Following EU Deal, US and Swiss Regulators Reach New ‘Privacy Shield’ Data Transfer Agreement

By Daniel L. Farris

The United States and Switzerland finalized a new “Privacy Shield” Agreement on Wednesday that mirrors the existing EU-U.S. Privacy Shield framework. The new deal will allow multinationals to continue to transfer data between the U.S. and Switzerland while complying with Swiss data protection requirements.

The new deal replaces the existing U.S.-Swiss Safe Harbor Agreement, the validity of which has been in question since the Schrems decision was issued in October 2015. Companies that have maintained their Swiss Safe Harbor certification may begin certifying under the new U.S.-Swiss Privacy Shield framework on April 12. The 90-day delay is intended to give companies time to review the new Swiss principles and the commitments they entail.

Big Law, Big Data, Big Problem

By Kathryn T. Allen

The Year of the Breach: 2016 was the year that law firm data breaches landed and stayed squarely in both the national and international headlines. There have been numerous law firm data breaches, ranging from lost or stolen laptops and other portable media to deep intrusions exposing everything on the law firm’s network. In March, the FBI issued a warning that a cybercrime insider-trading scheme was targeting international law firms to obtain non-public information for financial gain. In April, perhaps the largest-volume data breach of all time involved the Panamanian law firm Mossack Fonseca. Millions of documents and terabytes of leaked data aired the (dirty) laundry of dozens of companies, celebrities and global leaders. Finally, the Chicago law firm Johnson & Bell Ltd. was in the news in December when a proposed class action accusing it of failing to protect client data was unsealed.

Yahoo Announces Second Data Breach in Four Months

By Joseph D. McClendon
 
Yahoo, fresh off its September 2016 announcement of a 2014 cyber attack that breached 500 million user accounts, announced on December 14 that there is evidence of a second data breach, one affecting twice as many user accounts as the initial 2014 breach.

The beleaguered search engine company disclosed that an internal investigation has uncovered a second data breach dating back to 2013, in which cyber criminals were able to steal an estimated 1 billion end users’ names, email addresses, telephone numbers, and dates of birth. The cyber criminals also stole hashed passwords as well as security questions and answers, some of which were apparently stored unencrypted. Yahoo has not offered any information on why some account recovery questions and answers were encrypted while others were not. The company does not believe financial data was stolen in the breach.

Don’t Stop At HIPAA: Why For-Profit Covered Entities and Business Associates that Collect and Share Consumer Health Data Must Consider Both HIPAA and the FTC Act

By Lisa Acevedo, Lindsay Kessler, Daniel Farris and Erin Fleming Dunlap

The Federal Trade Commission (FTC) and the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) issued new guidance last month for organizations that handle consumer health information (Joint Guidance). This is one of several joint-agency guidance documents issued this year in a collaborative effort by HHS and the FTC, including best practices for mobile health app developers and a mobile health apps interactive tool.

Recent Attack Demonstrates IoT Risks in Household Items

By Amanda Katzenstein

On October 21, 2016, hackers carried out a massive distributed denial-of-service (DDoS) cyberattack that rendered some of the most popular websites in the country inaccessible to much of the East Coast. Unlike past DoS attacks, this latest attack was carried out by infecting millions of internet-connected devices with malware and using them as the attack source, raising new concerns about the ever-growing Internet of Things.

OCR Provides New BA Guidance to Cloud Providers

By Lisa J. Acevedo, Daniel L. Farris, Lisa S. Katz, Erin Fleming Dunlap, Rebecca Frigy Romine, Kathleen D. Kenney, and Lindsay R. Kessler

In the past year, the Department of Health and Human Services, Office for Civil Rights (OCR) has issued a number of guidance documents* to clarify its interpretation of key requirements set forth in the HIPAA Privacy and Security Rules (45 C.F.R. Parts 160, 162, and 164) (collectively, the HIPAA Rules). Its latest guidance clarifies OCR’s position on cloud service providers (CSPs) as business associates (the Cloud Guidance), and the related requirements under the HIPAA Rules, through a series of FAQs. Importantly, the Cloud Guidance applies to all CSPs equally, regardless of the level of functionality or services provided (e.g., the provision of an electronic medical record system in the cloud versus limited application hosting).

OCR kicked off the Cloud Guidance by clarifying its position on an issue that Covered Entities and CSPs have debated for quite some time: whether a CSP is a business associate if the Protected Health Information (PHI) stored in its cloud is encrypted and the CSP does not possess the encryption key.

As Grace Period Ends, Burst of Privacy Shield Applications May Decrease

By Amanda Katzenstein

More than 700 companies have self-certified to comply with the Privacy Shield in the two months since the Department of Commerce began accepting submissions. The number of applications is expected to rise as the September 30, 2016 deadline for a special grace period looms, and the pace is expected to slow after October 1, 2016, because the compliance obligations increase after the deadline.

Yahoo Discloses Massive Data Breach

By Joseph D. McClendon

Yahoo, the American technology company most famous for its web portal organizing categories of websites and for its contributions to early Internet search engine technology, announced today that at least 500 million user accounts were breached in a 2014 cyber attack. Data stolen by what Yahoo believes are state-sponsored actors includes names, email addresses, telephone numbers, dates of birth, and hashed passwords. Breached data may also include account security questions and answers; however, whether that data was encrypted appears to vary on an account-by-account basis. Yahoo was quick to note that its investigation into the data breach has not shown that the stolen data includes unhashed passwords, credit card data or bank account information. This breach may be the largest data breach publicly disclosed, and it comes on the heels of the $4.8 billion Verizon acquisition of Yahoo. Yahoo shares fell after the announcement, but analysts have noted that the acquisition is unlikely to be affected by the news.

Recent Studies Show Increasing Need For Employee Training in Data Security

By Mary Kathryn Curry

Two recent studies show an increasing need for companies to better train their employees in data security to prevent data and monetary loss. On September 7, 2016, Wells Fargo Insurance released a study on cyber security showing some interesting trends in companies with $100 million or more in annual revenue. The second-annual study questioned 100 decision makers on issues of data, hackers, network vulnerabilities, and other cyber security matters. The study showed that companies were nearly twice as concerned with losing private data as they were with being hacked or having some other security breach disrupt their system. 

Location Data Gathering Under Europe’s New Privacy Laws

By Kathryn Allen

The rise in popularity of apps and services that use location data (technology that pinpoints a consumer’s location automatically), like the smash-hit Pokémon Go, has EU privacy regulators calling on companies to ‘mind the gap.’ The much-anticipated General Data Protection Regulation (the “GDPR”), as well as other EU privacy laws, aims to tighten the rules for obtaining consumers’ consent about what data they are sharing and to restrict how companies can use the data they mine from consumers. There has been much speculation about how this new regulation (directly applicable, rather than a directive each member state transposes), coupled with a much higher potential for fines, will impact U.S. companies that operate or plan to operate in the EU. Those using location data in apps and for passive tracking should pay close attention to EU regulators as GDPR implementation draws near.

President Barack Obama Institutes New Policy Responding To Cyber Incidents

By D. Rockwell Bower

President Barack Obama established a new Presidential Policy Directive on Tuesday, July 26, 2016, outlining the federal government’s response to future cyber attacks in both the public and private sectors. Lisa Monaco, the President’s Homeland Security and Counterterrorism Advisor, announced the new directive, which sets forth “principles governing the Federal Government’s response to any cyber incident, whether involving government or private sector entities.”

European Commission Approves Privacy Shield, Ushering in ‘Safe Harbor 2.0’

By Daniel L. Farris, Jonathan J. Bollozos and Joseph D. McClendon

For thousands of U.S. companies left in limbo after the invalidation of Safe Harbor last year, relief has finally arrived.  The European Commission (“EC”) formally approved and adopted the new trans-Atlantic Privacy Shield data transfer pact on Tuesday, opening the door for new certification and EU-US data transfers. 

Recent Enforcement Action Shows Business Associates Are Not Off the Hook

By Erin Fleming Dunlap, Rebecca Frigy Romine and Lindsay R. Kessler

Business Associates have been directly subject to, and liable under, the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (HIPAA) since February 18, 2010, the effective date of the relevant provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act. Despite that, it was only last Thursday, June 30, 2016, that the Department of Health and Human Services, Office for Civil Rights (OCR), announced that it has entered into its first resolution agreement with a HIPAA Business Associate.

Brexit & Privacy: Keep Calm and Carry On

By Daniel L. Farris

As markets tumble and many business leaders try to predict what Brexit may mean for their organizations, privacy officers should remember the neo-classic British refrain: Keep Calm and Carry On.

There may be turmoil, confusion, new regulations, and new compliance regimes ahead, but it will likely take years for the UK to untangle itself from the European Union, and even then the UK may well remain within the European Economic Area. For US companies with transatlantic operations, the best course is to continue a measured but deliberate approach toward eventual GDPR compliance.

House Passes Cybersecurity Funding and Outreach Bills

By Daniel L. Farris

The U.S. House of Representatives passed the Support for Rapid Innovation Act (H.R. 5388) and the Leveraging Emerging Technologies Act (H.R. 5389) on Tuesday. Both bills gained broad bipartisan support after being recommended by the House Homeland Security Committee last week. If enacted, the bills will appropriate new funds to DHS for outreach and private-sector collaboration on the development of innovative cybersecurity technologies.

UK Parliamentary Committee Recommends Penalizing CEOs for Cyber Breach

By Daniel L. Farris

The effects of last year’s data breach at the UK telecom TalkTalk may reach farther than the one million customers whose data was compromised. The UK Parliament’s Culture, Media and Sport Committee, which opened an inquiry into the circumstances surrounding the breach last November, made recommendations Monday to significantly enhance penalties for both companies and chief executives who fail to prepare for, timely report, or learn from data breaches, including tying CEO compensation to the effectiveness of their companies’ cybersecurity programs.

House Homeland Security Committee Approves Slew of Cybersecurity Proposals; Moves for the Creation of New Cybersecurity Agency

By Daniel L. Farris

The U.S. House of Representatives Homeland Security Committee approved four cybersecurity-related bills on Wednesday, including one that could create a new federal cybersecurity agency. Most significantly, the Committee unanimously approved H.R. 5390, a bill that aims to transform the Department of Homeland Security (DHS) National Protection and Programs Directorate (NPPD) into a full-blown operational agency. The proposed Cybersecurity and Infrastructure Protection Agency would “realign and streamline” federal cybersecurity initiatives and implement the Cybersecurity Information Sharing Act (CISA), which passed in December.

EU Watchdog Advocates for New Fin Tech Regulations

By Daniel L. Farris

The European Securities and Markets Authority, a top EU securities watchdog, published a paper last week calling for new regulation of so-called blockchain technology in financial markets. The comments come as financial markets are experiencing a rapid increase in virtual currencies and the underlying distributed ledger technology that supports them.

EU Regulators Reject Privacy Shield

By Daniel L. Farris

A group of European data protection authorities, known as the Article 29 Working Party, is refusing to support the proposed transatlantic data transfer deal known as the “Privacy Shield.” In a highly anticipated opinion issued Wednesday, which does not bode well for US companies anxiously awaiting guidance after the invalidation of Safe Harbor last year, the Working Party criticized the Privacy Shield for failing to protect EU citizens’ data against US government surveillance programs.

In February, the European Commission and the US Department of Commerce announced a new deal to replace the Safe Harbor mechanism for transferring personal data from Europe to the United States. While acknowledging that the Privacy Shield was an improvement that would impose new and heightened obligations on US companies to protect Europeans’ privacy, the Working Party expressed numerous concerns over the ways transferred data may be used for commercial or national security purposes.

Giving Customers Control: FCC Confronts Internet Service Providers with Privacy Rules

By Nicole A. Poulos

The Federal Communications Commission (“FCC”) voted yesterday to propose new privacy rules for broadband Internet Service Providers (“ISPs”), a mere three weeks after Chairman Tom Wheeler proposed them. The proposed privacy rules, which are intended to give customers more control over their personal data, will now be released for public comment. Currently, no enforceable privacy rules exist for broadband networks.

Adoption of the Proposed Rulemaking did not go without a fight, as the final vote was a 3-2 split. Opponents of the rules argued that the regulations target only ISPs and fail to reach social networks and other online services. Proponents argued that ISPs can collect and piece together a wealth of information on customers, including private information.
