Technology, Privacy, And Data Security

Defining the Limits of the Computer Fraud and Abuse Act: The Ninth Circuit’s Second Take on United States v. Nosal.

Everett Monroe
November 4, 2015

Is it a federal crime to use a co-worker’s password, with that co-worker’s permission, in order to access information for an improper purpose? What about those who obtain usernames and passwords from unwitting victims in an email scam? What does it mean to have authority to access a computer system, and who can give that authority? Could Congress have anticipated these questions in 1986 when it passed the Computer Fraud and Abuse Act (“CFAA”)? A three-judge panel of the Ninth Circuit Court of Appeals wrestled with these questions recently as it tried to augur the limits of the CFAA during oral argument in United States v. Nosal.

The CFAA makes it a federal crime to access a computer without authorization or in a manner that exceeds authorized access. The Act also gives hacking victims a civil right of action. The same prohibition underlies both the criminal and the civil claim, so either one requires proof that the alleged hacker accessed the computer without authorization or exceeded the authorization he or she had.


Senate Passes Cybersecurity Information Sharing Act

Everett Monroe
October 30, 2015

On Tuesday, the United States Senate passed S. 754, the Cybersecurity Information Sharing Act (“CISA”). CISA’s goal is to facilitate and improve the sharing of cybersecurity threat information between private businesses and the federal government. While CISA will likely undergo changes and must clear further steps before it becomes law, Senate passage was a major hurdle: bills similar to CISA have been pending before Congress since 2012 without success.

Under CISA, the federal government would set guidelines and procedures for receiving cyberthreat information from businesses and sharing cyberthreat information with businesses. The Department of Homeland Security would create a preferred process for businesses to use when sharing cyberthreat information.

Businesses would be given legal protections from antitrust, trade secret, and some civil suits for cyberthreat information they share under the statute. Businesses and government entities would be required to remove personal information not directly related to the threat before sharing it. Businesses would also be given immunity from suit for monitoring their own computer networks for cybersecurity purposes, and would be authorized to deploy defensive measures.

CISA will now go to conference committee to be reconciled with HR 1560, which combines two similar bills passed by the House of Representatives in April. A single form of the legislation will be agreed upon. Once passed, the resulting bill is expected to be signed by President Obama, consistent with the directives he announced at the Cybersecurity Summit at Stanford University on February 13, 2015, at which time he signed Executive Order No. 13691, entitled Promoting Private Sector Cybersecurity Information Sharing.

California Updates Its Data Privacy And Security Laws For 2016

Everett Monroe
October 20, 2015

The end of the first year of California’s legislative session brings several bills that modify California’s data privacy and security regime. A number of these bills expand California’s protections for personal information and will affect how California businesses and government agencies protect, use, and disclose the data they collect. The bills will go into effect January 1, 2016.

Three new laws modify California’s data breach notification statute:

AB 964 defines “encrypted” information as “rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.” The new definition is similar to the one used under HIPAA. Notification to consumers is not required if only encrypted data is breached. Note that the definition is outcome-based rather than naming particular algorithms or key lengths: whether the data was genuinely unusable to the attacker (for example, where the decryption key was stored alongside it or was taken in the same intrusion) remains a factual question for the business to answer before relying on the exemption.

SB 570 mandates that data breach notices sent to California residents be titled “Notice of Data Breach” and use specified headings, displayed clearly and conspicuously in the notice, and that the body of the notice be in no less than 10-point type. It also provides an optional model form.

SB 34 includes Automatic License Plate Reader (“ALPR”) data in the personal information definition of the data breach statute, which means that ALPR operators would have to provide notice to California residents if they experience a data breach. This law also requires ALPR system operators to publish a privacy policy.


European Court Of Justice Rules US-EU Safe Harbor Invalid

Everett Monroe
October 9, 2015

This week the European Court of Justice issued its judgment in Maximillian Schrems v. Data Protection Commissioner, finding the European Commission’s US-EU Safe Harbor decision invalid because the framework failed to provide adequate limitations on, or remedies against, access to transferred data by US public authorities for national security purposes.

The US Department of Commerce and the European Commission negotiated the Safe Harbor framework to provide adequate privacy protections for the personal information of European data subjects transferred to businesses in the United States. US companies participating in the Safe Harbor self-certified to the Department of Commerce that they would abide by seven privacy principles: notice, choice, onward transfer, security, data integrity, access, and enforcement.

The decision from the European Court of Justice removes this protection for US businesses seeking to transfer data from European entities and individuals. The judgment also increases the obligations on national data protection authorities to more closely monitor the adequacy of data transfer mechanisms and to depend less on the European Commission’s authority. Businesses in the US participated in the Safe Harbor to get approval to transfer data out of Europe without seeking approval from each individual EU country. It removed the need to get 28 different approvals for Europe wide business transactions, and protected cloud service providers from being forced to maintain separate European servers. It eased the way for cooperation between US and EU businesses, and lowered barriers for data transfers between US companies and their European subsidiaries.

Responses from US regulatory authorities have been guarded. The Chairman of the Federal Trade Commission, the primary enforcement body for the Safe Harbor in the United States, issued a short statement that “we will continue to work together with our European colleagues to develop effective solutions that protect consumer privacy with respect to cross-border data transfers.” The Department of Commerce expressed deep disappointment in the decision and called for an expedited release of the updated Safe Harbor framework, noting that it is prepared to work with the Commission to address the uncertainty created by the Court’s decision. Meanwhile, the Article 29 Working Party, a body made up of the national data protection authorities and representatives of EU institutions, announced a meeting this week to consider what guidance to provide European and United States organizations in the wake of the decision.


With data privacy, you better do what you say you are doing

Everett Monroe
September 28, 2015

Data privacy commitments are often enforced by administrative agencies under state and federal unfair competition laws. Enforcement actions against companies that fail to meet the commitments they make to consumers are a common occurrence.

Comcast’s recent $33,000,000 settlement with the California Attorney General is a good example of how state agencies will take administrative action against companies who tell customers one thing and then do something else. Between 2010 and 2012, Comcast mistakenly published the directory information of VoIP customers that had paid Comcast not to list them. The first cause of action in the complaint against Comcast was for a violation of California’s unfair competition law: Comcast broke its promise to its customers that it would not publish directory listing information.

The Federal Trade Commission often uses its enforcement authority over unfair and deceptive business practices to pursue companies that do not fulfill their privacy commitments. A recent example is the Commission’s complaint against Nomi Technologies. Nomi tracked mobile devices in and around participating retail locations by collecting the MAC addresses their Wi-Fi interfaces broadcast (hashed before storage), which let it generate data on how often and how long customers entered a location and on their shopping habits. The FTC’s complaint alleged that Nomi failed to meet two commitments in its privacy policy: (1) that customers would be informed which retail locations used Nomi’s service, and (2) that customers would be able to opt out of the tracking at those locations. The FTC obtained a 20-year order requiring Nomi to honor its stated commitments and submit to compliance monitoring.

A recent FTC update shows a group of thirteen companies caught claiming that they were certified under the US-EU Safe Harbor in their privacy policies when, in fact, their certifications had lapsed or they were not certified at all. Another group of six companies faced similar charges in 2009.

Intentional wrongdoing is not the centerpiece of these charges. The Comcast complaint alleges that the disclosures were the result of a technical mistake, and the Nomi Complaint does not claim that the company was intentionally deceiving consumers. Regardless, these agencies have made it clear that companies will be held responsible for failing to keep commitments they make to the public.

US/EU “Safe Harbor” Agreement Ruled Invalid By EU Judge

William Kellermann
September 23, 2015

In an influential opinion published September 23, 2015, European Court of Justice (ECJ) Advocate General Yves Bot recommended that the ECJ find the US/EU “Safe Harbor” Agreement invalid. The 40-page opinion is a preliminary victory for Austrian law student and privacy advocate Maximillian Schrems, but stands to cast the data transfer practices of many companies into turmoil.

The case stems from Schrems’ crusade against the data privacy and data transfer practices of Facebook in light of Edward Snowden’s revelations about the US National Security Agency’s PRISM surveillance program. Schrems complained to the Data Protection Commissioner in Ireland, where Facebook locates its servers for services to its EU user base, and challenged the Commissioner’s refusal to act in the High Court of Ireland, which referred the matter to the ECJ for a preliminary ruling.

While the Advocate General’s opinion is advisory only, and binds no one unless and until the ECJ adopts it in its judgment, the recommendations found in Bot’s opinion would upend many commercial practices regarding data transfer from the EU to US-based servers. While the NSA’s PRISM program targeted the data of nine internet companies, such as Microsoft, Google, Apple and Facebook, the unraveling of the Safe Harbor agreement could have far-reaching effects on any company with EU operations that sends data about EU citizens, including employees, to the US.

The case is Maximillian Schrems v Data Protection Commissioner, Case C‑362/14, pending in Luxembourg.

Third Circuit Affirms FTC Authority to Regulate Cybersecurity

Batya Forsyth and William Kellermann
September 2, 2015

If it wasn’t clear before, data breaches are now a federal affair, in addition to falling under various statutes and regulations in 47 states. Since 2000, the Federal Trade Commission (FTC) has styled itself the “primary federal data security regulator” in the United States. Beginning in 2005, the FTC has brought numerous data security enforcement actions, primarily under the authority found in Section 5 of the Federal Trade Commission Act. Yet nowhere in the Act are there explicit references to “data privacy,” “data security” or the more modern moniker, “cybersecurity.”

Until recently, targets of FTC investigations or enforcement actions arising from data breaches have chosen administrative settlements rather than fight. That changed as a result of the Wyndham Worldwide hotel chain data breaches and Wyndham’s subsequent resistance to FTC enforcement. Under the recent ruling in Federal Trade Commission v. Wyndham Worldwide Corporation, et al., __ F.3d __, 2015 WL 4998121 (3d Cir. Aug. 24, 2015), FTC regulatory authority appears to be on solid ground.

Section 5 of the FTC Act grants the FTC broad authority to prevent the use of unfair and deceptive trade practices. 15 U.S.C. § 45(a)(1) and (2). While banks, savings and loans, federal credit unions and certain transportation companies are exempt, 15 U.S.C. § 45(a)(2), the Act otherwise casts a broad net across industries.

Wyndham Worldwide owns or operates a hotel chain and provides centralized IT services to franchises, as well as its own properties. The FTC enforcement action stemmed from a series of data breaches that gave hackers access to payment card information for more than 619,000 customers. The hacks later gave rise to more than $10.6 million in fraudulent charges.

The FTC brought its action against Wyndham in the United States District Court for the District of New Jersey, alleging that the company’s data security practices were an “unfair practice” and that its privacy policy was “deceptive” under Section 5 of the Act. The FTC complaint alleged that Wyndham misrepresented the security measures it took to protect customer personal information, and that Wyndham’s cybersecurity efforts were unfair in light of the FTC’s published security guidance. The District Court denied Wyndham’s motion to dismiss, finding that the FTC had the authority to regulate data security practices. Notably, the Court further found that the FTC did not have to issue formal regulations before bringing enforcement actions. Two issues were certified for interlocutory appeal to the Third Circuit:

  1. Whether the FTC has authority to regulate cybersecurity under the unfairness prong of 15 U.S.C. § 45(a); and,
  2. Assuming such regulatory authority, whether Wyndham had fair notice its specific cybersecurity practices could fall short of the statutory requirement.

The Third Circuit affirmed the District Court, finding ample authority for the FTC to regulate cybersecurity under the unfairness prong of the Act, and holding that the Act’s text, the FTC’s enforcement history and its published guidance gave Wyndham fair notice of what cybersecurity policies and practices could fall short of the statutory standard.

While the FTC Act grants the FTC both rulemaking and enforcement authority under Section 5, the FTC has not enacted formal rules or regulations specifically addressing data security requirements. As the Wyndham opinion makes clear, companies must therefore rely on FTC publications, data security complaints and consent decrees to determine whether their data security programs meet FTC expectations. To that end, the FTC published Protecting Personal Information: A Guide for Business, which sets forth five principles on which a company should base its data security practices:

    • Be aware of all the personal information collected, retained and shared.
    • Keep only personal information required for legitimate business operations.
    • Use physical and electronic security to protect the information an organization retains.
    • Properly dispose of personal information as soon as it is no longer necessary for business operations.
    • Have a plan to respond to security incidents.

The FTC is seen as having a central role in protecting consumers. However, just as the FTC Act is silent on the topic of data security, nothing in 15 U.S.C. § 45(a) limits the FTC’s authority to “consumer” data per se. The Act empowers the Commission to address “unfair or deceptive acts or practices in or affecting commerce.” That broad mandate, coupled with the guidelines established by the Commission and the holding in the Wyndham opinion strongly suggests all companies must now address their cybersecurity policies and practices. Companies must ensure the policies and practices meet the guidelines set by the FTC, at least with respect to the personally identifiable information (PII) of employees, contractors and business partners that finds its way onto company systems.

The first four bullets of the FTC Guidelines are essential elements of an Information Governance program. One could argue after the Wyndham opinion that the failure to institute an information governance program puts an enterprise squarely in the sights of a costly and time consuming FTC enforcement action in the event of a data breach. Conversely, implementing an IG program, coupled with a well-crafted cyber incident response plan, will help a company stave off or mitigate the effects of FTC scrutiny. Moreover, an IG program comes with added benefits of reduced cost and risk associated with data storage as well as reduced cost whenever a company must respond for compliance or other investigations or to parties in litigation. If your company has not considered an Information Governance program before now, perhaps now is the time. Moreover, outside counsel are essential members of an incident response team, providing legal risk analysis, representation and the umbrella of privilege for communications.

Preserving Your CEO’s Vehicle Infotainment System Data

William Kellermann
August 7, 2015

Like the technology ecosystem it feeds from, electronic discovery is rife with acronyms, for good or ill. One of the more recent is COPE, “Company Owned, Personally Enabled.” The target of COPE is mobile devices: tablets, phablets, smartphones, whatever your preferred nom du jour. It is the counterpoint to BYOD (“Bring Your Own Device”), the other way in which mobile devices significantly affect enterprise security, privacy and electronic discovery efforts. Which raises the question: does your Enterprise Mobility Management (EMM) program consider the ultimate corporate mobile device, the company car?

In the latest episode of vehicle hack-a-mania, Wired reports the successful hack of a Tesla Model S: Researchers Hacked a Model S, But Tesla’s Already Released a Patch. This report is just the latest in a series of similar exploits, starting with the Jeep Cherokee hack reported two weeks ago: Hackers Remotely Kill a Jeep On The Highway – With Me In It. The motivation for the Tesla hack was to demonstrate a way to virtually “hot wire” and steal a Tesla, otherwise thought to be impervious to traditional methods of auto theft. But what both hacks reveal is a more insidious threat vector.

In each of the hacks demonstrated thus far, the researchers reached the vehicle’s control systems by first compromising the car’s infotainment system, the Bluetooth- and smartphone-enabled navigation and entertainment computer installed in many new vehicles. The head unit is the bridge: it is the component exposed to the outside world (cellular, Wi-Fi, Bluetooth, USB, or a physical port) and it is also connected to the vehicle’s internal control network. Therein lies the rub. Beyond being a way to steal a car or wreak havoc with its operation, these systems are a virtual gold mine of hacker intelligence or electronic discovery data, depending on where you sit.

I recently discussed new technology to forensically collect vehicle infotainment system data, such as iVe by Berla, with a close friend in the computer forensics business.  He related how in a test, a forensic analyst was able to extract the user and vehicle event data from over 30 prior users of a rental car.  User data includes call logs, contacts, text messages, navigation data and the names and MAC addresses of connected devices.  Examples of vehicle event data include doors opening, closing and locking, light activation, device connections, system resets and transmission shifter activation, such as a sequence from “park” to “reverse” to “drive.” Each event is accompanied by a time and date stamp, as well as geolocation data if the vehicle has a navigation system.  In all there are over 250 data attributes forensically available in the modern computerized vehicle system.  Much of this data is captured in addition to the better known vehicle “black box” (event data recorder) data found in most late-model cars and trucks and targeted for accident reconstruction.

Have your executives ever synchronized their smartphone with the system in a rental car? What about the systems in a company car or their personal vehicles? Much of the information listed above will have leaked onto those systems. For every hacker who has ever rented a car, all of this information is low-hanging fruit. It is also sitting unprotected in every vehicle traded in or sold, as most vehicles offer no reliable way to wipe it: even where a head unit has a “delete paired device” or factory-reset option, that typically removes the pairing entry rather than overwriting the underlying storage that forensic tools read. If nothing else, contact lists are extremely valuable for initiating spear-phishing attacks: spoofing an executive’s email or text-messaging address to send malware-laden payloads to trusted advisors such as lawyers, doctors, accountants and financial services professionals.

Moreover, to the extent the company is obligated to preserve and collect this data for electronic discovery, is that data source contemplated by your internal electronic discovery protocols? As with anything else, such devices may be bane or boon, depending on your particular circumstances. Text messages deleted from a phone may be recovered from the car and save the company from a spoliation sanction. On the flip side, a savvy opposing counsel may make a credible argument that the data should have been collected for preservation before the executive traded in the car.

As with everything else with technology, these concepts may take some time to seep into the consciousness of the legal profession.  Nevertheless, forward thinking lawyers and technologists have another dimension to track when mapping out data sources for investigations and discovery.  Similarly, Information Governance professionals must consider the retention, disposition, security and privacy impacts presented by vehicle infotainment systems bridged to corporate information systems via mobile devices.

Court: No expectation of privacy in a pocket-dialed conversation

William Kellermann
July 27, 2015

Two steps forward, one step back.  In the introduction to a law review article entitled “Emerging Changes in the Practice of Law,” USC Law Center professor Louis M. Brown wrote of the “Fable of the Telephone.”  Essentially, the story goes that back in 1878, white-shoe New York law firms resisted use of the telephone in their law offices because there was no protection for client confidentiality in the age of the party line.[i]  When clients demanded access to telephones, pay phones were installed in the lobby.  It would be many years before the expectation of privacy was established in the law for telephone conversations and more than 100 years before the last commercial party lines were eliminated in the US.

The same late 19th century lawyers also rejected the typewriter (there was no precedent upholding the legal validity of documents created on a typewriter) and female legal secretaries (because of the prevailing view women gossiped too much and would constitute a threat to the confidentiality of office communications.)  How times have changed.  Nevertheless, with respect to the telephone, there is a kernel of truth in the concerns of those luddite lawyers (all men, by the way).

Fast forward to the 2014 holiday season and the proliferation of “Smart Televisions.”  The press was replete with dire warnings of the anti-privacy effect of voice recognition and control, based on this statement in a privacy policy:

“Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party…”  Samsung Privacy Policy – Smart TV Supplement

Put simply, if you want to use voice recognition to control your TV, you consent to having everything said in front of your TV recorded and uploaded to Nuance, the third-party company providing voice recognition services to Samsung.  See Not in front of the telly: Warning over ‘listening’ TV  BBC News, 9 February 2015.

So it should come as no surprise that the Sixth Circuit Court of Appeals recently held that a person whose phone inadvertently transmits a conversation to a third party by what the court called a “pocket dial” has no reasonable expectation of privacy in that conversation, because he failed to take simple precautions, such as locking the phone, to prevent the call. Bertha Huff, et al. v. Carol Spaw, 2015 FED App. 0157P (6th Cir. July 21, 2015).


Baseball Rivalry Takes the Low Road In Potential Data Hack

William Kellermann
June 16, 2015

Step aside Video-gate and Deflate-gate. Baseball inter-team rivalry has taken a new turn to the dark side. In the first known case of corporate espionage involving sports teams, the St. Louis Cardinals are under investigation for hacking the corporate network of the Houston Astros. The F.B.I. and Justice Department prosecutors are investigating whether one of the most successful teams in baseball over the past two decades hacked into internal networks of a rival team to steal closely guarded information about player personnel. Investigators have uncovered evidence that Cardinals officials broke into a network of the Houston Astros that housed special databases the team had built.

Of all teams to hack, why the Astros? The motive appears to be revenge by front-office employees against a former colleague. Astros general manager Jeff Luhnow was a highly successful executive with the Cardinals until 2011. At St. Louis, Luhnow built a computer network called Redbird housing databases of all the Cardinals’ baseball operations information, including scouting reports and player personnel information. Luhnow used the databases to create the best minor league system in baseball and engineer a “Moneyball” style re-tooling that led to the Cardinals’ 2011 World Series championship. After leaving to join the Astros, Luhnow created a similar system in Houston known as Ground Control. Under Luhnow, the Astros have accomplished a striking turnaround, and now lead the American League West.
