Privacy Compliance & Data Security - A Fox Rothschild Blog

“Whenever we make a call, go to work, search the web, pay with our credit card, we generate data. While de-identification might have worked in the past, it doesn’t really scale to the type of large-scale datasets being collected today.”

It turns out that ” four random points (i.e. time and location where a person has been) are enough to uniquely identify someone 95 percent of the time in a dataset with 1.5 million individuals…”

All these results lead to the conclusion that an efficient enough, yet general, anonymization method is extremely unlikely to exist for high-dimensional data — say Y.A. de Montjoye and A. Gadotti.

They suggest we need to “move beyond de-identification and start using modern solutions to unlock the huge potential of data for social good and economic development. Else, we risk being stuck in the false dichotomy that we have either innovation or privacy.”

Read the full interview in LINC.

shutterstock_690300811

The U.S. Federal Trade Commission (FTC) has entered into a settlement agreement with a company that claims on its website that it is EU U.S. Privacy Shield certified, when in fact, it had only started the process and stopped midway.

The FTC also sent warning letters to:

  • 13 companies that falsely claimed they participate in the U.S.-EU Safe Harbor and the U.S.-Swiss Safe Harbor frameworks, which were invalidated in 2015 and replaced in 2016 by the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield frameworks, respectively.
  • Two  companies that falsely claimed that they are participants in the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) system even though they are not certified participants.

Read the full FTC complaint.

shutterstock_139554221

A New York Times review of 150 website privacy notices argues there is still work to be done to make privacy disclosures say what the law requires and be an effective tool for the user.

“The vast majority of…privacy policies exceed college reading level… That means a significant chunk of the data collection economy is based on consenting to complicated documents that many Americans can’t understand.”

“Despite efforts like the General Data Protection Regulation to make policies more accessible, there seems to be an intractable tradeoff between a policy’s readability and length. Even policies that are shorter and easier to read can be impenetrable, given the amount of background knowledge required to understand how things like cookies and IP addresses play a role in data collection.”

“As data collection practices become more sophisticated (and invasive), it’s unlikely that privacy policies will become any easier to comprehend. And if states continue to draft their own data protection laws, as California is doing with its Consumer Privacy Act, privacy policies could balloon with location-specific addendums.”

Details from The New York Times.

The Swedish Data Protection Authority has initiated an inquiry into how song streaming provider Spotify handles data access requests.

The questions posed in the inquiry can be useful to companies in structuring their procedures for responding to access requests under the General Data Protection Regulation and/or the California Consumer Privacy Act (especially re: profiling and encrypted data):

  • What information is provided and how (e.g. online, in the copy of personal data or otherwise)?
  • If only provided on the web, how do you see that the data subject receives the information? (e.g. information box, popup window, link etc.)
  • Do you exclude certain categories of personal information from the copy provided? Under what exemption?
  • If you analyze data on user behavior in the service, through so-called profiling, e.g. song selection, interrupted songs etc., how does this data appear from the copy of personal data?
  • How do you ensure that all information provided is given in a concise, clear, understandable and easily accessible form?
  • Are you leaving out encrypted personal data and if so, which, and do you attach a translation key or secure it in another way that the data subject can receive the information?

Details from the Swedish DPA.

Privacy Compliance & Data Security - A Fox Rothschild Blog

The Federal Trade Commission (FTC) has entered into a settlement with a provider of management software for car dealerships that held personal information, including SSN’s and payroll information, in cleartext, holding its practices to be in violation of the FTC Act’s prohibition against unfair practices and GLBA’s Safeguards Rule, which requires financial institutions to develop, implement and maintain a comprehensive information security program.

The settlement requires the provider to implement a written information security plan, procure third party assessment and engage in periodic reporting to the FTC.

Takeaways:

  • Never store or transmit sensitive personal information in cleartext, period.
  • Implement appropriate access controls and authentication procedures.
  • Ensure that a connection of a storage device to backup is securely configured.
  • Perform periodic vulnerability scanning, penetration testing or other measures designed to detect vulnerabilities.
  • Develop implement and maintaining a written information security policy and training for employees.

Read the full complaint.

EU Flag

Red Card! The Spanish Data Protection Authority has issued LaLiga a 250,000 EUR fine for using its mobile app to detect bars illegally broadcasting soccer matches, without duly disclosing this data processing activity in violation of GDPR.

When installing the application and receiving user approval, LaLiga remotely activated the microphone of any user’s mobile phone in order to detect, through the analysis of ambient sound, whether the user is in a bar broadcasting the match without paying the required fee. It also collected exact location.

AEPD deemed an initial notice and consent insufficient. Instead, holding that LaLiga must notify the user every time it activates this data collection, for example, by means of an icon that indicates that the app has activated the microphone itself to track the ambient sound.

The user should also be able to revoke their consent each time. LaLiga was given a month to  to correct these deficiencies in the app. It has declared that it will appeal this decision. LaLiga contends that no personal data is processed, but rather just the sound signature of the broadcast.

Details from El Diario.

A Tennessee District Court recently ruled in Wachter Inc. v. Cabling Innovations, LLC, 3:18-cv-00488 (W.D. Tenn. May 7, 2019) that two former employees with permitted access to company computers were not liable under the Computer Fraud and Abuse Act (“CFAA”) for sharing their employer’s confidential information with a competitor.  Wachter adds to the split amongst the circuit courts as to when an employee has acted “without authorization” or “exceeded authorized access” under the CFAA.   In part, the CFAA prohibits “intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing] . . . information from any protected computer.” 18 U.S.C. § 1030(a)(5)(C).

Privacy Compliance & Data Security - A Fox Rothschild BlogIn Wachter, two former employees with access to company computers and computer systems allegedly obtained information for personal gain and for the benefit of Wachter’s competitor, Cabling Innovations, LLC.  The employees allegedly shared their employer’s confidential information and trade secrets without permission.

The Court in Wachter noted that the CFAA fails to define “without authorization” and acknowledged the split amongst the jurisdictions in interpreting the term.  Thereafter, and consistent with prior decisions from the Sixth Circuit, the Court narrowly interpreted the CFAA holding that there “cannot be a CFAA violation where an employee has lawful access to his computer.”  The Court’s holding continued that the “[CFAA] was not meant to cover the disloyal employee who walks off with confidential information. Rather, the statutory purpose is to punish trespassers and hackers.”  Lastly, Wachter stresses the need to construe the CFAA, a criminal statute, narrowly within the context of civil proceedings.

Cases from the Second, Fourth, and Ninth Circuits echo Wachter’s narrow and literal interpretation of the CFAA.  The Court of Appeals for the Fourth Circuit in WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (4th Cir. 2012) held that “an employee is authorized to access a computer when his employer approves or sanctions his admission to that computer.”  The Court in WEC stated that to exceed authorized access “refers to obtaining or altering information beyond the limits of the employee’s authorized access.  It does not address the use of information after access.”   In U.S. v. Nosal, 676 F.3d 854 (9th Cir. 2012), a former employee received confidential information from his still employeed and former assistance who had current log-in credentials.  Despite the assistant violating the employer’s disclosure policy, the Ninth Circuit held that such conduct was not “without authorization, or exceed[ing] authorized access” because the assistant “had permission to access the company database and obtain the information contained within.”

A number of jurisdictions have adopted an expansive view of the CFAA and recognized instances when an employee’s conduct went beyond authorized access.  The Court of Appeals for the Seventh Circuit held in Int’l Airport Ctrs., LLC, v. Citrin, 440 F.3d 418 (7th Cir. 2006) that a former employee’s authorized access terminated “when, having already engaged in misconduct and decided to quit…he resolved to destroy files that incriminated himself and other files that were also the property of his employer, in violation of the duty of loyalty that agency law imposes on an employee.”  Citrin continued that the “breach of [the employee’s] duty of loyalty terminated his agency relation…and with it his authority to access the laptop, because the only basis of his authority had been that relationship.”

Opinions from the Eleventh and Fifth Circuit have held that an employee who accesses information beyond the purposes of his granted authority exceeds his authorized access.  In U.S. v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010), the Court of Appeals for the Eleventh Circuit held that a former Social Security Administration (the “SSA”) employee violated the CFAA upon accessing personal records maintained by the SSA for non-business purposes.  The Court in Rodriguez ruled that “the plain language of the [CFAA] forecloses any argument that Rodriquez did not exceed his authorized access” when he accessed personal information that he was authorized to access only for business reasons.  Similarly, in U.S. v. John, 597 F.3d 263 (5th Cir. 2010), the Fifth Circuit Court of Appeals held that a former Citigroup employee exceeded her authorization when she shared personal customer information in violation of Citigroup’s policy prohibiting the misappropriation of confidential information contained on Citigroup’s computer systems.  The opinion in John offers guidance that “authorization access” as used in the CFAA, “may encompass limits placed on the use of information obtained by permitted access.”

The Supreme Court has yet to address to divergence amongst the circuit courts relating to the CFAA.  As such, and given the conflicting jurisdictional interpretations, it is important that businesses (i) clearly communicate access policies to their employees, (ii) review existing confidentiality and non-disclosure policies with both management and employees, and (iii) implement policies and procedures to quickly limit the access rights of terminated or otherwise restricted employees.

The U.S. Congress is considering increased enforcement powers for the Federal Trade Commission (FTC), reports Bloomberg’s Sara Merken

“House and Senate lawmakers are weighing whether to give the FTC broad or targeted new rulemaking authority, and more resources, to enforce privacy and data security obligations. They also are discussing whether federal legislation should override state privacy laws, including California’s sweeping privacy law, the California Consumer Protection Act, taking effect in January”

“U.S. Rep. Jan Schakowsky (D-Ill.) said she would propose creating a division within the Federal Trade Commission to police data privacy, rather than establishing a separate agency. She said she would push to ‘beef up’ the FTC in legislation ‘to make sure there is real capacity and the resources to do that.’”

Details from Bloomberg Law.

U.S. Capitol Building, Washington, D.C.

To sue or not to sue (for privacy violations), that is the question.

“Lawmakers negotiating a national privacy bill are clashing over whether to allow consumers to sue companies … over privacy violations — in what’s shaping up to be another potential roadblock to bipartisan legislation. Republicans and Democrats are split over whether to include a so-called private right of action, which would create a legal mechanism for individuals to take companies to court for violating a future privacy law.”

“Democrats are pushing for the provision, widely backed by privacy advocates, as a way to increase corporate liability for Silicon Valley firms … Many Republicans, however, criticize the idea, saying it will hurt small businesses and cause frivolous litigation. The tech industry is also opposed.”

“GOP members prefer to focus on things like expanding the Federal Trade Commission and giving it limited rulemaking authority — which shows more promise as an area of consensus with Democrats. But some Republicans haven’t shut the door entirely on a private right of action.”

Details from Politico.

GDPR Lock EU
When dealing with data subject access requests (DSAR) under GDPR:
  1. Take your time and think about the response.
  2. Document and audit your response process.

These are the key takeaways from a panel at the recent International Association of Privacy Professionals privacy summit in Washington DC.

Take the time and communicate:
  • Reading over the inquiries thoroughly is important in determining whether the information falls within the scope of the request.
  • Engage with the data subject and show that you have a process in place.
  • Sending a receipt that says you received the request and shows you have a good process in place. It will be better received than silence up until day 29 or 30 and then blasting a subject with only part of the information.
Keep track and audit:
  • Keep track of your DSAR processes.
  • Be able to show regulators all of the requests you have been able to fulfill in the event even one is not properly executed.

Details from the IAPP.