Technology, Privacy, And Data Security

China Enacts Data Privacy Law Under Guise of Cybersecurity

William Kellermann 
William Kellermann
May 11, 2017

On November 11, 2016, the Standing Committee of the National People’s Congress promulgated the “Internet Security Law of the People ‘s Republic of China” commonly referred to as the “Cybersecurity Law of China.”  Unlike the EU’s General Data Protection Regulation (GDPR) which gave businesses two years to prepare, the new law becomes implemented June 1, 2017.

The law affects almost every business in China, and anyone else doing business in China.  The law targets “critical infrastructure,” which is broadly defined and includes transportation, travel, network software and equipment suppliers, telecommunications, finance (banking, insurance, mutual funds), health care, online shopping platforms, information technology services (Internet Data Center, electronic information delivery and distribution, Internet Service Provider, Internet Content Provider), education, energy, marketing and advertising, social media, gaming, applications and public service.  The new law applies to any entity that 1) maintains a computer network and 2) attaches that network to the internet.

Continue reading China Enacts Data Privacy Law Under Guise of Cybersecurity

California Passes Law Requiring Data Breach Notification for Stolen Encryption Keys

Everett Monroe 
Everett Monroe
September 14, 2016

Governor Brown signed into law AB 2828, which will update California’s breach notification statute.  The law addresses encrypted Personally Identifiable Information that has been breached in the event that the encryption keys are also compromised. The law will go into effect January 1st.

AB 2828 seeks to close a loophole in California’s current data breach notification law, Civil Code Section 1798.82, under which a business must notify affected persons of a data breach where unencrypted personal information is lost. Presently, Section 1798.82 does not expressly require notification where the lost data was encrypted and the encryption key was also lost or improperly disclosed. That data would be at as much risk as unencrypted information, but there is no requirement to notify affected individuals. But requiring companies to report all data breaches where encrypted information was lost but the key remains secure may result in notifications to individuals who are not in serious risk of identity theft, fraud, or loss of privacy.

Continue reading California Passes Law Requiring Data Breach Notification for Stolen Encryption Keys

Three Lessons from the Federal Trade Commission’s LabMD decision

Everett Monroe 
Everett Monroe
August 10, 2016

The Federal Trade Commission (FTC) has made good data security practices a focus of its mission in recent years. It has issued guidance, held workshops, and brought enforcement actions against businesses that fail to implement common sense measures to protect their data. The Third Circuit’s opinion in Wyndham v. FTC acknowledged the Commission’s authority to hold companies accountable for claiming to have better data security then they do. Now, the Federal Trade Commission’s opinion and order In the Matter of LabMD, Inc. makes clear that good security practices are a must, regardless of claims a business makes to consumers.

The unanimous opinion by the Commission includes a long list of LabMD’s data security failures, but it focuses on employees’ administrative access to the computers. This access allowed an employee to install peer to peer file sharing software, and configured it so that it made patients’ sensitive medical data available outside the company. A security firm found the vulnerability, acquired some of the sensitive data, and then informed LabMD of the vulnerability in conjunction with an offer to provide security services. Here are three lessons that all businesses can glean from the FTC opinion.
Continue reading Three Lessons from the Federal Trade Commission’s LabMD decision

When does ‘Delete’ Really Mean Delete?

William Kellermann 
William Kellermann
July 27, 2016

In the words of the late, great Browning Marean[i]:  “The “Delete” key is the greatest lie on the keyboard.”  Unfortunately, this maxim was lost on a UK drug trafficker convicted, in part, on emails he thought were deleted from his Yahoo! email account.  In a motion for discovery filed in the federal district court for the Northern District of California, defense lawyers contend Yahoo! produced six months of deleted email, recovered even though Yahoo!’s own policies indicated otherwise.  Russell Knaggs v. Yahoo! Inc., U.S.D.C. ND-Cal., Case #15-MC-80281-MEJ

In the motion, the criminal defendant speculates the email was collected in violation of UK privacy laws, either through real-time interception or some nefarious NSA surveillance program, such as those exposed by Edward Snowden.  As such, the evidence was unlawfully collected and should be suppressed.

Unfortunately for the drug dealer, the source of the mail is likely much more mundane.  Unfortunately for Yahoo!, its explanation was tortured enough that the court ordered limited discovery, and a person-most-knowledgeable deposition.  The focus of the ordered discovery is a determination of the method Yahoo! used to gather the email data to provide to the government.

For anyone who has performed an in-depth analysis of enterprise email systems, to borrow from the words of Dean Wormer in “Animal House,” there is “deleted, double deleted and double-secret deletion.”  To remind the uninitiated, and using Microsoft Exchange and Outlook as a model, the typical deletion process for email goes something like this:

  1. Delete the message in the email reader software (in the Microsoft world, that would be Outlook.)  This step simply moves the message from the “Inbox,” or other folder in which it is held, to the “Deleted Items” folder.
  2. Delete the message from the “Deleted Items” folder.

Viola! The message is gone!  Or is it?  For most people that would be true.  However technologists, IT staff, email administrators, and electronic discovery practitioners know there is more.  Again, in the Microsoft Exchange environment, a copy of the message is retained in the email server “Deleted Items” cache (a/k/a the “Dumpster”) for a period of time.  This allows an administrator to recover mail inadvertently “double-deleted” by a user.  Many other email systems maintain a similar server-side cache of deleted messages for the same reason.  Until the parameters of the cache system are met, the message is recoverable by an administrator.

In the case of Microsoft Exchange, retention is date-driven.  However, other systems may be size-driven – that is content is not deleted from the server cache file until and unless it reaches a certain size.  At that time, older messages are overwritten to make room for newer messages in an updated version of the cache.  Until that time, the messages persist.

Further, most software used to recover, extract, and export messages typically capture, or provide options to capture, every message related to the user account, whether active, deleted, double deleted, archived or retained in the Dumpster.

Of course, further complicating matters, our drug dealer was using the Yahoo! mailbox as a form of message drop where communications were made using drafts of messages never sent.  One dealer would login to the account and create a draft of a message.  The intended recipient would then login to the same account, read the draft and respond, by either overwriting the prior draft or deleting the draft and creating a new draft.  However, as with any good messaging system seeking to save users from themselves, drafts are “auto-saved” periodically.

Yahoo!’s prior responses and the court’s order gets bogged down in a discussion of when and how auto-save works which, while important, ignores the heart of the matter.   Yahoo! never clearly explains how auto-saved drafts might be retained in either “Draft” or “Archive” folders until deleted, double deleted and purged from the server cache or “Dumpster.”

While the outcome of the purported fishing expedition into Yahoo!’s email practices may never be published due to protective orders, it is more likely than not the source of the offending messages will be the digital analog of a time honored, traditional law enforcement investigative method:  Dumpster diving.

[i] Browning Marean, an attorney with DLA Piper, was known to many in the electronic discovery world as the “Godfather of eDiscovery.”  A prolific speaker, writer and general litigation raconteur, he described the litigation electronic discovery process in ways no one else could, then or since.

U.S.-EU Privacy Shield receives final approval, scheduled to go live on August 1.

Everett Monroe 
Everett Monroe
July 15, 2016

The European Commission has approved the EU – U.S. Privacy Shield to replace the Safe Harbor program invalidated by the European Court of Justice last year in Schrems v. Data Protection Commissioner. The Privacy Shield governs the transfer of personal information from the European Union to businesses in the United States. Indeed, it is apparent from the formal approval documents that the European Commission and the U.S. Department of Commerce made great efforts to address the procedural and substantive deficiencies identified in Schrems as well as criticisms raised by the EU’s data protection commissioners.

Key new requirements of the Privacy Shield for businesses include:

  • disclosing more information in their privacy policies,
  • introducing additional recourse mechanisms for data subjects for Privacy Shield violations, and
  • limiting data retention based on the original purposes for data collection.

These new requirements may prove challenging for many businesses. The Safe Harbor framework required assurances that the transferee provided an equivalent level of protection to the Safe Harbor. Whereas, the Privacy Shield requires data holders obtain privacy protective contracts from their business partners, even if the contractor participates in the Privacy Shield or uses other compliance mechanisms. Companies that commit to the Privacy Shield in the first two months of implementation will be given a nine-month grace period to bring existing data sharing arrangements with their vendors and partners into compliance.

The Privacy Shield increases EU regulatory oversight, including the imposition of an annual joint review of the program and a formal exit procedure in the event the Commission finds the program deficient. The joint review will involve reporting—albeit limited—on U.S. intelligence activities intended to address the European Court of Justice’s concerns that the Safe Harbor decision did not include an analysis of the civil liberties protections from surveillance authorities. The results of the first review will be critical to the viability of the Privacy Shield and the confidence of businesses to avail themselves of it, as both the Article 29 Working Party and the European Data Protection Supervisor will scrutinize the application and enforcement of the Privacy Shield closely.

The Privacy Shield kept the benefits of the Safe Harbor’s light administrative procedures and self-certification framework that provides an easier way to receive EU data subject information than other mechanisms like model contract clauses or binding corporate rules. But businesses seeking to avail themselves of this option should be aware of the more stringent requirements, as well as the increased pressure on Federal agencies to show to EU authorities that the framework will substantively protect the privacy of EU data subjects, especially in the first year.

Are “App Developers Now in Panic Mode?”

William Kellermann 
William Kellermann
May 10, 2016

In a significant break from a long-standing series of contrary decisions, the First Circuit Court of Appeal revived a plaintiff’s case alleging violation of the Video Privacy Protection Act, (VPPA) 18 U.S.C.§ 2710, against USA Today. Yershov v. Gannett Satellite Information Network, Inc., d/b/a USA Today, No. 15-1719 (1st Cir. Apr. 29, 2016).

At the heart of Alexander Yershov’s case is the allegation that USA Today, through an Android phone app, improperly disclosed personally identifiable information to a third-party, Adobe Systems. The disclosure allowed Adobe to identify and track Yershov and other users of the USA Today app across multiple devices, apps and services. In this instance, USA Today contracted with Adobe to provide third-party analytics services. The USA Today app provides access to in-app video.

The VPPA was originally enacted to provide protection for the viewing habits of consumers in the days of VHS videotapes. The Act specifically targeted practices by video rental outlets, such as the largely forgotten Blockbuster Video, to track and disclose customer video rental preferences. The VPPA came about in reaction to the disclosure of Supreme Court nominee Robert Bork’s video rental records in a newspaper, and protects personally identifiable rental records of “prerecorded video cassette tapes or similar audio visual material.” However the language of the act does not limit enforcement to “renters.” Moreover, modern disputes center on the definition of “similar audio visual material” such that the viewing history of online video qualifies for protection.

The matter came up on appeal after the District Court for the District of Massachusetts granted a motion to dismiss. The district court ruled that while the app collected and disclosed personally identifiable information (PII), as defined by the VPPA, Yershov was not a “renter, purchaser, or subscriber” of, or to, Gannett’s video content, and therefore was not a “consumer” protected by the Act. 18 U.S.C.§ 2710(a)(1), (b)(1). The court of appeal agreed with the district court analysis that the information collected in the app, the unique Android device ID and GPS location coordinates, constituted PII. While neither court illuminated whether or not the device ID or GPS coordinates each independently constitute elements of PII, the circuit court focused on the linkage between the two stating:

“While there is certainly a point at which the linkage of information to identity becomes too uncertain, or too dependent on too much yet-to-be-done, or unforeseeable detective work, here the linkage, as plausibly alleged, is both firm and readily foreseeable to Gannett.”

However, the court of appeal disagreed that Yershov was not a consumer protected by the Act and remanded the case for further proceedings. Yershov limited his allegation to contend he was a “subscriber” under the Act. The court found Congress failed to define the term “subscriber” nor provide a clear indication they had a specific definition of the term in mind. Using dictionary definitions for “subscribe” and “subscription,” where a subscription is defined as an agreement to receive or be given access to electronic texts or services, the court found:

“…Gannett offered and Yershov accepted Gannett’s proprietary mobile device application as a tool for directly receiving access to Gannett’s electronic text and videos…”

The court further held the failure to pay for subscription services is not dispositive of whether or not one is a subscriber. To do so would render the category “subscriber” superfluous in light of the “purchaser” or “renter” categories included in the Act. Further, the PII provided to Gannett had sufficient value to act as consideration for the subscription services.

The Yershov decision signals a circuit split on the definition of PII under the Act. The Ninth Circuit previously held in In re Nickelodeon Consumer Privacy Litigation, 2015 WL 248334, MDL No. 2443 (SRC) (D.N.J. Jan. 20, 2015) that the disclosure of user attributes (such as demographic information, unique identifier and IP address), without more, does not amount to disclosure of someone’s personal identity.

The decision in Yershov also creates a split among the circuits as to the definition of “subscriber” under the VPPA. The Eleventh Circuit previously ruled an app downloader is not a subscriber in Ellis v. The Cartoon Network, Inc., 2015 WL 5904760 (11th Cir. Oct. 9, 2015) analogizing an app to a browser bookmark or “Favorites” link.

This case signals a shift in the views of the federal judiciary as to the application of the Act to cutting edge technology. In addition to the Ellis and Nickelodeon cases, previous courts have generally dismissed cases under the Act on a number of grounds. For example the court dismissed a complaint under the Act alleging failure to purge subscriber information (Sterk v. Redbox, 7th Circuit, March 6, 2012) A district court also dismissed a case alleging unlawful disclosure of viewing history and queue titles through enabled devices (Mollett v. Netflix, N.D. Cal.; Aug 17, 2012). Claims alleging violation of the VPPA traditionally subjected plaintiffs to an up-hill battle. A new paradigm may have significant consequences for in-app advertising as well as big data analytics.

Many companies large and small develop apps to build brand identity and market goods and services. Startups, like Cambridge, Massachusetts’ Media Mob, provide a ready platform linking clients with artists and designers to quickly and cheaply build apps. These apps often use video as a means to communicate about the company. Last, the apps may capture a trove of data about the user, often based on the use of developer templates or tools, and unbeknownst to the company that commissioned or developed the app. Hence the tweet from counsel for Plaintiff Jay Edelman, on receipt of the First Circuit opinion:

“Huge privacy decision just handed down. 1st Cir. holds that Android ID is PII. App Developers now in panic mode. Great job Ryan & @edelsonpc”

Proposed Privacy Shield framework criticized by European Parliament, civil liberties groups

Everett Monroe 
Everett Monroe
April 7, 2016

On February 29, the European Commission published its complete draft of the EU-U.S. Privacy Shield framework. The framework, if approved, will replace the invalidated Safe Harbor, which was the governing mechanism for the transfer of European personal data to the U.S. for commercial purposes. The framework has been criticized by members of the European Parliament and civil liberties groups in the United States.

The Privacy Shield keeps the basic self-certification mechanism of Safe Harbor, but contains new substantive requirements for U.S. businesses. Privacy Shield participants would need to meet a number of new requirements, as well as more exacting versions of old requirements.

  • Privacy notices must include more information about Privacy Shield requirements than previously needed under Safe Harbor. Businesses will need to make clear their participation, identify redress mechanisms available to European Data Subjects, and explain under what circumstances it will disclose personal data to government agencies for law enforcement or national security purposes
  • Participating businesses will fund a last resort arbitration system, in addition to providing other dispute resolution mechanisms to EU data subjects free of charge
  • Third party data controllers will have to agree by contract to maintain Privacy Shield protections before a participating business can disclose personal information to them. This will be the case even if the third party independently meets EU data transfer requirements
  • Participating businesses must continue to protect data collected under Privacy Shield – even if it later chooses not to re-certify or is disqualified from participating.

Federal agencies have also committed to stronger oversight of the Privacy Shield framework. The Department of Commerce has agreed to step up monitoring and to designate an official contact for European Data Protection Authorities to receive and respond to inquiries, inform them of potential violators, and facilitate resolution of complaints. The Federal Trade Commission has also pledged to step up enforcement, and both agencies will participate in a joint annual review of the framework with the European Commission and Data Protection Authorities.

To satisfy the European Court of Justice’s requirements from the Schrems decision, the Privacy Shield framework includes letters from Office of the Director of National Intelligence and the Department of Justice detailing U.S. regulation of national security surveillance and law enforcement access to data. The framework also establishes a State Department Ombudsman responsible for addressing grievances of EU data subjects over specific alleged surveillance abuses.

Privacy groups and European lawmakers in the European Parliament’s civil liberties committee viewed the framework’s safeguards against improper surveillance with skepticism. Committee members questioned whether commitments made about surveillance by the Office of the Director of National Intelligence and the Department of Justice were suffiently binding and enforceable. In addition, a number of civil liberties group sent a letter expressing their view that legislation from Congress is the only way to guarantee that European personal data would be protected from indiscriminate surveillance.

The European Commission hopes to finalize the Privacy Shield this summer. Before that can happen, the Article 29 Working Party has to give its opinion on the framework, and representatives from EU Member State governments must assent to it. The view of the Working Party is important, despite their inability to officially reject the framework, because the individual Data Protection Authorities that make up the working party can challenge the framework in future court actions. While a negative opinion of the framework is not fatal to finalization, it could signal future challenges to the framework in European courts.

Department of Commerce and European Commission Agree on New EU-US Privacy Shield Framework

Samir Abdelnour 
Samir Abdelnour
February 10, 2016

Last week, the European Commission announced  they had reached  agreement with the United States Department of Commerce on a new framework for the transfer of personal data of EU data subjects from EU member states to the U.S. The new data framework, called the EU-US Privacy Shield, attempts to address concerns cited by the European Court of Justice that caused it to invalidate the EU-US Safe Harbor last October.

The Privacy Shield will require participating businesses to make and publish their privacy commitments, though it is unclear exactly what substantive commitments will be required. Similar to the Safe Harbor framework, the Department of Commerce and the Federal Trade Commission will enforce those commitments. The new framework will also formalize dispute resolution mechanisms. Businesses will be encouraged to resolve disputes in house, but the Privacy Shield would establish a free (to the data subject) external dispute resolution mechanism. The framework also allow National Data Protection Authorities to refer complaints they receive to the Federal Trade Commission.

Continue reading Department of Commerce and European Commission Agree on New EU-US Privacy Shield Framework

President Obama Presents Cybersecurity Action Plan

Everett Monroe 
Everett Monroe
February 9, 2016

Today President Obama unveiled his new Cybersecurity National Action Plan as part of his 2017 budget proposal to Congress. The Plan has a broad scope designed to address many of the cybersecurity issues that gained high visibility in 2015. In particular, the Plan focus on issues with Federal cybersecurity infrastructure: modernizing antiquated software and systems vulnerable to cyber attacks, developing uniform cybersecurity practices, and developing best practices for Federal agencies to follow in managing both data security and data privacy.

A strong piece of the Plan involves the Commission on Enhancing National Cybersecurity, which the President established today by executive order. The President will appoint up to twelve people to the Commission, with recommendations from Congressional leadership. The Commission will issue a report before the end of the year making recommendations in a number of cybersecurity areas including IT procurement and modernization practices, best practices for networking security, and cybersecurity risk management for Federal agencies, as well as for business and consumers. The Plan also explains implementation of Commission recommendations.

Continue reading President Obama Presents Cybersecurity Action Plan

Congress Includes Measures to Ease Privacy Notice Requirements and Cyberthreat Sharing into Appropriations Bills

Everett Monroe 
Everett Monroe
December 18, 2015

Congress has been busy passing last minute appropriations bills before the year ends to fund the government through the end of the fiscal year and to plan long term infrastructure spending. Congress has added some provisions to those bills that affect federal privacy and cybersecurity laws.

Continue reading Congress Includes Measures to Ease Privacy Notice Requirements and Cyberthreat Sharing into Appropriations Bills