Happy Data Privacy Day

January 28, 2015January 28, 2015 ~ Peggy Reetz ~ Leave a comment

The Ponemon Institute has released its list of Most Trusted Companies for Privacy. Spoiler alert, they include:

Amazon
American Express
PayPal
Hewlett Packard
IBM

http://www.ponemon.org/blog/ponemon-institute-announces-results-of-2014-most-trusted-companies-for-privacy-study

You might also celebrate by joining IAPP and getting access to the Prudence the Privacy Pro comic strip.

https://privacyassociation.org/news/a/guess-what-its-data-privacy-day/

In related news, the FTC has released a Report on the Internet of Things. The report includes the following recommendations for companies developing Internet of Things devices:

build security into devices at the outset, rather than as an afterthought in the design process;

train employees about the importance of security, and ensure that security is managed at an appropriate level in the organization;

ensure that when outside service providers are hired, that those providers are capable of maintaining reasonable security, and provide reasonable oversight of the providers;

when a security risk is identified, consider a “defense-in-depth” strategy whereby multiple layers of security may be used to defend against a particular risk;

consider measures to keep unauthorized users from accessing a consumer’s device, data, or personal information stored on the network;

monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks.

http://www.ftc.gov/news-events/press-releases/2015/01/ftc-report-internet-things-urges-companies-adopt-best-practices

And, finally, a move to update ECPA;

• Proponents of updating ECPA, or the Electronic Communications Privacy Act, are using today to renew their call for reform.

“The statute governing access to electronic communications was written in 1986, well before most Americans relied on email and mobile devices to communicate,” said Ed Black, president and CEO of the Computer & Communications Industry Association (CCIA), in a statement. “After nearly 30 years on the books, it’s long overdue for an update.”

An update is what reform legislation, which will reportedly be re-introduced in “the coming weeks” by Sens. Patrick Leahy, D-Vermont, and Mike Lee, R-Utah, would provide. The bill would require a warrant before authorities could search email or other online communications. Under today’s ECPA, no warrants are required for such content that’s older than 180 days.

http://www.siliconbeat.com/2015/01/28/data-privacy-day-canada-spying-ecpa-reform-ubers-god-view-protecting-info/

Data and Security – Balancing Use and Oversight

April 16, 2014April 16, 2014 ~ Peggy Reetz ~ Leave a comment

Using Anonymous Patient Data

The Washington Post reports on the developments of PCORI – the Patient-Centered Outcomes Research Institute. This was part of the move to get better information, data, out of the electronic health records initiative funded and spelled out in the Affordable Care Act. The anonymized or de-identified data is supposed to help clinicians draw some meaningful conclusions from the vast wealth of information gathered by physicians, researchers, hospitals, insurers and the pharmaceutical industry. The PCORI network is supposed to identify patients who could be invited to join clinical trials. The new national patient network will comprise eleven sub-networks, drawing on records from participating organizations. Of importance to the privacy watchdogs is that the participating organization retains all of the personally identifiable information and only the aggregated data is submitted for use in a research project.

Go to: http://www.washingtonpost.com/national/health-science/scientists-embark-on-unprecedented-effort-to-connect-millions-of-patient-medical-records/2014/04/15/ea7c966a-b12e-11e3-9627-c65021d6d572_print.html

The FTC Can Seek to Enjoin

In other news, the FTC overcame some question of its authority to police data breach incidents, in this case data specifically involving consumer payment card account numbers. In the FTC v. Wyndham Worldwide Corporation matter, Wyndham hotels challenged the FTC’s authority to bring suit for injunctive relief following three breach incidents. The FTC had alleged in its suit that Wyndham had failed to implement reasonable and appropriate security measures which exposed consumers’ personal information to unauthorized access, collection and use that “has caused and is likely to cause substantial consumer injury, including financial injury, to consumers and businesses.” The FTC had alleged that after discovering the first two breaches, Wyndham “failed to take appropriate steps in a reasonable time frame to prevent the further compromise of [its] network.” Accordingly, the FTC sought a permanent injunction against Wyndham, presumably then to enter into some kind of agreement to correct such practices. Wyndham argued that the FTC overstepped its authority and moved to dismiss the complaint, arguing that the FTC’s “unfairness authority” did not cover data security and arguing that the FTC needs to publish regulations before filing an unfairness claim in federal court. The US District Court for the District of New Jersey declined to “carve out a data-security exception to the FTC’s authority.” Wyndham had tried to get the Court to analogize this situation to the tobacco industry cases (where the FDA had denied authority over tobacco). Instead, the District Court noted the FTC had never disavowed its authority over unfair practices related to data security.

Wyndham also challenged the FTC’s deception claim. The FTC cited the Defendants’ privacy policy and alleged that the Defendants did not implement reasonable and appropriate measures to protect personal information from unauthorized access. The FTC argued that the privacy policy representations therefore were false or misleading and constituted deceptive practices. Wyndham argued that the FTC failed to meet a higher burden when alleging unlawful deception. The Court rejected Wyndham’s arguments finding that a reasonable customer would have understood that the policy makes statements about data-security practices at the hotels, to the extent that the hotels control personally identifiable information.

There are other issues to be resolved in the sphere of enforcement and oversight of similar data breaches. The injunction route can be fraught with technical issues and issues regarding how best to tailor oversight of an entities’ practices and promises. However, for now, the FTC has asserted its authority in an important way, and some commentators believe this will embolden the FTC to bring additional enforcement actions. More than likely, the FTC will scrutinize those incidents that involve significant security lapses and/or some significant financial impact on consumers.

See FTC v. Wyndham Worldwide, Case 2:13-cv-01887-ES-JAD, Filed 04/07/14

Copy of case at: http://image.exct.net/lib/fefd167774640c/d/1/4.8%20Alert%20Wyndham%20Opinion.pdf

FTC Logo

Reports of ‘Safe Harbor’ Demise are Premature?

December 11, 2013December 11, 2013 ~ Peggy Reetz ~ Leave a comment

Brill addresses Issues at IAPP Data Protection Congress in Brussels

FTC Commissioner Julie Brill delivered remarks at the IAPP Data Protection Congress in Brussels today along with one the EU’s Commissioners, Constantijn van Orange-Nassau. Commissioner Brill acknowledged some of the criticism being leveled at the U.S.-EU Safe Harbor Data Protection process in light of revelations from the Edward Snowden-NSA so-called spying scandal. Snowden’s disclosures included copies of PowerPoint presentation slides identifying the NSA’s PRISM program, which program reportedly allowed the NSA to gain access to the private communications of users of nine popular Internet services (including Google, Yahoo!, Facebook, Microsoft and others). The Safe Harbor framework is supposed to allow for the transfer of such personal data in compliance with the EU Data Protection Directive. The FTC is responsible for compliance enforcement, once an entity self-reports to the U.S. Department of Commerce.

As a result of the revelations, certain EU principals began to question the efficacy of the terms of transferring data between U.S. and EU entities, via the Safe Harbor program. See remarks from Vice President Reding as of July 2013:

http://europa.eu/rapid/press-release_MEMO-13-710_en.htm

–“PRISM has been a wake-up call. The data protection reform is Europe’s answer.”

–“The Safe Harbour agreement may not be so safe after all.”

Now, Commissioner Brill acknowledges the issue and responds, in part:

–“[Safe Harbor is a] very effective tool for protecting the privacy of EU consumers … the FTC has vigorously enforced the Safe Harbor.”

–“We’ve taken the initiative to look for Safe Harbor violations in every single privacy and data security investigation we conduct. That’s how we discovered the Safe Harbor violations of Facebook, Google and Myspace.”

–“[Safe Harbor has]received its share of criticism in large part due to revelations about government surveillance. There’s no doubt that has created tensions in the transatlantic partnership.”

Commissioner Brill likewise took to Twitter to drive home the point: “Safe Harbor is strong – can help make it strong; increase transparency; make ADR more affordable; strengthen accountability #dpcongress”

See article at:

https://www.privacyassociation.org/publications/eu_u.s._officials_indicate_potential_privacy_agreement_at_data_protection_c

Her EU colleague took the opportunity to outline what should be the focus for these cross-Atlantic partnerships: 1) a standard commitment to Privacy by Design; 2) any Big Data applications that might put fundamental rights at risk should have a privacy impact assessment required; 3) consent is a cornerstone of data protection; and, 4) there needs to be a commitment to de-identification.

Brill, for her part, Tweeted a photo of the two privacy regulators engaged in conversation; apparently, doing some one-on-one diplomacy to try to calm these choppy waters!

FTC Issues Report on Ways to Improve Mobile App Disclosures

February 1, 2013February 4, 2013 ~ Peggy Reetz ~ Leave a comment

The report, issued February 1st, provides recommendations for the mobile marketplace, including operating system providers such as Amazon, Apple, BlackBerry, Google and Microsoft. The report also addresses application developers, advertising networks, analytics companies and app developer trade associations. The report describes that in the fourth quarter of 2012, consumers worldwide bought approximately 217 million smartphones. Given such widespread use of the technology, the FTC staff notes that unprecedented amounts of data are being collected. The FTC offers several suggestions for the “major participants” to improve mobile privacy disclosures. The report recommends that mobile platforms should:

-Provide just-in-time disclosures to consumers and obtain their affirmative express consent before allowing apps to access sensitive content like geolocation;

-Consider providing just-in-time disclosures and obtaining affirmative express consent for other content that consumers would find sensitive in many contexts, such as contacts, photos, calendar entries, or the recording of audio or video content;

-Consider developing a one-stop “dashboard” approach to allow consumers to review the types of content accessed by the apps they have downloaded;

-Consider developing icons to depict the transmission of user data;

-Promote app developer best practices. For example, platforms can require developers to make privacy disclosures, reasonably enforce these requirements, and educate app developers;

-Consider providing consumers with clear disclosures about the extent to which platforms review apps prior to making them available for download in the app stores and conduct compliance checks after the apps have been placed in the app stores; and

-Consider offering a Do Not Track (DNT) mechanism for smartphone users. A mobile DNT mechanism, which a majority of the Commission has endorsed, would allow consumers to choose to prevent tracking by ad networks or other third parties as they navigate among apps on their phones.

App developers should:

-Have a privacy policy and make sure it is easily accessible through the app stores;

-Provide just-in-time disclosures and obtain affirmative express consent before collecting and sharing sensitive information (to the extent the platforms have not already provided such disclosures and obtained such consent);

-Improve coordination and communication with ad networks and other third parties that provide services for apps, such as analytics companies, so the app developers can better understand the software they are using and, in turn, provide accurate disclosures to consumers. For example, app developers often integrate third-party code to facilitate advertising or analytics within an app with little understanding of what information the third party is collecting and how it is being used.

-Consider participating in self-regulatory programs, trade associations, and industry organizations, which can provide guidance on how to make uniform, short-form privacy disclosures.

Advertising networks and other third parties should:

-Communicate with app developers so that the developers can provide truthful disclosures to consumers;

-Work with platforms to ensure effective implementation of DNT for mobile.

App developer trade associations, along with academics, usability experts and privacy researchers can:

-Develop short form disclosures for app developers;

-Promote standardized app developer privacy policies that will enable consumers to compare data practices across apps;

-Educate app developers on privacy issues.

The FTC also introduces Mobile App Developers: Start with Security, a new business guide that encourages developers to aim for reasonable data security, evaluate the app ecosystem before development, and includes tips such as making someone responsible for data security and taking stock of the data collected and maintained.

The FTC also announced a settlement with the operator of the Path social networking app. The FTC alleged that the app deceived users by collecting personal information from their mobile device address books without their knowledge or consent. The settlement requires Path to establish a comprehensive privacy program and to obtain independent privacy assessments every other year for the next 20 years. The company also agreed to pay $800,000 to settle charges that it illegally collected personal information from children without their parents’ consent.

See update from NYT — loophole allows Path to share location data even when a user has turned off location: http://bits.blogs.nytimes.com/2013/02/01/path-photos-location-loophole/