Infrastructure Protection Act of 2013. The committee substitute bill was broadly supported by both parties. As it presently stands, H.R. 3696 delegates to the Department of Homeland Security the responsibility for civilian cybersecurity research and development, incident detection and response, and facilitating the exchange of cyberthreat information between government and the private sector. It calls for the establishment of industry sector coordinating councils under a so-called public-private partnership model. In response to requests from industry, it expands the tort liability immunity provisions of the SAFETY Act by adding cybersecurity technologies to the anti-terrorism technologies covered by that statute.
Of concern to privacy advocates is the inclusion of a provision that appears to immunize private electronic communications services from liability for selling information about their customers’ communications to the government. Under the bill, DHS is authorized to enter into contracts or other agreements to obtain “the assistance of private entities that provide electronic communication services, remote computing services, or cybersecurity services to acquire, intercept, retain, use, and disclose communications and other system traffic . . . . No cause of action shall exist against private entities for assistance provided to the Secretary in accordance with this subsection.”
Written by Jake Romero
The California Senate has passed a bill restricting the information that certain online retailers can collect in connection with consumer purchases. Senate Bill 383 would amend Sections 1747.02 and 1747.08 of the California Civil Code to address the collection of customer information in connection with credit card purchases in online transactions for downloadable products. The bill aims to close a perceived gap in the data privacy protections afforded to California residents, by placing these types of transactions within the scope of California’s Song-Beverly Credit Card Act, which prohibits retailers from requiring certain customer personally identifiable information as a condition to accepting credit card payment.
Does this all sound vaguely familiar? If so, that is likely because SB 383, in its current form, is just the latest development in a series of efforts to adapt Song-Beverly, a law that pre-dates the modern internet, to current retail and data collection practices.
Written by Amy Malone
Data privacy legislation has been introduced regularly but has yet to pass; could this be the year? The recent breaches at Target and Neiman Marcus (see our posts here, here, here) have drawn national attention and may be the impetus needed to pass the legislation. Currently two bills addressing data breaches have been introduced:
(1) Senator Patrick Leahy reintroduced the Personal Data Privacy and Security Act of 2014. This bill was originally introduced in 2005 because “security breaches are a serious threat to consumer confidence, homeland security, national security, e-commerce, and economic stability” and has been reintroduced in each of the last four sessions of Congress. The bill would establish a national standard for data breach notification, and require businesses to safeguard personal information from cyber threats. Under the legislation covered entities are required to provide notice to the Federal Bureau of Investigation or the United States Secret Service of “major” security breaches of “sensitive personally identifiable information.”
(2) Senators Tom Carper and Roy Blunt introduced the Data Security Act, legislation that would require companies that accept credit cards to have information security plans aimed at protecting data and incident response plans that address what steps must be taken in the event a breach occurs. The legislation also contains a notification provision which would require companies to notify affected customers and federal authorities in the event of a breach and to provide credit monitoring services if over 5,000 customers are affected.
The move to a uniform federal notification law — preempting individual state laws — may be welcome in some corners, as companies have spent time and resources trying to comply with the 46 different state laws (see the Mintz Matrix). And, perhaps the current landscape and serious threat to consumer confidence will prompt the passing of the legislation this year. We will provide analysis of each of the pieces of federal legislation and comparisons of the provisions in later posts.
The Department of Defense and the General Services Administration, which together spend more than $500 billion annually on information technology, have released a joint report to the White House recommending steps to upgrade the cybersecurity requirements of acquisitions of information technology and services throughout the federal government. These recommendations will affect not only suppliers to federal agencies but, together with the NIST Cybersecurity Framework for critical infrastructure to be released in mid-February, will be felt throughout the broader U.S. marketplace for IT goods and services.
Executive Order 13636, issued in February 2013, is best known for initiating development of the NIST Cybersecurity Framework for critical infrastructure, which is due to be released in two weeks. The EO had other, less well-known provisions, including a requirement that DoD and GSA make recommendations to incorporate cybersecurity requirements into standards for federal acquisitions of information technology products and services. This report, completed in November but not released until yesterday, recommends adoption of standards and practices that will significantly affect both federal IT procurement and the broader U.S. market for information technology.
Among the recommendations are the following:
- For acquisitions that present cyber risks, the government should only do business with organizations that meet such baseline requirements in both their own operations and in the products and services they deliver. The baseline should be expressed in the technical requirements for the acquisition and should include performance measures to ensure the baseline is maintained and risks are identified.
- Require organizations that do business with the federal government to receive training about the acquisition cybersecurity requirements of the organization’s government contracts.
- Mitigate the risk of receiving inauthentic or otherwise nonconforming items by obtaining required items only from original equipment manufacturers, their authorized resellers, or other trusted sources.
The report acknowledges that “while it is not the primary goal, implementing these recommendations may contribute to increases in cybersecurity across the broader economy, particularly if changes to Federal acquisition practices are adopted consistently across the government and concurrently with other actions to implement the [NIST] Cybersecurity Framework.”
Initially, the recommendation that technical requirements for cybersecurity be built into procurements will be implemented through two rulemakings currently underway: “Basic Safeguarding of Contractor Information Systems,” published as a proposed rule in August 2012, and “Safeguarding Unclassified Controlled Technical Information,” published by DoD as an interim rule in December 2013.
The recommendation to narrow the sources from which the government may buy information technology to OEMs, authorized resellers and “other trusted sources” inherently conflicts with broad competition and may place some smaller contractors at risk because they do not have, or cannot achieve, the required status. The report acknowledges that “limiting eligibility to only these types of sources for all acquisitions may not be compatible with acquisition rules, socioeconomic procurement preferences, or principles of open competition,” but leaves resolution of that difficult problem to another day.
The report contends that its recommendations are really more addressed to changing the behavior of government acquisition personnel than changing the behavior of industry, but the consequences of the acquisition rule and policy changes already underway on the larger industry are inevitable.
Written by Susan Foster, Solicitor England & Wales/Admitted in California
(LONDON) The European Commission announced yesterday that it is working towards a revised timeline for the adoption of a definitive Data Protection Regulation by the end of 2014.
While Commissioner Viviane Reding’s press release about finalizing the Regulation by the end of 2014 has been reported by some as a new deadline, it is really more of an aspirational date. In fact, the “new deadline” is consistent with comments made by the Commission at the end of 2013. So it’s not really news, but the Commissioner’s comments are certainly worth reading as a summary of where we are with this critical legislation from the Commission’s perspective. In Commissioner Reding’s own words, “[a]n agreement on the reform is possible before the end of this year.”
What might make Dec. 31, 2014 a difficult date to achieve? Certainly the Commission and the European Parliament are keen to expedite adoption of the Regulation, and the differences in their views are relatively minor in the “big picture” sense. However, the Council of the EU (the forum for the views of the national governments of the Member States) still needs to weigh in on the Parliament’s version of the draft Regulation.
Interestingly, Commissioner Reding’s press release was silent concerning the Council’s retraction last December of its support for the crucial “one-stop shop” that would give companies one regulator to deal with rather than 28 – although she did link to her December 6, 2013 speech chiding the Council for backsliding on the one-stop shop. This is just one of several important issues that need to be resolved, and the complexity of the EU legislative process will make it a challenge to tie off all of the major issues and relatively minor loose ends by the end of 2014. That said, we should see a huge push from the Commission and Parliament to make headway in the coming months – so this is a critical time for the national governments of the Member States, businesses and individuals to engage with the ongoing debates over privacy regulation in Europe.
The annual “observance” of Data Privacy Day each January began in 2008. The National Cyber Security Alliance (NCSA) will be kicking off today’s events with a live stream of its press conference in Washington, DC. You can access the stream at the NCSA’s Facebook page here.
Data privacy — and data security — has been in the headlines across the world in the last few months, putting a new focus on Data Privacy Day. These stories have reinvigorated old debates, and prompted new questions, about the increasingly complex relationship between individuals, the online data they create or that is about them, and how that data is protected and shared.
The theme of Data Privacy Day 2014 is Respecting Privacy, Safeguarding Data, and Enabling Trust. It is a call to action for everyone — individuals, governments and organizations — to be good stewards of the data they create, access, and use. Sources are indicating that at least the Target data breach (and possibly others) may have been caused by an employee clicking on a phishing email which allowed malware to infect the company’s network.
The NCSA’s global cybersecurity awareness campaign, STOP. THINK. CONNECT. can be implemented in your own organization and in your own use of the Internet.
- Keep a clean machine. Having the latest security software, web browser, and operating system is the best defense against viruses, malware, and other online threats.
- Secure your accounts. Create long, strong and unique passwords and enable multi-factor authentication for online accounts.
- Own your online presence. Set privacy and security settings on websites and social networks to your comfort level of sharing.
- Get savvy about Wi-Fi hotspots. If you’re online through an unsecured or unprotected network, be cautious about the sites you visit and the information you release.
- Disable auto-connect. Check your Wi-Fi and Bluetooth settings to be sure you connect manually to networks you trust. Automatically connecting to Wi-Fi can leave you vulnerable to hackers and others.
Use today to encourage employees to STOP. THINK. CONNECT.
Written by Ernest C. Cooper
Should retailers be required to obtain written consent before sending a consumer a text message with information or a coupon that was specifically requested? The Retail Industry Leaders Association (RILA) thinks not, and has filed a petition asking the Federal Communications Commission to clarify that sending a one-time text message in response to a consumer request does not violate FCC telemarketing rules requiring prior written consent for marketing text messages. The FCC has issued a public notice asking for comments on the petition, which must be submitted by February 21, 2014, with reply comments due by March 10, 2014.
FCC telemarketing rules that went into effect on October 16, 2013, require prior written consent of the called party to send marketing or advertising messages, including text messages. The RILA petition argues that those rules do not sensibly apply to an “on-demand” text service that provides one-time text message replies to consumer requests for offers. For example, a consumer might respond to a retailer’s advertising display by texting “discount” to the retailer, which then sends a reply text message to the consumer with a coupon or other discount information. RILA is concerned that because the reply message is arguably marketing or advertising and is sent without the consumer’s written consent, some persons might charge the retailer is violating the FCC’s telemarketing rules, despite the fact that the reply message was specifically requested by the consumer.
To ensure retailers can send these types of reply messages without risking lawsuits for violation of FCC rules, RILA asks the FCC to clarify that its telemarketing rules do not apply to an “on-demand” text service sending reply messages because the text communications are: (1) initiated by the consumer; (2) one-time messages sent in response to a specific consumer request; and (3) include only specific information requested by the consumer.
The RILA petition is available here.
The FCC’s public notice can be found here.
Written by Kevin McGinty
In the latest chapter in the Sony PlayStation Network (“PSN”) data breach saga, a decision issued on January 21, 2014 permanently dismissed all but a handful of the class action claims advanced in a 51-count complaint. Plaintiffs, representing a putative nationwide class of PSN users, asserted dozens of state law consumer protection and common law claims arising from the alleged failure of Sony to take adequate measures to protect users’ personal and credit card information and purported misrepresentations concerning the adequacy of PSN’s data protection practices and capabilities. As previously reported in this blog, an earlier complaint in the action had been dismissed without prejudice in 2012, primarily due to the inability of the plaintiffs to allege that Sony’s purported negligence and misrepresentations caused them damage. The court allowed plaintiffs leave to amend, and defendants moved to dismiss the resulting amended complaint. This week’s decision shows that plaintiffs were unable to cure the deficiencies in their damages allegations that led to dismissal of their original complaint. Allegations that the privacy of plaintiffs’ information was compromised, without any allegation that private information was used in a manner that caused loss or injury, did not suffice. As a result, the court dismissed 45 separate claims for relief, with prejudice and without leave to amend.
Notably, the court did allow eight claims for relief to go forward. Claims for restitution under California consumer protection law survived dismissal, as the court construed California law to allow a consumer to seek restitution where an allegedly false or deceptive statement induced the consumer to purchase a product. Thus, plaintiffs’ claims on behalf of California consumers that misrepresentations concerning data security had induced the purchase of PlayStation 3 units or PSP personal gaming devices were allowed to go forward. Plaintiffs were also allowed to continue to pursue claims for injunctive relief under the consumer protection laws of Florida, Michigan, Missouri, New Hampshire and California, which permit equitable claims to rectify alleged violations, even where there has been no pecuniary loss or injury. Finally, the court allowed claims on behalf of participants in a settlement of PSN-related claims to bring claims for alleged breaches of that agreement. The survival of these claims vindicated a common plaintiff strategy of bringing dozens of counts, in hopes of increasing the odds that some claims will survive dismissal. The claims that were dismissed reinforced the increasingly well-developed principle that inability to plead or establish damages will be fatal to claims arising from a data breach.
One last noteworthy aspect of the most recent decision in the PSN case is the court’s rejection of defendants’ argument that plaintiffs’ inability to allege actionable damage deprived them of Article III standing to pursue their claims. Addressing the interplay between the Ninth Circuit’s decision in Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010), and the Supreme Court’s recent decision in Clapper v. Amnesty International, 133 S. Ct. 1138 (2013), the PSN court concluded that mere risk of disclosure does not confer standing in a data breach case, but that actual misuse is not required. Rather, the requirement for standing, the court concluded, is actual disclosure or misappropriation of an individual’s personal data. Nonetheless, as the balance of the court’s decision makes abundantly clear, standing is merely the first hurdle that a would-be litigant must surmount to maintain a data breach lawsuit. Even though damages are not required to establish Article III standing, inability to allege damages will often be fatal to a plaintiff’s data breach claims.
Written by Cynthia Larose
The US CAN-SPAM Act is old hat for marketers in the US. But it is time to revisit email marketing compliance programs if you send email north of the US border. Canada’s anti-spam law (known as “CASL”) has been debated for years but is finally coming into effect. Industry Canada released its final regulations on December 4, 2013 and CASL will come into force on July 1, 2014.
There are some very important differences between CAN-SPAM and CASL and CASL’s sweep is very broad. The biggest difference: CASL imposes an “opt-in” scheme — express consent must be given by the recipient of the commercial electronic message. Consent cannot be implied or “read in” and recipients must take action to express consent. Prefilled “tick boxes” giving “permission” to send marketing emails will not be compliant.
Because of the major “opt-in” requirement versus the standard operating procedure of “opt-out,” organizations will want to get a head start on compliance with CASL. One suggestion: consider obtaining express consent from those persons currently on your marketing lists. Sending e-mails to such people after CASL is in force may violate its provisions if the commercial electronic message is not exempt (limited exemptions), or the recipients have not provided implied consent.
For more information regarding CASL, our Canadian friend, Ariane Siegel of Signal Hill Digital Law, has provided an analysis, which we have posted here.