Tag Archives: Data Security

Three Lessons from the Federal Trade Commission’s LabMD decision

Everett Monroe
August 10, 2016

The Federal Trade Commission (FTC) has made good data security practices a focus of its mission in recent years. It has issued guidance, held workshops, and brought enforcement actions against businesses that fail to implement common sense measures to protect their data. The Third Circuit’s opinion in Wyndham v. FTC acknowledged the Commission’s authority to hold companies accountable for claiming to have better data security than they do. Now, the Federal Trade Commission’s opinion and order In the Matter of LabMD, Inc. makes clear that good security practices are a must, regardless of the claims a business makes to consumers.

The unanimous opinion by the Commission includes a long list of LabMD’s data security failures, but it focuses on employees’ administrative access to the computers. This access allowed an employee to install peer-to-peer file sharing software and configure it so that it made patients’ sensitive medical data available outside the company. A security firm found the vulnerability, acquired some of the sensitive data, and then informed LabMD of the vulnerability in conjunction with an offer to provide security services. Here are three lessons that all businesses can glean from the FTC opinion.

President Obama Presents Cybersecurity Action Plan

Everett Monroe
February 9, 2016

Today President Obama unveiled his new Cybersecurity National Action Plan as part of his 2017 budget proposal to Congress. The Plan has a broad scope designed to address many of the cybersecurity issues that gained high visibility in 2015. In particular, the Plan focuses on issues with Federal cybersecurity infrastructure: modernizing antiquated software and systems vulnerable to cyber attacks, developing uniform cybersecurity practices, and developing best practices for Federal agencies to follow in managing both data security and data privacy.

A strong piece of the Plan involves the Commission on Enhancing National Cybersecurity, which the President established today by executive order. The President will appoint up to twelve people to the Commission, with recommendations from Congressional leadership. The Commission will issue a report before the end of the year making recommendations in a number of cybersecurity areas, including IT procurement and modernization practices, best practices for network security, and cybersecurity risk management for Federal agencies, as well as for businesses and consumers. The Plan also explains how the Commission’s recommendations will be implemented.


Congress Includes Measures to Ease Privacy Notice Requirements and Cyberthreat Sharing into Appropriations Bills

Everett Monroe
December 18, 2015

Congress has been busy passing last-minute appropriations bills before the year ends to fund the government through the end of the fiscal year and to plan long-term infrastructure spending. Congress has added some provisions to those bills that affect federal privacy and cybersecurity laws.


Defining the Limits of the Computer Fraud and Abuse Act: The Ninth Circuit’s Second Take on United States v. Nosal.

Everett Monroe
November 4, 2015

Is it a federal crime to use a co-worker’s password with permission in order to access information for an improper purpose? What about those who get usernames and passwords from unwitting victims in an email scam? What does it mean to have authority to access a computer system, and who can give that authority? Could Congress have anticipated these questions in 1986 when it passed the Computer Fraud and Abuse Act (“CFAA”)? A three-judge panel of the Ninth Circuit Court of Appeals wrestled with these questions recently as they tried to augur the limits of the CFAA during oral argument in United States v. Nosal.

The CFAA makes it a criminal offense to use a computer without authorized access or in a manner that exceeds authorized access. The Act also provides a civil right of action to hacking victims. The same prohibition applies to both criminal and civil causes of action, and requires proof that the alleged hacker either accessed the computer without authorization or exceeded the authorization he or she had.


Senate Passes Cybersecurity Information Sharing Act

Everett Monroe
October 30, 2015

On Tuesday, the United States Senate passed S. 754 – the Cybersecurity Information Sharing Act (“CISA”). CISA’s goal is to facilitate and improve the sharing of information about cybersecurity threats between private business and the federal government. While CISA will likely undergo some changes and still has some steps to overcome before it becomes law, Senate passage was a major hurdle. Bills similar to CISA have been pending before Congress since 2012 without success.

Under CISA, the federal government would set guidelines and procedures for receiving cyberthreat information from businesses and sharing cyberthreat information with businesses. The Department of Homeland Security would create a preferred process for businesses to use when sharing cyberthreat information.

Businesses would be given legal protections from anti-trust, trade secret, and some civil suits for cyberthreat information they share under the statute. Businesses and government entities would be required to remove unnecessary personal information before sharing it. Businesses would also be given immunity from suit for monitoring their computer networks for cybersecurity purposes, and would be authorized to deploy defensive measures.

CISA will now go to conference committee to be reconciled with HR 1560, which is a combination of two similar bills passed by the House of Representatives in April. A single form of the legislation will be agreed upon. Once passed, the resulting bill is expected to be signed by President Obama, consistent with the directives he announced at the Cybersecurity Summit at Stanford University on February 13, 2015, at which time he signed Executive Order No. 13691, entitled Promoting Private Sector Cybersecurity Information Sharing.

California Updates Its Data Privacy And Security Laws For 2016

Everett Monroe
October 20, 2015

The end of the first year of California’s legislative session brings several bills that modify California’s data privacy and security regime. A number of these bills expand California’s protections for personal information and will affect how California businesses and government agencies protect, use, and disclose the data they collect. The bills will go into effect January 1, 2016.

Three new laws modify California’s data breach notification statute:

AB 964 defines “encrypted” information as “rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.” The new law provides a definition of encryption similar to that used by HIPAA. Notification to consumers is not required if only encrypted data is breached.

SB 570 mandates that data breach notices sent to California residents have specific titles that appear clearly and conspicuously in the notice, and that the body of the notice be in no less than 10-point font. It also provides an optional model form.

SB 34 includes Automatic License Plate Reader (“ALPR”) data in the personal information definition of the data breach statute, which means that ALPR operators would have to provide notice to California residents if they experience a data breach. This law also requires ALPR system operators to publish a privacy policy.


European Court Of Justice Rules US-EU Safe Harbor Invalid

Everett Monroe
October 9, 2015

This week the European Court of Justice issued a judgment in the case of Maximillian Schrems v. Data Protection Commissioner finding that the US-EU Safe Harbor is invalid for failing to provide adequate limitations on data processing for national security purposes.

The US Department of Commerce and the European Commission negotiated the Safe Harbor framework to provide adequate privacy protections for the personal information of European data subjects transferred to businesses in the United States. US companies participating in the Safe Harbor self-certified to the Department of Commerce that they would abide by seven privacy principles: notice, choice, onward transfer, security, data integrity, access, and enforcement.

The decision from the European Court of Justice removes this protection for US businesses seeking to transfer data from European entities and individuals. The judgment also increases the obligations on national data protection authorities to more closely monitor the adequacy of data transfer mechanisms and to depend less on the European Commission’s authority. Businesses in the US participated in the Safe Harbor to get approval to transfer data out of Europe without seeking approval from each individual EU country. It removed the need to get 28 different approvals for Europe wide business transactions, and protected cloud service providers from being forced to maintain separate European servers. It eased the way for cooperation between US and EU businesses, and lowered barriers for data transfers between US companies and their European subsidiaries.

Responses from US regulatory authorities have been guarded. The Chairman of the Federal Trade Commission, the primary enforcement body for the Safe Harbor in the United States, issued a short statement that “we will continue to work together with our European colleagues to develop effective solutions that protect consumer privacy with respect to cross-border data transfers.” The Department of Commerce expressed deep disappointment in the decision and called for an expedited release of the Updated Safe Harbor Framework, noting that it is prepared to work with the Commission to address uncertainty created by the Court’s decision. Meanwhile, the Article 29 working group, a body made up of the national data protection authorities and representatives from EU governing institutions, announced a meeting this week to consider what guidance to provide European and United States organizations in the wake of the decision.


With data privacy, you better do what you say you are doing

Everett Monroe
September 28, 2015

Data privacy commitments are often enforced by administrative agencies under State and Federal Unfair Competition Laws. Enforcement actions against companies that fail to meet their commitments to consumers are a common occurrence.

Comcast’s recent $33,000,000 settlement with the California Attorney General is a good example of how state agencies will take administrative action against companies who tell customers one thing and then do something else. Between 2010 and 2012, Comcast mistakenly published the directory information of VoIP customers that had paid Comcast not to list them. The first cause of action in the complaint against Comcast was for a violation of California’s unfair competition law: Comcast broke its promise to its customers that it would not publish directory listing information.

The Federal Trade Commission often uses its enforcement authority over unfair and deceptive business practices to pursue companies that do not fulfill their privacy commitments. A recent example of this is the Commission’s complaint against Nomi Technologies. Nomi Technologies tracked mobile devices in participating retail locations, which could generate data on the duration and frequency of customers’ visits to the location and their shopping habits. The FTC’s complaint alleged that Nomi failed to meet two commitments: (1) that customers would be informed as to which retail locations used Nomi’s service, and (2) that customers would be able to opt out of the tracking at the participating retail locations. The FTC obtained a 20-year monitoring agreement over Nomi.

A recent FTC update shows a group of thirteen companies caught claiming that they were certified under the US-EU Safe Harbor in their privacy policies when, in fact, their certifications had lapsed or they were not certified at all. Another group of six companies faced similar charges in 2009.

Intentional wrongdoing is not the centerpiece of these charges. The Comcast complaint alleges that the disclosures were the result of a technical mistake, and the Nomi Complaint does not claim that the company was intentionally deceiving consumers. Regardless, these agencies have made it clear that companies will be held responsible for failing to keep commitments they make to the public.

US/EU “Safe Harbor” Agreement Ruled Invalid By EU Judge

William Kellermann
September 23, 2015

In an influential opinion published September 23, 2015, European Court of Justice (ECJ) Advocate General Yves Bot recommended the ECJ find the US/EU “Safe Harbor” Agreement invalid. The 40-page ruling provides a preliminary victory for Austrian law student and privacy advocate Maximillian Schrems, but stands to cast the data transfer practices of many companies into turmoil.

The case stems from Schrems’ crusade against the data privacy and data transfer practices of Facebook in light of Edward Snowden’s revelations about the US National Security Agency’s Prism data surveillance program. Schrems sued Facebook in Ireland, where it locates its servers for services to its EU user base. The High Court of Ireland referred the matter to the ECJ for a preliminary ruling.

While Bot’s ruling is preliminary, subject to confirmation by the ECJ, and would only be directly binding as to Facebook, the recommendations found in Bot’s opinion upend many commercial practices regarding data transfer from the EU to US-based servers. While the NSA’s Prism program targeted the data transfers of nine internet companies, such as Microsoft, Google, Apple, and Facebook, the unraveling of the Safe Harbor agreement could have far-reaching effects on any company with EU operations sending data about EU citizens, including employees, to the US.

The case is Maximillian Schrems v Data Protection Commissioner, Case C-362/14, pending in Luxembourg.

Third Circuit Affirms FTC Authority to Regulate Cybersecurity

Batya Forsyth and William Kellermann
September 2, 2015

If it wasn’t clear before, data breaches are now a federal affair, in addition to falling under various statutes and regulations in 47 states. Since 2000, the Federal Trade Commission (FTC) has been the self-styled “primary federal data security regulator” in the United States. Beginning in 2005, the FTC instituted numerous data security enforcement actions, primarily under authority found in Section 5 of the Federal Trade Commission Act. Yet nowhere in the Act are there explicit references to “data privacy,” “data security” or the more modern moniker, “cybersecurity.”

Until recently, targets of FTC investigations or enforcement actions arising from data breaches have chosen administrative settlements rather than fight. That changed as a result of the Wyndham Worldwide hotel chain data breaches and Wyndham’s subsequent resistance to FTC enforcement. Under the recent ruling in Federal Trade Commission v. Wyndham Worldwide Corporation, et al., __ F.3d __, 2015 WL 4998121 (3d Cir. Aug. 24, 2015), FTC regulatory authority appears to be on solid ground.

Section 5 of the FTC Act grants the FTC broad authority to prevent the use of unfair and deceptive trade practices. 15 U.S.C. § 45(a)(1) and (2). While banks, savings and loans, federal credit unions and transportation companies are exempt, 15 U.S.C. § 45(a)(2), the Act otherwise casts a broad net across industries.

Wyndham Worldwide owns or operates a hotel chain and provides centralized IT services to franchises, as well as its own properties. The FTC enforcement action stemmed from a series of data breaches that gave hackers access to payment card information for more than 619,000 customers. The hacks later gave rise to more than $10.6 million in fraudulent charges.

The FTC brought its action against Wyndham in the United States District Court for the District of New Jersey alleging the company’s data security practices were an “unfair practice” and that its privacy policy was “deceptive” under section 5 of the Act. The FTC complaint alleged Wyndham misrepresented the security measures it took to protect customer personal information, and that Wyndham’s cybersecurity efforts were unfair in the face of the FTC’s published security guidance. The District Court denied Wyndham’s motion to dismiss, finding the FTC had the authority to regulate data security practices. Notably, the Court further found the FTC did not have to issue formal regulations before bringing enforcement actions. The Third Circuit certified two issues for interlocutory appeal:

  1. Whether the FTC has authority to regulate cybersecurity under the unfairness prong of 15 U.S.C. § 45(a); and,
  2. Assuming such regulatory authority, whether Wyndham had fair notice its specific cybersecurity practices could fall short of the statutory requirement.

The Third Circuit affirmed the District Court, finding ample authority for the FTC to regulate cybersecurity under the Act, as well as clear guidance, from the Act, the FTC’s regulatory enforcement history and its published guidance, as to acceptable conduct in setting cybersecurity policies and practices.

While the FTC Act grants the FTC both rulemaking and enforcement authority under Section 5, the FTC has not enacted formal rules or regulations that apply to data security requirements. As set forth in the Wyndham Worldwide order, companies must rely on FTC publications, data security complaints and consent decrees to determine if their data security programs comply with FTC standards. To that end, the FTC published Protecting Personal Information: A Guide for Business, which sets forth five principles on which a company must base its data security practices:

    • Be aware of all the personal information collected, retained and shared.
    • Keep only personal information required for legitimate business operations.
    • Use physical and electronic security to protect the information an organization retains.
    • Properly dispose of personal information as soon as it is no longer necessary for business operations.
    • Have a plan to respond to security incidents.

The FTC is seen as having a central role in protecting consumers. However, just as the FTC Act is silent on the topic of data security, nothing in 15 U.S.C. § 45(a) limits the FTC’s authority to “consumer” data per se. The Act empowers the Commission to address “unfair or deceptive acts or practices in or affecting commerce.” That broad mandate, coupled with the guidelines established by the Commission and the holding in the Wyndham opinion strongly suggests all companies must now address their cybersecurity policies and practices. Companies must ensure the policies and practices meet the guidelines set by the FTC, at least with respect to the personally identifiable information (PII) of employees, contractors and business partners that finds its way onto company systems.

The first four bullets of the FTC Guidelines are essential elements of an Information Governance (IG) program. One could argue after the Wyndham opinion that the failure to institute an information governance program puts an enterprise squarely in the sights of a costly and time-consuming FTC enforcement action in the event of a data breach. Conversely, implementing an IG program, coupled with a well-crafted cyber incident response plan, will help a company stave off or mitigate the effects of FTC scrutiny. Moreover, an IG program comes with the added benefits of reduced cost and risk associated with data storage, as well as reduced cost whenever a company must respond to compliance or other investigations or to parties in litigation. If your company has not considered an Information Governance program before now, perhaps now is the time. Moreover, outside counsel are essential members of an incident response team, providing legal risk analysis, representation and the umbrella of privilege for communications.