Once Again, California…on Privacy, Do Not Track

AG Kamala Harris Issues Guide on Privacy Policies/Do-Not-Track Disclosures


In a press release issued May 21, 2014, the Attorney General for California, Kamala Harris, issued a series of recommendations for businesses that address changes to California privacy law. Key recommendations include:

  • Prominently label the sections dealing with online tracking, e.g., “California Do Not Track Disclosures”
  • Describe how you respond to a browser’s Do Not Track signal (or similar mechanisms)
  • Are third parties collecting personally identifiable information? If yes, say so
  • Explain uses of personally identifiable information
  • Describe what you collect, how you use it, and how long you retain it
  • Describe the choices the consumer has regarding use/sharing of PII
  • Use plain language, and use graphics/icons

The guide includes summaries of the relevant California statutes (CalOPPA, the broad requirement for privacy policies; AB 370, tracking transparency). While the “guide” provides no new regulations or enforcement mechanisms, entities doing business in California, and those previously under scrutiny by the AG (e.g., Amazon, Apple, Facebook), will likely pay close attention to ensure compliance. The guide is called Making Your Privacy Practices Public, and you can see it at:

https://oag.ca.gov/sites/all/files/agweb/pdfs/cybersecurity/making_your_privacy_practices_public.pdf


The Right to be Forgotten: EU Decision


Historic Decision by the European Union’s Highest Court

The European Court of Justice ruled in favor of an individual’s right to have Google delete certain links about that individual. The decision was based in part on the court’s finding that Google is a data controller, which is apparently at odds with earlier EU positions: the ECJ’s Advocate General concluded in 2013 that Google did not need to delete the links because it was not the “controller” of the data, and that information should only be deleted when the personal information is either incomplete or inaccurate.

Some commentators question the basis for the decision: “Given that the EU has spent two years debating this right as part of the reform of EU privacy legislation, it is ironic that the ECJ has found it already exists in such a striking manner.” Richard Cumbley of Linklaters told The New York Times.

And practitioners sound the alarm: operationally, this will “put search engines in the extremely onerous position of having to take a view on how to comply with potentially millions of individual requests.” (See more details in the IAPP newsletter, The Privacy Advisor, https://www.privacyassociation.org/publications)

Google and others will argue that this amounts to censorship. From Levi Sumagaysay’s blog:

* * * *

Does the right to be forgotten — or the right to privacy — outweigh censorship concerns? “[The decision] is one of the most wide-sweeping Internet censorship rulings that I’ve ever seen,” Wikipedia founder Jimmy Wales told the BBC. Wales said he expects Google to fight back hard. “If they have to start coping with everybody who whines about a picture they posted last week, it’s going to be very difficult for Google.”

http://www.siliconbeat.com/author/lsumagaysay/

Largest HIPAA Settlement: $4.8 mil

HHS issued a press release on May 7, 2014 announcing settlements with two healthcare organizations. Following submission of a joint breach report by New York and Presbyterian Hospital (NYP) and Columbia University (CU), the HHS Office of Civil Rights (“OCR”) investigated the disclosure of the ePHI of 6,800 individuals, which included patient status, vital signs, medications, and laboratory results. NYP and CU are separate covered entities that participate in a joint arrangement in which CU faculty members serve as attending physicians at NYP. The investigation revealed that the breach occurred when a physician employed by CU, who developed applications for both NYP and CU, attempted to deactivate a personally owned computer server on the network that contained NYP patient ePHI. Because of a lack of technical safeguards, deactivating the server left the ePHI accessible to internet search engines.

In addition to the disclosure of ePHI, OCR’s investigation found that neither NYP nor CU had made efforts prior to the breach to assure that the server was secure and that it contained appropriate software protections, and that neither entity had conducted a thorough risk analysis or had an adequate risk management plan.

NYP has paid $3.3 million and CU has paid $1.5 million, with both entities agreeing to a substantive corrective action plan.

HHS press release: http://www.hhs.gov/news/press/2014pres/05/20140507b.html


Costs of Data Breach: Benchmark Study Released


The Ponemon Institute and IBM have released their 2014 Cost of Data Breach Study for the U.S. The notable results include:

  • Per-record cost has increased from $188/record in 2013 to $201/record as of 2014
  • The indirect cost per record was $134/record; direct cost was $67/record (indirect = internal overhead, loss of brand value/reputation, and customer “churn”)
  • 44% of those surveyed blamed the breach on malicious or criminal attacks, as compared to 31% blaming some human factor
  • Public sector and retail companies are more likely to have a breach (the healthcare sector came in 8th place, the financial sector in 10th place)
  • The healthcare industry had the highest cost per capita ($316/record; the authors cite regulation as a factor)
  • Notification costs decreased
  • Companies are far more likely to have a small data breach than a mega breach

The authors also provide details on the factors they found to be influencing costs, such as whether consultants were engaged, whether mobile devices were at issue, and quick notification.

For a copy of the report, go to:

http://www.ponemon.org/