Not all the news coming out of Europe these days is about Brexit. In fact, the forces of unity and harmonization remain a top priority for European regulators hoping to combat digital security threats and create a safer and more secure environment for the entire online community. To this end, on July 6, 2016, the European Parliament adopted the Network and Information Security (“NIS”) Directive in an effort to enhance cybersecurity and incident reporting at a national level across all of its member states (“NIS Directive”). This move followed an announcement the day before from the European Commission (the “Commission”) that it had launched a public-private initiative that will steer €1.8 billion of investment into cybersecurity by 2020.
Continue reading: EU Adopts Cybersecurity Directive: What US Companies Need to Know
According to several news reports, the Commission has sent a revised draft of the Privacy Shield adequacy decision to the Article 31 Committee. One tech industry news source, Ars Technica, has made available a purportedly leaked draft of the version of Privacy Shield that is being reviewed by the Article 31 Committee. The Commission has reportedly asked the Committee to vote to adopt Privacy Shield on Monday. Whether or not the Article 31 Committee will act swiftly remains to be seen, but we expect further news early next week.
Colorado is the latest state to revisit, and expand upon, its laws pertaining to the use and protection of student data. Colorado Governor John Hickenlooper recently signed into law House Bill 16-1423 (the “Bill”), designed to increase the transparency and security of personal information about students enrolled in Colorado’s public education system (K-12). Described by its sponsors and the media as “nation-leading” with respect to the extremely broad scope of the definition of “student personally identifiable information”, the Bill imposes additional, detailed requirements on the Colorado Department of Education, the Colorado Charter School Institute, school districts, public schools, and other local education providers (each, a “Public Education Entity”) and on commercial software providers (including education application providers) with respect to the collection, use, and security of student data. In this blog post, we focus only on the duties of commercial software or education application providers.
Continue reading: Colorado Student Data Privacy Bill – What EdTech software providers need to know
US companies and policy makers will no doubt spend a good chunk of the day today considering the possible implications for them of yesterday’s UK vote for Brexit. Mark Carney, Governor of the Bank of England, has issued a statement to calm the markets. I will content myself with a much more modest statement to calm US companies who have been working hard to fill in the gap left by the demise of Safe Harbor and to prepare for the implementation of the GDPR in May 2018: Brexit will have very little, if any, impact on the UK’s approach to data protection laws, at least in the medium term (say the next five years or so).
Why is that? First and foremost, the UK has no interest in doing anything that would impede the flow of personal data between the UK and the rest of Europe. The GDPR, like the current laws under the Data Protection Directive, provides a pathway of least resistance for data transfers: If a country’s laws “ensure[ ] an adequate level of protection” for the personal data, the Commission can issue an adequacy decision to allow data transfers to that country (without the need for model clauses or BCRs). The most straightforward way for the UK to get an adequacy decision is to adopt and implement the GDPR (or at least all of the material parts of the GDPR) as part of its national legislation.
Second, of all the things that the UK will need to negotiate with the EU over the coming years, any quibbles that the UK may have about data protection legislation are likely to be low on the list, far behind passporting of banking services and new immigration arrangements. The UK did have some concerns about the GDPR, as communicated by the ICO in its initial comments on the Commission’s early draft of the GDPR. However, none of them were deal-breakers for the UK.
Third, as a practical matter, UK companies that are part of international corporate groups with a European presence would probably not make it a priority to push hard for UK legislation that eases their burden under UK law, while they still have to comply, in effect, with the GDPR with respect to their European operations (both of their affiliates and with regard to UK companies’ own sales into Europe).
Looking past the medium term, how might the UK’s approach change later on, once the key Brexit negotiations are finished? The ICO did say a couple of weeks ago at a conference that it would consider other approaches, such as the data protection frameworks used in New Zealand or Australia, that meet EU adequacy requirements. However, all of those existing frameworks will need to be reviewed again against the GDPR in order to keep their adequacy decisions in place, so those legal frameworks may look a lot more like the GDPR within a couple of years.
So until the ICO tells us otherwise, US companies working on preparing for the implementation of the GDPR should continue with that work even if their primary EU activities are only in the UK. (And don’t forget that the actual exit is not taking place immediately.)
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently issued a warning regarding vulnerabilities in third-party applications used by entities covered by HIPAA. The OCR warning applies generally to HIPAA Covered Entities and Business Associates. While Covered Entities and Business Associates are more cognizant of vulnerabilities in operating systems (like Windows) and install updates and patches as needed (we hope), OCR reported that companies are less likely to do the same for third-party applications (like Adobe’s Acrobat or others).
Continue reading: OCR Warns of HIPAA Risks in Third-Party Apps
The number one threat to a company’s information (personal or confidential) is still its own employees. Data security and privacy training are the first lines of defense against negligent employee behavior.
Join us tomorrow (6.22) at 1 PM ET for a webinar in which we will explore why traditional training programs are falling short and what you can do to boost your efforts and counter top concerns regarding malicious and negligent employee handling of personal and confidential data.
CLE credit available in NY and CA
The Mintz Levin Privacy and Security team is pleased to welcome Brian H. Lam to our group of privacy and security professionals. Brian comes to Mintz with broad experience in data aggregation, network data security, and technology transactions – in particular, the role security infrastructure plays in both technology transactions and M&A transactions.
Brian brings important real-world technical and legal expertise to our clients: he has undergraduate and graduate degrees in computer science (B.S. and M.S. from University of Colorado); has worked as a network security analyst prior to entering the University of Southern California law school; and is credentialed as a Certified Information Security Professional (CISSP), which is recognized by security professionals around the world as the field’s premier certification program.
While it’s making few headlines, the European Commission is still working to finalize Privacy Shield, and it’s even possible that Privacy Shield will pass a key hurdle by the end of this month. The Commission is still scrambling to address the concerns raised by the Article 29 Working Party and the European Data Protection Supervisor concerning the Privacy Shield arrangements that the Commission had negotiated with the US. (The European Parliament has also criticized Privacy Shield.) Some of the concerns raised so far have made it necessary for the Commission to negotiate further with the U.S. State Department. And now the Commission is shortly to present a proposed final version of Privacy Shield to the Article 31 Committee, which represents the Member States.
If the Art. 31 Committee agrees with the Commission, Privacy Shield will be submitted to the College of the Commission for formal adoption. If the Art. 31 Committee does not endorse the Privacy Shield arrangements, the Commission will need to consider further how to proceed. Also, the Council or Commission could intervene as permitted by the comitology procedure (which could result in more pressure on the Commission to negotiate further with the US).
News sources have speculated as to the status of the Article 31 negotiations, but given the lack of specific information from the Commission on this point, it’s tough to tell what the real status is. In any event, while we expect to have some more concrete news by the end of June as to the progress of Privacy Shield, it is unlikely that Privacy Shield will be formally adopted by then.
And it’s important to keep in mind that, as soon as Privacy Shield limps over the finish line (assuming it doesn’t succumb to death by a thousand objections), it will almost certainly face immediate litigation seeking to have the Court of Justice of the EU invalidate it.
PS – for those who’ve been wondering, Brexit (should it occur) is unlikely to result in the UK taking a divergent path from the EU on general data protection rules.
The Department of Homeland Security (DHS) and the Department of Justice (DOJ) have issued the long-awaited final procedures for both Federal and Non-Federal Entities under the Cybersecurity Information Sharing Act (CISA) (“Final Procedures”) that provide information on how DHS will implement CISA. In addition to the Final Procedures, the agencies also released “Guidance to Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities under the Cybersecurity Information Sharing Act of 2015” (the “Guidance”).
As we have written previously, a company may share cyber threat indicators (CTIs) and defensive measures (DMs) for cybersecurity purposes “notwithstanding any other provision of law,” and receive certain liability protections for sharing in accordance with the Act. The Final Procedures and the Guidance are finalized versions of interim guidance previously discussed. Any decision to share information under CISA is complex and involves factual and legal determinations.
Read on to find out what CTIs and DMs are, and information on the procedures companies must follow to obtain liability protection for sharing CTIs and DMs with the Federal Government.
Continue reading: “Interim” No More: DHS and DOJ Publish Final CISA Guidance on Cybersecurity Sharing
Last week, the Federal Trade Commission (FTC) announced (press release) that Practice Fusion, the largest cloud-based electronic health company in the United States, has agreed to settle FTC charges over deceptive practices involving the public disclosure of healthcare provider review information collected from consumers that included sensitive personal and medical information. Below is our review of the circumstances underlying the FTC complaint, a summary of the terms of the settlement, and a few pointers on how to avoid a similar situation. There are many lessons to be learned from this FTC complaint for all online providers, not only EHR providers. Read on…
Continue reading: Practice Fusion and FTC Settle Complaint Over Deceptive Statements About the Privacy of Consumer-Generated Online Content