As we move into 2011 it should be obvious that cloud computing is not a fad, but rather a computing model that is becoming ubiquitous. Cloud computing offers a slew of advantages including efficiency, instant scalability and cost effectiveness. However, these advantages must be balanced against the control organizations may lose over their information technology operations when they are reliant on a cloud provider to provide key processes. The issues that arise out of this loss of control are apparent when considering data breach response and liability in the cloud. When a cloud customer puts its sensitive data into the cloud it is completely reliant on the security and incident response processes of the cloud service provider in order to respond to a data breach. This situation poses many fundamental problems.
As we have previously reported on our blog, 2011 has seen a whirlwind of privacy enforcement activity. The FTC, NLRB, EEOC, HHS and FINRA have all taken privacy enforcement actions this year. This March, the FTC has announced privacy settlements with Chitika and Twitter.
Over the past couple years, many predicted that new state laws would follow the lead of states like Nevada and Massachusetts, and some anticipated we could see a situation where 50 different privacy/security laws across the country. Now it looks like we are beginning to see some renewed activity on the state level. In Hawaii we have a proposed bill that would require breached entities to provide credit monitoring and call center services to impacted individuals. In my home state, Colorado, a legislator (Dan Pabon) has proposed a novel bill that takes a new approach to incentivizing companies to implement good security. In this post, we take a look at the highlights of the Colorado bill.
On February 12, 2011, the American Bar Association Information Security Committee established the Smart Grid Privacy and Security Working Group. The working group's mission is to increase awareness regarding privacy and information security legal issues arising in connection with the Smart Grid among consumers, regulators, utilities, service provider and other stakeholders. Gib Sorebo, Chief Cybersecurity Technologist at SAIC, and Boris Segalis, partner at InfoLawGroup, will co-chair the group.
This month, federal agencies and FINRA have announced significant privacy enforcement actions that have resulted in millions of dollars in fines. The U.S. Department of Health and Human Services (HHS) imposed a $4.3M fine on a health plan for violations of the HIPAA Privacy Rule; the Federal Trade Commission (FTC) settled with several resellers of consumer reports allegations that the resellers failed to adequately safeguard consumer information; and FINRA imposed a $600K fine on two securities firms for failure to safeguard access to customer records. Here are the details:
The California Supreme Court ruled Thursday, in Pineda v. Williams-Sonoma, that zip codes are "personal identification information" for purposes of California's Song-Beverly Credit Card Act, California Civil Code section 1747.08. Really.
Dan Or-Hof, a privacy and technology partner at the Israeli law firm Pearl Cohen Zedek Latzer is reporting that a decision by Israel's National Labor Court imposes severe restrictions on the employers' ability to monitor employee emails. Organizations with employees in Israel must promptly take steps to verify that their employee monitoring policies and practices in the country are consistent with the ruling.
Yesterday we wrote on our blog about the NLRB's Facebook firing settlement. I was interviewed on Fox Live this morning about the case, its implications for employees and businesses, and other developments in workplace privacy. You can view the clip at http://video.foxnews.com/v/4531424/facebook-firing-case-settlement/?playlist_id=87937
The National Labor Relations Board (NLRB) has announced that settlement has been reached in the closely watched Facebook firing suit brought by the agency.We have previously reported on our blog that the NLRB filed an administrative complaint against a Connecticut ambulance company alleging that the company violated an employee's federal rights by firing her for criticizing a manager on Facebook. In the complaint, the NLRB took the position that union and non-union employees have a right to criticize their employers, management or working conditions, and cannot be punished for engaging in such protected activity. The NLRB also alleged that the company maintained overly-broad rules in its employee handbook regarding blogging, Internet posting, and communications between employees. The complaint asserted that an employee's right to criticize the employer and management is an extension of the federal right to discuss unionization and form unions.
The National Institute of Standards and Technology (NIST) has released for public comment two "new" draft documents centered on cloud computing. The first is a NIST-codified Definition of Cloud Computing (Draft SP 800-145), and the second document is what NIST calls "the first set of guidelines for managing security and privacy issues in cloud computing," titled Guidelines on Security and Privacy in Public Cloud Computing (Draft SP 800-144). In conjunction with the release NIST has also unveiled a new NIST Cloud Computing Collaboration site, which includes various working group listservs and Wikis, to "enable two-way communication among the cloud community and NIST cloud research working groups."
On February 1, 2011, the Department of Energy announced the launch of the Cyber Security Initiative to develop cyber security risk management process guidelines for the electric grid. The Department's Office of Electricity Delivery and Energy Reliability will lead the effort in collaboration with the National Institute of Standards and Technology and the North American Electric Reliability Corporation.
InfoLawGroup recently discovered a new data breach case, one of the first that we are aware of in the United States, that dives deep into the issue of whether a common law duty exists to safeguard personal information. In Cooney, et. al v. Chicago Public Schools, et. al¸ an Illinois appellate court actually rendered a decision holding that no such duty exists under Illinois law. In this blogpost we take a closer look at the court's rationale for dismissing the plaintiffs' negligence claim, as well as the other interesting holdings of the court.
Dan Or-Hof, a privacy and technology partner at the Israeli law firm Pearl Cohen Zedek Latzer is reporting that the EU Commission published the much-anticipated announcement on the adequacy of data protection law in Israel. Published on January 31, 2011, the decision adopted by the Commission determines that Israel provides an adequate level of protection for personal data transferred from the EU, however only in relation to automated international data transfers and to automated processing of data in Israel.
Last week, Politico ran an interesting piece suggesting that federal privacy legislation may see the light of day in 2011. Democratic supporters of the legislation show no signs of slowing down. In the Senate, John Kerry (D-Mass.) is working on privacy legislation based on a bill he proposed last year. Senator Jay Rockefeller (D-W.Va.), Chairman of the Senate Commerce Committee, is planning to hold public hearings on Internet privacy starting in February. Of course the key to the success of federal privacy legislation lies in the House, and there Republicans have voiced support for a privacy bill as well. Rep. Cliff Stearns (R-Fla.), Chairman of the Subcommittee on Oversight and Investigations at the House Energy and Commerce Committee, has said that the privacy bill introduced last year by former representative Rick Boucher (D-Va.) could be revised and reintroduced with Republican support (Rep. Stearns co-sponsored the Boucher bill). This sentiment was echoed by Rep. Mary Bono Mack (R-Calif.), Chairwoman of the Subcommittee on Commerce, Manufacturing and Trade. According to Politico, Rep. Bono Mack informed her colleagues on the subcommittee that she remains committed to addressing privacy issues.