California PUC Issues Proposed Decision on Smart Grid Privacy

On May 6, 2011, the California PUC (CPUC) issued a proposed decision by CPUC President Peevey addressing smart grid privacy and security. The proposed decision is part of a longstanding proceeding we first discussed here.

The proposed decision represents a significant step towards a set of smart grid privacy rules in the United States during a time that smart grid privacy is attracting increasing global attention. For example, as discussed in the Chronicle of Data Protection post on April 18, 2011, the European Union’s Article 29 Working Party issued smart meter guidelines last month.

The California PUC Proposed Decision expressly embraces Fair Information Practice (FIP) principles. The proposed rules are designed around the FIP principles of Transparency, Purpose Specification, Individual Participation, Data Minimization, Use and Disclosure Limitation, Data Quality and Integrity, Data Security, and Accountability and Auditing. A Future of Privacy Forum blog post available here provides a brief overview of the Proposed Decision, and a longer “Future of Privacy Summary of California Public Utilities Commission Proposed on Smart Grid Privacy and Security” dated May 9, 2011, drafted by yours truly, provides more detail about the California PUC’s approach to the proposed rules and jurisdictional issues. The California PUC is accepting comments on the proposed decision until May 26, 2011.

Smart meters and the smart grid present the prospect of empowering consumers to more efficiently control their energy usage and lower their bills, increasing consumers’ ability to use and manage smart appliances and new and innovative applications, fostering a reliable electricity grid, and helping to reduce carbon emissions. For an excellent background on Smart Grids and the privacy issues they present, see the white paper, Smart Privacy for the Smart Grid: Embedding Privacy in the Design of Electricity Conservation, co-authored by Hogan Lovells partner, Christopher Wolf.

European Network and Information Security Agency (ENISA) Issues Cloud Computing Guidance

The European Network and Information Security Agency (ENISA) has just published a paper on cloud computing, which discusses the benefits and risks of cloud computing from a security perspective. The paper also includes recommendations for improving information security in the context of cloud computing and provides a set of questions, which in our view is very helpful, that organizations can use to assess whether or not providers of cloud computing services are sufficiently protecting the data entrusted to them.

The key conclusion of the paper is that the “cloud’s economies of scale and flexibility are both a friend and a foe from a security point of view. The massive concentrations of resources and data present a more attractive target to attackers, but cloud-based defenses can be more robust, scalable and cost-effective.”

The paper is particularly timely in light of the European Commission’s public consultation on the legal framework for the fundamental right to protection of personal data, which closes at the end of next month. ENISA’s paper includes specific recommendations for the European Commission’s future consideration. It rightfully points out that certain issues related to the EU Data Protection Directive and Article 29 Working Party recommendations warrant clarification. In the current legal framework, it is not clear, for example, under which circumstances a provider of cloud computing services may be classified as a “joint controller” of personal data. ENISA also recommends that the European Commission examine and clarify, inter alia:

- whether providers of cloud computing services should be obliged to notify their customers of data security breaches (and what information should be provided to these customers);

- the legal impact of data transfers to providers of cloud computing services in countries outside the European Economic Area (EEA), if those countries do not provide an “adequate” level of data protection;

- how the intermediary liability exemptions arising from the eCommerce Directive apply to providers of cloud computing services.

As far as information security is concerned, ENISA’s paper provides useful and practical guidance for potential and existing users of cloud computing services as well as policy makers. It will be interesting to see to what extent its recommendations will result in concrete action by the European Commission and/or the Article 29 Working Party.

UPS Ltd Subject of UK Data Security Enforcement

UPS Ltd has joined the ever-increasing number of companies featuring in the ‘Enforcement’ section of the UK Information Commissioner’s website, for failing to ensure the adequate security of personal data, which was held on an unencrypted laptop.

Security is one of the key data protection principles set out in Schedule 1, Part 1, of the Data Protection Act 1998 (the “DPA”) and although organizations are familiar with the principle, the basic elements of protecting data can still be overlooked. As a reminder, the DPA requires all ‘data controllers’ (such as UPS Ltd in this case) to comply with the eight data protection principles. The seventh principle deals with the security of personal data and provides that data controllers must take “appropriate technical and organizational measures against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”. This means, for example, using password protection and encryption on portable hardware, such as laptops and memory devices. Of course, such measures are only effective if everyone knows about them and uses them appropriately.

This recent decision involved the loss of personal data when a UPS employee’s laptop was stolen, whilst on business abroad last year. The laptop was unencrypted and was never recovered.

Unfortunately (but as is often the case) it held personal data belonging to some 9,150 UK-based employees. Worse still, the data was payroll-related and so contained information relating to employees’ names, dates of birth, National Insurance numbers, salary and bank details.

Whilst there is no legal requirement to inform the Information Commissioner’s Office (ICO) of a DPA breach, UPS Ltd’s lawyers made the notification for their client, presumably recognizing the harm that could result from the loss of such data, for the employees themselves and also for the company’s reputation.

By this time, UPS Ltd had endeavored to remedy the breaches and could therefore submit evidence of improvements it had made, to the ICO. Helpfully, in reaching its decision, the ICO noted such remedial steps as:

  • encryption for all UK and European UPS laptops and smartphone devices; and
  • updating the security policy to include encryption for removable media.

The ICO also recognized UPS Ltd’s understanding of the seriousness of the event and its efforts to comply with the DPA. Rather than issuing an Enforcement Notice, UPS Ltd were able to sign an undertaking to comply with the DPA and put in place these promises within 6 months.

This case demonstrates that although mistakes happen, there are ways to limit the exposure and organizations in breach of the DPA should act purposefully to rectify the damage as soon as possible.

Possible Health Information Trend in State Data Protection Statutes

With the compliance date for the federal health data breach notifications in the HITECH Act looming, more states are amending their data breach notification statutes to cover health information. The possible trend is evident in the newly enacted laws of three states – Missouri, New Hampshire and Texas – all of which have been enacted since June 2009.

  • Missouri – Within the key definition of “Personal Information,” Missouri’s new data breach notification law includes both “medical information” and “health insurance information,” which, if disclosed in combination with an individual’s name, may trigger notification rights.
  • New Hampshire – In a separate provision from its general data breach notification law, disclosure of HIPAA protected health information by health care providers and business associates may trigger notice requirements even if the disclosure is permitted under federal law or does not create a risk of harm.
  • Texas – Expanding its existing data breach notification statute, Texas specifically amended the definition of “sensitive personal information” to include types of health information not previously covered.

These states join California, Arkansas and Puerto Rico as the only jurisdictions to protect health data under their data breach notification statutes. Still, compliance with these statutes may be costly and burdensome. Businesses must carefully monitor access, acquisition and disclosure of health and medical information in addition to other types of sensitive information – Social Security numbers, financial account numbers, etc. – routinely protected under these statutes. Definitions of health and medical information vary, but can be quite broad, covering, among other things, information relating to:

  • physical or mental health or conditions and medical histories;
  • provision of health care;
  • treatment and diagnosis;
  • payments for health care; and
  • insurance policy numbers and subscriber IDs.

Although the interaction of these state laws with the federal data breach notification regulations under the HITECH Act is unsettled, state laws must continue to be monitored and analyzed closely, especially if the number of states protecting health information continues to grow and their notification obligations are consistent with, but extend beyond, the federal requirements.