
January 31, 2011

ENISA Publishes a Report on Data Breach Notifications in Europe

The European Network and Information Security Agency (ENISA), an agency helping the European Commission, the Member States and the business community to address and prevent network and information security issues, published this month a report (the Report) on data breach notifications in the European Union (EU).

Directive 2009/136/EC amended Directive 2002/58/EC (the ePrivacy Directive). The revised ePrivacy Directive introduces the concept of mandatory data breach notification into EU law. Member States must implement the Directive by May 25, 2011, but, as of now, data breach notifications are not yet mandatory in most Member States.

Since most Member States have not yet implemented the Directive, telecommunication operators cannot yet rely on their national legislators for guidance on how to comply effectively with data breach notification requirements. This is why ENISA surveyed and interviewed regulatory authorities, legal experts, private companies and industry experts to gather information about the challenges the telecommunications sector may have to face in order to comply with mandatory data breach notifications.


The Report found that telecommunication operators were worried that mandatory breach notifications would have a negative effect on their brands, and were asking how to assess whether a particular breach is serious enough to trigger a notification, so as to prevent ‘notification fatigue’ for both the operator and the data subjects.


The new EU data breach notification rules

ENISA considers that making data breach notification mandatory “is an important development with a potential to increase the level of data security in Europe and foster reassurance amongst citizens on how their personal data is being secured and protected by electronic communication sector operators.”(p. 8)

Article 2(i) of the revised ePrivacy Directive now defines a “personal data breach” as:

a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the Community.

The revised Article 4 of the ePrivacy Directive states that:

In the case of a personal data breach, the provider of publicly available electronic communications services shall, without undue delay, notify the personal data breach to the competent national authority.

When the personal data breach is likely to adversely affect the personal data or privacy of a subscriber or individual, the provider shall also notify the subscriber or individual of the breach without undue delay.

Notification of a personal data breach to a subscriber or individual concerned shall not be required if the provider has demonstrated to the satisfaction of the competent authority that it has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the security breach. Such technological protection measures shall render the data unintelligible to any person who is not authorised to access it.

Without prejudice to the provider’s obligation to notify subscribers and individuals concerned, if the provider has not already notified the subscriber or individual of the personal data breach, the competent national authority, having considered the likely adverse effects of the breach, may require it to do so.

The notification to the subscriber or individual shall at least describe the nature of the personal data breach and the contact points where more information can be obtained, and shall recommend measures to mitigate the possible adverse effects of the personal data breach. The notification to the competent national authority shall, in addition, describe the consequences of, and the measures proposed or taken by the provider to address, the personal data breach.

Operators are worried that mandatory notifications may damage their brand

The Report noted that “[o]perators want assurances that notification requirements will not negatively impact their brand” (p. 4) and that “[b]rand is an important issue for all operators” (p. 26). It is thus important for them to remain in control of the communications with their customers affected by the breach, so that they can “effectively manage any impact on brand perception brought about by the data breach and subsequent notification” (p. 26).

However, having to inform one’s customers of a breach may also be regarded, in a “the glass is half full” sort of way, as an opportunity to communicate with customers, and thus, overall, to increase the goodwill of the company. Bruce Schneier, a data security expert, wrote on his blog in January 2009 that the “direct mail campaign to notify customers… often turns into a marketing opportunity.”

Data Breach Notification Fatigue?

The Report also found that breaches of personal data that are likely to cause harm to data subjects or violate their rights should be subject to mandatory notification. However, if the breached data is encrypted, there may be no real risk that the data will be exploited, and notifying the customer may then be “redundant” (p. 33). Note that the exemption in Article 4 only applies where the protection measures actually rendered the data unintelligible to unauthorised persons; encrypted data whose decryption key was exposed in the same incident does not qualify. Too many notifications would be like crying wolf, undermining customers’ confidence in the organization while desensitizing them. In other words, if you receive data breach notifications regularly, you may treat them as just another piece of junk mail.

It is interesting to note that EU customers do not have a centralized, US-style credit reporting system. When a U.S. customer receives a data breach notification, he or she is often offered a year of free credit monitoring. Also, the Fair Credit Reporting Act guarantees U.S. consumers access to a free credit report from each of the three nationwide credit reporting companies every year. It could be argued that, since EU customers do not have a centralized way to monitor suspicious activity on their accounts, the difficulty of monitoring such activity adds to the “so what?” reaction that ENISA fears too many notifications may induce.

ENISA proposes some indicators for triggering data breach notification

In order to avoid notification fatigue, the Report suggests enabling a consistent methodology across Europe by considering several relevant indicators for triggering data breach notifications (p. 33):

1. Number of people affected

2. Nature of the data that has been breached (see p. 17):

- Physical or mental health data
- Information relating to the sexual life of the data subject
- Political, philosophical or religious beliefs
- Information relating to the alleged or actual commission of a criminal offence
- Whether the data subjects involved are minors
- Whether or not the data breach involved financial data

3. Nature of the breach (widespread, or an isolated incident)

4. Security level (whether the data was encrypted)


Hopefully, the Report will be a useful source of information to telecommunication providers before the Member States in which they operate implement the revised ePrivacy Directive.




January 30, 2011

Senate Introduces Cybersecurity Legislation

On January 25, 2011, the 112th Congress introduced its first data security-related bill—the Cybersecurity and American Cyber Competitiveness Act (S. 21). The bill is co-sponsored by Senate Majority Leader Harry Reid and several Senate Committee leaders, including Senators Leahy, Levin, Bingaman, Kerry, Rockefeller, Lieberman, and Feinstein. The bill seeks to safeguard critical technology infrastructure from cyber attacks and protect individual privacy by improving identity theft prevention measures, guarding against personal information abuse, and seeking to promote international cooperation to combat cyber threats. More information regarding S. 21 is available in a statement released by the bill’s co-sponsors.

January 27, 2011

Google Faces International Lawsuit Over Privacy Breach Caused by Buzz Tool

In early January 2011, Canadian consumers brought a class action against Google regarding a privacy breach caused by Google’s Buzz social networking and messaging tool. The lawsuit, filed in the Manitoba Court of Queen’s Bench, alleged that Google breached consumers’ privacy because the Buzz tool’s default settings allowed users to view private profile information about other users without consent. Under Canadian privacy law, consumers may collect up to $5,000 per consumer in damages for each privacy breach.

A number of privacy advocates and consumers have expressed concerns over Google’s Buzz tool since its launch in early 2010. In February 2010, the Electronic Privacy Information Center filed a complaint with the Federal Trade Commission (“FTC”), urging an FTC investigation and alleging that Google’s Buzz “violated user expectations, diminished user privacy, contradicted Google’s privacy policy, and may have violated federal wiretap laws.” Further, in November 2010, Google settled a U.S. class action relating to privacy protections for $8.5 million. Finally, a number of countries’ privacy commissioners and data protection authorities, including Canada, France, Germany, Israel, Italy, Ireland, Netherlands, New Zealand, Spain, and the United Kingdom, sent a letter to Google in April 2010, expressing concern over the Buzz tool and directing Google and other international corporations to respect individuals’ privacy rights.

January 26, 2011

House Judiciary Committee Debates Mandatory Data Retention Requirements

On January 25, 2011, the United States House of Representatives Committee on the Judiciary’s Subcommittee on Crime, Terrorism, and Homeland Security (“Crime Subcommittee”) held a hearing on the data retention policies of Internet service providers (“ISPs”) and web hosting companies, such as social-networking sites. According to a representative from the Department of Justice, who testified at the hearing, ISPs’ disparate data retention policies hamper criminal investigations and other law enforcement and prosecutorial initiatives. The Department of Justice has recommended that Congress create mandatory data retention requirements to help facilitate law enforcement and prosecutorial activities. No specific legislation was proposed during the Crime Subcommittee hearing; rather, legislators and agency and industry representatives explored the need for data retention requirements.

Privacy advocates have questioned the implications of mandatory data retention requirements that would require entities to maintain sensitive consumer data, such as personally identifiable Internet address information, email, instant messaging correspondence, and the Web pages users visit. For example, past data retention legislation would have required certain Internet companies to retain Internet protocol addresses for two years. These data retention proposals conflict with recent agency privacy-protection recommendations advocating the storage of less consumer data, such as the Federal Trade Commission’s proposed privacy framework, which suggests that businesses should “retain[] consumer data for only as long as they have a specific and legitimate business need to do so.”

More information regarding the Crime Subcommittee’s hearing is available here.

January 21, 2011

FTC Extends Deadline for Comments on Privacy Report to Feb. 18

The FTC announced today that it extended the deadline to comment on its preliminary staff report, "Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policy Makers" until February 18.  Several organizations had requested this extension due to the size and complexity of the report.

To file comments electronically, click here.

January 19, 2011

Supreme Court Rules Background Checks on Government Contractors are Reasonable

Today, the Supreme Court issued its decision in NASA v. Nelson, a case relating to employee privacy.  The Court unanimously ruled (Justice Kagan recused herself) that the federal government has broad latitude to ask questions about the background of independent contractors who work at government facilities.

The Ninth Circuit had previously ruled that the background checks at issue were too invasive of individual privacy because they asked about drug treatment and counseling within the previous year, and asked open-ended questions about the individual's employment suitability.  The background check policy at issue was developed after the 2001 terrorist attacks.

Writing for the Court, Justice Alito stated that "the challenged portions of [the forms] consist of reasonable, employment-related inquiries that further the Government's interest in managing its internal operations."  The Court rejected arguments that the Government's inquiries violated a constitutional right to informational privacy.

The full opinion is available here.

January 16, 2011

Facebook Class Action Lawsuits: Consent and Injury in Social Networking


On January 11, 2011, Facebook filed two motions to dismiss against privacy class action lawsuits filed against it in the Northern District of California. 


In Cohen v. Facebook Inc., filed on November 22, 2010, the plaintiffs allege that Facebook’s “Friend Finder” service uses Facebook users’ images and likenesses in advertising without their knowledge or consent.  Specifically, the Complaint alleges that Facebook’s Friend Finder service “uploads users’ entire body of email contacts to a database maintained by Facebook”.  It alleges that Facebook fails to adequately disclose “that Facebook reserves the right to use email contacts uploaded through Friend Finder to spam non-Facebook members to join Facebook.”  The Complaint further alleges that the names and likenesses of some users who never agreed to use the Friend Finder service were also used to solicit their friends to use it.


The second lawsuit, captioned In re Facebook Privacy Litigation and filed on October 11, 2010, claims that Facebook violated its privacy policies by transmitting users’ personally identifiable information to advertising partners.  Specifically, the Complaint alleges that Facebook “has caused users’ browsers to send “Referrer Headers” transmissions to advertisers that report the user ID or username of the user that clicked the ad, as well as the page the user was viewing just prior to clicking on the ad.”


Facebook argues in both motions that the users consented to Facebook’s practices, and that neither complaint adequately alleges the necessary injury to the plaintiffs.  With regard to the “Referrer Headers,” Facebook argues that users grant Facebook an “irrevocable license to access and use any content a User posts anywhere on Facebook.”   As for the “Friend Finder”, Facebook argues that “Friend Finder” is a Facebook-generated service and users have consented to the use of their name and likeness with Facebook services.    
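The “Referrer Headers” allegation turns on ordinary browser behaviour: when a user clicks an ad, the browser sends the URL of the page the user was on as the Referer header, and if that URL contains a user ID or username the ad server receives it. The following is an added example, not code from the complaint, from Facebook or from any ad network, that models that mechanism with Node's built-in URL class. The site and ad hostnames, the profile URL shapes (`/profile.php?id=…` and `/<username>`) and the small subset of referrer policies implemented are all assumptions made for the illustration.

```javascript
// Added example (not from the page's sources): how a Referer header can carry
// a user identifier to a third-party ad server, and how a referrer policy
// changes what the ad server sees. Runs under Node.js with no dependencies.

// Simplified model of a browser computing the Referer for a click from
// pageUrl to targetUrl. Covers a subset of the W3C Referrer Policy values.
function refererFor(pageUrl, targetUrl, policy = "no-referrer-when-downgrade") {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  const sameOrigin = page.origin === target.origin;
  // "downgrade" = leaving an https page for an http target
  const downgrade = page.protocol === "https:" && target.protocol === "http:";

  // Full referrer: the page URL minus credentials and fragment
  const full = () => {
    const u = new URL(page.href);
    u.username = "";
    u.password = "";
    u.hash = "";
    return u.href;
  };
  // Origin-only referrer: scheme + host, nothing from the path or query
  const originOnly = () => page.origin + "/";

  switch (policy) {
    case "no-referrer":
      return null;
    case "no-referrer-when-downgrade":
      return downgrade ? null : full();
    case "origin":
      return originOnly();
    case "same-origin":
      return sameOrigin ? full() : null;
    case "strict-origin-when-cross-origin":
      if (downgrade) return null;
      return sameOrigin ? full() : originOnly();
    default:
      throw new Error(`unsupported referrer policy: ${policy}`);
  }
}

// What an ad server could recover from the Referer, under the assumed
// (hypothetical) URL conventions: /profile.php?id=<userId> or /<username>.
function identifyFromReferer(referer) {
  if (!referer) return null;
  const u = new URL(referer);
  const id = u.searchParams.get("id");
  if (id) return { userId: id, page: u.pathname };
  const m = u.pathname.match(/^\/([A-Za-z0-9.]+)\/?$/);
  if (m && !m[1].endsWith(".php")) return { username: m[1], page: u.pathname };
  return { page: u.pathname };
}

// Demonstration with constructed URLs (social.example and ads.example are
// placeholders, not real sites).
const profilePage = "https://www.social.example/profile.php?id=1234";
const adClick = "https://ads.example/click?ad=42";
for (const policy of ["no-referrer-when-downgrade", "origin", "no-referrer"]) {
  const referer = refererFor(profilePage, adClick, policy);
  console.log(policy, "->", referer, JSON.stringify(identifyFromReferer(referer)));
}
```

With the browser default of the time (`no-referrer-when-downgrade`), the ad server receives the full profile URL and can read the user ID out of it; with an origin-only policy it learns only that the click came from the social site. Declarative referrer policies (`Referrer-Policy` headers and `<meta name="referrer">`) were standardized after the events in these complaints, so the practical defence available to a site in 2010 was to keep user identifiers out of the URLs from which users could click on third-party content.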

Data Privacy Day: January 28, 2011

Mark your calendars for Data Privacy Day – January 28, 2011.  Countries around the world are hosting events in honor of Data Privacy Day (or Data Protection Day).  This year is the thirtieth anniversary of the date on which the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data was opened for signature by the Council of Europe on January 28, 1981. Some highlights include:


- Panel discussions around the world.  For example, the Council of Europe and European Commission are hosting a joint high-level meeting in Brussels (registration due January 24).  Google is opening its Washington, DC offices for a breakfast and a panel discussion called “The Technology of Privacy: When Geeks Meet Wonks.”


- Local government initiatives – for example, the California Office of Privacy Protection will be launching a social media site: www.privacy.ca.gov. 


- Happy Hours in many local areas on January 27, 2011, hosted by the International Association of Privacy Professionals (IAPP).


Check out dataprivacyday2011.org, http://www.europeanprivacyday.org/, or http://www.capapa.org/DPD.html for events in your area.

January 8, 2011

Supreme Court Grants Certiorari in Case Challenging Vermont’s Prescription Confidentiality Law

On January 7, 2011, the U.S. Supreme Court granted the petition for writ of certiorari filed by the State of Vermont seeking to overturn the decision of the Second Circuit which held that Vermont’s prescription confidentiality law was unconstitutional.

The section of the Vermont law at issue in the appeal, codified at 18 V.S.A. § 4631, prohibits the sale, license, or exchange for value of prescriber-identifiable data for marketing or promoting a prescription drug unless the prescriber consents.  The Vermont legislature passed the law in 2007, intending to protect public health, to protect prescriber privacy, and to reduce health care costs.

The law was challenged by companies, commonly referred to as “data miners,” which purchase information regarding prescriptions from pharmacies, including the prescriber's name and address, the name, dosage, and quantity of the drug, the date and place the prescription is filled, and the patient's age and gender.  The data miners aggregate this information and sell it to pharmaceutical research and manufacturing companies to assist in their marketing efforts to prescribing physicians.  The law was also challenged by the Pharmaceutical Research and Manufacturers of America.  

The Second Circuit overturned the district court’s decision, 631 F. Supp. 2d 434 (D. Vt. 2009), which had upheld the Vermont law as a constitutional restriction of commercial speech.  The Second Circuit determined that the Vermont law did not pass intermediate scrutiny under Central Hudson Gas & Elec. Corp. v. Pub. Serv. Comm’n, 447 U.S. 557 (1980), because the Vermont law did not “advance the state's interests in public health and reducing costs in a direct and material way” and there were less speech-restrictive means which Vermont could have used.

The Second Circuit’s decision created a split with the First Circuit, which had previously upheld similar laws from New Hampshire (IMS Health Inc. v. Ayotte, 550 F.3d 42 (1st Cir. 2008)) and Maine (IMS Health Inc. v. Mills, 616 F.3d 7 (1st Cir. 2010)).

According to a statement from the Vermont Attorney General, the case, Sorrell v. IMS Health Inc., No. 10-779, will likely be argued in April of this year and decided before the end of the Court’s term in June.


January 5, 2011

Lame Duck Privacy Bills

In the last two weeks of 2010, President Obama signed the following three acts addressing privacy:


Red Flag Program Clarification Act of 2010


President Obama signed the “Red Flag Program Clarification Act of 2010,” S. 2987, (“Clarification Act”) on December 18, 2010, which became Public Law No: 111-319.  The Clarification Act narrows the definition of “creditor” under the Fair Credit Reporting Act (FCRA) by adding a definition to Section 615(e), 15 U.S.C. § 1681m(e), to address issues with the breadth of the Federal Trade Commission’s Identity Theft Red Flags Rule (“Red Flags Rule”).


The FTC’s Red Flags Rule was promulgated pursuant to the Fair and Accurate Credit Transactions Act, under which the FTC and other agencies were directed to draft regulations requiring “creditors” and “financial institutions” with “covered accounts” to implement written identity theft prevention programs to identify, detect and respond to patterns, practices or specific activities—the so-called “red flags”—that could indicate identity theft.   The FTC interpreted the definition of “creditor” to include entities that regularly permit deferred payment for goods and services, which included lawyers, doctors, and other service providers not typically considered to be “creditors.”  This interpretation led to lawsuits by professional organizations, including the American Bar Association, the American Medical Association, and the American Institute of Certified Public Accountants, challenging the FTC’s position that the Red Flags Rule should apply to their members.


The Clarification Act limits the definition of creditor to entities that regularly and in the ordinary course of business: (i) obtain or use consumer credit reports, (ii) furnish information to consumer reporting agencies, or (iii) advance funds to or on behalf of a person.  The definition of creditor specifically excludes creditors that “advance funds on behalf of a person for expenses incidental to a service provided by the creditor to that person.”  However, the Clarification Act also allows the definition of creditor to be expanded by rules promulgated by the FTC or other regulating agencies to include creditors which offer or maintain accounts determined to be subject to a reasonably foreseeable risk of identity theft.


S. 2987 was introduced by Senator John Thune (R-S.D.) and co-sponsored by Mark Begich (D-Alaska) on November 30, 2010, and the Senate unanimously approved the bill the same day.  An identical companion bill, H.R. 6420, was introduced in the House by Representatives John Adler (D-N.J.), Paul Broun (R-Georgia), and Michael Simpson (R-Idaho) on November 17, 2010.  S. 2987 passed the House on December 7, 2010.


The FTC had previously delayed enforcement of the Red Flags Rule several times, most recently in May 2010 when it delayed enforcement through December 31, 2010.  The FTC’s Red Flags Rule website, http://www.ftc.gov/redflagsrule, notes that the FTC will be revising its Red Flags guidance to reflect the Clarification Act changes.


Social Security Number Protection Act of 2010


President Obama also signed the “Social Security Number Protection Act of 2010,” S. 3789, on December 18, 2010, which became Public Law No: 111-318.  S. 3789 was introduced by Senator Dianne Feinstein (D-Calif.) and co-sponsored with bipartisan support, including Senator Judd Gregg (R-N.H.).  The Act aims to reduce identity theft by limiting access to Social Security numbers, according to a statement from Senator Feinstein.


The Act prohibits any federal, state, or local agency from displaying Social Security numbers, or any derivatives of such numbers, on government checks issued after December 18, 2013.  The Act also prohibits any federal, state or local agency from employing prisoners in jobs that would allow access to Social Security numbers after December 18, 2011.


S. 3789 unanimously passed in the Senate on September 28, 2010, and passed in the House by voice vote under suspension of its rules on December 8, 2010.


Truth in Caller ID Act of 2009

On December 22, 2010, President Obama signed into law the “Truth in Caller ID Act,” S. 30, which became Public Law No: 111-331.  The Caller ID Act is intended to combat the problem of caller ID “spoofing,” where identity thieves alter the name and number appearing as caller ID information in an attempt to trick people into revealing personal information over the phone.


The Caller ID Act amended Section 227 of the Communications Act of 1934, 47 U.S.C. § 227, to make it illegal to knowingly transmit misleading or inaccurate caller identification information with the intent to defraud or cause harm.  However, the Caller ID Act specifically provides that nothing in it may be construed as preventing or restricting any person from using caller ID blocking.


The Federal Communications Commission (“FCC”) is required to prescribe regulations to implement the Act within six months.  The Caller ID Act specifically exempts law enforcement activity and caller ID manipulation authorized by court order, and it also allows the FCC to define other exemptions by regulation.  


The FCC can impose civil forfeiture penalties of up to $10,000 per violation, or $30,000 for each day of a continuing violation, up to a cap of $1,000,000 for any single act or failure to act.  Willful and knowing violations of the Caller ID Act can result in criminal penalties including the same monetary penalties and up to a year in prison.


S. 30 was introduced by Senator Bill Nelson (D-Fla.) on January 7, 2009, and passed in the Senate on February 23, 2010.  The bill was approved in the House on December 15, 2010 by voice vote under suspension of its rules.  S. 30 was very similar to H.R. 1258, introduced by Representatives Eliot Engel (D-N.Y.) and Joe Barton (R-Tex.) and passed by the House on April 14, 2010, according to a statement released by Representative Engel.