Cybersecurity

The Highest Court in the European Union Strikes Down the Data Retention Directive as Invalid

In a significant move, the Court of Justice of the European Union (CJEU) has ruled that the Data Retention Directive 2006/24/EC (Directive) is invalid. This decision is expected to have wide-reaching implications for privacy laws across the European Union.

On 8 April 2014, the CJEU held that the requirement imposed on internet service providers (ISP) and telecom companies to retain data for up to two years “entails a wide-ranging and particularly serious interference with [the] fundamental rights [to respect for private life and communications and to the protection of personal data] in the legal order of the EU, without such an interference being precisely circumscribed by provisions to ensure that it is actually limited to what is strictly necessary.”

The Directive

The Directive is a product of heightened security concerns in the aftermath of terrorist attacks around the world. It facilitated almost unqualified access by national authorities to the data collected by communications providers for the purpose of the prevention, investigation, detection and prosecution of organised crime and terrorism. To enable this access, obligations were imposed on communications providers to retain certain data for between six months and two years.

The Ruling

Specifically, communications providers were required to retain traffic and location data as well as data necessary to identify users. It did not, however, permit the retention of communication content or of the information consulted by the user.

The CJEU found that the retained data revealed a phenomenal amount of information about individuals and their private lives. The data enabled the identification of persons with whom the user has communicated and by what means; the time and place of communication; and the frequency of communications with certain persons during a given period. From this data, a very clear picture could be formed of the private lives of users, including their daily habits, permanent or temporary places of residence, daily or other movement, activities carried out, social relationships and the social environments frequented.

The CJEU accepted the retention of data for use by national authorities for the legitimate objective of national security, but held that the Directive went further than necessary to fulfil that objective, thereby violating the proportionality principle.

It delineated five main concerns:

  1. Generality – The Directive applies to all individuals and electronic communications without exception.
  2. No Objective Criteria – The Directive did not stipulate any objective criteria and procedures with which national authorities should comply in order to access the data.
  3. No Proportionality of Retention Period – The minimum retention period of six months failed to provide for categories of data to be distinguished or for the possible utility of the data vis-à-vis the objectives pursued. Further, the Directive did not provide any objective criteria by which to determine the data retention period which would be strictly necessary according to the circumstances.
  4. Insufficient Safeguards – The Directive fails to provide sufficient safeguards against abuse and unlawful access and use of the data.
  5. Data may leave the EU – There is no requirement to retain the data in the EU [...]


Kentucky Becomes 47th State with a Data Breach Notification Law

On April 10, 2014, Kentucky became the 47th state to enact breach notification legislation.  Under the new law, companies that conduct business in Kentucky and hold consumer data of Kentucky residents will now be required to disclose data breaches involving the unauthorized acquisition of unencrypted computerized data of Kentucky residents.  Companies must disclose the breach in the “most expedient time possible” and “without unreasonable delay” to any state resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

The Kentucky law is similar to many other state breach notification laws.  For example, the Kentucky law defines “personal information” as an individual’s first name or first initial and last name in combination with either their Social Security number; driver’s license number; or account, credit or debit card number in combination with any required security or access code.  In addition, the legislation permits companies to provide notification in written or electronic form, through email, through major statewide media or by posting an alert on their website, and allows for the delay of notification if a law enforcement agency determines the action will impede its criminal investigation.

Notably, the law does not require notification to the state attorney general, but does require that notification be given to consumer reporting agencies and credit bureaus if the breach affects more than 1,000 individuals.

Now that Kentucky has a data breach notification law, just Alabama, New Mexico and South Dakota remain as the three states that still do not have a comprehensive notification law outside of the public sector.





Take Action to Stop the Bleeding: Follow These Steps

“Heartbleed” has been all over the news, and companies have been scrambling to respond.  What sounds like a nasty medical condition is actually a recently discovered flaw in popular encryption software called OpenSSL.  It has been widely reported in the news outlets that approximately 60 percent of all web servers use OpenSSL.  According to the Federal Trade Commission, the flaw can permit a hacker to unlock the encryption and “monitor all communication to and from a server—including usernames, passwords, and credit card information—or create a fake version of a trusted site that would fool browsers and users, alike.”

So how can companies stop the bleeding?

  1. Figure out if any websites, systems (like e-mail) or applications (like virtual private network [VPN] endpoints, load balancers or database management software) use OpenSSL.  More information about how internal information technology (IT) teams can find and fix the flaw can be found on heartbleed.com.
  2. A comprehensive review of systems is important because, according to security firm Coalfire, OpenSSL is a program that is not just used on externally facing websites.  It also is frequently used on internal applications, management consoles, “appliances” and legacy systems, which will remain vulnerable until patched.  This is especially critical for systems that contain sensitive information, such as protected health information, financial information, Social Security numbers and other highly confidential items.  A firm like Coalfire can scan corporate systems to discover the vulnerability at a relatively modest cost.
  3. Update to the latest version of OpenSSL to fix the flaw.  After updating, companies need to generate a new encryption key (most IT teams know how to do this) and obtain a new SSL Certificate from a trusted authority, which will signal to browsers that the website is secure.  Generating the new key is critical—otherwise a company’s server and data could still be at risk.
  4. Confirm that vendors, business partners and contractors that provide technical services or support to company systems have addressed any OpenSSL flaws in their systems.
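The triage and key-regeneration steps above (find affected OpenSSL builds, then prove the replacement certificate uses a brand-new key), as an added shell example that is not code from the original post or from heartbleed.com. It assumes the `openssl` command-line tool is installed; file names and the CN are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post or from heartbleed.com.
# Helpers for the remediation steps above: a version triage that flags
# OpenSSL builds carrying the Heartbleed bug, and a key-rotation check that
# confirms the replacement certificate really uses a fresh private key.
# Assumes the OpenSSL command-line tool is installed.

# Heartbleed is present in OpenSSL 1.0.1 through 1.0.1f and the 1.0.2-beta
# releases; 1.0.1g and later, and the 1.0.0 and 0.9.8 branches, do not
# contain the flawed heartbeat code. Returns 0 (true) when $1 is affected.
# Caveat: several distributions backported the fix into builds that still
# report "1.0.1e", so a hit here means "investigate", not "confirmed".
is_heartbleed_version() {
    case "$1" in
        1.0.1|1.0.1[a-f]|1.0.2-beta*) return 0 ;;
        *) return 1 ;;
    esac
}

# Extracts the version field from "openssl version" output such as
# "OpenSSL 1.0.1e 11 Feb 2013" and runs it through the check above.
local_openssl_affected() {
    ver=$(openssl version 2>/dev/null | awk '{print $2}')
    [ -n "$ver" ] && is_heartbleed_version "$ver"
}

# Step 3 of the post: after patching, issue a fresh private key and a CSR
# for the replacement certificate. Writes $1.key and $1.csr for CN=$2.
new_key_and_csr() {
    openssl genrsa -out "$1.key" 2048 2>/dev/null &&
    openssl req -new -key "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
}

# SHA-256 of the public key inside a PEM certificate or PEM private key.
# Fails (prints nothing, returns 1) when the file is neither.
pubkey_digest() {
    pem=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null ||
          openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# Returns 0 when the old and new artefacts (certificate or key files) carry
# different public keys, i.e. the key was really regenerated, and 1 when the
# old key was reused or either file could not be read.
key_was_rotated() {
    old=$(pubkey_digest "$1")
    new=$(pubkey_digest "$2")
    [ -n "$old" ] && [ -n "$new" ] && [ "$old" != "$new" ]
}
```

Source the file, run `local_openssl_affected` on each host from the step-1 inventory, and after re-issuing, run `key_was_rotated old-cert.pem new-cert.pem` so that a certificate re-issued against the compromised key is caught before deployment.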

But what about the blood that’s already spilled?

After taking these steps to stop the bleeding by fixing OpenSSL flaws, a critical next step is for companies to conduct an assessment of data and actions previously thought to be encrypted.

Companies should consider evaluating with counsel how and when to communicate with customers and employees about changing log-in credentials and taking any other appropriate steps in light of the particular situation addressed by the company.

In addition, given the publicity and attention to this issue, customer service lines might see an increase in calls inquiring whether a company’s website is secure and whether log-in credentials should be changed.  Convening the right internal resources to prepare clear, concise talking points will help those customer service teams convey accurate, consistent information in a way that minimizes harm to consumers and brand.

Even if companies are confident that their own sites have been fixed, they should consider whether employees may have used corporate log-in credentials on mobile devices or over connections, such as remote access VPN [...]


New Mexico Moves One Step Closer to Becoming the 47th State with a Breach Notification Law

46 states plus Washington, D.C. have data breach notification laws.  Alabama, Kentucky, New Mexico and South Dakota still do not have a comprehensive notification law outside of the public sector.  That may change soon though, because the New Mexico House of Representatives unanimously passed a bill on February 17, 2014, that would require companies to notify state residents of a breach of their unencrypted personal information.  The bill appears to resemble many existing state breach notification laws, and contains a number of exceptions under which companies would not be required to provide notice of a breach.

The definition of personal information is the standard definition we see in many state breach notification laws – defined as name plus another data element that could lead to identity theft or financial fraud: social security number; driver’s license number; government-issued ID; or account number, credit card number or debit card number, in combination with any required code or password that would permit access to a person’s financial account.

If the bill passes, New Mexico will join the handful of other states with specific timing provisions for notification—if the breach involves 1,000 or more residents, companies would be required to notify affected individuals within 45 days of discovering the breach, and the state attorney general (AG) within 14 days (like Vermont).

Companies can avoid notification to affected residents if there is no “significant risk of identity theft or fraud,” but when the incident involves 1,000 or more individuals, the company still must notify the state AG with a written explanation of its risk of harm analysis.  Like many other states, the bill also contains a “deemed in compliance” provision stating that companies in compliance with the federal Gramm-Leach-Bliley Act or the federal Health Insurance Portability and Accountability Act would be deemed to be in compliance with the proposed law.

At the federal level, there have been increased demands for Congress to establish a national data breach notification standard, and several bills have been introduced that would create such a standard.  Most recently, on February 4, 2014, U.S. Senators Edward Markey (D-Mass.) and Richard Blumenthal (D-Conn.) introduced the Personal Data Protection and Breach Accountability Act, which seeks to establish a federal breach notification standard and impose minimum data security requirements for companies, like the approach taken in Massachusetts with 201 C.M.R. 17.00, et seq.  We will be watching these bills closely and reporting on any further developments.





In with the New, Part III: 2014 Privacy, Advertising and Digital Media Predictions

Boston-based litigation partner Matt Turnell shares his predictions about class action litigation under the Telephone Consumer Protection Act (TCPA) and Electronic Communications Privacy Act (ECPA) in 2014, and Boston-based white-collar criminal defense and government investigations partner David Gacioch shares his predictions about government responses to data breaches.

Class Action Litigation Predictions

2014 is already shaping up to be an explosive year for privacy- and data-security-related class actions.  Last December’s data breach at Target has already led to more than 70 putative class actions being filed against the retailer.  With recently disclosed data breaches at Neiman Marcus and Michaels Stores—and possibly more to come at other major retailers—court dockets will be flooded with these suits this year.  And consumers are not the only ones filing class actions; banks that have incurred extra costs as a result of the data breaches are headed to court as well, with at least two putative class actions on behalf of banks filed so far against Target.

That volume of litigation related to the Target data breaches likely will be matched by a steady stream of class actions filed under the TCPA.  2013 was a busy year for the TCPA docket and I expect that the Federal Communications Commission’s (FCC) stricter rules requiring express prior written consent from the called party, which took effect in October 2013, means that 2014 will be just as busy since the majority of TCPA class actions seek statutory damages for companies’ failure to obtain consent before making autodialed or prerecorded voice calls or sending unsolicited text messages or faxes. 

In 2014, I expect to see key decisions under the ECPA related to social media platforms and email providers capturing and using content from customers’ emails and other messages for targeted advertising or other purposes.  One district court has already denied a motion to dismiss an ECPA claim challenging this conduct and I predict that other decisions are forthcoming this year.  Needless to say, decisions in favor of class-action plaintiffs in this area could have major implications for how social media sites and email providers do business.

Matt Turnell, Partner

Government Responses to Data Breaches

As significant data breaches continue to dominate the news, public awareness of data privacy and security issues will increase, as will their political appeal.  I expect to see in 2014:

  • Record numbers of breach reports to state and federal regulators, as awareness of reporting obligations spreads further and further across data owner, licensee, broker and transmitter groups;
  • More states committing more enforcement resources to data privacy and security, including budget dollars and dedicated attorney general’s office units;
  • More state/federal and multi-state coordination of investigations, leading to increased settlement leverage by enforcement authorities vis-à-vis firms under investigation; and
  • Greater numbers and dollar values of settlements by the Federal Trade Commission (FTC) and state attorneys general than ever before.

Similarly, with the HIPAA Omnibus Final Rule going into effect on September 23, 2013, coupled with the late-2013 Department of Health and Human Services [...]


In with the New, Part II: 2014 Privacy, Advertising and Digital Media Predictions

On the heels of 2014 predictions from the U.S.-based Of Digital Interest (ODI) editorial team, following are some predictions from our London-based editor, Rohan Massey:

Security breaches

Recent security breaches concerning consumer data in the retail industry have demonstrated the damage breaches of this kind can have on a business’ brand, with potential impact on share price. Such breaches highlight the pressing need for robust data security measures, and the commercial importance these issues can have on an organization’s brand value. It is likely that, as with intellectual property assets 25 years ago, we will begin to see a push, driven by shareholders and proactive management for data assets to be listed as an accounting line item in corporate accounts in the coming year.

Europe

The draft report of Rapporteur Jan Philipp Albrecht on the proposed Data Protection Regulations recently discussed by the Committee on Civil Liberties, Justice and Home Affairs of the European Parliament has indicated that the Commission and the Rapporteur strongly support radical changes to the current data protection regime. As we enter the next stage of negotiations for the draft Regulation, this report could have a significant impact, with reforms not anticipated to be finalized until 2015. Within the next 12 months, a roadmap of terms and timelines for the new regime will likely be delivered. We can expect larger penalty capacity and a streamlined, if broader, regulatory framework, but as we know the devil remains in the detail.





Data Privacy Day 2014

In Boston, we celebrated Data Privacy Day (January 28) by presenting “U.S. Privacy and Data Protection: 2013 Year In Review and a Prediction of What’s to Come in 2014” for participants in an IAPP KnowledgeNet.  Our panel of speakers discussed significant U.S. data privacy and protection events from 2013 and shared thoughts about what’s ahead for 2014 in U.S. data privacy and protection.  You may download the presentation slides here.

We hope you find our presentation materials informative.   Of course, please do not hesitate to contact any member of the Of Digital Interest editorial team with questions or comments.





In with the New: 2014 Privacy, Advertising and Digital Media Predictions

Data privacy and security made the headlines practically daily in 2013.  Our second annual Privacy and Data Protection 2013 Year in Review topped 65 pages!

What privacy, advertising and digital media trends will make headlines in 2014? Here are predictions from Of Digital Interest’s U.S. editorial team:

User Tracking Law Enforcement in California: “Amendments to the California Online Privacy Protection Act (CalOPPA) took effect on January 1, 2014 that require every website that is available to California residents to disclose how it responds to Do Not Track signals from web browsers and what third party data collection is occurring on the website.  I predict that we will see enforcement activity from the California Attorney General about whether website owners/operators have made disclosures to consumers that not only meet the new CalOPPA requirements but also accurately reflect tracking activities by the website and by third parties.”  – Heather Egan Sussman, Partner

No Kid-ding:  “January 1 marked the six-month anniversary of the effective date of the amended “COPPA Rule,” which requires businesses to have parental consent before personal information is collected from kids under age 13.  Having just approved a parental consent method (in December), I predict that the Federal Trade Commission (FTC) will initiate COPPA enforcement actions related to social media (now that photos and videos are personal information under COPPA) and in mobile apps (now that COPPA covers geo-location data).  Perhaps the FTC will start by investigating the app developers to which the FTC sent letters explaining their new COPPA compliance responsibilities last May.”  – Julia Jacobson, Partner

Safe Harbor Will Stay Safe:  “Last year’s government surveillance accusations made the U.S. Safe Harbor Program a flash point for debate between EU and U.S. data protection regulators.  Nevertheless, very few on either side of the Atlantic believe that companies properly certified under the Safe Harbor Program should disrupt data transfers necessary to meet credible business objectives.   I predict that the rhetoric will continue, but so will the U.S. Safe Harbor Program, albeit perhaps tweaked in response to the European Commission’s recently-issued recommendations to improve the Program’s effectiveness.   More debate to come in 2014, but, meanwhile, many U.S. companies will continue to view Safe Harbor certification as their preferred approach to E.U. data protection compliance and will continue to implement data protection policies and programs intended to comply with the Safe Harbor Principles.”  – Ann Killilea, Counsel

Cloudy Forecast:  “The year of 2014 is quickly becoming the year of the mega-sized data breach, with the Target and Neiman Marcus incidents leading the way.  Corporate customers have long been aware that cloud offerings present data security concerns, but may not have been as laser-focused on the data breach aspects as they should.  I predict that in 2014, as the cloud service market becomes a commercial fact of life, data breach concerns will dominate how customers select and contract with their cloud service providers, and how they implement their incident response plans by including cloud service providers in their preparations.”  – [...]


Privacy and Data Protection: 2013 Year in Review

Privacy and data protection continue to be an exploding area of focus for regulators in the United States and beyond. This report gives in-house counsel and others responsible for privacy and data protection an overview of some of the major developments in this area in 2013 around the globe, as well as a prediction of what is to come in 2014.

Read the full report here.





BYOD is Here to Stay

The buzz at Georgetown Law’s recent Advanced eDiscovery Institute on Information Governance and Big Data (November 21-22, 2013) made it crystal clear to attending corporate C-suiters:  Bring Your Own Device (BYOD) is here to stay and so are its risks.

BYOD describes the trend of companies allowing employees to use their personal smart phones, tablets and other devices to create and store business information and access company networks.  Corporations have been cautiously receptive of the trend, recognizing its morale, productivity and cost-saving benefits.  Whether BYOD actually saves money in the long run remains to be seen; corporate bulk buying power and resulting discounts can be lost in the shift to BYOD.  Also, allowing varied devices and applications can exponentially increase the burden on corporate IT departments for backup, service and support.

BYOD also creates a host of compliance, corporate risk and data privacy issues:

  • Employees may connect to the internet over unsecured connections, causing data on the corporate network to be unwittingly exposed to theft, alteration and other risk.
  • Casual, improper disposal or loose protection of a personal device increases the risks of data theft or hacking.
  • As data security for protected personal information continues to evolve as an increasing regulatory concern, BYOD and its IT security challenges raise the regulatory risk profile of most companies.
  • Unforeseen liabilities and expenses may arise that relate to regulatory control over some types of data (e.g., protected health information under HIPAA) for business sectors in which the corporation normally does not operate.
  • Both the employee and the employer may claim ownership of data on a BYOD device.

A proper BYOD policy that addresses data protection and ownership issues may help mitigate these issues. Ensuring regular backup, basic security, encryption and remote-wiping capabilities will protect confidential corporate data in most circumstances.

For more information on BYOD, see “E-Discovery: Is BYOD a B-A-D idea?” written by Elle Pyle and Jessica Smith and published by Inside Counsel on September 10, 2013.




