Cybersecurity

Privacy and Data Protection: 2014 Year in Review

In 2014, regulators around the globe issued guidelines, legislation and penalties in an effort to enhance security and control within the ever-shifting field of privacy and data protection. The Federal Trade Commission confirmed its expanded reach in the United States, and Canada’s far-reaching anti-spam legislation takes full effect imminently. As European authorities grappled with the draft data protection regulation and the “right to be forgotten,” the African Union adopted the Convention on Cybersecurity and Personal Data, and China improved the security of individuals’ information in several key areas. Meanwhile, Latin America’s patchwork of data privacy laws continues to evolve as foreign business increases.

This report furnishes in-house counsel and others responsible for privacy and data protection with an overview of key action points based on these and other 2014 developments, along with advance notice of potential trends in 2015. McDermott will continue to report on future updates, so check back with us regularly.

Read the full report here.


When Seeking Cyber Coverage, Preparation is Key

In 2014, major data breaches were reported at retailers, restaurants, online marketplaces, software companies, financial institutions and a government agency, among others.  According to the nonprofit Privacy Rights Clearinghouse, 567 million records have been compromised since 2006.  Companies with data at risk should consider purchasing so-called cybersecurity insurance to help them weather storms created by assaults on their information infrastructure.  A company’s insurance broker and insurance lawyer can be of significant help in procuring insurance that meets a company’s need.

As an additional benefit, preparation for the cybersecurity insurance underwriting process itself likely will decrease the risk of a debilitating cyber incident.  The underwriting process for cybersecurity insurance is focused on the system that a company employs to protect its sensitive data, and can be detailed and exhaustive.  Like other insurance carriers, cybersecurity insurance carriers use the underwriting process to investigate prospective policyholders and ascertain the risks the carriers are being asked to insure.  Before applying for cybersecurity insurance, companies should perform due diligence on their information systems and correct as many potential risks as possible before entering the underwriting process.

Applicants for cybersecurity insurance may expect to answer questions about prior data breaches, information-technology vendors, antivirus and security protocols, and the species of data in their custody.  Carriers might also ask about “continuity plans” for the business, the company’s security or privacy policies, whether those policies are the product of competent legal advice, whether the company’s networks can be accessed remotely and, if so, what security measures are in place.  The investigation might even extend to a company’s employment practices, such as password maintenance and whether departing employees’ network access is cancelled prior to termination.  If a company has custody of private health information, carriers might delve into a company’s compliance with the Health Insurance Portability and Accountability Act of 1996.  Anything that makes a company more or less at risk for a data breach is fair game in the cybersecurity underwriting process.

Due diligence and corrective action prior to approaching an insurance company should yield three related results.  First, it should reduce the company’s risk of a data breach.  Because the insurance carriers are focused on what makes a company a larger or smaller risk to underwrite, companies can use carriers’ underwriting questions as a roadmap to improving the security of their information-technology systems.  Second, it should make the company more attractive to the prospective insurance company.  Insurance companies obviously prefer policyholders that do not present substantial risk of claims.  A company’s ability to present its systems as safe and secure will give a carrier a greater degree of comfort in reviewing and approving the application for insurance.  Finally, it should reduce the company’s premium for cybersecurity insurance.  Premium rates have a simple, direct relationship with risk.  As a policyholder’s risk profile increases, so too does the premium.  Shoring up gaps in a company’s security profile therefore should pay dividends in lower insurance costs.

Companies with sensitive data in their care should investigate options for cybersecurity insurance.  In [...]


Just In Time for the Holidays: More Security Requirements From NIST

The National Institute of Standards and Technology (NIST) has published draft recommendations aimed at securing the confidentiality of sensitive federal information located within non-federal entities’ information technology systems.  Draft Special Publication 800-171 includes draft recommendations intended to secure all “controlled unclassified information (CUI)” held by non-federal entities doing business with, or for, the federal government.  CUI includes personally identifiable data, financial information, medical records and other sensitive data.

Many of the recommendations are currently in use on a voluntary and limited basis.  Requiring the additional security measures could directly affect thousands of contractors, related businesses, universities and nonprofits conducting business with, or research for, the federal government.

The deadline for submitting public comments on Draft Special Publication 800-171 is January 16, 2015. Find the Draft Special Publication here.


California Continues to Lead with New Legislation Impacting Privacy and Security

At the end of September, California Governor Edmund G. Brown, Jr. approved six bills designed to enhance and expand California’s privacy laws. These new laws are scheduled to take effect in 2015 and 2016.  It will be important to be mindful of these new laws and their respective requirements when dealing with personal information and when responding to data breaches.

Expansion of Protection for California Residents’ Personal Information – AB 1710

Under current law, any business that owns or licenses certain personal information about a California resident must implement reasonable security measures to protect the information and, in the event of a data or system breach, must notify affected persons.  See Cal. Civil Code §§ 1798.81.5-1798.83.  Current law also prohibits individuals and entities from posting, displaying, or printing an individual’s social security number, or requiring individuals to use or transmit their social security number, unless certain requirements are met.  See Cal. Civil Code § 1798.85.

The bill makes three notable changes to these laws.  First, in addition to businesses that own and license personal information, businesses that maintain personal information must comply with the law’s security and notification requirements.  Second, in the event of a security breach, businesses now must not only notify affected persons, but also provide “appropriate identity theft prevention and mitigation services” to the affected persons at no cost for at least 12 months, if the breach exposed or may have exposed specified personal information.  Third, in addition to the current restrictions on the use of social security numbers, individuals and entities now also may not sell, advertise to sell, or offer to sell any individual’s social security number.

Expansion of Constructive Invasion of Privacy Liability – AB 2306

Under current law, a person can be liable for constructive invasion of privacy if the person uses a visual or auditory enhancing device and attempts to capture any type of visual image, sound recording, or other physical impression of the person in a personal or familial activity under circumstances in which the person had a reasonable expectation of privacy.  See Cal. Civil Code § 1708.8.

The bill expands the reach of the current law by removing the limitation requiring the use of a “visual or auditory enhancing device” and imposing liability if the person uses any device to capture a visual image, sound recording, or other physical impression of a person in a personal or familial activity under circumstances in which the person had a reasonable expectation of privacy.

The law will also continue to impose liability on those who acquire the image, sound recording, or physical impression of the other person, knowing that it was unlawfully obtained.  Those found liable under the law may be subject to treble damages, punitive damages, disgorgement of profits and civil fines.

Protection of Personal Images and Videos (“Revenge Porn” Liability) – AB 2643

Assembly Bill 2643 creates a private right of action against a person who intentionally distributes by any means, without consent, material that exposes a person’s intimate body parts or the [...]


France About to Embark on a Cookies Sweep Day

Impending sweep day to verify compliance with guidelines on cookies

During the week of September 15–19, 2014, France’s privacy regulator, the Commission Nationale de l’Informatique et des Libertés (CNIL), is organizing a “cookies sweep day” to examine compliance with its guidelines on cookies and other online trackers.

Starting in October 2014, the CNIL will also be conducting onsite and remote inspections to verify compliance with its guidelines on cookies.

Depending on the findings of the sweep and inspections, the CNIL may issue warnings or financial sanctions to non-compliant websites and applications.

Investigations gaining momentum

France is not the only country stepping up its data privacy efforts.  Parallel sweeps to the one conducted by the CNIL in September 2014 will be undertaken simultaneously by data protection authorities across the European Union.  The purpose of the coordinated action is to compare practices on the information given by websites to internet users and the methods to obtain their consent for cookies.

Nor is this the first time such a sweep has been organized in France.  In May 2013, the CNIL joined 19 counterparts worldwide in an audit of the 2,180 most visited websites and applications.  In that operation, known as “Internet Sweep Day”, the CNIL examined the compliance of 250 frequently visited websites and found that 99 percent of websites visited by French internet users collect personal information.  Of those that provided information on their data privacy policy, a considerable number did not render it easily accessible, clearly articulated or even written in French.

Compliance made simpler through CNIL guidelines

EU Directive 2002/58 on Privacy and Electronic Communications imposes an obligation to obtain prior consent before placing or accessing cookies and similar technologies on web users’ devices, an obligation incorporated into French law by Article 32-II of the French Data Protection Act.

Not all cookies require prior consent by internet users.  Exempt are cookies used “for the sole purpose of carrying out the transmission of a communication over an electronic communications network” and those that are “strictly necessary for the provision of an information service explicitly requested by the subscriber or user.”

For those cookies that require prior consent, the CNIL will verify how consent is obtained.  Under the CNIL guidelines, consent may be obtained either through an actual click or by the user’s further navigation within the site notwithstanding a continuing banner informing him or her of the website’s use of cookies.

Website owners can rely on tools made available by the CNIL to ensure their compliance with the cookie requirements.  In particular, a set of guidelines released by the CNIL in December 2013 explains how to obtain consent for the use of cookies and other online trackers in compliance with EU and French data protection requirements.

Under the CNIL guidelines, owners of websites may not force internet users to accept cookies.  Instead, the users must be able to block advertising cookies and still use the relevant service.  Internet users can withdraw their consent at any time, and cookies have a [...]


Wearable Technologies Are Here To Stay: Here’s How the Workplace Can Prepare

More than a decade ago, “dual use” devices (i.e., one device used for both work and personal reasons) began creeping into workplaces around the globe.  Some employees insisted on bringing fancy new smart phones from home to replace the company-issued clunker and, while many employers resisted at first, dual use devices quickly became so popular that allowing them became inevitable or necessary for employee recruitment and retention, not to mention the cost savings that could be achieved by having employees buy their own devices.  Because of early resistance, however, many HR and IT professionals found themselves scrambling in a reactive fashion to address the issues that these devices can raise in the workplace after they were already prevalent.  Today, most companies have robust policies and procedures to address the risks presented by dual use devices, setting clear rules for addressing privacy, security, protection of trade secrets, records retention and legal holds, as well as for preventing harassment, complying with the National Labor Relations Act (NLRA), protecting the company’s relationships and reputation, and more.

In 2014, there is a new trend developing in the workplace:  wearable technologies.   The lesson to be learned from the dual use device experience of the past decade: Companies should consider taking proactive steps now to identify the risks presented by allowing wearables at work, and develop a strategy to integrate them into the workplace in a way that maximizes employee engagement, but minimizes corporate risk.

An effective integration strategy will depend on the particular industry, business needs, geographic location and corporate culture, of course.  The basic rule of thumb from a legal standpoint, however, is that although wearables present a new technology frontier, the old rules still apply.  This means that companies will need to consider issues of privacy, security, protection of trade secrets, records retention, legal holds and workplace laws like the NLRA, the Fair Labor Standards Act, laws prohibiting harassment and discrimination, and more.

Employers evaluating use of these technologies should consider two angles.  First, some companies may want to introduce wearables into the workplace for their own legitimate business purposes, such as monitoring fatigue of workers in safety-sensitive positions, facilitating productivity or creating efficiencies that make business operations run more smoothly.  Second, some companies may want to consider allowing “dual use” or even just “personal use” wearables in the workplace.

In either case, companies should consider the following as part of an integration plan:

  • Identify a specific business-use case;
  • Consider the potential for any related privacy and security risks;
  • Identify how to mitigate those risks;
  • Consider incidental impacts and compliance issues – for instance, how the technologies impact the existing policies on records retention, anti-harassment, labor relations and more;
  • Build policies that clearly define the rules of the road;
  • Train employees on the policies;
  • Deploy the technology; and
  • Review the program after six or 12 months to confirm the original purpose is being served and whether any issues have emerged that should be addressed.

In other words, employers will need to run through [...]


Processing Personal Data in Russia? Consider These Changes to Russian Law and How They May Impact Your Business

Changes Impacting Businesses that Process Personal Data in Russia

On July 21, 2014, a new law, Federal Law № 242-FZ (the Database Law), was adopted in Russia, introducing amendments to the existing Federal Law “On personal data” and to the existing Federal Law “On information, information technologies and protection of information.”  The new Database Law requires companies to store and process personal data of Russian nationals in databases located in Russia.  At a minimum, the practical effect of this new Database Law is that companies operating in Russia that collect, receive, store or transmit (“process”) personal data of natural persons in Russia will be required to place servers in Russia if they plan to continue doing business in that market.  This would include, for example, retailers, restaurants, cloud service providers, social networks and those companies operating in the transportation, banking and health care spheres.  Importantly, while the Database Law is not scheduled to come into force until September 1, 2016, a new bill was just introduced on September 1, 2014 to move up that date to January 1, 2015.  The transition period is designed to give companies time to adjust to the new Database Law and decide whether to build up local infrastructure in Russia, find a partner having such infrastructure in Russia, or cease processing information of Russian nationals.  If the bill filed on September 1 becomes law, however, that transition period will be substantially shortened and businesses operating in Russia will need to act fast to comply by January 1.

Some mass media in Russia have interpreted provisions of the Database Law as banning the processing of Russian nationals’ personal data abroad.  However, this is not written explicitly into the law and, until such an interpretation is confirmed by the competent Russian authorities, this will continue to be an open question.  There is hope that the lawmakers’ intent was to give a much needed boost to the Russian IT and telecom industry, rather than to prohibit the processing of personal data abroad.  If this hope is confirmed, then so long as companies operating in Russia ensure that they process personal data of Russian nationals in databases physically located in Russia, they also should be able to process this information abroad, subject to compliance with cross-border transfer requirements.

The other novelty of this new Database Law is that it grants the Russian data protection authority (DPA) the power to block access to information resources that are processing information in breach of Russian laws.  Importantly, the Database Law provides that the blocking authority applies irrespective of the location of the offending company or whether they are registered in Russia.  However, the DPA can initiate the procedure to block access only if there is a respective court judgment.  Based on the court judgment the DPA then will be able to require a hosting provider to undertake steps to eliminate the infringements.  For example, the hosting provider must inform the owner of the information resource that it must eliminate the infringement, or the hosting [...]


New Data Disposal Law in Delaware Requires Action by Impacted Businesses

While the federal government continues its inaction on data security bills pending in Congress, some U.S. states have been busy at work on this issue over the summer.  A new Delaware law, H.B. 295, signed into law on July 1, 2014 and effective January 1, 2015, provides for a private right of action in which a court may order up to triple damages in the event a business improperly destroys personal identifying information at the end of its life cycle.  In addition to this private right of action, the Delaware Attorney General may file suit or bring an administrative enforcement proceeding against the offending business if it is in the public interest.

Under the law, personal identifying information is defined as:

A consumer’s first name or first initial and last name in combination with any one of the following data elements that relate to the consumer, when either the name or the data elements are not encrypted:

  • his or her signature,
  • full date of birth,
  • social security number,
  • passport number, driver’s license or state identification card number,
  • insurance policy number,
  • financial services account number, bank account number,
  • credit card number, debit card number,
  • any other financial information or
  • confidential health care information including all information relating to a patient’s health care history, diagnosis condition, treatment or evaluation obtained from a health care provider who has treated the patient, which explicitly or by implication identifies a particular patient.

Interestingly, this new law exempts from its coverage banks and financial institutions that are merely subject to the Gramm-Leach-Bliley Act, but it exempts health insurers and health care facilities only if they are subject to and in compliance with the Health Insurance Portability and Accountability Act (HIPAA), and credit reporting agencies only if they are subject to and in compliance with the Fair Credit Reporting Act (FCRA).

Given how broadly the HIPAA and FCRA exemptions are drafted, we expect plaintiffs’ attorneys to argue for the private right of action and triple damages in every case where a HIPAA- or FCRA-covered entity fails to properly dispose of personal identifying information, arguing that such failure evidences noncompliance with HIPAA or FCRA, thus canceling the exemption.   Note, however, that some courts have refused to allow state law claims of improper data disposal to proceed where they were preempted by federal law.  See, e.g., Willey v. JP Morgan Chase, Case No. 09-1397, 2009 U.S. Dist. LEXIS 57826 (S.D.N.Y. July 7, 2009) (dismissing individual and class claims alleging improper data disposal based on state law, finding they were pre-empted by the FCRA).

The takeaway?  Companies that collect, receive, store or transmit personal identifying information of residents of the state of Delaware (or any of the 30+ states in the U.S. that now have data disposal laws on the books) should examine their data disposal policies and practices to ensure compliance with these legal requirements.  In the event a business is alleged to have violated one of [...]


Incorporating Risk Analysis Into Your HIPAA Strategy

In building a stout privacy and security compliance program that would stand up well to federal HIPAA audits, proactive healthcare organizations are generally rewarded when it comes to data breach avoidance and remediation. But an important piece of that equation is performing consistent risk analyses.

McDermott partner, Edward Zacharias, was interviewed by HealthITSecurity to discuss these topics and more.

Read the full interview.


Trendy “Cybersecurity” Versus Traditional “Information Security”: Two Sides of the Same Security Coin

Cybersecurity has become a dominant topic of the day.  The Snowden revelations, the mega-data breaches of 2013, the pervasiveness of invisible online “tracking” and the proliferation of “data broker” trading in personal data – all feed into the fears of individuals who struggle to understand how their personal information is collected, used and protected.  Over the past year, these forces have begun to merge an old concern by individuals about the security of their personal information into a broader, more universal fear that the country’s infrastructure lies vulnerable.

In many respects, however, the concept of cybersecurity is not new.  Cybersecurity is a form of information security, albeit perhaps with a broader, more universal view of required security controls.  Decades-old statutes include information security requirements for certain types of information: the Health Insurance Portability and Accountability Act (HIPAA) addresses health information and the Gramm-Leach-Bliley Act (GLBA) addresses financial information.  Add to those statutory regimes the U.S. Federal Trade Commission’s (FTC) enforcement authority over corporate information security practices pursuant to Section 5 of the FTC Act (recently upheld in Federal Trade Comm’n v. Wyndham Worldwide Corp.) and certain state-based data security regulations that require corporations to safeguard personal information (e.g., 201 CMR 17.00, et seq.).  The net effect of these regulatory drivers is that many organizations have focused for decades on developing administrative, physical and technical safeguards for effective protection of personal information – resulting in a programmatic approach to information security.

Now, along comes the evolution of cybersecurity with its own emerging standards.  Organizations are asking themselves whether they need to do something different or in addition to the programmatic steps already taken to comply with information security requirements that are applicable to the organization.  The good news is that while some additional work likely will be required as described below, companies with solid programmatic approaches to information security are well on their way to meeting the following emerging cybersecurity standards.

NIST Cybersecurity Framework

On February 12, 2013, President Obama issued an Executive Order entitled “Improving Critical Infrastructure Cybersecurity.”  The Executive Order has several key components, but most importantly, it contains a requirement for owners and operators of “critical infrastructure” to develop a cybersecurity framework.  The Order directed the National Institute of Standards and Technology (NIST) to develop a baseline cybersecurity framework to reduce cyber risks to critical infrastructure.  NIST subsequently developed its “Framework for Improving Critical Infrastructure Cybersecurity” (Framework), which was released on February 12, 2014.  The goal of these efforts is to provide organizations with a cybersecurity framework as a model for their business.  While, at this point, the Framework is intended to be a voluntary program for owners and operators of critical infrastructure, it is already starting to seep into federal “incentives” used to encourage the private sector to comply with the Framework.  And the Framework itself may evolve into a sort of “security” standard of care.

SEC Cybersecurity and Disclosure Laws

In addition to the Framework, the U.S. Securities and Exchange Commission (SEC) recently [...]
