NIST Issues Guidance on Cloud Computing Privacy and Security Requirements for Federal Agencies

Joel Buckman, an associate in the Hogan Lovells Privacy and Information Management practice group in the Washington, D.C. office, assisted in the preparation of this entry.

Recent guidance from the National Institute of Standards and Technology (“NIST”) encourages federal agencies to take advantage of cloud computing. It also provides draft security and privacy guidelines for federal agencies to follow when engaging cloud providers. The draft guidelines serve as roadmaps for how to negotiate meaningful privacy and data security protections from cloud providers. Though prepared for federal agencies, the draft guidelines could prove influential to the private sector as an increasing number of private businesses use cloud services. NIST has requested comments on the drafts by no later than February 28, 2011.

Cisco Privacy Site Features Hogan Lovells Cloud Compliance Primer

Cisco has launched a Privacy and Security Compliance Journey web site with a variety of useful materials and resources. Here is how Van Dang, Vice-President, Law and Deputy General Counsel of Cisco describes it:

We want to share with our customers, colleagues in other legal departments and other interested parties our privacy and security compliance journey - and it is a journey since the legal framework and regulations in this area are still evolving. We hope you will find useful materials and resources featured in each tab below. We also hope that you will share your best practices and give us feedback on how we can improve. Cisco is pleased to host this collaborative site in support of the privacy community and is committed to continuously refreshing content, so please bookmark the site for future reference.

Hogan Lovells is pleased to have its primer on legal issues in Cloud Computing including privacy and data security concerns as the first featured content on the Cisco site.

FinCEN Considers Proposed Rule to Require Reporting of Cross-Border Electronic Fund Transfers

Comments are due December 29 on a proposal that would require banks and money transmitters to report information to the U.S. government regarding international fund transfers, including the Social Security numbers of individuals that send or receive such funds.  

On September 30, 2010, the Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Department of the Treasury, published a Notice of Proposed Rulemaking (NPRM) for public comment.  The proposal would amend Bank Secrecy Act (BSA) regulations to add two new requirements.  First, banks and money transmitters would be required to report transmittal information on cross-border electronic transmittals of funds (CBETFs) on an ongoing basis; banks would have to report transfers of any amount, while money transmitters would have to report transfers of at least $1,000.  For reportable transactions of $3,000 or more, money transmitters would have to include in the report the taxpayer identification number (TIN), alien identification number, or passport number of the transmitter or recipient.  Second, the proposal would require all banks to file an annual report with FinCEN of the account numbers and TINs associated with each account that initiated or received a CBETF.

The information that would be reported is largely information that banks and money transmitters already collect, even though they currently are not required to report it as they would be under the proposed rule.

The proposal is aimed at furthering the government’s efforts to combat money laundering, terrorist financing, and other violations of law such as tax evasion and customs fraud.  The reports, FinCEN asserts, would greatly facilitate the ability of authorities to investigate and prosecute such activity.  The reports would be submitted to FinCEN, but could be accessed by other federal and state authorities.  This is already the case with other data currently collected pursuant to BSA.   

However, the affirmative reporting of information on all CBETFs – including account numbers and TINs – would be a significant change.  FinCEN would be given the Social Security number of every individual that uses a U.S. bank to either send or receive funds electronically across U.S. borders, and of many other persons that use money transmitters for such transfers.  This raises possible privacy and data security concerns – due both to the fact of the government having such data and to the need to prevent improper access to or misuse of the data.    

FinCEN has acknowledged the privacy and security concerns raised by the proposal and states that it will maintain sufficient procedures to keep such information safe and secure.   The data, FinCEN observes in the NPRM, “is highly sensitive data containing details about the financial activity of private persons.  Without proper safeguards, this data could be at risk of inadvertent or deliberate disclosure or misuse[.]” 

FinCEN is statutorily prohibited from issuing a final rule until it has established adequate, secure systems to accept the required reports.  For that reason, FinCEN does not expect to issue a final rule before January 1, 2012, because it does not expect to have the information technology systems in place to accept the reports before that time.  Even after a final rule is issued, FinCEN anticipates delaying the mandatory compliance date for some period to allow time for financial institutions to implement procedures to comply with the rule.

ICO Issues First Monetary Penalties for Serious Data Breaches

The UK data protection authority has issued its first monetary penalties for serious data protection breaches. The two cases highlighted in the ICO press release reveal that a county council has been fined £100,000 for faxing highly sensitive information relating to child sexual abuse cases and care proceedings to the wrong recipients, on two separate occasions. The second case involves an employment services company, which has been issued with a fine of £60,000 for the loss of an unencrypted laptop. 

These are the first substantial fines imposed by the ICO following the introduction of the new monetary penalties in April this year, and the cases will attract huge attention as a result. The ICO has the power to award fines of up to £500,000 for serious breaches of the Data Protection Act, but until now no major fines had been levied and it has been difficult to give real examples of the likely amounts for serious breaches.

The ICO has issued guidance on the new monetary penalties regime, which includes further details of the Commissioner's approach to these cases of serious data protection breach. The decision-making process followed by the Commissioner is set out in a flowchart within the guidance, as follows:

The Commissioner has to be satisfied that –

a) There has been a serious contravention of section 4(4) of the Data Protection Act by the data controller; and
b) The contravention was of a kind likely to cause substantial damage or substantial distress; and either,
c) The contravention was deliberate; or,
d) The data controller knew or ought to have known that there was a risk that the contravention would occur, and that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent the contravention.

Once satisfied, the Commissioner will consider the level of fine to impose. The cases contained within the new press release may not be at the upper end of the scale, but they are not insignificant and should be noted by data controllers.

White House Proposes Cloud Computing Security Requirements for U.S. Government Agencies

On November 2, the General Services Administration (“GSA”) published the Proposed Security Assessment & Authorization for U.S. Government Cloud Computing guidelines, developed by an interagency team composed of representatives from the CIO Council, GSA, the National Institute of Standards and Technology (“NIST”), and other organizations.  The proposed guidelines are designed to provide a centralized system for assessing and authorizing cloud computing services for all U.S. government agencies in a manner that would provide appropriate security and maximize the efficiency of government contracting.  High impact U.S. government information services (e.g., classified military and intelligence data) would not be subject to these guidelines.  The agencies responsible for such activities would retain primary authority to assess and authorize information technology services in accordance with applicable laws and regulations.  Public comments on the proposed guidelines will be accepted until December 2, 2010.

The proposed guidelines call for security assessment and authorization of all cloud computing services for U.S. government agencies by the Federal Risk and Authorization Management Program (“FedRAMP”).  Consistent with the requirements of the Federal Information Security Management Act, the proposed guidelines would require cloud service providers to demonstrate compliance with a variety of security obligations detailed in NIST Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations (August 9, 2009).  Some of the controls recommended within NIST SP 800-53 have been augmented in the proposed guidelines.  Examples of these modifications include:

  • implementation of FIPS 140-2 compliant encryption for any Software as a Service (“SaaS”) offering that includes email; and
  • maintenance of at least three backups of user and system level data (one of which must be available online).

In addition to the goal of ensuring appropriate security for information used by the U.S. government, the guidelines are intended to improve the efficiency of the cloud service contracting process by creating an “authorize once, use many” system.  Once a cloud service provider has been authorized by FedRAMP for one agency, its services would be pre-authorized for other agencies.

CFTC Proposes Rules on Affiliate Marketing, Data Disposal, and GLBA Privacy

On October 27, the Commodity Futures Trading Commission (CFTC) published two Notices of Proposed Rulemaking (NPRMs) proposing privacy rules under the Gramm-Leach-Bliley Act (GLBA) and affiliate marketing and data disposal rules under the Fair Credit Reporting Act (FCRA).

The rulemakings were prompted by the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act).

The CFTC, an independent federal agency, maintains oversight over the commodity and financial futures and options markets.  The Dodd-Frank Act creates two new categories of entities that are subject to CFTC jurisdiction:  “swap dealers” and “major swap participants.”  Thus, the CFTC has proposed that those two types of entities would explicitly be subject to the CFTC’s existing GLBA privacy rules, first issued in 2001. Those rules impose certain obligations regarding the treatment of consumers' nonpublic personal information - in particular, restricting the ability of a covered entity to disclose such information to a party not affiliated with that entity. 

The CFTC’s second NPRM proposes to implement sections of FCRA dealing with affiliate marketing and data disposal.  The CFTC's proposed affiliate marketing rule would closely resemble the affiliate marketing rules issued by the Federal Trade Commission and the federal banking agencies in late 2007. While the CFTC has joined those agencies in other rulemakings, it did not join that particular rulemaking.  However, the Dodd-Frank Act specifically authorizes the CFTC to issue rules implementing the affiliate marketing and data disposal provisions of FCRA.

As with the other agencies' affiliate marketing rules, under the proposed rule an entity generally could not use a consumer's "eligibility information" received from an affiliate to make marketing solicitations to that consumer unless the consumer had first been given notice that such marketing may occur, a reasonable opportunity to opt-out of such use, and had not opted out. 

The disposal rule would require entities subject to CFTC jurisdiction that possess or maintain consumer information to develop and implement written policies and procedures for the proper safeguarding and disposal of such information.  The policies and procedures would be required to address, among other things, administrative, technical, and physical safeguards for consumer information, including protections against unauthorized access to or use of such information in connection with its disposal.  Such requirements are similar to the disposal rules issued by the FTC and federal banking agencies in 2004.

The CFTC is proposing to make the rules effective on July 21, 2011, the planned "transfer date" on which certain authority over consumer protection matters is to be transferred from other federal agencies to the Consumer Financial Protection Bureau created by Dodd-Frank. 

Public comments are due on each proposal by December 27, 2010.

U.S. Senate Hearing on Data Protection

On September 22, the U.S. Senate Commerce Committee's Consumer Protection, Product Safety, and Insurance Subcommittee held a hearing on S.3742, The Data Security and Breach Notification Act of 2010.  This Act would give the Federal Trade Commission the authority to require a wide range of commercial and nonprofit entities to establish security practices to protect personal information, including social security numbers and certain financial information.  Entities also would be required to notify individuals in the event of a breach of such information.  Hogan Lovells US LLP partner Melissa Bianchi testified before the Subcommittee about the effect this legislation would have on HIPAA covered entities, on behalf of the American Hospital Association.  A link to the hearing and video is available at http://commerce.senate.gov/public/index.cfm?p=Hearings.

UK's ICO Issues Code of Practice on Online Privacy

This month saw the launch of the ICO's first code of practice on online privacy, following extensive consultation earlier in the year. The code provides good practice advice for organisations providing goods and services using the web and explains how the Data Protection Act applies to the collection and use of personal data online.

The code is divided into the following 7 chapters, and also includes a helpful annex and glossary of terms, for those less familiar with online jargon. You can read on to see our summarised highlights of the code, but we also recommend reading the full guidance document on the ICO website, through the link provided above. It should be of particular interest to businesses engaged in behavioural advertising, online sales and cloud computing.

Twitter Consent Order Evidences Broader Scope of FTC Information Security Enforcement

On June 24, the FTC announced a proposed consent order with social networking service provider Twitter, Inc.  The Twitter investigation is consistent with the FTC’s longstanding interest in policing the data privacy and security practices of social networking services, dating back to the FTC’s first online privacy case against Geocities in 1998. 

Within the general framework of FTC information security jurisprudence, this investigation reflects three noteworthy developments.  First, the investigation demonstrates the broad reach of FTC Act § 5 concerning data security, extending well beyond protection of the kinds of data traditionally considered sensitive (e.g., Social Security Numbers and payment card numbers).  Second, the complaint introduces security expectations, concerning controlling administrator-level access to information systems, that had not been previously expressed by the FTC.  Third, this enforcement action appears to show that the FTC considers the protection of personal information critical at all stages of the business lifecycle, from start-up to wind-down.

A.  Data Security Obligations Are Not Limited to Sensitive Personal Information

The FTC alleges that lapses in Twitter’s data security practices resulted in unauthorized persons gaining access to user accounts containing mobile telephone numbers, email addresses, and IP addresses.  Unlike prior data security investigations, there is no allegation that unauthorized persons gained access to the traditionally identified forms of sensitive personal information, such as SSNs, financial account numbers, government ID numbers, or consumer reports.  Nor is there any allegation that the affected information revealed sensitive personal characteristics (e.g., medical conditions) either directly or as revealed by purchases.  There may be a number of explanations for this departure from past precedent.

1.  Consumer Expectations Influence Security Obligations

All the data types affected by the security incidents suffered by Twitter were stored in areas that were allegedly described by Twitter as non-public.  Hence, the FTC concerns appear to stem in part from the fact that consumers submitted such information to Twitter under the impression that Twitter would prevent unauthorized sharing.  Accordingly, consumer expectations, rather than any fixed list of data elements, may dictate the steps that a company is expected to take to protect such data.  Such a standard may have far reaching implications for websites, particularly those that encourage visitors to build profiles that are not intended for public display, including social networking services that offer users the option of maintaining “private” (or otherwise limited access) profiles. 

2.  Fraud Prevention

Among the consequences of Twitter’s alleged failure to secure its systems was the misuse of existing Twitter accounts to transmit fraudulent messages.  The FTC does not discuss the public policy concerns posed by the transmission of fraudulent messages in any great detail.  Nonetheless, concerns likely include reputational damage, particularly for public figures and businesses (e.g., the Twitter incident resulted in fraudulent tweets transmitted from the accounts of President Barack Obama and Fox News).  In addition, recent press reports indicate that criminals have used compromised social network accounts to attack the account holder’s friends list with messages containing malicious software or fraudulent pleas for money. 

B.  Securing Administrator Level System Access

The attacks perpetrated against Twitter allegedly exploited weaknesses in the security measures used to limit administrator level access.  Because administrator level privileges allow users to manipulate the settings and content of individual user accounts, the attackers were then able to take control of numerous accounts to view private information and engage in fraudulent activity. 

The specific security lapses cited by the FTC included the failure to:

  • establish or enforce strong password policies;
  • prevent the storage of administrative passwords in plaintext in employees’ private email accounts;
  • suspend or disable administrative accounts after a number of failed login attempts;
  • provide a separate login page for administrative access the address of which was made known only to authorized users;
  • enforce periodic changes of administrative passwords (e.g., 90-day expiration);
  • restrict access to administrative controls based on employees’ job functions; and
  • impose other restrictions on administrative access, such as by restricting access to specified IP addresses.

OCR Issues Guidance on Risk Analysis for HIPAA Security Compliance

On Friday, May 7, 2010, the Office for Civil Rights (“OCR”) issued guidance related to the HIPAA Security Rule’s risk analysis requirement.  Under HITECH, OCR is responsible for issuing annual guidance on provisions of the HIPAA Security Rule.  This guidance is the first in a series of documents aimed at helping covered entities and business associates implement effective and appropriate administrative, physical, and technical security safeguards. 

This guidance document is generally consistent with the materials provided by the Centers for Medicare and Medicaid Services (“CMS”) prior to the introduction of HITECH.  For example, like the recently released OCR guidance, CMS historically directed covered entities to refer to the National Institute of Standards and Technology’s Special Publication 800-66 Rev.1, An Introductory Resource Guide for Implementing the HIPAA Security Rule (October 2008) (“NIST 800-66”).  NIST 800-66 frequently directs readers to consult NIST SP 800-30, Risk Management Guide for Information Technology Systems (July 2002), which is also quoted extensively in the recently released OCR guidance.  Moreover, the OCR guidance is quite similar to the HIPAA Security Series, Paper 6: Basics of Risk Analysis and Risk Management which was most recently revised by CMS in March 2007. 

OCR encourages the public to offer feedback on the risk analysis guidance. Comments can be submitted to OCR at OCRPrivacy@hhs.gov.

Department of Defense Proposes New Information Security Requirements for Contractors

The U.S. Department of Defense (DOD) has issued an advance notice of proposed rulemaking regarding amendments to the Defense Federal Acquisition Regulation Supplement (DFARS) that would add new data protection requirements for unclassified DOD information used or handled by contractors. See 75 F.R. 9563 (March 3, 2010). The proposed amendments would create a two-tiered system of data security requirements, as well as an obligation to notify the DOD of security incidents.

The two tiers of data security requirements are described as “basic safeguards” and “enhanced safeguards,” both of which require “adequate security.” Under the proposed rules, “adequate security” would mean: “protection measures … commensurate with the risks (i.e., consequences and their probability) of loss, misuse, or unauthorized access to or modification of information.” 75 F.R. at 9566.

Basic safeguards are required for any unclassified DOD information. The required protections would include:

  • prohibiting the posting of any DOD information on websites unless they are restricted to users that provide user ID/password, digital certificate, or similar credentials;
  • using the “best level of security and privacy available” for transmissions of any DOD information transmitted via email, text messaging, and similar technologies;
  • transmitting any DOD information via telephone or fax only when reasonably assured that access is limited to authorized recipients;
  • protection of all DOD information by at least one physical (e.g., locked container) or electronic (e.g., user/password restriction) barrier;
  • sanitization of media in accordance with NIST protocols prior to disposal;
  • implementation of regularly updated malware protection and software patches/upgrades;
  • limiting sharing of any DOD information to third parties that have a “need to know;” and
  • contractually obligating all subcontractors to abide by the proposed regulations.

See id.

Enhanced safeguards apply to unclassified DOD information that meets one or more of the following criteria:

  • Critical Program Information (as defined in DOD Instruction 5200.39);
  • data subject to export controls under the International Traffic in Arms Regulations and Export Administration Regulations;
  • data designated for withholding under the FOIA program (as described in DOD Directive 5400.07);
  • data bearing current or prior controlled access/dissemination designations (e.g., For Official Use Only, Limited Distribution, and Proprietary);
  • technical data, software, or other information subject to DOD Directive 5230.24; and
  • personally identifiable information, including (but not limited to) data protected by the Privacy Act and HIPAA.

See 75 F.R. at 9566 - 67.

In addition to the basic safeguards listed above, contractors would be obligated to implement the following measures for data subject to enhanced safeguard requirements:

  • reporting any “cyber intrusion incident” to DOD, which includes any event involving unauthorized access to DOD information or an “advanced persistent threat” (meaning a “proficient, patient, determined, and capable adversary”);
  • cooperating with and providing support for DOD investigations of reported cyber intrusion incidents;
  • encryption when transmitting DOD information across wireless networks (by encrypting either the wireless connection itself or the individual files transmitted across such connections);
  • encryption of DOD information stored on laptops, mobile devices, and removable media;
  • monitoring and control of network traffic through mechanisms such as firewalls and/or intrusion detection/prevention systems; and
  • implementation of an information security program consistent with NIST Special Publication 800-53.

See id.

With regard to the “cyber intrusion incident” reporting requirements, “advanced persistent threats” appear to be reportable without regard to whether such a threat actually results in unauthorized access to DOD information. Attempted advanced persistent threats may be reportable events. In addition, covered contractors may be obligated to comply with all reporting, support, and cooperation requirements for incidents reported by their subcontractors.

With regard to cross-compliance with HIPAA, it appears that entities which are already compliant with the HIPAA Security Rule would not be required to make substantial changes to their existing safeguards for protected health information with the exception of adding procedures for reporting “cyber intrusion incidents” to, and cooperating with resulting investigations by, DOD.

The public comment period ends on May 3, 2010. DOD has scheduled a public meeting to discuss the proposed regulations on April 22, 2010 from 8:00 AM to 4:00 PM (EST). Attendees are expected to register two weeks in advance (thus, by April 8, 2010).

FCC Releases National Broadband Plan, Promotes Consumer Control Over Personal Information

The Federal Communications Commission released its long-awaited National Broadband Plan today, providing an aggressive roadmap for advancing affordable broadband deployment and adoption; stimulating economic growth; and boosting the nation's capabilities in education, healthcare, homeland security, and other areas.  The Plan also appears to confirm that the FCC is looking to take an expanded role in privacy-related consumer protection issues.

In the Plan, the FCC discusses a number of broadband privacy and data security issues focused on the protection of and consumer control over personal information.  For example, the FCC states that “[t]he collection, aggregation and analysis of personal information are common threads among, and enablers of, many application-related innovations...” and the Plan notes the value of services such as customized suggestions for movie rentals or books and more targeted and relevant advertising.  It cautions, however, that “many users are increasingly concerned about their lack of control over sensitive personal data.”

The FCC then remarks:

“Innovation will suffer if a lack of trust exists between users and the entities with which they interact over the Internet.  Policies therefore must reflect consumers’ desire to protect sensitive data and to control dissemination and use of what has become essentially their ‘digital identity.’  Ensuring customer control of personal data and digital profiles can help address privacy concerns and foster innovation.”

The FCC also makes several broadband privacy and data security recommendations in the Plan, including:

  • Encouraging Congress and the Federal Trade Commission (as well as the FCC) to clarify the relationship between users and their online profiles, including disclosure and consent requirements and data collection, sharing, storage, safeguarding, and accountability responsibilities;
  • Suggesting that Congress consider helping spur the development of trusted "identity providers" that can help consumers maximize the privacy and security of their data;
  • Having the FTC and FCC jointly develop principles to require that customers provide informed consent before broadband service providers share certain information with third parties (including account and usage information and other personally identifiable information); and
  • Prompting the federal government to put additional resources into combating identity theft and fraud and enhancing consumer online security.

In addition, the Plan includes several privacy and data security recommendations in the smart grid and cybersecurity areas, including a recommendation that states require utilities to "provide consumers access to, and control of, their own digital energy information, including real-time information from smart meters and historical consumption, price and bill data over the Internet."  If states fail to do so within 18 months, the Plan recommends that Congress consider national legislation.

Enterprises Should Beware the Pitfalls of Compliance with the Massachusetts Information Security Regulations

The Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts, 201 CMR 17.00 (“Massachusetts Standards”), include a broad range of administrative, physical, and technical obligations.  Nevertheless, there are certain common business processes that may pose unique and substantial compliance challenges.  Accordingly, organizations subject to these regulations should give very careful consideration to their practices in the following high risk areas. 

Email

First, the obligation to encrypt all sensitive personal information transmitted over public networks will have a substantial impact on the use of email to collect and transmit such data.  While there is generally accepted technology available to encrypt email and/or files attached to emails, implementing such tools and properly training the workforce to use them may require significant expense.  (It should also be noted that this would apply to webpage forms that populate and transmit emails, as well as the use of Instant Messaging, Text Messaging, or similar technologies to transmit personal information.)

Organizations that exchange personal information directly with consumers may find the transition particularly difficult.  Many consumers may be ill-equipped to deal with encrypted messages and attachments.  Moreover, the encryption/decryption process may create negative user experiences that undermine customer goodwill.  While decrypting messages and attachments may be quite straightforward for the technology savvy consumer, it is likely to be confusing or frustrating for many others.  Similar complications may arise when dealing with small to mid-sized third party service providers that have limited technological sophistication.

In light of the foregoing, many organizations may consider alternative communications protocols, such as shifting email-dependent business processes to web browser-based processes that can be secured in a more efficient and centralized manner. Web pages served over secure HTTP or secure FTP could replace most present-day email communications involving personal information. 

Portable Devices

The Massachusetts Standards require the encryption of sensitive personal information stored on portable devices.  By the Massachusetts government’s own admission, there are no generally accepted encryption tools for use on many commonly-used portable devices, such as smartphones and PDAs.  As a result, enterprises subject to the Massachusetts Standards should carefully consider when it is necessary and appropriate, if ever, to store sensitive personal information on portable devices.  Alternatives, such as truncation of sensitive data (e.g., SSNs and financial account numbers) and use of secure online protocols (e.g., secure HTTP or secure FTP) for transmitting data to third parties, should be thoroughly contemplated.  In those instances when such storage is both necessary and appropriate, procedures, including workforce training, should be developed to ensure that the data remains secure during storage.

 

There is a certain level of overlap with the email concerns discussed above, because a likely source of personal information on smartphones is the email messages that may be accessed through the devices.  Since encryption of these messages may not be practicable, organizations may have further incentive to suspend the exchange of personal information via email in favor of browser-based protocols.

 

Third Party Relationships

 

The Massachusetts Standards require enterprises to “select and retain” third party service providers that will provide safeguards consistent with the other requirements of the regulations, as well as contractually obligate third party service providers to maintain such safeguards.  The “select and retain” provision is fairly vague, affording the Massachusetts government (and courts) the opportunity to interpret it in ways that could introduce substantial obligations.  This provision appears to impose obligations to engage in pre-contract evaluation and post-execution monitoring of the security practices of third parties. 

 

Prior iterations of the Massachusetts Standards included an explicit requirement to obtain written certification of compliance from third party service providers.  Since that language has been removed, the regulations no longer provide concrete guidance on what steps should be taken to “select and retain” appropriate third party service providers.  The resulting ambiguity is a problem for both data owners and their prospective service providers.  Service providers are reluctant to reveal detailed information about their security policies and procedures because such information may be misused at significant cost to the service provider.  On the other hand, data owners are limited in their ability to rely upon imprecise representations of robust security measures from service providers because such representations appear to be self-serving. 

 

Accordingly, it is important for enterprises in both positions (as data owners and/or service providers) to thoroughly analyze the most effective and appropriate way to ensure that their contractual relationships satisfy the Massachusetts Standards.  Among the potential alternatives is the retention of reputable independent auditors to analyze service provider security practices and generate compliance reports for distribution to business partners (as is common for third parties that provide services subject to the Sarbanes-Oxley Act).

Massachusetts Regulations May Herald New Era for Information Security

A new era of information security law may well start as the Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts, 201 CMR 17.00 (“Massachusetts Standards”), go into effect today, March 1, 2010.  All institutions collecting sensitive personal information (e.g., a name combined with a Social Security Number, state-issued identification number, or financial account number) from Massachusetts residents should pay careful attention to the requirements and enforcement of these regulations.  However, the implications beyond those entities that operate in Massachusetts may be longstanding as well.

 

Information Security Law Trend: From Generalities to Specificity

 

While information security statutes and regulations are fairly new developments in United States law, the previous trend reflected a bifurcated approach by federal and state authorities.  On the one hand were somewhat ambiguous reasonableness standards imposed by states such as California and Texas.  On the other hand were detailed regulations imposed upon industry sectors commonly involved in the handling of sensitive personal information, such as the HIPAA Security Rule, the GLB Safeguards Rule, and the FCRA/FACTA Disposal Rule.

 

As press reports of significant breaches of sensitive personal information continued to mount, state lawmakers have taken an increasingly aggressive approach to regulation. Starting with the rather quiet passage of the Oregon Identity Theft Protection Act and the more widely noted passage of the Minnesota Plastic Card Security Act, both in 2007, several states have attempted to adopt detailed information security obligations applicable to all entities that handle sensitive personal information.  More recently, Nevada revised its data protection statute to include an obligation that businesses handling credit card transactions comply with the Payment Card Industry Data Security Standard (PCI DSS), similar to the Minnesota Plastic Card Security Act.  Meanwhile, detailed information security regulations remain under development in New Jersey.

 

A New Revolution Starts in Massachusetts

 

The Massachusetts Standards stand as a unique development in this lineage because they are notably more comprehensive than the reasonable security statutes implemented in many states and expressly disclaim any exemptions based upon compliance with other regulatory schemes (whether self regulatory such as PCI DSS or federal such as HIPAA and GLB).  In fact, the Massachusetts Standards include a number of technical requirements that are not spelled out in similar detail in the federal sector-specific regulations.  For example, the Massachusetts Standards expressly require the implementation of network firewalls and regularly scheduled patching of operating systems, obligations that are not expressed in either the HIPAA Security Rule or the GLB Safeguards Rule. 

 

While the Commonwealth’s enforcement agenda remains to be seen, particularly with respect to out-of-state organizations, the regulations are likely to have a distinct impact on many entities. The wide scope of the regulations themselves (covering many administrative, physical, and technical security areas) and the entities arguably subject to the regulations (any entity, regardless of size, that collects sensitive personal information from Massachusetts residents), will compel a significant number of organizations to consider their compliance alternatives.

 

Although the Massachusetts Standards are designed to scale to the unique circumstances of each entity subject to the obligations (a point reemphasized in revisions issued on August 17, 2009), it is yet to be seen how the enforcement authorities will apply this scalability in practice.  Some of the provisions introduced in an attempt to increase the flexibility of the regulations have inadvertently led to new ambiguities.  For instance, the technical security requirements are only necessary to the degree that they are “technically feasible.”  However, the definition of “technically feasible” (“if there is a reasonable means through technology to accomplish a required result, then that reasonable means must be used”) provides limited practical guidance.  Regardless of their ultimate decisions, entities will be assuming a certain level of risk with any compliance decision until the Massachusetts authorities establish further guidance, either through supplemental documents or enforcement actions.

All that being said, many elements of the Massachusetts Standards are more evolutionary than revolutionary, but their impact may still be substantial.  For example, the Massachusetts Office of Consumer Affairs and Business Regulation has stated in its official Frequently Asked Questions that all backup media must be encrypted prospectively.  While encryption has been a solution of choice for legislators and regulators for some time now, it has historically been encouraged as a form of safe harbor from data breach notification requirements (in state law and in recently issued federal health data breach notification regulations).  However, the Massachusetts Standards join the Nevada encryption law in mandating the encryption of sensitive personal information both during transmission and during storage on portable devices and media.  The financial and opportunity costs of such wide-ranging obligations to encrypt data may prove substantial, and enterprises should be planning accordingly.

 

FTC Sends Warning Shot to Organizations Allowing Peer-to-Peer Software on their Networks

The Federal Trade Commission has warned one hundred businesses and organizations that peer-to-peer software (typically used by employees to download and share copyrighted music, software and movie files over the Internet) is exposing information on customers and employees, including health and financial data, Social Security numbers and driver's license numbers.

In a release entitled "Widespread Data Breaches Uncovered by FTC Probe" the FTC warned that the presence of privacy-violating peer-to-peer software on an organization's network may represent a violation of the security obligations under a variety of federal statutes.

In a sample letter of the type sent to the 100 entities referenced in the FTC release, the Commission wrote:

We have not determined whether your company is violating laws enforced by the Commission. However, the FTC is urging you to review your security practices for personal information about your customers and employees, and, if appropriate, the practices of contractors and vendors with access to such information, to ensure that the practices are reasonable, appropriate, and in compliance with the law. It is your responsibility to protect such information from unauthorized access, including taking steps to control the use of P2P software on your own networks and those of your service providers. (emphasis supplied)

In the letters sent to organizations found to be hosting the P2P software, the Commission also pointedly provided a link to the long list of enforcement actions taken by the Commission for inadequate data security (leading to compromised personal privacy).

While focused on the data security threats created by P2P software, the FTC's release also underscores the importance of data security generally and the legal risks involved in not adequately addressing the issue.   (In that connection, Hogan & Hartson's privacy and data security practice group regularly assists clients in conducting risk management assessments to identify privacy and data security issues, including the presence of P2P software, and to suggest remedial steps.)

FCC Seeks Comment on Numerous Broadband Privacy Issues

The Federal Communications Commission released a Public Notice this week seeking further comment on numerous privacy issues as part of its National Broadband Plan proceeding.  Based on questions raised in a recent Center for Democracy & Technology filing, some of the broad issues that the Notice seeks comment on include:

  • Consumer expectations of privacy, and how to meet those expectations as new technologies are deployed;
  • Building Privacy by Design;
  • Concerns surrounding the collection, use, and storage of transactional data; and
  • The regulation of third-party applications.

The FCC, which is working to complete the Plan and submit it to Congress by March 17, has thus far not focused extensively on how to protect consumer privacy and personal information in the broadband ecosystem.  This Notice, however, indicates that the FCC may be planning to highlight a number of privacy-related consumer protection issues in the Plan.  Moreover, depending in part on the comments received in response to the Notice, it could also open the door to future privacy and data protection proceedings at the FCC.

Comments are due on January 22, 2010, just over a week after the Commission issued the Notice.

European Network and Information Security Agency (ENISA) Issues Cloud Computing Guidance

The European Network and Information Security Agency (ENISA) has just published a paper on cloud computing, which discusses the benefits and risks of cloud computing from a security perspective. The paper also includes recommendations for improving information security in the context of cloud computing and provides a (in our view very helpful) set of questions that organizations can use to assess whether or not providers of cloud computing services are sufficiently protecting the data entrusted to them.

The key conclusion of the paper is that the “cloud’s economies of scale and flexibility are both a friend and a foe from a security point of view. The massive concentrations of resources and data present a more attractive target to attackers, but cloud-based defenses can be more robust, scalable and cost-effective.” 

The paper is particularly timely in light of the European Commission’s public consultation on the legal framework for the fundamental right to protection of personal data, which closes at the end of next month. ENISA’s paper includes specific recommendations for the European Commission’s future consideration. It rightly points out that certain issues related to the EU Data Protection Directive and Article 29 Working Party recommendations warrant clarification. In the current legal framework, it is not clear, for example, under which circumstances a provider of cloud computing services may be classified as a “joint controller” of personal data. ENISA also recommends that the European Commission examine and clarify, inter alia:

- whether providers of cloud computing services should be obliged to notify their customers of data security breaches (and what information should be provided to these customers);

- the legal impact of data transfers to providers of cloud computing services in countries outside the European Economic Area (EEA), if those countries do not provide an “adequate” level of data protection;

- how the intermediary liability exemptions arising from the eCommerce Directive apply to providers of cloud computing services.

As far as information security is concerned, ENISA’s paper provides useful and practical guidance for potential and existing users of cloud computing services as well as policy makers. It will be interesting to see to what extent its recommendations will result in concrete action by the European Commission and/or the Article 29 Working Party.

Recently Introduced Federal Legislation May Expand Regulation of Data Brokers

The Personal Data Privacy and Security Act (“PDPSA”), recently reintroduced by Sen. Patrick Leahy (D-VT) and referred to the Senate Judiciary Committee, proposes comprehensive federal regulation of data broker services.  While enactment of the PDPSA remains uncertain, the draft legislation may presage future legislative and regulatory trends.

Comprehensive Federal Regulation of “Data Brokers”

Title II of the PDPSA would introduce significant new regulation for data brokers, which are defined as

“a business entity which for monetary fees or dues regularly engages in the practice of collecting, transmitting, or providing access to sensitive personally identifiable information on more than 5,000 individuals who are not the customers or employees of that business entity or affiliate primarily for the purpose of providing such information to nonaffiliated third parties on an interstate basis.” 

PDPSA § 3(5).  Entities that are already regulated under the Fair Credit Reporting Act (“FCRA”), Gramm-Leach-Bliley Act (“GLBA”), or Health Insurance Portability and Accountability Act (“HIPAA”) are not subject to the data broker requirements of the PDPSA as currently drafted.  See PDPSA § 201(b)(1)-(3).  Notably, the PDPSA requirements would apply to the use of any form of sensitive personally identifiable information ("SPII"), unlike the FCRA which is limited to information used in consumer reports. 


Massachusetts Data Security Regulations Raise the Stakes for Sharing Personal Information with Third Party Service Providers

The August 17, 2009 revisions of the Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts (“Massachusetts Standards”) were accompanied by reassurances that the changes were designed to create a more flexible regulatory framework that would ease the burdens on business while protecting the public interest. However, the revisions also include more detailed provisions dealing with sharing of personal information with third party service providers.  Third party service provider relationships can be a substantial source of risk to the confidentiality, integrity, and availability of sensitive information.  Risk factors include the security practices of third parties within their own facilities as well as the seemingly simple process of transferring sensitive information to a service provider.

The Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) has addressed these risks by requiring businesses subject to the Massachusetts Standards to take “reasonable steps to select and retain third party service providers that are capable of providing appropriate security measures” consistent with the regulations and contractually obligating those service providers to do so.  There are several particularly noteworthy implications of these requirements.

Expansive Definition of Service Provider

The revised Massachusetts Standards define a “service provider” as: “any person that receives, maintains, processes, or otherwise is permitted access to personal information through its provision of service directly to a person that is subject to this regulation …” explicitly excluding the U.S. Postal Service. Accordingly, almost any vendors, suppliers, consultants, contractors, and advisors with which a business shares the personal information of Massachusetts residents appear to fall within this definition. Going forward, businesses subject to the Massachusetts Standards should carefully examine all of their third party relationships to identify all scenarios where the third party service provider requirements are applicable.  

Data Security Due Diligence

While it has been an advisable practice for some time now, the express reference to selecting third party service providers that are capable of providing appropriate security raises analysis of data security practices during due diligence to the level of a legal obligation. The Commonwealth is unlikely to be sympathetic to claims that an entity was in compliance with the Massachusetts Standards without meaningful evidence of pre-closing investigation into the data security practices of its service providers.

Monitoring Third Party Service Provider Data Security Practices

The August 17th revisions removed the prior obligation to ensure that third party service providers are applying security measures consistent with the regulations. Nonetheless, the new language contains the admonition to “retain” third party service providers capable of providing such security. Hence, OCABR maintains some authority to require monitoring of the data security performance of third party service providers. Consequently, guaranteeing the right to audit the data security measures taken by third party service providers remains a strongly advised policy. 

Limited Grandfather Clause

Finally, the August 17th revisions include a grandfather clause apparently designed to exempt third party service contracts entered into before a particular date. Due to a likely drafting error, the grandfather clause contains conflicting dates (March 1, 2010 and March 1, 2012) for the exemption. This confusion is likely to be resolved after the current public comment period. While a reasonable reading of the current language could lead one to conclude that contractual obligations are not necessary for any contract entered into before March 1, 2010, the use of contract to protect the interests of businesses subject to the Massachusetts Standards remains a very attractive option, even for agreements currently in existence. 

The grandfather clause provides no indication that it exempts presently existing third party relationships from the “selection and retention” requirements discussed above. Contractual restrictions are among the more readily practicable methods of implementing the requirement to select and retain service providers capable of providing appropriate security. Therefore, ensuring that relevant contractual obligations are in place is in the interests of all businesses subject to the Massachusetts Standards.