Skip to content

Archives: Uncategorized

Mintz Levin’s Immigration Law Blog is running a series titled “Innocents Abroad” addressing issues in an increasingly globalized economy where employers assign employees all over the globe.

These are big questions, reflecting some of the practical concerns in our international marketplace.  The series focuses on the well-intentioned Global HR Director, Ned Help, who will raise hot topics and difficulties his company faces when sending their employees abroad.  We will then explore the common pitfalls and offer practical solutions to the difficulties Ned Help faces.   This month’s edition:   Privacy Considerations – follow the rest of the series at Innocents Abroad.


 

From:            Carrie Counselor

To:                  Ned Help

Date:              May 24, 2016

RE:     Privacy considerations for employees working abroad

Dear Ned,

I understand that one of your employees will be engaging a six-month temporary assignment around Europe to scope market opportunities, and you’d like to have a better understanding of what to be thinking about in terms of privacy.  Great question!  This is an area where many employers struggle because other jurisdictions protect privacy and personal data quite differently than we do here in the United States.

Generally speaking, federal and state laws applicable to employee information do not have “extraterritorial” effect beyond the information that remains in the United States, meaning that American employees working abroad (even temporarily) will not benefit from US legal protections with respect to personal information collected, stored or transmitted outside of the country.

What makes this area of the law particularly crucial and daunting for employers is that non-US countries frequently offer greater protections to employees and establish far higher compliance obligations on the part of employers.  Of particular concern for you should be the data protection landscape across the European Economic Area (referred to as the “EEA,” encompassing all European Union (EU) Member States as well as Iceland, Liechtenstein and Norway) because each country has passed its own set of national laws governing the collection, use, retention and transmission of personal data. Companies must consider these local laws before electronically monitoring an employee outside the United States or transferring an employee’s personal information back home.  Let’s talk specifics: Continue Reading Innocents Abroad: Privacy Considerations for Employers

We now have a precise date for the European Union’s General Data Protection Regulation to go into effect: May 25, 2018.  The official version has been published and is available here.  The GDPR, in its official published version, contains 87 densely-packed pages of recitals and articles, and many new and expanded obligations for both “controllers” and “processors” of personal data.  Many companies will need the full two years’ lead time to bring their operations and contracts into compliance.  (Read our bullet point summary here.)

The Article 29 Working Party has released opinions on Privacy Shield and “essential guarantees” under EU law relating to surveillance, here and here.

Please join us in our webinar at 1 pm EDT today to learn more about the Article 29 Working Party’s opinion on Privacy Shield (register here).  We will look at the opinion’s likely impact on Privacy Shield’s rocky progress through the EU bureaucracy, as well as on the legal attacks that we expect Privacy Shield will face if and when it is ultimately adopted by the Commission.

 

cookiesVerizon Wireless has reached a settlement with the Federal Communications Commission over Verizon’s insertion of unique identifier headers (“UIDH”), also known as “supercookies,” to track customers’ mobile Internet traffic without their knowledge or consent.  Verizon inserted UIDH into customers’ web traffic and associated the UIDH with customer proprietary information to create profiles and deliver targeted ads.  In at least one instance, a Verizon advertising partner overrode customers’ privacy choices by using the UIDH to restore cookies deleted by the customer.  For over two years Verizon Wireless did not disclose its use of UIDH in its privacy policies or offer consumers the opportunity to opt-out of the insertion of UIDH into their Internet traffic.

Continue Reading Verizon Settles Supercookie Probe with FCC

apple-logo fbi-sealAmong the major headlines dominating not only the recent news cycle, but also this week’s RSA Conference in San Francisco, has been Apple’s challenge to the federal government’s request that Apple assist in unlocking the iPhone recovered from the perpetrators of the shootings in San Bernardino.  On March 1, 2016, the House Judiciary Committee held a hearing titled “The Encryption Tightrope: Balancing Americans’ Security and Privacy” focused on the intersection of the competing values of privacy and security in American society.  Testifying before the committee were two panels, one consisting solely of Federal Bureau of Investigation James Comey and the other of Bruce Sewell, Senior Vice President and General Counsel for Apple, Inc.; Cyrus R. Vance, District Attorney for New York County and Professor Susan Landau of Worcester Polytechnic Institute. Continue Reading Apple vs. FBI: The House Judiciary Committee Hearing and Takeaways

Now that the EU Commission has published the complete version of its draft decision adopting the EU-US Privacy Shield program, it’s time for the key reviewers to dig in.   I don’t mean the lawyers, or EU privacy advocates, or US businesses, although their views will no doubt be wide-ranging and illuminating.  But no, the really important reviewers are the members of the Article 29 Working Party.

Regular readers of this blog will know that the Art. 29 WP is made up of representatives of the EU’s national data protection authorities and that the group has a major advisory role as mandated by Art. 29 of the Data Protection Directive (hence the catchy name).  The reason that that Art. 29 WP’s views will be particularly important for Privacy Shield is that the national DPAs will be the arbiters of the initial attacks that are almost certain to be made on Privacy Shield once it is adopted.  In terms of legal action, the first step EU privacy advocates who are not satisfied with Privacy Shield (which Max Schrems has already characterized as “lipstick on a pig“)  will take is to file complaints with their local DPAs. The DPAs will then need to consider whether Privacy Shield protects the “fundamental rights and freedoms” of the complainants.  The DPAs will then issue decisions that can be appealed to the local courts.  The local courts would then need to refer questions of European law (such as the validity of the Commission decision to adopt Privacy Shield) to the Court of Justice of the EU, which is the only court authorized to strike down a Commission decision.  But it all starts with the DPAs.

The Art. 29 WP has promised to publish its comments after a plenary meeting on April 12-13.  If the Art. 29 WP comes out in favor of Privacy Shield prior to its adoption, it will be a lot tougher for the DPAs to turn around later and agree with complainants that Privacy Shield is, after all, inadequate and should be struck down.  So Art. 29 WP has compelling incentives to scrutinize the draft Privacy Shield decision very carefully over the next six weeks.  It will be interesting to see whether the Commission draft survives the review without any vulnerabilities being identified that would lead the Commission to reopen negotiations with the US.

The European Commission has finally made the draft text of the EU-US Privacy Shield program available (scroll down in the press release for further links).  The Privacy Shield program, which was agreed to in principle by US and EU negotiators nearly four weeks ago, will replace the Safe Harbor program that was struck down last autumn by the Court of Justice of the EU.  However, Privacy Shield is not quite a done deal. The Commission is awaiting comments on the Privacy Shield program from the Article 29 Working Party, an advisory group that consists of members of the national data protection authorities.

Yesterday, we reviewed the staggering numbers in California Attorney General Kamala Harris’ 2016 Data Breach Report.california-flag-graphic

In addition to providing a comprehensive analysis of four years of data breaches, the report provides what is an answer to the vexing question of what her office considers to be “reasonable security.”

Continue Reading California by the Numbers (Part 2): How to Stay out of the 2017 Report

In a chain of events that should be a wake-up call to any entity using and storing critical health information (and indeed, ANY kind of critical information), Hollywood Presbyterian Medical Center (“HPMC”) has announced that it paid hackers $17,000 to end a ransomware attack on the hospital’s computer systems. On February 5, HPMC fell victim to an attack that locked access to the medical center’s electronic medical record (“EMR”) system and blocked the electronic exchange of patient information. Earlier reports indicated that the hackers had originally demanded $3,400,000.Such “ransomware” attacks are caused by computer viruses that wall off or encrypt data to prevent user access. Hackers hold the data ransom, demanding payment for the decryption key necessary to unlock the data. The attacks are often caused by email phishing scams. The scams may be random or target particular businesses or entities. In the case of HPMC, the medical center’s president and CEO indicated to media outlets that the attack was random, though Brian Barrett, writing for Wiredquestioned that assertion.The medical center’s announcement of the resolution of the incident indicates that there is no evidence that patient or employee information was accessed by the hackers as part of the attack. Even if the data was not compromised, the attack led to enormous hassles at the hospital, returning it to a pre-electronic record-keeping system.

We have seen many variations of the ransomware attacks on the increase lately.   Cryptolocker and Cryptowall are the two most prevalent threats, but a Forbes article about the HPMC attack revealed that HPMC was victimized by a variant called “Locky,” which, according to the Forbes article, is infecting about 90,000 machines a day.

Details of the HPMC Incident

On February 2, 2016, three days before the HPMC attack, the Department of Health & Human Services Office for Civil Rights (“OCR”) announced the launch of its new Cyber-Awareness Initiative. That announcement included information on ransomware attacks and prevention strategies. Suggested prevention strategies from OCR included:

  1. Backing up data onto segmented networks or external devices and making sure backups are current.  That protects you from data loss of any kind, whether caused by ransomware, flood, fire, loss, etc.  If your system is adequately backed up, you may not need to pay ransom to get your data unlocked.
  2. Don’t be the low-hanging fruit:  Ensuring software patches and anti-virus are current and updated will certainly help.   Many attacks rely on exploiting security bugs that already have available fixes.
  3. Installing pop-up blockers and ad-blocking software.
  4. Implementing browser filters and smart email practices.

Most of these prevention strategies are HIPAA security and overall general business security measures that ought to be in place for companies across the board. As OCR and the FBI (see below) both indicate, smart email practices and training the workforce on them are key elements to preventing phishing scams.  If you are a HIPAA-covered entity, you should be checking in with Mintz’s Health Law & Policy Matters blog on a regular basis.

FBI on Ransomwaredigitallife03-111715

One of the big questions arising out of the HPMC and other ransomware cases is:  do we pay?   If your business is about to grind to a halt, you likely have no choice.    However, the incident should first be reported to the FBI and discussed with forensics and legal experts who have experience with ransomware in particular.    The FBI’s Ransomware information page provides some tips.  Ransomware attacks should be part of your incident response plan and the “what do we do” should be discussed at the highest levels of the company.

When in Doubt, Don’t Be a Click Monkey!

Before clicking on a link in an email or opening an attachment, consider contextual clues in the email. The following types of messages should be considered suspicious:

  • A shipping confirmation that does not appear to be related to a package you have actually sent or expect to receive.
  • A message about a sensitive topic (e.g., taxes, bank accounts, other websites with log-in information) that has multiple parties in the To: or cc: line.
  • A bank with whom you do not do business asking you to reset your password.CodeMonkey-68762_960x3601
  • A message with an attachment but no text in the body.

All businesses in any sector need to take notice of the HPMC attack and take steps to ensure that they are not the next hostages in a ransomware scheme.  

The amended Judicial Redress Act has passed the House and is on its way to the president to be signed into law.  The Act, which we covered in an earlier blog post, gives citizens  of foreign countries the same rights as US citizens in connection with the use by the US government of their personal data, subject to a determination by the Attorney General that the country in question cooperates with the US in sharing law enforcement information, doesn’t impede the flow of personal data to the US for commercial purposes, and meets certain other requirements.  Essentially, the Judicial Redress Act helps assuage the EU’s concerns about government uses of personal data.  The Judicial Redress Act is vital for the EU’s acceptance of the Umbrella Agreement for sharing of data by law enforcement agencies.  It should be helpful for the proposed new “Privacy Shield,” which is currently under review by representatives of Europe’s national data protection agencies.