European Data Protection Supervisor Releases "Inventory" of 2012 Priorities

On January 10, Peter Hustinx, the European Data Protection Supervisor (EDPS), released his annual "Inventory" of issues of strategic importance for 2012, along with an annex of the relevant Commission proposals and other documents that have been recently adopted or otherwise require the attention of the EDPS.  The strategic proposals can be grouped into four main categories:

  • Towards a new legal framework for data protection.  The European Commission has almost finalized its proposal for a new legislative framework, a draft of which was disclosed last month and which is likely to be published by the end of January.  Hustinx will issue an opinion on the legislative proposal in early 2012, closely follow the review process, and continue to fulfill his advisory role throughout the legislative process by intervening at the appropriate stages.
  • Technological developments and the Digital Agenda, IP rights, and Internet.  Of the European Commission's work in the area of new technologies, Hustinx will focus on the policy issues of Internet monitoring, IP enforcement, and takedown procedures (focusing on IP rights and privacy); cloud computing services (focusing on jurisdictional issues); e-Health; and a pan-European framework for electronic identification, authentication, and signature (focusing on e-security and privacy by design).
  • Further developing the Area of Freedom, Security, and Justice.  The items in this area at the top of Hustinx's agenda are immigration, border control, anti-terrorism, and internal security strategy, focusing on ensuring the right balance between privacy and security.
  • Financial sector reform.  Hustinx plans to issue a package of opinions on data protection issues with legislative proposals concerning the regulation and supervision of financial markets and actors, including the legislative package for the revision of the banking legislation; the market abuse regulation; the regulation and the directive on markets in financial instruments; and the revision of the credit rating agencies regulation.

Hustinx also identified trends of focus for 2012, which include:

  • Employment of effective information-gathering and investigative tools by administrative authorities (both EU and national).
  • Significant exchanges of information between national authorities, often involving EU bodies and large-scale databases (centralised or not) of increasing size and processing power.
  • Developments in the field of technology, mainly due to the widespread use of the Internet and geolocation technologies.

The EDPS is an independent supervisory authority devoted to protecting personal data and privacy and promoting good practice in the EU institutions and bodies, focusing on monitoring the EU administration's processing of personal data; advising on policies and legislation that affect privacy; and cooperating with similar authorities to ensure consistent data protection.  Hustinx is serving a five-year term as the EDPS, which expires in 2013.

Financial Services Industry Group Issues Social Media Guidance

This week BITS, a division of the Financial Services Roundtable, which represents 100 of the largest financial services companies, released guidance titled "Social Media Risks and Mitigation" on managing the risks associated with using social media, including data protection concerns.  The 71-page report details numerous risks that banks and other financial companies may face when using social media, including compliance, legal, operational and reputational risks.  These risks are discussed in the context of three types of social media use:

  • By a financial institution to communicate with or service the financial institution's customers
  • By the financial institution's employees in their personal or professional capacities
  • By the financial institution's employees or contractors outside the office

The guidance thus addresses sector-specific regulatory requirements, such as Gramm-Leach-Bliley Act compliance and FINRA rules applicable to securities firms.  It also addresses concerns that are relevant to financial institutions as employers, such as bank employees' personal use of social media.

The BITS report is particularly significant because it responds to a need for guidance in an industry that is increasingly using social media but still lacks clear rules from regulators regarding such activities.  While FINRA has issued guidance on use of social media by firms subject to FINRA's oversight, the federal banking agencies have not, to date, issued detailed guidance to the banking industry on banking compliance issues raised by use of social media.

While targeted at the financial services sector, the report is also relevant to many other types of users of social media.  It gives guidance, for instance, on coordinating a company's social media policies with its other policies, and on performing a risk assessment to determine the risks a company's social media activities could pose.

FDIC Requires Banks to Adopt Policies on Disposal of Information Stored on Office Equipment

On September 15th, the Federal Deposit Insurance Corporation (FDIC) issued guidance (Financial Institution Letter FIL-56-2010, "FDIC Guidance on Mitigating Risk Posed by Information Stored on Photocopiers, Fax Machines and Printers") urging banks under its supervision to ensure that they have written policies for the erasure or destruction of sensitive or confidential customer information stored in photocopiers, fax machines, or printers.  Such storage may occur when the device's hard drive or flash memory stores digital images of documents that were photocopied, faxed, or printed using the device.

This is a particular concern for banks that lease office equipment - which may be used to process a significant amount of confidential information relating to financial transactions - and then return the equipment or sell it to another party.  If the memory of such devices is left intact, it is possible that such a third party could access data constituting "nonpublic personal information" under the Gramm-Leach-Bliley Act, such as information in consumers' loan applications or account statements, or other confidential information.

FDIC-supervised banks must, therefore, implement written policies and procedures to ensure that a hard drive or flash memory in office equipment containing sensitive data is erased, encrypted or destroyed prior to the device being returned to a leasing company, sold, or otherwise disposed of.  If the bank chooses to erase or encrypt the hard drive rather than destroy it, the bank should ensure that the method used will render the information on the disk unrecoverable.
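The guidance's requirement that an erasure method actually render the data unrecoverable can be checked, and the gap between a device's own "delete" function and a real overwrite shown, with the following added example.  It is not part of FIL-56-2010 or of any vendor's tooling: it models a copier's internal storage as a 256 KiB image file with a small constructed "job index" region followed by scanned-page data, embeds a constructed sample of nonpublic personal information as a marker, and then searches the raw medium for that marker after each step.  The function names, sizes and marker string are all assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from FIL-56-2010 or any vendor tool).  Models a copier's
# internal store as an image file and shows that dropping a job from the
# device's index is not erasure, while a full overwrite is.  The check used
# (search the raw medium for known content) is the kind a bank could run
# against a device image before returning or selling the device.

MARKER='LOAN-APP-SSN-123-45-6789'   # constructed sample of NPI, not real data
INDEX_BYTES=4096                    # toy "job index" region at start of medium
IMAGE_BYTES=262144                  # 256 KiB toy storage medium

# build_image IMG: create the medium with one stored job whose page data
# contains MARKER and an index entry that points at it.
build_image() {
  dd if=/dev/zero of="$1" bs=1024 count=256 2>/dev/null
  printf 'JOB0001 offset=%d\n' "$INDEX_BYTES" \
    | dd of="$1" bs=1 conv=notrunc 2>/dev/null
  printf 'Scanned page: %s ... end of page\n' "$MARKER" \
    | dd of="$1" bs=1 seek="$INDEX_BYTES" conv=notrunc 2>/dev/null
}

# delete_job IMG: what a typical device "delete" does - clear the index only,
# leaving the page data in place.
delete_job() {
  dd if=/dev/zero of="$1" bs="$INDEX_BYTES" count=1 conv=notrunc 2>/dev/null
}

# wipe_image IMG: overwrite the whole medium, a random pass then a zero pass.
wipe_image() {
  dd if=/dev/urandom of="$1" bs=4096 count=64 conv=notrunc 2>/dev/null
  dd if=/dev/zero    of="$1" bs=4096 count=64 conv=notrunc 2>/dev/null
}

# marker_present IMG: exit 0 if MARKER can still be carved out of the raw bytes.
marker_present() {
  grep -a -q -- "$MARKER" "$1"
}

# verify_wiped IMG: exit 0 only if the medium is still its full size (nothing
# was merely truncated) and contains neither the marker nor any index entry.
verify_wiped() {
  [ "$(wc -c < "$1" | tr -d ' ')" -eq "$IMAGE_BYTES" ] || return 1
  marker_present "$1" && return 1
  grep -a -q 'JOB' "$1" && return 1
  return 0
}

# Stand-alone demonstration: sh wipe_check.sh --demo
if [ "${1:-}" = "--demo" ]; then
  img=$(mktemp)
  build_image "$img"
  marker_present "$img" && echo "after store:  marker recoverable (expected)"
  delete_job "$img"
  marker_present "$img" && echo "after delete: marker STILL recoverable"
  wipe_image "$img"
  verify_wiped "$img" && echo "after wipe:   marker gone, medium intact"
  rm -f "$img"
fi
```

Run against a real device the same check would be applied to an image of the drive taken with dd rather than to a constructed file, and whether the drive is even reachable depends on the model and on what the vendor or lessor permits.  Two caveats a practitioner should keep in mind: a successful search for one known marker shows only that that marker is gone, so the overwrite itself, not the search, is the control; and on flash media wear-levelling can keep overwritten cells out of reach of a host-side overwrite, which is why the guidance's alternatives of encryption from the outset or physical destruction matter for such devices.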

While FIL-56-2010 applies only to banks supervised by the FDIC, all financial institutions are required to ensure the proper safeguarding and disposal of customer information.  Therefore, even non-FDIC-supervised financial institutions would be well advised to consider and implement the guidance contained in FIL-56-2010.

UK Takes Step That Likely Will Result in Significantly Increased Penalties for Data Breaches

In a move that likely will result in a significant increase in civil penalties that can be assessed in the UK for data security breaches, this month the UK Ministry of Justice began consultation on the introduction of a maximum civil monetary penalty for serious breaches of the Data Protection Act 1998 (DPA), entitled ‘Civil Monetary Penalties: Setting the maximum penalty’.

The prospect of a maximum financial penalty was introduced into the DPA in 2008 by the Criminal Justice and Immigration Act 2008, but has yet to be implemented. After the consultation closes on 21 December 2009 it is likely to become law in April 2010.

The focus of the consultation is whether the current sanctions available to the ICO are sufficient. Last month we reported on the government’s consultation on possible prison sentences for serious breaches of the DPA, and this latest consultation builds on the same theme. The current maximum financial penalty the ICO can impose against a data controller for data breaches is £5,000, which is fairly negligible and seriously undermines the ICO’s authority. Other regulators, such as the FSA, have much greater powers and may impose severe penalties of up to 10% of an organisation’s turnover; the disparity in approach is obvious. The government’s aim, therefore, is to increase the monetary penalties available to the ICO, in order to increase compliance with the DPA as well as public confidence in the system. It is noted that incidents of data loss and other serious breaches of the DPA are increasing, yet the ICO has limited powers to address the problems.

The question posed by the consultation is very simple: “Do you consider that a penalty of up to £500,000 provides the ICO with a proportionate sanction for serious contraventions of the data protection principles?” We might predict a resounding ‘yes’ to this, but must wait and see. We do know however, that, due to the likely administrative burden, the ICO have already rejected an assessment of penalties based on a data controller’s turnover, so a fixed maximum penalty of up to £500,000, (or possibly a different sum) will be adopted.

Further details of the consultation and the proposed introduction of the maximum civil monetary penalty for serious breaches of the DPA can be accessed through the Ministry of Justice website. The link also includes the ICO’s draft guidance on the criteria and circumstances it will consider when using civil monetary penalties. As a rough guide, the seriousness of the breach and whether it was deliberate or not, will be important factors, as is the prospect of substantial damage and distress caused, or likely to be caused.