The federal Departments of Homeland Security, Defense and Justice and The Office of the Director of National Intelligence issued guidance on the implementation of the Cybersecurity Information Sharing Act of 2015 (CISA).  Among the four guidance documents issued by these agencies is one outlining the ways non-federal entities (which would include private employers) can share information with federal entities regarding cyber threat indicators and defensive measures taken against those threat indicators.  The guidance addresses procedures for sharing cyber threat indicator and defensive measures information under the CISA.

The CISA authorizes the sharing of “cyber threat indicators” and “defensive measures” for a “cybersecurity purpose.”  The guidance highlights the fact that the CISA attempts to strike an appropriate balance between sharing information about cyber threat indicators and defensive measures while protecting the privacy of information that is not directly related to and necessary to identify or describe a cybersecurity threat.  The guidance further explains that the CISA “promotes the goal of sharing while simultaneously providing privacy protections.” Therefore, the guidance cautions non-federal entities such as private employers to carefully review information before sharing it to assure they do not inadvertently disclose information that should have been kept private.

The guidance provides an overview of the methods non-federal entities can use to report to federal agencies information about cyber threats and defensive measures. These include the Department of Homeland Security’s (DHS) Automated Indicator Sharing (AIS) initiative, the webform on DHS’ National Cybersecurity and Communications Integration Center, emailing DHS, and sharing information through Information Sharing and Analysis Centers or Information Sharing and Analysis Organizations.  When a non-federal entity shares information using these methods, it is afforded liability protection under the CISA, as well as other protections such as an exemption from federal antitrust laws.

When a non-federal entity reports cyber threats and defensive measures in a manner other than those outlined above, it does not receive protection from liability, but it still has the other protections available under the CISA, such as the federal antitrust exemption and protection of commercial, financial and proprietary information.

The U.S. Court of Appeals for the Eleventh Circuit has ruled that statutory damages under the Stored Communications Act (SCA) are not available in a case where the plaintiff did not incur any actual damages.

The case, Vista Marketing LLC v. Burkett, originated from an extremely contentious divorce proceeding.  While the majority of the allegations in that proceeding might make for good television, they are not relevant here.  In short, Terri Burkett filed for divorce from her husband, Franklin, in February 2010.  During the divorce proceeding, the valuation of Vista Marketing became a primary issue.  Terri suspected her estranged husband was lying about the financial status of Vista.  To obtain information to prove her theory, Terri began regularly accessing the Vista web mail account to read Franklin’s emails from October 2011 until May 2012.  Sometimes Terri would review the emails before Franklin had opened them, but most of the time she did not read them until after they had been viewed by Franklin.  The emails Terri obtained were valuable evidence in the divorce proceeding and led to a significant valuation of Vista.

Less than a month after the final judgment of the divorce court, Vista sued Terri, alleging she violated the SCA when she accessed Vista’s web mail account and Franklin’s Vista email account during the divorce proceedings.  Following a three-day jury trial, the jury found Terri had violated the SCA when she accessed Franklin’s emails.  It further concluded Terri had committed 450 violations of the SCA.  But the jury determined Vista had sustained no actual damages as a result of Terri’s actions and, despite finding Terri’s conduct was “willful, wanton, or malicious,” it awarded no punitive damages to Vista.  The district court then conducted a hearing to determine whether it would award statutory damages to Vista.  Vista argued it was entitled to $450,000 in statutory damages ($1,000 for each violation of the SCA), while Terri contended no damages should be awarded because the jury found Vista had suffered no actual damages.  Ultimately, the district court, in an exercise of discretion, awarded Vista $50,000 in statutory damages.

In analyzing the case, the Circuit Court looked to the SCA’s damages provision which provides: “The court may assess as damages in a civil action under this section the sum of the actual damages suffered by the plaintiff and any profits made by the violator as a result of the violation, but in no case shall a person entitled to recover receive less than the sum of $1,000. If the violation is willful or intentional, the court may assess punitive damages. In the case of a successful action to enforce liability under this section, the court may assess the costs of the action, together with reasonable attorney fees determined by the court.”

Ultimately, the Circuit Court agreed with Terri that the SCA precluded the district court from awarding Franklin any money in statutory damages because the jury returned a verdict reflecting that Franklin incurred no actual damages as a result of the 450 violations, and statutory damages may be awarded only upon a finding of actual damages. The Circuit Court upheld the judgment but vacated the district court’s award of statutory damages to Franklin.

In reaching its conclusion, the Circuit Court relied on the U.S. Supreme Court’s decision in Doe v. Chao, which construed the phrase “person entitled to recovery” under the Privacy Act to require a finding of actual damages before statutory damages may be awarded.  The Circuit Court also examined the Wiretap Act, which, like the SCA, was enacted as part of the Electronic Communications Privacy Act (ECPA), and found it would be “inconsistent, to say the least, if Congress treated violations of the SCA more severely than civil violations of the Wiretap Act.”

While the decision provides legal precedent in the Eleventh Circuit that SCA statutory damages are not available absent actual damages, district courts in other jurisdictions, including New York and Illinois, have reached the opposite conclusion.  In those districts, proof of actual damages is not required to seek statutory damages.  As courts throughout the country continue to struggle with analyzing claims under the SCA, it may ultimately fall on the Supreme Court to decide this issue.

Each year at the beginning of tax season, the IRS releases the “Dirty Dozen,” a list of twelve tax scams to be mindful of when individuals are filing their taxes.  This list is something to consider sharing with colleagues or friends within your organization.

The first member of the 2016 Dirty Dozen is identity theft. Tax-related identity theft occurs when someone uses a stolen Social Security number to file a tax return to get a fraudulent refund.  According to the IRS, tax scammers are becoming increasingly sophisticated, and taxpayers should be cautious about sharing their Social Security numbers, cautious when getting advice on tax issues, and cautious when viewing e-mails and accepting telephone calls asking for private information.

The IRS has compiled a guide to tax-related identity theft to help taxpayers identify the warning signs that identity theft has occurred. The warning signs include being contacted by the IRS or your tax preparer about 1) more than one tax return being filed with your Social Security number; 2) owing additional tax, a refund offset or having collections against you for a year in which you did not file a tax return; and 3) IRS records showing you worked for an employer when you actually did not work for that employer. Often, the IRS is the first to discover tax-related identity theft and inform the victim.

Identity theft can occur in a number of ways, including data breaches, phishing scams, and telephone calls from people masquerading as banks, credit card companies and the IRS. If you have been the victim of a data breach, you should keep in contact with the company to determine what type of information was compromised.

Recent phishing scams have included false emails to tax preparers that link to a fake website telling the tax preparer to update their Electronic Filing Identification Number (EFIN). The scammer collects the usernames tax preparers enter into the false website. Tax preparers are advised to disregard these types of emails that appear to be from the IRS. Phishing scams have also targeted taxpayers by directing consumers to fake websites that look like the IRS website. These types of emails should be reported to the IRS at phishing@irs.gov.

Sophisticated telephone scams have cropped up where scammers pretending to be IRS employees try to gather information or to convince individuals that they must urgently pay money to the IRS via pre-loaded debit cards or wire transfers.

The IRS advises that it does not ask for credit card or debit card information over the telephone, and does not demand payment in specific forms like pre-paid debit cards. Also, the IRS will not demand payment for taxes due without giving you the chance to question or appeal the amount due. The IRS will also never threaten to have local law enforcement arrest you for non-payment.

If you determine your Social Security number was compromised as a result of a data breach, you can submit an Identity Theft Affidavit to the IRS if the IRS has informed you that you might have been a victim of identity theft or if your e-file return was rejected as a duplicate filing.

For more information, the IRS provides a Taxpayer Guide to Identity Theft.

Demonstrating a continued focus on information security, the Food and Drug Administration (FDA) published draft guidance on Design Considerations and Pre-market Submission Recommendations for Interoperable Medical Devices.  As the title indicates, the draft guidance focuses on issues manufacturers should address in the development and design of medical devices prior to sale to consumers.  This draft guidance comes on the heels of the FDA’s draft cybersecurity guidance for medical devices after they have entered the market.

For those unfamiliar with the term, “interoperability” generally refers to the interconnectivity of various products or systems.  For purposes of the FDA’s guidance, interoperability means the ability of two or more products, technologies or systems to exchange information and to use the information that has been exchanged.  The exchange of information includes transmission, reception or both, and may be accomplished by wired or wireless methods on a local network or through the internet.  The use of exchanged information can include various purposes such as displaying, storing, interpreting, analyzing and automatically acting on the information or controlling another product.

According to the FDA, as electronic medical devices are increasingly connected to each other and to other technology, the ability of these connected systems to safely and effectively exchange and use the information that has been exchanged becomes increasingly important.  As such, the FDA intends to promote the development and availability of safe and effective interoperable medical devices.  The FDA issued this draft guidance to assist industry and FDA staff in identifying specific considerations related to the ability of electronic medical devices to safely and effectively exchange and use exchanged information.

The draft guidance focuses on five considerations for interoperable devices:

  • the purpose of the electronic data interface;
  • the anticipated users;
  • risk management;
  • verification and validation; and
  • labeling considerations.

Importantly, the FDA’s guidance documents, including this draft guidance, do not establish legally enforceable responsibilities.  The guidance includes suggestions or recommendations, as opposed to requirements.  The FDA is accepting comments and suggestions regarding the draft guidance until March 28, 2016.

As we previously reported, the EU and U.S. reached agreement last week on the EU-U.S. Privacy Shield to replace the invalidated EU-U.S. Safe Harbor Program for transatlantic data transfers.  While the announcement of the Privacy Shield is a relief to the thousands of companies who relied on the Safe Harbor Program, details remain unclear.

What do we know so far? The European Commission announced the EU-U.S. Privacy Shield agreement on February 2, 2016. In announcing the agreement, the European Commission said:

The EU-US Privacy Shield reflects the requirements set out by the European Court of Justice in its ruling on 6 October 2015, which declared the old Safe Harbour framework invalid. The new arrangement will provide stronger obligations on companies in the U.S. to protect the personal data of Europeans and stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission (FTC), including through increased cooperation with European Data Protection Authorities. The new arrangement includes commitments by the U.S. that possibilities under U.S. law for public authorities to access personal data transferred under the new arrangement will be subject to clear conditions, limitations and oversight, preventing generalised access. Europeans will have the possibility to raise any enquiry or complaint in this context with a dedicated new Ombudsperson.

Based on the European Commission’s statements, the Privacy Shield will provide for more oversight by the U.S. Department of Commerce and the FTC. Additionally, specific limitations and parameters will be placed on law enforcement or national security access to personal data. Finally, a new Ombudsperson will be established to handle complaints. Providing further insight, the European Commissioner for Justice, Consumers and Gender Equality, Vera Jourova, said there would be “several affordable and accessible dispute resolution mechanisms,” and that EU citizens would be able to channel complaints to the U.S. Department of Commerce, which would act within a “reasonable deadline.”

Reacting in the United States, Penny Pritzker, U.S. Commerce Secretary, lauded the agreement as a way forward, and clarified that the FTC will coordinate with EU data protection officials to resolve complaints about government access to data.  Edith Ramirez, FTC Chairwoman, echoed Pritzker’s statement saying, “[w]e are pleased that U.S. and European Commission officials have reached an agreement in principle which, once finalized, will allow for the continuation of an important mechanism for transatlantic data transfers. Under the new agreement, the EU-U.S. Privacy Shield, the Federal Trade Commission will continue to prioritize enforcement of the framework as part of our broader commitment to protect consumers’ personal information and privacy. We will continue to work closely with our European partners to ensure consumer privacy is protected on both sides of the Atlantic.”

Summing up the months following the Court of Justice of the European Union’s ruling in Schrems v. Data Protection Commissioner, Pritzker went on to say that although “it was a tough negotiation focused on protecting privacy” she was confident the Privacy Shield would withstand scrutiny in the EU.

Ms. Pritzker’s statements are pertinent as the Article 29 Working Party of European Union member state data protection commissions still must assess the Privacy Shield arrangement.  The Article 29 Working Party issued a more cautious response, which was backed by statements from Isabelle Falque-Pierrotin, chairwoman of the Article 29 Working Party and president of France’s DPA, who welcomed the Privacy Shield but clarified since no written agreement had been provided by the European Commission, the Article 29 Working Party could not confirm nor deny whether the Privacy Shield complied with EU data protection law.

Importantly, Falque-Pierrotin went on to state that companies which continue to transfer data to the U.S. under the Safe Harbor framework without alternative arrangements—i.e. binding corporate rules (BCRs) or standard contractual clauses (SCCs)—would technically not be in compliance with EU law and could face enforcement action depending on the DPA and whether a complaint is received.

What’s next? The European Commission said that the formal Privacy Shield adequacy decision would be prepared “in the coming weeks.” The Article 29 Working Party has called on the European Commission to communicate all relevant documentation on the Privacy Shield by the end of February, so it may assess the options for “all personal data transfers to the U.S” by the end of March and possibly issue a final decision by the end of April.

When assessing the Privacy Shield agreement, the Article 29 Working Party will do so on the basis of the Privacy Shield’s compliance with four “essential guarantees” for transfers of EU citizens’ data. The four essential guarantees are:

  1. There should be precise rules for processing, meaning any individual who is reasonably informed should be able to know what might happen with their data;
  2. Any government access to data should be governed by the principles of necessity and proportionality balancing the objective for which the data is collected and accessed and the rights of the individual;
  3. There should be independent oversight mechanisms that are effective and impartial; and
  4. There must be effective remedies available to individuals.

We will continue to monitor this issue over the course of the coming months and provide updates as they become available.

President Barack Obama requested $19 billion in his budget for 2017 to address cybersecurity in the United States, $5 billion more than was budgeted for the current year. Today, he issued an Executive Order that will create a commission within the Department of Commerce to be known as the “Commission on Enhancing National Cybersecurity.”

So, what will $19 billion buy? The President’s proposal calls for a number of measures designed to improve and strengthen cybersecurity. Some examples include:

  • $3.1 billion to update and replace old IT systems, along with a new position in the White House to lead the effort.
  • About $62 million is allotted for more cybersecurity professionals, including funding scholarship programs to strengthen the pipeline for this much needed human capital.
  • Amounts for the classified cyber budget for intelligence agencies such as the National Security Agency and the CIA.

The Commission on Enhancing National Cybersecurity under the President’s Executive Order would have as its mission:

To make detailed recommendations to strengthen cybersecurity in both the public and private sectors while protecting privacy, ensuring public safety and economic and national security, fostering discovery and development of new technical solutions, and bolstering partnerships between Federal, State, and local government and the private sector in the development, promotion, and use of cybersecurity technologies, policies, and best practices. The Commission’s recommendations should address actions that can be taken over the next decade to accomplish these goals.

The Commission will need to consider recommendations for at least the following:

  1. how best to bolster the protection of systems and data, including how to advance identity management, authentication, and cybersecurity of online identities, in light of technological developments and other trends;
  2. ensuring that cybersecurity is a core element of the technologies associated with the Internet of Things and cloud computing, and that the policy and legal foundation for cybersecurity in the context of the Internet of Things is stable and adaptable;
  3. further investments in research and development initiatives that can enhance cybersecurity;
  4. increasing the quality, quantity, and level of expertise of the cybersecurity workforce in the Federal Government and private sector, including through education and training;
  5. improving broad-based education of commonsense cybersecurity practices for the general public; and
  6. any other issues that the President, through the Secretary of Commerce (Secretary), requests the Commission to consider.

These actions are designed to affect both the public and private sectors. Accordingly, businesses need to monitor these activities to ensure compliance and that their efforts are consistent with recognized best practices.

Compliance and privacy officials all over the U.S. just let out a breath they had been holding since last October, when the European Court of Justice invalidated the US/EU Safe Harbor Program. BNA is reporting that negotiators just reached an agreement on a new data transfer framework between the U.S. and the European Union. Details are forthcoming and we will report on them here as we learn more about this development.

UPDATE:  Although we previously reported that a possible Safe Harbor resolution may be imminent, Bloomberg BNA is now reporting that a European Commission official has told them there may be no deal today to replace the U.S.-EU Safe Harbor Program.

According to BNA, when European Commissioner for Justice, Consumers and Gender Equality Vera Jourova goes before the European Parliament later today, she will only provide a status update on the negotiations as opposed to announcing a resolution of this issue.  Without an announcement resolving this matter today, it is possible the Art. 29 Party (made up of data protection officials from the 28 EU member states) may decide during their scheduled meeting tomorrow that individual Data Protection Authorities will start enforcement actions against companies over data transfers which are still based on the invalidated Safe Harbor Program.

We will continue to update this situation as it unfolds.

The folks over at Politico are reporting that the Senate Judiciary Committee struck a deal Wednesday night regarding the Judicial Redress Act. The committee adopted Senator John Cornyn’s amendment that ties the bill’s privacy protections to the proposed new Safe Harbor Agreement being negotiated between the U.S. and the EU. The Judicial Redress Bill attempts to strike a balance between providing EU citizens a judicial forum in which to bring privacy related claims and the need for the U.S. to protect national security. The Senate and House now have to agree on a bill to send to the President. Thousands of U.S. companies are watching with interest in the hopes that a new Safe Harbor agreement can be reached to avoid a last-minute scramble to put model data transfer agreements or binding corporate rules in place to allow the free flow of data across borders.

Bloomberg BNA is reporting that the EU hopes to reach a Safe Harbor deal with the U.S. on Monday, February 1, 2016.  Speaking at the Computers, Privacy and Data Protection Conference in Brussels, Paul F. Nemitz, Director for Fundamental Rights and Union Citizenship at the Directorate-General Justice of the European Commission said, “[w]e hope to be able to reach an [acceptable] arrangement.”   Mr. Nemitz is considered one of the top European Commission officials negotiating with the U.S. on reaching a successor treaty to the U.S.-EU Safe Harbor data transfer program.

As previously reported, on October 6, 2015, the Court of Justice of the European Union overturned the Safe Harbor program when it ruled in Schrems v. Data Protection Commissioner that the voluntary Safe Harbor Program did not provide adequate protection to the personal data of EU citizens. Post-Schrems, U.S. companies have been unclear about what to do to transfer data out of the EU in a compliant manner.

Mr. Nemitz said the European Commissioner for Justice, Consumers and Gender Equality, Vera Jourova, will go to parliament Monday evening to “inform member states then of the outcome” of talks to reach a resolution on a possible replacement for the Safe Harbor.  A January 31, 2016 deadline has been set by the Article 29 Working Party of data protection officials from the 28 EU member states.  The hope for agreement by February 1, 2016 is pertinent as the Art. 29 Party is scheduled to meet February 2, 2016 to discuss this issue.

Interestingly, U.S. Federal Trade Commissioner Julie Brill also appeared with Mr. Nemitz at the conference.  While Ms. Brill confirmed “[t]here’s absolutely a path to agreement,” she was less committal as to a potential Monday resolution saying, “[w]e need to get there. We can’t allow this to continue to be a stumbling block. But I don’t have a crystal ball.”

We will continue to monitor this situation and provide updates as we obtain them.