European Commission Announces Agreement with the US on the Framework for Transatlantic Data Flows

On February 2, the members of the European Commission approved a new framework for transatlantic data flows: EU-US Privacy Shield. The European Commission and the United States agreed to a deal that reflects the requirements set forth in the Court of Justice of the European Union’s (CJEU) October 6, 2015 decision declaring the old Safe Harbor framework invalid. The agreement aims to protect “fundamental rights of Europeans where their data is transferred to the United States and ensure legal certainty for businesses.” Specifically, the drafters of the new framework attempt to provide (i) robust obligations on U.S. companies to ensure that they are protecting Europeans’ personal data, such as strengthened monitoring by the Department of Commerce and the FTC and increased cooperation with European Data Protection Authorities; (ii) written commitments by the U.S. that “the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms”; and (iii) effective protection of Europeans’ rights regarding how their data is handled, including several redress possibilities and the creation of an Ombudsperson to whom they can raise inquiries or complaints. Commenting on the agreement, Commission Vice-President Ansip stated, “[t]oday’s decision helps us build a Digital Single Market in the EU, a trusted and dynamic online environment; it further strengthens our close partnership with the US.” In the upcoming weeks, the U.S. will prepare to put in place the new framework while Vice-President Ansip and Commissioner Jourová prepare a draft “‘adequacy decision,’” which could be “adopted by the [Commission] after obtaining the advice of the Article 29 Working Party (WP29) and after consulting a committee composed of representatives of the Member States.”

European Commission Celebrates Data Protection Day; Deadline for US-EU Data Protection Framework Approaches

On January 28, the European Commission issued a statement in observance of its 10th European Data Protection Day. Vice President Ansip and Commissioner Jourová commented on the December 2015 agreement on EU data protection reform, noting that “[w]ith one streamlined set of rules across the European Union, we will cut red tape and ensure legal certainty, so that both citizens and companies can benefit from the Digital Single Market.” The United States and the European Union are scheduled to reach an agreement on the “Safe Harbor” data transfer program in the upcoming week, on which Ansip and Jourová commented: “These flows are essential, between EU countries, but also between the EU and its closest partners. The European Commission is currently working on a renewed and safe framework on transfers of personal data with the United States. We need an arrangement that protects fundamental rights of Europeans and ensures legal certainty for businesses.”

New York AG Requires Transportation Company to Enhance Data Security Practices

On January 6, New York AG Schneiderman announced a settlement with a California-based transportation network company that requires the company to enhance its data security protection practices to ensure protection of consumers’ personal information. In November 2014, the AG’s office launched an investigation into the company’s collection, maintenance, and disclosure of users’ personal information “amid reports that [company] executives had access to riders’ locations and that the company displayed this information in an aerial view, known internally as ‘God View.’” Moreover, in February 2015, the company reported to the AG’s office that, as early as September 2014, it had experienced a data breach where company drivers’ names and license numbers were exposed to an unauthorized third party.

FTC Reveals Agenda for PrivacyCon

On December 29, the FTC revealed the full agenda for PrivacyCon, a Washington, D.C. conference scheduled to take place on January 14, 2016. Participants will examine current research and trends related to consumer privacy and data security. The event will host panels on the following topics: (i) the current state of online privacy; (ii) consumers’ privacy expectations; (iii) big data and algorithms; (iv) economics of privacy and security; and (v) security and usability.

FTC Announces Record Settlement with Identity Theft Protection Company over Alleged Failures to Adhere to a 2010 Court Order

On December 17, the FTC announced a $100 million settlement with an Arizona-based identity theft protection company for violating the terms of a prior federal court order. In 2010, the District Court of Arizona prohibited the company from engaging in deceptive advertising and required it to secure consumers’ personal information. According to the FTC’s contempt charges, the company violated the terms of the prior order primarily by (i) failing to establish and maintain an adequate information security program to protect consumers’ personal information, such as social security numbers, and credit card and bank account numbers; (ii) falsely advertising that it protected consumers’ sensitive data by using the same sophisticated protections that financial institutions use; (iii) falsely advertising that it would send consumers alerts “as soon as” it received any indication that the consumer was a victim of identity theft; and (iv) failing to sufficiently create and retain records regarding the sale or provision of products or services related to identity theft.

European Commission Announces Agreement on New Cybersecurity Rules

On December 8, the European Commission announced that European Union lawmakers reached an agreement regarding cybersecurity and breach reporting legislation. The rules are intended to improve cybersecurity capabilities in Member States as well as their cooperation on cybersecurity, and will “require operators of essential services in the energy, transport, banking and healthcare sectors, and providers of key digital services like search engines and cloud computing, to take appropriate security measures and report incidents to national authorities.” The text of the agreement is subject to formal approval by the European Parliament and the EU Council of Ministers; once officially published in the EU Official Journal, Member States will have 21 months to adopt the directive into their national laws and an additional 6 months to identify which internet providers it will affect.

FTC Settles with Hotel and Resort Chain Over Data Security Practices

On December 9, the FTC announced a settlement with a leading United States-based hotel and resort chain to resolve charges that the company’s data security practices were unfair and deceptive under Section 5 of the FTC Act. The settlement follows the Third Circuit’s August 24 ruling affirming the FTC’s authority to take action against companies with deficient cybersecurity practices that fail to protect consumer data against hackers. The settlement terms require the company for the next 20 years to establish, implement, and maintain a comprehensive information security program that is designed to protect the security, confidentiality, and integrity of cardholder data. In addition, the company must obtain annual written assessments of its information security program. The assessments must certify (i) the “untrusted” status of franchisee networks that may store, process, or transmit cardholder data; (ii) the extent of the company’s compliance with the risk management protocol; and (iii) that the assessments were completed by a qualified and independent auditor free from any conflicts of interest. The settlement also requires that in the event of another data breach affecting more than 10,000 consumers, the company must obtain an assessment of the breach within 180 days and report the findings of the assessment to the FTC within 10 days of its completion.

State AGs Urge Card Companies to Advance Consumer Protection by Implementing Chip and PIN Technology

On November 16, nine state attorneys general sent a letter urging leading card brands to expedite the implementation of chip and PIN technology in the United States. The letter summarizes research connected to recent data breaches, stating “individuals whose credit or debit cards were breached in the past year were nearly three times more likely to be an identity fraud victim.” Addressing concern that PIN technology would be burdensome or confusing to consumers, the AGs maintain that many consumers are accustomed to financial transactions that rely on PIN technology, such as transactions involving debit cards, and point to a November 2014 poll that indicated cardholders were supportive of chip and PIN technology. The AGs emphasize that PIN technology is “nothing new” and is considered the “gold standard” for payment card security, noting that countries around the world have seen a dramatic decrease in fraud since implementing the technology. Finally, while the letter stresses that chip and PIN technology would better protect both consumers and businesses from data breaches, it does not suggest that the technology be legally mandated at the federal or state level: “[T]his letter calls upon you as good corporate citizens to voluntarily expedite the implementation of existing technology that offers the most substantial security benefits, and to continue to adapt and improve security as quickly as possible as technology advances.”

DOJ Unseals Indictment Against Individuals for Alleged Involvement in Hacks Against Various U.S. Institutions

On November 10, the DOJ unsealed an indictment against three individuals, Gery Shalon, Joshua Samuel Aaron and Ziv Orenstein, for allegedly orchestrating and committing computer hacking crimes against U.S. financial institutions, brokerage firms, and financial news publishers. According to the DOJ, “these three defendants perpetrated one of the largest thefts of financial-related data in history – making off with the sensitive information of literally thousands” of Americans. The DOJ alleges that, from approximately 2012 to mid-2015, Shalon and Aaron hacked financial institutions to steal the personal information of more than 100 million customers, and then manipulated the price of certain U.S. publicly traded stocks, seeking to “market the stocks, in a deceptive and misleading manner, to customers of the victim companies whose contact information they had stolen in the intrusion.” Additionally, Shalon engaged in illegal businesses with Orenstein between 2007 and July 2015, allegedly operating (i) unlawful internet gambling businesses; (ii) multinational payment processors for illegal pharmaceutical suppliers, counterfeit and malicious software distributors, and unlawful internet casinos; and (iii) Coin.mx, a Bitcoin exchange company that violated federal anti-money laundering laws.

FCC Settles with Company Over Alleged Data Protection Failures

On November 5, the FCC resolved its first ever data security action against a cable company with a $595,000 settlement. According to the FCC, the company did not have adequate data security measures in place for employees and contractors with access to the company’s electronic data systems. In 2014, the company’s electronic data systems were breached by a third party who, by pretending to be from the company’s IT department, convinced a customer service representative and a contractor to enter their account information into a fake website. The third party hacker allegedly used the information to gain access to customers’ personally identifiable information, subsequently sharing the information with another hacker and posting the information on social media sites. The cable company did not use the FCC’s breach-reporting portal to report the breaches. In addition to the civil money penalty, the settlement requires the company to: (i) identify and notify all customers affected by the breach and provide them with one year of free credit report monitoring; (ii) designate a senior corporate manager who is a certified privacy professional; (iii) conduct privacy risk assessments; (iv) implement a written information security program; (v) maintain reasonable oversight of third party vendors and implement multi-factor authentication; (vi) implement a more robust data breach response plan; (vii) provide privacy and security training to third party vendors and employees; and (viii) regularly file compliance reports with the FCC.

FTC Announces Agenda for Cross-Device Tracking Workshop

On November 3, the FTC announced the agenda for its Cross-Device Tracking workshop, which is scheduled to take place on November 16 in Washington, D.C. FTC Chairwoman Edith Ramirez will deliver opening remarks, with FTC Office of Technology, Research and Investigation Policy Director Justin Brookman introducing two panel discussions. The first panel will examine the technology used for cross-device tracking, including how it has evolved, privacy concerns, and how the technology benefits consumers and businesses alike. The second panel will focus on the policy implications of cross-device tracking, such as: (i) the type of data being collected about consumers; (ii) consumer awareness of this type of tracking; (iii) notice to consumers of cross-device tracking and consumers’ ability to give consent; and (iv) industry self-regulation efforts.

German Data Protection Authorities Issue Position Paper In Light of Schrems EU Court Decision

Recently, German data protection authorities issued a position paper to address potential consequences of the Court of Justice of the European Union’s (CJEU) Schrems ruling on the handling of personal data. The first section of the paper summarizes the ruling, noting that the court found the Safe Harbor decision overly restrictive of the “supervisory powers of the European data protection supervisory authorities and does not follow the requirements of the provisions that empower the Commission to decide on the level of protection of a third country.” The remaining four sections of the paper consider the following: (i) the European Commission’s options to either adopt a new decision which declares U.S. law provides an adequate level of protection, or to push for an international treaty to include a data protection agreement with the U.S.; (ii) the legal basis for the transfer of personal data; (iii) private bodies’ use of standard contractual clauses, concluding that private bodies must “consider terminating the underlying standard contract with the data importer in the U.S. or suspending data transfers”; and (iv) enforcement concerning private bodies, noting that authorities will examine “whether orders against private bodies must be issued and on which basis data transfers to the United States must be suspended or banned.”

FTC and International Partners Launch New Information-Sharing System

On October 25, the FTC and seven members of the Global Privacy Enforcement Network (GPEN) launched GPEN Alert, a new information-sharing system designed to enhance coordinated efforts to protect consumer privacy. The FTC and seven data protection authorities from Australia, Canada, Ireland, the Netherlands, New Zealand, Norway, and the United Kingdom signed an MOU to participate in GPEN Alert. GPEN Alert is based on the FTC’s Consumer Sentinel Network and will allow participating agencies to confidentially share information about privacy investigations and enforcement actions.

Statement of the Article 29 Working Party Regarding Schrems EU Court Decision

On October 16, the Article 29 Working Party (Working Party) released a statement regarding the Court of Justice of the European Union’s October 6 decision to invalidate the adequacy of the U.S.-EU data protection Safe Harbor framework. The EU Court recently declared that the Safe Harbor Framework fails to “ensure an adequate level of protection of the personal data which is transferred to the United States from the European Union.” In response to the EU Court’s decision, the Working Party provided the following guidance on the implementation of the judgment: (i) a broad analysis of third country domestic laws and international commitments must be applied when determining if data transfers meet adequacy standards; and (ii) Member States and European institutions should hold open discussions with U.S. authorities to “find political, legal and technical solutions enabling data transfers to the territory of the United States that respect fundamental rights.” The Working Party noted that it will continue to monitor the Irish High Court for developments concerning the Schrems opinion, but that “[i]f by the end of January 2016, no appropriate solution is found with the US authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.”

Illinois to Host Cyber Risk and Security Conferences; CSBS to Co-host

On October 14, the Illinois Division of Banking announced that it would host two Cyber Risk and Security Conferences on November 9 and November 16. With the growing number of threats to financial data systems, cyber and data security has become a top concern for regulators in the financial industry. Topics to be addressed at the conferences include: (i) current cyber threats; (ii) bank and credit unions’ cyber preparedness and response to threats; and (iii) existing trends and the globalization of cyber crimes. The CSBS will co-host the conferences.
