Illinois AG Proposes Updates to Breach Law

HiResIllinois’ Attorney General Lisa Madigan issued a report and a press release on March 2, 2105 addressing proposed updates to the Personal Information Protection Act, the Illinois breach notification statute.  In her press release, she states:

Madigan recently drafted legislation to strengthen the state’s Personal Information Protection Act (PIPA). Originally passed in 2005 at Attorney General Madigan’s direction, PIPA made Illinois among the first states in the country to require entities that suffer a data breach to notify Illinois residents if the breached information included residents’ drivers’ license numbers, social security numbers, or financial account information. Since the law’s enactment, the extent of sensitive information collected about consumers has expanded and the threat of data breaches has increased significantly, necessitating the need to update and strengthen the state’s law.

Madigan’s bill, which is sponsored by Sen. Daniel Biss and Rep. Ann Williams, will expand the type of information that requires a company to notify consumers of a breach, including medical information outside of federal privacy laws, biometric data, geolocation information, sensitive consumer marketing data, contact information when combined with identifying information, and login credentials for online accounts. The bill also requires entities holding sensitive information to take “reasonable” steps to protect the information and requires entities to notify the Attorney General’s office when breaches occur. Madigan said her office would create a website that lists every data breach that affects Illinois to increase awareness among residents.

One of the notable findings in the report is what the AG calls “confusion over breaches,” citing comments from consumer roundtable discussions.  The report states that the most frequent complaint from participants was that while they were well aware of breaches from the media, they were not always aware if those breaches had affected them directly.  The report outlines three principles the updated legislation should address:

1. Disclosure – the new law should require websites and apps that collect personal information to display privacy policies that explain what information is collected and who that information is shared with.

2. Protection – the updated law should require entities to establish reasonable security measures to safeguard sensitive personal information.

3. Notification – the legislation should expand the definition of personal information (medical, health insurance information, biometric data, geolocation information, sensitive marketing data, contact information when combined with additional identifying information like DOB, and log in credentials); require entities to notify the AGs office and create a database of breaches affecting Illinois; enable small businesses to notify local media rather than statewide media when breaches occur.

News reports suggest the legislation will go to the Illinois General Assembly shortly.

Happy Data Privacy Day

dataprivacyiStock_000019536561XSmallThe Ponemon Institute has released its list of Most Trusted Companies for Privacy.  Spoiler alert, they include:

Amazon
American Express
PayPal
Hewlett Packard
IBM

http://www.ponemon.org/blog/ponemon-institute-announces-results-of-2014-most-trusted-companies-for-privacy-study

You might also celebrate by joining IAPP and getting access to the Prudence the Privacy Pro comic strip.

https://privacyassociation.org/news/a/guess-what-its-data-privacy-day/

In related news, the FTC has released a Report on the Internet of Things.  The report includes the following recommendations for companies developing Internet of Things devices:

  • build security into devices at the outset, rather than as an afterthought in the design process;
  • train employees about the importance of security, and ensure that security is managed at an appropriate level in the organization;
  • ensure that when outside service providers are hired, that those providers are capable of maintaining reasonable security, and provide reasonable oversight of the providers;
  • when a security risk is identified, consider a “defense-in-depth” strategy whereby multiple layers of security may be used to defend against a particular risk;
  • consider measures to keep unauthorized users from accessing a consumer’s device, data, or personal information stored on the network;
  • monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks.

http://www.ftc.gov/news-events/press-releases/2015/01/ftc-report-internet-things-urges-companies-adopt-best-practices

And, finally, a move to update ECPA;

• Proponents of updating ECPA, or the Electronic Communications Privacy Act, are using today to renew their call for reform.

“The statute governing access to electronic communications was written in 1986, well before most Americans relied on email and mobile devices to communicate,” said Ed Black, president and CEO of the Computer & Communications Industry Association (CCIA), in a statement. “After nearly 30 years on the books, it’s long overdue for an update.”

An update is what reform legislation, which will reportedly be re-introduced in “the coming weeks” by Sens. Patrick Leahy, D-Vermont, and Mike Lee, R-Utah, would provide. The bill would require a warrant before authorities could search email or other online communications. Under today’s ECPA, no warrants are required for such content that’s older than 180 days.

http://www.siliconbeat.com/2015/01/28/data-privacy-day-canada-spying-ecpa-reform-ubers-god-view-protecting-info/

California Updates and Tries to Strengthen Some Privacy Protections

California’s Updates on Breach and Security

Gov. Jerry Brown signed legislation beefing up California’s breach notification law. The new law, effective January 1, 2015, requires companies that suffer a breach to offer free identity theft prevention and mitigation services to consumers for at least a year if their Social Security or driver’s license number was compromised. The consumer will still be responsible for taking some action to accept those services.

The Governor signed other bills that also attempt to provide additional privacy and security protections, including restrictions on the paparazzi, laws addressing “revenge porn,” and a prohibition on the state from helping federal intelligence agencies collect telephone records without warrants:

  • SB 1177 – Prohibits the creation and distribution of “profiles” of minor students; prohibits applications from targeting K-12 students
  • AB 928 – Requires each state agency and department to conspicuously post its privacy policy on its website
  • AB 1256 and AB 2306 – Expand existing law regarding invasion of privacy (type of activity protected from unwarranted capturing of images or photographs; establishes zones of privacy around schools and medical facilities; eliminating the existing physical trespass requirement for invasion of privacy; renders illegal the use of drones and other electronic devices to capture images of individuals in their homes)
  • AB 1356 – Expands legal recourse for stalking victims (allows plaintiffs to plead “substantial emotional distress” as an alternative to the existing standard of “reasonable fear”)
  • AB 2643 – Creates private legal recourse against a person who intentionally distributes a sexually explicit image or video of another without his or her consent (allows plaintiffs to file a civil suit for damages against a defendant who posted intimate photos or videos of the plaintiff without consent)
  • SB 828 – Prohibits state agencies from assisting the federal government in the collection of personal, electronically stored data, except under certain circumstances (that the state knows to be illegal or unconstitutional)
  • SB 1255 – Expands existing law regarding the distribution of a sexually explicit image or video of another with the intent to cause serious emotional distress

Forget Me Not

As noted in an earlier post, in May, the European Court of Justice ruled in favor of an individual’s right to have Google delete certain links about that individual. The decision was based in part on a finding by the court that Google is a data controller.

In 2010 a Spanish citizen lodged a complaint against a Spanish newspaper with the national Data Protection Agency and against Google Spain and Google Inc. The citizen complained that an auction notice of his repossessed home on Google’s search results infringed his privacy rights because the proceedings concerning him had been fully resolved for a number of years and hence the reference to these proceedings was entirely irrelevant. He requested, first, that the newspaper be required either to remove or alter the pages in question so that the personal data relating to him no longer appeared; and second, that Google Spain or Google Inc. be required to remove the personal data relating to him, so that it no longer appeared in the search results.  The ECJ agreed.

http://ec.europa.eu/justice/data-protection/files/factsheets/factsheet_data_protection_en.pdf

Google set up a form on its site allowing people to request which links should be taken down.  Google has fielded about a hundred and twenty thousand requests for deletions and granted roughly half of them. Other search engines that provide service in Europe, like Microsoft’s Bing, have set up similar systems.

http://www.newyorker.com/magazine/2014/09/29/solace-oblivion

And Google, at last count, reportedly rejects 59% of the requests.

http://money.cnn.com/2014/10/10/technology/google-forgotten/

The ruling has been criticized, primarily by news gathering organizations and certain free speech advocates.  The New York Times editorial: “The court’s decision is both too broad and curiously narrow. It is too broad in that it allows individuals to impede access to facts about themselves found in public documents. This is a form of censorship, one that would most likely be unconstitutional if attempted in the United States.”

Now, the BBC will begin – in the “next few weeks” – publishing the list of removed URLs it has been notified about by Google.

http://www.bbc.com/news/technology-29658085

The editorial staff of the BBC felt that some of its articles had been wrongly hidden.

 European Union flags outside the European Commission headquarters in Brussels

Florida Updates Breach Law

-Effective July 1, 2014-

 On June 20, 2014, Florida Governor Rick Scott signed into law the Florida Information Protection Act of 2014. The legislation beefs up the definition of what will trigger a notification response. The definition of personal information is now defined as an individual’s first name, first initial and last name, or any middle name and last name, in combination with any one or more of these data elements:

-SSN

-DL number or ID number, passport number, military ID number or other similar number issued on a government document

-Financial account number or credit/debit card number in combination with security/access code or password

-Any information regarding a person’s medical history, mental/physical condition or treatment/diagnosis

-Health insurance policy number or subscriber number

-User name or email address, in combination with a password or security question (that would permit access)

The law requires notification following a breach “without unreasonable delay,” and no later than 30 days following the determination of a breach (with certain exceptions). If the notification affects more than 1,000 persons at a single time, notice must also be given to consumer reporting agencies. The act now uses the definition “covered entity” to describe the organizations impacted; covered entity includes a sole proprietorship, partnership, corporation, trust, estate, cooperative, association or other commercial entity that acquires, maintains, stores, or uses personal information. (For certain purposes, this includes governmental entities). The act addresses customer records and data (electronic format). Notice is to be provided to the Department of Legal Affairs of any breach affecting 500 or more individuals, no later than 30 days after the determination of a breach (or reason to believe there was a breach).

In addition to describing the incident and who was affected, the reporting entity must include a police or incident report or computer forensics report, a copy of policies in place regarding breaches, and steps taken to rectify the breach.

The law provides quite a few more rigorous requirements involving security and how entities are to provide a breach response. The Attorney General “thanked” the Governor for enacting the law quoting other legislators who commented that the act “will better protect the confidential personal information of Floridians and hold accountable those who attempt to compromise the security of that information.” The AG notes that the law also requires covered entities “to take reasonable measures to protect Floridians’ personal information and [to] properly dispose of customer records.”

See text at:

http://www.flsenate.gov/Session/Bill/2014/1524

See also commentary about why this law could be model for a comprehensive federal law (reasonable data protection; secure disposal; unauthorized access triggers notification; scale of notification requirements; PII includes medical history, insurance ID; 30-day notification deadline; documentation of investigation; schedule for penalties).

http://www.idt911.com/KnowledgeCenter/NewsRoom/NewsRoomDetail.aspx?a=6E04A83A-6EE4-4806-AA26-6623B82FAB65

 

 

floridaiStock_000002848277Medium

Once Again, California…on Privacy, Do Not Track

AG Kamala Harris Issues Guide on Privacy Policies/Do-Not-Track Disclosures

calstampiStock_000016159030Medium

In  a press release issued May 21, 2014, the Attorney General for California, Kamala Harris, issued a series of recommendations for businesses that address changes to California privacy law.  Key recommendations include:

  • Prominent labeling for sections dealing with online tracking, e.g., “California Do Not Track Disclosures”
  • Describe how you respond to a browser’s Do Not Track signal (or similar mechanisms)
  • Are third parties collecting personally identifiable information?  If yes, say so
  • Explain uses of personally identifiable information
  • Describe what you collect, how you use it, how long you retain it
  • Describe choices the consumer has regarding use/sharing of PII
  • Use plain language – use graphics/icons

The guide includes summaries of relevant CA statutes (CalOPPA, – broad requirement for privacy policies; AB 370 – tracking transparency).  And, while there are no new regulations or enforcement mechanisms provided in the “guide,” obviously, entities doing business in California, and those entities previously under scrutiny by the AG (e.g.,g Amazon, Apple, Facebook, etc.) will likely pay close attention to ensure compliance.    The guide is called, Making Your Privacy Practices Public  and you can see it at:

https://oag.ca.gov/sites/all/files/agweb/pdfs/cybersecurity/making_your_privacy_practices_public.pdf

calcubeiStock_000013476441Large

The Right to be Forgotten: EU Decision

euflagth4P2UWF78

Historic Decision by the European Union’s Highest Court

The European Court of Justice ruled in favor of an individual’s right to have Google delete certain links about that individual. The decision was based in part on a finding by the court that Google is a data controller, which apparently is at odds with earlier EU rulings – ECJ’s Advocate General decided in 2013 that Google did not need to delete the links because it was not the “controller” of data and that information should only be deleted when the personal information is either incomplete or inaccurate.

Some commentators question the basis for the decision: “Given that the EU has spent two years debating this right as part of the reform of EU privacy legislation, it is ironic that the ECJ has found it already exists in such a striking manner.” Richard Cumbley of Linklaters told The New York Times.

And, practitioners sound the alarm: Operationally, this will “put search engines in the extremely onerous position of having to take a view on how to comply with potentially millions of individual requests.”  (See more details at IAPP Newsletter, The Privacy Advisor, https://www.privacyassociation.org/publications)

Google and others will argue that this amounts to censorship; from Levi Sumagaysay’s blog:

* * * *

Does the right to be forgotten — or the right to privacy — outweigh censorship concerns? “[The decision] is one of the most wide-sweeping Internet censorship rulings that I’ve ever seen,” Wikipedia founder Jimmy Wales told the BBC. Wales said he expects Google to fight back hard. “If they have to start coping with everybody who whines about a picture they posted last week, it’s going to be very difficult for Google.”

http://www.siliconbeat.com/author/lsumagaysay/