Sophisticated phishing scams and muscular hacking efforts continue to compromise personal and sensitive information held by insurers, hospital systems, and businesses large and small. In response, many states have strengthened their data breach notification laws and have enacted data security laws to enhance the data protection obligations imposed on data collectors and to ensure that residents and state regulators receive prompt and adequate notice of security breaches when they do occur. By mid-summer, a range of new measures will be going into effect in Nebraska, Nevada, Rhode Island and Tennessee. Be sure to review the latest edition of the Mintz Matrix for these new measures. Full post: Illinois Joins the Fray: Strengthens its Laws Around Data Breach Notification and Data Security.
In a decision favorable to the airline industry—but not helpful to other companies—the California Court of Appeal said that a privacy enforcement action against Delta is not going to fly. On May 25, 2016, the Court of Appeal tossed the California Attorney General’s CalOPPA enforcement action against Delta Airlines, affirming the lower court’s 2013 dismissal of the case with prejudice.
As we previously wrote, the California AG’s office has been taking incremental steps toward ensuring that mobile applications comply with CalOPPA. As early as 2012, the office began sending notices of non-compliance to mobile application developers. When some companies failed to respond, the Attorney General chose Delta as its pilot case, promptly filing its first-ever enforcement action under CalOPPA. Over the past three years, we have followed the Attorney General’s CalOPPA compliance campaign, including the Delta case. Full post: Delta Wins CalOPPA Case – But Your Mobile App May Not Fly.
Last week, we discussed the Federal government’s first steps toward implementing the Cybersecurity Information Sharing Act (CISA). Among the guidance documents released by the Department of Homeland Security and the Department of Justice were the Privacy and Civil Liberties Interim Guidelines. This guidance is designed to apply Fair Information Practice Principles (FIPPs) to Federal agency receipt, use and dissemination of cyber threat indicators consistent with CISA’s goal of protecting networks from cybersecurity threats.
FIPPs form the core of many federal and state privacy laws as well as the basis for privacy best practices across numerous industries and government agencies. This guidance applies them to federal agency collection of cyber threat indicators as described below. In practice, the government intends to apply some of the FIPPs to cyber threat indicators shared via the Department of Homeland Security’s Automated Indicator Sharing (AIS) tool, which we referenced here, through capabilities embedded within the AIS mechanism itself. Full post: CISA Guidelines: Privacy and Civil Liberties Interim Guidelines for Federal Agencies.
This week, the Federal government took the first steps toward implementation of the Cybersecurity Information Sharing Act (CISA), enacted into law last December. CISA aims to encourage sharing of cyber threat indicators and defensive measures among private companies and between the private sector and the Federal government by providing liability protection for sharing such information in accordance with the Act. The DHS Federal Register notice was published this morning here.
As required by the Act, the government has released four pieces of guidance designed to assist companies and Federal agencies with respect to sharing, receiving and handling cyber threat information. Full post: Cyber Threat Information Sharing Guidelines Released by DHS.
The amended Judicial Redress Act has passed the House and is on its way to the president to be signed into law. The Act, which we covered in an earlier blog post, gives citizens of foreign countries the same rights as US citizens in connection with the use by the US government of their personal data, subject to a determination by the Attorney General that the country in question cooperates with the US in sharing law enforcement information, doesn’t impede the flow of personal data to the US for commercial purposes, and meets certain other requirements. Essentially, the Judicial Redress Act helps assuage the EU’s concerns about government uses of personal data. The Judicial Redress Act is vital for the EU’s acceptance of the Umbrella Agreement for sharing of data by law enforcement agencies. It should be helpful for the proposed new “Privacy Shield,” which is currently under review by representatives of Europe’s national data protection agencies.
There’s no doubt businesses in the EU and US would breathe a sigh of relief if a new Safe Harbor agreement is put in place before European data protection authorities start prosecuting companies for potentially illegal personal data transfers to the US. But if it doesn’t happen, the US is actually not any worse off than most of the rest of the world. No other country has a special agreement with the EU concerning personal data transfers, and only eleven countries have been deemed to be “adequate” by the European Commission: Andorra, Argentina, Canada (commercial organizations only), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay.
Only one of the countries on the “adequate” list, Switzerland, is a “top ten” EU trade partner, according to the latest trade statistics published by the Commission (based on 2014 figures). Only two of the countries are in the top twenty (Canada is in twelfth place). Japan, India, Brazil, Turkey, South Korea, all “top ten” EU trade partners, are not on the “adequate” list. Nor is China or Russia, both of which have significant trade with the EU (coming in second and third in the “total EU trade” rankings published by the Commission). So if the US isn’t on the “adequate” list, it is no worse off than most other major EU trade partners. Full post: (So) What if there’s no Safe Harbor 2.0?
Just at the end of 2015, the Cybersecurity Information Sharing Act (CISA) was enacted into law as part of the omnibus spending measure passed by Congress and signed by President Obama right before Christmas. The legislation combines elements from the versions of CISA that passed the House in April of 2015 and the Senate in October.
Enactment of CISA was driven by the goal of clearing away some of the legal uncertainty and liability risk concerns inhibiting sharing of cybersecurity threat information. Cyber criminals are technologically proficient and constantly innovating, which means that protecting American enterprise networks, industrial control systems, and electronic information systems requires continued vigilance and innovation. There is broad agreement that the nation’s cyber defense posture could be greatly strengthened through more robust and timely sharing of cyber threat information both between the government and the private sector and between private companies themselves. Full post: Happy New Year – Cybersecurity Information Sharing Act.
The EU Parliament committee that is charged with considering data protection matters (LIBE) has issued a press release calling on the European Commission to take action before the end of 2015 to come up with alternatives to Safe Harbor. Importantly, LIBE has also called on the Commission to reassess whether the European Court of Justice’s recent invalidation of Safe Harbor casts doubt on other means for legitimizing the transfer of personal data from the EEA to the US.
As we have commented previously here, the ECJ’s rationale in the Schrems Safe Harbor decision could be used to attack both BCRs and Model Clauses. LIBE certainly seems to have picked up on that also. Full post: EU Parliament Committee calls on the Commission for immediate action on US data transfers.
As EU data protection watchers know, the draft General Data Protection Regulation (which has been around long enough to be universally referred to by its acronym, GDPR) exists in three major versions, with a fourth version recently released by the office of the European Data Protection Supervisor (EDPS). The EDPS is the EU’s own internal privacy cop and, of course, a significant commentator on EU data protection matters.
The authors of the EU Parliament and Council drafts used their own unique editing styles to show their changes to the Commission’s original draft, which makes it a challenge to compare all three drafts. The EDPS has made the drafts a bit more accessible to the public by launching an app to display the drafts side by side (two at a time) on a smart phone or tablet. There’s a Google Play and an Apple AppStore version – links here. I’ve tried the Apple version of the app and am pleased to report that it works well. The interface is easy to use. There’s a search function (remember to use British spellings, like “pseudonymisation” and “unauthorised”).
The EDPS has also prepared a PDF version showing the four drafts in columns, but it’s not a particularly user-friendly format. As a lawyer, I’d prefer nice clean copies of the four versions in a form I could redline, but failing that, I’ll take the app!
As cyber week continues in Washington, Federal Communications Commission Chairman Tom Wheeler traveled to the west coast to speak about cybersecurity at the RSA Conference in San Francisco. Wheeler noted that the FCC has several charges to protect against cyber-attacks and similar threats, including the agency’s responsibility to protect the safety of communications networks generally, as well as its responsibility to protect the privacy of consumer data collected by communications providers.
Wheeler centered his remarks on information sharing and accountability by the private sector. He suggested that the communications industry’s approach to 911 calls – a combination of industry best practices and rules requiring that network outages be reported to the government – could serve as a model for cybersecurity information sharing. Cyber-attacks should be subject to similar reporting requirements.
He praised the work of the National Institute of Standards and Technology for its Critical Infrastructure Framework, and the FCC’s cybersecurity advisory committee, the Communications Security, Reliability and Interoperability Council (“CSRIC”) for its recommendations, released last month, to assist and encourage communications providers with implementing NIST’s voluntary framework. He focused specifically on one of CSRIC’s accountability proposals – that members of the communications sector periodically meet with the FCC to discuss their companies’ cyber-risk management efforts. He acknowledged that the FCC’s goal is not to micromanage implementation of the NIST framework by communications companies, but instead to learn whether the framework and companies’ efforts are actually working to mitigate risk. He stated that the meetings will not be framed as depositions and sensitive information shared would be protected from public disclosure, but that many of the details regarding the meetings still need to be worked out. The FCC is seeking comment on this and the other CSRIC recommendations until June 26, 2015.
And, back in Washington, the House of Representatives passed the Protecting Cyber Networks Act on a 307-116 vote over the concerns of civil liberties groups.