Category Archives: Privacy

Loss of Safe Harbor Agreement Leaves Thousands of Multinationals in Breach of Data Protection

The European Court of Justice (ECJ) recently ruled that the US Safe Harbor agreement, which allowed the safe transfer of European citizens’ data to US companies, is no longer valid, placing many multinationals in murky water.

The 15-year-old data transfer agreement between the EU and the US allowed multinational companies such as Google, Microsoft and Facebook to store European citizens’ data in the US, so long as the companies agreed to comply with EU data protection principles.

The invalidation of the agreement follows the ECJ’s finding that US law does not provide an adequate level of data protection and that, in the wake of the Snowden revelations, the Safe Harbor scheme did not protect EU citizens against access to their data by US authorities.

What is the ‘Safe Harbor’ agreement?

Back in 2000, the Safe Harbor agreement was created to find a practical means to deal with data transfer. The scheme allowed companies to self-certify that they would protect EU citizens’ data when transferred to, and stored within, US data centres. This made the Safe Harbor scheme a sort of one-stop-shop, allowing for the export of personal data without the need for consent, speeding up processes and significantly reducing the amount of paperwork required.

Currently there are over 4,000 US companies registered on the program. The court has not provided any transitional period for companies to adapt and, as a result, these businesses have been left non-compliant with EU data protection rules. Businesses that fall into this area include EU-based multinationals transferring data between group companies and their US parents, and companies based in the US with EU customers.

Implications for your business

Until the EU and US agree a successor program that is compatible with EU data protection law, a large number of companies are left in the lurch.

The Information Commissioner’s Office in the UK (“ICO”) has released a statement following the ruling. They noted: “The judgment means that businesses that use Safe Harbor will need to review how they ensure that data transferred to the US is transferred in-line with the law.

“We recognise that it will take some time for them to do so…. We will now be considering the judgment in detail, working with our counterpart data protection authorities in other EU member states and issuing further guidance for businesses on options open to them.”

The ICO also noted that negotiations have been going on for some time between the European Commission and the US to replace the Safe Harbor program with a new, more privacy-protective arrangement.

One of the more troubling parts of the judgment is that the decision was largely based on the ability of US intelligence agencies, such as the National Security Agency, to view personal information transmitted to the US. It is unlikely that US security agencies will ever defer to EU privacy legislation over perceived national security needs. So how will this be reconciled in the Safe Harbor 2.0 program?

Alternatives

The most obvious and cleanest alternative for compliance is not to transfer personal data outside the EEA at all, and to install and maintain the servers that store personal data about EEA residents within the boundaries of the EEA. This is, unfortunately, not a practical solution for many companies that need to centralise in the US functions requiring the collection, storage and use of EEA customer, supplier and employee data.

There are other means approved by the EU for the international transfer of personal data. One of these is known as “binding corporate rules.” Under this scheme, companies within a corporate group agree to transfer personal data within the group under rules compatible with EU data protection legislation. The binding corporate rules must be approved by the data protection authority of the EEA country from which the data is transmitted (the ICO, in the UK). However, binding corporate rules only cover intra-group transfers, so they do not solve the problem of transmitting data between a customer in the EEA and a supplier in the US.

Another alternative is the use of “model clauses” (standard contractual clauses) in contracts between the persons or companies sending data from within the EEA and the companies or persons receiving it in the US. The European Commission has pre-approved templates for these clauses which, when incorporated unchanged into a contract, are considered to provide adequate protection.

A third alternative is to obtain express consent from the data subject to the cross border transmission of his or her data for a specific use or uses of the US recipient. This would not be a viable option for situations where mass data passes international borders.

Whatever solution companies find for the interim, all US companies registered on the Safe Harbor program will need to urgently assess their data protection programs to find another means to comply. There is no certainty about enforcement actions that may be taken in the interim period so companies who are unsure of their position are urged to seek legal advice immediately.

How will a new EU data protection law set to arrive by the end of 2015 impact businesses across the UK and Europe?

The proposed General Data Protection Regulation (GDPR) has been a subject of discussion for so long that the only people maintaining an interest in it are the lawyers. But where does it leave the companies who will be impacted by this legislation?

It is likely that any given company’s approach to the new rules will be determined by some form of risk-based assessment – and the level of risk taken will be directly determined by the firm’s size.

Large organisations may try to pre-empt the consequences of the legislation. They may therefore seek to put measures in place in order to make the transition to the new legal status smooth over the two year period that they have to comply.

Smaller organisations are more likely to play a game of wait and see, as they may be in two minds over how big a deal this new regulation will be. The cost of assessing their needs may be too high or they may simply take the view that due to the fact that no negative incidents have happened to date, they may as well carry on as they are.

The fact is, businesses will have to spend more money on compliance and governance to ensure their internal processes work like well-oiled machines if they want to avoid any intrusive “looking in” and inspection by the data protection authorities.

Businesses have some areas to consider when deciding how best to tackle the new EU protection law:

  • Consent – Businesses will need to ensure that they rely on unambiguous consent when processing personal data, whether this belongs to their customers or employees. Businesses in the consumer sector may be most impacted by this factor and companies will need to scrub their customer databases so that they aren’t holding data without consent. For example, holding onto Mrs. Jones’ data from ten years ago when she bought a pair of socks for Mr. Jones is no longer permissible. Companies’ marketing operational strategies will need to be able to handle requests from customers to purge personal data or even to stop using their data altogether.
  • Erasing data (Right to be forgotten) – Businesses are pretty good at personal data collection but how many of them are able to completely erase specific data from their systems? This is going to be a challenge for many organisations as the reality of the Google ‘Right to be forgotten’ case comes to bear on the small business. Perhaps truly anonymising data may be considered by businesses that can afford this.
  • Technical and Organisational Measures – The concern here surrounds the security of business systems against uninvited intrusions. Do you have the right controls (whether IT or otherwise) in place to ensure that your customers’ and personnel data records are kept secure? And can you do this for as long as is needed and without the risk of accidental loss? Do you even know why you keep such data – is there a legitimate purpose for the processing, and is the retention period tied to that purpose? Knowing the answers to these questions is one way for businesses to fully prepare their technical and organisational processes for the implementation of the new data protection law.
  • Data breach notification – Companies which are data controllers will be obliged to notify personal data breaches to the relevant data protection authority within 72 hours of becoming aware of them, and to notify the affected data subject(s) without undue delay where the breach is likely to result in a high risk to the individual(s). This means companies must ensure they have a robust incident management response procedure in place – one that can detect a breach, establish its scope and produce the facts for a notification inside that window – to ensure they can manage these obligations.
  • Enforcement and Fines – If, for any reason, a company breaches the GDPR, the relevant data protection authority may impose a fine of up to €1m or up to 2% of the organisation’s annual worldwide turnover under the Commission’s draft text; the final figures remain subject to negotiation between the Commission, Parliament and Council.

Businesses should start the process of putting in place compliance and governance teams that can begin looking into the processes and procedures that are likely to be impacted by the introduction of the new GDPR. Regardless of data breaches it is good practice for companies to uphold good governance as this minimises the risk of unexpected breaches.

CASL – New Guidance On The Installation Of Computer Programs

The Canadian Radio-television and Telecommunications Commission (CRTC) has released new guidance on the provisions of Canada’s Anti-Spam Legislation (CASL) dealing with the installation of computer programs. The computer program installation provisions will come into force in just over two months’ time, on January 15, 2015.

The good news is that the CRTC appears to confirm that the computer program installation provisions are largely limited to addressing the scourge of malware and spyware, i.e. covert installations. The CRTC is not interpreting the legislation as being intended to unduly interfere with legitimate business.

Among the highlights from the guidance (warning – this is an initial review by me and subject to change):

1. CASL does not apply when a person is installing software on their own computer, mobile device or tablet.

  • This means that the express consent provision (with the mandatory disclosures) should not apply to mobile app downloads by consumers to their own devices from an App store.
  • The express consent provisions and mandatory disclosures should not apply in the enterprise context where the installation is initiated by the organization onto its own devices used by its employees.
  • The express consent provisions and mandatory disclosures should not apply where the lessor is installing a program on the leased device.

2. The examples provided by the CRTC appear to mean that the term “causes to be installed” does not include code that merely facilitates an installation. Instead, “causes to be installed” refers to software concealed within an installation.

  • This means that the mere making available of software or code to facilitate an installation probably does not result in the organization being deemed to be “installing” or “causing the installation”.
  • Although the CRTC was not as clear as it could have been on this point, it would seem that there is no requirement for organizations to “police” user-initiated downloads even if the download is by a person who is not the owner of the device.

3. If the installation is not owner-initiated, then consent is required. However, consent is deemed for many types of programs, such as operating systems or programs executable through a program for which consent was already provided, or bug fixes. It should be noted though that consent is only deemed if it would be reasonable based on the person’s conduct that they consented to the installation.

  • This means that organizations must obey signals such as browser settings that disable cookies or Javascript.

4. Automatic updates that are not controlled by the user do require express consent. This can be obtained at the point of installation.

  • The CRTC did not give guidance on how to treat automatic updates that occur as a result of user-controlled mobile phone or computer settings; however, one would hope that the CRTC applies the same logic to these updates as to the original user-initiated installation.
  • In any event, the issue is partially mitigated because the transition period means that automatic upgrades can continue until January 15, 2018 for installations prior to January 15, 2015.

5. Certain spyware-like or malware-like features may require enhanced consent but only if these functions would normally not be expected by the user.

  • These special features include programs that: (a) collect personal information from the device; (b) interfere with the user’s control of the device; (c) change or interfere with the user’s settings, preferences or commands without the user’s knowledge; (d) change or interfere with data in a manner that will obstruct the user’s access to that data; (e) cause the device to connect to or send messages to another device without the user’s authorization; or (f) install an application that can be activated remotely without the user’s authorization.
  • Importantly, the CRTC appears to have agreed that the mere inclusion of these types of features does not require enhanced consent. The features must be unexpected given the nature of the program.

6. There will only be limited situations when an organization must provide assistance with uninstalling a program. These situations are primarily limited to misrepresentations regarding the features of the program.

For more information, visit our Privacy and Data Security blog at www.datagovernancelaw.com

About Dentons

Dentons is a global firm driven to provide you with the competitive edge in an increasingly complex and interconnected marketplace. We were formed by the March 2013 combination of international law firm Salans LLP, Canadian law firm Fraser Milner Casgrain LLP (FMC) and international law firm SNR Denton.

Dentons is built on the solid foundations of three highly regarded law firms. Each built its outstanding reputation and valued clientele by responding to the local, regional and national needs of a broad spectrum of clients of all sizes – individuals; entrepreneurs; small businesses and start-ups; local, regional and national governments and government agencies; and mid-sized and larger private and public corporations, including international and global entities.

Now clients benefit from more than 2,500 lawyers and professionals in 79 locations in 52 countries across Africa, Asia Pacific, Canada, Central Asia, Europe, the Middle East, Russia and the CIS, the UK and the US who are committed to challenging the status quo to offer creative, actionable business and legal solutions.

Learn more at www.dentons.com

California Expands Data Breach Law

On September 30, 2014, California Governor Jerry Brown signed into law AB 1710, a bill which expands California’s existing data breach laws.  As we discuss in further detail below, the new law introduces substantive requirements to California’s current data breach law by: (1) prohibiting the sale, advertisement or offer to sell an individual’s social security number, (2) including additional requirements related to identity theft prevention and mitigation services, and (3) requiring businesses that maintain personal information about California residents to implement and maintain reasonable security measures to protect that personal information.

This expansion of California’s current data breach laws likely comes on the heels of media reports of data breaches and the alarming number of complaints of identity theft received by federal and state agencies.  As we discussed in a previous blog post, Florida has also recently expanded its data breach laws, and we will likely see other states following suit and strengthening their data privacy and security laws.  Meanwhile, California remains at the forefront of the development of privacy-related laws.

Protections for Social Security Numbers

AB 1710 amends Cal. Civil Code 1798.85 to increase protection of an individual’s social security number by prohibiting the sale, advertisement for sale, or offer to sell an individual’s social security number with limited exceptions.  For example, an exception to AB 1710 includes the release of an individual’s social security number, if the release is incidental to a larger transaction and is necessary to identify the individual in order to accomplish a legitimate business purpose.

Identity Theft Prevention and Mitigation

Cal. Civil Code 1798.82 currently requires entities that own or license certain personal information to notify individuals whose personal information has been involved in a data breach. The new law requires that if any identity theft prevention and mitigation services are provided, the data breach notification must inform the affected persons that the services will be provided for at least 12 months and at no cost, and must include information on how to obtain those services.1   The addition of “if any” is an important one and one we have seen misreported.  Some have suggested that this law is the first law to require credit monitoring – or similar services – to be provided if certain data elements were present.  This is not the case.  The provision of credit monitoring remains optional – albeit a best practice and one often “required” by state attorneys general – and if offered, then certain instructions need to be provided, as is typically the case.2

Maintenance of Personal Information

Under Cal. Civil Code 1798.81.5, California currently requires businesses that own or license personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information and to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

AB 1710 expands the existing law, now also requiring businesses that merely “maintain” a resident’s personal information (for example, a service provider processing it on behalf of the owner) to implement reasonable security procedures and practices to protect that personal information.3

Footnotes

1 An earlier version of the bill, amended on March 28, 2014, read, “[i]f the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, such as credit monitoring, shall be provided at no cost to the affected person for not less than 24 months…” The final version of the bill added the critical “if any” language, removed the reference to credit monitoring, and shortened the time period to 12 months.

2 That said, we note the ambiguity for the words “if any,” and whether they refer to the availability of credit monitoring services in the marketplace or to whether the business has chosen to offer it.  Additionally, the bill’s co-author, Assemblyman Roger Dickinson, stated his view in a recent interview with Law360 that the offer to provide credit monitoring services is mandatory when a driver’s license number or social security number was breached.

3 Under Cal. Civil Code 1798.81.5, “Personal Information” means an individual’s first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted: (a) Social security number; (b) Driver’s license number or California identification card number; (c) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account; and (d) Medical information.

Cross-Border Data Transfers: Cutting Through The Complexity

Editor’s Note: We recently launched a graphic illustrating our Cyber Risk Mitigation Services. This week, our attorneys will be writing about specific examples of those services.

With the rise of the global economy and the reach of the Internet, many businesses now have customers and data from around the world, if not offices and employees in numerous countries. But when marketing or HR asks for data pertaining to global customers or employees to be sent to the home office, this can raise complex cross-border data-transfer issues and the specter of a patchwork of privacy laws applicable to personal information. These laws can pose myriad and sometimes conflicting obligations for a multinational enterprise or any business with global reach. Our attorneys are experienced at guiding our clients through this global labyrinth.

For example, some countries have no general data protection framework in place, but perhaps have sector-specific laws or regulations applicable to cross-border data transfers. Other countries use vague language, such as requiring that the recipient country (the country where the data is to be transferred) have a “sufficient” or “comparable” level of protection in place for data containing personal information. In other countries, such as South Korea, the transfer of personal data may require the prior consent of the data subject. India combines the two approaches, so that data can be transferred only if the recipient adheres to the same level of data protection as the transferor entity and the data subject consents to the transfer.

The European Economic Area (EEA), which includes the 28 EU Member States plus Iceland, Liechtenstein and Norway, has established a framework applicable to cross-border data transfers. Unfortunately, this doesn’t remove complexity from the legal landscape. Generally, under Data Protection Directive 95/46/EC (the DPD), personal data may be transferred outside the EEA only when the recipient country provides an “adequate level of protection” for the data. The European Commission maintains a list of countries that are deemed to provide adequate protection for the processing of data subjects’ personal information, so data transfers from the EEA/EU are allowed to those nations. Presently, there are only a handful of countries on the list, including Argentina, Canada, Israel, New Zealand, Switzerland and Uruguay.

Notably, the United States is not on the list. However, a U.S. business can instead self-certify with the U.S.-EU Safe Harbor program and therefore meet the “adequacy” standard for privacy protection. Organizations that participate in the Safe Harbor program must annually self-certify with the U.S. Department of Commerce in writing that they agree to adhere to the U.S.-EU Safe Harbor Framework’s requirements, which includes seven privacy principles such as notice, choice, security, access and enforcement. They must also state in their published privacy policy statement that they adhere to the Safe Harbor Privacy Principles.

In addition to the Safe Harbor program, other mechanisms are available to demonstrate that adequate safeguards are in place for data transfers from the EEA/EU. These options, such as Binding Corporate Rules (BCRs) and standard contractual clauses (also known as model contract clauses), may be useful in the context of transferring data from the EEA/EU to countries other than the U.S.

In light of the scope and reach of the various rules and regulations, cross-border data transfer issues can arise under various circumstances. These can include preparing global employee privacy policies, implementing a new global HR system, selling to customers overseas, hiring employees from around the globe and, of course, transferring data between office locations.

Your organization may be unsure which regulations apply or how to ensure compliance. The Privacy and Data Protection team at BakerHostetler can proactively guide you through these issues. For instance, if you are considering consolidating customer data or HR data from offices outside the U.S., we can assess whether Safe Harbor certification, BCRs or model contracts make the most sense for your company.

We can also help companies (1) determine eligibility for participation in the U.S.-EU Safe Harbor program; (2) create or modify privacy notices and internal privacy policies to conform to the seven Safe Harbor Privacy Principles; (3) establish an independent recourse mechanism to investigate unresolved complaints relating to personal information; (4) ensure that procedures are in place for compliance with the Safe Harbor program (by using a self-assessment or an outside/third-party assessment program); and (5) self-certify annually with the Department of Commerce.

In addition, our team can work with clients in drafting policies that may invoke cross-border transfer issues, such as employee personal information privacy policies. Such policies should include the circumstances under which the employer will process personal data, including the transfer of data to third parties.

Accordingly, whether your organization processes, controls or maintains personal data in Europe, Asia or elsewhere, the regulatory landscape can be complex and constantly changing. No matter where your company does business, we can assist with navigating the murky waters of cross-border data transfers and provide expert guidance on the applicable privacy laws and regulations.

Data Security Risk Assessments

Editor’s Note: We recently launched a graphic illustrating our Cyber Risk Mitigation Services. This week, our attorneys will be writing about specific examples of those services.

BakerHostetler lawyers have helped hundreds of businesses and other organizations respond to security incidents each year, many of which lead to regulatory investigations, class action lawsuits, or both. We see hundreds of examples of what went wrong and how regulators and plaintiffs’ attorneys react. Increasingly, as clients recognize the likelihood that they will face an incident, they seek to leverage our security incident response experience to help develop a strategic and focused approach for managing their risks and vulnerabilities. Our risk assessment team, which includes lawyers with Certified Information System Security Professional (CISSP) credentials, works to develop efficient and cost-effective plans to help organizations improve their chances of avoiding data breaches and be better prepared to more quickly detect and contain them if they do occur. We have developed solutions that range from immediate assessments and remediation to phased approaches that incrementally improve a company’s risk profile in a budget-conscious way.

How Should Risk Assessments Be Conducted?

Employing industry standards to determine how data security measures can be strengthened, such as ISO 27001-27002 and NIST SP 800-53, is critical. We then use our insight into how regulators will evaluate a company after a breach occurs and what other organizations are doing to protect their data to help prioritize remediation efforts. As part of this process, we interview key managers and review written information security policies and procedures to ensure they address critical issues that are important to regulators. We team with technical consultants to scan organizations’ computer networks to identify vulnerabilities, such as unpatched software and software configuration errors, which can provide access points for attackers.

Every risk assessment should consider these issues: 

  •  Workstation, laptop, and mobile device security;
  •  Network security;
  •  Security personnel responsibilities and authority;
  •  Access control measures;
  •  Outside service providers’ security measures and commitments;
  •  Secure system planning, acquisition, development, and maintenance;
  •  Data security incident management; and
  •  Security awareness training.

What Deliverables Should Companies Seek?

The deliverables ultimately depend on the purpose of the risk assessment. Is the purpose of the assessment to comply with a law or regulation? Or is it to identify vulnerabilities that can then be corrected to obtain a “clean bill of health”? We prepare executive briefings that summarize our findings and recommendations, which are followed by more detailed reports that include the observations that provide the bases for our conclusions. A benefit of using a law firm is that our recommendations are subject to attorney-client privilege. We provide in-depth vulnerability scan reports that list network and endpoint vulnerabilities and prioritize those vulnerabilities according to the severity of the risks they present. We identify immediate steps organizations can take to eliminate easy-to-fix security flaws. We provide prioritized recommendations for additional changes that should be made and help put in place a risk mitigation plan, which is just as critical as the risk assessment itself. We estimate both the initial and ongoing costs of the changes we recommend.

We identify security measures that regulators consider fundamental and whose absence will result in an investigation if a security incident occurs due to an organization’s failure to implement them. We encourage organizations to appropriately prioritize the security tools and practices the Federal Trade Commission (FTC) has identified through more than 50 enforcement actions as required elements of a reasonable security program, such as: user authentication, access control measures, encryption, intrusion detection monitoring, software updating and patching, security education and awareness training, secure data retention and disposal, management of third-party service providers, and incident response preparedness.

We recognize that deploying measures to meet FTC “hot button” issues and implementing other basic security measures are necessary but insufficient. We also understand that “best practices” standards, including SANS Top 20, NIST SP 800-53, and ISO 27001-27002, are expensive to satisfy completely. Flexibility in approach, therefore, is key. For organizations that strive to implement best-available security practices, we may recommend that they continue to use standard security measures but that they also implement network security monitoring to defeat any attackers who gain access to their networks.

How Organizations Benefit

Chief Information Officers and security managers can use our findings and recommendations to better protect sensitive information. If the measures we recommend are implemented, they should reduce the risk that organizations will experience a data breach and the regulatory, litigation, financial, and reputational harms such breaches cause. Our suggestions regarding incident response procedures help organizations respond more quickly and effectively when data breaches occur. Our prioritized recommendations and cost estimates help organizations plan longer-term steps to continue to improve information security and to show that the company took a thoughtful approach to managing its risks.

CFTC Chairman Provides Guidance On Cybersecurity

On November 5, 2014, the Chairman of the Commodity Futures Trading Commission, Timothy G. Massad, gave keynote remarks at the Futures Industry Association Expo 2014.

Part of Chairman Massad’s remarks focused on the importance and oversight of cybersecurity and business continuity disaster recovery for the financial institutions, exchanges, and markets that the Commission regulates. Specifically, Chairman Massad discussed the fact that the Commission’s system safeguards require that the entities the Commission regulates have four important components:

  1. A program of risk analysis and oversight to identify and minimize sources of cyber and operational risk;
  2. Automated systems that are reliable, secure, and have adequate scalable capacity;
  3. Emergency procedures, backup facilities, and a business continuity disaster recovery plan; and
  4. Regular, objective, independent testing to verify that the system safeguards program is sufficient to fulfill its regulatory responsibilities.

In addition, Chairman Massad explained that the entities the Commission regulates must have a risk management program that addresses the following key elements: information security, systems development, quality assurance, and governance. Clearinghouses and exchanges must notify the Commission promptly of certain incidents and must have recovery procedures in place. For example, systemically important clearinghouses must be able to resume operations within two hours.

Finally, Chairman Massad provided guidance on the key areas that the Commission is focused on:

  • Governance – Is the board paying sufficient attention to cybersecurity and taking appropriate steps? Does the board have the expertise — and does it devote the time — to do so? Is it setting the right tone as to the importance of these issues? The same questions apply, needless to say, to top management.
  • Resources – Are sufficient resources and capabilities being devoted to monitor and control cyber-related risks across all levels of the organization?
  • Policies and Procedures – Are adequate plans and policies in place to address information security, physical security, system operations, and other critical areas? And is the regulated entity actually following its plans and policies and considering how plans and policies may need to be amended from time to time in light of technological, market, or other security developments?
  • Vigilance and Responsiveness to Identified Weaknesses and Problems – If a weakness or deficiency is identified, does the regulated entity take prompt and thorough action to address it? Does it not only fix the immediate problem but also examine the root causes of the deficiency?

Chairman Massad concluded his remarks by noting that enforcement and compliance are a priority for the Commission.

Regulators are continuing to increase their focus on whether directors and executive officers are appropriately engaged in overseeing cybersecurity preparedness. While the board or CEO is not expected to configure the firewall, they should be able to ask appropriate questions to ensure that the right people, processes, and technology are in place and that the company is continuously analyzing threats and risks and adjusting accordingly. Further, they should ensure that the company is preparing to respond in the event of an incident and evaluating ways to appropriately shift liability for financial consequences through insurance products and contracts.