Blumenthal Bill Bumps Up Big Fines for Data Thefts and Security Breaches
Late last week Senator Richard Blumenthal (D-CT) introduced a one-hundred-page bill, dubbed the Personal Data Protection and Breach Accountability Act of 2011, S.1535 (the “PDPBA Act”), which was referred to the Senate Judiciary Committee. If ultimately passed, the bill would levy significant penalties for identity theft and other “violations of data privacy and security,” criminalize as felonies the installation of software that collects “sensitive personally identifiable information” without clear and conspicuous notice and consent, and require companies collecting or storing online data of more than 10,000 individuals to adhere to data storage guidelines to be enacted by the FTC via its Title 5 rulemaking authority, including a mandate to audit the information security practices of contractors and third-party business entities. Notably, the PDPBA Act provides for enforcement by the United States Attorney General, by State Attorneys General, and by individuals via a private right of action that allows for civil penalties of up to $10,000 per violation per day per individual, up to a maximum of $20,000,000 per violation.
The PDPBA Act’s findings section notes in support that “over 9,300,000 individuals were victims of identity theft in America last year” and “over 22,960,000 cases of data breaches involving personally identifiable information were reported through July of 2011, and in 2009 through 2010, over 230,900,000 cases of personal data breaches were reported.”
The complicated technology and legal landscape subject to the Act is plainly evidenced by the numerous carveouts and exceptions, including express carveouts for financial institutions subject to the Gramm-Leach-Bliley Act (“GLBA”), HIPAA-regulated entities and public records. With no co-sponsors at present, the PDPBA Act joins the crowded landscape of data security, privacy and other such bills that have been introduced in 2011 and which we've covered previously in detail.
While we'll keep an eye on Senator Blumenthal's latest bill as it progresses through the long legislative process, some notable provisions in brief include:
- The requirement that "business entities", as defined, shall "on a regular basis monitor, evaluate, and adjust, as appropriate its data privacy and security program" in response to changes in technology, threats, PII retained, and "changing business arrangements";
- A duty to vet subcontractors not otherwise subject to the Act and to impose by contract appropriate obligations regarding data handling, security and safeguarding;
- Steps by business entities to conduct employee training regarding data security programs;
- Imposition of regular vulnerability testing by business entities subject to the Act;
- Comprehensive requirements concerning risk assessment, management and control in the area of data privacy and security;
- The implementation within one year of enactment of "a comprehensive personal data privacy and security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the business entity and the nature and scope of its activities";
- Civil penalties of from $5,000 to $10,000 per day per violation, depending on who is seeking enforcement, as well as potential punitive damages and equitable relief, "up to a maximum of $20,000,000 per violation" for each individual;
- Criminal penalties of up to 5 years imprisonment for those who:
  - "intentionally or willfully conceals the fact of [a] security breach and which breach causes economic damage or substantial emotional distress to 1 or more persons," or
  - "engages in a pattern or practice of activity that violates [Section 105, Unauthorized Installation of Personal Information Collection Features on a User's Computer]," or
  - sends a notification of a breach of security that "is false or intentionally misleading in order to obtain sensitive personally identifiable information in an effort to defraud an individual";
- Required notice, as specified in the Act, "without unreasonable delay" to individuals in the event of any data breach involving sensitive PII, as well as notice of the data breach to the owner or licensee of the data, if applicable, after a risk assessment concludes that there is a significant risk of harm to the affected individual(s);
- Two years of free credit reports on a quarterly basis, and credit monitoring, including a security freeze at no cost to the affected individuals, in the event notice is required;
- Notice to the FBI, Secret Service and credit reporting agencies in the event of a breach affecting more than 5,000 individuals;
- The maintenance by the Attorney General of a "Post-Breach Technical Information Clearinghouse"; and
- The requirement that all federal contracts with "data brokers" in excess of $500,000 are to be evaluated by the GSA with regards to the data privacy and security program, program compliance, and other factors.
Needless to say, the PDPBA Act covers a great deal of ground and we will continue to monitor progress of the bill and provide timely alerts on new developments.
Cookie-Cutter: UK Announces New Rules for Website Cookies
The United Kingdom Information Commissioner’s Office (ICO), which oversees compliance with privacy laws, announced this week new rules governing the use of website “cookies” that will come into effect on May 26, 2011, possibly following an as-yet unidentified grace period. The new rules will effectively require opt-in consent to use most kinds of cookies, and they will be particularly difficult to manage in the context of third-party cookies such as those employed by advertisers and advertising networks.
Since the new British rules are meant to implement amendments to the European Union’s ePrivacy Directive, this is an issue that will have to be addressed across Europe and is likely to impact any website aimed at a European market.
Cookies Everywhere
“Cookies,” small text files that a website automatically places on a visitor’s computer when the website is loaded, are ubiquitous on the Web. Session cookies track a user’s activity from page to page during a session, so that the user does not have to re-enter information or selections. Authentication cookies store logon credentials so that the user does not have to log on again after navigating to another website. Persistent cookies store user preferences for each successive visit to the website.
Tracking cookies may be used to collect analytic data on how an individual website is used, and some kinds of tracking cookies record the user’s activity across websites – which is more controversial from a privacy perspective. For example, “conversion tracking cookies” allow an advertiser to determine whether a user who clicks on a third-party advertising link ends up making an online purchase from the advertiser. Some behavioral marketing programs use cookies to collect information about the pages and sites visited by a consumer so that a profile can be constructed for targeted marketing purposes. Google Analytics uses cookies to create statistical reports for advertisers and website operators, without identifying the individual users other than by IP address.
The ePrivacy Directive
The European Union’s Privacy and Electronic Communications Directive (the “ePrivacy Directive”) essentially required transparency concerning cookies. Website visitors were to be informed about the website operator’s practices and available options to refuse or delete cookies. This has been the standard for website operators and advertisers since 2002.
In November 2009, the ePrivacy Directive was modified by amendments that included a revised Article 5(3) emphasizing the need for informed consent:
Member States shall ensure that the storing of or access to information already stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information in accordance with Directive 95/46/EC [the EU Data Protection Directive], inter alia about the purposes of the processing.
There is an exception for storage or access that is “strictly necessary” to provide an explicitly requested service.
The UK Response
Member States were required to transpose the amendments into national law within 18 months. This explains the timing for the revision of Regulation 6 of the UK Privacy and Electronic Communications Regulations 2003 (“PERC”), which will require after May 25 that the user “has given his or her consent” to storing or accessing information on the user’s equipment.
ICO’s announcement this week concerning the rule change raises as many questions as it answers, and the announcement itself states that ICO will issue separate guidance on how it intends to enforce PERC with respect to cookies.
Key Issues
- ICO expects that the more intrusive cookies (such as those that create profiles of users, especially across multiple websites) will require more explanation and well-documented consent. Conversion tracking and behavioral marketing uses of cookies are clearly in the crosshairs.
- The recitals to the amended ePrivacy Directive discuss the possibility of relying on the user’s browser settings to accept or reject cookies. ICO rejects this as a current solution, however, given the variety of browsers and settings in use, their unfamiliarity to many users, and the increasing use of mobile devices to access websites.
- ICO mentions several other possible ways of informing users about cookies and obtaining consent, such as highlighted or scrolling headers, footers, or splash screens; disclosures on pages requesting personal information or offering particular downloads such as videos; website terms and conditions or pop-ups that require a user to click “I agree” before proceeding; website “settings” that could be selected by a user once and then remembered (presumably using a cookie) for subsequent visits.
- ICO frankly acknowledges that third-party cookies may present the most challenging compliance issues and simply concludes that “everyone has a part to play in making sure that the user is aware of what is being collected and by whom.” An ICO spokesperson mentioned the possibility of establishing advertising network policies and procedures that could be viewed (and consented to?) by clicking on an icon displayed with banner ads and other advertising links.
- ICO says the exception for “strictly necessary” cookies will be interpreted narrowly. It gives one potential example: cookies used to keep track of a user’s purchases in a “shopping basket” until the user is ready to “check out” and pay for the purchases. ICO advises that it would not be acceptable to use cookies without consent simply to make the presentation of the website more attractive or collect statistics about the use of the website.
Implications for Website Operators
- Websites hosted in Europe are clearly subject to the new rules as they are implemented in each country this year. Data protection authorities and courts in some European countries may also assert that websites hosted elsewhere but targeting European residents should conform to the new cookie rules. When a company offers a UK or EU version of a website, for example, it may be required (or at least expected by users) to follow the EU rules.
- The trend toward requiring fuller disclosure and explicit consent, especially for behavioral tracking, is likely to be seen in the US as well, as suggested by the Federal Trade Commission’s December 2010 report on consumer privacy.
- Website operators should stay abreast of official interpretations and enforcement policies, such as those promised by ICO, that may offer more detailed guidance on cookie notices and consent mechanisms.
- It’s a good time to inventory your organization’s cookie practices, make sure they are fully disclosed in website privacy policies, and consider how to operationalize express consent requirements in Europe. Watch how popular commercial websites in the UK adapt to the new rules. (Right now, even the privacy policy on ICO's website would be inadequate!)
- Contracts with third-party advertisers, advertising networks, providers of website and browsing statistics, and business partners involved in co-branded websites should clearly delineate who is responsible for providing cookie notices and obtaining (and preserving evidence of) consent where required.
Tel-Aviv District Court Finds No "Right to Forget"
As reported by Dan Or-Hof, Manager of the Information Technology, Internet and Copyright group at the Israeli law firm of Pearl Cohen Zedek & Latzer, in a first-of-its-kind decision, the Tel-Aviv district court ruled on November 30, 2010 that a subscriber of cellular services does not have a general right to have his phone records deleted.
Cellular providers maintain and store, as a general practice, a record of the calls made by their subscribers. The phone records include lists of phone numbers called, received calls, call durations, and call dates and times.
The right to privacy is a fundamental (semi-constitutional) right under Israel's Freedom and Human Dignity Basic Law. In addition, the Privacy Protection Act sets a balance between the right to privacy and other rights and legitimate interests and regulates data protection. The Act provides, in relevant part, that a person may use data stored in a database the person owns only if (i) the database is lawfully registered and (ii) any use of the data is consistent with the database’s registered purposes.
The plaintiff, Amir Liran, a subscriber of two cellular providers (Pelephone and Partner), filed a civil action against the providers on the grounds that they unlawfully retained his phone records for periods of 8 to 10 years, respectively.
The plaintiff argued that cellular providers store phone records for billing purposes only, and as soon as a subscriber pays for the calls he made, the relevant phone records should not be retained. The plaintiff petitioned for the permanent deletion of his phone records.
The defendants countered that they need to retain phone records for lawful business purposes, including for settling accounts with third parties (such as interconnection cross-payments), internal audits, tax filings, future litigation and mandatory reports to the ministry of communications.
Defendants further pointed out their obligation to provide information to law enforcement agencies for investigatory purposes, counter-terrorism and locating missing persons.
The Attorney General, who joined the proceedings, argued that as long as records are kept for legitimate purposes and maintained with an appropriate level of security, there are no grounds for ordering defendants to delete the records. The AG further argued that retaining phone records serves public interest, as it is often required to investigate and to prevent unlawful activities.
The court viewed phone records retention as a potential threat to an individual’s privacy. The court found, however, that data retention has advantages and benefits as well. For example, it allows the subscriber easy access to his records and enhances his ability to monitor the services he uses. Data retention also allows better review of customers’ complaints, and increases consumers’ ability to file class actions. The court also found that the retention of subscriber data provides factual basis and findings for studying trends in the use of cellular services and supports law enforcement activities.
The court ruled that plaintiff did not prove, or even argue, that defendants used the records in a manner inconsistent with the registered purposes of their databases in violation of the Privacy Protection Act. In light of the above findings and the benefits of records retention, the court dismissed the complaint.
Notably, in its ruling, the court made clear that the scope and duration of data retention is a matter that requires separate review. Thus, the court’s decision may serve as a starting point for a meaningful discussion of the rationale and justification for data retention and the need to balance data retention with the right to privacy and self-autonomy.
The case is CP 1994-06 Amir Liran v. Pelephone Communications Ltd. and Partner Communications Ltd., delivered by the Tel-Aviv District Court on November 30, 2010.
Mexico's New Data Protection Law
Mexico has joined the ranks of more than 50 countries that have enacted omnibus data privacy laws covering the private sector. The new Federal Law on the Protection of Personal Data Held by Private Parties (Ley federal de protección de datos personales en posesión de los particulares) (the “Law”) was published on July 5, 2010 and took effect on July 6. IAPP has released an unofficial English translation. The Law will have an impact on the many US-based companies that operate or advertise in Mexico, as well as those that use Spanish-language call centers and other support services located in Mexico.
Like the EU Data Protection Directive and the Canadian federal PIPEDA legislation, Mexico’s data protection statute requires a lawful basis, such as consent or legal obligation, for collecting, processing, using, and disclosing personally identifiable information. There is no requirement to notify processing activities to a government body, as in many European countries, but companies handling personal data must furnish notice to the affected persons. Individuals have rights of access, correction, and objection (on “legitimate grounds”) to processing or disclosure. In the event of a security breach that would significantly affect individuals, those persons must be promptly notified. The Law also addresses data transfers, both within and outside Mexico.
A federal agency, the Institute for Access to Information and Data Protection (IFAI), will provide interpretive guidance and supervise compliance with the new law. IFAI will investigate complaints and inquiries and may launch investigations on its own initiative. In addition to administrative sanctions including warnings and fines, the law contemplates criminal prosecution of violators, with more substantial fines and the possibility of imprisonment for those responsible for a security breach or for fraudulent or deceptive collection and use of personal data.
The Law regulates private parties that “process” personally identified or identifiable data, with exceptions for credit reporting agencies (which are already covered by separate legislation) and individuals recording data exclusively for personal use. Definitions largely track those of the EU Data Protection Directive, including a very broad definition of “processing” that includes any collection, use, storage, or disclosure of data. The Law also uses the concepts of “data controller” and “data processor” as found in the EU Directive, respectively signifying entities that decide to process personal data and entities that carry out processing on their behalf.
The Law departs from the EU Directive, however, in reflecting the habeas data concept found in several Latin American constitutions and statutes: the individual to whom personal data relates is treated as the “data owner.” The individual’s legal rights derive largely from this concept of ownership and the associated right to control whether and how personal data is used.
“Sensitive data” gets some additional protections under the Law, as it does in Europe. As defined in the Law, sensitive data denotes information that touches on the most intimate aspects of a person’s life or involves a serious risk of discrimination. This includes but is not limited to “special categories” of data listed in the EU Directive: race or ethnicity, health, sexual preference, religious or philosophical beliefs, political views, and trade union membership. The Mexican law expressly adds genetic data to this list but does not include special treatment for criminal records as the EU Directive does.
The Law incorporates eight general principles that data controllers must follow in handling personal data: legality, consent, notice, quality, purpose limitation, fidelity, proportionality, and accountability. The Law also addresses data retention: personal data must be deleted when no longer necessary for the purposes set out in the privacy notice and applicable law.
Notice and Consent
Data controllers must furnish a privacy notice indicating what data is collected and for what purposes. If the data is collected directly from the individual, the privacy notice must be delivered at the same time (if not earlier) and in the same format. If the data is collected electronically, however, the data controller can choose to give only the identity and purposes of collection and a mechanism for obtaining the full privacy notice. Where the data has not been collected directly from the individual, the data controller must still provide a privacy notice and notification of changes in the privacy notice.
Data controllers can request authorization from IFAI to forgo some or all of the notice requirements where, for example, the data collection is old or the cost of providing notice would be disproportionate.
The privacy notice must include the identity of the data controller, the purposes of processing, the individual’s options for limiting use or disclosure of the data, the procedures for access and correction by the individual, any contemplated transfers of the data, and procedures for notifying individuals about any subsequent changes in the privacy notice. The notice must expressly state if it concerns any sensitive data.
Consent usually can be tacit (opt-out) so long as there is sufficient notice. However, processing sensitive data or information about personal finances and assets requires express consent (opt-in); this must be recorded in writing (or electronically with authentication) in the case of sensitive data.
Consent is not required if
• the data controller is legally obliged to process the information
• the data is publicly available
• the data has been anonymized
• the data is necessary to fulfill obligations under a legal relationship between the data controller and the individual (such as employment or payment processing)
• there is an emergency that could harm the individual
• a health care professional needs the data to provide medical attention and the individual cannot give consent
• a competent government body issues a resolution waiving the consent requirement.
Security and Breach Notice
Data controllers are responsible for maintaining physical, technical, and administrative security measures to protect personal data from loss, alteration, and unauthorized disclosure or use. The measures must at least equal those taken to protect the data controller’s own information. Potential harm, the likelihood of security breaches, the sensitivity of the data, and technological developments are all to be taken into account in crafting appropriate security measures.
Security breaches that “materially” affect property or personal rights must be reported immediately to the affected individuals.
Data Transfers
Transferring personal data to a third party (other than for processing on behalf of the data controller) will typically require an agreement that the transferee will assume the same obligations as found in the privacy notice provided by the transferor. A data transfer requires the consent of the individual except where the transfer
• is pursuant to a law or treaty
• is necessary for medical purposes
• is made to a parent company or affiliate “operating under the same internal processes and policies” (Art. 37 (III))
• is necessary to fulfill a contract in the interest of the individual
• is necessary or legally required to protect a public interest or in the administration of justice
• is necessary to exercise a judicial claim or defense
• is necessary to maintain a legal relationship between the data controller and the individual.
The Law does not establish a formal procedure for approval of foreign data transfers. It appears that data controllers should be able to move data within a corporate group without individual consent, inside and outside Mexico, so long as the parent or affiliate does not handle the data in a manner contrary to the privacy notice furnished by the affiliate in Mexico.
Impact on US Companies
Many US companies have subsidiaries or distributors in Mexico, and data concerning Mexican employees, customers, and business contacts is often transferred to the US company for recordkeeping, contract fulfillment, business planning, market analysis, and other management purposes. Privacy notices in Mexico should mention these purposes and transfers, and the Mexican company may need to obtain opt-in consent in the case of sensitive and financial information. The US company must then handle data consistently with the privacy notice delivered by the Mexican affiliate or distributor, to avoid creating problems for the Mexican firm. For unrelated companies, data transfers should be covered by contractual terms that specify the relevant restrictions and provide for notice to the individuals unless an exception applies.
US companies also often contract with Mexican firms for Spanish-language call centers, customer support services, or outsourced data processing. Once customer data is processed by the Mexican company, it is subject to the Law, regardless of the location of the customers. US companies using such services in Mexico may expect that their vendors will increasingly refer in contracts to their own obligations under the Law and may require cooperation from the US companies in responding to privacy-related complaints and security breaches in Mexico.
Corporate groups operating in Mexico or using data-centric services in Mexico will need to stay abreast of IFAI decisions and changing business practices resulting from the new Law.