Copyright: hywards / 123RF Stock Photo

France’s data protection regulator, the Commission Nationale de l’Informatique et des Libertés (CNIL), ordered Alphabet Inc.’s Google in 2015 to comply with the right to be forgotten.

If the order is upheld, the CNIL’s approach to personal privacy threatens the equally legitimate, competing rights of businesses and consumers outside the European Union to freedom of expression and access to information.

Scott L. Vernick and Jessica Kitain recently authored the Bloomberg BNA Privacy and Security Law Report article “The Right To Be Forgotten – Protection or Hegemony?” We invite you to read the full article.

Reproduced with permission from Privacy and Security Law Report, 15 PVLR 1253, 6/20/2016. Copyright © 2016 by The Bureau of National Affairs, Inc. (800.372.1033) http://www.bna.com

EU and U.S. officials unveiled the full text of the proposed EU-U.S. Privacy Shield framework earlier this week. The agreement is the culmination of a five-month negotiation to address European concerns about mass surveillance and personal data protection in transatlantic data transfers. The Article 29 Working Party of EU data protection authorities must now review it and issue its opinion.

Privacy Shield replaces the Safe Harbor framework, which the European Court of Justice invalidated in October 2015. That decision affected nearly 4,000 United States companies that had been transferring data from the EU to the United States under Safe Harbor.

Under the provisions of Privacy Shield:

  • Companies must self-certify annually that they meet its requirements.
  • The U.S. Department of Commerce will monitor all registered companies to ensure that their public-facing privacy notices reflect Privacy Shield principles.
  • Companies that leave the program must continue to follow its principles for as long as they use, maintain or store the personal data they received while they were participants.
  • Companies must respond to EU consumer complaints about mishandling of personal information within 45 days.
  • In addition to contacting the company directly, EU consumers can submit their complaint to their national data protection authority, which will coordinate with the U.S. Department of Commerce or the Federal Trade Commission to obtain a response within 90 days.
  • Companies must offer consumers a free alternative dispute resolution process and describe it in their privacy notices.
  • Participating companies that do not comply with the Privacy Shield framework face sanctions, which can include fines and exclusion from the program.

The Story So Far

The origins of the Safe Harbor framework, agreed upon in July 2000, lie in the 1995 EU Data Protection Directive. Safe Harbor set out seven privacy principles (notice, choice, onward transfer, security, data integrity, access and enforcement) and allowed companies to transfer personal data out of the EU if they self-certified annually that they adhered to them. About 4,000 U.S. companies used the program as an alternative to binding corporate rules or model contractual clauses.

In October 2015, the European Court of Justice (ECJ), ruling on a challenge to Facebook’s transfer of EU users’ data to the U.S., held that Safe Harbor did not adequately protect EU citizens’ privacy rights under the EU Data Protection Directive and invalidated it. The case arose in response to Edward Snowden’s revelations about the NSA’s PRISM program.

Shortly thereafter, EU data protection authorities announced that they would hold off on enforcement actions against Safe Harbor-certified U.S. companies until the end of January 2016, but reserved the right to enforce the Data Protection Directive if a replacement was not in place by that deadline.

Enter the Judicial Redress Act, Stage Left

Meanwhile, the U.S. Senate took up the Judicial Redress Act, a bill that would give citizens of designated countries, including EU Member States, a private right of action in U.S. courts for misuse of their personal data by U.S. federal agencies. While the Act falls short of the protections EU citizens enjoy at home, it brings the two regimes closer together and gave EU officials some level of comfort.

The U.S. House of Representatives passed its version of the Judicial Redress Act in October 2015, shortly after the ECJ’s decision. The bill was expected to clear the Senate in early 2016, but an eleventh-hour amendment limited the right to sue to citizens of countries that permit commercial data transfers to the U.S. and do not impose personal data transfer restrictions that impede U.S. national security interests. That amendment stalled discussions between the U.S. and the EU days before the early-February deadline. The negotiators nonetheless reached agreement on Privacy Shield before Congress finalized the legislation, which left interested parties waiting to see whether the U.S. would follow through on its promise to provide privacy protections to EU citizens.

The Senate then passed the amended version of the Judicial Redress Act, allowing both houses to reconcile and pass a final bill. It reached President Obama’s desk in mid-February, and he signed it into law on February 24, 2016.

What’s Next?

The European Commission has submitted the Privacy Shield text to the EU data protection authorities. The DPAs will convene in April to review it and announce their position. Although their opinion will not be legally binding, it will carry considerable weight and could set the stage for the ECJ’s inevitable review of the framework. If the ECJ finds that the agreement fails to adequately protect EU citizens and their right to privacy, the Commission and U.S. negotiators would likely have to rewrite it. The uncertainty in the meantime may drive more U.S. companies to rely on binding corporate rules or model contractual clauses to transfer personal data out of the EU. Many U.S. companies have also begun exploring local data infrastructure in the EU, which may become necessary if Privacy Shield is never adopted.

Fox Partner and Chair of the Privacy and Data Security Practice Scott L. Vernick was a guest on Fox Business’ “The O’Reilly Factor” and “After the Bell” on February 17, 2016, to discuss the controversy between Apple and the FBI over device encryption.

A federal court recently ordered Apple to write new software to unlock the iPhone used by one of the shooters in the San Bernardino attacks in December 2015. Apple CEO Tim Cook has vowed to fight the court order.

The Federal Government vs. Apple (The O’Reilly Factor, 02/17/16)

Apple’s Privacy Battle With the Federal Government (After the Bell, 02/17/16)

Viviane Reding, then the EU Justice Commissioner, proposed an overhaul of the EU Data Protection Directive in 2012. Now, European Union officials have settled on an agreement to replace the Directive with new privacy legislation called the General Data Protection Regulation (GDPR). It is not EU law just yet, but the EU Parliament is expected to give its full approval at its next session. Once adopted, the GDPR will take effect in 2018 across all 28 EU Member States and replace the widely inconsistent national laws enacted to meet the minimum data protection requirements set out in the Directive.

First enacted in 1995, the Directive needed to be updated to keep pace with two decades of change in technology. The GDPR is intended to harmonize privacy law across the EU, and heavy fines are expected for companies that fail to implement the new requirements.

In its current form, the GDPR contains provisions expected to change how personal data is collected, stored and transmitted in and out of the EU, including the following:

  • Imposing more rigorous requirements for obtaining an individual’s consent to the collection of his or her information, and for giving individuals access to it.
  • Setting the age of digital consent at 16, although Member States may lower it to as young as 13.
  • Requiring companies to delete an individual’s data when it is no longer needed for the purpose for which it was collected.
  • Requiring companies to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it.
  • Creating a “one-stop shop” so that a company answers to a single lead supervisory authority for complaints brought under the GDPR.
  • Authorizing fines of up to four percent of a company’s global annual turnover for non-compliance.

The GDPR’s most significant change is that its reach is not defined by geography: it applies to any company, wherever located, that offers goods or services to individuals in the EU or monitors their behavior, so companies outside the EU will be covered by virtue of processing data about people in the EU. As noted above, fines for non-compliance can reach four percent of a company’s global annual turnover, and the financial exposure for Fortune 500 companies could run into the billions. It remains to be seen how strictly EU regulators will enforce these rules. Still, companies should begin planning and building the new practices into their workflows now, and expect aggressive enforcement when the 2018 deadline arrives.

The GDPR will also recognize standard contractual clauses and binding corporate rules as authorized mechanisms for transferring personal data out of the EU. Safe Harbor was invalidated in 2015 in the wake of Edward Snowden’s disclosure of the United States’ comprehensive surveillance programs, so this recognition should, in theory, offer relief to businesses that had relied on self-certifying their compliance with the Safe Harbor principles. Negotiations between the United States and the European Union are under way to establish a “Safe Harbor 2.0,” and both sides are pushing to finalize the framework by the end of January 2016. That would provide another avenue for the roughly 4,000 companies that relied on the original Safe Harbor to collect and transfer data.

Privacy officials in Germany have published a position paper arguing that standard contractual clauses and binding corporate rules do not provide the data protections necessary for lawful U.S.-EU data flows. In the German regulators’ view, neither of these alternatives to Safe Harbor is viable.

The German data protection authorities (DPAs) instead recommended a path of informed consent. U.S. companies should disclose in full to potential EU partners how U.S. information security and data privacy law falls short of the protections afforded under EU law. Before consenting to data transfers to U.S. organizations, EU companies must be made aware of the U.S. government’s ability to access data and personal information. The DPAs went further, asserting that the differences between individual privacy rights in the U.S. and the EU should be spelled out, along with the U.S. government’s shortcomings in meeting EU privacy standards.

However, the German DPAs warned that even these disclosures may not be enough in light of the U.S. mass surveillance programs brought to light in 2013 by Edward Snowden.

The position paper may be a harbinger of developments in the era beyond Safe Harbor. The Israeli Law, Information and Technology Authority (ILITA) has likewise stopped permitting Israel-to-U.S. data transfers that relied on Safe Harbor. Other EU countries and allies may follow suit unless the U.S. government agrees to stronger privacy principles or limits its national surveillance programs.

In February 2013, President Obama issued the executive order Improving Critical Infrastructure Cybersecurity, which set out a plan to reduce the risk of cyberattacks on critical infrastructure. The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) was charged with developing that plan, which became the Framework for Improving Critical Infrastructure Cybersecurity (the Framework), released in February 2014. NIST worked with more than three thousand individuals and organizations to create it. The Framework’s goal is to help businesses build cybersecurity programs and to establish a common vocabulary and set of industry practices for managing cybersecurity risk.

The Framework is designed to help a business of any size, in any sector and at any current level of cybersecurity maturity reach an appropriate level of protection. It has three parts: (1) the Framework Core, (2) the Framework Implementation Tiers, and (3) Framework Profiles. The Core is a set of cybersecurity activities, desired outcomes and informative references organized under five Functions (Identify, Protect, Detect, Respond and Recover), each broken into Categories and Subcategories. It is the raw material for building Framework Profiles, which in turn drive a business’s cybersecurity plan; in effect, the Core describes every aspect of a cybersecurity program so that the business can assess and improve its own.

The Framework Implementation Tiers describe how a business approaches cybersecurity risk and place it in one of four tiers. Ranked from weakest to strongest, they are: (1) Partial, (2) Risk Informed, (3) Repeatable and (4) Adaptive. A Partial business manages risk ad hoc and may not consult risk objectives or the threat environment when making cybersecurity decisions. A Risk Informed business has management-approved risk processes but may not apply them across the whole organization. A Repeatable business has formally approved practices that it regularly updates based on risk management. An Adaptive business adapts its cybersecurity practices continuously, incorporating lessons learned and predictive indicators. The Tier assignment helps a business understand how well its cybersecurity risk management is integrated into its organizational processes.

After working through the Framework Core and Implementation Tiers, a business can create Framework Profiles tailored to its own characteristics. A “Current” Profile gives a clear picture of where the business stands today and which aspects of its cybersecurity program need improvement. A “Target” Profile describes the cybersecurity state the business wants to reach. Comparing the two lets the business prioritize its actions and measure progress.

Several resources support the Framework, including NIST’s Roadmap for Improving Critical Infrastructure Cybersecurity, NIST’s Cybersecurity Framework Reference Tool, and the Department of Homeland Security’s Critical Infrastructure Cyber Community (C³) Voluntary Program. A business that wants to use the Framework should visit NIST’s Framework website at http://www.nist.gov/cyberframework/.

Copyright: argus456 / 123RF Stock Photo

Fox Rothschild partner Scott L. Vernick was quoted in The New York Times article, “Hacking Victims Deserve Empathy, Not Ridicule.” Full text can be found in the September 2, 2015, issue, but a synopsis is below.

While some data breach victims may face only minor frustrations – changing a password or getting a new credit card – it is a different story for the more than 30 million Ashley Madison users who had their accounts for the infidelity website compromised.

Many of the victims of this latest massive data breach have been plunged into despair, fearing they could lose jobs and families, and expecting to be humiliated among friends and colleagues.

“It’s easy to be snarky about Ashley Madison, but just because it’s unpopular or even immoral, it doesn’t mean this sort of activity shouldn’t be protected,” said Scott L. Vernick, a noted privacy attorney. “This gets at fundamental issues like freedom of speech and freedom of association – today it’s Ashley Madison, tomorrow it could be some other group that deserves protection.”

On July 20, 2015, in Remijas v. Neiman Marcus Group, LLC, No. 14-3122 (7th Cir. 2015), the Seventh Circuit held that the United States District Court for the Northern District of Illinois erred in dismissing a class action brought against Neiman Marcus after hackers stole its customers’ payment card information. The District Court had dismissed the plaintiffs’ claims because they had not alleged an injury sufficient to establish standing, relying on the Supreme Court’s decision in Clapper v. Amnesty Int’l USA, 133 S.Ct. 1138 (2013), which held that to establish Article III standing an injury must be “concrete, particularized, and actual or imminent.”

However, the Seventh Circuit clarified that Clapper “does not, as the district court thought, foreclose any use whatsoever of future injuries to support Article III standing.”  Rather, “injuries associated with resolving fraudulent charges and protecting oneself against future identity theft” are sufficient to confer standing.

In Remijas, the Seventh Circuit explained that there is a reasonable likelihood that the hackers will use the plaintiffs’ information to commit identity theft or credit card fraud.  “Why else would hackers break into a store’s database and steal consumers’ private information?” – the Seventh Circuit asked.  The Seventh Circuit held that the plaintiffs should not have to wait until the hackers commit these crimes to file suit.

The Seventh Circuit also considered that some of the plaintiffs have already paid for credit monitoring services to protect their data, which it held is a concrete injury.  Neiman Marcus also offered one year of credit monitoring services to its customers affected by the breach, which the Seventh Circuit considered an acknowledgment by the company that there was a likelihood that their customers’ information would be used for fraudulent purposes.

Ultimately, this decision may serve to soften the blow dealt by Clapper to data breach plaintiffs.  Specifically, based on this ruling, plaintiffs who have not incurred any fraudulent charges, but have purchased credit monitoring services, or have spent time and money protecting themselves against potential fraud may argue that they have standing.

On June 30, 2015, Connecticut Governor Dannel Malloy signed into law Senate Bill 949, “An Act Improving Data Security and Agency Effectiveness,” a data privacy and security bill that tightens data breach response requirements. S.B. 949 provides that an entity that experiences a data breach must notify those affected no “later than [90] days after discovery of such breach, unless a shorter time is required under federal law.” Previously, Connecticut law required only that notice be given “without unreasonable delay.”

During a press conference on June 2, 2015, Attorney General George Jepsen clarified that 90 days is the floor – not the ceiling.  He stated that “[t]here may be circumstances under which it is unreasonable to delay notification for 90 days.”  Projected to become effective October 1, 2015, S.B. 949 also requires entities affected by breaches to provide at least one year of free identity theft prevention services for breaches involving the resident’s name and Social Security number.

Guest Blogger: Kevin P. Demody, Summer Associate

Cyberattacks are not reserved for science fiction or corporate America; they can also reach professional sports. A case is currently unfolding in Major League Baseball, where the St. Louis Cardinals are under investigation for hacking. The F.B.I. and Justice Department prosecutors are investigating whether the Cardinals broke into the Houston Astros’ computer systems to obtain confidential baseball data.

Investigators have found evidence suggesting that Cardinals front office employees accessed Astros systems containing information on possible trades, injury reports and scouting evaluations. If the allegations prove accurate, this would be the first known instance of corporate cyber espionage between professional sports organizations. The Cardinals organization, one of the most successful baseball clubs of the past two decades, has been served with subpoenas for electronic correspondence that may relate to the intrusions.

In a written statement from Major League Baseball, the organization assured the public that it “has been aware of and has fully cooperated with the federal investigation into the illegal breach of the Astros’ baseball operations database.”  The League also promised to “evaluate the next steps” and “make decisions promptly” after the federal investigation concludes.

The intrusions may have been a revenge tactic by Cardinals employees against former Cardinals executive and current Astros general manager Jeff Luhnow. As a scouting and player development executive with the Cardinals, Mr. Luhnow was instrumental in the team’s World Series success, developing a distinctive approach to evaluating players and managing talent. Much of that success was attributed to a computer system named “Redbird,” which held the organization’s collective baseball knowledge. When Mr. Luhnow’s polarizing tenure with the Cardinals ended after the 2011 season, he left to become general manager of the Astros, where he built a similar electronic baseball knowledge system.

The Astros’ system, known as “Ground Control,” collects the team’s baseball data and weights it according to the opinions of the team’s physicians, scouts, statisticians and coaches. Investigators believe that members of the Cardinals organization used passwords Mr. Luhnow had used while with the Cardinals to log in to Ground Control and take data. This is classic credential reuse: attackers routinely try passwords from one account or system against other systems the same person uses, which is exactly why a password recovered from a former employer can still open doors years later. The investigation began last year, when the Astros believed the intrusions had come from rogue outside hackers; only later did the F.B.I. trace them to a home occupied by a Cardinals employee.
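The defensive counterpart to the credential reuse described above is to screen every new or rotated password against known-compromised passwords, including the trivial rotations (new year, trailing punctuation, leet-speak) people apply to an old favorite. The following is an added example written for this post; it is not code from the original page or from any team or agency mentioned in it. The list of “breached” passwords is constructed for illustration, and the k-anonymity range lookup is simulated locally so the script runs offline:

```python
"""Password-reuse screening: reject a candidate password if it, or a
trivially rotated variant of it, matches a known-compromised password.

Added example for this post, not code from the original page or from
any party described in it. The breached list is a constructed sample
and the k-anonymity range lookup is simulated locally so this runs
offline."""
import hashlib
import re
from collections import defaultdict

# Constructed sample of passwords assumed to have leaked in earlier breaches.
CONSTRUCTED_BREACHED_PASSWORDS = [
    "Redbird2011", "baseball", "Password1", "letmein", "astros!",
]

_TRAILING_JUNK = re.compile(r"[\d!@#$%^&*]+$")
_LEET = str.maketrans({"@": "a", "0": "o", "1": "l", "$": "s", "3": "e"})


def sha1_hex(text: str) -> str:
    """Upper-case hex SHA-1, the digest format range-query services use."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def normalize(password: str) -> str:
    """Collapse the cheap rotations people apply to an old password:
    strip trailing digits/punctuation, undo common leet substitutions,
    then case-fold. 'Redbird2012!' and 'Redbird2011' both become 'redbird'."""
    stripped = _TRAILING_JUNK.sub("", password)
    return stripped.translate(_LEET).lower()


def build_range_index(passwords):
    """Index SHA-1 digests by 5-hex-char prefix, as a k-anonymity range API
    exposes them: the client sends only the prefix and compares the returned
    suffixes locally, so the full hash never leaves the client."""
    index = defaultdict(set)
    for pw in passwords:
        digest = sha1_hex(pw)
        index[digest[:5]].add(digest[5:])
    return index


# Two indexes: exact digests, and digests of the normalized forms.
EXACT_INDEX = build_range_index(CONSTRUCTED_BREACHED_PASSWORDS)
NORMALIZED_INDEX = build_range_index(
    {normalize(pw) for pw in CONSTRUCTED_BREACHED_PASSWORDS if normalize(pw)}
)


def range_lookup(index, prefix: str):
    """Simulated server side of a range query (offline stand-in)."""
    return index.get(prefix, set())


def found_in(index, text: str) -> bool:
    digest = sha1_hex(text)
    return digest[5:] in range_lookup(index, digest[:5])


def check_password(password: str) -> dict:
    """Verdict for a candidate password. Exact matches are rejected outright;
    normalized matches are rejected too, since an attacker holding the old
    password will try the same rotations."""
    if found_in(EXACT_INDEX, password):
        return {"ok": False, "reason": "exact match to a breached password"}
    norm = normalize(password)
    if norm and found_in(NORMALIZED_INDEX, norm):
        return {"ok": False, "reason": f"rotation of a breached password ({norm!r})"}
    return {"ok": True, "reason": "no match in breached set"}


if __name__ == "__main__":
    for candidate in ["Redbird2011", "Redbird2012!", "P@ssw0rd2", "Tr0ub4dor&3"]:
        print(candidate, check_password(candidate))
```

In production the local index would be replaced by a call to a breached-password range service (or an internal list of every password hash ever set on the organization’s systems), and the same check would run when an employee departs, so that credentials known to a former colleague are rotated everywhere rather than only on the system they left.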

The investigation is ongoing, and federal officials would not comment on which Cardinals employees were involved or whether front office executives knew of the intrusions. No Cardinals employees have yet been suspended or placed on leave.