Electronic Data Security

2019 presents businesses with new cybersecurity and privacy challenges: rapid advances in technology, sophisticated new cyberattacks and stricter privacy regulations here and around the world, just to name a few. Businesses that fail to plan risk significant financial and reputational damage.

Those at the front of the fight, but out of the headlines, will:

  • Afford users and consumers true “data self-determination” and transparent control over data while providing a frictionless digital experience.
  • Master what data they collect, who has access to it and how long they have it: “Cradle-to-grave” control over data will win the day.
  • Master baseline data privacy and security, whether defined by statutory schemes, best practices or voluntary industry standards.
  • Remain battle-ready for the critical infrastructure breach (financial, utility and/or transportation).
  • Deploy robust methods to repel the email compromise.
  • Implement tested response plans for digital deep fakes (false video and audio recordings) and other disinformation campaigns.
  • Master vendor and supply chain data security.

Keep your passwords close…and complex, and encrypted and unique, and ever-changing.

In the wake of recent data breaches involving passwords, the French data protection authority, the CNIL, has published guidelines for adequate passwords.

Some highlights include:

  • If you use a password as your sole method of authentication, it needs to be at least 12 characters consisting of uppercase letters, numbers and special characters.
  • If you use additional measures of protection, the password may be less complex.
  • A passphrase is better than a password, and the CNIL developed a tool for producing passwords from sentences.
  • Your authentication function must (i) use a public algorithm deemed strong and (ii) have a software implementation that is free of known vulnerabilities.
  • NEVER store passwords in cleartext; require and allow periodic renewal of passwords.

For details, see the full guidelines.

According to Rochelle Osei-Tutu, an International Trade Specialist at the U.S. Department of Commerce, over 4,000 companies have already registered for EU-US Privacy Shield and 2,600 for the Swiss-US Shield. Of them, 1,300 cover cross-border flows of HR data. Eighty percent of registered companies are small and medium-sized businesses, but many Fortune 500 companies are registered as well.

It took 13 years under the now defunct Safe Harbor to reach these numbers, which have been reached in just two years of Privacy Shield. This, says Osei-Tutu, underscores the importance of data protection and cross-border transfers now.

Things to look out for, regarding Privacy Shield on the commercial side, says Ralf Sauer, Deputy Head of Unit for International Data Flows at the European Commission, are checks against false claims made by companies and making sure that there are no bad apples on the list that don’t play by the rules. In the wake of the Schrems lawsuit, surveillance under Section 702 of FISA and the functioning of the ombudsperson mechanism are of importance as well. A remaining issue of concern for the EU is the appointment of a permanent ombudsperson, says Sauer.


Acting Federal Trade Commission (FTC) Chairman Maureen K. Ohlhausen made it clear that she expects the FTC’s enforcement role in protecting privacy and security to encompass automated and connected vehicles. In her opening remarks at a June 28, 2017 workshop hosted by the FTC and National Highway Traffic Safety Administration (NHTSA), she said the FTC will take action against manufacturers and service providers of autonomous and connected vehicles if their activities violate Section 5 of the FTC Act, which prohibits unfair and deceptive acts or practices.

Such concern is warranted as new technologies allow vehicles to not only access the Internet, but also to independently generate, store and transmit all types of data – some of which could be very valuable to law enforcement, insurance companies, and other industries. For example, such data can not only show a car’s precise location, but also whether it violated posted speed limits, and aggressively followed behind, or cut-off, other cars.

Acting Chairman Ohlhausen noted that the FTC wants to coordinate its regulatory efforts with NHTSA, and envisions that both organizations will have important roles, similar to the way the FTC and the Department of Health and Human Services both have roles with respect to the Health Insurance Portability and Accountability Act (HIPAA).

Traditionally, NHTSA has dealt with vehicle safety issues, as opposed to privacy and data security. Thus, it may mean that the FTC will have a key role on these issues as they apply to connected cars, as it already has been a major player on privacy and data security in other industries.

Acting Chairman Ohlhausen also encouraged Congress to consider data breach and data security legislation for these new industries, but speakers at the workshop (video available here and embedded below) noted that legislation in this area will have difficulty keeping up with the fast pace of change of these technologies.

Workshop video (embedded in the original post): Part 1, Part 2, Part 3.

Specific federal legislation, or even laws at the state level, may be slow in coming given the many stakeholders who have an interest in the outcome. Until then, the broad mandate of Section 5 may be one of the main sources of enforcement. Companies who provide goods or services related to autonomous and connected vehicles should be familiar with the basic FTC security advice we have already blogged about here, and should work with knowledgeable attorneys as they pursue their design and manufacture plans.

The French data protection authority (CNIL) is placing Facebook’s EU-U.S. data transfer practices under new scrutiny over its use of the defunct Safe Harbor framework.

The agency issued a two-part order Feb. 8 requiring the social media company to stop using Safe Harbor to transfer data to the United States. Safe Harbor was nullified in October 2015 when the European Court of Justice invalidated the EU Commission’s Safe Harbor agreement with the U.S. The agreement had allowed U.S. companies to transfer EU citizens’ data to the U.S. from the EU.

The ECJ’s decision to invalidate Safe Harbor stemmed from an Austrian citizen’s complaint – filed in the aftermath of revelations about U.S. National Security Agency data collection practices – that Facebook violated his privacy rights by transferring his personal data to the U.S. The decision imperiled 4,000 U.S. companies’ ability to transfer data from the EU to the U.S.

The new CNIL order is based on Facebook continuing to include language detailing its use of Safe Harbor on its French privacy policy page. Part two of the order accuses Facebook of using cookies to track non-users’ activity without their consent, a violation of French law, according to CNIL. It gives Facebook three months to stop tracking non-users without their consent, or face potential fines.

The order comes at a tumultuous time for U.S.-EU data transfer policy. EU and U.S. officials agreed to a new EU-U.S. Privacy Shield transatlantic data transfer pact on Feb. 2, but many of the details, including the language and legal implications of the agreement, are in flux. Critics say details are so scarce that the agreement is not the basis for a working policy. While many in the EU have criticized the U.S. government’s data collection practices, critics point out that the EU may want to take a look in the mirror, since many of its member states spy on their own citizens.

It all leads to massive uncertainty. No one is sure how things will develop over the next few months.

If you or your company have questions or concerns about preparing for or responding to new privacy regulations, or you are interested in creating and/or implementing a cybersecurity plan, contact the author or a Fox Rothschild Privacy & Data Security team member.

Businesses that relied previously on the EU’s Safe Harbor exception to transfer data from Israel to the United States have had that authorization revoked by the Israeli Law, Information and Technology Authority (ILITA).

It’s part of the ongoing ripple effect caused by the invalidation of Safe Harbor.

Now that Safe Harbor is off the table, businesses must rely on standard contractual clauses, binding corporate rules or other legal strategies, to transfer data out of the EU, and now Israel.

Israel is not an official member of the so-called “Euro Data Zone,” but it was granted an exception in 2011 under the EU Data Protection Directive, allowing data to be transferred out of the EU to Israel without requiring companies to use standard contractual clauses or binding corporate rules.

Israel’s 2001 Privacy Protection Regulations permitted moving data from Israel to a database outside the country if the transferee country had laws regulating data protection that were at least as strict as Israeli law. It included an exception for companies located in countries with inadequate legal protections by allowing data transfers to nations to which the EU allows data transfers.

In effect, that allowed Safe Harbor compliant U.S.-based companies to transfer data out of Israel.

On July 20, 2015, in Remijas v. Neiman Marcus Group, LLC, No. 14-3122 (7th Cir. 2015), the Seventh Circuit held that the United States District Court for the Northern District of Illinois wrongfully dismissed a class action suit brought against Neiman Marcus after hackers stole its customers’ data and debit card information. The District Court originally dismissed the plaintiffs’ claims because they had not alleged sufficient injury to establish standing. The District Court based its ruling on a United States Supreme Court decision, Clapper v. Amnesty Int’l USA, 133 S.Ct. 1138 (2013), which held that to establish Article III standing, an injury must be “concrete, particularized, and actual or imminent.”

However, the Seventh Circuit clarified that Clapper “does not, as the district court thought, foreclose any use whatsoever of future injuries to support Article III standing.”  Rather, “injuries associated with resolving fraudulent charges and protecting oneself against future identity theft” are sufficient to confer standing.

In Remijas, the Seventh Circuit explained that there is a reasonable likelihood that the hackers will use the plaintiffs’ information to commit identity theft or credit card fraud. “Why else would hackers break into a store’s database and steal consumers’ private information?” the Seventh Circuit asked. The Seventh Circuit held that the plaintiffs should not have to wait until the hackers commit these crimes to file suit.

The Seventh Circuit also considered that some of the plaintiffs have already paid for credit monitoring services to protect their data, which it held is a concrete injury. Neiman Marcus also offered one year of credit monitoring services to its customers affected by the breach, which the Seventh Circuit considered an acknowledgment by the company that there was a likelihood that its customers’ information would be used for fraudulent purposes.

Ultimately, this decision may serve to soften the blow dealt by Clapper to data breach plaintiffs.  Specifically, based on this ruling, plaintiffs who have not incurred any fraudulent charges, but have purchased credit monitoring services, or have spent time and money protecting themselves against potential fraud may argue that they have standing.

Online retailers will need to take proactive measures in 2015 to prevent customers’ personal data from being compromised, according to Symantec’s 2015 Internet Security Threat Report.

The report from the U.S. internet security firm breaks down the threats and vulnerabilities of the past year, and offers a preview of the cyber threats that the coming year may bring.

Between 2013 and 2014 the number of large data breaches involving more than 10 million records dropped, but the total number of breaches doubled between 2012 and 2014 to 312. The health care sector reported the most breaches in 2014, accounting for 37 percent of all incidents, perhaps a result of the tremendous amount of health information its members collect.

Retail ranked second in breaches, making up 11 percent of the total, but accounted for a stunning 59 percent of exposed identities. That’s a number that will probably increase as online retail makes up a larger portion of total sales, and vulnerabilities surface in the ecommerce software that makes those sales possible. Retailers should be vigilant, and employ basic safeguards to improve security and protect customers’ personal and financial data.

Here are some common security gaps to address:

  • “Wait, I didn’t mean to buy that.” Confirming transactions reduces inadvertent online and app purchases made through an online store or app. Consider requiring customers to enter their password before completing a transaction.
  • “Can I get a receipt?” Automatically provide customers with SMS or email receipts immediately after they purchase a product or service. It helps customers track their purchases and quickly identify fraud by calling attention to unauthorized purchases.
  • “Password” is not a good password. Require customers to set strong passwords to plug a common cybersecurity gap that can open the door to hackers. A business can’t prevent users from recycling passwords, but it can dictate their content and complexity. Set a minimum number of characters, require uppercase and lowercase letters, numbers, and special characters and require updates.
  • “But we’ve never had a breach.” Don’t relax. Apply best practices and keep abreast of emerging threats to protect your online storefront and your customers’ personal data. Track hackers’ efforts to steal personal data, patch vulnerabilities and employ recommended encryption.
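As an added illustration (not code from the original posts, not the CNIL's password tool, and not Fox Rothschild material), the following Python shows the two controls that both the CNIL highlights earlier on this page and the retail checklist above call for: a policy check that enforces the 12-character, mixed-class rule for a password used as the sole authentication factor, and salted, iterated hashing so that the password is never stored in cleartext. The relaxed minimum length applied when additional protective measures are in place, the PBKDF2 iteration count, the stored record format and the sample passwords are assumptions made for this example; only the Python standard library is used.

```python
import hashlib
import hmac
import os
import string
from typing import List, Optional

# From the CNIL highlights quoted on this page: a password that is the sole
# authentication factor needs at least 12 characters drawn from uppercase
# letters, digits and special characters.
SOLE_FACTOR_MIN_LENGTH = 12
# Assumed relaxed length for when extra measures (second factor, lockout,
# rate limiting) are in place; the page gives no figure, so this is illustrative.
WITH_EXTRA_MEASURES_MIN_LENGTH = 8
# Assumed work factor for PBKDF2-HMAC-SHA256; tune for your own hardware.
PBKDF2_ITERATIONS = 600_000


def check_password_policy(password: str, extra_measures: bool = False) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes.

    With extra_measures=True only the (assumed) shorter length is enforced,
    mirroring the guideline that the password "may be less complex" when
    additional protection exists.
    """
    problems = []
    min_len = WITH_EXTRA_MEASURES_MIN_LENGTH if extra_measures else SOLE_FACTOR_MIN_LENGTH
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not extra_measures:
        if not any(c.isupper() for c in password):
            problems.append("no uppercase letter")
        if not any(c.isdigit() for c in password):
            problems.append("no digit")
        if not any(c in string.punctuation for c in password):
            problems.append("no special character")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted PBKDF2 digest and return a self-describing storage record.

    The record format "algo$iterations$salt_hex$digest_hex" is an assumption for
    this example; the point is that the cleartext password is never persisted.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def register_user(password: str, extra_measures: bool = False) -> str:
    """Apply the policy, then return the hashed record that would be stored."""
    problems = check_password_policy(password, extra_measures)
    if problems:
        raise ValueError("password rejected: " + ", ".join(problems))
    return hash_password(password)


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for candidate in ["Sh0rt!", "alllowercase123", "Tr0ub4dor&3xyz"]:
        print(candidate, "->", check_password_policy(candidate) or "ok")
    record = register_user("Tr0ub4dor&3xyz")
    print("stored record:", record)
    print("correct password verifies:", verify_password("Tr0ub4dor&3xyz", record))
    print("wrong password verifies:", verify_password("tr0ub4dor&3xyz", record))
```

Because the salt is generated per password and folded into the record, two users choosing the same password produce different stored values, and `verify_password` never needs the cleartext to be kept anywhere.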

Fox Rothschild attorneys know protecting customers’ personal information is critical. For more information, please contact the author, a member of the Privacy & Data Security practice, or your Fox Rothschild attorney.

The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) recently released an initial summary of its findings from its 2014 OCIE Cybersecurity Initiative. The OCIE examined 57 registered broker-dealers and 49 registered investment advisers to better understand how broker-dealers and advisers address the legal, regulatory, and compliance issues associated with cybersecurity.

The OCIE Summary made the following observations:

  • the majority of examined broker-dealers and advisers have adopted written information security policies;
  • the majority of examined firms conduct periodic risk assessments to identify cybersecurity threats and vulnerabilities;
  • most of the examined firms reported that they have experienced cyber-attacks directly or through one or more of their vendors; and
  • almost all of the examined firms make use of encryption in some form.

The OCIE also identified key differences in practices between broker-dealers and advisers, including that broker-dealers were more likely to: (1) incorporate cybersecurity risk policies into contracts with vendors; (2) explicitly designate a Chief Information Security Officer; and (3) maintain insurance for cybersecurity incidents.

FINRA also recently released a Report on Cybersecurity Practices, which presents firms with an approach to cybersecurity grounded in risk management.  FINRA’s Report recommends:

  • a sound governance framework with leadership engagement on cybersecurity issues;
  • risk assessments;
  • technical controls and strategy that fit the firm’s individual situation;
  • testing response plans, which should include containment, mitigation, recovery, investigation, notification and making consumers whole;
  • exercising due diligence when contracting with and using a vendor;
  • training staff to prevent unintentional downloading of malware; and
  • engaging in collaborative self-defense with other firms by sharing intelligence.

For more information and resources related to the SEC and FINRA’s examination of cybersecurity, check out Christopher Varano’s post on Fox Rothschild’s Securities Compliance blog.

Officials from both the Federal Trade Commission (FTC) and European Union (EU) recently called for enhancements to the Obama administration’s proposed Consumer Privacy Bill of Rights.

The White House’s proposed Consumer Privacy Bill of Rights seeks to provide “a baseline of clear protections for consumers and greater certainty for companies.” The guiding principles of the draft bill are: individual control, transparency, respect for context, security, access and accuracy, focused collection and accountability.

But the proposed legislation also seeks to afford companies discretion and flexibility to promote innovation, which some officials argue has led to a lack of clarity.

FTC Chairwoman Edith Ramirez had hoped for a “stronger” proposal and had “concerns about the lack of clarity in the requirements that are set forth.” However, Chairwoman Ramirez acknowledged the significance of a privacy bill backed by the White House. FTC Commissioner Julie Brill also expressed concern over weaknesses in the draft, calling for more boundaries.

Likewise, European Data Protection Supervisor Giovanni Buttarelli felt that the proposal lacked clarity and that, as written, “a large majority of personal data would not be subject to any provisions or safeguards.”

To review the administration’s proposed bill, click here.