On Fox’s Above the Fold blog, associate Eric Bevan interviewed Brian Tu, an experienced digital media industry leader. We invite you to read his insights on trends in privacy and technology as they relate to online advertising.
Digital copiers pose many of the same cybersecurity risks associated with computers. This is so because they’re also computers. Data thieves know that office copiers run on “smart” technology with hard drives that store information about printed, copied and scanned documents – a potential trove of sensitive data.
What steps should businesses take to protect the data across a copier’s lifecycle?
The Federal Trade Commission provides guidance online in Digital Copier Data Security: A Guide for Businesses. The guide walks through integrating a copier into your company’s information security policies and offers best practices at every stage, from printing to securing the hard drive after the device has run its course.
Manufacturers can also tell you about the security features of their copiers, which may include:
- Encryption software that scrambles hard drive data, making it difficult to extract
- Overwriting functionality that digitally changes data values so files can’t be reconstructed
- Locking a hard drive via passcode
The FTC’s point is clear: businesses of all kinds are legally responsible for the information stored on digital copiers. In fact, institutions handling personal financial or health care information are required to have security plans for the information processed on digital copiers.
Facebook has failed to prevent its feud with an Austrian privacy activist over the legality of two widely used mechanisms for transferring data between the European Union and the U.S. from reaching the EU Court of Justice.
In a May 2nd ruling, the Irish High Court sided with activist Max Schrems and the Irish Data Protection Commissioner, rejecting Facebook’s request to stay the court’s October 2017 referral of the case to the EU Court of Justice to give the company time to appeal the referral to the Irish Supreme Court.
The decision carries with it potential consequences for thousands of international companies that use model contracts and Privacy Shield for transatlantic data transfers.
Schrems filed a grievance over Facebook’s use of model contracts with the Irish Data Commissioner in 2015, saying that Facebook failed to protect EU citizens’ data from the prying eyes of U.S. law enforcement and intelligence agencies.
The Data Commissioner referred the case to the Irish High Court in May 2016 after determining the complaint was “well founded.” The Irish High Court expanded the scope to include Privacy Shield in its 2017 decision to refer the matter to the EU Court of Justice.
In 2015, the EU Court of Justice invalidated the Safe Harbor accord, then a widely used mechanism for transferring data between the EU and U.S., ruling it failed to adequately protect the privacy of EU citizens. Privacy Shield was created to replace Safe Harbor. Details via Reuters, Fortune and Bloomberg.
Data-rich companies like Facebook have a unique opportunity to capitalize on the recent surge in regulatory scrutiny and turn it to their advantage.
Savvy tech companies are attuned to public opinion and won’t allow others to control the narrative. They are already taking steps to regain the upper hand in the privacy debate.
Facebook demonstrated this during Senate hearings on the Cambridge Analytica “data breach” by announcing it would upgrade privacy features and offer its users protections that mirror those in the EU’s strict General Data Protection Regulation (GDPR). Facebook has also gone out of its way to publicize its efforts to comply with GDPR. Messaging service WhatsApp, too, recently touted its decision to set a minimum age of 16 for EU users.
Some of the major tech companies – Facebook, Google and Apple – could actually benefit from increased data privacy and security regulation if they take the initiative. They have the resources to impose strict compliance requirements on smaller third-party players such as application developers and vendors in the tech ecosystem, portraying themselves as trusted custodians of consumer data.
To gain the advantage, they will need to be proactive because regulators are not sitting back.
Officials at all levels of government are clamoring to get a piece of the data privacy enforcement pie. The SEC recently imposed a first-of-its-kind $35 million fine on Altaba Inc., formerly Yahoo, for failing to disclose a major data breach. The FTC struck a first-of-its-type 20-year consent decree that requires Uber Technologies Inc. to report any future data breach regardless of whether it involves harm to consumers. States are also getting into the act. Arizona and Delaware recently joined the list of states that have toughened their breach notification laws, while attorneys general have stepped up enforcement activities in Massachusetts (Equifax), New York (Facebook), Pennsylvania (Uber) and other states.
Data is the new currency. As a result, antitrust regulators have stepped up scrutiny of M&A deals in relation to the aggregation and control of data. This has already affected proposed deals. The EU halted Apple’s proposed acquisition of Shazam over possible adverse effects on other music streaming services.
In this climate, it is no time for major tech companies to lie low. The smarter path – the one that will allow them to regain the initiative – is taking proactive steps to address privacy and data security concerns before regulators do it for them.
In a daylong Privacy Summit at Citizens Bank Park in Philadelphia, the co-chairs of Fox Rothschild’s Privacy & Data Security practice group led a series of panel discussions with leading cybersecurity professionals and government officials.
Fox partner Elizabeth Litten, who serves as Fox Rothschild’s HIPAA Privacy & Security Officer, and partner Mark McCreary, the firm’s Chief Privacy Officer, moderated a two-part panel series examining cyber risk management for protecting company data. The first segment, “Looking Inward: Risk Management Part I,” focused on the best internal company practices, policies and training to combat cyber threats and protect valuable data. “Beyond Company Walls: Risk Management Part II” examined the ways businesses should approach vendor management and cyber insurance to further secure and safeguard their data assets.
Litigation partner Scott Vernick moderated the panel “Current State of Affairs in Regulation & Enforcement.” Discussion highlighted the domestic and international data privacy and security obligations relevant to U.S. businesses.
The summit closed with a thought-provoking keynote address from Eric O’Neill, a former FBI counterintelligence operative who helped apprehend Robert Phillip Hanssen – one of the most notorious spies in U.S. history – who provided memorable insights about corporate diligence and defense.
In the fourth quarter of 2017, we spearheaded a sweeping, cross-industry survey of chief executives to gauge corporate cybersecurity preparedness. The results revealed important organizational issues.
The survey showed C-suite corporate leaders know their companies’ data is at risk but are not taking adequate measures to protect that data.
- Awareness: More than half of C-level officers recognized their companies were at high or very high risk of a data breach. Three quarters said they had been hit recently by phishing attacks.
- Inaction: Despite that, 53 percent of executives admitted their cybersecurity and data privacy budgets are insufficient to respond to a breach. Nearly a third don’t train all their employees on data breach prevention, a basic component of cybersecurity.
“Cyberattacks are growing in frequency and severity,” said Mark McCreary, Fox’s Chief Privacy Officer and co-chair of its Privacy and Data Security Practice. “Companies should take steps to manage that risk and prevent breaches, but it requires a clear-eyed, systematic approach.”
Survey findings offer big-picture takeaways to bolster a company’s approach to cyber threats and their prevention. The report examines five key areas of cybersecurity readiness:
- Breach response plans
- Budget priorities
- Cyber liability policies
- Determining risk severity
- Training effectiveness
How does your organization compare? Read the full report.
The European General Data Protection Regulation (GDPR) comes into force on May 25, 2018. This gives companies only two months to prepare for and comply with the GDPR. Companies should be conducting data mapping to identify all cross-border transfers of personal data so that they can determine the best way to comply with the GDPR requirements.
The GDPR has been, perhaps, the most widely talked about privacy regulation for the past year and a half since it was approved by the EU Parliament on April 14, 2016, because of the sweeping changes it will bring to how the global digital economy operates with regard to processing personal data. GDPR will apply to all EU-based companies, irrespective of whether personal data is processed inside or outside of the EU. The GDPR will also apply to companies outside the EU that offer goods or services to individuals in the EU and/or that monitor or track the online behavior or activities of individuals in the EU.
Any transfer of personal data to a third country can take place only if certain conditions are met by the data exporter and the data importer. If a company is transferring EU personal data outside of the EU, that company must identify a valid transfer mechanism to legally transfer that personal data. The most widely used transfer mechanisms are: (1) transfers within the EU and adequacy rulings; (2) appropriate safeguards; and (3) derogations.
Transfers Within the EU and Adequacy Rulings
Under GDPR, personal data can be moved between EU member states (and Norway, Liechtenstein, and Iceland) without restriction.
Cross-border transfers may also take place without a need to obtain further authorization if the European Commission determines that the third country’s body of national law ensures an adequate level of protection for personal data. The European Commission considers several factors when determining if the country has an adequate level of protection, including the specific processing activities, access to justice, international human rights norms, the general and sectoral law of the country, legislation concerning public security, defense and national security, public order and criminal law.
In the absence of an adequacy determination, cross-border personal data transfers are permitted if the controller and processor use EU-approved safeguards. The most widely used transfer mechanisms are binding corporate rules, model contractual clauses, and certification mechanisms (e.g. Privacy Shield).
Binding corporate rules (BCRs) are internal codes of conduct adopted by multinational companies to allow transfers between different branches of the organization. BCRs are a favored mechanism because of their flexibility, ability for tailored customization, and a lower administrative burden once implemented.
Model contractual clauses are legal terms contained in a template data processing agreement drafted and ratified by the EU. Model contractual clauses can be burdensome because companies are required to enter new model contractual clauses to cover each new third party and each new purpose for processing or transfer.
Because the European Commission does not recognize the U.S. as an adequate third country, U.S. companies can comply by certifying under the EU-U.S. Privacy Shield that they meet the high data protection standards set out in the Privacy Shield. The Privacy Shield remains subject to the same criticism that ultimately resulted in the downfall of its predecessor (Safe Harbor), that it does not fully protect the fundamental rights of individuals provided under EU privacy laws.
In the absence of either an adequacy decision or the implementation of an appropriate safeguard, a cross-border transfer can still take place in limited circumstances, where an exception applies. These circumstances include situations where the individual explicitly consents after having been informed of the risks of a data transfer in the absence of an adequacy decision and appropriate safeguards, where the transfer is necessary for the performance of a contract between the parties, or where the transfer is necessary for important reasons of public interest. The permitted derogations are fact-specific and are generally not intended to be relied upon as a company’s primary transfer mechanism.
Guidance for GDPR Compliance
Transferring personal data out of the EU without a valid transfer mechanism can result in significant fines and increased regulatory oversight. Beginning on May 26, 2018, compliance with the GDPR will be essential for companies engaging in cross-border transfers of personal data.
To comply with the GDPR, companies should first identify and map all cross-border data flows. Companies should then examine and assess for each of these flows whether the receiving country is in the EU (and Norway, Liechtenstein and Iceland) or is otherwise deemed adequate. If not, the company should consider whether any appropriate safeguards have been put in place, and/or whether any specific derogations apply.
Recent news that Facebook has suspended research firm Cambridge Analytica for improperly collecting users’ personal data without their knowledge may not constitute a classic “data breach,” but it poses real risks for the popular social media platform.
Fox Rothschild Partner Scott Vernick, founder of the firm’s Privacy & Data Security Practice, discussed the implications for Facebook, and the next steps the company should take, in an interview with the TD Ameritrade Network.
“Consumers do select companies and want to do business with companies that have control over their data and that can secure their data,” Scott said. “In turn, if you lose consumer confidence, you lose advertiser confidence, so that is the challenge for Facebook.”
Roger Severino, director of the Department of Health and Human Services’ Office of Civil Rights, told HIMSS18 conference attendees this week that he plans no slowdown in HIPAA enforcement.
“I come from the Department of Justice Office for Civil Rights; I bring that mindset to OCR. We’re still looking for big, juicy egregious cases” for enforcement, Severino said, according to this report in Data Breach Today. That doesn’t mean smaller companies should assume they are off the radar, he added.
He said 2017 was OCR’s second biggest year for HIPAA settlements with $19.4 million collected, second only to 2016 in which OCR collected nearly $25 million.
The National Restaurant Association released a must-read guide for restaurant operators on how to increase their cybersecurity efforts.
Franchising, Licensing & Distribution partner Eleanor Vaida Gerhards explains on the Franchise Law Update blog how the guide takes the cybersecurity framework prepared by the National Institute of Standards and Technology and adapts it for use in the restaurant hospitality industry.
Because restaurants have to handle the personal information of their customers, they’re constantly at risk for data compromises that carry heavy fines.
Even the most cyber savvy restaurant systems should find the guide full of useful information. Access the guide and read Eleanor’s full post here.