General Privacy & Data Security News & Developments

Username and password login fields, online security
Usernames and passwords were exposed in a number of reported data breaches.

According to the monthly report from the Identity Theft Resource Center, the health care industry suffered more data breaches in January than government, educational and financial sectors combined.

Medical and health care-related data breaches accounted for 26.7 percent of the verified 116 data breaches in early 2018. The report defines a breach as a cybersecurity incident in which personal information such as emails, medical records, Social Security numbers or driver’s license information, is exposed and made vulnerable to risk.

While the report identifies “Business” as the sector most affected by data breaches, the category broadly encompasses many types of major service providers in retail, hospitality, trade, transportation and other industries.

For more detailed statistics of data breaches by industry, download the ITRC report.

The Federal Trade Commission (FTC) has offered businesses an updated anti-phishing toolbox. It’s contained in new guidelines the agency has issued for preventing cyberattacks. Share the recommendations with your IT department to provide your email servers and networks with the latest defenses. Doing so sends a message that your company takes the threat to personal information seriously and is taking prudent and reasonable steps to protect it.

Here are the email authentication technologies the FTC recommends:

  • Sender Policy Framework (SPF) – requires a business to designate the IP addresses it uses to send emails
  • DomainKeys Identified Mail (DKIM) – authenticates the source and integrity of messages
  • Domain Message Authentication Reporting and Conformance (DMARC) – reports on and excludes unauthenticated email sources.

The FTC has additional recommendations. Chief among them? Make sure your software is at the strongest security setting. It should block delivery of unauthenticated messages and scan attachments for sensitive personally identifiable information (PII).

A growing number of apps are using location data that is expected to be subject to tighter regulation under new European Union privacy laws, particularly the much anticipated General Data Protection Regulation, or GDPR.

The new rules are expected to toughen requirements for obtaining consent from consumers to access this data and place restrictions on how companies operating in Europe can use data consumers agree to provide. Despite widespread speculation, the extent of the changes are unclear. With a potential for higher noncompliance fines, U.S. companies that use location data in apps for passive tracking are urged to closely monitor GDPR development.

Location, Location

EU regulators are particularly concerned about location data because it can reveal private, sometimes intimate details about consumers’ lives. It can expose where people travel, what stores and restaurants they visit and even details of their everyday routines. Location data involving medical facilities and places of worship triggers even more stringent protections.

The new EU regulations will require more than the blanket consent provided in the U.S. when a consumer clicks a box to acknowledge an app’s or service’s privacy policies. They are expected to require informed notice and consent for each individual use of the data. Many mapping apps collect location data to provide traffic information, but also to target ads, for example. EU regulators are particularly concerned about such “secondary uses” of data.

To give citizens more control over their personal data, the EU expects companies to provide customers with detailed notice of when and how their data is being used. Personal data can only be gathered for legitimate purposes, just what is needed to support a company’s business model. If a company wants to repurpose or analyze the data it has collected, it would have to go back to the consumer for consent on each occasion. That means companies must proactively monitor how their partners are using data, and ensure they obtain consent for each occasion and use.

EU Data Collection Compliance Checklist

  • Inform consumers clearly and in detail about what location data is being gathered and the primary and secondary ways it being used, such as to target ads.
  • Give consumers the ability to refuse to allow their data to be collected, or opt out of any of the ways in which it will be used.
  • Put a mechanism in place to notify consumers of changes in company data collection policy,  for example if you plan to repackage and data to an aggregator in the future.
  • Sign agreements with partners to ensure they are complying with the data collection permission your company has obtained.

For a review of your company’s privacy policies and guidance on how these new regulations may impact your organization, contact the author or other member of the Fox Rothschild Privacy & Data Security team.

Two bills that provide new funds to the Department of Homeland Security to support public-private collaboration on development of innovative cybersecurity technologies have passed the U.S. House of Representatives.

The legislation – the Support for Rapid Innovation Act (H.R. 5388) and the Leveraging Emerging Technologies Act (H.R. 5389) – was passed with bipartisan support after winning the approval of the House Homeland Security Committee last week.

“We need more [capabilities] and the government can’t do it alone; the dangers are too pressing for Washington to protect the American people all by itself,” said Majority Leader Rep. Kevin McCarthy, (R-California).

“Cybercriminals continue to develop even more advanced cyber capabilities, and in 2016 these hackers pose an even greater threat to the U.S. homeland and our critical infrastructure,” bill sponsor Rep. John Ratcliffe (R-Tex.) said.

Democrats made similar statements in support of the bills.

Other, similar legislation is in the pipeline: the Cybersecurity and Infrastructure Protection Agency Act (H.R. 5390) and the Improving Small Business Cyber Security Act (H.R. 5064). No votes have been scheduled.

For more information about how new regulations may affect your organization contact the author or a member or Fox Rothschild’s Privacy & Data Security Practice Group.

Federal lawmakers took steps Wednesday to convert the Department of Homeland Security (DHS) National Protection and Programs Directorate (NPPD) into a fully-operational agency dedicated to cybersecurity that would be called the Cybersecurity and Infrastructure Protection Agency.

The agency’s goal would be to “realign and streamline” federal cybersecurity initiatives and implement the recently passed Cybersecurity Information Sharing Act (CISA).

The legislation (H.R. 5390) was one of four cybersecurity-related bills that passed the U.S. House of Representatives Homeland Security Committee Wednesday.

“Every day, cybercriminals and nation-states are looking for vulnerabilities to exploit at companies like Target and Sony, our critical infrastructure sectors and our federal government,” Committee Chairman Michael McCaul (R-Texas), said.

The Committee also endorsed the Improving Small Business Cyber Security Act (H.R. 5064), the Support for Rapid Innovation Act (H.R. 5388), and the Leveraging Emerging Technologies Act (H.R. 5389).

The Improving Small Business Cyber Security Act allows DHS to provide greater resources and support to small business, and to work with small-business development centers to develop better cybersecurity infrastructure, and improve employee cybersecurity risk training.

The Support for Rapid Innovation Act adds a section to the Homeland Security Act directing DHS – itself or through other federal agencies, in academia, and/or through the private sector – to support research and development of new cybersecurity and data protection technology.

The Leveraging Emerging Technologies Act, would authorize DHS to work with emerging technology developers and startups to help address federal cybersecurity and technology needs, and establish offices in areas where tech and cyber-related businesses are concentrated.

All of the legislation now heads to the full House where nothing is certain. If enacted, the legislation will direct addition funding to companies operating with the cybersecurity and technology spaces, likely with increased government oversight and/or involvement.

For more information about how new regulations may impact your organization, contact the author or a Fox Rothschild Privacy and Data Security Practice Group member.

The Federal Trade Commission wants app users to know if their television viewing habits are being tracked by Silverpush for marketing purposes.

The agency recently warned 12 application developers to notify consumers if the software, which tracks television use whether or not a user is in an app, is in use in the United States. Silverpush says it is not.

According to the FCC, the app developers in question ask end users to approve access to the device’s microphone even though their apps don’t require audio input. This, the agency concluded, was to collect information on users’ activities. It reminded app developers to follow FTC marketing guidelines and not to state or imply that their apps aren’t collecting and transmitting television viewing behavior, which would risk violating Section 5 of the FTC Act.

It’s an interesting counterpoint to a recent Eleventh Circuit decision, which held that a content provider could not hold a company liable for tracking viewing habits through third party software, because the TV app was free and there was no direct customer relationship with the company.

The FTC warning does not distinguish among apps by type and is important for both app developers and content providers to keep in mind.

Whether developer or owner of a platform, companies should continually evaluate their disclosures and warranties regarding collection and marketing practices related to apps. That applies to their privacy policy and those of vendors and other third parties they work with. Contracts and licenses between the app owners and developers should outline marketing practices disclosure and warranty obligations.

If you or your company have questions or concerns, contact the author or a Fox Rothschild Privacy & Data Security team member.

The French data protection authority (CNIL) is placing Facebook’s EU-U.S. data transfer practices under new scrutiny over its use of the defunct Safe Harbor framework.

The agency issued a two-part order Feb. 8 requiring the social media company to stop using Safe Harbor to transfer data to the United States. Safe Harbor was nullified in October 2015 when the European Court of Justice invalidated the EU Commission’s Safe Harbor agreement with the U.S. The agreement had allowed U.S. companies to transfer EU citizens’ data to the U.S. from the EU.

The ECJ’s decision to invalidate Safe Harbor stemmed from an Austrian citizen’s complaint – filed in the aftermath of revelations about U.S. National Security Agency data collection practices – that Facebook violated his privacy rights by transferring his personal data to the U.S. The decision imperiled 4,000 U.S. companies’ ability to transfer data from the EU to the U.S.

The new CNIL order is based on Facebook continuing to include language detailing its use of Safe Harbor on its France privacy policy page. Part two of the order accuses Facebook of using cookies to track non-users’ activity without their consent, a violation of French law, according to CNIL. It gives Facebook three months to stop tracking non-users without their consent, or face potential fines.

The order comes at an tumultous time for U.S.-EU data transfer policy. EU and US officials agreed to a new EU-U.S. Privacy Shield transatlantic data transfer pact on Feb. 2nd,  but many of the details, including language and legal implications of the agreement are in flux. Critics say details are so scarce that the agreement is not the basis for a working policy. While many in the EU have criticized the U.S. government’s data collection practices, critics point out that the EU may want to take a look in the mirror since many of its member states spy on their own citizens.

It all leads to massive uncertainty. No one is sure how things will develop over the next few months.

If you or your company have questions or concerns about preparing for or responding to new privacy regulations, or you are interested in creating and/or implementing a cybersecurity plan, contact the author or a Fox Rothschild Privacy & Data Security team member.

Critical infrastructure operators and multinational companies must fully disclose cybersecurity breaches and violations to European Union (EU) authorities or face severe penalties under a new EU cybersecurity law.

The law – the Network and Information Security Directive – is aimed at promoting transparency and cooperation between governments and global companies in the response to cyber threats. It lays out new breach reporting rules for companies in the finance, energy, health and technology sectors.

The new rules will apply, notably, to tech companies considered “digital service providers,” a group that includes online retailers and marketplaces, cloud storage firms and search engines. The definition of “digital service providers” is less clear, leaving uncertainty as to what types of companies will face new reporting requirements. Take Facebook, for example. Search engines and e-commerce sites such as Amazon may be required to fully disclose data breaches, while social networks’ disclosure obligations are less clear. They may face no disclosure requirements.

Expect more clarity in coming months. European regulators are negotiating a new transatlantic data transfer agreement to replace Safe Harbor, and could release the long-awaited General Data Protection Regulation, to replace Data Protection Directive, any day.

The upside is that these new laws and directives will provide some uniformity, and clear direction on companies’ obligations in Europe. But that may result in higher privacy protection standards, stiffer penalties and more aggressive compliance enforcement. To prepare, companies should firm-up their data security and privacy compliance efforts to align with industry standards such as ISO 27001.

For help drafting data security policies, or for advice on how to prepare for new European data privacy rules, contact the author or a member of the Fox Rothschild Privacy & Data Security or Technology teams.

The U.S. House of Representatives has passed legislation authorizing the Department of Homeland Security to create a National Computer Forensics Institute (NCFI).

The new entity, operated by the U.S. Secret Service, would train state and local law enforcement authorities, as well as prosecutors and judges on cyber threat investigations and forensic examination of mobile devices.

The NCFI has its origins in Alabama. The state proposed creating a cyber crime training facility for state and local law enforcement in 2007, asking that it be operated by the Secret Service and Department of Homeland Security. The NCFI was created in 2008, but never formally authorized.

After passing the House on November 30, the Strengthening State and Local Cyber Crime Fighting Act (H.R. 3490) now moves on the Senate.

The legislation details institute operations and requires it to disseminate information on investigating and preventing cyber crime. House Judiciary Committee Chairman Bob Goodlatte (R-VA) said the NCFI is a “vital” part of addressing cyber crime, which he said has the ability to affect “national security, economic prosperity and public safety.”

The Federal Financial Institutions Examination Council (FFIEC) is warning financial institutions that extortion-related cyberattacks are on the rise.

The FFIEC said in a statement that “financial institutions should develop and implement effective programs to ensure the institutions are able to identify, protect, detect, respond to, and recover from these types of attacks.”

It lays out the following preventative measures:

  • Periodically review, test and update incident response and business continuity plans
  • Conduct information security risk assessments
  • Defend against unauthorized access
  • Securely configure systems and services
  • Add information on cyberattacks involving extortion to data security awareness and training programs,
  • Test controls around critical systems on a regular basis
  • Upgrade security monitoring, prevention, and risk mitigation
  • Share information at industry forums

The guidance demonstrates a shift in the FFIEC’s stance to one that urges proactive steps in combatting cyberattacks in the financial services industry. It comes as ransomware attacks are on the increase and in the wake of distributed denial-of-service attacks tied to extortion, including those by a group known as DD4BC.

Banks must assess their cyber defenses, as well as the effectiveness and sophistication of their risk mitigation plans, the FFIEC urges. Financial institutions must provide training to bank employees and key contractors to narrow the cyber-skills gap with advanced cyber criminals.

In its statement, the FFIEC urges banks to make sure their “risk management processes and business continuity planning” covers these new cyberattacks in a manner that aligns with the commission’s previous risk management guidance.

The FFIEC – made up of the Federal Reserve’s Board of Governors, the Consumer Financial Protection Bureau, Federal Deposit Insurance Corp., Office of the Comptroller of the Currency, and National Credit Union Administration – asserts that regulators are seeing more attacks in which hackers steal private data and hold it for ransom, or demand payment to prevent a shutdown.

The rising tide of extortion-related attacks is worrisome because cyber criminals typically install malware throughout a network before making it operational, according to fraud experts. These exploits stay in place and are difficult to remove because they are hard to find. Once a cyberattack infiltrates a bank’s web servers or systems, it can reproduce itself, infecting customers, vendors, partners, and others the bank interacts with. Extortion-related cyberattacks pose “liquidity, capital, operational, compliance and reputation risks” and can result in fraud, data loss, and disruption of customer service. The cost of cyber-extortion may be covered by a good cyber insurance policy, but it’s hard to put a true value on or restore a bank’s reputation and lost revenue.

Questions or concerns about the FFIEC’s cyber guidance or the creation and/or implementation of a cybersecurity plan? Contact the author or a Fox Rothschild Privacy & Data Security team member.