21st Century Oncology Holdings, a company that operates a chain of 181 cancer treatment centers in the US and Latin America, announced on Friday, March 4 that it was the latest victim of a cyber-attack, affecting 2.2 million individuals. When did the attack occur? Months ago. Read on for the gory details…
Last week, a federal court in Atlanta issued an order preliminarily approving a proposed settlement – valued at up to $19.5 million – of the consumer claims arising from the 2014 theft of payment card data from Home Depot. The cash and noncash terms of the proposed settlement are unexceptional. What is unusual about this settlement is its timing. According to plaintiffs’ brief seeking preliminary approval of the settlement, rather than wait for a decision on Home Depot’s still-pending motion to dismiss, the parties conducted a mediation after argument on the motion and concluded a negotiated settlement before the motion was decided. The decision to settle early in the case – before discovery or summary judgment – may signal a recognition that the likely settlement value of the case did not warrant the substantial cost of additional litigation for either side. Insofar as that logic would apply with equal force in just about any consumer payment card data breach case, the early resolution of the Home Depot case could provide a model for future settlements.
FCC Chairman Tom Wheeler has announced that a proposed rulemaking is being circulated among the Commissioners that would establish privacy and data security requirements applicable to providers of broadband Internet access service (BIAS). The Notice of Proposed Rulemaking (NPRM) itself will not be released to the public until the end of March when it is scheduled for a vote, but Chairman Wheeler released a summary of his proposal on Thursday.
In adopting the Open Internet Order, which reclassified BIAS as a telecommunications service subject to Title II of the Communications Act, the FCC determined that the privacy provisions of Section 222 of the Communications Act, which govern how call detail and call record information are used and protected by providers of telecommunications services, would also apply to BIAS providers. The Commission concluded, however, that its rules implementing the privacy provisions of that Title were ill-suited for broadband privacy, and opted to forbear from applying those rules to BIAS providers. Instead, the Commission stated that it would establish a new privacy framework applicable to BIAS providers, and last week’s announcement represents the start of that process.
Verizon Wireless has reached a settlement with the Federal Communications Commission over Verizon’s insertion of unique identifier headers (“UIDH”), also known as “supercookies,” to track customers’ mobile Internet traffic without their knowledge or consent. Verizon inserted UIDH into customers’ web traffic and associated the UIDH with customer proprietary information to create profiles and deliver targeted ads. In at least one instance, a Verizon advertising partner overrode customers’ privacy choices by using the UIDH to restore cookies deleted by the customer. For over two years Verizon Wireless did not disclose its use of UIDH in its privacy policies or offer consumers the opportunity to opt-out of the insertion of UIDH into their Internet traffic.
Among the major headlines dominating not only the recent news cycle, but also this week’s RSA Conference in San Francisco, has been Apple’s challenge to the federal government’s request that Apple assist in unlocking the iPhone recovered from the perpetrators of the shootings in San Bernardino. On March 1, 2016, the House Judiciary Committee held a hearing titled “The Encryption Tightrope: Balancing Americans’ Security and Privacy,” focused on the intersection of the competing values of privacy and security in American society. Testifying before the committee were two panels, one consisting solely of Federal Bureau of Investigation Director James Comey and the other of Bruce Sewell, Senior Vice President and General Counsel for Apple, Inc.; Cyrus R. Vance, District Attorney for New York County; and Professor Susan Landau of Worcester Polytechnic Institute.
Last week, we discussed the Federal government’s first steps toward implementing the Cybersecurity Information Sharing Act (CISA). Among the guidance documents released by the Department of Homeland Security and the Department of Justice were the Privacy and Civil Liberties Interim Guidelines. This guidance is designed to apply Fair Information Practice Principles (FIPPs) to Federal agency receipt, use and dissemination of cyber threat indicators consistent with CISA’s goal of protecting networks from cybersecurity threats.
FIPPs form the core of many federal and state privacy laws as well as the basis for privacy best practices across numerous industries and government agencies. This guidance applies them to federal agency collection of cyber threat indicators as described below. In practice, the government intends that application of some FIPPs to cyber threat indicators shared via the Department of Homeland Security’s Automated Indicator Sharing (AIS) tool, which we referenced here, will be effectuated via capabilities embedded within the AIS mechanism.
Now that the EU Commission has published the complete version of its draft decision adopting the EU-US Privacy Shield program, it’s time for the key reviewers to dig in. I don’t mean the lawyers, or EU privacy advocates, or US businesses, although their views will no doubt be wide-ranging and illuminating. But no, the really important reviewers are the members of the Article 29 Working Party.
Regular readers of this blog will know that the Art. 29 WP is made up of representatives of the EU’s national data protection authorities and that the group has a major advisory role as mandated by Art. 29 of the Data Protection Directive (hence the catchy name). The reason that the Art. 29 WP’s views will be particularly important for Privacy Shield is that the national DPAs will be the arbiters of the initial attacks that are almost certain to be made on Privacy Shield once it is adopted. In terms of legal action, the first step EU privacy advocates who are not satisfied with Privacy Shield (which Max Schrems has already characterized as “lipstick on a pig”) will take is to file complaints with their local DPAs. The DPAs will then need to consider whether Privacy Shield protects the “fundamental rights and freedoms” of the complainants. The DPAs will then issue decisions that can be appealed to the local courts. The local courts would then need to refer questions of European law (such as the validity of the Commission decision to adopt Privacy Shield) to the Court of Justice of the EU, which is the only court authorized to strike down a Commission decision. But it all starts with the DPAs.
The Art. 29 WP has promised to publish its comments after a plenary meeting on April 12-13. If the Art. 29 WP comes out in favor of Privacy Shield prior to its adoption, it will be a lot tougher for the DPAs to turn around later and agree with complainants that Privacy Shield is, after all, inadequate and should be struck down. So Art. 29 WP has compelling incentives to scrutinize the draft Privacy Shield decision very carefully over the next six weeks. It will be interesting to see whether the Commission draft survives the review without any vulnerabilities being identified that would lead the Commission to reopen negotiations with the US.
The European Commission has finally made the draft text of the EU-US Privacy Shield program available (scroll down in the press release for further links). The Privacy Shield program, which was agreed to in principle by US and EU negotiators nearly four weeks ago, will replace the Safe Harbor program that was struck down last autumn by the Court of Justice of the EU. However, Privacy Shield is not quite a done deal. The Commission is awaiting comments on the Privacy Shield program from the Article 29 Working Party, an advisory group that consists of members of the national data protection authorities.
Yesterday, we reviewed the staggering numbers in California Attorney General Kamala Harris’ 2016 Data Breach Report.
In addition to providing a comprehensive analysis of four years of data breaches, the report provides what is an answer to the vexing question of what her office considers to be “reasonable security.”
California Attorney General Kamala Harris has released a report of the data breaches that have been reported to her office from 2012 until 2015. Although the California data breach notification law took effect in 2003, beginning in 2012, businesses and government agencies have been required to notify the Attorney General of data breaches affecting more than 500 California residents.
The number of personal records that were compromised is staggering: 178 breaches were reported during 2015, and 24 million personal records were compromised.