Tag Archives: Cyberlaw

California Passes Law Requiring Data Breach Notification for Stolen Encryption Keys

Everett Monroe
September 14, 2016

Governor Brown signed into law AB 2828, which will update California’s breach notification statute. The law addresses encrypted personally identifiable information that has been breached in cases where the encryption keys are also compromised. The law will go into effect January 1st.

AB 2828 seeks to close a loophole in California’s current data breach notification law, Civil Code Section 1798.82, under which a business must notify affected persons of a data breach where unencrypted personal information is lost. Presently, Section 1798.82 does not expressly require notification where the lost data was encrypted but the encryption key was also lost or improperly disclosed. That data is at as much risk as unencrypted information, yet there is no requirement to notify affected individuals. At the same time, requiring companies to report all data breaches in which encrypted information was lost but the key remains secure may result in notifications to individuals who are not at serious risk of identity theft, fraud, or loss of privacy.

Three Lessons from the Federal Trade Commission’s LabMD decision

Everett Monroe
August 10, 2016

The Federal Trade Commission (FTC) has made good data security practices a focus of its mission in recent years. It has issued guidance, held workshops, and brought enforcement actions against businesses that fail to implement common sense measures to protect their data. The Third Circuit’s opinion in Wyndham v. FTC acknowledged the Commission’s authority to hold companies accountable for claiming to have better data security than they do. Now, the Federal Trade Commission’s opinion and order In the Matter of LabMD, Inc. makes clear that good security practices are a must, regardless of the claims a business makes to consumers.

The unanimous opinion by the Commission includes a long list of LabMD’s data security failures, but it focuses on employees’ administrative access to the computers. This access allowed an employee to install peer-to-peer file sharing software and configure it so that it made patients’ sensitive medical data available outside the company. A security firm found the vulnerability, acquired some of the sensitive data, and then informed LabMD of the vulnerability in conjunction with an offer to provide security services. Here are three lessons that all businesses can glean from the FTC opinion.

U.S.-EU Privacy Shield receives final approval, scheduled to go live on August 1.

Everett Monroe
July 15, 2016

The European Commission has approved the EU – U.S. Privacy Shield to replace the Safe Harbor program invalidated by the European Court of Justice last year in Schrems v. Data Protection Commissioner. The Privacy Shield governs the transfer of personal information from the European Union to businesses in the United States. Indeed, it is apparent from the formal approval documents that the European Commission and the U.S. Department of Commerce made great efforts to address the procedural and substantive deficiencies identified in Schrems as well as criticisms raised by the EU’s data protection commissioners.

Key new requirements of the Privacy Shield for businesses include:

  • disclosing more information in their privacy policies,
  • introducing additional recourse mechanisms for data subjects for Privacy Shield violations, and
  • limiting data retention based on the original purposes for data collection.

These new requirements may prove challenging for many businesses. The Safe Harbor framework required assurances that the transferee provided a level of protection equivalent to the Safe Harbor. The Privacy Shield, by contrast, requires data holders to obtain privacy-protective contracts from their business partners, even if the partner participates in the Privacy Shield or uses other compliance mechanisms. Companies that commit to the Privacy Shield in the first two months of implementation will be given a nine-month grace period to bring existing data sharing arrangements with their vendors and partners into compliance.

The Privacy Shield increases EU regulatory oversight, including the imposition of an annual joint review of the program and a formal exit procedure in the event the Commission finds the program deficient. The joint review will involve reporting—albeit limited—on U.S. intelligence activities intended to address the European Court of Justice’s concerns that the Safe Harbor decision did not include an analysis of the civil liberties protections from surveillance authorities. The results of the first review will be critical to the viability of the Privacy Shield and the confidence of businesses to avail themselves of it, as both the Article 29 Working Party and the European Data Protection Supervisor will scrutinize the application and enforcement of the Privacy Shield closely.

The Privacy Shield kept the benefits of the Safe Harbor’s light administrative procedures and self-certification framework that provides an easier way to receive EU data subject information than other mechanisms like model contract clauses or binding corporate rules. But businesses seeking to avail themselves of this option should be aware of the more stringent requirements, as well as the increased pressure on Federal agencies to show to EU authorities that the framework will substantively protect the privacy of EU data subjects, especially in the first year.

Proposed Privacy Shield framework criticized by European Parliament, civil liberties groups

Everett Monroe
April 7, 2016

On February 29, the European Commission published its complete draft of the EU-U.S. Privacy Shield framework. The framework, if approved, will replace the invalidated Safe Harbor, which was the governing mechanism for the transfer of European personal data to the U.S. for commercial purposes. The framework has been criticized by members of the European Parliament and civil liberties groups in the United States.

The Privacy Shield keeps the basic self-certification mechanism of Safe Harbor, but contains new substantive requirements for U.S. businesses. Privacy Shield participants would need to meet a number of new requirements, as well as more exacting versions of old requirements.

  • Privacy notices must include more information about Privacy Shield requirements than previously needed under Safe Harbor. Businesses will need to make clear their participation, identify redress mechanisms available to European data subjects, and explain under what circumstances they will disclose personal data to government agencies for law enforcement or national security purposes.
  • Participating businesses will fund a last resort arbitration system, in addition to providing other dispute resolution mechanisms to EU data subjects free of charge.
  • Third party data controllers will have to agree by contract to maintain Privacy Shield protections before a participating business can disclose personal information to them. This will be the case even if the third party independently meets EU data transfer requirements.
  • Participating businesses must continue to protect data collected under Privacy Shield, even if they later choose not to re-certify or are disqualified from participating.

Federal agencies have also committed to stronger oversight of the Privacy Shield framework. The Department of Commerce has agreed to step up monitoring and to designate an official contact for European Data Protection Authorities to receive and respond to inquiries, inform them of potential violators, and facilitate resolution of complaints. The Federal Trade Commission has also pledged to step up enforcement, and both agencies will participate in a joint annual review of the framework with the European Commission and Data Protection Authorities.

To satisfy the European Court of Justice’s requirements from the Schrems decision, the Privacy Shield framework includes letters from the Office of the Director of National Intelligence and the Department of Justice detailing U.S. regulation of national security surveillance and law enforcement access to data. The framework also establishes a State Department Ombudsman responsible for addressing grievances of EU data subjects over specific alleged surveillance abuses.

Privacy groups and European lawmakers in the European Parliament’s civil liberties committee viewed the framework’s safeguards against improper surveillance with skepticism. Committee members questioned whether the commitments about surveillance made by the Office of the Director of National Intelligence and the Department of Justice were sufficiently binding and enforceable. In addition, a number of civil liberties groups sent a letter expressing their view that legislation from Congress is the only way to guarantee that European personal data would be protected from indiscriminate surveillance.

The European Commission hopes to finalize the Privacy Shield this summer. Before that can happen, the Article 29 Working Party has to give its opinion on the framework, and representatives from EU Member State governments must assent to it. The view of the Working Party is important, despite their inability to officially reject the framework, because the individual Data Protection Authorities that make up the working party can challenge the framework in future court actions. While a negative opinion of the framework is not fatal to finalization, it could signal future challenges to the framework in European courts.

Department of Commerce and European Commission Agree on New EU-US Privacy Shield Framework

Samir Abdelnour
February 10, 2016

Last week, the European Commission announced they had reached agreement with the United States Department of Commerce on a new framework for the transfer of personal data of EU data subjects from EU member states to the U.S. The new data framework, called the EU-US Privacy Shield, attempts to address concerns cited by the European Court of Justice that caused it to invalidate the EU-US Safe Harbor last October.

The Privacy Shield will require participating businesses to make and publish their privacy commitments, though it is unclear exactly what substantive commitments will be required. As under the Safe Harbor framework, the Department of Commerce and the Federal Trade Commission will enforce those commitments. The new framework will also formalize dispute resolution mechanisms. Businesses will be encouraged to resolve disputes in house, but the Privacy Shield would establish an external dispute resolution mechanism that is free to the data subject. The framework also allows national Data Protection Authorities to refer complaints they receive to the Federal Trade Commission.

President Obama Presents Cybersecurity Action Plan

Everett Monroe
February 9, 2016

Today President Obama unveiled his new Cybersecurity National Action Plan as part of his 2017 budget proposal to Congress. The Plan has a broad scope designed to address many of the cybersecurity issues that gained high visibility in 2015. In particular, the Plan focuses on issues with Federal cybersecurity infrastructure: modernizing antiquated software and systems vulnerable to cyber attacks, developing uniform cybersecurity practices, and developing best practices for Federal agencies to follow in managing both data security and data privacy.

A strong piece of the Plan involves the Commission on Enhancing National Cybersecurity, which the President established today by executive order. The President will appoint up to twelve people to the Commission, with recommendations from Congressional leadership. The Commission will issue a report before the end of the year making recommendations in a number of cybersecurity areas, including IT procurement and modernization practices, best practices for network security, and cybersecurity risk management for Federal agencies as well as for businesses and consumers. The Plan also describes how the Commission’s recommendations will be implemented.

Defining the Limits of the Computer Fraud and Abuse Act: The Ninth Circuit’s Second Take on United States v. Nosal.

Everett Monroe
November 4, 2015

Is it a federal crime to use a co-worker’s password with permission in order to access information for an improper purpose? What about those who get usernames and passwords from unwitting victims in an email scam? What does it mean to have authority to access a computer system, and who can give that authority? Could Congress have anticipated these questions in 1986 when it passed the Computer Fraud and Abuse Act (“CFAA”)? A three-judge panel of the Ninth Circuit Court of Appeals wrestled with these questions recently as it tried to augur the limits of the CFAA during oral argument in United States v. Nosal.

The CFAA makes it a criminal offense to use a computer without authorized access or in a manner that exceeds authorized access. The Act also provides a civil right of action to hacking victims. The same prohibition applies to both criminal and civil causes of action, and requires proof on the issue of whether the activities of the alleged hacker either accessed the computer without authorization or exceeded the authorization he or she had.

Senate Passes Cybersecurity Information Sharing Act

Everett Monroe
October 30, 2015

On Tuesday, the United States Senate passed S. 754, the Cybersecurity Information Sharing Act (“CISA”). CISA’s goal is to facilitate and improve the sharing of information about cybersecurity threats between private business and the federal government. While CISA will likely undergo some changes and still has some steps to overcome before it becomes law, Senate passage was a major hurdle. Bills similar to CISA have been pending before Congress since 2012 without success.

Under CISA, the federal government would set guidelines and procedures for receiving cyberthreat information from businesses and sharing cyberthreat information with businesses. The Department of Homeland Security would create a preferred process for businesses to use when sharing cyberthreat information.

Businesses would be given legal protections from anti-trust, trade secret, and some civil suits for cyberthreat information they share under the statute. Businesses and government entities would be required to remove unnecessary personal information before sharing it. Businesses would also be given immunity from suit for monitoring their computer networks for cybersecurity purposes, and would be authorized to deploy defensive measures.

CISA will now go to conference committee to be reconciled with HR 1560, which is a combination of two similar bills passed by the House of Representatives in April. A single form of the legislation will be agreed upon. Once passed, the resulting bill is expected to be signed by President Obama, consistent with the directives he announced at the Cybersecurity Summit at Stanford University on February 13, 2015, at which time he signed Executive Order No. 13691, entitled Promoting Private Sector Cybersecurity Information Sharing.

Third Circuit Affirms FTC Authority to Regulate Cybersecurity

Batya Forsyth and William Kellermann
September 2, 2015

If it wasn’t clear before, data breaches are now a federal affair, in addition to falling under various statutes and regulations in 47 states. Since 2000, the Federal Trade Commission (FTC) has been the self-styled “primary federal data security regulator” in the United States. Beginning in 2005, the FTC instituted numerous data security enforcement actions, primarily under authority found in Section 5 of the Federal Trade Commission Act. Yet nowhere in the Act are there explicit references to “data privacy,” “data security” or the more modern moniker, “cybersecurity.”

Until recently, targets of FTC investigations or enforcement actions arising from data breaches have chosen administrative settlements rather than fight. That changed as a result of the Wyndham Worldwide hotel chain data breaches and Wyndham’s subsequent resistance to FTC enforcement. Under the recent ruling in Federal Trade Commission v. Wyndham Worldwide Corporation, et al., __ F.3d __, 2015 WL 4998121 (3d Cir. Aug. 24, 2015), FTC regulatory authority appears to be on solid ground.

Section 5 of the FTC Act grants the FTC broad authority to prevent the use of unfair and deceptive trade practices. 15 U.S.C. § 45(a)(1) and (2). While banks, savings and loans, federal credit unions and transportation companies are exempt, 15 U.S.C. § 45(a)(2), the Act otherwise casts a broad net across industries.

Wyndham Worldwide owns or operates a hotel chain and provides centralized IT services to franchises, as well as its own properties. The FTC enforcement action stemmed from a series of data breaches that gave hackers access to payment card information for more than 619,000 customers. The hacks later gave rise to more than $10.6 million in fraudulent charges.

The FTC brought its action against Wyndham in the United States District Court for the District of New Jersey alleging the company’s data security practices were an “unfair practice” and that its privacy policy was “deceptive” under section 5 of the Act. The FTC complaint alleged Wyndham misrepresented the security measures it took to protect customer personal information, and that Wyndham’s cybersecurity efforts were unfair in the face of the FTC’s published security guidance. The District Court denied Wyndham’s motion to dismiss, finding the FTC had the authority to regulate data security practices. Notably, the Court further found the FTC did not have to issue formal regulations before bringing enforcement actions. The Third Circuit certified two issues for interlocutory appeal:

  1. Whether the FTC has authority to regulate cybersecurity under the unfairness prong of 15 U.S.C. § 45(a); and,
  2. Assuming such regulatory authority, whether Wyndham had fair notice its specific cybersecurity practices could fall short of the statutory requirement.

The Third Circuit affirmed the District Court finding ample authority for the FTC to regulate cybersecurity under the Act, as well as clear guidance under the Act, the FTC’s regulatory enforcement history and published guidance as to acceptable conduct in setting cybersecurity policies and practices.

While the FTC Act grants the FTC both rulemaking and enforcement authority under Section 5, the FTC has not enacted formal rules or regulations that apply to data security requirements. As set forth in the Wyndham Worldwide order, companies must rely on FTC publications, data security complaints and consent decrees to determine if their data security programs comply with FTC standards. To that end, the FTC published Protecting Personal Information, A Guide for Business which sets forth five principles on which a company must base its data security practices:

  • Be aware of all the personal information collected, retained and shared.
  • Keep only personal information required for legitimate business operations.
  • Use physical and electronic security to protect the information an organization retains.
  • Properly dispose of personal information as soon as it is no longer necessary for business operations.
  • Have a plan to respond to security incidents.

The FTC is seen as having a central role in protecting consumers. However, just as the FTC Act is silent on the topic of data security, nothing in 15 U.S.C. § 45(a) limits the FTC’s authority to “consumer” data per se. The Act empowers the Commission to address “unfair or deceptive acts or practices in or affecting commerce.” That broad mandate, coupled with the guidelines established by the Commission and the holding in the Wyndham opinion strongly suggests all companies must now address their cybersecurity policies and practices. Companies must ensure the policies and practices meet the guidelines set by the FTC, at least with respect to the personally identifiable information (PII) of employees, contractors and business partners that finds its way onto company systems.

The first four bullets of the FTC Guidelines are essential elements of an Information Governance program. One could argue after the Wyndham opinion that the failure to institute an information governance program puts an enterprise squarely in the sights of a costly and time consuming FTC enforcement action in the event of a data breach. Conversely, implementing an IG program, coupled with a well-crafted cyber incident response plan, will help a company stave off or mitigate the effects of FTC scrutiny. Moreover, an IG program comes with the added benefits of reduced cost and risk associated with data storage, as well as reduced cost whenever a company must respond to compliance or other investigations or to parties in litigation. If your company has not considered an Information Governance program before now, perhaps now is the time. Finally, outside counsel are essential members of an incident response team, providing legal risk analysis, representation and the umbrella of privilege for communications.

Preserving Your CEO’s Vehicle Infotainment System Data

William Kellermann
August 7, 2015

Like the technology ecosystem it feeds from, electronic discovery is rife with acronyms, for good or ill. One of the more recent is COPE, “Company Owned, Personally Enabled.” The target of COPE is mobile devices: tablets, phablets, smartphones, whatever your preferred nom du jour. It is the counterpoint to BYOD (“Bring Your Own Device”), the alternative way that mobile devices significantly impact enterprise security, privacy and electronic discovery efforts. This raises the question: does your Enterprise Mobile Management (EMM) system consider the ultimate corporate mobile device, the company car?

In the latest episode of vehicle hack-a-mania, Wired reports the successful hack of a Tesla Model S (“Researchers Hacked a Model S, But Tesla’s Already Released a Patch”). This report is just the latest news about a series of similar exploits, starting with the Jeep Cherokee hack reported two weeks ago (“Hackers Remotely Kill a Jeep On The Highway – With Me In It”). The motivation for the Tesla hack was to demonstrate a way to virtually “hot wire” and steal a Tesla, otherwise thought to be impervious to traditional methods of auto theft. But what both these hacks reveal is a more insidious threat vector.

In each of the hacks demonstrated thus far, access to the command and control system was accomplished via a breach of the car’s infotainment system, the Bluetooth smartphone-enabled navigation and entertainment computer installed in many new vehicles. Therein lies the rub. In addition to being a method to steal or wreak havoc with vehicle operation, these systems are a virtual gold mine of hacker information or electronic discovery data, depending on where you sit.

I recently discussed new technology to forensically collect vehicle infotainment system data, such as iVE by Berla, with a close friend in the computer forensics business. He related how in a test, a forensic analyst was able to extract the user and vehicle event data from over 30 prior users of a rental car. User data includes call logs, contacts, text messages, navigation data and the names and MAC addresses of connected devices. Examples of vehicle event data include doors opening, closing and locking, light activation, device connections, system resets and transmission shifter activation, such as a sequence from “park” to “reverse” to “drive.” Each event is accompanied by a time and date stamp, as well as geolocation data if the vehicle has a navigation system. In all there are over 250 data attributes forensically available in the modern computerized vehicle system. Much of this data is captured in addition to better known vehicle “black box” data found in all late-model cars and trucks and targeted for auto accident reconstruction.

Have your executives ever synchronized their smartphone with the system in a rental car? What about the systems in a company car or their personal vehicles? Much of the above-mentioned information will have leaked onto those various systems. For every hacker who ever rented a car, all this information is low-hanging fruit for easy pickings. It is also sitting out there unprotected in every vehicle traded in or sold, as most vehicles have no technical mechanism to wipe this data. If nothing else, contact lists are extremely valuable to initiate spear-phishing attacks: spoofing an executive’s email or text-messaging address to send virus-laden payloads to trusted advisors such as lawyers, doctors, accountants and financial services professionals.

Moreover, to the extent the company is obligated to preserve and collect this data for electronic discovery, is that data source contemplated by your internal electronic discovery protocols? As with anything else, such devices may be the bane or panacea, depending on your particular circumstances. Text messages deleted from a device may be recovered from the car to save the company from a spoliation sanction. On the flip side, a savvy opposing counsel may make a credible argument that the data should have been collected for preservation before the executive traded in the car.

As with everything else with technology, these concepts may take some time to seep into the consciousness of the legal profession. Nevertheless, forward thinking lawyers and technologists have another dimension to track when mapping out data sources for investigations and discovery. Similarly, Information Governance professionals must consider the retention, disposition, security and privacy impacts presented by vehicle infotainment systems bridged to corporate information systems via mobile devices.