Role of Government in Cybersecurity Addressed by Chris Wolf at Geneva ITU Meeting

The International Telecommunications Union (ITU) is the agency of the United Nations focused on information and communications technology. It currently is hosting the ITU Telecom World in Geneva, and invited Hogan Lovells' Chris Wolf, in his capacity as founder and co-chair of the Future of Privacy Forum, to submit a paper and participate in a panel on cybersecurity challenges.  

Chris' paper, entitled "The Role of Government in Commercial Cybersecurity: Public-Private Partnerships and Improvements in Government Data Security Rather Than Government Control as the Optimal Model," is available here.

And here is the text of Chris' prepared remarks for delivery today in Geneva:

Christopher Wolf’s Remarks at the ITU Telecom World, Geneva, October 26, 2011

Thank you for inviting me to speak with you today.

ITU Telecom World 2011 here in Geneva has brought together heads of state, leaders of government and international organizations together with corporate CEOs, mayors of top cities, thought leaders, innovators and researchers. I am honored and humbled to be included among such an elite group.

And among the topics being explored here at the ITU gathering, perhaps none is as pressing as the issue of cybersecurity. So I am especially pleased to be on this panel exploring that issue.

My part of this program, in contrast with the other presentations, has a truly “macro” focus: the role of government in achieving cybersecurity.

In the paper I prepared for this session, I observe that given the dramatic increase in cybersecurity incidents, some look to government to take control of the cybersecurity problem. And in my paper, I have concluded that not only is government control not possible in most modern democracies, but it is not the best approach at all.

In my own country, the United States, there are restrictions on the government “taking charge” of the flow of information through network access, monitoring, and/or control, as well as the limitations of government technical capabilities. As a result, US cybersecurity policy is collaborative, with the government working with industry to develop flexible standards rather than prescribing complex regulations. The result is a process-oriented, thematic approach to commercial cybersecurity that is more likely to produce optimal business practices.

Indeed, government control of cybersecurity is ill-advised even in non-democratic countries, such as China. I currently am examining the so-called MLPS proposals in China, which would require indigenous Chinese technology for cybersecurity, and am concluding that a restrictive and prescriptive approach to information security blocks the adoption of best available technology and practices.

After reviewing frameworks in the US, the EU and Asia, I have concluded that government’s principal role in protecting cyberspace is and should be through (1) law enforcement, (2) improvements to its own cybersecurity and sharing its research and experience with industry and the public, and (3) engaging in a public-private dialogue about cybersecurity through which it incorporates suggestions from industry into cybersecurity policy.


Network Neutrality Advances in the E.U.

By Dan Brenner, Technology, Media and Telecoms Practice

The network neutrality debate in the U.S. has moved to the appeals courts as the 2010 FCC Order, which becomes effective on Nov. 20, awaits review. Meanwhile, two E.U. developments presage more regulatory steps forward. The result is movement away from the European Commission’s wait-and-see communique announced just last April.

On Oct. 7, the European Data Protection Supervisor opined on network neutrality and the protection of privacy. The Opinion represents a relatively balanced review of the need for internet service providers (ISPs) to manage traffic and the impulse for “function creep where the initial purposes could easily evolve into commercial or other exploitation of information collected.” The Opinion recognizes that both the content and the traffic data processed by ISPs are protected by the right of confidentiality of correspondence of the E.U. Charter. Use of either requires a “free, specific and informed indication of wishes”.


Invitation to Complimentary Webinar on SEC Cybersecurity Disclosure Guidance

On October 13th, the SEC's Division of Corporation Finance issued a Disclosure Guidance that urges public companies to evaluate their cybersecurity risks and, if material, to disclose those risks to investors.

On October 31st, Hogan Lovells will present a complimentary webinar exploring the impact of the Disclosure Guidance featuring senior lawyers in the Hogan Lovells Capital Markets and Privacy and Information Management practices, as well as a managing director of Stroz Friedberg LLC, a technology firm assisting clients with digital risks.

For more information, and to register, click here.

Since all businesses using the Internet are, to some degree, vulnerable to intrusions, what does the new guidance actually mean for public companies? That question and the following will be addressed in the webinar:

  • When does the risk of intrusion become material?
  • What are the triggers for reporting?
  • What assessments are required?
  • Does every company suffering a data security breach have to report it to the SEC?
  • What has to be reported?
  • How can the reporting company make public disclosure of cybersecurity risks in a way that will not make the company a target for attacks?
  • What is the best way for a company to wrap its arms around a cyberattack so it can make the appropriate disclosure?
  • What steps should a company take to ensure its disclosure is a fair, accurate, and timely description of the attack?

Readers of the Hogan Lovells Chronicle of Data Protection are invited to attend.

New Guidelines Released for Mobile App Privacy Policies

On October 17, the Mobile Marketing Association (“MMA”) released a set of draft privacy policy guidelines for mobile applications (“apps”) designed to address key data and privacy security issues. Entitled “Mobile Application Privacy Policy Framework,” the draft guidelines provide a “starting point” privacy policy template written in consumer-friendly language with instructions for adapting the template to specific apps.


Proposed FAR rule would require privacy training for government contractors

On October 14, 2011, the Department of Defense (DOD), the General Services Administration (GSA), and the National Aeronautics and Space Administration (NASA) published a proposed rule that would amend the Federal Acquisition Regulation (FAR) to strengthen government contractor privacy training.

Specifically, the proposed rule would require the employees of federal government contractors who work with government records containing personally identifiable information to undergo privacy training on an annual basis. The purpose of this amendment to FAR would be to extend existing Privacy Act training requirements to the employees of government contractors who work with covered systems of records.

For complete details and analysis, see this Alert from the Hogan Lovells Government Contracts and Privacy and Information Management practices.

French Data Protection Authority launches public consultation on cloud computing

The French Data Protection Authority (the Commission Nationale de l'Informatique et des Libertés or CNIL) opened a public consultation on cloud computing, citing the growing significance of the cloud computing market: "already €6 billion at the European level, with a yearly growth of approximately 20%". The CNIL believes that the opacity inherent in cloud computing raises data protection concerns.

The CNIL’s consultation focuses on five areas: definition of cloud computing, role of the parties, applicable law, international transfers of data outside the European Union and data security.

The consultation process opened on 17 October 2011 and input is sought from the public.


SEC Issues First-Ever Guidance on Disclosure to Investors of Cybersecurity Risks

Following a request in May 2011 from Senator Jay Rockefeller (D-WVA) to the Securities and Exchange Commission that the SEC advise public companies on when disclosure of cybersecurity risks to investors is mandated, on October 13 the Division of Corporate Finance at the SEC issued a Disclosure Guidance that for the first time advises registrants to evaluate their cybersecurity risks and, if deemed material, to disclose such risks to investors. The Guidance contained this caveat:

The statements in this CF Disclosure Guidance represent the views of the Division of Corporation Finance. This guidance is not a rule, regulation, or statement of the Securities and Exchange Commission. Further, the Commission has neither approved nor disapproved its content.

Still, companies that ignore the advice from the Division of Corporation Finance and fail to assess and disclose material cybersecurity risks do so at their peril, risking regulatory and legal action.


German DPAs Issue Rules for Cloud Computing Use

The German data protection authorities on September 26, 2011 adopted an "Orientation guide – cloud computing." The guide sets out mandatory and recommended content for any agreement between German users of cloud computing services (“customers”) and cloud computing service providers. It highlights the customer's responsibility for full compliance with German data protection requirements for the cloud. Based on this orientation guide, customers and providers will have to review existing agreements in the German market.

Privacy and data protection compliance has been a challenging and unclear issue for cloud computing customers and service providers. The new German "orientation guide", adopted by the Munich conference of the German data protection authorities, gives clear guidance to cloud computing service providers and their customers in the German market. Privacy practitioners can expect that German DPAs will refer to this guide when addressing situations that raise close questions about the application of data protection laws to cloud computing.


Ninth Circuit Extends the Protections of the ECPA to Foreign Citizens

Thanks to Steven Spagnolo for his substantial assistance in drafting this entry.

On October 3rd, the Court of Appeals for the Ninth Circuit became the first appeals court to extend the protections of the Electronic Communications Privacy Act (“ECPA”) to non-U.S. citizens when it held in Suzlon Energy Ltd. v. Microsoft Corp. that the Stored Communications Act (“SCA”) provisions of the ECPA protect the confidentiality of all email communications stored in the United States, not just those of U.S. citizens. This broadening of the jurisdictional scope of the ECPA and SCA is likely to result in increased data privacy protection for foreign citizens, at least with regard to email communications that are physically stored on servers located in the U.S. In addition, the expanded scope of the law may simplify the process by which electronic communications service providers respond to requests for stored communications, likely alleviating the need to engage in an assessment of the citizenship of the data subject whose communications are sought.


French Court of Appeals rejects company's whistleblower system despite CNIL approval

A French Court of Appeals in Caen recently confirmed a lower court's order for the suspension of a whistleblowing system implemented by the French company Benoist Girard, a subsidiary of the American group Stryker. The decision comes as a surprise because it rejects the approval of the whistleblowing system by the French data protection authority (the "CNIL").

Under French law, the implementation of whistleblowing systems is subject to prior authorization by the CNIL. To reduce the burden of such formalities, the CNIL issued, in 2005, a general authorization for whistleblowing systems limited to the reporting of accounting, financial, banking and corruption misconduct (the "General Authorization"). Benoist Girard implemented its whistleblowing system in 2008 by relying on the General Authorization, despite three negative opinions on the system issued by the company's Works Council (the "CE").

In 2009, Benoist Girard's CE and Hygiene and Security Committee (the "CHSCT") contested the validity of the whistleblowing system before the Caen Tribunal of First Instance, arguing that it allowed the reporting of alleged misconduct beyond the scope of that covered by the General Authorization. The CE and CHSCT therefore argued that the system required prior specific authorization from the CNIL. The Tribunal ruled in favour of the CE and CHSCT, holding that the system, as implemented, was in breach of French data protection legislation and posed an immediate and substantial threat to the rights and freedoms of the employees. Benoist Girard appealed this decision.

In its analysis of the matter, the Caen Appeal Court first held that the CE and the CHSCT had to be consulted prior to the implementation or modification of the whistleblowing system, and then analysed the system in detail to evaluate its compliance with French law.


Pending Revision of EU Directive Prompts Questions About Safe Harbor

The pending proposal from the European Commission for revision of the EU Directive (expected in early 2012) raises questions about the efficacy under a revised Directive of the EU-US Safe Harbor framework, which permits the legal cross-border transfer of personal data from the EU to the US for companies enrolled in the Safe Harbor and committed to the requisite privacy protections. That's the recent observation in Europolitics, the European Affairs daily:

It is not clear what impact a revamp of the EU and US data privacy legal frameworks would have on Safe Harbour. According to the Commerce Department official, "we have been assured by the European Commission that Safe Harbour will not be affected by changes in the Data Protection Directive". The official adds, however, that they do have concerns about US firms lacking the clarity they need should new terms like 'privacy by design' and 'right to be forgotten' be introduced without their precise meaning being spelled out. A Commission proposal is due to be unveiled in early 2012.

The article goes on to speculate about and comment on pending US privacy legislation and its effect on cross-border transfers, concluding that passage of a new US law is not likely:

Meanwhile, the US Congress is considering several bills that could move the US from its current sector-based system to a more comprehensive framework. If this happens, Washington could ask the Commission to adopt a so-called adequacy finding on the US data privacy framework, which would permit an automatic free flow of personal data from the EU to the US. This could effectively render Safe Harbour obsolete. But there is no guarantee that the Commission would adopt such a finding even if Congress does enact comprehensive data privacy legislation. Moreover, with the Obama administration not yet strongly pushing these bills and some Republicans on Capitol Hill opposing them on the grounds that they will stifle innovation in the digital environment, their passage looks far from certain.

On the efficacy of the Safe Harbor arrangement, Peter Fleischer, Google's Global Privacy Counsel, offered a rousing defense in a recent blog post: "I cannot think of a single international privacy framework that has done more to raise the standards of privacy practices by US companies over the last decade than Safe Harbor."
