General Privacy & Data Security News & Developments

2019 presents businesses with new cybersecurity and privacy challenges: rapid advances in technology, sophisticated new cyberattacks and stricter privacy regulations here and around the world, just to name a few. Businesses that fail to plan risk significant financial and reputational damage.

Those at the front of the fight, but out of the headlines, will:

  • Afford users and consumers true “data self-determination” and transparent control over data while providing a frictionless digital experience.
  • Master what data they collect, who has access to it and how long they have it: “Cradle-to-grave” control over data will win the day.
  • Master baseline data privacy and security, whether defined by statutory schemes, best practices or voluntary industry standards.
  • Remain battle-ready for the critical infrastructure breach (financial, utility and/or transportation).
  • Deploy robust methods to repel email compromise.
  • Implement tested response plans for digital deep fakes (false video and audio recordings) and other disinformation campaigns.
  • Master vendor and supply chain data security.

Keep your passwords close…and complex, and unique, and hashed rather than stored in the clear, and periodically renewed.

In the wake of recent data breaches involving passwords, the French data protection authority, the CNIL, has published guidelines for adequate passwords.

Some highlights include:

  • If a password is your sole method of authentication, it needs to be at least 12 characters long and mix uppercase letters, lowercase letters, numbers and special characters.
  • If you use additional measures of protection (for example, a second factor), the password may be shorter and less complex.
  • A passphrase is better than a password, and the CNIL has developed a tool for producing passwords from sentences.
  • Your authentication function must (i) use a publicly documented algorithm recognised as strong and (ii) have a software implementation that is free of known vulnerabilities.
  • NEVER store passwords in cleartext: store only a salted hash computed with a dedicated password-hashing function, so that a stolen database does not reveal the passwords themselves.
  • Require, and allow, periodic renewal of passwords.

For details, see the full guidelines.

According to Rochelle Osei-Tutu, an International Trade Specialist at the U.S. Department of Commerce, over 4,000 companies have already registered for EU-US Privacy Shield and 2,600 for the Swiss-US Shield. Of them, 1,300 cover cross-border flows of HR data. Eighty percent of registered companies are small and medium-sized businesses, but many Fortune 500 companies are registered as well.

It took 13 years under the now-defunct Safe Harbor to reach numbers that Privacy Shield has reached in just two years. This, says Osei-Tutu, underscores the importance of data protection and cross-border transfers today.

On the commercial side of Privacy Shield, says Ralf Sauer, Deputy Head of Unit for International Data Flows at the European Commission, the things to look out for are checks against false claims of certification by companies and making sure there are no bad apples on the list that don’t play by the rules. In the wake of the Schrems litigation, surveillance under Section 702 of FISA and the functioning of the ombudsperson mechanism are of importance as well. A remaining issue of concern for the EU is the appointment of a permanent ombudsperson, says Sauer.

Registration for the Privacy Summit is open.

Fox Rothschild’s Minneapolis Privacy Summit on November 8 will explore key cybersecurity issues and compliance questions facing company decision-makers. This free event will feature an impressive array of panelists drawn from cybersecurity leaders in major industries, experienced regulatory and compliance professionals and the Chief Division Counsel of the Minneapolis Division of the FBI.

Attendees receive complimentary breakfast and lunch, and can take advantage of networking opportunities and informative panel sessions:

GDPR and the California Consumer Privacy Act: Compliance in a Time of Change

The European Union’s General Data Protection Regulation has been in effect since May. Companies that process or control the personal data of individuals in the EU should understand how to maintain compliance and avoid costly fines. Many more businesses should also prepare for the next major privacy mandate: the California Consumer Privacy Act.

Risk Management – How Can Privacy Officers Ensure They Have the Correct Security Policies in Place?

Panelists offer best practices for internal policies, audits and training to help protect protected health information (PHI), personally identifiable information (PII) and other sensitive data. Learn cutting-edge strategies to combat the technology threats of phishing and ransomware.

Fireside Chat

Jeffrey Van Nest, Chief Division Counsel of the Minneapolis Division of the FBI, speaks on the state of affairs in regulation and enforcement, including how to partner with the FBI, timelines of engagement and the latest on cyber threat schemes. His insights offer details on forming effective cyber incident response plans.

Keynote Speaker – Ken Barnhart

Ken is the former CEO of the Occam Group, a cybersecurity industry advisor and the founder and principal consultant for Highground Cyber – a spin-off of the Occam Group’s Cybersecurity Practice Group. For more than a decade, he has helped companies of all sizes design, host and secure environments in private, public and hybrid cloud models. Prior to his work in the corporate sector, Ken served as a non-commissioned officer in the United States Marine Corps and is a decorated combat veteran of Operation Desert Shield/Storm with the HQ Battalion of the 2nd Marine Division.

Geared toward an audience of corporate executives, in-house chief privacy officers and general counsel, the summit will provide important take-aways about the latest risks and threats facing businesses.

Stay tuned for more agenda details. Registration is open.

The American Bar Association is holding its upcoming 2018 Business Law Section Annual Meeting at the Austin Convention Center in Austin, TX, from September 13 to 15.

Fox partner Matt Kittay will moderate a panel entitled “Lawyer Ethical Issues in M&A Technology,” featuring Haley Altman of Doxly, Steve Obenski of Kira Systems, and James Walker of Richards Kibbe & Orbe. The group will discuss ethical issues facing lawyers who use both emerging and globally accepted technology platforms to execute M&A and private equity transactions. The panel will take place on Friday, September 14 from 3:30 PM to 5:00 PM at the Technology in M&A Subcommittee Meeting of the Mergers & Acquisitions Committee. The Fairmont Hotel, connected to the Convention Center, will host the panel.

For more information and to register to attend the section’s Annual Meeting, please visit the ABA website.

The French data protection authority (CNIL) is placing Facebook’s EU-U.S. data transfer practices under new scrutiny over its use of the defunct Safe Harbor framework.

The agency issued a two-part order Feb. 8 requiring the social media company to stop using Safe Harbor to transfer data to the United States. Safe Harbor was nullified in October 2015 when the European Court of Justice invalidated the European Commission’s Safe Harbor decision covering transfers to the U.S. The framework had allowed U.S. companies to transfer personal data from the EU to the U.S.

The ECJ’s decision to invalidate Safe Harbor stemmed from an Austrian citizen’s complaint – filed in the aftermath of revelations about U.S. National Security Agency data collection practices – that Facebook violated his privacy rights by transferring his personal data to the U.S. The decision imperiled 4,000 U.S. companies’ ability to transfer data from the EU to the U.S.

The new CNIL order is based on Facebook continuing to include language describing its use of Safe Harbor on its French privacy policy page. Part two of the order accuses Facebook of using cookies to track non-users’ activity without their consent, a violation of French law, according to the CNIL. It gives Facebook three months to stop tracking non-users without their consent, or face potential fines.

The order comes at a tumultuous time for U.S.-EU data transfer policy. EU and U.S. officials agreed to a new EU-U.S. Privacy Shield transatlantic data transfer pact on Feb. 2, but many of the details, including the text and legal implications of the agreement, are in flux. Critics say details are so scarce that the agreement is not the basis for a working policy. While many in the EU have criticized the U.S. government’s data collection practices, critics point out that the EU may want to take a look in the mirror, since many of its member states spy on their own citizens.

It all leads to massive uncertainty. No one is sure how things will develop over the next few months.

If you or your company have questions or concerns about preparing for or responding to new privacy regulations, or you are interested in creating and/or implementing a cybersecurity plan, contact the author or a Fox Rothschild Privacy & Data Security team member.

Critical infrastructure operators and multinational companies must report significant cybersecurity incidents to national authorities in the European Union (EU) or face severe penalties under a new EU cybersecurity law.

The law – the Network and Information Security (NIS) Directive – is aimed at promoting transparency and cooperation between governments and global companies in the response to cyber threats. It lays out new incident reporting rules for companies in the finance, energy, transport, health and technology sectors.

The new rules will notably apply to tech companies considered “digital service providers,” a group that includes online marketplaces, cloud computing services and search engines. The boundaries of that definition are less clear, leaving uncertainty as to which types of companies will face the new reporting requirements. Take Facebook, for example: search engines and e-commerce sites such as Amazon may be required to disclose incidents, while social networks’ obligations are less clear and they may face no disclosure requirement at all.

Expect more clarity in coming months. European regulators are negotiating a new transatlantic data transfer agreement to replace Safe Harbor, and could release the long-awaited General Data Protection Regulation, which will replace the Data Protection Directive, any day.

The upside is that these new laws and directives will provide some uniformity and clear direction on companies’ obligations in Europe. But that may come with higher privacy protection standards, stiffer penalties and more aggressive compliance enforcement. To prepare, companies should firm up their data security and privacy compliance efforts to align with industry standards such as ISO 27001.

For help drafting data security policies, or for advice on how to prepare for new European data privacy rules, contact the author or a member of the Fox Rothschild Privacy & Data Security or Technology teams.

Businesses that relied previously on the EU’s Safe Harbor exception to transfer data from Israel to the United States have had that authorization revoked by the Israeli Law, Information and Technology Authority (ILITA).

It’s part of the ongoing ripple effect caused by the invalidation of Safe Harbor.

Now that Safe Harbor is off the table, businesses must rely on standard contractual clauses, binding corporate rules or other legal strategies, to transfer data out of the EU, and now Israel.

Israel is not a member of the EU, but it was granted an adequacy decision in 2011 under the EU Data Protection Directive, allowing data to be transferred out of the EU to Israel without requiring companies to use standard contractual clauses or binding corporate rules.

Israel’s 2001 Privacy Protection Regulations permitted moving data from Israel to a database outside the country if the transferee country had laws regulating data protection that were at least as strict as Israeli law. It included an exception for companies located in countries with inadequate legal protections by allowing data transfers to nations to which the EU allows data transfers.

In effect, that allowed Safe Harbor compliant U.S.-based companies to transfer data out of Israel.

Online retailers will need to take proactive measures in 2015 to prevent customers’ personal data from being compromised, according to Symantec’s 2015 Internet Security Threat Report.

The report from the U.S. internet security firm breaks down the threats and vulnerabilities of the past year, and offers a preview of the cyber threats that the coming year may bring.

Between 2013 and 2014 the number of large data breaches involving more than 10 million records dropped, but the total number of breaches doubled between 2012 and 2014 to 312. The health care sector reported the most breaches in 2014, accounting for 37 percent of all incidents, perhaps a result of the tremendous amount of health information its members collect.

Retail ranked second in breaches, making up 11 percent of the total, but accounted for a stunning 59 percent of exposed identities. That number will probably increase as online retail makes up a larger portion of total sales and vulnerabilities surface in the e-commerce software that makes those sales possible. Retailers should be vigilant and employ basic safeguards to improve security and protect customers’ personal and financial data.

Here are some common security gaps to address:

  • “Wait, I didn’t mean to buy that.” Confirming transactions reduces inadvertent purchases made through an online store or app. Consider requiring customers to re-enter their password before completing a transaction.
  • “Can I get a receipt?” Automatically send customers an SMS or email receipt immediately after they purchase a product or service. It helps customers track their purchases and quickly spot fraud by calling attention to unauthorized purchases.
  • “Password” is not a good password. Require customers to set strong passwords to close a common gap that opens the door to attackers. A business cannot stop users from reusing a password they also use elsewhere, but it can dictate length and complexity and reject the most common choices. Set a minimum number of characters; require uppercase and lowercase letters, numbers and special characters; and require periodic updates.
  • “But we’ve never had a breach.” Don’t relax. Apply best practices and keep abreast of emerging threats to protect your online storefront and your customers’ personal data. Track hackers’ efforts to steal personal data, patch vulnerabilities and employ recommended encryption.
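The password rules on this page (the CNIL highlights earlier, and the retailer checklist just above) can be turned into a concrete, testable check. The following is an added example, not code from the page or from the CNIL: the relaxed threshold for accounts protected by a second factor, the 90-day renewal window, the sentence-to-password rule and the small blocklist are illustrative assumptions, and scrypt stands in for whatever publicly documented, strong password-hashing algorithm a team settles on.

```python
"""Password policy check, passphrase derivation and salted hashing.

Added example, not code from the page or from the CNIL. Values marked
'assumption' are illustrative; scrypt is used as one public, well-studied
password-hashing algorithm available in the standard library.
"""
import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta
from typing import List, Optional

CHARACTER_CLASSES = {
    "uppercase": string.ascii_uppercase,
    "lowercase": string.ascii_lowercase,
    "digit": string.digits,
    "special": string.punctuation,
}
MIN_LEN_SOLE_FACTOR = 12          # CNIL figure quoted on the page
MIN_LEN_WITH_SECOND_FACTOR = 8    # assumption: relaxed rule when a second factor protects the login
MAX_PASSWORD_AGE_DAYS = 90        # assumption: window used for "periodic renewal"

# Constructed sample blocklist; a real deployment would use a breach-derived list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}


def check_policy(password: str, has_second_factor: bool = False) -> List[str]:
    """Return the policy violations; an empty list means the password is accepted.

    Sole-factor logins need 12+ characters drawn from all four classes.
    With a second factor the length drops to 8 and three classes suffice (assumption).
    """
    problems: List[str] = []
    min_len = MIN_LEN_WITH_SECOND_FACTOR if has_second_factor else MIN_LEN_SOLE_FACTOR
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")

    present = {name for name, chars in CHARACTER_CLASSES.items()
               if any(c in chars for c in password)}
    needed = 3 if has_second_factor else 4
    if len(present) < needed:
        missing = sorted(set(CHARACTER_CLASSES) - present)
        problems.append("too few character classes, missing: " + ", ".join(missing))

    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password blocklist")
    return problems


def passphrase_to_password(sentence: str) -> str:
    """Derive a password from a memorable sentence (illustrative rule, not the CNIL tool's):
    keep the first character of every word plus any digits and punctuation."""
    out = []
    for word in sentence.split():
        out.append(word[0])
        out.extend(ch for ch in word[1:] if not ch.isalpha())
    return "".join(out)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store a salted scrypt hash, never the cleartext. The parameters travel with
    the hash so they can be raised later without breaking existing records."""
    salt = salt if salt is not None else os.urandom(16)
    log_n, r, p = 14, 8, 1
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2 ** log_n, r=r, p=p, dklen=32)
    return f"scrypt${log_n}${r}${p}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time.
    The same call serves the 're-enter your password before purchase' step."""
    try:
        algo, log_n, r, p, salt_hex, digest_hex = stored.split("$")
        if algo != "scrypt":
            return False
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                                   n=2 ** int(log_n), r=int(r), p=int(p), dklen=len(expected))
    except ValueError:          # malformed record, bad hex or bad parameters
        return False
    return hmac.compare_digest(candidate, expected)


def renewal_due(changed_at_iso: str, now_iso: str,
                max_age_days: int = MAX_PASSWORD_AGE_DAYS) -> bool:
    """Periodic renewal: True once the password (timestamps as ISO 8601 strings)
    is older than the allowed window."""
    changed_at = datetime.fromisoformat(changed_at_iso)
    now = datetime.fromisoformat(now_iso)
    return now - changed_at > timedelta(days=max_age_days)


if __name__ == "__main__":
    sentence = "I bought 2 coffees at 8:15 on Tuesday, and it rained!"   # constructed input
    pw = passphrase_to_password(sentence)
    print(pw, check_policy(pw))                 # Ib2ca8:15oT,air! []
    print(check_policy("Password"))             # too short, too few classes, blocklisted
    record = hash_password(pw)
    print(record.startswith("scrypt$"), verify_password(pw, record),
          verify_password("Password", record))  # True True False
    print(renewal_due("2019-01-01", "2019-06-01"))   # True
```

The stored record carries the algorithm name, the cost parameters and a per-user random salt, so two users with the same password get different hashes and the cost can be raised later by rehashing at next login. Comparison goes through `hmac.compare_digest` to avoid leaking information through timing.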

Fox Rothschild attorneys know protecting customers’ personal information is critical. For more information, please contact the author, a member of the Privacy & Data Security practice, or your Fox Rothschild attorney.