Upcoming Compliance Deadline for Massachusetts Service Provider Contracts

This blog entry was contributed by Kate Abramson, an associate in the Privacy and Information Management group in Hogan Lovells' Washington, DC office.

Massachusetts information security regulations (“Standards for the Protection of Personal Information of Residents of the Commonwealth”) took effect on March 1, 2010. In approximately five weeks, covered companies face a compliance deadline relating to their third party service provider contracts.

To reduce the risk of data breaches involving third-party service providers, the regulations require companies to take reasonable measures to select vendors capable of “maintaining appropriate security measures to protect such personal information consistent with [the] regulations and any applicable federal regulations.” Furthermore, the regulations mandate that companies contractually require their service providers to safeguard personal information in accordance with the Massachusetts regulations and applicable federal requirements.

The contract provision includes a grandfather clause, providing that all contracts entered into before March 1, 2010 are exempt from complying with this requirement until March 1, 2012.

Accordingly, companies that own or license personal information of Massachusetts residents must ensure they have specifically contracted with their service providers to implement and maintain such security measures before the pending deadline.

While the regulations only affect companies possessing personal information of Massachusetts residents, companies outside the scope of these regulations should nonetheless consider amending their contracts in conformity with the Massachusetts regulations to ensure that service providers are aware of their obligations to safeguard personal information.

District Court Dismisses Most Claims Related to Heartland Data Breach

This blog entry was contributed by Steven Spagnolo, an associate in the Privacy and Information Management group in Hogan Lovells' Washington, DC office.

A federal judge dismissed all but one of the claims (PDF) brought against Heartland Payment Systems, a payment card processor, in a class action lawsuit stemming from a breach of Heartland’s computer systems, demonstrating that it may be difficult to hold companies legally responsible for breaches of their data. The plaintiffs of the class action lawsuit, nine financial institutions that issued payment cards to consumers affected by the breach, balked at Heartland’s settlement offers and instead sought relief from the court, alleging breach of contract, negligence, misrepresentation, and violations of several states’ consumer-protection statutes. Only the alleged violation of Florida’s consumer-protection statute survived Heartland’s motion to dismiss, an outcome which may deter future plaintiffs affected by data breaches from rejecting settlement offers to litigate their claims.

As early as December 2007, a ring of hackers, led by notorious cyber-criminal Albert Gonzalez, gained access to Heartland’s computer systems and installed programs that allowed them to obtain the payment-card information stored on those systems. The breach continued over the course of many months before Heartland discovered the rogue programs in January 2009, by which time the hackers had already obtained the payment-card information of approximately 130 million consumers.

As a result of the massive breach, one of the largest ever involving payment-card information, numerous lawsuits were filed against Heartland by both consumers whose payment-card information was compromised and financial institutions that issued payment cards to the affected consumers. Those lawsuits were consolidated and split into two tracks, one that addressed the claims of the consumers and one that addressed the claims of the financial institutions.

Heartland has settled the majority of the lawsuits stemming from the breach. Last year, Heartland settled the consumers’ claims, agreeing to pay up to $175 to each consumer to cover out-of-pocket expenses and charges incurred due to the breach and up to $10,000 to victims of identity theft resulting from the breach. Heartland also agreed to settlements with the four major payment card brands and the financial institutions that utilize their networks to issue credit to consumers, agreeing to pay $3.6 million to American Express, $60 million to Visa, $41.1 million to MasterCard, and $5 million to Discover. However, the financial institutions were not bound by these settlements unless they chose to accept their terms. Although most financial institutions did so, some determined that the proposed settlements did not adequately cover their losses from the breach and instead elected to reject the settlements and litigate the matter.

The resulting litigation is an on-going class action lawsuit against Heartland. The financial institution plaintiffs alleged that the breach of Heartland’s computer systems resulted from Heartland’s failure to adequately safeguard its computer systems and caused the plaintiffs to incur significant expenses replacing credit and debit cards and reimbursing fraudulent transactions. The financial institution plaintiffs’ complaint (PDF) asserted claims for breach of contract and implied contract; negligence and negligence per se; negligent and intentional misrepresentation; and violations of the consumer-protection statutes in California, Colorado, Florida, Illinois, New Jersey, New York, Texas, and Washington.

In a December 1, 2011 opinion, Judge Lee Rosenthal of the U.S. District Court for the Southern District of Texas granted Heartland’s motion to dismiss (PDF) with respect to all but one of the claims asserted by the financial institution plaintiffs. Judge Rosenthal dismissed the contract claims due to the fact that the plaintiffs were: (1) not in a direct contractual relationship with Heartland; (2) not third party beneficiaries of Heartland’s contracts with other banks; and (3) not entitled to consequential damages. He dismissed the negligence claims because the plaintiffs’ damages were solely economic in nature and thus barred by the economic loss doctrine. The consumer-protection claims were dismissed for various reasons including that the plaintiffs were not “consumers” protected by the state statute.

Heartland’s alleged violation of the Florida Deceptive and Unfair Trade Practices Act (FDUTPA) was the lone claim that survived Heartland’s motion to dismiss. Heartland argued in its motion to dismiss that the plaintiffs lacked standing to assert a claim under the FDUTPA because only consumers, as the word is traditionally used, may assert such claims. In denying Heartland’s motion to dismiss, Judge Rosenthal highlighted that in 2001 the Florida Legislature amended the statutory provision that creates a private right of action for violations of the FDUTPA to use the word “persons” instead of “consumers” when identifying who may bring a claim. To this point, he stated that the “Florida Legislature’s use of word ‘person’ in creating a private right of action suggests a broader reach than the word ‘consumer.’”

Although all of the plaintiffs’ other claims were dismissed, the court granted the plaintiffs leave to amend their claims for breach of contract and implied contract (but only in certain limited situations); express misrepresentation; negligent misrepresentation based on nondisclosure; and violations of the California, Colorado, Illinois, and Texas consumer-protection statutes. However, the claims for negligence and violations of the consumer-protection statutes in New Jersey, New York, and Washington were dismissed with prejudice and without leave to amend. The plaintiffs must file the amended complaint by December 23, 2011.

New Guidelines Released for Mobile App Privacy Policies

On October 17, the Mobile Marketing Association (“MMA”) released a set of draft privacy policy guidelines for mobile applications (“apps”) designed to address key data and privacy security issues. Entitled “Mobile Application Privacy Policy Framework,” the draft guidelines provide a “starting point” privacy policy template written in consumer-friendly language with instructions for adapting the template to specific apps.

The guidelines provide a helpful tool for informing app users of the type of information that the app obtains and how that information is used, with sections devoted to both user-provided data and automatically collected information. The guidelines also address the collection and use of “precise" real-time location information, an issue that has garnered much media attention (and increasing regulatory scrutiny) due to the popularity of new location-based services. Finally, the guidelines also address other critical app areas, including:

  • Third-party access and use of consumer data;
  • Advertising (including the use of mobile advertising networks);
  • Consumer consent and opt-out rights;
  • Data retention;
  • Children’s Online Privacy Protection Act (“COPPA”) compliance;
  • Security and confidentiality safeguards; and
  • Future changes to the policy.

The guidelines are a response to data privacy and security concerns brought about by the skyrocketing consumer demand for and usage of apps, which have exploded in the last few years. For example, although the iTunes Store and Android Market only opened in 2008, more than 1.2 million apps are now available from multiple app stores on various operating systems, and consumers have downloaded more than 10 billion mobile apps to date.

Hogan Lovells represented the Future of Privacy Forum, a member organization of the MMA Privacy & Advisory Committee, which developed the guidelines. According to MMA, the draft guidelines are the first in a series of privacy policy materials that the organization is planning to develop.

Comments on the draft guidelines are due November 18, 2011. After that date, the guidelines will be finalized and released publicly.

Cloud Computing for Regulated Industries: Security Requirements Differ

Data stored in the cloud will be subject to numerous data security laws, explains Hogan Lovells partner Phil Porter in a recent article. Specific types of data will trigger different security regulations, ranging from HIPAA rules for health data, to Gramm-Leach-Bliley Act rules for financial services data, to COPPA for data about children. Hosting data in the cloud in the U.S. might also subject the data to U.S. national security rules, including the USA PATRIOT Act. Cloud service providers and customers need to tailor their contractual provisions to match these regulatory imperatives.

German Census 2011 Raises Privacy Concerns and Court Challenges

This week, Germany started a new Volkszählung, the first count and registration of the population of Germany, its federal states and its communities since 1987. The 2011 census has precipitated privacy concerns and legal challenges.

The census has its basis in EU Regulation 763/2008, which provides that such a census be conducted by the Member States in 2011, the Federal Census Act 2011 (Zensusgesetz 2011), and implementing laws enacted by the federal states. Approximately one third of the people living in Germany are asked questions related to age, registered residence, nationality, relationships, education, employment, and residential property. People who refuse to answer face fines of up to 1,500 Euro. The data gathered is to be used for "important political and economic decisions", such as the recalculation of the financial compensation scheme among Germany's federal states or of the distribution of seats in the Bundesrat (the representation of the federal states at the federal level).

The 2011 census, however, is not undisputed. Some people express concern about becoming a "gläserner Bürger", a transparent citizen, because of the state's collection of vast amounts of personal information. Other concerns raised by data protection experts relate to the security of the data, in particular the threat of hacking attacks. There is also a risk of authorities sharing the collected data with other authorities, which could combine it with their own databases and use it in an unauthorized way (e.g., to impose a fine on a person who, according to the findings of the census, is not properly registered). Data protection authorities argue that there is no need for a census, because other authorities (such as the German Register of Residents) already hold enough data that could be used instead of the data collected during the census. They also argue that the questions asked are not proportionate in light of the purposes of the census.

For these reasons, the Federal Census Act 2011 was challenged before the Federal Constitutional Court, but the motion was dismissed on rather formal grounds. The implementing law of the federal state of Berlin was challenged before the Berlin Constitutional Court in May 2011, inter alia, on the ground that the data collection is not proportionate.

Indeed, Germany has a famous history of censuses and challenges to them. When the government set out to count the German people in 1983, this caused an uproar in the German population and was ultimately brought before the Federal Constitutional Court (Bundesverfassungsgericht). The court handed down its famous "Volkszählungs-Urteil", in which it acknowledged the "right to informational self-determination" (Recht auf informationelle Selbstbestimmung), i.e., the right of each individual "to decide upon the disclosure and use of his or her data". This landmark decision can be seen as the very cornerstone of modern German, and possibly also European, data protection legislation. The Federal Constitutional Court, moreover, set forth special requirements for conducting censuses, such as the need to anonymise data "as soon as possible" and to maintain confidentiality.

The Federal Census Act and its implementing laws contain provisions addressing the concerns about the 2011 census and the Federal Constitutional Court's stipulations in the Volkszählungs-Urteil. For example, data must be stored on systems with special firewall protection; the sharing of data with other authorities is prohibited; and the data will be stored anonymously and deleted after specified periods. It is therefore doubtful whether the Berlin challengers will have anything to celebrate in 2011. With opposition to the 2011 census lacking the intensity of 1983, everything seems to be proceeding rather smoothly towards a re-counted German population.

Insurer Announces Innovative Risk Management Relationship with Hogan Lovells Privacy Practice

News of an innovative client program, a strategic risk management relationship with Hogan Lovells offering proactive resources and advice to manage privacy and data security risks, as well as just in time support and access to counseling in the event of an information breach:

ZUG, Switzerland, Jan. 11, 2011 /PRNewswire/ -- Allied World Assurance Company Holdings, AG (NYSE: AWH) announced new strategic risk management relationships with the law firm of Hogan Lovells US LLP and eRisk Hub® available for Privacy 403v2 policyholders.

"The goal of our program is to provide our policyholders with both proactive resources and advice as well as just in time support and access to industry experts in the event of an information breach," said Susan Chmieleski, Senior Vice President Healthcare Product and Risk Management Lead, Allied World U.S.

Our program includes the following Hogan Lovells resources: Guide for Data Security Breach Preparedness and Response, Monthly Updates on Important Developments in Privacy and Information Management Law, Chronicle of Data Protection, Webinars, Help Desk for Breach Response and Incident Reporting, and Proactive Consulting.

Additionally, Allied World's e-Risk Hub® portal powered by Net Diligence is an internet-based service that features news, content and services from leading practitioners in risk management, computer forensics, forensic accounting, crisis communications, legal counsel, and other highly-specialized segments of cyber risk.

Adam Sills, Vice President of Allied World U.S.' Privacy/Technology Unit adds, "We are very pleased to announce our Risk Management services providing our Privacy 403v2 policyholders with the ability to proactively manage and respond to Privacy risks."

About Allied World Assurance Company

Allied World Assurance Company Holdings, AG, through its subsidiaries, is a global provider of innovative property, casualty and specialty insurance and reinsurance solutions, offering superior client service through a global network of branches and affiliates. Our insurance and reinsurance subsidiaries are rated A (Excellent) by A.M. Best Company, and our Lloyd's Syndicate 2232 is rated A+ (Strong) by Standard & Poor's and Fitch. Please visit our website at www.awac.com for further information on Allied World.

Cautionary Statement Regarding Forward-Looking Statements

Any forward-looking statements made in this press release reflect our current views with respect to future events and financial performance and are made pursuant to the safe harbor provisions of the Private Securities Litigation Reform Act of 1995.  Such statements involve risks and uncertainties, which may cause actual results to differ materially from those set forth in these statements.  For example, our forward-looking statements could be affected by pricing and policy term trends; increased competition; the impact of acts of terrorism and acts of war; greater frequency or severity of unpredictable catastrophic events; negative rating agency actions; the adequacy of our loss reserves; the company or its subsidiaries becoming subject to significant income taxes in the United States or elsewhere; changes in regulations or tax laws; changes in the availability, cost or quality of reinsurance or retrocessional coverage; adverse general economic conditions; and judicial, legislative, political and other governmental developments, as well as management's response to these factors, and other factors identified in our filings with the U.S. Securities and Exchange Commission. You are cautioned not to place undue reliance on these forward-looking statements, which speak only as of the date on which they are made. We are under no obligation (and expressly disclaim any such obligation) to update or revise any forward-looking statement that may be made from time to time, whether as a result of new information, future developments or otherwise.

SOURCE Allied World Assurance Company Holdings, AG

FinCEN Considers Proposed Rule to Require Reporting of Cross-Border Electronic Fund Transfers

Comments are due December 29 on a proposal that would require banks and money transmitters to report information to the U.S. government regarding international fund transfers, including the Social Security numbers of individuals that send or receive such funds.

On September 30, 2010, the Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Department of the Treasury, published a Notice of Proposed Rulemaking (NPRM) for public comment. The proposal would amend Bank Secrecy Act (BSA) regulations to add two new requirements. First, banks and money transmitters would be required to report transmittal information on cross-border electronic transmittals of funds (CBETFs) on an ongoing basis; banks would have to report transfers of any amount, while money transmitters would have to report transfers of at least $1,000. For reportable transactions of $3,000 or more, money transmitters would have to include in the report the taxpayer identification number (TIN), alien identification number, or passport number of the transmitter or recipient. Second, the proposal would require all banks to file an annual report with FinCEN of the account numbers and TINs associated with each account that initiated or received a CBETF.

The information that would be reported is largely information that banks and money transmitters already collect, even though they currently are not required to report it as they would be under the proposed rule.

The proposal is aimed at furthering the government’s efforts to combat money laundering, terrorist financing, and other violations of law such as tax evasion and customs fraud. The reports, FinCEN asserts, would greatly facilitate the ability of authorities to investigate and prosecute such activity. The reports would be submitted to FinCEN, but could be accessed by other federal and state authorities. This is already the case with other data currently collected pursuant to the BSA.

However, the affirmative reporting of information on all CBETFs – including account numbers and TINs – would be a significant change. FinCEN would be given the Social Security number of every individual that uses a U.S. bank to either send or receive funds electronically across U.S. borders, and of many other persons that use money transmitters for such transfers. This raises possible privacy and data security concerns – due both to the fact of the government holding such data and to the need to prevent improper access to or misuse of the data.

FinCEN has acknowledged the privacy and security concerns raised by the proposal and states that it will maintain sufficient procedures to keep such information safe and secure. The data, FinCEN observes in the NPRM, “is highly sensitive data containing details about the financial activity of private persons. Without proper safeguards, this data could be at risk of inadvertent or deliberate disclosure or misuse[.]”

FinCEN is statutorily prohibited from issuing a final rule until it has established adequate, secure systems to accept the required reports.  For that reason, FinCEN does not expect to issue a final rule before January 1, 2012, because it does not expect to have the information technology systems in place to accept the reports before that time.  Even after a final rule is issued, FinCEN anticipates delaying the mandatory compliance date for some period to allow time for financial institutions to implement procedures to comply with the rule.

FDIC Requires Banks to Adopt Policies on Disposal of Information Stored on Office Equipment

On September 15th, the Federal Deposit Insurance Corporation (FDIC) issued guidance (Financial Institution Letter FIL-56-2010, "FDIC Guidance on Mitigating Risk Posed by Information Stored on Photocopiers, Fax Machines and Printers") urging banks under its supervision to ensure that they have written policies for the erasure or destruction of sensitive or confidential customer information stored in photocopiers, fax machines, or printers.  Such storage may occur when the device's hard drive or flash memory stores digital images of documents that were photocopied, faxed, or printed using the device.

This is a particular concern for banks that lease office equipment - which may be used to process a significant amount of confidential information relating to financial transactions - and then return the equipment or sell it to another party.  If the memory of such devices is left intact, it is possible that such a third party could access data constituting "nonpublic personal information" under the Gramm-Leach-Bliley Act, such as information in consumers' loan applications or account statements, or other confidential information.

FDIC-supervised banks must, therefore, implement written policies and procedures to ensure that a hard drive or flash memory in office equipment containing sensitive data is erased, encrypted or destroyed prior to the device being returned to a leasing company, sold, or otherwise disposed of.  If the bank chooses to erase or encrypt the hard drive rather than destroy it, the bank should ensure that the method used will render the information on the disk unrecoverable.
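The guidance's closing point, that an erasure method must actually leave the data unrecoverable, is something to verify rather than assume. The following Python script is an added example and is not part of the FDIC letter or this post: it builds a constructed file standing in for a copier's drive image, seeded with a made-up account statement, overwrites it with fixed patterns and then random bytes, and scans the result for the original strings. All names, offsets and sample data are constructed for the illustration.

```python
"""Verify that an overwrite left no recoverable remnants of known-sensitive data.

Added example, not code from the FDIC guidance or the blog. The 'drive' is a
constructed file; the sample document and marker strings are made up.
"""
import os
import secrets
import tempfile

# Constructed sample of the kind of document a copier or fax drive might retain.
SAMPLE_DOCUMENT = (
    b"ACCOUNT STATEMENT\nName: Jane Example\nAccount: 1234567890\n"
    b"Balance: $4,512.33\n"
)


def make_sample_device_image(path, size=64 * 1024):
    """Write a constructed drive image: zeros with the sample document at two offsets."""
    buf = bytearray(size)
    for off in (4096, 32768):  # constructed offsets, as if two scans were cached
        buf[off:off + len(SAMPLE_DOCUMENT)] = SAMPLE_DOCUMENT
    with open(path, "wb") as f:
        f.write(buf)


def overwrite_image(path, passes=(b"\x00", b"\xff", None), chunk=4096):
    """Overwrite the whole image in place once per pass; None means random bytes.

    Caveat: on flash media, in-place overwrites do not reliably reach every cell
    (wear levelling, spare blocks), so a device-level sanitize command or
    physical destruction is the dependable option there.
    """
    size = os.path.getsize(path)
    for pattern in passes:
        with open(path, "r+b") as f:
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                block = secrets.token_bytes(n) if pattern is None else pattern * n
                f.write(block)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())


def find_remnants(path, markers, chunk=1 << 16):
    """Scan the image for any of the marker byte strings and return those found.

    Reads overlap by (longest marker - 1) bytes so a marker straddling a chunk
    boundary is still detected.
    """
    found = []
    overlap = max(len(m) for m in markers) - 1
    tail = b""
    with open(path, "rb") as f:
        while True:
            data = f.read(chunk)
            if not data:
                break
            window = tail + data
            for m in markers:
                if m in window and m not in found:
                    found.append(m)
            tail = window[-overlap:] if overlap > 0 else b""
    return found


def verify_sanitised(path, markers):
    """True when none of the known-sensitive markers remain in the image."""
    return not find_remnants(path, markers)


def demo():
    """Seed a constructed image, confirm the data is present, wipe, and re-check."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "copier_drive.img")
        make_sample_device_image(img)
        markers = [b"Jane Example", b"1234567890"]
        before = find_remnants(img, markers)   # both markers present
        overwrite_image(img)
        after = find_remnants(img, markers)    # nothing left to find
        return {"remnants_before": before, "remnants_after": after,
                "sanitised": verify_sanitised(img, markers)}


if __name__ == "__main__":
    print(demo())
```

The marker scan only proves that the specific strings you know about are gone from the addressable image; it says nothing about spare or remapped blocks the operating system cannot read, which is why the guidance lists physical destruction alongside erasure and encryption.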

While FIL-56-2010 applies only to banks supervised by the FDIC, all financial institutions are required to ensure the proper safeguarding and disposal of customer information.  Therefore, even non-FDIC-supervised financial institutions would be well advised to consider and implement the guidance contained in FIL-56-2010.

Complimentary Webcast of a Presentation by Hogan & Hartson's Privacy Practice Lead Chris Wolf on New Directions in Enforcement and Policy at the FTC and the Impact on Businesses

The privacy and data security enforcement agenda at the Federal Trade Commission is evolving. Consent decrees are imposing stricter and more specific standards on business with respect to the collection, usage, storage, sharing and disposal of personal information. Recent changes in leadership at the FTC, and public statements from the FTC Chairman and the Director of the Bureau of Consumer Protection, suggest more aggressive privacy and data security enforcement in the coming years. And the entire paradigm of privacy protection, including its foundation of notice and choice, is under reexamination after a series of FTC Roundtables conducted in late 2009 and early 2010.

For businesses under the jurisdiction of the FTC, the impact of this evolving enforcement agenda is significant. Greater attention than ever must be paid to the issue of notice and choice, as well as to the physical, technical and administrative safeguards provided for personal information, to ensure that specific statutory standards enforced by the FTC are met and that the general consumer protection standard of Section 5 is also satisfied.

Historically, enforcement actions by the Commission under Section 5 of the FTC Act focused on businesses that failed to adhere to promises they made about privacy and data security. In many of these cases, the FTC determined that a business’s failure to adhere to its own policies and promises constituted an unfair business practice. In the middle of the last decade, however, the enforcement focus at the FTC began to change. Rather than concentrating enforcement activities exclusively on businesses that failed to adhere to their own promises, the Commission began to look more at whether a business’s actual privacy and data security practices were reasonable.

The many reports of data security breaches required under state laws gave the FTC several new enforcement targets – businesses whose lax data security led to breaches that had to be reported publicly. In these cases, unreasonably lax practices led to a complaint of unfairness under Section 5. Also noteworthy about this phase of FTC enforcement was that nearly all of these cases involved instances in which privacy and security failures resulted in substantial consumer harm. In recent years FTC enforcement has become more “granular,” in the sense that the FTC enforcement staff examines specific details of respondents’ privacy practices and information security measures when assessing “reasonableness.”

By clicking on this link, you will be taken to a 45-minute multimedia presentation on the new directions in enforcement at the FTC, with in-depth case analysis, including the recent Dave & Busters consent decree involving the absence of filters for outgoing data to protect against the loss of personal data.

Short Guide to Responding to Data Security Breaches

The recent effective date for enforcement of the new HIPAA/HITECH data-security breach notification law, and the continued passage of and amendments to state notification laws, make compliance with data-security breach notification requirements more challenging than ever.

The H&H Chronicle of Data Protection thought it would be useful to provide this Short Guide to Responding to Data Security Breaches as a refresher for some and as a wake-up call for others.

Companies collect, maintain, use, and exchange vast amounts of personal data on employees, consumers and others. Unwanted release or exposure of personal information can violate privacy, lead to identity theft, and result in adverse publicity. Lawmakers, regulators, and advocates are increasingly focused on data security and breaches of it. Data security is becoming a risk-management priority at companies.

Still, breaches happen, even with the most careful precautions.

Effective handling of a data-security breach and legal compliance are best achieved with advance planning to ensure that a business's response is effective, efficient, and timely. A business's response will be easier if it already knows which laws and contracts apply to its data and what its duties will be if its information is improperly disclosed or accessed.

Fundamentally, businesses should have a detailed written data security breach response plan that has been shared with those who will implement the response, because responding to a data security breach “on the fly” creates the potential for liability-creating mistakes.

What law applies to a data-security breach?

As most businesses know by now, starting in California in 2003, the law began to impose an obligation on those who hold data on persons to provide notice if there is a breach of its security. Forty-five states, Washington, DC, the Virgin Islands, and Puerto Rico have such laws currently, and federal rules govern disclosure of health-related personal information.

The Department of Health and Human Services (“HHS”) and the Federal Trade Commission (“FTC”) each has issued data breach notification rules. See this previous blog entry for details. The rules implement provisions of the American Recovery and Reinvestment Act of 2009 (“ARRA”) and are aimed at providing increased protection of individuals’ health information. Enforcement of the HHS and FTC breach notification rules began last month, as described here.

The Federal Trade Commission, state attorneys general, and private plaintiffs have pursued companies that have experienced data-security breaches. Such investigations typically have focused not only on whether notice protocols were followed, but also on underlying data security. Under HITECH, the Department of Health and Human Services has enhanced power to investigate and enforce against data security deficiencies.

What actions should the business take promptly after a breach?

Contain the breach. As soon as the business becomes aware of a data breach it should take all necessary steps to limit further data loss and should investigate the incident. It should also determine whether to involve law enforcement and should limit traffic into the affected area until security officials or law enforcement investigate.

Convene a response team. Businesses should have a standing security breach response team that includes representatives from the office of the general counsel, information technology security, human resources, internal audit, and public communications. When a breach occurs, the response team should convene without delay. Team composition may vary, according to the type and location of the breach.

Analyze the breach. The business should record all information relevant to the breach; learn and evaluate the cause and effect of the incident; determine whether other systems are at serious risk of future breach; and consider engaging specialized consultants to capture relevant information and perform forensic analysis.

Determine timing requirements. Time is of the essence. The laws of many states prescribe time limits for notifying persons whose data was breached. Expedition is not just sensible; often it is legally mandated.

Collect information promptly. Information that should be gathered promptly includes the date, time, duration, and location of the breach; how the breach was discovered, by whom, and any known details about it; and information on compromised data, including a list of affected individuals by category, data fields, the number of records affected, and which if any data were encrypted.

What next steps should the business take?

Analyze legal implications of the breach. Legal analysis should include analysis of relevant business contracts for notification and other obligations; breach-notification requirements; and pertinent indemnification agreements. The states and countries potentially involved in the breach should be identified with reference to the location of persons and systems affected by the breach. Federal, state, and international statutes and regulations potentially triggered or violated by the breach, and their notification requirements, should be identified.

Contact law enforcement. Where appropriate, contact local or federal law enforcement agencies.

Contact insurance carrier. Review insurance pertinent to the breach; notify the insurance carrier in accordance with policy requirements.

What internal and external breach-related communications should the business make?

A wave of telephone calls, e-mails, and other inquiries should be expected when a breach is reported. Before occurrence of a breach, the business should have a plan for handling such inquiries. Actions to consider include selecting a mode of communication with the public (toll-free 1-800 numbers and/or e-mail address); selecting a mode of communication with interested parties; training and hiring staff for inquiry response, or outsourcing such activities; preparing a script; notifying credit-reporting agencies prior to providing notification to a large group of affected persons (or as required by applicable law); documenting inquiry responses; and preparing Frequently Asked Questions (“FAQs”) for potential online posting.

What should be in the business’s notification plan?

The business should develop a notification plan for affected persons, based on legal requirements and its contractual obligations. The content of notice to affected persons will be dictated by regulation or contract, and public relations considerations should be taken into account. Remember that notices to attorneys general or consumer protection authorities are required in some jurisdictions. Similarly, how notice is delivered (e.g. by mail, or e-mail if the recipient agreed in advance to such notification method) requires a legal determination. Generally, notice should include this information:

  • Description of what happened;
  • Type of protected data involved;
  • Actions the business has taken to protect data from further unauthorized access;
  • What the business will do to assist affected persons;
  • What affected persons can do to assist themselves;
  • Contact information for the business to respond to inquiries (a toll-free 1-800 number should be provided); and
  • Contact information for local and federal government authorities.

The business may elect to offer remediation services to assist affected persons after a breach, including credit monitoring services, identity-theft insurance, identity-theft information packets, and/or compensation for identity theft. A number of companies have elected to offer remediation services, although usually such services are not legally required.

What other post-breach actions are indicated?

Prepare for litigation. If litigation is threatened, preservation of relevant documents and information is vital.

Re-assess technology systems, physical and administrative security. The business should conduct an analysis of the breach to determine causes and should review access controls and procedures to ensure that weaknesses have been addressed and resolved.

Perform an assessment. Assess the business's operations to determine necessary revisions to data collection, retention, storage, and processing policies and procedures, so that further breaches are less likely to occur.

Evaluate the business's response. After the business has responded to the breach, it should evaluate its response and implement changes to improve its effectiveness in preventing and responding to breaches.

Summary

  • Have a written post-breach response plan ready and tested before a breach happens.
  • Ensure that business officials know what role they will have when a breach happens.
  • Have a communications plan regarding breaches.
  • Know what regulations, statutes, and contracts cover post-breach obligations.
  • When a breach happens, act promptly to prevent further exposure of data.
  • Promptly find out what happened and preserve the evidence.
  • Involve technology and legal experts as needed.
  • Have draft notices that are ready to be customized with reference to the facts.
  • Contact law enforcement, credit reporting agencies, and the business's insurance carrier as appropriate.
  • Keep regulators informed, both when required by law and when merely sensible.
  • Provide timely notice; legal deadlines are strict.
  • Help affected individuals; their goodwill can forestall legal difficulties.
  • Update the breach response plan periodically.


FTC Sends Warning Shot to Organizations Allowing Peer-to-Peer Software on their Networks

The Federal Trade Commission has warned one hundred businesses and organizations that peer-to-peer software (typically used by employees to download and share copyrighted music, software and movie files over the Internet) is exposing information on customers and employees, including health and financial data, Social Security numbers and driver's license numbers.

In a release entitled "Widespread Data Breaches Uncovered by FTC Probe" the FTC warned that the presence of privacy-violating peer-to-peer software on an organization's network may represent a violation of the security obligations under a variety of federal statutes.

In one sample letter of the type sent to one of the 100 entities referenced in the FTC release the Commission wrote:

We have not determined whether your company is violating laws enforced by the Commission. However, the FTC is urging you to review your security practices for personal information about your customers and employees, and, if appropriate, the practices of contractors and vendors with access to such information, to ensure that the practices are reasonable, appropriate, and in compliance with the law. It is your responsibility to protect such information from unauthorized access, including taking steps to control the use of P2P software on your own networks and those of your service providers. (emphasis supplied)

In the letters sent to organizations found to be hosting the P2P software, the Commission also pointedly provided a link to the long list of enforcement actions taken by the Commission for inadequate data security (leading to compromised personal privacy).

While focused on the data security threats created by P2P software, the FTC's release also underscores the importance of data security generally and the legal risks involved in not adequately addressing the issue. (In that connection, Hogan & Hartson's privacy and data security practice group regularly assists clients in conducting a risk management assessment to identify privacy and data security issues, including the presence of P2P software, and to suggest remedial steps.)

French CNIL Issues Data Security Tips

On October 12, 2009, the CNIL issued ten recommendations for companies to help protect their data. The recommendations are fairly basic, ranging from implementing a rigorous password policy to ensuring that only authorized personnel have access to the company’s computer room. The recommendations have an important pedagogical role, however, and illustrate that the CNIL is broadening its focus from its traditional role of defining under what conditions personal data can be processed in France to dealing with the results of that processing, in particular the prevention of data breaches.

For those familiar with the security recommendations issued by ENISA, the European Network and Information Security Agency, the CNIL’s recommendations may seem quite rudimentary in comparison. ENISA has issued a number of detailed recommendations on data security, and it is unfortunate that the CNIL did not refer to the excellent ENISA work in this area. See, for example, ENISA's 2009 papers "10 Security Awareness Good Practices" and "Information Security Awareness in Financial Organizations - Guidelines and Case Studies." However, the CNIL's recommendations may only be a first step, and it will be interesting to see whether the CNIL's guidance evolves as concern about data breaches continues to grow.

Latest Revision of Massachusetts Data Security Regulations Attempts to Increase Flexibility

On August 17, 2009, the Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) issued a second set of revisions to the Standards for the Protection of Personal Information of Residents of the Commonwealth (“Massachusetts Standards”), 201 CMR 17.00. In support of the revisions, the OCABR also issued Frequently Asked Questions (“FAQs”) to clarify the regulators’ views on issues that may not have been entirely clear in the text of the rules. The revisions are intended to increase the flexibility of the regulations in a manner that will reduce burdens on entities subject to the Massachusetts Standards, particularly small and mid-sized businesses.

Notable among the revisions are the attempts by the OCABR to: (1) introduce a more risk-based approach to the comprehensive information security programs required by the Massachusetts Standards; (2) implement a “technical feasibility” test for required technological controls; and (3) adopt a technology neutral approach to data encryption. While these initiatives should assuage some of the concerns previously expressed by the private sector, the ultimate practical impact remains in doubt.

Risk-Based Approach

While the OCABR press release and FAQs heavily emphasize the position that the revised Massachusetts Standards take a more risk-based approach to compliance, the changes are not readily apparent. Previous iterations of the Massachusetts Standards were similarly scalable based on the unique circumstances of each covered entity. The prior versions of the regulations stated that the required information security program would be evaluated by the Commonwealth based on the: (a) size and type of the covered business; (b) resources available to the covered business; (c) amount of stored data; and (d) need for security and confidentiality of the personal information. Although that provision has been removed, the revised regulations state that the required information security program should implement safeguards that are appropriate to the same four factors listed above. This change may make the scalability of the regulations slightly more straightforward, but appears to have little impact on the practical considerations of compliance.

Technical Feasibility

Entities subject to the Massachusetts Standards are now only required to implement technical safeguards that are “technically feasible.” Unfortunately, the definition of technically feasible provided in the FAQs (“if there is a reasonable means through technology to accomplish a required result, then that reasonable means must be used”) provides little practical guidance. Nonetheless, subsequent portions of the FAQs provide additional insight into the Commonwealth’s intentions. The FAQs note that: “there is little, if any, generally accepted encryption technology for most portable devices ….” On the other hand, the FAQs unequivocally state that there is technology available to encrypt laptops. As a practical matter, it may be reasonable to conclude that covered entities are not expected to adopt cutting edge technologies to satisfy their obligations. Only “generally accepted” technology is expected.

However, the absence of generally accepted technological controls does not absolve businesses of all obligation to protect personal information. When there is no feasible technical control, the OCABR clearly expects covered entities to take reasonable alternative steps to protect personal information. For example, the FAQs recommend that:

  • if encryption of backup tapes is not technically feasible, entities should take reasonable steps to physically protect the personal information stored on the tapes, such as using an armored vehicle service to transport tapes containing unencrypted personal information;
  • a secure, password-protected website should be used to conduct transactions involving personal information if encryption of email is not technically feasible; and
  • personal information should not be stored on portable devices, such as smart phones, for which there is no generally accepted encryption technology.

Accordingly, businesses should carefully consider available administrative and physical security options when dealing with provisions of the Massachusetts Standards that do not appear to be technically feasible.

Technology-Neutral Encryption Requirement

In an attempt to ensure that the Massachusetts Standards remain flexible enough to adjust to the evolution of technology, the definition of encryption has been revised to make it slightly more technology neutral. Past versions of the Massachusetts Standards expressly required that encryption involve an algorithmic process. The August 17th revisions eliminated this requirement. This change is unlikely to have any significant effect in the foreseeable future.

In fact, it is not yet clear what OCABR’s intentions were in this instance. While there is no formally accepted mathematical definition of the term “algorithm,” the word is generally taken to mean a process involving a specific sequence of actions. Encryption and decryption are quintessential examples of algorithmic processes. These functions require a specific series of actions in order to transform readily-understandable information into a form that is difficult to understand and, when an authorized recipient receives the information, transform it back into readily-understandable information. It is difficult to conceive of a method of encryption that would not involve an algorithmic process. Even methods of concealing information which are traditionally outside the scope of cryptography, such as steganography, typically involve the use of a sequence of specific actions to protect and recover information.

It is possible that OCABR wished to avoid contentious litigation over the meaning of algorithm in the absence of a formal mathematical definition. Nevertheless, businesses should expect to use generally accepted, industry standard algorithmic encryption technology for the foreseeable future in order to ensure compliance with the Massachusetts Standards.

Businesses Should Continue to Monitor Developments

As this is the third version of the Massachusetts Standards to be issued since the regulations were declared “final,” further adjustments in the future are foreseeable. The OCABR has scheduled a public hearing for September 22, 2009 and will be accepting written comments up to September 25, 2009. Persuasive arguments presented by both consumer advocates and the private sector may lead to further refinements of the regulations before the current effective date of March 1, 2010.