Data Privacy Archives - Page 16 of 35

Data Privacy

C-Suite – Changing Tack on the Sea of Data Breach?

by McDermott Will & Emery | Feb 6, 2015 | Big Data, Consumer Protection, Cybersecurity, Data Privacy, General Interest

The country awoke to what seems to be a common occurrence now: another corporation struck by a massive data breach. This time it was Anthem, the country’s second largest health insurer, in a breach initially estimated to involve eighty million individuals. Both individuals’ and employees’ personal information is at issue, in a breach instigated by hackers.

Early reports, however, indicated that this breach might be subtly different than those faced by other corporations in recent years. The difference isn’t in the breach itself, but in the immediate, transparent and proactive actions that the C-Suite took.

Unlike many breaches in recent history, this attack was discovered internally through corporate investigative and management processes already in place. Further, the C-Suite took an immediate, proactive and transparent stance: just as the investigative process was launching in earnest within the corporation, the C-Suite took steps to fully advise its customers, its regulators and the public at-large, of the breach.

Anthem’s chief executive officer, Joseph Swedish, sent a personal, detailed e-mail to all customers. An identical message appeared in a widely broadcast press statement. Swedish outlined the magnitude of the breach, and that the Federal Bureau of Investigation and other investigative and regulatory bodies had already been advised and were working in earnest to stem the breach and its fallout. He advised that each customer or employee with data at risk was being personally and individually notified. In a humanizing touch, he admitted that the breach involved his own personal data.

What some data privacy and information security advocates noted was different: The proactive internal measures that discovered the breach before outsiders did; the early decision to cooperate with authorities and press, and the involvement of the corporate C-Suite in notifying the individuals at risk and the public at-large.

The rapid and detailed disclosure could indicate a changing attitude among the American corporate leadership. Regulators have encouraged transparency and cooperation among Corporate America, the public and regulators as part of an effort to stem the tide of cyber-attacks. As some regulators and information security experts reason, the criminals are cooperating, so we should as well – we are all in this together.

Will the proactive, transparent and cooperative stance make a difference in the aftermath of such a breach? Only time will tell but we will be certain to watch with interest.

FTC Releases Extensive Report on the “Internet of Things”

by McDermott Will & Emery | Jan 28, 2015 | Cybersecurity, Data Privacy

On January 27, 2015, U.S. Federal Trade Commission (FTC) staff released an extensive report on the “Internet of Things” (IoT). The report, based in part on input the FTC received at its November 2013 workshop on the subject, discusses the benefits and risks of IoT products to consumers and offers best practices for IoT manufacturers to integrate the principles of security, data minimization, notice and choice into the development of IoT devices. While the FTC staff’s report does not call for IoT specific legislation at this time, given the rapidly evolving nature of the technology, it reiterates the FTC’s earlier recommendation to Congress to enact strong federal data security and breach notification legislation.

The report also describes the tools the FTC will use to ensure that IoT manufacturers consider privacy and security issues as they develop new devices. These tools include:

Enforcement actions under such laws as the FTC Act, the Fair Credit Reporting Act (FCRA) and the Children’s Online Privacy Protection Act (COPPA), as applicable;
Developing consumer and business education materials in the IoT area;
Participation in multi-stakeholder groups considering guidelines related to IoT; and
Advocacy to other agencies, state legislatures and courts to promote protections in this area.

In furtherance of its initiative to provide educational materials on IoT for businesses, the FTC also announced the publication of “Careful Connections: Building Security in the Internet of Things”. This site provides a wealth of advice and resources for businesses on how they can go about meeting the concept of “security by design” and consider issues of security at every stage of the product development lifecycle for internet-connected devices and things.

This week’s report is one more sign pointing toward our prediction regarding the FTC’s increased activity in the IoT space in 2015.

In with the New: Expect FTC Activity on IoT in 2015

by McDermott Will & Emery | Jan 26, 2015 | Big Data, Cybersecurity, Data Privacy, General Interest

The “Internet of Things” (IoT) continues to grow. (IoT refers to the ability of everyday objects to connect to the Internet and one another.) It is estimated that there will be 4.9 billion connected appliances, devices and other “things” in use worldwide by the end of 2015, an increase of 30 percent from 2014. The global market for IoT products is expected to reach $7.1 trillion by 2020.

Proponents of IoT believe that the data generated and shared by connected objects can provide tremendous benefits for individuals, businesses and society as a whole. For example, IoT devices could be used to alert a person of an impending heart attack, improve a business’ manufacturing processes and reduce vehicle traffic congestion. While IoT can provide many benefits, it also poses privacy and security challenges. Internet connected devices, especially when used in an individual’s home or on his or her body, can generate voluminous amounts of highly personal and sensitive data about that individual, including information about physical activity, existing health conditions, energy consumption and entertainment choices. Many users of these devices are unclear about how this data is being used and shared with others. Moreover, the sheer amount and sensitivity of the data collected and transmitted by many IoT products make them an appealing target for hackers.

The Federal Trade Commission (FTC) did not file an enforcement action against a manufacturer of IoT products for inadequate data privacy and security practices in 2014, as it had in 2013. Nonetheless, the privacy and security challenges associated with the massive collection of consumer data by IoT products still are on the FTC’s radar. Commissioner Julie Brill has written extensively about the need to weave in privacy principles to IoT. While IoT products ranging from automated door locks to internet connected pet trackers dominated this year’s International Consumer Electronics Show (CES), Chairwoman Edith Ramirez’s keynote address at the CES outlined several concerns about IoT, including ubiquitous data collection, the ability of IoT devices to capture sensitive personal information about consumers, unexpected uses of consumer data and data security concerns.

Since IoT is on the FTC’s radar, I predict that the FTC will carefully scrutinize manufacturers of IoT products during 2015 and perhaps bring another action against a maker of IoT products for inadequate data privacy or security practices.

A Simplified Norm to Represent an Expanding Power: the Right to Listen in on Employees’ Phone Calls and the Standardization of French Privacy Law

by Myrtille Lapuelle | Jan 20, 2015 | Data Privacy, Email/Spam

Since 2001, the French Court of Cassation has made a continuous effort to refine and, in some circumstances, narrow the scope of the right to privacy in the workplace with a view to reaching a fair and balanced approach. The January 6, 2015 declaration of the French Data Protection Authority (CNIL) further highlights this trend towards the standardization of information collection at work, and serves to clarify and expand the right of employers to listen in on employees’ phone calls at work.

Background

In the landmark 2001 “Nikon Case,” the Court of Cassation ruled that “an employee has the right to the respect of his private life – including the right to the secrecy of correspondence – on the work premises and during working hours.” This announcement was qualified, however, and the court further refined that unless marked by the employee as “private,” the documents and files created by an employee on a company-computer for work purposes are presumed to be professional, which means that the company can access those documents and files without the employee’s presence. This can lead to an employer using such emails against an employee in the case of employment termination. Nonetheless, employers have an obligation under privacy and labor laws to inform employees about the collection and use of their personal data.

Building off of this decision, in October 2014, the French Social Supreme Court held that evidence gathered against an employee from data that had not previously been declared to and registered with CNIL was de facto illegal.

The French Labor Code and the French Data Protection Act both stipulate rules for the use of monitoring software by employers in the event that an employer wishes to establish such mechanisms. In particular, the employer must submit information to and engage in consultation with the works council, provide information to employees impacted by the software and make a formal declaration of the proposed monitoring activities to CNIL.

CNIL Declaration: Movement Toward a Simplified Norm

Continuing this trend, the declaration issued by the CNIL on January 6, 2015, further demonstrates not only how important the CNIL is, but also how the area of data protection is evolving and become more standardized in France.
This recent declaration established that employers wishing to record their employee’s telephone communications must first declare such information by filling out a simplified declaration form in lieu of a normal declaration form. After effectuating this simplified declaration, an employer will have the ability to listen to and record employee conversations for the purpose of employee training, evaluation and betterment of the quality of service.

While this declaration serves to grant employers permission to monitor employees, it also imposes upon them a number of restrictions: (i) the employee must be notified and informed of his or her right to refuse such recordings and (ii) the employee may only keep recordings for a period of six months. The information gathered from such recordings, however, may be kept for a [...]

Continue Reading

In with the New: 2015 Privacy, Advertising and Digital Media Predictions – Part III

by McDermott Will & Emery | Jan 15, 2015 | Data Privacy

Part III of our 2015 predictions series comes from Of Digital Interest editor and McDermott partner, Heather Sussman, who predicts that states will be active with privacy and data security legislation during 2015.

States Active with Privacy and Data Security Legislation

With comparatively little movement from the federal government in 2014, state legislatures around the country have been working to take an active role in addressing the ever-increasing public concern over the collection, use, disclosure and disposal of personal information. Of the 23 states that introduced or considered security breach notification legislation in 2014, at least 11 enacted their bills into law. There remain several bills pending in 2015 in state legislatures across the United States. that may amend or impact the breach notification landscape.

For 2015, we predict action in the following states:

Both Massachusetts and New Jersey have pending bills that aim to further protect financial information, focusing on the breach of “access devices” associated with electronic transactions. Massachusetts SB 132 and New Jersey AB 1239 propose to add restrictions on data retention of certain financial information collected from access devices, as well as dictate how financial institutions will recover costs after a breach.
In Pennsylvania, the legislature is considering AB1329, which increases penalties for failure to report a breach to $5,000 for a first offense, $10,000 for a second offense, and $15,000 for a third or subsequent offense, AB2480, which requires certain notifications and free credit reports for six months following breach, and AB3146/SB2188, which requires notification of a breach of online account credentials.
Two Rhode Island bills impact existing breach laws: HB 5769, which enumerates additional patient’s rights, including the right to be notified in the event of a breach of confidential health care information, and HB 7519 which mandates specific content in breach notifications to consumers. Notifications now must include contact information for consumer reporting agencies and the Federal Trade Commission (FTC), a statement that an individual can obtain information regarding fraud alerts and security freezes, and a statement that warms against possible imposters who attempt to fraudulently notify individuals of security breaches. This latter bill would also require providing one year of credit monitoring at no cost to individuals whose data are impacted in the breach.
Delaware also has two bills pending: SB101 which would clarify that a person who is a victim of a “Digital Data Breach” shall have seven years from the date the personal information is posted in which to bring a civil action for damages, and SB102 which would add name, birth date and address to the definition of personal information. The latter bill also provides either of the following specific damages for breach victims, whichever is greater: consequential damages, profits derived from the unauthorized use, or both; or $1,000 per breach per person if no actual damages can be proven. Punitive damages may be awarded against a person found to have willfully violated this Chapter

In [...]

Continue Reading

In with the New: 2015 Privacy, Advertising and Digital Media Predictions – Part II

by McDermott Will & Emery | Jan 14, 2015 | Consumer Protection, Cybersecurity, Data Privacy, General Interest, Social Media

More predictions about privacy, advertising and digital media trends making headlines in 2015 from Of Digital Interest editor Bridget O’Connell and predictions from our London office by Rob Lister:

Employee Social Media Accounts Garner Increased Attention
by Bridget K. O’Connell, Associate

In 2015, I predict an increased focus on employees’ rights regarding their personal social media accounts. Since 2012, individual states have enacted laws prohibiting employers from requesting access to their employees’ (or job applicants’) personal social media accounts. In 2014 alone, six states enacted such laws, bringing the total number of states with this type of legislation to 18. (Click here for additional analysis of the impact of these laws on employers.)

In addition to individual states’ laws, I expect clarification on a national level regarding employer policies and actions related to employees’ personal social media accounts. In the past year, the National Labor Relations Board (NLRB) has started to focus on whether employer policies regarding employee social media accounts are consistent with the National Labor Relations Act (“Act”). The Act prohibits employers from interfering with employees who come together to discuss their employment for the purpose of collective bargaining or other mutual aid or protection. According to the NLRB, employees’ comments on their personal social media accounts can constitute protected activity under the Act. One recent NLRB case involved two employees who posted on their Facebook accounts about the employers’ alleged failure to correctly withhold taxes from their paychecks. The employer terminated the employees because of their comments on their personal social media accounts. The NLRB found that the employee’s comments were protected under the Act, ordered the employer to reinstate the employees, and ordered the employer to clarify its social media policy. The employer is now appealing the NLRB’s determination in court.

I predict not only that more states will enact employee social media account legislation, but also that the NLRB and the courts will provide more guidance on employer restrictions or sanctions related to employee social media use.

Cybersecurity Predictions from London
by Rob Lister, Associate

With fines for security breaches expected to rise dramatically under the proposed Data Protection Regulation and recent cybercrime/cyberterrorism looking to be an increasingly effective and efficient weapon across all industry sectors, we can expect companies to pay more attention to how they protect their personal data. In addition, we can expect to see more frequent and sophisticated attacks with a view to exposing personal data (or at least holding it for ransom), requiring increased security measures as a matter of course. We may also see increased difficulty in obtaining insurance coverage protecting against such attacks unless companies implement specific risk controls.

In with the New: 2015 Privacy, Advertising and Digital Media Predictions – Part I

by Jennifer S. Geetter | Jan 7, 2015 | Big Data, Consumer Protection, Data Privacy, General Interest, Mobile Apps

What privacy, advertising and digital media trends will make headlines in 2015? Digital Health for one, Big Data for another.

Digital Health

The 2015 International Consumer Electronics Show (CES) started yesterday. Sessions like “Sensibles: The Smarter Side of Wearables” and “DIY Health: Consumer Accessible Innovation” suggest that the consumer health issues explored by the Federal Trade Commission (FTC) last Spring (see our blog post here) are increasingly relevant. Most notably, as more health-related information becomes digital, digital health businesses will need to revisit long-standing privacy, intellectual property protection, notice and consent practices that may not be well-suited to the more sensitive category of consumer-generated health information (CHI) (i.e., health-related information that consumers submit to or through mobile apps and devices). In many cases, the law is underdeveloped and businesses must develop and implement their own best practices to demonstrate good faith as stewards of CHI.

We predict that CHI and the issues raised by its collection, use, disclosure and storage will stay on the FTC’s radar during 2015. Perhaps the FTC will offer some insight about its position on CHI through guidance or regulatory activity related to a digital health business.

With mobile devices proliferating, the volume, versatility and variety of consumer-generated data, including CHI, also is proliferating. CHI typically stands outside of HIPAA’s regulatory silo. HIPAA regulates health plans, health care clearinghouses, health care providers who engage in standardized transactions with health plans and the business associates that assist health plans, clearinghouses and providers, and need protected health information to provide that assistance. Mobile medical services and environments, however, typically fall outside of this framework: most mobile apps, for example, are used directly by consumers, and often at the direction of and under the control of plans and providers. HIPAA may have, however, more reach into the growing business-to-business mobile app sector.

But, in the CHI arena, the sources of privacy and security regulation are murky. Among likely hot topics in 2015 are:

When is consumer-generated information also consumer-generated health information?
Can data ever be “de-identified” or made anonymous in light of the so-called mosaic (or pointillist) effect?
What role can the “pay with data” model play in consumer protection?
Is all CHI deserving of the same level of protection?
What sources of oversight exist and are they sufficient?

The news is ripe with references to data “privacy” and data “security,” but the sensitivity associated with health information requires thinking about data “stewardship” – a broader concept that encompasses not only privacy and security but also data asset management and data governance. Data stewardship captures not only data as an asset, but also as an opportunity to earn public trust and confidence while preserving innovation.

We predict that how to be good data stewards will be a critical issue for digital health businesses in 2015 and that forward-looking and transparent efforts at self-policing will be key to not only avoiding regulatory scrutiny but also fostering consumer trust.

Big Data

Big Data was big news [...]

Continue Reading

Article 29 Working Party Adopts Procedure on Approval of Model Clauses

by McDermott Will & Emery | Dec 18, 2014 | Data Privacy, Data Transfers/Safe Harbor/Privacy Shield

On 26 November 2014, the Article 29 Working Party adopted a working document on establishing a cooperation procedure for issuing common opinions on whether contractual clauses are compliant with the European Commission’s Model Clauses (Model Clauses).

The working document establishes the procedure in which companies wishing to use identical contractual clauses in different Member States for transfers of personal data outside the European Economic Area (EEA) are able to obtain a coordinated position from the relevant Data Protection Authorities (DPA) on the proposed contracts, without the need to approach each relevant DPA individually for approval.

Background

Model Clauses represent one of the ways that a data controller can overcome the general prohibition contained in the EU Data Protection Directive (95/46/EC) on cross-border transfers of personal data to countries outside the EEA that do not offer adequate levels of data protection. The Model Clauses are intended to be used without amendment – although some divergence, e.g., through the use of additional clauses having no impact on the overall compliance of the Model clauses adopted, may be acceptable.

Company groups in Europe often use identical contractual clauses in different jurisdictions for the purposes of transfers out of the EEA. However, differing implementation of the Data Protection Directive between Member States has resulted in the situation whereby some jurisdictions require DPA approval of the Model Clauses used (such as Austria, Denmark, France and Spain), whether used with or without amendment, whereas other jurisdictions do not require such DPA approval where the Model Clauses are used without amendment. The result of the above is that it may be possible that identical contracts using the Model Clauses with only minor amendment are considered compliant by a DPA in one jurisdiction but not in others.

According to the Working Party, the purpose of this working document is to create a procedure allowing companies to obtain a coordinated position from the relevant DPAs when using identical contractual clauses based on the Model Clauses with minor amendment, in particular as to whether the contractual clauses are compliant with the Model Clauses.

The Process

Should a company wish to know whether its contract is compliant with the Model Clauses, under the proposed cooperation procedure, it will first need to ask the DPA it believes is entitled to act as the lead DPA to launch the EU cooperation procedure.

The company will then need to provide the lead DPA a copy of the contract, indicating the references to the Model Clauses together with any divergences and additional clauses, as well a list of EEA countries from which the company will be carrying out the transfers.

The Lead DPA

The Working Party has suggested that the company should choose the lead DPA from a Member State in which the transfers will take place and it will be for the company to justify why the DPA should be considered the lead. According to the Working Party, the following criteria should be considered by the company:

The location from which the contractual [...]

Continue Reading

Just in Time for the Holidays: Another HIPAA Settlement

by Edward G. Zacharias | Dec 12, 2014 | Consumer Protection, Cybersecurity, Data Privacy

Following an Office for Civil Rights investigation, Anchorage Community Mental Health Services, Inc., agreed to pay $150,000 and comply with a two-year Corrective Action Plan to settle allegations that it violated the HIPAA Security Rule. This settlement is another reminder that covered entities and business associates should take the necessary steps to ensure compliance with HIPAA and to reasonably and appropriately safeguard the electronic protected health information in their possession.

Read the full article.

Privacy and Data Protection: 2014 Year in Review

by Daniel F. Gottlieb | Dec 11, 2014 | Advertising & Marketing, Big Data, Cloud, Consumer Protection, Cybersecurity, Data Privacy, Data Transfers/Safe Harbor/Privacy Shield, Ecommerce, Electronic Contracting, Email/Spam, General Interest, Mobile Apps, Promotions, Sweepstakes & Contests, Social Media, Text Messaging, Workplace Privacy

In 2014, regulators around the globe issued guidelines, legislation and penalties in an effort to enhance security and control within the ever-shifting field of privacy and data protection. The Federal Trade Commission confirmed its expanded reach in the United States, and Canada’s far-reaching anti-spam legislation takes full effect imminently. As European authorities grappled with the draft data protection regulation and the “right to be forgotten,” the African Union adopted the Convention on Cybersecurity and Personal Data, and China improved the security of individuals’ information in several key areas. Meanwhile, Latin America’s patchwork of data privacy laws continues to evolve as foreign business increases.

This report furnishes in-house counsel and others responsible for privacy and data protection with an overview of key action points based on these and other 2014 developments, along with advance notice of potential trends in 2015. McDermott will continue to report on future updates, so check back with us regularly.

Read the full report here.