Russia Amends Federal Data Protection Law; Privacy Enforcement on the Rise

Last week, the upper house of Russia's federal legislature approved amendments to the country's federal data protection law. The amendments impose detailed information security requirements on businesses that process personal data and revise some of the statute's data subject consent provisions. The amended law will come into force when it is published in the official newsletter.

Russia originally enacted a comprehensive federal data protection law in 2006, but the statute has faced major headwinds. While the law is similar in its approach to the EU Data Protection Directive 95/46/EC, it is much more restrictive regarding personal data processing. After several delays, the law came into effect on July 1, 2011. Commentators, however, continue to view the law unfavorably, arguing that it is unworkable.

The amended security provisions include the requirements to:

  • Conduct an assessment of threats to the safety of personal data and the effectiveness of the measures that the business has in place to safeguard personal data;
  • Employ only verified methods of protecting personal data;
  • Implement controls for access to personal data;
  • Log all actions taken with respect to personal data;
  • Detect and record incidents of unauthorized access to personal data; and
  • Implement measures to restore information that is lost, destroyed or damaged as a result of an information security breach.

The amended law directs the government to develop regulations that will set forth appropriate levels of information security protections. The regulations will also establish the security requirements for processing biometric data.

The federal law's privacy provisions were amended to allow individuals to consent to the processing of their personal data through a representative. When this occurs, the recipient of the consent will need to verify the consent. Similarly, businesses will be able to obtain personal data from third parties on the condition that they verify that the third party had a valid basis for obtaining and sharing the information.

While the privacy enforcement picture in Russia has been murky at best, the country's data protection authority -- the federal agency for oversight of communications, information technology and mass media (in Russian, "Роскомнадзор") -- has shown strong interest in privacy enforcement. It is being reported this week that the agency is investigating the circumstances surrounding the exposure on the web of mobile text messages from the customers of the Russian carrier Megafon. Initial investigation suggests that an error on the carrier's website made the messages publicly accessible. The data protection agency stated that it is investigating whether the incident violated the federal data protection law.

InfoLawGroup Says:

With privacy enforcement on the rise throughout the world, businesses should be prepared to review and adjust as necessary their privacy and data security practices in the markets in which they operate. In the past, some of the strict foreign data protection laws have not been rigorously enforced, giving businesses breathing room. The enforcement landscape is likely to tighten in the near future, however, increasing the risk of investigations and sanctions for privacy violations.

Senate Subcommittee Holds Hearing on Mobile Privacy

On May 10, 2011 the Senate Judiciary Subcommittee on Privacy, Technology and the Law held a hearing entitled Protecting Mobile Privacy: Your Smartphone, Tablets, Cell Phones and Your Privacy. The hearing focused on the privacy concerns raised by mobile devices, location-based mobile services, and check-in applications.

Senator Leahy opened the hearing, reflecting on the benefits of mobile devices, apps, and social networks, as well as the risks these new technologies pose to consumer privacy. Leahy expressed that he is “deeply concerned” that smartphones may be tracking and storing data without users’ consent, that sensitive user data may be maintained by providers in unencrypted formats, and that companies are involved in the sale of location data without consumer knowledge resulting in the receipt of unsolicited ads by third parties.

Subcommittee Chairman Al Franken’s opening remarks focused on the increasing number of entities whose business model is to collect and maintain information on consumers under consumers’ radar. Franken noted the many benefits of location-based services, making a point to emphasize that “the existence of this business model is not a bad thing.” “The answer is not ending location-based services,” Franken said, “what today is about is trying to find a balance” between the benefits of these services and the public’s right to privacy.

The first panel of testifying witnesses consisted of two government representatives from their respective agencies. Here are some highlights from their testimony:

Jessica Rich, Deputy Director, Bureau of Consumer Protection, FTC

  • The rapid growth of mobile products and services raises several concerns: mobile devices are always on and always with the consumer, mobile devices contain information that is highly personal in nature, and companies have the ability to track consumers who use mobile devices, including children and teens.
  • The FTC has called on the industry to develop simplified disclosures embedded in each mobile interaction so that consumers know when and how their data is being used, rather than rely on privacy policies that are difficult to access using a mobile device.
  • Companies should implement privacy by design principles in the development of their products and services, making it easier for consumers to understand and choose how their data is used.

Jason Weinstein, Deputy Assistant Attorney General, Criminal Division, DOJ

  • Three major threats mobile devices pose to consumers include (1) cyber criminals such as identity thieves, stalkers, and hackers who access and exploit information without authorization; (2) the collection and disclosure of location data by service providers themselves - including app providers; and (3) the use of mobile devices by criminals to facilitate their own crimes.
  • While the ECPA restricts providers from sharing location data with the government, it does not restrict them from sharing such information with other private entities.
  • Companies are not currently required to retain the data they collect, which impedes the DOJ’s ability to investigate and prosecute crimes.

The second panel consisted of five non-government witnesses – from privacy advocates to representatives from major mobile market players. Here are some highlights from their testimony:

Ashkan Soltani, Independent Researcher and Consultant

  • The most serious threat mobile devices pose today is that consumers are repeatedly surprised by the information mobile device platforms and apps are accessing.
  • Mobile devices and apps don’t only collect location data - they also transmit consumers’ phone numbers and information from their address books, text messages, contact lists, etc.

Justin Brookman, Director of the Project on Consumer Privacy, Center for Democracy and Technology

  • Only a patchwork of outdated and insufficient laws applies to mobile service providers, leaving consumers inadequately protected.
  • While companies can’t affirmatively lie about how they protect consumer data, they can decline to make any representations to consumers regarding their data privacy and security practices, thereby avoiding FTC enforcement.
  • The default rule for service providers is that they can disclose location data without notifying consumers and obtaining their consent. The only things providers can’t do are things the providers have promised they won’t do.

Guy L. "Bud" Tribble, Vice President of Software Technology, Apple Inc.

  • Apple does not track users’ locations and “has never done so,” nor do Apple devices transmit data back to Apple that is unique to any particular consumer.
  • Apple controls the apps available to consumers by contract – if apps don’t meet Apple’s privacy requirements then those apps are not made available in Apple’s app store.
  • Apple conducts “random audits” and “examines network traffic produced by applications” to ensure that available apps are properly protecting the privacy of Apple consumers.

Alan Davidson, Director of Public Policy, Americas, Google Inc.

  • Google makes location-based services opt-in only. If a consumer doesn’t opt-in, his or her mobile device will not transmit any location data back to Google.
  • Every third party app must notify users that the app will access location data and obtain the user’s consent before the app is installed on the user’s device.
  • Google believes in providing users with highly transparent information regarding its information practices, requiring opt-in consent before location data is collected, and implementing high security standards to anonymize data once it’s collected.

Jonathan Zuck, President, Association for Competitive Technology

  • Mobile apps are made predominantly by small businesses - to protect consumer privacy without unduly burdening innovation, concerns about privacy must be dealt with holistically rather than from a technology-specific perspective.

Chairman Franken closed the hearing by noting that current laws don’t provide consumers with sufficient privacy protections - legislation and agency enforcement hasn’t kept up with the pace of technology. Franken restated his belief that consumers have a “fundamental right” to know what personal information is collected about them, and when and with whom their information is shared. Franken noted that these rights are particularly important when sensitive information – data from mobile devices – is involved.

To view the hearing on the U.S. Senate Committee on the Judiciary website, click HERE.

Kerry Releases Draft of "Privacy Bill of Rights"

A week after the Senate held a hearing on the state of online consumer privacy, Senator John Kerry (D-Mass) has published a draft of the "Commercial Privacy Bill of Rights Act of 2011." The Act, co-sponsored by Senator John McCain (R-Ariz.), directs the FTC to make rules requiring certain entities that handle information covered by the Act to comply with a host of new requirements protecting the security of the information as well as the privacy of the individuals to whom information pertains. The Act aims to enhance individual privacy protections “in a balanced way that establishes clear, consistent rules,” and “will stimulate commerce by instilling greater consumer confidence at home and greater confidence abroad.” In this post, we take a look at the highlights of the Act.

Entities Covered by the Act. The Act defines “covered entities” as any person that collects, uses, transfers or maintains covered information concerning more than 5,000 individuals during any consecutive 12-month period and is subject to FTC jurisdiction, as well as telecommunication common carriers and non-profit organizations.

Information Protected Under the Act. The various provisions of the Act address “covered information” which includes personally identifiable information (“PII”), unique identifier information (“UII”), and any information that is collected, used, or maintained in connection with PII or UII that may be used to identify an individual. Some provisions require businesses to comply with specific obligations when dealing with “sensitive” PII, which is defined as PII which, if lost, compromised, or disclosed without authorization could “result in harm to an individual.”

Some information is always considered PII of the individual to whom it pertains, including:

  • First name (or initial) and last name;
  • Residential address;
  • E-mail address if it contains the individual’s name (the draft brackets indicate it is currently undecided whether that means the individual’s full name, legal name, maiden name, nickname, initials, or names embedded with other letters or characters such as Danny123@xyz.com);
  • Telephone or mobile device numbers other than those considered work contact numbers;
  • Social security numbers and other government-issued identification numbers;
  • Credit card numbers;
  • Unique persistent identifiers (including cookies, user IDs, processor serial numbers, or device serial numbers) if used to identify a specific individual; and
  • Biometric data, including fingerprints and retina scans.

If used, transferred, or maintained in connection with one or more pieces of PII listed above, the following information is also considered PII:

  • Birth date, birth or adoption certificate number, or place of birth;
  • Unique persistent identifiers (not limited to those used to identify a specific individual);
  • Precise geographic location; and
  • Any other information concerning an individual that may “reasonably be used to identify that individual.”

UII includes unique persistent identifiers other than those qualifying as PII, including “a customer number held in a cookie, user ID, processor serial number, or device serial number.”

Data Collection, Integrity and Retention Constraints. Covered entities may collect only as much covered information about an individual as is reasonably necessary to improve their services through research and development, provide services requested by or consented to by the individual, or to prevent fraud. Covered entities are required to establish procedures to ensure that the PII they maintain is accurate. The Act restricts the retention of covered information to a period only as long as necessary to provide a service or for a reasonable period of time if the service is ongoing.

Right to Notice. Covered entities must provide readily accessible notice regarding the collection and use of covered information, as well as notify individuals of any changes to the entity’s collection and use practices. The FTC will establish rules requiring a covered entity to provide individuals with a mechanism for opt-in consent for:

  • The collection, use, or transfer of an individual’s sensitive PII other than to process transactions or services requested by the individual, for fraud prevention and detection, or to provide for a secure environment;
  • The use or transfer of previously collected PII if there is a material change in the entity’s practices requiring notice to the individual; and
  • The transfer of PII, UII, and other covered information to third parties for an unauthorized use or public display.

The FTC’s rules will also require covered entities to offer individuals a mechanism for opt-out consent for any unauthorized use of their PII.

Right to Access. Covered entities are required to provide individuals reasonable access to their PII. If an individual terminates a service or relationship with the covered entity or if the entity enters bankruptcy, individuals are given the right to demand that PII be rendered not personally identifiable or if that is not possible, to cease its collection, use, transfer or maintenance.

Constraints on Transfers to and Use by Third Parties. The Act prohibits third parties from unauthorized use of PII for which opt-in consent is required, unless the individual is notified of and consents to the use. A “third party” is a person that is not related to the covered entity by common ownership or control nor contractually required to comply with the covered entity’s privacy policies, privacy controls, and any applicable confidentiality agreement.

A covered entity is required to provide notice to individuals if the entity intends to transfer covered information to third parties. If a third party receives covered information from a covered entity, the third party is treated as a covered entity under the Act unless the FTC decides otherwise. When a transfer occurs, the covered entity and third party must enter into a contract ensuring that "the third party will not combine information that is not personally identifiable ... with other information in order to identify individuals with that information." The concept of transfer is not limited to situations where active steps are undertaken by a covered entity – it includes the collection of the information by a third party through a covered entity’s website, mobile application, or other consumer interface. Transfers to "unreliable third parties" are prohibited.

Unauthorized Use. The term ‘‘unauthorized use’’ means the use of covered information for any purpose not authorized by the individual to whom the information pertains, other than use:

  • To process a transaction or service requested by that individual;
  • To operate the covered entity that is providing a transaction or service requested by that individual, such as inventory management, accounting, planning, product or service improvement or forecasting;
  • To prevent or detect fraud or to provide for a secure environment;
  • To investigate a possible crime or that is required by law or legal process;
  • To market or advertise to an individual from a covered entity if the personally identifiable information used for such marketing or advertising was collected directly by the covered entity;
  • Necessary for the improvement of the transaction or service through research and development; or
  • Necessary for internal operations, including collecting customer satisfaction surveys to improve customer service information as well as collection of website visit and click-through rates to improve site navigation.

Enforcement and Penalties. The FTC is granted enforcement authority and state attorneys general are given civil action authority to enforce the Act. The Act does not provide for a private right of action, which is likely to raise opposition from privacy advocates. Monetary penalties for violating the Act are stiff - a covered entity that knowingly or repeatedly violates the Act is liable for a civil penalty of $16,500 multiplied by the number of days of noncompliance. If a covered entity violates the Act and fails to obtain proper consent when required, the penalty is $16,500 multiplied by the number of days of noncompliance or the number of individuals whose consent was not obtained, whichever is greater. However, liability is capped at $2 or $3 million depending on the nature of the violation.

Effect on Other Laws. State laws are preempted by the Act, except those laws dealing with health or financial information or data breach notification.

Safe Harbor Programs. The Act requires the FTC to create requirements for “safe harbor programs.” The programs, administered by non-governmental organizations, will be designed to enable participants to implement the requirements of the Act, implement "comprehensive information privacy programs," and offer consumers a means to opt out if a participant transfers covered information to a third party for an unauthorized use. A covered entity that participates in such a program is exempt from the major provisions of the Act if, according to the FTC’s determination, the program obligates participants to comply with requirements that are substantially the same as, or more protective of privacy than, the provisions of the Act. The programs are to be supervised and enforced (with penalties) by the FTC.

With the exception of the FTC’s enforcement actions cracking down on unfair and deceptive practices, the government has favored industry self-regulation over privacy legislation. Between the new draft of the "Commercial Privacy Bill of Rights Act of 2011," three separate privacy bills pending in the House, and the Obama administration backing a “consumer privacy bill of rights,” it looks like change is in the air (and I’m not just saying that to be clever).

Support for Privacy Legislation Survives Change of Power in Congress; Privacy Legislation May Advance

Last week, Politico ran an interesting piece suggesting that federal privacy legislation may see the light of day in 2011. Democratic supporters of the legislation show no signs of slowing down. In the Senate, John Kerry (D-Mass.) is working on privacy legislation based on a bill he proposed last year. Senator Jay Rockefeller (D-W.Va.), Chairman of the Senate Commerce Committee, is planning to hold public hearings on Internet privacy starting in February. Of course the key to the success of federal privacy legislation lies in the House, and there Republicans have voiced support for a privacy bill as well. Rep. Cliff Stearns (R-Fla.), Chairman of the Subcommittee on Oversight and Investigations at the House Energy and Commerce Committee, has said that the privacy bill introduced last year by former representative Rick Boucher (D-Va.) could be revised and reintroduced with Republican support (Rep. Stearns co-sponsored the Boucher bill). This sentiment was echoed by Rep. Mary Bono Mack (R-Calif.), Chairwoman of the Subcommittee on Commerce, Manufacturing and Trade. According to Politico, Rep. Bono Mack informed her colleagues on the subcommittee that she remains committed to addressing privacy issues.

Inevitably, Republicans and Democrats are bound to disagree on many aspects of the legislation. For example, while Democrats have sought to expand the Federal Trade Commission’s privacy enforcement jurisdiction, Republicans are keen on keeping the regulators’ power in check. Both parties, however, will have to balance privacy protections against the ability of businesses that leverage personal information to grow and create jobs. Republican and Democratic legislators, as well as the administration, have made repeated pledges to their constituents that saving and creating jobs is their top priority.

Bipartisanship on privacy and information security issues is not unprecedented. Last year, for example, Republicans and Democrats joined in amending the Fair Credit Reporting Act to drastically limit the scope of the FTC’s Identity Theft Red Flags Rule. Whether the parties will in fact cooperate this year is an open question. Republican members of the House have made it clear that 2011 is likely to be a bruising legislative season.

Check back with us often as we track legal developments in the privacy and information security arena.

Please Tune In Monday, January 31, 2011

I hope you will tune in Monday, January 31, 2011, 8-9 am Pacific (11-12 Eastern), to Privacy Piracy, audio streaming on www.kuci.org (or locally in Southern California on KUCI 88.9 FM in Irvine, CA). Mari Frank will interview me about the following topics and more:

  • If an organization has the time and resources to do only one thing to improve its privacy and data security compliance programs in 2011, what should that one thing be?
  • What are the hottest topics in information law in 2011?
  • What can an organization using or considering using cloud services do today to protect itself?

European Commission Announces Strategy for Revising EU Data Protection Rules

Earlier today, the European Commission released documents setting out the road map for revision of the European data protection rules, including the EU Data Protection Directive 95/46/EC. The strategy is based on the Commission’s position that an individual’s ability to control his or her information, have access to the information, and modify or delete the information are “essential rights that have to be guaranteed in today’s digital world.” The Commission set out a strategy on how to protect personal data while reducing barriers for businesses and ensuring free flow of personal data within the European Union.

The goal in revising EU data protection rules (which also apply to members of the European Economic Area) is to facilitate the establishment of clear and consistent data protection requirements as well as to modernize Europe’s data protection laws to meet the challenges raised by new technologies (e.g., behavioral tracking) and globalization. Europe's data protection laws are currently based in large part on the 1995 EU Data Protection Directive.

The Commission’s announcement comes on the heels of the Data Protection Commissioners Conference in Jerusalem, during which many participants highlighted the need to bring data protection legislation up to date, and raised concerns about inconsistent and complex data protection requirements in various countries (including among EU member states).

The Commission’s strategy to revise data protection rules is based on the goals of:

  • Limiting the collection and use of personal data to the minimum necessary;
  • Transparency as to how, why, by whom and for how long personal data is collected and used;
  • Informed consent;
  • Right to be forgotten;
  • Reducing administrative compliance burdens on businesses;
  • Uniform implementation of data protection rules in EU member states;
  • Improving and streamlining procedures for data transfers outside the EU;
  • Cooperation with countries outside the EU and promotion of high standards of data protection at a global level;
  • Strengthening enforcement of data protection rules by harmonizing the role and power of national data protection authorities;
  • Facilitating consistent enforcement of data protection laws across the EU; and
  • Implementing coherent rules for the protection of personal data in the fields of police and criminal justice.

Notably, many of these goals were announced at the Jerusalem conference.

The Commission’s review will serve as the basis for further discussions of data protection rules and, ultimately, new legislation, which the Commission expects to propose in 2011.

Please see the Commission’s press release, FAQs, and the strategy document for more details. The Commission is encouraging organizations and individuals to submit comments.

Stay tuned for more about the proposed revisions.

Nevada Law Incorporates PCI and Provides a Liability Safe Harbor

Nevada appears to be the second State to incorporate the Payment Card Industry Data Security Standard (PCI) into its personal information security law. Minnesota is the other State that incorporated part of PCI into its law.

In contrast to the Minnesota law (which only partially incorporated one subsection of PCI), the Nevada amendment requires "data collectors" doing business in Nevada to comply with the entire PCI standard:

If a data collector doing business in this State accepts a payment card in connection with a sale of goods or services, the data collector shall comply with the current version of the Payment Card Industry (PCI) Data Security Standard, as adopted by the PCI Security Standards Council or its successor organization, with respect to those transactions, not later than the date for compliance set forth in the Payment Card Industry (PCI) Data Security Standard or by the PCI Security Standards Council or its successor organization.

Unfortunately there is a built-in ambiguity in the law, since neither the PCI standard itself nor the PCI Security Standards Council sets the PCI compliance date. Rather, that is done by each card brand. Ignoring that glitch, by incorporating PCI into its law, Nevada has explicitly given PCI "the force of law." This could have significant legal implications: see more HERE and HERE.

The Nevada amendment also appears to create a partial "safe harbor" for compliance with the law (and by extension PCI):

3. A data collector shall not be liable for damages for a breach of the security of the system data if: (a) The data collector is in compliance with this section; and (b) The breach is not caused by the gross negligence or intentional misconduct of the data collector, its officers, employees or agents.

While it is apparent that this language precludes liability for damages under the Nevada statute itself, it may also have wider application. In other words, would this language bar a "regular" negligence lawsuit arising out of a security breach as long as the data collector was PCI compliant? "Damages" in a breach of contract lawsuit? The broad language used ("shall not be liable for damages") suggests a solid argument exists for a "safe harbor" (even if compliance with the PCI standard itself was not "reasonable security") against any cause of action not involving "gross negligence" or "intentional misconduct." More research, and potentially case law, will be necessary before the scope of this safe harbor is clarified.

New Bills Concerning Encryption and Retail Liability

The New Year is bringing renewed attempts to legislate data security. Michigan and Washington both have bills pending that would make retailers liable for payment card data security breaches (Michigan bill - Washington bill). The Washington bill explicitly requires compliance with the Payment Card Industry Data Security Standard to avoid liability.

Both States also have bills that require encryption of personal data (Michigan bill - Washington bill). Both bills require encryption of stored personal data consistent with generally accepted industry standards (undefined). The Michigan bill sets forth criminal penalties for non-compliance, including imprisonment for up to 30 days and a fine of up to $1,000, or both.