Electronic Data Security

Data privacy bills are pending in at least eight states, reports Sara Merken at Bloomberg Law.

State lawmakers are aiming to give citizens more control over their personal data. Some of the bills largely follow the lead of California, whose Consumer Privacy Act takes effect Jan. 1, 2020. Others are more narrowly focused on specific business practices.

Some highlights:

  • In North Dakota – a bill would require companies to provide to consumers, upon request, information about the types of personal information the companies collect and possess
  • In New York – one bill addresses biometric privacy and another would govern businesses’ collection and disclosure of personal information
  • In Utah – a bill would require law enforcement to get a warrant from a judge to access electronic information
  • In Washington state – a bill would allow consumers to ask companies for a copy of their personal data and to delete or correct inaccurate data and would also regulate facial recognition technology

Details in Bloomberg Law.

Data rights > data ownership?

That’s the position taken by Privacy International in its response to the recent editorial by the artist will.i.am in The Economist, which called for tech giants to pay individuals for their data:

  • Data rights offer a system of control and protection that is much more comprehensive than ownership, and these rights continue to exist even after you share your data with others. They apply to data that others collect about you with or without your knowledge and they also apply to the insights and conclusions that they make about you.
  • Existing data protection laws, like the EU General Data Protection Regulation (GDPR) put a strong data rights system in place. Now is the time to focus efforts on making it easy to use and widely adopted.
  • As powerful as data rights are, they are not a silver bullet. Market dominance and other distortions are a growing concern which should be addressed as well.

Read Privacy International’s Full Argument.

In the age of digitization, personal information your business holds about your customers (or your customers’ customers) has become a strategic enterprise asset and should be treated as such.

Privacy considerations should be incorporated into your go-to-market strategies.

Gartner offers some tips:

  • Customer-facing policies and communications should clearly explain what information is collected and why, as well as any applicable customer rights.
  • Policies should be readily accessible and understandable for customers, and reinforced internally.
  • Managers and senior leaders should echo the standards in small team discussions, all-company meetings and other forms of messaging.
  • There should be a coherent approach to working with third parties. Codify what third parties can and can’t do with user data, and define consequences for failure to comply. Make sure to follow through and monitor compliance.
  • Compare your customers’ privacy appetite to your organization’s overall risk appetite — and be prepared to manage any gaps between the two.

Details from the International Association of Privacy Professionals.

Enforcement is increasing under the EU-US Privacy Shield Framework for cross-border transfers of personal data. A report published by the European regulator, the European Data Protection Board (EDPB), lists enforcement initiatives by the Department of Commerce (DoC) and the FTC.

  • On a quarterly basis the DoC conducts “false claims reviews” to identify organizations that have started but not finished an initial certification or re-certification, or that did not submit their annual recertification.
  • The DoC performs random web searches for false claims of participation in the program.
  • The DoC performed a sweep of 100 randomly chosen organizations.
  • The DoC designated a person to follow the media and to do keyword searches to identify possible breaches of the Privacy Shield commitment.
  • The DoC performs regular checks for broken links to the privacy policy on the Privacy Shield list.
  • This year the FTC brought 5 new Privacy Shield cases.
  • The FTC investigates Privacy Shield-related referrals (approximately 100).
  • The FTC started to send Civil Investigative Demands (CIDs) proactively to monitor compliance with the Privacy Shield principles.

Details in the Second Annual Joint Review.

Japan is the latest country to be recognized by the European Union as providing adequate data protection. The decision is one of mutual adequacy and creates the world’s largest area of safe data flows.

Per European commissioner Vera Jourova: “Europeans’ data will benefit from high privacy standards when their data is transferred to Japan. Our companies will also benefit from a privileged access to a 127 million consumers’ market.”

Before the adoption of the decision, Japan implemented additional safeguards to guarantee that data transferred from the EU enjoy protection in line with European standards. This included:

  • a set of supplementary rules to bridge differences between the two data protection systems (specifically regarding sensitive data, the exercise of individual rights and cross-border data transfers);
  • assurances from the Japanese government that the access of Japanese public authorities to personal data for criminal law enforcement and national security purposes would be limited to what is necessary and proportionate;
  • a complaint handling mechanism to investigate and resolve complaints from Europeans regarding access to their data.

Details from the International Association of Privacy Professionals.


2019 presents businesses with new cybersecurity and privacy challenges: rapid advances in technology, sophisticated new cyberattacks and stricter privacy regulations here and around the world, just to name a few. Businesses that fail to plan risk significant financial and reputational damage.

Those at the front of the fight, but out of the headlines, will:

  • Afford users and consumers true “data self-determination” and transparent control over data while providing a frictionless digital experience.
  • Master what data they collect, who has access to it and how long they have it: “Cradle-to-grave” control over data will win the day.
  • Master baseline data privacy and security, whether defined by statutory schemes, best practices or voluntary industry standards.
  • Remain battle-ready for the critical infrastructure breach (financial, utility and/or transportation).
  • Deploy robust methods to repel the email compromise.
  • Implement tested response plans for digital deep fakes (false video and audio recordings) and other disinformation campaigns.
  • Master vendor and supply chain data security.

The American Bar Association is holding its upcoming 2018 Business Law Section Annual Meeting at the Austin Convention Center in Austin, TX, from September 13 to 15.

Fox partner Matt Kittay will moderate a panel entitled “Lawyer Ethical Issues in M&A Technology,” featuring Haley Altman of Doxly, Steve Obenski of Kira Systems, and James Walker of Richards Kibbe & Orbe. The group will discuss ethical issues facing lawyers who use both emerging and globally accepted technology platforms to execute M&A and private equity transactions. The panel will take place on Friday, September 14 from 3:30 PM to 5:00 PM at the Technology in M&A Subcommittee Meeting of the Mergers & Acquisitions Committee. The Fairmont Hotel, connected to the Convention Center, will host the panel.

For more information and to register to attend the section’s Annual Meeting, please visit the ABA website.

Data-rich companies like Facebook have a unique opportunity to capitalize on the recent surge in regulatory scrutiny and turn it to their advantage.

Savvy tech companies are attuned to public opinion and won’t allow others to control the narrative. They are already taking steps to regain the upper hand in the privacy debate.

Facebook demonstrated this during Senate hearings on the Cambridge Analytica “data breach” by announcing it would upgrade privacy features and offer its users protections that mirror those in the EU’s strict General Data Protection Regulation (GDPR). Facebook has also gone out of its way to publicize its efforts to comply with GDPR. Messaging service WhatsApp, too, recently touted its decision to set a minimum age of 16 for EU users.

Some of the major tech companies – Facebook, Google and Apple – could actually benefit from increased data privacy and security regulation if they take the initiative. They have the resources to impose strict compliance requirements on smaller third-party players such as application developers and vendors in the tech ecosystem, portraying themselves as trusted custodians of consumer data.

To gain the advantage, they will need to be proactive because regulators are not sitting back.

Officials at all levels of government are clamoring to get a piece of the data privacy enforcement pie. The SEC recently imposed a first-of-its-kind $35 million fine on Altaba Inc., formerly Yahoo, for failing to disclose a major data breach. The FTC struck a first-of-its-type 20-year consent decree that requires Uber Technologies Inc. to report any future data breach regardless of whether it involves harm to consumers. States are also getting into the act. Arizona and Delaware recently joined the list of states that have toughened their breach notification laws, while attorneys general have stepped up enforcement activities in Massachusetts (Equifax), New York (Facebook), Pennsylvania (Uber) and other states.

Data is the new currency. As a result, antitrust regulators have stepped up scrutiny of M&A deals in relation to the aggregation and control of data. This has already affected proposed deals. The EU halted Apple’s proposed acquisition of Shazam over possible adverse effects on other music streaming services.

In this climate, it is no time for major tech companies to lay low. The smarter path – the one that will allow them to regain the initiative – is taking proactive steps to address privacy and data security concerns before regulators do it for them.

With the European Union’s new General Data Protection Regulation (or GDPR) taking effect in less than 100 days, the interest of many U.S. companies has been piqued as to how the GDPR may affect their overseas and internet-based businesses. This article on CFO.com, “Why GDPR Matters,” which I co-authored with Bill Shipp from Vaxient, LLC and Jonathan Marks, CPA from Marcum, LLP, tackles this hot issue and answers why GDPR should matter to U.S. companies in a wide variety of industries.

To assist U.S.-based companies in determining how GDPR may affect their business, Fox Rothschild has also developed a GDPR mobile app called “GDPR Check” (details and download information here). The app is designed to help companies determine which areas of their business (if any) may require GDPR compliance.

If you have any questions about how GDPR may affect your company, we encourage you to consult a knowledgeable attorney and experienced professionals.

Shata Stucky writes:

The United States National Institute of Standards and Technology (NIST) has issued new guidelines for creating secure passwords. NIST guidelines, which are directed to “federal government systems,” often become best practice recommendations across the security industry.

The new guidelines are a significant break from previous rules. Security experts previously recommended frequent password changes and using a mixture of uppercase letters, symbols, and numbers. The NIST guidelines acknowledge that users often work around these types of restrictions in a way that is counterproductive. The most effective passwords are those that are easy for the user to remember, so that it is less likely they will be written down or stored electronically in an unsafe manner.

Accordingly, NIST recommends dropping complexity requirements and requirements for frequent password changes. Instead, organizations should emphasize password length: passwords should be at least 8 characters in length, and users should be allowed a maximum length of at least 64 characters.

Additional recommendations can be found in the NIST guidelines, accessible on the NIST’s website.
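To make the contrast concrete, here is an added example (not code from the post or from NIST) that places an old-style composition policy beside a length-based check in the spirit of the guidelines summarized above. It goes slightly beyond the post in two places, both marked in the code: it normalizes Unicode input and screens against a small constructed blocklist of common passwords, which are further NIST SP 800-63B recommendations not covered in the summary.

```python
import unicodedata

# Length bounds the post cites: at least 8 characters, and a cap no lower than 64.
MIN_LEN = 8
MAX_LEN = 64

# Constructed, tiny blocklist. Screening against commonly used or breached values is a
# further NIST SP 800-63B recommendation not summarized in the post (an assumption here).
COMMON_PASSWORDS = {"password", "12345678", "qwerty123", "letmein1"}


def check_password_legacy(pw: str) -> list[str]:
    """Old composition policy the post says NIST now advises dropping.

    Returns a list of violations; an empty list means the password is accepted."""
    problems = []
    if len(pw) < MIN_LEN:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(not c.isalnum() and not c.isspace() for c in pw):
        problems.append("no symbol")
    return problems


def check_password_nist(pw: str) -> list[str]:
    """Length-based policy in the spirit of the guidelines summarized above.

    No composition rules and no forced rotation: spaces and non-ASCII text are allowed,
    and only length plus the blocklist are checked."""
    # NFKC normalization (also an 800-63B recommendation, beyond the post) so the same
    # visible passphrase typed through different input methods compares consistently.
    norm = unicodedata.normalize("NFKC", pw)
    problems = []
    length = len(norm)  # count code points, not UTF-8 bytes, so non-ASCII text is not penalized
    if length < MIN_LEN:
        problems.append("shorter than 8 characters")
    if length > MAX_LEN:
        problems.append("longer than 64 characters")
    if norm.casefold() in COMMON_PASSWORDS:
        problems.append("on the common-password blocklist")
    return problems


if __name__ == "__main__":
    for candidate in ["correct horse battery staple", "Passw0rd!", "Password", "日本語のパスフレーズを使う"]:
        print(repr(candidate), "legacy:", check_password_legacy(candidate), "nist:", check_password_nist(candidate))
```

Note that a long, memorable passphrase fails the legacy policy on three counts while passing the length-based one, which is exactly the workaround-inducing behaviour the post describes.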

Shata L. Stucky is an associate in the firm’s Privacy & Data Security practice, resident in its Seattle office.