On July 12, the European Union (EU) finalized and adopted the EU-U.S. Privacy Shield for transatlantic data flows. As previously covered in InfoBytes, on October 6, 2015, the Court of Justice of the European Union declared in Schrems v. Data Protection Commissioner “invalid” a decision of the European Commission that the EU-U.S. Safe Harbor Framework provided adequate protection for personal data transferred from the EU to the U.S., thus requiring the EU and the U.S. to develop a new framework for transatlantic data transfers. The recently finalized EU-U.S. Privacy Shield is based on the following principles: (i) strong obligations on companies handling data, including requiring the Department of Commerce to regularly conduct updates and reviews of participating companies and tightening conditions for the onward transfers of data; (ii) clear safeguards and transparency obligations on the U.S. government, assuring that “the access of public authorities for law enforcement and national security is subject to clear limitations, safeguards and oversight mechanisms”; (iii) effective protection of individual rights, including complaint-handling mechanisms and the designation of an Ombudsperson independent from U.S. intelligence services to provide a redress possibility for EU citizens in the area of national security; and (iv) an annual joint review mechanism to monitor the functioning of the Privacy Shield. On July 12, the Commission simultaneously released a Q&A, a Fact Sheet, the “Adequacy Decision,” which will enter into force immediately after Member States are notified, and Annexes.
Department of Agriculture Requests Comments on Continuation of, and Changes to, Registration Form to Request Electronic Access Code Information
On July 22, the Federal Register published the U.S. Department of Agriculture’s (USDA) request for comments on the Office of the Chief Information Officer’s (OCIO) intent to “request approval for the continuation of and changes to the [USDA] Registration Form to Request Electronic Access Code information collection to allow USDA customers to securely and confidently share data and receive services electronically.” The USDA’s eAuthentication Service (eAuth) collects customer and employee information in order to provide “public citizens as well as federal government employees with a secure single sign-on capability for USDA applications, management of user credentials, and verification of identity, authorization and electronic signatures.” The online self-registration process and identity proofing service, which is voluntary, permits USDA customers and employees to access USDA Web applications and services via the Internet. As it currently exists, the eAuth service allows customers to access USDA Web site portals through two Levels of Assurance (LOAs). LOA 1 provides limited access to portals and applications that have minimal security requirements. LOA 2 “enables users to conduct official electronic business transactions via the Internet, enter into a contract with the USDA, and submit forms electronically via the Internet to USDA agencies.” The OCIO is developing LOA 3, which, if authorized, would provide public citizens with accounts. LOA 3 would require the same level of self-registration and identity proofing, but would also incorporate strong multi-factor authentication credentials for access to secure, high-risk, or sensitive systems. Comments on the USDA’s notice are due by September 20, 2016.
On June 8, the SEC announced that a New York-based financial services firm agreed to pay a $1 million civil monetary penalty to resolve allegations that it violated the “Safeguards Rule,” Rule 30(a) of Regulation S-P (17 C.F.R. § 248.30(a)). According to the SEC, the firm “failed to ensure the reasonable design and proper operation of its policies and procedures in safeguarding confidential customer data.” The SEC further contends that the firm failed to audit or test the authorization models that allowed employees to access the portals hosting customer data. The financial services firm settled the charges without admitting or denying the SEC’s findings. As a result of the company’s alleged failures, between 2011 and 2014, a then-current employee of the firm gained access to and copied data regarding approximately 730,000 customer accounts to his personal server. The SEC alleges that the employee’s personal server was hacked, and portions of the misappropriated data were posted to at least three Internet sites, with an offer to sell more of the stolen data in exchange for payment in digital currency. Per the employee’s separate consent order, the employee agreed to an industry and penny stock bar with the right to apply for reentry after five years. He was previously criminally convicted for his actions and received 36 months of probation and $600,000 in restitution.
On June 15, the FTC will host its fourth Start with Security event in Chicago, Illinois. Featuring agency representatives Todd Kossow, Maureen Ohlhausen, Cora Han, Jim Trilling, Steve Wernikoff, and Andrea Arias, as well as security experts from various industries, the Start with Security event is intended to provide companies with tips for implementing effective data security. The event will host the following four panels: (i) Building a Security Culture; (ii) Integrating Security into the Development Pipeline; (iii) Considering Security when Working with Third Parties; and (iv) Recognizing and Addressing Network Security Challenges. Over the course of the full-day event, the panels “will address how companies can create and prioritize a culture of security, how to integrate security into the development pipeline, what security issues to consider when a company works with third parties, and how to recognize and address network security challenges.”
As recently noted in its 2015 Annual Highlights report, the FTC’s Start with Security efforts, including its June 2015 Guide for Business, are part of the agency’s education outreach programs designed to promote good data security practices within businesses.
On May 4, New York AG Schneiderman announced that, from January 1, 2016 through May 2, 2016, his office received 459 data breach notices – more than a 40% increase compared to the 327 notices received during the same time last year. Due to the increased volume of data breach notices and in an effort to provide greater efficiency in the reporting process, AG Schneiderman announced an electronic breach reporting form. The new form allows companies to submit data breach notices via web submission: “[c]ompanies may now notify the Attorney General’s Office of a data breach via a web submission form in order to expedite and streamline the process. Previously, and consistent with most other state attorneys general offices, companies were required to mail, fax, or email a separate data breach form.” AG Schneiderman’s office expects to receive “well over” 1,000 data breach notices in 2016.