In this edition of the “Innocents Abroad” series, Susan Foster discusses the privacy considerations that come into play when an employee loses a laptop containing customer data abroad!


From: Ned Help

To: Carrie Counselor

Subject:  Lost laptop containing European customer information


A couple of weeks ago, you wrote me about an employee who will be engaging in a six-month temporary assignment around Europe to scope market opportunities. The employee was Abbie Absent-Minded.  Well, we hit a snag pretty quickly.  Abbie just e-mailed me to say that she left her laptop on a train in London last evening and it hasn’t turned up yet in the train company’s lost-and-found.  It was a brand-new laptop that we had given her for her European assignment, so fortunately it didn’t have a lot on it.  Abbie said that the laptop had contact information for her various marketing prospects, plus some sample customer data that she was given by one of her prospects to use in a demo of our web-based advertising product.  She thinks that the customer data included around 200 records with the customer’s name, age, gender, e-mail address and the history of purchases that the customer made from our prospective client’s retail stores.

I assume that we should tell our prospective client that the laptop with their customer data was lost.  What else do we need to think about?




Continue Reading Innocents Abroad: Lost laptop with customer data

Mintz Levin’s Immigration Law Blog is running a series titled “Innocents Abroad” addressing issues in an increasingly globalized economy where employers assign employees all over the globe.

These are big questions, reflecting some of the practical concerns in our international marketplace.  The series focuses on the well-intentioned Global HR Director, Ned Help, who will raise hot topics and difficulties his company faces when sending their employees abroad.  We will then explore the common pitfalls and offer practical solutions to the difficulties Ned Help faces.   This month’s edition:   Privacy Considerations – follow the rest of the series at Innocents Abroad.


From:            Carrie Counselor

To:                  Ned Help

Date:              May 24, 2016

RE:     Privacy considerations for employees working abroad

Dear Ned,

I understand that one of your employees will be engaging a six-month temporary assignment around Europe to scope market opportunities, and you’d like to have a better understanding of what to be thinking about in terms of privacy.  Great question!  This is an area where many employers struggle because other jurisdictions protect privacy and personal data quite differently than we do here in the United States.

Generally speaking, federal and state laws applicable to employee information do not have “extraterritorial” effect beyond the information that remains in the United States, meaning that American employees working abroad (even temporarily) will not benefit from US legal protections with respect to personal information collected, stored or transmitted outside of the country.

What makes this area of the law particularly crucial and daunting for employers is that non-US countries frequently offer greater protections to employees and establish far higher compliance obligations on the part of employers.  Of particular concern for you should be the data protection landscape across the European Economic Area (referred to as the “EEA,” encompassing all European Union (EU) Member States as well as Iceland, Liechtenstein and Norway) because each country has passed its own set of national laws governing the collection, use, retention and transmission of personal data. Companies must consider these local laws before electronically monitoring an employee outside the United States or transferring an employee’s personal information back home.  Let’s talk specifics: Continue Reading Innocents Abroad: Privacy Considerations for Employers

Since it’s traditionally the time for new beginnings and resolutions to clear away old habits, we’d like to pass on some tips for improving privacy and security in your operations — and in your own life —  in 2012.

1.   Be sure to secure.

Many data breaches occur by leaving sensitive information lying around the office.  Keep documents containing sensitive data and personally identifiable information locked up.  A clean desk is a safe desk.  Also, make this the time to secure your home network.   Since many online banking and other types of activities occur across a home network, why allow drive-by hackers to compromise your information?

2.  Encrypt, Encrypt, Encrypt.

When transmitting sensitive information, make sure it is encrypted and transmitted over a secure connection.   This is not only a privacy and information security “best practice,” it is also required by several laws and industry body regulations, including the HITECH Act (for electronic protected health information), the Massachusetts data security regulations, and the Payment Card Industry Data Security Standards (for credit card information).

3.  If you don’t need it, don’t take it.

Data breaches often occur when a laptop or document files are stolen from an employee’s home, or lost while in transit.  If you don’t need to work with sensitive data outside the office, don’t take it with you.

4.   Once you have read it, shred it.

If you no longer need files or documents containing sensitive information, destroy them using proper methods.  Using a secure file deletion program or an “e-shredder” is an effective way to destroy electronic copies.  Again, this isn’t just “best practice” in many situations — it’s the law (e.g., FTC Disposal Rule, Mass. Gen. Law 93I, HIPAA Privacy Rule).

5.   Browse intelligently.

Make sure that your web browser’s security and privacy settings are set to an appropriate level.  When traveling, or using a personal computer, be sure to delete web or temporary file caches so your “e-footprints” don’t expose any sensitive information.

6.    Never engage with a spammer.

  While unsolicited commercial emails (“spam”) are annoying, do not e-mail or otherwise contact the spammer unless you use a valid “unsubscribe” link at the bottom of the email.   It only serves to confirm your email as “live” and may actually increase the amount of spam you receive. Don’t open email or attachments from anyone you do not know.   Remind employees of this at work to avoid your company’s information being compromised by phishing scams.

7.  Make your passwords complex.

The passwords you use for your email, online banking, network access, or any other services that contain your private information — or the confidential information of your company/employer — should not be simple or easily guessed.   The best passwords are a mix of numbers, characters and letters.   If your company does not have a password policy, 2012 is a good time to start.  And,  mix up your own passwords.   Utilization of the same password across all your electronic activities is an invitation to be hacked.

Here’s to a happy and SAFE 2012!!


Ann Cavoukian, Ontario’s information and privacy commissioner, has issued her 2009 Annual Report, entitled “Access & Privacy, A Time for Innovation.” One of Cavoukian’s main subjects this year is the smart grid and the associated privacy issues, including the collection of knowledge about personal habits via “smart” appliances communicating with the grid. Cavoukian is a thought leader in building privacy into processes and controls and we’ve blogged about some of her writings in past issues. Her latest publication is worth consideration as we move further along with technological development – and before the grid becomes too smart.

Related link:
Smart grid data must be protected: Privacy czar –

And, Canada’s Assistant Privacy Commissioner is expressing concerns about the U.S. Secure Flight Program that will complete implementation and be fully operational by December. Under the program, passengers of any nationality who raise suspicions of U.S. authorities can be prevented from boarding flights that fly over U.S. airspace. Chantal Bernier told the Canadian Parliament yesterday that there is little Canada can do about it except urge the U.S. government to address extremely long data retention periods and other privacy concerns of Canadians. Under the program, Homeland Security may retain information collected (including name, birth date, flight information, itinerary and passport number) for periods ranging from a week up to 99 years.

Related link:
Vancouver Sun

As I blogged a few weeks back, the “Clear” Registered Traveler program abruptly ended because the service provider ceased operations. The announcement at the time raised the questions of what happens to the vast trove of personal information and biometric data that the company collected in order to “clear” frequent fliers who ponied up the $199 annual fee. Those questions have still not been completely answered, and just before the holiday, the Chairman of the House Committee on Homeland Security sent a letter to the Transportation Security Administration asking the same questions……..and giving TSA until July 8th to explain how the agency plans to ensure the security of the data.

Chairman Thompson wants TSA to explain what role it will take in ensuring that “adequate privacy protections are in place prior to any disposition of the personally identifiable information.” The TSA has posted an FAQ on its website directing questions about Clear back to the vendor.

We have learned a bit more from Verified Identity Pass (VIP), the company that operated the Clear program. VIP has issued a statement regarding the handling of existing data on hardware — airport kiosks and computers assigned to VIP employees. According to VIP, all such equipment was being cleared using a process known as “triple wiping,” which is a reliable method for clearing hard disks of data. Once the information has been wiped, Clear says that it will send members one final email confirming that their information has been deleted from the kiosks and computers.

None of this addresses the issue of the central database. What we do not know — and will not know until it happens — is whether the data will be sold. VIP has not filed for protection under the Bankruptcy Code and is presumably trying to sell itself to another Registered Traveler service provider (there are 8 approved by TSA). In the FAQ, the company’s response was that “(t)he personally identifiable information that customers provided to Clear may not be used for any purpose other than a Registered Traveler program operated by a Transportation Security Administration authorized service provider.” Short answer, if it can find a buyer that is a TSA-authorized RT provider, your data will most certainly be sold. Clear says nothing about informing members that their information will be transferred to another provider in a sale of what is left of the company, or obtaining consent to such a transfer.

All of this illustrates a ticking time bomb in difficult economic times — what happens to the myriad of personal and financial data that a failing or failed company has collected during the time it was in business?? Databases and customer lists are assets that can be converted to cash to pay creditors. Hardware is often sold for scrap without “triple wiping” or is just transferred to a new buyer.

Good discussion of the Clear program issues at ComputerWorld.

Bad news if you were a frequent flyer who ponied up the $199 annual fee to participate in Verified Identity Pass, Inc.’s registered traveler program, branded as “Clear.” Last night, the company announced that it was “unable to negotiate an agreement with its senior creditor” and shut down. Membership fees will not be refunded.

The bigger concern is what will happen to the (very) personal information of some 260,000 travelers who had registered and been “cleared.” In order to receive a Clear card, you had to provide substantial background information, fingerprints and iris scans. In its announcement, Clear Lanes Are No Longer Available, the website says that the company will take “appropriate steps” to delete its customers’ personal data. Given some of the prior history of the company with respect to securing that information, I am not reassured by that statement.

Last year, the company acknowledged temporarily losing an unencrypted laptop at San Francisco International Airport that contained the personal data of approximately 33,000 of its customers. In a press release, the Transportation Security Administration announced at the time that it was temporarily suspending Verified Identity Pass’ operations of the Clear program until VIP got its security house in order. The question is: now what? Does a bankruptcy judge decide what happens to the data? Will those whose information is in the database be informed in a manner other than a post on the company website? What methods will this now-defunct company use to “delete” the wealth of personal data it has on 260,000 Americans and how can those people be assured that any such deletion is reliable (I’ll be interested in hearing about that…)?

Tip of the iceberg……………