Data Privacy Archives - Page 15 of 35

Data Privacy

Update on State Breach Notification Laws

by Amy C. Pimentel | Apr 14, 2015 | Consumer Protection, Cybersecurity, Data Privacy

In the first few months of 2015, a number of states have introduced data breach notification bills and proposed legislative amendments designed to enhance consumer protection in response to increasingly high profile data breaches reported in the media. This activity at the state level seems to indicate that protecting consumers from data breaches is one area where democrats and republicans can find common ground.

From the text of these bills, some of which have already become law, we see two emerging trends: (1) an expansion of the definition of personal information to include more categories of data that, if compromised, would trigger a notification requirement, and (2) the addition of a requirement to notify state agencies (such as attorneys general and state insurance commissioners) where none previously existed.

Here are developments in three states reflecting these emerging trends:

Wyoming

In late February, Wyoming passed two bills that amend its existing data breach notification law by specifying the content required in notices to Wyoming residents, modifying the definition of personal information, and providing for covered entities or business associates that comply with HIPAA to be deemed in compliance with the state individual notice requirements.

In particular, Wyoming’s definition of personal information will now include the following:

Shared secrets or security tokens that are known to be used for data-based authentication;
A username or email address, in combination with a password or security question and answer that would permit access to an online account;
A birth or marriage certificate;
Medical information (a person’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional);
Health insurance information (a person’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the person or information related to a person’s application and claims history);
Unique biometric data (data generated from measurements or analysis of human body characteristics for authentication purposes); and
An individual taxpayer identification number.

These changes to Wyoming law will become effective July 1, 2015.

Montana

Beginning October 1, 2015, amendments to Montana’s breach notification law will require entities that experience a data breach affecting Montana residents to notify the Montana Attorney General and, if applicable, the Commissioner of Insurance. Notification must include an electronic copy of the notice to affected individuals, a statement providing the date and method of distribution of the notification, and an indication of the number of individuals in the state impacted by the breach. Entities must provide notice to state regulators simultaneously with consumer notices.

The recent amendments to the Montana law also expand the definition of personal information to include medical record information, taxpayer identification numbers and any “identity protection personal identification number” issued by the IRS. The law specifies that medical information is that which relates to an individual’s physical or mental condition, medical history, medical claims history or medical treatment, and is obtained from [...]

Continue Reading

The Consumer Privacy Bill of Rights Redux

by Jennifer S. Geetter | Mar 3, 2015 | Advertising & Marketing, Consumer Protection, Data Privacy, General Interest, Mobile Apps

On February 27, 2015, the Obama White House released an “Administration Discussion Draft” of its Consumer Privacy Bill of Rights Act of 2015 (Proposed Consumer Privacy Act).

The Proposed Consumer Privacy Act revises and builds on the “Consumer Privacy Bill of Rights” that the Obama White House released in its 2012 Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy report.

As described during President Obama’s January 12 visit to the Federal Trade Commission (FTC), the Proposed Consumer Privacy Act identifies seven “basic principles to both protect personal privacy and ensure that industry can keep innovating.” These seven principles are:

Transparency (§101): Transparency is a principle frequently cited in guidance from the FTC, as well as self-regulatory framework, such as the Digital Advertising Alliance’s cross-industry code for interest based-advertising. The Proposed Consumer Privacy Act describes transparency as “concise and easily understandable language, accurate, clear, timely, and conspicuous notice about privacy and security practices.” The notice required from an entity subject to the Proposed Consumer Privacy Act (defined as a “covered entity” (CE)) must describe the entity’s collection, use, disclosure, retention, destruction and security practices.
Individual Control (§102): The Individual Control principle means offering consumers a “reasonable means to control the processing (i.e., taking any action regarding) personal data about them in proportion to the privacy risk to the individual and consistent with context.” An individual must have a way to either withdraw consent related to his or her personal data that is “reasonably comparable” to the means by which the consent was initially granted consent or request that the CE “de-identify” (as defined in the Proposed Consumer Privacy Act) his or her personal data.
Respect for Context (§103): Under the Respect for Context principle, a CE must process personal data reasonably “in light of context.” If the processing is not reasonable, the CE must undertake a “privacy risk analysis” to identify and take reasonable steps to mitigate privacy-related risk, including “heightened transparency and individual control,” such as just-in-time notices. Reasonableness is presumed when a CE’s personal data processing “fulfills an individual’s request.”
Focused Collection and Responsible Use (§104): The Focused Collection and Responsible Use principle requires that a CE limit its collection, retention and use of personal data to a “manner that is reasonable in light of context.” The CE also must “delete, destroy, or de-identify” personal data within a “reasonable time” after the original purpose for its collection, retention, or use has been fulfilled.
Security (§105): Under the Security principle, a CE must: identify internal and external “risks to privacy and security” of personal data; implement and maintain safeguards “reasonably designed” to secure personal data; regularly assess the efficacy of the safeguards, and adjust the safeguards to reflect material changes to business practices or “any other circumstances that create a material impact on the privacy or security” of personal data under the CE’s control. The [...]

Continue Reading

FTC Merger Review Likely to Incorporate Analysis of Privacy Issues

by Carla A. R. Hine | Mar 2, 2015 | Big Data, Consumer Protection, Cybersecurity, Data Privacy, General Interest

The Federal Trade Commission (FTC or the Commission), along with the U.S. Department of Justice, can challenge mergers it believes will result in a substantial lessening of competition – for example through higher prices, lower quality or reduced rates of innovation. Although the analysis of whether a transaction may be anticompetitive typically focuses on price, privacy is increasingly regarded as a kind of non-price competition, like quality or innovation. During a recent symposium on the parameters and enforcement reach of Section 5 of the FTC Act, Deborah Feinstein, the director of the FTC’s Bureau of Competition, noted that privacy concerns are becoming more important in the agency’s merger reviews. Specifically she stated, “Privacy could be a form of non-price competition important to customers that could be actionable if two kinds of companies competed on privacy commitments on technologies they came up with.”

At this same symposium, Jessica Rich, director of the FTC’s Bureau of Consumer Protection, remarked on the agency’s increasing expectations that companies protect the consumer data they collect and be more transparent about what they collect, how they store and protect it, and about third parties with whom they share the data.

The FTC’s Bureaus of Competition and Consumer Protection fulfill the agency’s dual mission to promote competition and protect consumers, in part, through the enforcement of Section 5 of the FTC Act. With two areas of expertise and a supporting Bureau of Economics under one roof, the Commission is uniquely positioned to analyze whether a potential merger may substantially lessen privacy-related competition.

The concept that privacy is a form of non-price competition is not new to the FTC. In its 2007 statement upon closing its investigation into the merger of Google, Inc. and DoubleClick Inc., the Commission recognized that mergers can “adversely affect non-price attributes of competition, such as consumer privacy.” Commissioner Pamela Jones Harbour’s dissent in the Google/DoubleClick matter outlined a number of forward-looking competition and privacy-related considerations for analyzing mergers of data-rich companies. The FTC ultimately concluded that the evidence in that case “did not support the theories of potential competitive harm” and thus declined to challenge the deal. The matter laid the groundwork, however, for the agency’s future consideration of these issues.

While the FTC has yet to challenge a transaction on the basis that privacy competition would be substantially lessened, parties can expect staff from both the Bureau of Competition and the Bureau of Consumer Protection to be working closely together to analyze a proposed transaction’s impact on privacy. The FTC’s review of mergers between entities with large databases of consumer information may focus on: (1) whether the transaction will result in decreased privacy protections, i.e., lower quality of privacy; and (2) whether the combined parties achieve market power as a result of combining their consumer data.

This concept is not unique to the United States. The European Commission’s 2008 decision in TomTom/Tele Atlas examined whether there would be a decrease [...]

Continue Reading

Consumer Health Information Update from Both Sides of the Atlantic

by Jennifer S. Geetter and Scott Weinstein | Feb 27, 2015 | Big Data, Consumer Protection, Data Privacy, General Interest, Mobile Apps

As we reported in May 2014, the Federal Trade Commission (FTC) convened stakeholders to explore whether health-related information collected from and about consumers — known as consumer-generated health information (CHI) — through use of the internet and increasingly-popular lifestyle and fitness mobile apps is more sensitive and in need of more privacy-sensitive treatment than other consumer-generated data.

One of the key questions raised during the FTC’s CHI seminar is: “what is consumer health information”? Information gathered during traditional medical encounters is clearly health-related. Information gathered from mobile apps designed as sophisticated diagnostic tools also is clearly health-related — and may even be “Protected Health Information,” as defined and regulated by Health Information Portability and Accountability Act (HIPAA), depending on the interplay of the app and the health care provider or payor community. But, other information, such as diet and exercise, may be viewed by some as wellness or consumer preference data (for example, the types of foods purchased). Other information (e.g., shopping habits) may not look like health information but, when aggregated with other information generated by and collected from consumers, may become health-related information. Information, therefore, may be “health information,” and may be more sensitive as such, depending on (i) the individual from whom it is collected, (ii) the context in which it is initially collected; (iii) the other information which it is combined; (iv) the purpose for which the information was initially collected; and (v) the downstream uses of the information.

Notably, the FTC is not the only regulatory body struggling with how to define CHI. On February 5, 2015, the European Union’s Article 29 Working Party (an EU representative body tasked with advising EU Member States on data protection) published a letter in response to a request from the European Commission to clarify the definitional scope of “data concerning health in relation to lifestyle and wellbeing apps.”

The EU’s efforts to define CHI underscore the importance of understanding CHI. The EU and the U.S. data privacy and security regimes differ fundamentally in that the EU regime broadly protects personally identifiable information. The US does not currently provide universal protections for personally identifiable information. The U.S. approach varies by jurisdiction and type of information and does not uniformly regulate the mobile app industry or the CHI captured by such apps. These different regulatory regimes make the EU’s struggle to define the precise scope and definition of “lifestyle and wellbeing” data (CHI) and develop best practices going forward all the more striking because, even absent such a definition, the EU privacy regime would offer protections.

The Article 29 Working Party letter acknowledges the European Commission’s work to date, including the European Commission’s “Green Paper on Mobile Health,” which emphasized the need for strong privacy and security protections, transparency – particularly with respect to how CHI interoperates with big data – and the need for specific legislation on CHI-related apps or regulatory guidance that will promote “the safety and performance of lifestyle and wellbeing apps.” But, [...]

Continue Reading

Employers with Group Health Plans: Have You Notified State Regulators of the Breach?

by McDermott Will & Emery and Amy C. Pimentel | Feb 20, 2015 | Consumer Protection, Cybersecurity, Data Privacy, General Interest

Data security breaches affecting large segments of the U.S. population continue to dominate the news. Over the past few years, there has been considerable confusion among employers with group health plans regarding the extent of their responsibility to notify state agencies of security breaches when a vendor or other third party with access to participant information suffers a breach. This On the Subject provides answers to several frequently asked questions to help employers with group health plans navigate the challenging regulatory maze.

Read the full article.

Secure Sockets Layer (SSL) 3.0 Encryption Declared “No Longer Acceptable” to Protect Data

by McDermott Will & Emery | Feb 17, 2015 | Consumer Protection, Cybersecurity, Data Privacy, Ecommerce

On Friday, February 13, 2015, the Payment Cards Industry (PCI) Security Standards Council (Council) posted a bulletin to its website, becoming the first regulatory body to publicly pronounce that Secure Socket Layers (SSL) version 3.0 (and by inference, any earlier version) is “no longer… acceptable for protection of data due to inherence weaknesses within the protocol” and, because of the weaknesses, “no version of SSL meets PCI SSC’s definition of ‘strong cryptography.’” The bulletin does not offer an alternative means that would be acceptable, but rather “urges organizations to work with [their] IT departments and/or partners to understand if [they] are using SSL and determine available options for upgrading to a strong cryptographic protocol as soon as possible.” The Council reports that it intends to publish soon an updated version of PCI-DSS and the related PA-DSS that will address this issue. These developments follow news of the Heartbleed and POODLE attacks from 2014 that exposed SSL vulnerabilities.

Although the PCI standards only apply to merchants and other companies involved in the payment processing ecosystem, the Council’s public pronouncement that SSL is vulnerable and weak is a wakeup call to any organization that still uses an older version of SSL to encrypt its data, regardless of whether these standards apply.

As a result, every company should consider taking the following immediate action:

Work with your IT stakeholders and those responsible for website operation to determine if your organization or a vendor for your organization uses SSL v. 3.0 (or any earlier version);
If it does, evaluate with those stakeholders how to best disable these older versions, while immediately upgrading to an acceptable strong cryptographic protocol as needed;
Review vendor obligations to ensure compliance with a stronger encryption protocol is mandated and audit vendors to ensure the vendor is implementing greater protection;
If needed, consider retaining a reputable security firm to audit or evaluate your and your vendors’ encryption protocols and ensure vulnerabilities are properly remediated; and
Ensure proper testing prior to rollout of any new protocol.

Additional resources and materials:

NIST SP 800-57: Recommendation for Key Management – Part 1: General (Revision 3)
NIST SP 800-52: Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations (Revision 1)

Consumer Privacy Rights – Germany To Enable Consumer Protection Organisations To Bring Actions For Privacy Violations

by Vincent Schroeder | Feb 16, 2015 | Consumer Protection, Data Privacy

The German federal government has recently approved a bill that might substantially change the way consumer privacy rights are enforced throughout the country.

The bill aims to give consumer protection and similar organizations standing to bring an action for injunctive relief against commercial suppliers of goods or services that unlawfully collect or process personal consumer data for certain purposes such as advertisement, market or opinion research, and personality or user profiling.

Even though these uses entail a high risk of privacy violations, consumers frequently refrain from enforcing their related rights as they are unaware of the unlawful practice or deterred by the prospective costs of litigation or the market power of the suppliers. The bill is intended to alleviate this deficit by allowing public interest organizations to invoke privacy rights on behalf of consumers as a whole.

The German position is in-line with general considerations by the European Union to provide for legal mechanisms of collective redress where limited individual damage prevents potential claimants from pursuing an individual claim. At least to some extent, this is also reflected in the most recent draft version of the General Data Protection Regulation currently being debated by the European Commission, Parliament and Council.

In the past, similar collective redress systems have been instituted very successfully in Germany regarding consumer rights in other areas including, for example, the sale of consumer goods and general terms and conditions. If the concept can effectively be transferred to consumer privacy, suppliers of consumer goods and services will have to expect much closer scrutiny of their privacy practices in the future.

The FTC Did Some Kid-ding Around in 2014

by McDermott Will & Emery | Feb 12, 2015 | Advertising & Marketing, Consumer Protection, Data Privacy, Email/Spam, Mobile Apps

2014 was a busy year for the Federal Trade Commission (FTC) with the Children’s Online Privacy Protection Act (COPPA). The FTC announced something new under COPPA nearly every month, including:

In January, the FTC issued an updated version of the free consumer guide, “Net Cetera: Chatting with Kids About Being Online.” Updates to the guide include advice on mobile apps, using public WiFi securely, and how to recognize text message spam, as well as details about recent changes to COPPA.
In February, the FTC approved the kidSAFE Safe Harbor Program. The kidSAFE certification and seal of approval program helps children-friendly digital services comply with COPPA. To qualify for a kidSAFE seal, digital operators must build safety protections and controls into any interactive community features; post rules and educational information about online safety; have procedures for handling safety issues and complaints; give parents basic safety controls over their child’s activities; and ensure all content, advertising and marketing is age-appropriate.
In March, the FTC filed an amicus brief in the 9th U.S. Circuit Court of Appeals, arguing that the ruling of U.S. District Court for the Northern District of California in Batman v. Facebook that COPPA preempts state law protections for the online activities of teenagers children outside of COPPA’ coverage is “patently wrong.”
In April, the FTC updated its “Complying with COPPA: Frequently Asked Questions” (aka the COPPA FAQs) to address how COPPA applies in the school setting. In FAQ M.2, the FTC discussed whether a school can provide the COPPA-required consent on behalf of parents, stating that “Where a school has contracted with an operator to collect personal information from students for the use and benefit of the school, and for no other commercial purpose, the operator is not required to obtain consent directly from parents, and can presume that the school’s authorization for the collection of students’ personal information is based upon the school having obtained the parents’ consent.” But, the FTC also recommends as “best practice” that schools provide parents with information about the operators to which it has consented on behalf of the parents. The FTC requires that the school investigate the collection, use, sharing, retention, security and disposal practices with respect to personal information collected from its students.
In July, COPPA FAQ H.5, FAQ H.10, and FAQ H.16 about parental consent verification also were updated. In FAQ H.5, the FTC indicates that “collecting a 16-digit credit or debit card number alone” is not sufficient as a parental consent mechanism, in some circumstances, “collection of the card number – in conjunction with implementing other safeguards – would suffice.” Revised FAQ H.10 indicates that a developer of a child-directed app may use a third party for parental verification “as long as [developers] ensure that COPPA requirements are being met,” including the requirement to “provide parents with a direct notice outlining [the developer’s] information collection practices before the parent provides his or her consent.” In revised FAQ H.16, the FTC [...]

Continue Reading

Any Progress? The Draft Data Protection Regulation Celebrates its Third Anniversary

by McDermott Will & Emery | Feb 11, 2015 | Big Data, Cloud, Data Privacy, Data Transfers/Safe Harbor/Privacy Shield, Ecommerce, Electronic Contracting, Mobile Apps, Social Media, Text Messaging

On the third anniversary of the EU Commission’s proposed new data protection regime, the UK ICO has published its thoughts on where the new regime stands. The message is mixed: progress in some areas but nothing definitive, and no real clarity as to when the new regime may come into force.

The legislative process involves the agreement of the European Commission, the European Parliament and the Council of Europe (representing the governments of the member states). So far the European Parliament has agreed its amendments to the Commission’s proposal and we are still waiting for the Council to agree it’s amendments before all three come together and try and find a mutually agreeable position.

The Council is guided by the mantra “nothing is agreed until everything is agreed”, and so even though there has been progress with the Council reaching “partial general agreement” on international transfers, risk-based obligations on controllers and processors, and the provisions relating to specific data processing situations such as research and an approach agreed on the one-stop shop principle (allowing those operating in multiple states to appointed and deal with a single authority), this progress means nothing until there is final agreement on everything. At this stage that means all informal agreements remain open to renegotiation.

It is noted that Latvia holds the presidency of the Council until June 2015. The Latvians have already noted that Anydata protection reform remains a key priority but progress has been slow and time may be against them. Where Latvia fails, Luxembourg will hopefully succeed as it takes up the presidency from June.

The ICO is urging all stakeholders to push on with the reform, although they see the proposed timetable of completion of the trilogue process by the end of 2015 as being optimistic. Instead a more reasonable timetable may be a final agreement by mid-2016 with the new regime up and running in 2018.

Pressure Points: OCR Enforcement Activity in 2014

by Amanda Enyeart | Feb 9, 2015 | Big Data, Consumer Protection, Cybersecurity, Data Privacy, General Interest

During 2014, the Office for Civil Rights (OCR) of the U.S. Department of Health & Human Services initiated six enforcement actions in response to security breaches reported by entities covered by the Health Insurance Portability and Accountability Act (HIPAA) (covered entities), five of which involved electronic protected health information (EPHI). The resolution agreements and corrective action plans resolving the enforcement actions highlight key areas of concern for OCR and provide the following important reminders to covered entities and business associates regarding effective data protection programs.

Security risk assessment is key.

OCR noted in the resolution agreements related to three of the five security incidents, involving QCA Health Plan, Inc., New York and Presbyterian Hospital (NYP) and Columbia University (Columbia), and Anchorage Community Mental Health Services (Anchorage), that each entity failed to conduct an accurate and thorough assessment of the risks and vulnerabilities to the entity’s EPHI and to implement security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level. In each case, the final corrective action plan required submission of a recent risk assessment and corresponding risk management plan to OCR within a relatively short period after the effective date of the resolution agreement.

2. A risk assessment is not enough – entities must follow through with remediation of identified threats and vulnerabilities.

In the resolution agreement related to Concentra Health Services (CHS), OCR noted that although CHS had conducted multiple risk assessments that recognized a lack of encryption on its devices containing EPHI, CHS failed to thoroughly implement remediation of the issue for over 3-1/2 years.

3. System changes and data relocation can lead to unintended consequences.

In two of the cases, the underlying cause of the security breach was a technological change that led to the public availability of EPHI. A press release on the Skagit County incident notes that Skagit County inadvertently moved EPHI related to 1,581 individuals to a publicly accessible server and initially reported a security breach with respect to only seven individuals, evidentially failing at first to identify the larger security breach. According to a press release related to the NYP/Columbia security breach, the breach was caused when a Columbia physician attempted to deactivate a personally-owned computer server on the network, which, due to lack of technological safeguards, led to the public availability of certain of NYP’s EPHI on internet search engines.

4. Patch management and software upgrades are basic, but essential, defenses against system intrusion.

OCR noted in its December 2014 bulletin on the Anchorage security breach (2014 Bulletin) that the breach was a direct result of Anchorage’s failure to identify and address basic security risks. For example, OCR noted that Anchorage did not regularly update IT resources with available patches [...]

Continue Reading

Older Posts »

« Newer Posts

BLOG EDITORS

Amanda Enyeart

Marshall E. Jackson, Jr.

BLOG EDITORS

STAY CONNECTED

TOPICS

ARCHIVES

RECENT POSTS