FTC Delays Enforcement of Red Flags Rule for Fourth Time

The Federal Trade Commission (FTC) announced today that it is delaying enforcement of its FACTA Red Flags Rule until June 1, 2010 “[a]t the request of Congress.”  This is the fourth time the FTC has delayed the controversial red flags rule and it follows shortly on the heels of the U.S. District Court for the District of Columbia's ruling that the Red Flags Rule does not apply to lawyers.  It also follows the House of Representatives' unanimous passage last week of HR 3763, which proposes to amend FCRA to exempt certain small businesses from the Red Flags Rule.  The FTC's Red Flags Rule has been marred by confusion and uncertainty since it was proposed in July 2006.

District Court Rules that Red Flags Rule Doesn't Apply to Lawyers

As reported in the blog of the American Bar Association Section of Antitrust Law Privacy and Information Security Committee:

Judge Reggie Walton of the U.S. District Court for the District of Columbia ruled today that the FTC cannot force practicing lawyers to comply with the Red Flags Rule.

With the November 1st enforcement date for the Red Flags Rule looming, the court's ruling for now eliminates uncertainty for lawyers, who the FTC had argued should be covered because, among other things, billing on a monthly basis made them “creditors” under the Rule.  The ABA had argued that Congress did not intend to subject lawyers to FTC regulation (an area traditionally left to the States) and that the extension of the Rule to lawyer billing practices was overly broad.  Judge Walton's oral ruling appeared to agree with the ABA arguments.  Whether or not the FTC will appeal remains to be seen, but the fact that it did so in the case involving the applicability of the Gramm-Leach-Bliley Act to lawyers suggests that it will.  See ABA v. FTC, 430 F.3d 457 (D.C. Cir. 2005).

Live Blogging from Global Privacy Events in Madrid

Starting on Tuesday, November 3rd, Hogan & Hartson will be live blogging from international privacy events in Madrid.  Chris Wolf from the firm's Washington Office and Wim Nauwelaerts from the Brussels Office, both senior lawyers in the Privacy and Data Security Practice, will provide timely reports from side events leading to the 31st International Conference of Data Protection and Privacy Commissioners:

• The civil society conference, The Public Voice: Global Privacy Standards in a Global World, to be presented by the Electronic Privacy Information Center; and

• The Data Protection and Privacy Workshop, to be presented by the International Association of Privacy Professionals.

Then, starting on Wednesday, November 4th, we will bring you reports from the "main event", which the host, the Spanish Data Protection Agency (AEPD), has described as "the largest forum dedicated to privacy in the world, which every year brings together the highest authorities and institutions guaranteeing data protection and privacy, as well as experts in the field from every continent."

Watch for our daily reports.

HHS Issues HITECH Act Enforcement Interim Final Rule

Today, the U.S. Department of Health and Human Services (HHS) released a pre-publication copy of an interim final regulation with a request for comments.  The regulations are being promulgated under the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted earlier this year.  HITECH enhanced and expanded the enforcement and penalty provisions of the HIPAA Privacy Rule and this rule implements those changes.  The interim final regulations will be officially published in the Federal Register October 30th and will be effective on November 30, 2009.  Public comments will be accepted by HHS until December 29, 2009.

UK Government consults on custodial sentences for data protection offences

Under the Data Protection Act 1998 (“DPA”), it is an offense to knowingly or recklessly obtain or disclose personal data, or the information contained in personal data, without the consent of the data controller.  Section 55 of the DPA details the offenses and any exclusions, or defenses, which may apply.  It also sets out the procedure for monetary penalties to be imposed.  Under the current law, the maximum penalty for those found guilty of offenses such as selling personal data is a £5,000 fine in the Magistrates Court and an unlimited fine in the Crown Court.  However, cases leading to substantial fines are rare.

The Ministry of Justice (which oversees the Information Commissioner’s Office) has recently announced a consultation exercise to decide whether to introduce tougher penalties for breaches of section 55, DPA, which could lead to the introduction of custodial sentences for those convicted.  Although provision was made to introduce prison sentences through the Criminal Justice and Immigration Act 2008, this has yet to be implemented and is subject to the consultation exercise, which is expected to close on 7 January 2010.

If adopted as law, the maximum penalty for the knowing or reckless misuse of personal data would be a prison sentence of up to 12 months (if heard in the Magistrates Court) or up to 2 years (if heard in the Crown Court).  This is an important development for the ICO, which has fairly limited powers of enforcement, and is arguably a necessary response to the increasingly serious breaches of the DPA involving the misuse of personal data.

French CNIL comments on nanotechnologies

On October 15, 2009, the French Data Protection Authority, the CNIL, issued a white paper regarding the privacy risks of nanotechnologies.  In its white paper, the CNIL attempts to identify the privacy risks associated with RFID tags which are so small they can be injected into the human body.   The CNIL mentions RFID tags used to trace Alzheimer patients, which the CNIL considers would satisfy the proportionality test set forth in French law.  Other tags, such as an RFID tag injected under the skin which permits nightclub users to pay for their drinks, are more problematic. 

The risks outlined in the CNIL document are not unlike those already identified in connection with RFID devices and the “Internet of things.”  Of particular concern are the small size and potential ubiquity of tracing devices, both of which make it difficult for citizens to control the personal data that is collected about them.  The CNIL recommends application of Privacy by Design methodology to nanotechnologies so that privacy is incorporated into nanotechnology applications from the time of their initial design.  The same recommendation applies to security associated with these devices.  In fact, the CNIL emphasizes the security risks of potential viruses or malware which could be introduced into nanotechnologies so as to permit them to be used for improper purposes.  To prevent this, the CNIL recommends integrating security by design in nanotechnologies through a multi-disciplinary and cooperative approach.

The CNIL mentions several key principles that should guide any nanotechnology application, such as the right for citizens to “turn off” the device thereby guaranteeing the right to “be forgotten” and to remain anonymous. 

In its white paper the CNIL also recommends clear labeling of nanotechnology applications, comparing nanotechnologies to genetically modified foods for which France has required special labeling which informs consumers about the product being purchased before actual purchase.  The CNIL further suggests that French law should be broadened to ensure that the CNIL has responsibility to implement these general principles, although it does not suggest specific language or legislation.

In conclusion, the CNIL’s consultation document regarding nanotechnologies is not fundamentally different from the European Commission’s recommendations on RFIDs, except that the CNIL puts more emphasis on bioethical issues, undoubtedly due to the fact that many of the nanotechnology applications will somehow be linked to the human body, which obviously raises significant privacy issues.

The CNIL's paper was issued as part of a national debate on nanotechnologies, organized by the French government in the Spring of 2009.

Free On Demand Webinar - "Navigating the Privacy Challenges: Crossing the Line in Cross-Border Data Transfers"

Lawyers from Hogan & Hartson offices in London, Paris, Brussels, Berlin and Washington recently presented a webinar in partnership with the Association of Corporate Counsel for Europe, entitled

Navigating the Privacy Challenges: Crossing the Line in Cross-Border Data Transfers

The program, now available in "on demand" format, provides an overview of the law governing international data transfers, as well as two case studies illustrating the practical issues involved in such data transfers.  The webinar concludes with a summary of "hot privacy topics" in the US and Questions and Answers.  Complimentary attendance and access to the webinar, including the PowerPoint deck, are available by clicking here.


Vermont's Invitation for Trouble?

In Ethics Opinion 2009-1, Vermont has taken its place in line behind several other states that have found that a lawyer who produces electronic documents has a duty of reasonable care to avoid disclosing confidential metadata.  This is a straightforward approach that translates easily to a lawyer’s everyday practice.

The same cannot be said of the lawyer on the receiving end of the electronic document production.  The Vermont Bar Association found that:

"to insert an obligation into the Vermont Rules of Professional Conduct that would prohibit a lawyer from thoroughly reviewing documents provided by opposing counsel, using whatever tools are available to the lawyer to conduct this review.”  

Vermont’s ethics rules also mandate that the receiving lawyer must notify the producing party “if he knows or reasonably should know that the document was inadvertently sent.”


Okay, fine. But how would this work in practice?  Metadata is in a special class of data/documents because it often reveals corrections, deletions, comments, etc. that reveal attorney-client communications or attorney work product.  If the receiving party does not have the consent of the producing party to review metadata but is permitted to do so anyway, doesn’t the Vermont rule amount to an invitation (if not an obligation) to mine for privileged data and then speak up later?  Vermont’s substantive state law may limit how or whether such data may be used, but still, isn’t this an unreasonable intrusion into the attorney-client relationship?


Other states’ (e.g., Arizona, Florida, New Hampshire) ethics rules disincentivize such mischief by prohibiting a lawyer receiving electronic communications from examining them for the purpose of discovering embedded metadata absent special circumstances (consent, accident).  Isn’t this bright-line rule more consistent with a lawyer’s ethical obligations of honesty and forthrightness?

FTC Settles Safe Harbor Enforcement Actions with Six Companies

In its first wave of Safe Harbor enforcement actions, the Federal Trade Commission announced settlements on October 6th with 6 companies over misrepresentations that they are current with their Safe Harbor certifications.  In each case, the company had self-certified its compliance with the Safe Harbor Program through the Department of Commerce, but did not keep its annual certification current, while still representing that it was a valid member of the Safe Harbor Program.

The FTC brought the enforcement actions under its Section 5 authority, alleging that the companies’ misrepresentations are deceptive.  The scope of the FTC’s actions is limited to the companies’ lapsed certification and did not address whether the companies were compliant with the substantive requirements of the Safe Harbor Program.

The proposed settlement agreements, open for public comment until November 5th, prohibit each company from making misrepresentations about its membership in any privacy, security, or other compliance program sponsored by the government or any other third party.  In addition, the proposed terms require each company to comply with reporting and compliance obligations, including the retention of documents relating to its compliance with the order for 5 years and initial compliance reports to the FTC.


The key take-away from these actions is that the FTC is going to be more proactive in its scrutiny of members of the Safe Harbor Program.  We anticipate more enforcement actions under Section 5 based on misrepresentations about compliance with Safe Harbor obligations, and likely further actions against companies with lapsed certifications.


The FTC complaints, proposed settlements and related documents are available at http://ftc.gov/opa/2009/10/safeharbor.shtm.

French CNIL Issues Data Security Tips

On October 12, 2009 the CNIL issued ten recommendations for companies to help protect their data.  The recommendations are fairly basic, ranging from implementing a rigorous password policy to ensuring that only authorized personnel have access to the company’s computer room.  The recommendations have an important pedagogical role, however, and illustrate that the CNIL is broadening its scope of focus from its traditional role of defining under what conditions personal data can be processed in France to dealing with the results of that processing, in particular focusing on the prevention of data breaches.

For those familiar with the security recommendations issued by ENISA, the European Network and Information Security Agency, the CNIL’s recommendations may seem quite rudimentary in comparison.  ENISA has issued a number of detailed recommendations on data security, and it is unfortunate that the CNIL did not refer to the excellent ENISA work in this area.  See, for example, ENISA's 2009 papers "10 Security Awareness Good Practices" and "Information Security Awareness in Financial Organizations - Guidelines and Case Studies."  However, the CNIL's recommendations may only be a first step, and it will be interesting to see whether the CNIL's guidance evolves as concern about data breaches continues to grow.

New Class of Data Security Breach Plaintiffs Possible If Maine Supreme Court Rules That Economic Harm Not Required

“Do time and effort alone, spent in a reasonable effort to avert reasonably foreseeable harm, constitute a cognizable injury under Maine common law?”

That is the question a federal district judge in Maine has put to the Maine Supreme Court in the data security breach litigation involving Hannaford Brothers.  In a ruling dated October 5, 2009, Judge D. Brock Hornby, who earlier this year had dismissed almost all of the claims in the consolidated class action for lack of "economic loss", reversed himself and sent to the Maine Supreme Court an issue that has the potential for opening the floodgates of litigation.  Plaintiffs so far have been unsuccessful in pursuing civil actions following data security breaches where they have not suffered real economic damages.

As Judge Hornby himself observed in his decision,

“if the Maine Law Court’s answer to the certified question on the cognizable harm issue favors the plaintiffs, the plaintiffs will have both a negligence claim and an implied contract claim.”

Such a development could have a profound impact on the vulnerability of companies experiencing data security breaches to civil claims, something they so far largely have avoided.  Thus, added to the existing costs of a data security breach (notification costs, credit monitoring costs, regulatory investigation costs, damage to reputation costs, etc.), there may soon be "time and effort" compensation costs.  As mentioned in an earlier post concerning Maine's law to protect kids from predatory marketing, which effectively is on hold, when the State of Maine enjoyed a reputation as a bellwether for presidential elections, this expression was in common parlance:

As Maine goes, so goes the nation?

It appears that while the State of Maine no longer has much impact on presidential elections, it could well have an impact on data security breach law.

Ethics and Privacy

I was honored to be invited to speak at the IBM IT Services Legal Summit today in New York City on the topic of ethics and privacy.  As a launching pad for my discussion of privacy ethics, I used the episode from earlier in the year involving Justice Scalia and Fordham University Professor Joel Reidenberg, whose privacy law class created a "digital dossier" on the Justice and his family, using publicly available online information.

It seems unlikely that there are workable ethical guidelines to restrict access to and use of publicly available information on the Internet.  If information is on the Internet, searchable through Google, it is unlikely society can set new norms to restrict access. 

[P]ending a societal change in the ethics of what we do with information we can access online, what can be done?

Well, one place to start is at the input side of things. Before people reveal information about themselves or allow data to be collected about them, since it appears to be fair game once it is collected, what is the ethical duty to put people on notice on the collection side? 

I said that the duty, in which privacy lawyers play an important role, is to provide clear, easy-to-access notice to consumers before data is collected, referencing the recent Sears case at the FTC and the ongoing debate about behavioral advertising.

A copy of my prepared remarks is available here.

Eye-Spy: CCTV on the Internet

It sounds like an ‘April fool,’ but the story this week that people can sign up to a new internet game where they spot crimes on CCTV cameras posted in Britain and earn points for doing so might actually be true.  Both the Daily Mail and the Guardian’s online news pages featured stories about this bizarre game, which may be launched in November 2009 following a trial in Stratford-upon-Avon.

Customers have the opportunity to sign up to the service and have their CCTV monitored by the public in return for a fee.  Footage from the camera would be streamed on to a website to be used in the game.  Shopkeepers are an obvious target market for the service, but the police, local authorities and home owners may also be encouraged to sign up.

According to press releases, the service provider ‘Internet Eyes,’ offers users (players of the game) the chance to “earn reward money, have a chance at reducing crime, potentially become a hero and save lives.”  Users would compete to earn up to £1,000 per month, collecting points for viewing live CCTV footage and pressing a button whenever they see any suspicious activity.  If and when a crime is suspected, these alerts will be sent, by SMS, to the customer, in real-time, allowing them to take immediate action, or no action, as they wish.  Apparently it is possible to lose points for a false alarm and a ‘3 strikes and you’re out’ rule will apply.

The website also promises to feature a so-called ‘rogue’s gallery’ of ‘criminals,’ with details of their offenses and details of the user responsible for spotting them.

Internet Eyes says its service aims to reduce crime, but civil liberties campaigners and the assistant information commissioner have their doubts about the legality of the idea itself.  Disclosing images of identifiable individuals on the internet for entertainment raises serious issues under the Data Protection Act and the Human Rights Act.  The Guardian reports that the ICO will be ‘talking to’ Internet Eyes shortly.  Watch this space!

An Example of Behavioral Advertising Self-Regulation from Europe

In the United States, regulators and policy makers are taking a close look at the issues surrounding behavioral advertising and how to protect the privacy of consumers.  A vigorous debate is occurring over self-regulation versus the asserted need for legislation or regulation.  So it is interesting to see what is going on in Europe in the realm of self-regulation. 

In the EU, a privacy and data protection certification seal for IT products and IT-based services is in place, called the EuroPrise Privacy Seal.  The EuroPrise Privacy Seal recently was awarded to a new German behavioral targeting system called Predictive Targeting Networking (PTN) 2.0 and offered by a company called Nugg.ad.  The Nugg.ad system addresses many of the privacy issues that regulators here and abroad have focused on, such as cookie expiration dates, logging of IP addresses, the notice given to consumers, and opt out.  

For more details, see this blog entry from the Future of Privacy Forum.  

Federal Agencies Release New Genetic Information Privacy Rules

Several federal agencies released new rules yesterday implementing the Genetic Information Nondiscrimination Act of 2008 (GINA). GINA prohibits discrimination based on genetic information in health coverage and employment. The Departments of Labor, Treasury, and Health and Human Services (HHS) issued Interim Final Rules, and HHS separately, through the Office of Civil Rights (OCR), issued a Proposed Rule.

The interim final rules prohibit group health plans and issuers in the group health insurance market from: (1) increasing premiums for the group based on genetic information, (2) requesting or requiring individuals to undergo a genetic test, and (3) requesting, requiring, or purchasing genetic information prior to or in connection with enrollment, or at any time for underwriting. In general, individual health insurers are subject to the same or similar prohibitions, with certain exceptions. Comments are due on these interim final rules within 90 days of each rule’s publication in the Federal Register.

The OCR proposed rule seeks to amend the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule by including genetic information within the definition of health information and prohibiting covered health plans from using or disclosing genetic information for underwriting purposes (i.e., eligibility determinations, premium and contribution computations, applications of pre-existing condition exclusions and other activities relating to creation, renewal or replacement of health insurance). Comments are due 60 days from publication of the proposed rule in the Federal Register. 


Complimentary Hogan & Hartson Webinar on Cloud Computing on October 6th at 11 AM EDT

Readers of our blog are cordially invited to a complimentary Hogan & Hartson webinar on the legal issues arising from Cloud Computing on Tuesday, October 6 from 11 AM - 12:30 PM EDT.  To request an invitation to the webinar, please e-mail:  jbhowe@hhlaw.com

Cloud computing allows businesses to use the remote computing power of others to handle data and data applications. For most businesses, it is not a question of whether but how to use cloud computing. Cloud computing — a unique form of outsourcing — can reduce costs, improve service delivery, and allow business innovation not feasible with proprietary servers and on-site software.

So the question is how a company can use the new services in ways that protect the company and its data. As with any transfer of valuable company information, there are legal issues and legal risks that must be addressed.

In this webinar, you will learn and have an opportunity to ask questions about these issues and more:

  • What exactly is cloud computing? What forms does it take?
  • What steps should a company take to protect its intellectual property, including trade secrets and confidential information, in the cloud?
  • Is data in the cloud safe from government view, and what can you do to protect it?
  • How should you address the privacy law issues implicated by cloud computing, especially in light of the international legal rules on the cross-border transfer of data?
  • What labor and employment law issues are implicated by sending data to the cloud?
  • How does a company deal with e-discovery when using cloud computing?
  • What data security safeguards should a company put in place before putting data in the cloud?
  • Whose responsibility is it if there is a data breach and how are the requirements of data security breach notification laws met?
  • What are the contracting issues with cloud computing and the best practices for getting a solid cloud computing contract?
  • How do companies and cloud service providers handle service level issues?


Complimentary October 6th Teleconference with Professors Chris Hoofnagle and Joseph Turow, Authors of Study on Consumers' Feelings About Tailored Advertising

As recently reported in the New York Times and elsewhere, two prominent professors conducted a survey of Americans' feelings about online tracking for the delivery of tailored advertising.

The report on the survey shows that Americans have very strong feelings about tailored advertising and takes issue with the policy arguments in favor of the consumer value of online customization based on past user activity.  However, the authors suggest steps forward for industry based on “respect” and “information reciprocity”.

The Future of Privacy Forum will be hosting the authors of the study, Professors Chris Hoofnagle and  Joseph Turow, for a teleconference with Q&A on Tuesday, October 6th at Noon ET.

Readers of our blog are invited to participate.  To request call-in information, please email Heidi@futureofprivacy.org.

HHS Issues Form and Instructions for Submitting Notice of a Breach to the Secretary

The Department of Health & Human Services (“HHS”) published an electronic notification form for covered entities to submit notice of a breach of security to the Secretary. The electronic form, available on HHS’ website, is for notification of breaches affecting 500 or more individuals and for breaches affecting fewer than 500 individuals.

The on-line form includes all of the elements required by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act and the related HHS breach regulations. The form also requires covered entities to include contact information for a business associate (where the breach occurred at or by the business associate), the type of breach, the location of the breach, safeguards in place prior to the breach, and the date(s) individual notifications were provided.

If a covered entity discovers additional information related to a breach after submitting notification to the Secretary, the covered entity may submit an updated notification form using the on-line form.

New Notification Fee for Data Controllers in the UK

The United Kingdom Information Commissioner's Office ("ICO") has announced that with effect from 1 October 2009, a new notification fee of £500 will be payable by some larger organizations.  This is the first change to the fee structure since the Data Protection Act 1998 became law in 2000.

Notification is the process by which data controllers register with the ICO.  It is a mandatory requirement for organizations which process personal information in the UK.  

The new £500 per annum fee will apply to a higher tier of:

• data controllers in the private sector with a turnover of £25.9 million and 250 or more members of staff; and

• data controllers in the public sector with 250 or more members of staff.

The standard notification fee is otherwise £35 per year and this will remain so for organizations in the lower tier category.  The ICO has also confirmed that registered charities will not pay the higher fee, regardless of their size.

The increase in fees for larger organizations will, according to the ICO, help increase activity in terms of audits and investigations.   An interesting comment, which should be noted by data controllers.

Uruguay Close To Receiving EU Adequacy Recognition?

Uruguay may be on its way to becoming the second Latin-American country recognized by the European Commission as offering an adequate level of data protection. Last month, the Uruguayan government adopted a set of regulations implementing the country’s 2008 Personal Data Protection Act (Law 18331). The implementation of this new law, as well as the creation of a national data protection authority last May, are expected to have a positive impact on the European Commission’s assessment as to whether or not Uruguay’s data protection rules meet EU adequacy standards.

The EU Data Protection Directive (95/46/EC) provides that the transfer of personal data from EU Member States to non-Member States may in principle only take place if the laws in the recipient country ensure an adequate level of data protection.  The European Commission can decide that a non-EU country has adequate protection if the country’s legal framework covers all the basic data protection principles (set out in the Directive) and if there is an enforcement system in place ensuring the effectiveness of that framework. To date the European Commission has issued adequacy decisions in favor of Argentina, Canada, Guernsey, the Isle of Man, Jersey, Switzerland, the U.S. Department of Commerce’s Safe Harbor Principles, and the transfer of air travelers' data to the U.S. Department of Homeland Security.

Uruguay filed a request for EU adequacy recognition in October 2008, and the preliminary reactions so far appear to be favorable. However, the recognition process is unlikely to be completed before the end of the year. An adequacy decision from the European Commission will allow personal data to flow freely from the EU to Uruguay, without the need for additional data privacy safeguards. EU recognition will help Uruguay boost its outsourcing industry and attract more EU-based companies looking for providers of administrative, financial and other data processing services in Latin America.


Employee Liability Under the Computer Fraud and Abuse Act

Our colleague, Bill Flanagan, has provided this guest blog on a new case from the 9th Circuit construing the Computer Fraud and Abuse Act in the employment context:

The Ninth Circuit Court of Appeals recently weighed in on the question whether an employee who has been granted access to his employer’s computer system – but then uses the properly-accessed information in a manner contrary to the employer’s interest – has acted “without authorization” in violation of the Computer Fraud and Abuse Act (“CFAA”), a federal statute that imposes criminal and civil liability for certain computer crimes (LVRC Holdings LLC v. Brekka, et al., No. 07-17116 (9th Cir., Sept. 15, 2009)). The court came down on the side of the employee, ruling that because the employee had been given access to the information on the computer, he did not violate the CFAA when he allegedly misused it.


Rocky Mountain Bank Settles Gmail Disclosure Case: Controversial Case Sought to Avoid Breach Notification and Froze User's Account

It appears that Rocky Mountain Bank v. Google (ND CA), a dispute over the disclosure of a Gmail user's account, has been settled according to this newspaper report. When an employee of the bank sent a file containing names, addresses, tax ID numbers and loan information on more than 1,000 customers to a Gmail account by mistake, the Bank sued Google to get the transmittal back and to confirm that the information sent was not inappropriately accessed. The bank obtained a court order preventing Google or its unknown Gmail account holder from accessing the file, which froze e-mail access for the unknown user. This order created some controversy, as reflected here.

One of the purposes of the lawsuit was to determine whether data security breach notification obligations had been triggered. The bank sought to seal the entire record of the case, but the district court refused to seal the proceedings regarding the Gmail account. A copy of the District Court's decision is here. Sealing the record was something the plaintiff bank wanted in order to avoid prematurely (and perhaps unnecessarily) announcing a data security breach. Indeed, a major goal of the lawsuit was to seek information that would allow the Bank to avoid announcing a data security breach, but that goal was undermined by the court's refusal to seal the fact of the lawsuit (although parts of the record itself were sealed).

For many companies who misdirect e-mails containing PII, it has been a given that the misdirection alone constitutes a "breach" requiring notification to the person whose PII was in the e-mail. This case suggests that even where e-mail is misdirected, if the facts reveal that the unauthorized recipient never opened the e-mail, or for other reasons did not access the information under the definitions in the breach laws, then notice may not be required.