As we previously reported, the EU and U.S. reached agreement last week on the EU-U.S. Privacy Shield to replace the invalidated EU-U.S. Safe Harbor Program for transatlantic data transfers.  While the announcement of the Privacy Shield is a relief to the thousands of companies who relied on the Safe Harbor Program, details remain unclear.

What do we know so far? The European Commission announced the EU-U.S. Privacy Shield agreement on February 2, 2016. In announcing the agreement, the European Commission said:

The EU-US Privacy Shield reflects the requirements set out by the European Court of Justice in its ruling on 6 October 2015, which declared the old Safe Harbour framework invalid. The new arrangement will provide stronger obligations on companies in the U.S. to protect the personal data of Europeans and stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission (FTC), including through increased cooperation with European Data Protection Authorities. The new arrangement includes commitments by the U.S. that possibilities under U.S. law for public authorities to access personal data transferred under the new arrangement will be subject to clear conditions, limitations and oversight, preventing generalised access. Europeans will have the possibility to raise any enquiry or complaint in this context with a dedicated new Ombudsperson.

Based on the European Commission’s statements, the Privacy Shield will provide for more oversight by the U.S. Department of Commerce and the FTC. Additionally, specific limitations and parameters will be placed on law enforcement or national security access to personal data. Finally, a new Ombudsperson will be established to handle complaints. Providing further insight, the European Commissioner for Justice, Consumers and Gender Equality, Vera Jourova, said there would be “several affordable and accessible dispute resolution mechanisms,” and that EU citizens would be able to channel complaints to the U.S. Department of Commerce, which would act within a “reasonable deadline.”

Reacting in the United States, Penny Pritzker, U.S. Commerce Secretary, lauded the agreement as a way forward, and clarified that the FTC will coordinate with EU data protection officials to resolve complaints about government access to data.  Edith Ramirez, FTC Chairwoman, echoed Pritzker’s statement saying, “[w]e are pleased that U.S. and European Commission officials have reached an agreement in principle which, once finalized, will allow for the continuation of an important mechanism for transatlantic data transfers. Under the new agreement, the EU-U.S. Privacy Shield, the Federal Trade Commission will continue to prioritize enforcement of the framework as part of our broader commitment to protect consumers’ personal information and privacy. We will continue to work closely with our European partners to ensure consumer privacy is protected on both sides of the Atlantic.”

Summing up the months following the Court of Justice of the European Union’s ruling in Schrems v. Data Protection Commissioner, Pritzker went on to say that although “it was a tough negotiation focused on protecting privacy” she was confident the Privacy Shield would withstand scrutiny in the EU.

Ms. Pritzker’s statements are pertinent as the Article 29 Working Party of European Union member state data protection commissions still must assess the Privacy Shield arrangement. The Article 29 Working Party issued a more cautious response, backed by statements from Isabelle Falque-Pierrotin, chairwoman of the Article 29 Working Party and president of France’s DPA, who welcomed the Privacy Shield but clarified that, since no written agreement had been provided by the European Commission, the Article 29 Working Party could neither confirm nor deny whether the Privacy Shield complied with EU data protection law.

Importantly, Falque-Pierrotin went on to state that companies which continue to transfer data to the U.S. under the Safe Harbor framework without alternative arrangements—i.e. binding corporate rules (BCRs) or standard contractual clauses (SCCs)—would technically not be in compliance with EU law and could face enforcement action depending on the DPA and whether a complaint is received.

What’s next? The European Commission said that the formal Privacy Shield adequacy decision would be prepared “in the coming weeks.” The Article 29 Working Party has called on the European Commission to communicate all relevant documentation on the Privacy Shield by the end of February, so it may assess the options for “all personal data transfers to the U.S” by the end of March and possibly issue a final decision by the end of April.

When assessing the Privacy Shield agreement, the Article 29 Working Party will do so on the basis of the Privacy Shield’s compliance with four “essential guarantees” for transfers of EU citizens’ data. The four essential guarantees are:

  1. There should be precise rules for processing, meaning any individual who is reasonably informed should be able to know what might happen with their data;
  2. Any government access to data should be governed by the principles of necessity and proportionality balancing the objective for which the data is collected and accessed and the rights of the individual;
  3. There should be independent oversight mechanisms that are effective and impartial; and
  4. There must be effective remedies available to individuals.

We will continue to monitor this issue over the course of the coming months and provide updates as they become available.

In honor of Data Privacy Day, we provide the following “Top 10 for 2016.”  While the list is by no means exhaustive, it does provide some hot topics for organizations to consider in 2016.

  1. EU/U.S. Data Transfer (status of Safe Harbor). On October 6, 2015, the Court of Justice of the European Union (CJEU) ruled in Schrems v. Data Protection Commissioner (Case C-362/14) that the voluntary Safe Harbor Program did not provide adequate protection to the personal data of EU citizens. The Safe Harbor Program was used extensively by organizations that needed to transfer data from the EU to the U.S. Post-Schrems, U.S. companies have been unclear what to do to transfer data out of the EU in a compliant manner. The ultimate resolution of this issue is one of the most anticipated privacy topics for 2016.
  2. People Analytics including Employee Tracking/Wearables. The Federal Trade Commission’s January 2016 report discussing “big data” raised a number of issues for organizations concerning the use of data analytics with respect to consumer data, as well as the application of big data tools in the workplace. People analytics refers generally to a data-driven approach to managing an organization’s human capital, and it is likely to be a significant trend for employers in the months and years ahead. Some of the data used to perform the analytics is collected through the devices employees use and wear. For example, as GPS- and RFID-enabled devices become more prevalent, employers are faced with the difficulty of balancing the workplace risks against the ability to obtain information about employees’ whereabouts, which can substantially increase productivity. Similarly, wellness programs seek to incentivize employees (including the members of their household) to live “healthier” lives. Wearable technologies such as Fitbit allow for the collection of data which, when analyzed, can have substantial benefits and help control healthcare costs, but they can also raise privacy and discrimination risks.
  3. Risk Assessment/Written Information Security Program. Many businesses remain unaware of how much personal and confidential information they maintain, who has access to it, how it is used and disclosed, how it is safeguarded, and so on. Getting a handle on a business’ critical information assets must be the first step, and is perhaps the most important step to tackling information risk. It is logically impossible to adequately safeguard something you are not aware exists. In fact, failing to conduct a risk assessment may subject the business to penalties under federal and/or state law. Even if adopting a written information security program (WISP) to protect personal information is not an express statutory or regulatory mandate in your state (as it is in states such as CA, CT, FL, MA, MD, OR, etc.), having one is critical to addressing information risk. Importantly, an organization’s WISP should also address company data outside of the company’s control, such as data or information which is provided to vendors who provide services to an organization. Not only will a WISP better position a company when defending claims related to a data breach, it will also help the company manage and safeguard critical information and potentially avoid a breach from occurring in the first place.
  4. The Telephone Consumer Protection Act (TCPA).  According to statistics compiled by WebRecon LLC, 3,710 TCPA lawsuits were filed in 2015, representing an increase of 45% over 2014. Demonstrating consistency, 2015 marked the 8th year in a row where the number of TCPA suits increased from the preceding year. Tellingly, 23.6% of those suits (877) were filed as putative class actions. With the recent SCOTUS decision in Campbell-Ewald making defense of class actions under the TCPA more difficult, we expect the number of TCPA suits to continue to grow in 2016. Many of these suits are not just aimed at large companies.  Instead, these suits are often focused on small businesses that may unknowingly violate the TCPA.  With statutory damages ranging from $500 to $1500 per violation (e.g. per fax/text sent or call made) these suits often result in potential damages in the hundreds of thousands, if not millions, of dollars.  Understanding the FAQs for the TCPA and taking steps to comply with the TCPA is a great first step as we enter 2016.
  5. Industry Specific Guidance.  Whether it is the U.S. Food and Drug Administration (FDA) or the U.S. Commodity Futures Trading Commission (CFTC), organizations will need to remain vigilant in 2016 to ensure they are addressing industry specific rules or guidance regarding cybersecurity and the safeguarding of the information they maintain.
  6. BYOD/COPE. Many organizations have adopted policies allowing employees to utilize their own electronic devices in the workplace, and are turning to Bring Your Own Device (“BYOD”) programs, often without considering all of the risks and related issues. Some are sticking with Corporate Owned Personally Enabled (“COPE”) programs. If you are considering BYOD, you should review our comprehensive BYOD issues outline and determine whether BYOD or COPE is the best option for your organization.
  7. Investigating Social Media. The use of social media continues to grow on a global scale, and the content available on a user’s profile or account is often being sought in connection with litigation and/or employment decisions. While public content may generally be viewed without issue, employers need to be aware of how they are accessing social media content. This is especially true as the list of states enacting legislation to protect social media privacy continues to grow. In a litigation context, if private content is accessed improperly, serious repercussions can follow.
  8. Federal Trade Commission (FTC) & Federal Communications Commission’s (FCC) Enforcement Re: Data Security. Both the FTC and FCC continued enforcement actions in 2015 in connection with companies’ alleged failure to properly safeguard data. FCC actions resulted in consent decrees which included penalties in the hundreds of thousands of dollars, and mirrored previous consent decrees entered into by the FTC. However, 2015 decisions in cases stemming from the FTC’s actions found the FTC may have difficulty meeting its burden of proving that a company’s alleged unreasonable data security practices caused substantial consumer injury, or that any consumer whose personal information was maintained by a company suffered any harm as a result of such alleged conduct. For 2016 it remains to be seen just how far the FCC and FTC will go to continue enforcement actions related to data security. Nevertheless, organizations still need to be conscious of the statements or promises they make concerning their data security practices and implement appropriate safeguards to protect the personal information they maintain.
  9. HIPAA Compliance. The Office for Civil Rights (OCR) stated that in early 2016 it will launch Phase 2 of its audit program measuring compliance with HIPAA’s privacy, security and breach notification requirements by covered entities and business associates. As we previously discussed, having the right documents in place can go a long way toward helping an organization survive an OCR HIPAA audit. Now that it appears these audits are coming, it is important that covered entities and business associates invest the time in identifying and closing any HIPAA compliance gaps before an OCR investigator does this for them. This is particularly true as some of the largest HIPAA settlements to date are less about harm, and more focused on compliance.
  10. Develop a Plan for Breach Notification. All state and federal data breach notification requirements currently in effect require notice be provided as soon as possible (with some setting forth specific time periods). Failing to respond appropriately could result in significant liability.  Employers need to be conscious of data breach issues as the leading cause of breaches is employee error. Developing a breach response plan is not only prudent but also may be required under federal or state law.  A proactive approach is often the simplest and cheapest way to avoid liability.

Be Vigilant and Watch for New Legislation. Managing data and ensuring its privacy, security and integrity is critical for businesses and individuals, and is increasingly becoming the subject of broad, complex regulation. As such, companies are left to navigate the constantly evolving web of growing state legislation and/or industry guidance. Organizations therefore need to be vigilant in order to remain compliant and competitive in this regard.

As the year draws to a close, employer claims under the Computer Fraud and Abuse Act (“CFAA”) against departing employees for stealing or otherwise diverting employer information without authorization to do so are dying slow deaths in many federal courts across the nation. As noted over on the Non-Compete and Trade Secrets Report, the U.S. federal circuits are split regarding whether an employee acts “without authorization” under CFAA when he or she steals employer confidential data at or near termination. The Second, Ninth and Fourth Circuits hold that as long as the employee was permitted to be on a computer for any purpose, diversion of employer information is “authorized” under CFAA. In contrast, the First, Fifth, Seventh, and Eleventh Circuits have adopted a broad construction, allowing CFAA claims alleging an employee misused employer information that he or she was otherwise permitted to access.

Now, in North Carolina at least, employers may have better luck fighting malevolent employees under the North Carolina statutory corollary to the CFAA. In Spirax Sarco, Inc. v. SSI Eng’g, the Eastern District of North Carolina put teeth into the North Carolina Computer Trespass Act (“NC Computer Trespass Act”), giving employers a new weapon in the fight against trade secret and confidential information misappropriation by departing employees. The NC Computer Trespass Act, N.C. Gen. Stat. § 14-458, provides, in relevant part:

(a) . . . [I]t shall be unlawful for any person to use a computer or computer network without authority and with the intent to do any of the following:

(1) Temporarily or permanently remove, halt, or otherwise disable any computer data, computer programs, or computer software from a computer or a computer network. . . .

(3) Alter or erase any computer data, computer program or computer software. . . . [or]

(5) Make or cause to be made an unauthorized copy, in any form, including, but not limited to, any printed or electronic form of computer data, computer programs, or computer software residing in, communicated by, or produced by computer or computer network.

Unlike the CFAA, the NC Computer Trespass Act defines “without authority” clearly. An employee acts “without authority” when either the employee has no right or permission to use a computer, or the employee uses a computer in a manner exceeding the right or permission given by the employer. The United States District Court for the Eastern District held that a departing employee who intentionally used his employer-issued laptop to download vast quantities of computer files to his own media devices and Dropbox account was acting “without authorization” under the NC Computer Trespass Act. The Court also noted that the former employee had deleted vast quantities of computer files from the Spirax-issued laptop “without authorization” to do so.

Spirax provides employers with employees in North Carolina a new tool for protecting corporate information from unauthorized access without the need to tread into the murky waters of the CFAA.

On December 17, 2015, following four years of sometimes acrimonious debate, the EU Parliament and Council of the European Union informally agreed on the final draft of the General Data Protection Regulation (“GDPR”). The GDPR will replace what privacy experts refer to simply as “95/46”, the 1995 law known as the EU Data Protection Directive, once officially adopted by the Parliament and Council of the EU. It will go into effect two years from passage.

Multinational companies should use the next two years to begin aligning privacy policies and practices with the principles in the new regulation. Key elements of the GDPR include:

  • One Law/One Rule: Unlike 95/46, which was implemented separately by individual EU member states, the GDPR applies directly to all EU member nations and is intended to create more consistency across the EU regarding data protection. A business that operates in more than one member state will now deal only with the Data Protection Authority (“DPA”) in the country where the business is most established. This lead DPA will handle cross-border data transfers.
  • Broader Brush: The GDPR is expressly extra-territorial. It applies on its face to data controllers and processors outside the EU where their data processing activities affect EU residents. Also, the definition of “personal data” has been expanded to include information related to a data subject’s physical, physiological, genetic, mental, economic, cultural or social identity.
  • Consent Rules: Consent remains a valid basis upon which to process data, though likely not in the employment context. Under the GDPR, consent must be freely given, specific, informed and constitute an unambiguous indication of the data subject’s agreement to the processing of the data subject’s personal data.
  • Data Breach Notification: The GDPR establishes a uniform data breach notification requirement applicable to all data controllers. In the event of a data breach leading to the loss, access or disclosure of personal data, controllers must notify the appropriate DPA “without undue delay,” and, where feasible, within 72 hours. Like many US data breach notification laws, GDPR contains a notice exception where the data is encrypted or where it is unlikely the data subject will be harmed.
  • Required Data Protection Officers: The GDPR requires data controllers and processors to appoint a data protection officer (“DPO”) if the business’s “core activities” consist of regular and systematic data subject monitoring or the processing of sensitive personal data (relating to, e.g., health, ethnicity, trade union membership) or data relating to criminal convictions and offenses.
  • Rules on Data Transfer: Binding Corporate Rules are recognized as the “gold standard” for data transfer. Also, data transfer out of the EU will be allowed where the European Commission has issued a decision affirming the adequacy of the level of data protection in the country where the data is being transferred. DPAs will not have to approve EU Model Contract Clauses, which remain valid under the GDPR.
  • Sanctions: GDPR gives data subjects a private right of action in EU courts. Data subjects will have a right to money damages from either controllers or processors for harm caused by processing personal data. DPAs will have enforcement authority similar to US regulators. A European Data Protection Board will issue opinions, adopt binding decisions and otherwise oversee data protection processes.

In the last two weeks, the Office for Civil Rights (OCR) announced two substantial settlements under HIPAA that together totaled $4.35 million. These large amounts seem to be driven not by actual harm to individuals, but in significant part by alleged HIPAA compliance failures identified by OCR following investigations commenced in response to receipt of data breach reports. It is a mistake to believe that timely and otherwise compliant reporting of supposed “no harm, no foul” data breaches will result in minor, if any, enforcement activity; that is, if the agency believes you have not satisfactorily complied with the privacy and security standards.

Depending on the circumstances of the breach, an OCR investigation will look at why the breach occurred, but it likely will go beyond that to examine compliance with basic HIPAA privacy and security standards, even if indirectly related to the breach at hand.

Let’s see how this could play out. In the case of the $3.5 million settlement with Triple-S Management Corporation, there were a number of breaches reported to OCR:

  • Former Triple-S employees, while employed by a Triple-S competitor, improperly accessed restricted areas of a Triple-S subsidiary’s database. According to OCR’s announcement, the individuals’ access rights were not terminated upon leaving Triple-S employment. This allowed the former employees to access names, contract numbers, home addresses, diagnostic codes and treatment codes of covered individuals.
  • As we reported, a Triple-S subsidiary reported to OCR that in September 2013 a vendor disclosed Medicare Advantage beneficiaries’ protected health information (PHI) on the outside of a pamphlet mailed to the beneficiaries, about 13,000 of them.
  • In another breach, a Triple-S subsidiary reported that a former employee of a business associate copied beneficiary ePHI onto a CD, took it home for an unknown period of time, and then downloaded it onto a computer at his new employer. The ePHI included beneficiaries’ enrollment information, including names, dates of birth, contract numbers, HICN, home addresses and Social Security numbers.
  • Another breach involved enrollment staff who placed the incorrect member ID cards in mailing envelopes, resulting in beneficiaries receiving the member ID card of another individual. The PHI included members’ names, identification numbers, benefit packages, effective dates, contract numbers, co-payments and deductibles.

Note – these are not sophisticated systems attacks carried out by unnamed international identity theft rings or by nation states. They are essentially mistakes in the handling of PHI that can happen at any covered entity or business associate.

Each of the incidents above affected more than 500 individuals, and there were a handful of other breaches summarized in the resolution agreement affecting fewer than 500 individuals. But there was no discussion of harm to any affected individuals in support of the settlement amount. Instead, OCR itemized a number of alleged compliance failures, not all of which directly led to the breaches, such as:

  • Not implementing appropriate administrative, physical, and technical safeguards to protect PHI
  • Disclosing PHI to an outside vendor without a business associate agreement
  • Using and disclosing more than the minimum necessary PHI
  • Not conducting an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems
  • Not implementing sufficient security measures to reduce risk to ePHI to a reasonable and appropriate level.

In addition to paying $3.5 million, Triple-S will need to establish a comprehensive compliance program satisfactory to OCR that includes a risk analysis and a risk management plan, policies and procedures for compliance with HIPAA requirements, training and other measures.

Of course, OCR’s approach makes sense in that its purpose generally is not to remedy harm to individuals affected by data breaches, but to enforce compliance with the HIPAA privacy and security standards. Covered entities and business associates should avoid, therefore, underestimating potential regulatory exposure because of a “no harm, no foul” view of reported data breaches. Compliance and steps to prevent breaches are the agency’s focus, not whether the breach actually harms affected persons, although significant harm to affected individuals would strengthen the agency’s enforcement position.

Preparedness is key!

Demonstrating its continued commitment to data security enforcement, the Federal Communications Commission (FCC) recently announced that Cox Communications Inc., the nation’s third largest cable operator, agreed to pay $595,000 to resolve an investigation into whether the company failed to properly protect its customers’ personal information. The agreement ends the first data security enforcement action brought by the FCC against a cable operator.

The investigation by the FCC Enforcement Bureau determined that Cox’s electronic data systems were breached in 2014 by a hacker who pretended to be from Cox’s information technology department and convinced both a Cox customer service representative and a Cox contractor to enter their account IDs and passwords into a fake, or “phishing,” website. The user access information was then utilized to obtain customers’ personally identifiable information, which included names, addresses, email addresses, secret questions/answers, PINs, and in some cases partial Social Security and driver’s license numbers, as well as Customer Proprietary Network Information (CPNI) of the company’s telephone customers.

Under the Communications Act, a cable operator shall not disclose personally identifiable information concerning any subscriber without the prior consent of the subscriber, and shall take steps necessary to prevent unauthorized access to such information by a person other than the subscriber or cable operator. Importantly, during its investigation, the FCC found Cox’s data security systems did not include readily available measures that might have prevented the use of the compromised credentials. Additionally, the company never reported the breach to the FCC’s data breach portal, as required by law.

According to Travis LeBlanc, Chief, Enforcement Bureau: “Cable companies have a wealth of sensitive information about us, from our credit card numbers to our pay-per-view selections….This investigation shows the real harm that can be done by a digital identity thief with enough information to change your passwords, lock you out of your own accounts, post your personal data on the web, and harass you through social media.”

In addition to identifying (and notifying) all affected individuals, the order and consent decree also requires the company to provide free credit monitoring services for one year. Further, Cox must improve its privacy and data security practices by: (i) designating a senior corporate manager who is a certified privacy professional; (ii) conducting privacy risk assessments; (iii) implementing a written information security program; (iv) maintaining reasonable oversight of third-party vendors; (v) implementing a more robust data breach response plan; and (vi) providing privacy and security awareness training to employees and third-party vendors.

In the past year, the FCC has taken three enforcement actions for violations of the Communications Act and Commission rules related to protection of customer personal information, resulting in over $28 million in penalties.

This resolution, and the facts underlying the data incident, demonstrate not only the lengths to which hackers will go to obtain personal information, but also how easily the hacker was able to obtain IDs and passwords. As we have discussed, implementation of a written information security program, including prohibitions on sharing user access credentials (IDs and passwords) and employee training on data security, may very well have prevented this incident.

On October 6, 2015, California Governor Jerry Brown signed three new laws which substantially alter and expand the state’s security breach notification requirements. The new changes to California Civil Code sections 1798.29 and 1798.82, the Golden State’s laws that require notifications by state agencies and private sector entities of certain breaches of security (i) provide a definition for encryption, (ii) establish new requirements for the content and form of breach notifications, and (iii) add license plate information gathered through automated license plate recognition (ALPR) systems to the definition of personal information subject to the state’s notification requirements. These changes become effective January 1, 2016.

When is Personal Information Considered “Encrypted”?

Under California’s current law, if personal information is “encrypted,” the notification requirements will not apply. Until now, the law had not defined when personal information would be considered to be “encrypted.” Assembly Bill 964 amends California Civil Code sections 1798.29 and 1798.82 to provide a definition for this previously undefined term. With passage of the amendment, the term “encrypted” is now defined as “rendered unusable, unreadable or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information technology.” This language seems to allow for flexibility in the types of encryption that can be applied, as well as for future changes in encryption technology.

Updates to Content and Form of Breach Notification

Senate Bill 570 amends California Civil Code sections 1798.29 and 1798.82 to clarify the content of the security breach notifications required of government agencies and businesses, and provides a model security breach notification. All security breach notifications must now be titled “Notice of Data Breach” and present required information under the following headlines: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.” The notice must be designed to call attention to the nature and significance of the matter, must be clear and conspicuous, and must be in text no smaller than 10-point type.

Use of the model notification form will be deemed compliant with California’s notification requirements, and is thus helpful for agencies and businesses when trying to understand what the notice needs to say. However, in the case of breaches affecting individuals in multiple states, when simplifying the notification process is critical, use of California’s model notice across multiple states may be problematic. For example, the “What Happened” section should not be included in notices to Massachusetts residents, as that state’s law prohibits including a description of the nature of the breach or unauthorized acquisition or use.

Information Obtained from Automated License Plate Recognition Systems is Personal Information

Popular among local law enforcement, automated license plate recognition (ALPR) systems allow license plate information to be captured from video and stored. Senate Bill 34 added new sections to California’s Civil Code, beginning with section 1798.90.5, to require that certain users of those systems (called ALPR operators) safeguard ALPR information, including a requirement to implement a usage and privacy policy in order to ensure that the collection, use, maintenance, sharing and dissemination of ALPR information is consistent with respect for individuals’ privacy and civil liberties. In addition, the Senate Bill amends California Civil Code sections 1798.29 and 1798.82 to include information obtained from ALPR systems in the definition of “personal information” when used along with an individual’s name. Thus, if this information is involved in a breach of security, it will trigger a notification requirement. Also, individuals harmed by unauthorized access to or use of ALPR information, or by a breach of security of an ALPR system, may bring a private right of action.

These amendments represent significant changes to the security breach notifications provisions of Civil Code sections 1798.29 and 1798.82, as well as additional protections for information obtained from ALPR systems. In particular, they impact how to respond to security breaches, how to protect personal information and the scope of what information is protected. Businesses are encouraged to review their encryption policies, adopt compliant security breach notification forms and, if using an ALPR system, adopt compliant policies with respect to ALPR information and the employees who control those systems.

UPDATE:  The Federal Communications Commission (FCC) has reached a settlement with two telecom companies in connection with allegations the telecom companies violated the law regarding the privacy of phone customers’ personal information.

As we previously reported and discussed, in October 2014 the FCC initiated its first data security case against TerraCom, Inc. and YourTel America, Inc.  Originally, the FCC had proposed a $10 million fine, which at the time made it the largest privacy action in the FCC’s history.  Ultimately, the FCC and the telecom companies reached agreement on a $3.5 million settlement.

According to the consent decree, the companies allegedly breached the personal information of over 300,000 consumers through lax security practices, despite the two companies’ privacy policies stating that they had in place “technology and security features to safeguard the privacy of your customer specific information from unauthorized access or improper use.”

In addition to the $3.5 million settlement, the companies are also required to provide notification to all customers whose information was subject to the breach, provide credit monitoring to each individual, and improve privacy and data security by taking a number of additional steps.  Those steps include, by way of example:

While the settlement is significantly lower than the initial proposed fine, this matter demonstrates the significant liability associated with the failure to adequately safeguard information and/or to implement safeguards consistent with a company’s statements regarding same.

Among the multitude of unpleasant issues facing a company whose network has been breached is potential liability to customers and employees whose personal information has been compromised.  However, recent district court decisions from around the country continue to limit the opportunity of those customers and employees to have their day in court.  Specifically, these cases have held that, in order for a customer or employee whose data has been stolen to gain standing to sue the company that experienced the breach, the customer or employee must show that the stolen data was, in fact, used to the customer or employee’s financial detriment.  And such financial detriment must be “concrete.”  Increased risk of future harm does not suffice, damages are not recoverable for “mitigation” measures – such as the purchase of credit monitoring services – taken to protect against speculative future harm, and an individual’s allegations that he fears such future harm will generally not be enough to establish a claim for emotional distress.

In Green v. eBay Inc., the U.S. District Court for the Eastern District of Louisiana dismissed a putative class action brought on behalf of eBay customers whose data was stolen when eBay user information was hacked.  The suit alleged that, as a result of eBay’s security failure, Plaintiffs suffered (a) actual identity theft, (b) improper disclosure of their personal information, (c) out-of-pocket expenses incurred to mitigate the increased risk of identity theft and/or identity fraud, (d) the value of the time they had spent mitigating identity theft and/or identity fraud, and (e) the deprivation of the value of their personal information.  eBay’s failure, Plaintiffs alleged, violated the Federal Stored Communications Act, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and several state laws.  The Court disagreed.  Noting that the “mere increased risk of identity theft or identity fraud alone does not constitute a cognizable injury[,] unless the harm alleged is certainly impending,” the Court dismissed the suit in its entirety.

Similarly, in Strautins v. Trustwave Holdings, Inc., the U.S. District Court for the Northern District of Illinois granted Defendant’s motion to dismiss Plaintiffs’ class action lawsuit seeking damages stemming from the hacking of the South Carolina Department of Revenue.  The data breach had exposed in excess of 3.5 million social security numbers, 380,000 credit and debit card numbers, and the tax records of more than 650,000 businesses.  Plaintiffs alleged that they had not received timely and adequate notification of this breach, and that the breach had resulted in the improper disclosure of their personal information, loss of privacy, the need to incur out-of-pocket mitigation expenses (relating both to dollars spent and time expended), and deprivation of the value of their personal identifying information.  They also alleged that Defendant, by failing to protect their data, had violated their rights under the Fair Credit Reporting Act.  The Court, however, found that Plaintiffs’ “claims of injury . . . [were] too speculative to permit the complaint to go forward.” “Allegations of possible future injury are not sufficient to establish standing,” the Court held. Instead, the “threatened injury must be certainly impending.”  (Emphasis in original.)

Even if a plaintiff can show that a hacker used the data it stole from plaintiff’s employer or merchant, such use may not suffice to confer standing on the plaintiff, unless he can also show that he suffered financial harm as a result.  In Peters v. St. Joseph Services Corp., for example, hackers infiltrated a health care system provider’s network and accessed personal information of patients and employees, including names, social security numbers, birthdates, addresses, medical records, and bank account information.  Even though there was an attempted purchase on Plaintiff’s credit card, which she declined when she received a fraud alert, the U.S. District Court for the Southern District of Texas held that Plaintiff did not have standing to bring suit.  The basis for the Court’s holding was that Plaintiff’s allegation that the breach exposed her to certainly impending or substantial risk of identity fraud/theft was too speculative and attenuated to constitute injury-in-fact.  Notably, she was unable to “describe how [she would] be injured without beginning the explanation with the word ‘if.’”

Notwithstanding the above decisions, companies should continue striving to establish legal and technological protections against data breaches and exposure to related liability.  Even where class actions and other litigations fail, federal agencies and state attorneys general may continue to investigate data breaches and take enforcement actions.  (Many have, the Massachusetts Attorney General being one example.)  These actions can include, among other things, significant fines and increased oversight of the company’s data privacy and security compliance.  And, of course, the potential consequences of data breaches do not end there.  Companies that experience a breach may also suffer damage to their brand and to employee morale.

In Guidance Update No. 2015-02, the Division of Investment Management (Division) of the Securities and Exchange Commission (SEC) issued some high-level suggestions concerning the importance of cybersecurity for registered investment companies and registered investment advisers. The guidance outlines a number of measures these entities should consider for addressing cybersecurity risks. Of course, while some of these and other measures may have specific application to certain sectors of the financial services industry, many of these measures can and should be applied in most organizations, regardless of industry.

Increasingly, companies are realizing the need to tighten their policies and practices concerning information risk, but are not sure where to start or what framework to follow. There are, for sure, industry-specific rules and regulations, such as the HIPAA privacy and security regulations that apply to healthcare providers, healthcare clearinghouses, health plans and their respective business associates, as well as state law mandates, such as the data security regulations in Massachusetts. The endnotes in this Guidance discuss and provide helpful links to more specific SEC rules concerning the safeguarding of personal information, such as the Red Flag rules. But among these standards are a number of common threads, many of which are contained in the Division’s guidance referred to above. These include:

  • Conduct a risk assessment designed to help the company understand the “nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses” as well as the effectiveness of its governance structure to ensure appropriate controls are in place. This should be done regularly, perhaps annually. It also should be done when there are material changes in the business that are reasonably likely to alter the risks to sensitive data.
  • Develop access management policies. Not everyone in an organization should have access to all of its data. The first step is finding out who has access to what. See first bullet above…you might be surprised by what you find; scale back from there.
  • Prepare a written information security program that addresses necessary and appropriate administrative, physical and technical safeguards that you have implemented.
  • Strengthen perimeter defenses – maintain up-to-date firewalls and malware and virus protections. The federal Office for Civil Rights claimed a healthcare provider failed to do this, and it cost the company $150,000.
  • Get control of mobile storage devices and consider whether a more formal “Bring Your Own Device” program is needed.
  • Address whether and under what circumstances encryption is warranted. Some applications may slow down operations, but that level of protection may help the company avoid a significant exposure.
  • Develop and practice an incident response plan. Writing down a plan for responding to a data breach is a good start, but for the members of your team that would be called upon to carry out the plan, a few dry runs would be beneficial.
  • Don’t leave your staff in the dark about what you have done – train your employees and create security awareness throughout the organization.
  • Make sure the third party service providers that the company relies upon are taking similar steps to safeguard data on your behalf.

Will following just these points mean you are 100% compliant with all of the company’s regulatory and contractual obligations pertaining to privacy and data security? Probably not. But they certainly will get you a lot closer and eliminate a substantial amount of risk.