Fox Partner and Chair of the Privacy and Data Security Practice Scott L. Vernick was a guest on Fox Business’ “The O’Reilly Factor” and “After the Bell” on February 17, 2016, to discuss the controversy between Apple and the FBI over device encryption.

A federal court recently ordered Apple to write new software to unlock the iPhone used by one of the shooters in the San Bernardino attacks in December. Apple CEO Tim Cook has vowed to fight the court order.

The Federal Government vs. Apple (The O’Reilly Factor, 02/17/16)

Apple’s Privacy Battle With the Federal Government (After the Bell, 02/17/16)

 

 

 

The White House is building on recent laws addressing cybersecurity in the United States with the release of a new Cybersecurity National Action Plan (“CNAP”). The plan focuses on:

  • improving cybersecurity awareness and protections;
  • additional privacy and security protections for individuals through the creation of a permanent Federal Privacy Council;
  • maintenance of public safety, economic security and national security through a new Commission on Enhancing National Security; and
  • encouraging citizens to take better control of their digital information and security.

CNAP includes a request to Congress to invest over $19 billion for the 2017 Fiscal Year Budget, which is a 35% increase to resources allocated to cybersecurity during FY 2016.

The plan is highlighted by a new Commission on Enhancing National Security (“Commission”). The Commission will be comprised of top technical, strategic, and business advisors in the private sector chosen by bipartisan Congressional leadership.  It will make detailed recommendations to improve cybersecurity awareness both inside and outside the government.  The Commission will also make specific findings about improving national security and empowering citizens to better handle their digital security.  These recommendations and findings must be reported to the President before the end of this year.

The White House looks to make significant improvements in government cybersecurity as part of a $3.1 billion Information Technology Modernization Fund, which will allow agencies to modernize outdated IT infrastructure, networks and systems. A new Federal Chief Information Security Officer will be solely dedicated to developing, managing, and coordinating cybersecurity policies, strategies and operations in the federal government.  The Department of Homeland Security will have new federal civilian cyber defense teams to protect associated networks, systems and data.  The plan also calls for disrupting cyberattacks and improving cyber incident response.

CNAP’s concern for citizens’ privacy and security is reflected in an Executive Order making the Federal Privacy Council permanent. Privacy officials from across the government will help ensure that more strategic and comprehensive federal privacy guidelines are implemented.  The Administration wants citizens to leverage multiple layers of authentication when logging into online accounts instead of just a password. Extra factors like a fingerprint or a single use code via text message are ways to improve online security. The federal government is accelerating adoption of this approach for citizen-to-government digital services, such as tax and health benefit information.  The White House’s new milestones for the 2014 BuySecure Initiative will build upon the already 2.5 million issued Chip-and-PIN payment cards.

Research and development will continue to be a focus with a new Federal Cybersecurity Research and Development Strategic Plan. The strategic plan outlines research and development goals so that U.S. can advance cybersecurity technologies.  CNAP further mentions working with the Linux Foundation’s Core Infrastructure Initiative to maintain and improve internet infrastructure.

——–

Randall J. Collins is a law clerk in Fox Rothschild’s Philadelphia office.

The “new age” of internet and dispersed private data is not so new anymore but that doesn’t mean the law has caught up.  A few years ago, plaintiffs’ cases naming defendants like Google, Apple, and Facebook were at an all-time high but now, plaintiffs firms aren’t interested anymore.  According to a report in The Recorder, a San Francisco based legal newspaper, privacy lawsuits against these three digital behemoths have dropped from upwards of thirty cases in the Northern District of California i 2012 to less than five in 2015.   Although some have succeeded monumentally—with Facebook writing a $20 million check to settle a case over the fact that it was using users’ images without their permission on its “sponsored stories” section—this type of payout is not the majority.  One of the issues is that much of the law in this arena hasn’t developed yet.  Since there is no federal privacy law directly pertaining to the digital realm, many complaints depend on old laws like the Electronic Communications Privacy Act and Stored Communications Act (1986) as well as the Video Privacy Protection Act (1988).  The internet and its capacities was likely not the target of these laws—instead they were meant to prohibit such behavior as tapping a neighbor’s phone or collecting someone’s videotape rental history.

Further, it seems unavoidable now to have personal data somewhere somehow.  Privacy lawsuits attempting to become class actions have a difficulty in succeeding in a similar way that data breach class actions do: the plaintiffs face the challenge of proving concrete harms.  In a case later this year, Spokeo v. Robins, the Supreme Court may change this area of law because it will decide whether an unemployed plaintiff can sue Spokeo for violating the Fair Credits Reporting Act because Spokeo stated that he was wealthy and held a graduate degree.  The issue will turn on proving actual harm.  Companies that deal with private information on a consistent basis should protect themselves by developing privacy policies that, at the very least, may limit their liability.   The reality is that data is everywhere and businesses will constantly be finding creative and profitable ways to use it.

To keep up with the Spokeo v. Robins case, check out the SCOTUSblog here.

http://www.scotusblog.com/case-files/cases/spokeo-inc-v-robins/

New innovations come hand in hand with new privacy issues.  Privacy policies may seem like a last minute add-on to some app developers but they are actually an important aspect of an app.  Data breaches are an imminent risk and a business’s first defense to potential problems is a privacy policy.

Fordham University in New York hosted its Ninth Law and Information Society Symposium last week where policy and technology leaders came together to discuss current privacy pitfalls and solutions.  Joanne McNabb, the California attorney general’s privacy education director and a leader in policies affecting the privacy agreements of companies such as Google and Apple, emphasized in a panel that she “wants to make the case for the unread privacy policy.”  She noted that the policy mainly promotes “governance and accountability [and] it forces an organization to be aware of their data practices to some degree, express them and then therefore to stand behind them.”  The privacy policy still matters because it protects businesses from the risks associated with having a high level of data. It is especially necessary for those businesses that depend solely on private information because they are at a higher risk of breach.

The FTC (Federal Trade Commission) has suggested using an approach called “Privacy By Design” which is a method of imbedding privacy protections into the infrastructure of the app.  This approach removes the concern of implementing privacy policies post-development. Another method of simplifying the privacy policy is the alert prompt that some apps have employed to consistently give consumers notice of when and where their information is used. McNabb and her fellow panelists found this method of “short, timely notices” helpful in closing the gap between the unread privacy policies and the claimed “surprise” of consumers who blame an app for the dissemination of information.

As the industry moves forward, privacy will become an even greater part of the equation. Whether a privacy policy is read is insignificant. The protections it puts in place for all parties involved are crucial. As apps and technologies become more connected to the private preferences of consumers, businesses with a leg up on privacy protections will thrive against the backdrop of those who view privacy as a second tier requirement.

For more information on “Privacy By Design” click here.

The freedom from automated calls at random hours of the evening may seem like the true American dream these days as more and more companies rely on these calls to reach out and communicate with customers.  Unfortunately, now that the Federal Communications Commission (“FCC”) voted to expand the Telephone Consumer Protection Act (“TCPA”) to include stringent yet vague restrictions on telemarketing robocalls, it may not be a dream for everyone. 

In June of this year, in a 3-2 vote, the FCC voted on adding the rule to the TCPA that entails barring companies from using “autodialers” to dial consumers, disallowing more than one phone call to numbers that have been reassigned to different customers, and mandating a stop to calls under a customer’s wishes.  These restriction may seem reasonable but dissenting Commissioner, Ajit Pai, recognized that the rule’s broad language will create issues because it does not distinguish between legitimate businesses trying to reach their customers and unwanted telemarketers.  Some attorneys have further commented on the rule stating that its use of “autodialer” opens up a can of worms of interpretations and can really be viewed as any device with even the potential to randomly sequence numbers, including a smartphone.  Companies using even slightly modernized tactics to reach out to their customer base are now at risk of facing litigation—and it won’t stop there.  Businesses that legitimately need to reach out to their customers will be caught between a rock and a hard place as they face a one-call restriction now and may also open themselves up to litigation if a customer decides to take that route.

The FCC Chairman, Tom Wheeler, attempted to quash concerns by stating that “Legitimate businesses seeking to provide legitimate information will not have difficulties.”  This statement unfortunately won’t stop plaintiff’s attorneys from greasing their wheels to go after companies who even make “good faith efforts” to abide by the new rule.  Attorneys who defend businesses have recognized that the rule is ridden with issues that could potentially harm companies that simply do not have the mechanisms to fully control and restrict repeated calls or the technology that makes those calls.  But, long story short, just because this rule has been put in motion, does not mean it will stand as is. Litigation and court action will likely be a natural consequence and that may result in changes for the future.  For now, businesses that utilize automated phone calls should be wary of the technology used and attempt to at least keep track of numbers and phone calls made.  When in doubt, talk to an attorney to make sure you are taking the appropriate precautions.

A recent District of Nevada ruling could cause issues for consumers in data breach class action cases moving forward.  On June 1, 2015, the court ruled that a consumer class action against Zappos.com Inc. could not proceed because the class did not state “instances of actual identity theft or fraud.”  The suit was brought as a result of a 2012 data breach where Zappos’ customers’ personal information was stolen, including names, passwords, addresses, and phone numbers.  Even though the information was stolen, the court dismissed the case because the class could not prove that they had been materially harmed and had no other standing under Article III.

If a data breach has occurred, but the victims cannot claim any harm besides the fear that a hacker has their information, courts have been willing to grant defendants’ motions to dismiss.  The ruling by the District of Nevada court is the most recent decision in a trend to block consumer class actions relating to data breaches.  Many of these recent rulings have been influenced by the Supreme Court’s 2013 decision in Clapper v. Amnesty International USA.  In Clapper, the Supreme Court held that claims of future injury could only satisfy the Article III standing requirement if the injury was “certainly impending” or if there was a “substantial risk” that the harm was going to occur.  Unfortunately for the consumer class in the Zappos’ case this means that unless their stolen information has been used to harm them, the data breach alone is not enough standing to bring a suit.

However, some district courts have been able to find sufficient standing for data breach victims in spite of the Clapper decision.  In Moyer v. Michaels Stores, a district court in the Northern District of Illinois ruled that data breach victims had standing to sue.  The court relied on Pisciotta v. Old National Bancorp, a Seventh Circuit pre-Clapper decision, which held that the injury requirement could be satisfied by an increased risk of identity theft, even if there was no financial loss.  Moyer further distinguished itself from Clapper by explaining that Clapper dealt with national security issues, and not general consumer data breaches.  Other district courts have distinguished their cases from Clapper by holding that Clapper dealt with harm that was too speculative to quantify, while consumer data breach cases deal with the concrete possibility of identity theft.

Although Clapper set the tone for consumer data breach claims, district courts have been divided because of different interpretations in the ruling.  The Supreme Court recently granted certiorari in another Article III standing case, Spokeo Inc. v. Robins Inc., which deals with a private right of action grounded in a violation of a federal statute.  Although it does not directly deal with consumer data breaches, the decision may lead the Supreme Court to expand the standing requirements generally.  Given society’s increasing use of technology and inclination to store personal information electronically, consumer data breach claims will only increase in the future.  The courts’ standing requirements must adapt to meet the changing needs of individuals and businesses alike.

With 2013 being dubbed as the “Year of the Mega Breach” it comes as no surprise that the Federal Trade Commission (“FTC”), on June 30, 2015 published “Start with Security: A Guide for Businesses” to educate and inform businesses on protecting their data.  The FTC is tasked with protecting consumers from “unfair” and “deceptive” business practices and with data breaches on the rise, it has come to take that job much more seriously.  The lessons in the guide are meant to aid businesses in their practices of protecting data and the FTC cites to real examples of its data breach settlement cases to help companies understand each lesson and the real world consequences that some companies have faced.  Here are the lesson headlines:

  1. 1. Start with security;
  2. 2. Control access to data sensibly;
  3. 3. Require secure passwords and authentication;
  4. 4. Store sensitive personal information securely and protect it during transmission;
  5. 5. Segment networks and monitor anyone trying to get in and out of them;
  6. 6. Secure remote network access;
  7. 7. Apply sound security practices when developing new products that collect personal information;
  8. 8. Ensure that service providers implement reasonable security measures;
  9. 9. Implement procedures to help ensure that security practices are current and address vulnerabilities; and
  10. 10. Secure paper, physical media and devices that contain personal information.

  Katherine McCarron, the Bureau of Consumer Protection attorney, explained that the Bureau “look[s] at a company’s security procedures and determine[s] whether they are reasonable and appropriate in light of all the circumstances” when evaluating an organization’s conduct.  It is likely that this guide will become the FTC’s road map for handling future enforcement actions and will help businesses to remain on the safe side of the data breach fence.

Whether you run a mom and pop shop or a multi-million dollar company, this guide is a must-read for any business that processes personal information.

Start reading here.

https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business

Last week we posted about A Brief Primer on the NIST Cybersecurity Framework.  Our partner and HIPAA/HITECH expert Elizabeth Litten took the NIST Cybersecurity Framework and created a blog post for the HIPAA, HITECH and Health Information Technology Blog on how How the NIST Cybersecurity Framework Can Help With HIPAA Compliance: 3 Tips, which can be read here.  For those facing any HIPAA-related issues, it is a worthwhile read.

In February 2013, President Obama issued his Improving Critical Infrastructure Cybersecurity executive order, which presented a plan to decrease the risk of cyberattacks on critical infrastructure.  The US Department of Commerce’s National Institute of Standards and Technology (NIST) was charged with creating the plan, which became known as the Framework for Improving Critical Infrastructure Cybersecurity (Framework).  The NIST worked with over three thousand individuals and business organizations to create the Framework.  The goal of the Framework is to help businesses develop cybersecurity programs within their organizations and to create industry standards for dealing with cybersecurity issues.

The Framework is designed to work with businesses to reach a sufficient level of cybersecurity protection regardless of size, sector, or level of security.  The Framework consists of three parts (1) The Framework Core, (2) The Framework Implementation Tiers, and (3) The Framework Profiles.  The Framework Core is a grouping of cybersecurity activities based on industry indicators, desired outcomes, and practices.  It assists businesses in developing Framework Profiles, which are used to create cybersecurity plans.  Essentially, the Core characterizes all aspects of a business’ cybersecurity protection so that the Framework can assist the business in creating a secure network.

The Framework Implementation Tiers assess how a business acknowledges cybersecurity issues and ranks the business into one of four tiers.  Ranked from weakest to strongest the four tiers are: (1) Partial, (2) Risk Informed, (3) Repeatable, and (4) Adaptive.  The Partial Tier is for businesses that may not consult risk objectives or environmental threats when deciding cybersecurity issues.  The Risk Informed Tier is for businesses that have cybersecurity risk management processes, but may not implement them across the entire organization.  The Repeatable Tier is for businesses that regularly update their cybersecurity practices based on risk management.  The Adaptive Tier is for businesses that adapt cybersecurity procedures frequently and implement knowledge gained from past experiences and risk indicators.  The Tier assignment helps a business better understand the impact of cybersecurity issues on its organizational procedures.

After a business has gone through the necessary steps with the Framework Core and Implementation Tiers, it can create a Framework Profile based on its individual characteristics.  A “Current” Profile allows a business to have a clear sense of where it stands in terms of cybersecurity and what aspects of its cybersecurity program need improvement.  A “Target” Profile represents the cybersecurity state that a business wants to achieve through the use of the Framework.  By comparing its “Current” Profile and “Target” Profile, a business is able to prioritize its actions and measure its progress.

There are several resources that support the Framework including the NIST’s Roadmap for Improving Critical Infrastructure Cybersecurity, the NIST’s Cybersecurity Framework Reference Tool, and The Department of Homeland Security’s Critical Infrastructure Cyber Community C3 Voluntary Program.  A business that wants to utilize the Framework should visit the NIST’s Framework website at:  http://www.nist.gov/cyberframework/.

Copyright: argus456 / 123RF Stock Photo
Copyright: argus456 / 123RF Stock Photo

Fox Rothschild partner Scott L. Vernick was quoted in The New York Times article, “Hacking Victims Deserve Empathy, Not Ridicule.” Full text can be found in the September 2, 2015, issue, but a synopsis is below.

While some data breach victims may face only minor frustrations – changing a password or getting a new credit card – it is a different story for the more than 30 million Ashley Madison users who had their accounts for the infidelity website compromised.

Many of the victims of this latest massive data breach have been plunged into despair, fearing they could lose jobs and families, and expecting to be humiliated among friends and colleagues.

“It’s easy to be snarky about Ashley Madison, but just because it’s unpopular or even immoral, it doesn’t mean this sort of activity shouldn’t be protected,” said Scott L. Vernick, a noted privacy attorney. “This gets at fundamental issues like freedom of speech and freedom of association – today it’s Ashley Madison, tomorrow it could be some other group that deserves protection.”