UK Information Commissioner Asks Organizations to "Deliver the Privacy Dividend"

On March 3, 2010, the UK Information Commissioner launched a report on the "Privacy Dividend" (the “Report”), which outlines the business case for proactively investing in privacy protection.  The lack of a robust business case is a common barrier to privacy investment, and too often such investment is approved only after a privacy breach or other crisis occurs.

The conclusions of the Report are unsurprising, namely that (i) personal information has commercial value, (ii) good data protection can bring business benefits and (iii) there are significant downsides to ignoring data protection.  The Report also reiterates the need for direction and accountability on the part of senior management for the organization’s privacy strategy. 

Against the backdrop of these conclusions, the Report offers a structured approach for Data Protection Officers to build their own business case to secure privacy investment and build a privacy culture.  It highlights the key components of a privacy program, and offers a framework (including examples) for estimating both the value of personal data, and the costs of ignoring data privacy.

In launching the report, the UK Information Commissioner, Christopher Graham, recognized that there can be no "one size fits all" approach to privacy.  Instead, the Report provides practical tools to help organizations of all sizes and across all sectors to build a business case for investing in privacy.  The Commissioner challenges organizations to use the tools necessary to ensure that privacy protection is hardwired into organizational culture and governance, and urges organizations to realize the privacy dividend.

German Federal Constitutional Court Declares Implementation of Data Retention Directive Unconstitutional

On March 2, 2010, the German Federal Constitutional Court ruled that the mass storage of telephone and Internet data for law enforcement purposes is unlawful in its current form.

Since 2008, the challenged law has required telecom companies to retain data from telephone, email and Internet traffic, as well as mobile phone location data, for six months.  This information may be retrieved for law enforcement and safety purposes.  Constitutional claims were brought before the Court by nearly 35,000 citizens, representing the largest mass claim proceeding in German history. 

Highlights from the Court’s decision are detailed below. 

  • According to the Court, the data retention in question is incompatible with the constitutional right of telecommunications secrecy and thus violates the German Constitution.  The data that has already been collected must be deleted without undue delay.
  • The ruling does not, however, exclude the storage of the data in general.  The Court did not question the admissibility of the European Directive on Data Retention, which was the basis for the German law.
  • The judges stated in their ruling that (i) the provisions of the law implementing the European Directive on Data Retention fail to observe the principle of proportionality, (ii) there is a lack of security for the data, and (iii) there is a lack of information regarding the purposes for which the data will be used.  The Court also criticized the law’s lack of transparency.
  • The Court stressed that the mass storage of data is considered a very serious encroachment on fundamental rights with an impact never before seen by the German legal system.  For example, the traffic data collected would enable the creation of personality profiles and allow for the tracking of individuals’ movements.  Such a threat to fundamental rights must be subject to very strict conditions that are not met by the current German law.  The law’s provisions cannot be applied even in a limited or temporary way, and must be annulled.  Because there is then no legal basis for the storage, data retention must cease and the previously collected data must be deleted.
  • The Court requested that the legislature develop strict criteria for data security that can be implemented by telecom companies, with the costs to be borne by the telecom companies since they profit from the telecommunication.
  • The Court stated that the federal government needs to (i) clarify that the data retained may be used only for law enforcement purposes, (ii) establish a catalogue of crimes serious enough to merit this kind of invasive data retention, and (iii) provide clear instructions to the federal states regarding the extent to which the police may access the data to prevent danger.  Because of the perception by individuals of a constant threat of being tracked, the Court stated that the legislature must establish effective transparency rules.  Affected individuals must be informed about the data analysis, and sanctions must be imposed for violations of this obligation to inform.
  • According to the Court, when a request is made to an ISP to disclose the identity of an individual using a specific IP address, the indirect use of data collected pursuant to such a request is subject to less stringent constitutional requirements.  In these cases, the authorities are not provided with the data as it is preserved by the ISP; rather, they receive only the personal information relating to the holder of the IP address, as identified by the ISP using the data.  Systematic, long-term fishing expeditions or individual profiling cannot be carried out through these kinds of disclosure requests.  Further, such disclosure requests use only a pre-determined, limited amount of data, and storage of such data implies much less risk of encroachment on fundamental rights.  Accordingly, such disclosure requests may be ordered under less stringent conditions.

FTC Warns Organizations of P2P-Related Data Security Breaches

On February 22, 2010, the Federal Trade Commission issued a news release indicating that it had notified almost 100 organizations that personal data about their customers, students or employees had been shared from their computer networks on peer-to-peer (“P2P”) file sharing sites, thereby exposing the data of affected individuals to possible identity theft and fraud.  In its letters, the FTC urged recipient entities to review their internal security procedures and the security procedures of their third party service providers.  The letters also recommended that the companies identify affected individuals and consider whether to notify them of the possible risks to their personal information pursuant to applicable state and federal data security breach notification laws.  Samples of the FTC’s letters were published with the news release and are available on the FTC’s website.

In addition, to help companies manage security risks related to P2P networks, the FTC published a Guide for Businesses on Peer-to-Peer file sharing and provided a link to a P2P Security Guide for consumers. 

Hunton & Williams partner, Lisa J. Sotto, discussed the FTC’s release in USA Today's Technology Live Blog.

Massachusetts Information Security Regulations Take Effect on March 1, 2010

After several delays and revisions, the Massachusetts information security regulations, entitled “Standards for the Protection of Personal Information of Residents of the Commonwealth,” will take effect on March 1, 2010.  The regulations apply to entities that own or license personal information about Massachusetts residents.  “Personal information” is defined as a combination of a resident’s first and last name and Social Security number, driver’s license or state ID number, or financial account number or payment card number that permits access to the individual’s financial account.

The regulations require entities to develop, implement and maintain a written, risk-based information security program that takes into account the entity’s size, nature of its business, types of records it maintains and the risk of identity theft posed by the entity’s operations.  Also set out in the regulations are numerous administrative, technical and physical safeguards that the required information security program must include. 

Finally, the regulations require covered entities to take steps to select and retain service providers that are capable of appropriately safeguarding personal information.  Covered entities must contractually require their service providers to safeguard personal information in accordance with the Massachusetts regulations and applicable federal requirements; provided, however, that service provider contracts entered into no later than March 1, 2010, are exempt from complying with this requirement until March 1, 2012. 

To read more about compliance with the new regulations, please see our Client Alerts (from February 2009 and from September 2008) and our previous blog posts.

View the Massachusetts regulations


Canadian Privacy Commissioner Investigates Facebook

Pursuant to a public complaint, on January 27, 2010, the Privacy Commissioner of Canada announced a new investigation into Facebook.  The investigation concerns the social networking site’s introduction of a tool that required its users to review their privacy settings in December 2009.  According to the complaint, Facebook’s new default settings allegedly made some users’ information more accessible than previously had been the case.  Elizabeth Denham, the Assistant Privacy Commissioner, indicated “[s]ome Facebook users are disappointed by certain changes being made to the site – changes that were supposed to strengthen their privacy and the protection of their personal information.”

The new complaint follows the Commissioner’s July 2009 release of findings resulting from an investigation into Facebook’s privacy policies and practices.  The findings highlighted concerns regarding Facebook, including a need for increased transparency and clarity.  The Office of the Privacy Commissioner will continue to follow up with Facebook as the company implements changes to its site.  

For further information, please see the Office of the Privacy Commissioner's News Release.

New Chinese Tort Liability Law Contains Provisions Affecting Personal Data

On December 26, 2009, the Standing Committee of China’s National People’s Congress passed a landmark new law that contains provisions affecting personal data. The new law will go into effect on July 1, 2010.

The P.R.C. Tort Liability Law is a wide-ranging law that imposes tort liability for matters ranging from environmental damage to product liability to animal bites. Certain of its provisions relate, expressly or in a general sense, to personal information. These provisions can cause data users to incur liability to data subjects for the mishandling of personal information.


German Data Protection Authorities Issue Resolution on Website Analysis Methods

In December 2009, the German data protection authorities (“DPAs”) for the private sector published a resolution on data protection compliance for website audience measurement (in German).  The resolution was adopted at the Düsseldorfer Kreis meeting on November 26-27, 2009.

Many website operators analyze users’ surfing behavior for advertising and market research purposes, or to adapt their websites to suit consumer preferences. To create user profiles, website operators often use software or other services that are offered by third party service providers (sometimes free of charge).

In the resolution, the DPAs specify that website operators must comply with the provisions of the German Telemedia Act (“TMG”) when creating user profiles.  According to the TMG, website operators are only allowed to create user profiles by using pseudonyms.  A user’s IP address, however, does not qualify as a pseudonym under the TMG. The resolution further states that the following TMG requirements must be met:

  • Website users must have the opportunity to object to the creation of their user profiles, and website operators must honor such objections effectively.
  • Pseudonymized user data may not be combined with data about the individual associated with the pseudonym. 
  • User data must be deleted (1) if storage is no longer necessary for usage analysis purposes, or (2) if the user requests the deletion.
  • Without the user’s consent, personal data may be collected and used only to the extent necessary to enable the use of telemedia services and for billing purposes. Any other use requires the consent of the user.
  • In their privacy policies, website operators must (1) provide clear disclosure regarding the creation of pseudonymized user profiles, and (2) inform users that they have the option to object to the creation of such profiles.
  • Because complete IP address data may be traced back to a user, analysis of surfing behavior using complete IP addresses (including a geo-localization) is only admissible pursuant to deliberate, explicit consent.  If the user has not given consent, the IP address must be truncated prior to analysis to eliminate the possibility of data being attributed to a specific user.
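One way to apply the truncation rule from the last bullet as a preprocessing step before usage analysis, as an added Python example that is not part of the resolution or this post. The log lines, the per-line consent field and the prefix lengths kept (/24 for IPv4, /48 for IPv6) are assumptions; the DPAs require only that the remaining value can no longer be attributed to a specific user.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample access-log lines (not from the resolution).  The trailing
# "consent=" field is a hypothetical flag the site operator would record itself
# to show whether the user gave explicit consent to analysis with a full IP.
SAMPLE_LOG = [
    '203.0.113.77 - - [26/Nov/2009:10:15:01 +0100] "GET /index.html HTTP/1.1" 200 512 consent=no',
    '2001:db8:abcd:1234:5678:9abc:def0:1 - - [26/Nov/2009:10:15:02 +0100] "GET /shop HTTP/1.1" 200 2048 consent=yes',
    '198.51.100.23 - - [26/Nov/2009:10:15:03 +0100] "GET /shop HTTP/1.1" 200 2048 consent=no',
    'not a log line at all',
]

# Assumed truncation widths.  These are a design choice for this example; the
# resolution prescribes truncation but not a specific number of bits.
IPV4_KEEP_BITS = 24
IPV6_KEEP_BITS = 48

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+) consent=(?P<consent>yes|no)$'
)


def truncate_ip(ip_text):
    """Zero the host bits of an address so it no longer identifies one user."""
    addr = ipaddress.ip_address(ip_text)
    keep = IPV4_KEEP_BITS if addr.version == 4 else IPV6_KEEP_BITS
    net = ipaddress.ip_network(f"{addr}/{keep}", strict=False)
    return str(net.network_address)


def prepare_for_analysis(lines):
    """Parse log lines; keep the full IP only where the user consented."""
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guess at their content
        consented = m.group("consent") == "yes"
        raw_ip = m.group("ip")
        records.append({
            "ip": raw_ip if consented else truncate_ip(raw_ip),
            "full_ip_retained": consented,
            "path": m.group("req").split()[1],
            "status": int(m.group("status")),
        })
    return records


def verify_truncation(records):
    """Check that no record without consent still carries a full address."""
    for r in records:
        if not r["full_ip_retained"] and truncate_ip(r["ip"]) != r["ip"]:
            return False
    return True


def page_hits(records):
    """The usage analysis itself works only on the prepared records."""
    return Counter(r["path"] for r in records)


if __name__ == "__main__":
    prepared = prepare_for_analysis(SAMPLE_LOG)
    assert verify_truncation(prepared)
    for rec in prepared:
        print(rec)
    print(page_hits(prepared))
```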

Privacy Group Files FTC Complaint Against Facebook

On December 17, 2009, the Electronic Privacy Information Center (“EPIC”) filed a complaint with the FTC claiming that Facebook is engaging in “unfair and deceptive trade practices” by changing its privacy policies.  Notably, the changes allow anyone who browses the Internet to view a Facebook user’s name, profile picture, gender, geographic region and list of friends.  Facebook has stated that it implemented these changes to make it easier to find individual users among the estimated 350 million Facebook users.

EPIC’s complaint, which was signed by nine other privacy organizations, alleges that Facebook’s privacy changes injure users by “invading their privacy; allowing for disclosure and use of information in ways and for purposes other than those consented to or relied upon by such users; causing them to believe falsely that they have full control over the use of their information; and undermining the ability of users to avail themselves of the privacy protections promised by the company.”  EPIC’s complaint further alleges that Facebook’s claim that users “have extensive and precise controls available to choose who sees what among their network and friends, as well as tools that give them the choice to make a limited set of information available to search engines and other outside entities” is deceptive because “Facebook’s changes to users’ privacy settings and associated policies in fact categorize as ‘publicly available information’ users’ names, profile photos, lists of friends, pages they are fans of, gender, geographic regions, and networks to which they belong.”

EPIC is requesting the FTC compel Facebook to “restore its previous privacy settings” and “make its data collection practices clearer and more comprehensible and to give Facebook users meaningful control over personal information provided by Facebook to advertisers and developers.”  In response to EPIC’s complaint, Facebook released a statement that the company had “discussed the privacy program with many regulators, including the FTC, prior to launch and expect to continue to work with them in the future.”

New Class Action Complaint Alleges Privacy Violations by ISP Using NebuAd Device

A class action complaint filed on December 9, 2009, in Illinois federal court alleges that WideOpen West, Finance, LLC ("WOW"), an Internet service provider, violated its users' privacy by "installing spyware devices on its broadband networks."  Valentine v. WideOpen West (N.D. Ill., No. 1:09-cv-07653).  This action against WOW follows the October 6, 2009, dismissal by a district court in California of similar claims against six out-of-state ISP defendants (including WOW) filed in November 2008 by the same lead plaintiff.  The court in Valentine v. NebuAd, Inc. et al. (N.D. Cal., No. 3:08-cv-05113) found that the ISP defendants were not subject to personal jurisdiction in California, leaving the now-defunct NebuAd as the only defendant in that case.  Plaintiff Valentine has now brought this action against WOW in the Northern District of Illinois.

The complaint alleges that some 330,000 high-speed Internet customer accounts were impacted by the "NebuAd Ultra-Transparent Appliance" that WOW used "to divert Internet traffic," including users' personal information, to NebuAd (a third party provider of tailored advertising services).  The complaint alleges that WOW provided NebuAd with intercepted communications to (i) serve advertisements on the websites users visited, and (ii) transmit code that installed tracking cookies that could not be deleted from users' computers.
In addition, the complaint includes charges that WOW misrepresented to Congress the content of user traffic it diverted to NebuAd by stating in response to Congressional inquiries that no personally identifiable information was collected.  The complaint also alleges that WOW's conduct constituted a tortious invasion of privacy, violations of the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act, and a violation of the Illinois Criminal Code's eavesdropping restrictions.  It remains to be seen whether the class will be certified in this case.

FTC Kicks Off Privacy Roundtable Series

On Monday, December 7, the Federal Trade Commission began a three-part series of roundtables collectively entitled "Exploring Privacy."  The conference opened with a presentation by Richard M. Smith featuring data flow charts he developed with FTC staff to illustrate the current “personal data ecosystem” and how personal information moves in various online and offline contexts.  The charts that served as the basis for his discussion (available here) offer a sense of the FTC’s understanding of today’s information marketplace.  Other panels covered topics such as consumer expectations, information brokers and online behavioral advertising.

The event’s closing session – “Exploring Existing Regulatory Frameworks” – featured several speakers including Barbara Lawler of Intuit who provided an overview of the Business Forum for Consumer Privacy's “Use-and-Obligations” approach to privacy governance.  The Business Forum’s paper is available here.  In response to the FTC's request for greater simplicity, Professor Fred Cate suggested a framework based on three categories of information-related activities:  those that are prohibited or heavily disfavored, those that are permitted without specific notice or consent, and a large middle ground that applies consent requirements on a sliding scale from implied to explicit.  The panel’s tone indicated a general consensus that the "notice and choice" privacy governance model is becoming increasingly irrelevant.  At the IAPP conference the following day, EPIC’s Marc Rotenberg agreed that "notice and choice is only effective when the consumer has real choices to make."

The FTC’s Exploring Privacy series will continue with roundtables scheduled for January 28, 2010, in Berkeley, California and March 17, 2010, in Washington, DC.  The FTC is expected to complete the creation of the record during the January session and to explore future initiatives at the meeting in March.

Agencies Issue Final Gramm-Leach-Bliley Act Model Privacy Notice

Today, eight federal financial regulatory agencies issued a final Gramm-Leach-Bliley Act ("GLBA") model privacy notice.  The final model notice incorporates financial institutions' required disclosures pursuant to Section 503 of the GLBA.  The GLBA requires, in relevant part, that financial institutions provide consumers with information regarding their collection and sharing of nonpublic personal information.  Financial institutions that adopt the final model notice will be deemed in compliance with the GLBA notice requirements.  The final model notice is the result of the agencies' consumer research and testing.  It is touted as succinct, easy to use and consumer friendly. The final model notice will take effect 30 days after publication in the Federal Register. Publication is anticipated shortly.

Issuance of this model notice follows the enactment, in October 2006, of the Financial Services Regulatory Relief Act (“Relief Act”).  Section 728 of the Relief Act directs the federal financial services agencies to jointly develop a model privacy notice that incorporates all of GLBA-mandated disclosures to consumers.  Section 728 also provides a safe harbor.  Financial services institutions that elect to use the model form will be deemed in compliance with the GLBA notice requirements.  In response to the Relief Act requirements, on March 29, 2007, the financial services agencies published a proposed model privacy notice.  The final model privacy notice is substantially similar to the proposed model with certain revisions based on comments submitted to the agencies and consumer testing.

For further information regarding the final model privacy notice please refer to our earlier post.

Connecticut Attorney General Investigation Sheds Light on Meaning of "Unreasonable Delay" in Data Breach Context

On November 9, 2009, Connecticut’s Attorney General, Richard Blumenthal, announced an investigation of whether Blue Cross and Blue Shield (“BCBS”) violated Connecticut’s data breach notification law by waiting until two months after a data breach had occurred to notify affected Connecticut residents.  The data breach, which Attorney General Blumenthal called “one of the most sizable and significant in Connecticut’s history,” involved the theft of a laptop containing confidential unencrypted data from the car of a BCBS employee in late August.  BCBS notified affected Connecticut residents of the breach in late October.

The data contained on the stolen laptop included the names, addresses and Taxpayer Identification Numbers of approximately 19,000 health care providers in Connecticut.  The breach also involved thousands of Social Security numbers (“SSNs”), since an estimated 16-22% of individual health care providers use their SSNs as Taxpayer Identification Numbers.  BCBS confirmed that the breach did not involve any medical information or patient information.

Connecticut’s data breach notification law requires any person who “conducts business in” Connecticut and who “owns, licenses or maintains computerized data that includes personal information” to disclose any breach of security to affected Connecticut residents “without unreasonable delay.”  Attorney General Blumenthal is requesting more details from BCBS about the breach, including a list of impacted health care providers, the credit monitoring services and other protections that BCBS is offering those providers, as well as BCBS’s policies and procedures for responding to data breaches.  He noted that failure to comply with Connecticut’s data breach notification law constitutes an unfair trade practice that may subject BCBS to fines of up to $5,000 for each Connecticut resident affected by the breach and require BCBS to provide restitution to those affected residents.

Provincial Consumer Protection Regulations in China May Affect Personal Data

Although China has yet to enact a national data protection law, certain provincial-level rules implementing national consumer protection laws impact the collection and use of personal data.  These provincial regulations may warrant specific attention by entities doing business in the relevant Chinese provinces.  The impact of each of these will often be limited, both because they affect only enterprises doing business in the respective provinces and because the actual requirements of each of these regulations are typically modest.  Also, the potential penalties for violation are manageable in most cases. In addition, these provincial regulations could be superseded by national-level data protection legislation, depending on its terms.

Agencies Expected to Publish Final Gramm-Leach-Bliley Act Model Privacy Notice

The federal financial services agencies are expected to shortly announce a proposed-final Gramm-Leach-Bliley Act (“GLBA”) model form privacy notice.  The model notice incorporates financial institutions' required disclosures pursuant to Section 503 of the GLBA.  Financial institutions that use the form to provide notice to consumers will be deemed in compliance with the privacy notice provisions of the GLBA.  Once adopted and published in the Federal Register, the financial services agencies' final model notice will take effect in 30 days.

The GLBA requires, in relevant part, that financial institutions provide consumers with notice of their privacy policies and practices.  The privacy notice must describe a financial institution's disclosure of nonpublic personal information to affiliated and nonaffiliated third parties.  In addition, the notice must also give consumers a reasonable opportunity to opt out of certain sharing with nonaffiliated third parties.

In October 2006, the Financial Services Regulatory Relief Act (“Relief Act”) was enacted.  Section 728 of the Relief Act directs the federal financial services agencies to jointly develop a model form privacy notice that incorporates all of GLBA mandated disclosures to consumers.  Section 728 also provides a safe harbor.  Financial services institutions that elect to use the model form will be deemed in compliance with the GLBA notice requirements.  In response to the Relief Act requirements, on March 29, 2007, the financial services agencies published a proposed model privacy form.  The final model privacy form is substantially similar to the proposed model form with certain revisions based on comments submitted to the agencies and consumer testing.

The final model form privacy notice addresses the legal requirements of GLBA and is designed to facilitate consumer comprehension.  In terms of content, it is two pages in length, but may be printed on a single sheet of paper.  The first page is organized in five parts: (i) the title, (ii) an introductory section, (iii) a disclosure table describing the types of sharing by financial institutions and, if appropriate, whether a consumer can limit or opt out of sharing, (iv) a mechanism to limit sharing for opt out purposes, and (v) the financial institution’s customer service contact information.  The second page contains supplemental explanatory information in frequently asked question format, as well as definitions of relevant terms.  The content set forth in the model form must remain unchanged for financial institutions to rely on the safe harbor.

The financial services agencies' announcement of the final model privacy notice is anticipated in the near future although a draft of the final rule has been circulated.

Federal Trade Commission Comes out Swinging: Two-Day Enforcement Haul Totals More than $18.5 Million

The Federal Trade Commission is having a very busy week, announcing settlements in three high profile cases all before the close of business Tuesday.

The FTC today announced a settlement with MoneyGram International, Inc., the second largest provider of money transfer services in the U.S., which allegedly facilitated a host of fraudulent activities undertaken by telemarketers and other con artists.  The FTC charged that these practices violated both the FTC Act and the Telemarketing Sales Rule.  To settle charges that it facilitated fraud on American consumers originating from Canada, MoneyGram has agreed to pay $18 million into a fund that will be used to provide restitution to consumers.  The $18 million settlement represents MoneyGram’s total return on $84 million in fraudulent transactions.  The settlement further requires implementation of a comprehensive anti-fraud program that is reminiscent of the Identity Theft Prevention Programs mandated by the FTC's Red Flags Rule, including employee training and ongoing monitoring to detect fraud.

The FTC also announced today a settlement with Iconix Brand Group, Inc., which owns, licenses and markets apparel brands including Candie's, Mudd, Bongo and OP.  The FTC alleged violations of the Children’s Online Privacy Protection Act ("COPPA") and Section 5 of the FTC Act.  As to the COPPA violations, the FTC noted that several of the brands' websites collected full dates of birth, presumably putting the company on notice that it had collected information from individuals under the age of 13 although it did not notify parents in advance or seek their consent.  In addition, the brands' privacy statements included a representation that the company does not "seek to collect" personal information from individuals under the age of 13, which the FTC charged was a deceptive trade practice in violation of Section 5 of the FTC Act.  Iconix agreed to pay $250,000 in civil money penalties and to delete all information collected and maintained in violation of COPPA, in addition to other equitable measures such as training employees.

Yesterday, the FTC announced that ChoicePoint, Inc. agreed to strengthen its data security in order to settle charges that it failed to implement a comprehensive information security program as required by the earlier consent order it entered into with the agency following its well-publicized 2005 security breach.  This agreement, which expands the company's obligations under the original consent order, follows a security breach that occurred in 2008.  ChoicePoint allegedly turned off a security feature used to monitor access to one of its databases and failed to detect that the feature was disabled for four months.  During that period, the FTC alleged that the personal information of 13,750 people was compromised, putting them at risk of identity theft.  In addition to paying $275,000 to be used for consumer redress, the modified court order requires ChoicePoint to report to the FTC every two months for the next two years, providing "detailed information about how it is protecting the breached database and certain other databases and records containing personal information."

The three cases, following closely on the heels of seven Safe-Harbor-related settlements, demonstrate the FTC's resolve to enforce more aggressively and levy larger fines when settling cases.

Australia to Reform Privacy Laws

On October 14, 2009, the Australian government released a report entitled “Enhancing National Privacy Protection” that contains proposed reforms to Australia’s privacy laws, including the Privacy Act 1988 (“Privacy Act”).  In announcing the report, Cabinet Secretary and Special Minister of State Joe Ludwig stated that the reforms aim to “provide for one set of streamlined Privacy Principles for Australian Government agencies and private sector organizations which will provide greater clarity and cut red tape.”  The report comprises the first stage of a two-stage response to a report issued by the Australian Law Reform Commission (“ALRC”) in 2008 that contained 295 recommendations to revise Australian privacy laws and practices.

The Australian government’s report addressed 197 of the 295 ALRC recommendations and promised to implement almost 90% of those recommendations.  Some of the more notable recommendations that will be implemented include: strengthening the Privacy Commissioner’s powers of investigation and enforcement; adding biometric information to the definition of “sensitive information” in the Privacy Act; enacting new rights for individuals to transfer their health records between health care providers; and requiring agencies and organizations to notify individuals if their personal information is reasonably likely to be transferred overseas.

The Australian parliament intends to draft legislation to implement the ALRC recommendations in early 2010.  After this first stage response to the ALRC report has progressed, the Australian government intends to consult with the public and privacy sectors to address the remaining 98 ALRC recommendations, which focus on sensitive issues such as data breach notification and the handling of personal information under the Telecommunications Act 1997.

First Amendment Challenge Prompts Maine AG to Postpone Enforcement of New Child Privacy Protection Law

On September 9, 2009, the U.S. District Court for the District of Maine dismissed a lawsuit challenging the validity of the Act to Prevent Predatory Marketing Practices Against Minors (the “Act”), which is set to take effect on September 12, 2009.  The Act prohibits businesses from knowingly collecting or receiving a minor’s health-related information or personal information for marketing purposes without first obtaining verifiable parental consent.  Businesses are also prohibited from using any health-related information or personal information regarding a minor for the purpose of marketing a product or service to the minor.  In dismissing the claim, the Court acknowledged that the Plaintiffs had successfully established the likelihood of success on the merits that the Act is overbroad and violates the First Amendment.  Although the Plaintiffs met this burden, the Court recognized that the Attorney General has agreed not to enforce the Act, and the Maine Legislature is committed to reconsidering its scope in January 2010.  Accordingly, the Court, with the agreement of the parties, closed the lawsuit in a stipulated order of dismissal.

Click here for details regarding the scope and requirements of the Act.

Maine Enacts Comprehensive New Law Restricting Marketing to Minors

On September 12, 2009, Maine’s Act to Prevent Predatory Marketing Practices Against Minors (the “Act”) will take effect.  The Act prohibits businesses from knowingly collecting or receiving a minor’s health-related information or personal information for marketing purposes without first obtaining verifiable parental consent.  Businesses are also prohibited from using any health-related information or personal information regarding a minor for the purpose of marketing a product or service to the minor.  Pursuant to the Act, the use of information in such a manner is a predatory marketing practice, which may be sanctioned as an unfair trade practice.  The law also allows individuals subject to unlawful data collection or predatory marketing practices to bring a private right of action against violators.

For businesses, the implications of Maine's new data collection and marketing restrictions are far-reaching.  The scope of the law covers both online and off-line marketing activities, and the broad definition of personal information includes a minor’s name in combination with any information concerning the minor.  In light of the Act’s restrictive requirements and considerable scope, businesses would be well-advised to evaluate their current marketing practices and age verification mechanisms.  The text of the law is available here.

Privacy and the Protection of Personal Information in China

Privacy laws in China are still evolving, and at this time there is no coordinated legal framework addressing data protection.  There are, however, a number of Chinese laws that are applicable to the processing and protection of personal information.  Navigating the indirect, piecemeal Chinese approach to regulation in this area may prove challenging for foreign counsel accustomed to practicing in jurisdictions with explicit privacy protection legislation and data security laws.  To shed some light on these issues, we have prepared an overview of various Chinese laws that bear on privacy and information security.  Click here for the full article.
The article was originally published on the DataGuidance website at www.dataguidance.com.

Data Security Breach Notification Law Update

July saw a flurry of activity involving data security breach notification laws. 

  • On July 1, breach notification laws in Alaska and South Carolina went into effect.
  • On July 9, Missouri became the 45th state to enact a data breach notification law. 
  • On July 22, Senator Patrick Leahy reintroduced a comprehensive federal data security bill, calling it one of his “highest legislative priorities.”
  • On July 27, North Carolina amended its breach notification law to require notification of the state attorney general any time consumers are notified of a breach involving their personal information.  The amendment also included content requirements for the attorney general’s notice.

On July 9, Missouri Governor Jay Nixon signed a data security breach bill into law, leaving Alabama, Kentucky, Mississippi, New Mexico and South Dakota as the only remaining states without a breach notification requirement.  The Missouri law’s noteworthy provisions include a broad definition of personal information that encompasses medical and health insurance information and a requirement to notify consumer reporting agencies and the state attorney general if more than 1,000 consumers are being notified of a security breach.  The Missouri law goes into effect August 28, 2009.

On July 22, Senator Patrick Leahy (D-VT) reintroduced a privacy bill that includes federal data security breach notification requirements.  The Personal Data Privacy and Security Act would require businesses engaged in interstate commerce to notify individuals if their computerized sensitive personally identifiable information (SPII) is subject to a data security breach.  Notably:

  • The bill requires notification of: (1) major media within any state where more than 5,000 individuals are affected by a breach; (2) consumer reporting agencies if more than 5,000 individuals are affected; and (3) the Secret Service if more than 10,000 individuals are affected or if the breach involves a federal database, national security officials or a database containing information on more than 1,000,000 individuals. 
  • Businesses that collect, use or access the SPII of more than 10,000 individuals must implement a comprehensive data security and privacy program (financial institutions that are subject to the Gramm-Leach-Bliley Act (GLB) and covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA) are exempt from this requirement). 
  • The notification provisions of the proposed federal law would not preempt existing state data breach notification laws, but they would supersede any other provision of federal law or any provision of any state law relating to notification by a business engaged in interstate commerce. 

Similar federal privacy legislation has been approved by the Senate Judiciary Committee in prior sessions of Congress, but has never been voted upon by the full Senate.  Senator Leahy’s bill is the third major federal data privacy bill to be introduced in 2009.  Senator Dianne Feinstein introduced a data breach notification bill in January; in April, Representative Bobby Rush introduced H.R. 2221 (the Data Accountability and Trust Act), a bill which is strongly supported by the FTC's Acting Director of the Bureau of Consumer Protection.

Finally, on July 27, North Carolina Governor Beverly Perdue signed a bill amending that state’s data breach notification law.  As of October 1, 2009, any time a business provides notice pursuant to the North Carolina statute, the business must also notify the Consumer Protection Division of the North Carolina Attorney General’s Office.  The notice must include information on the nature of the breach, the number of consumers affected, steps taken to investigate the breach, steps taken to prevent a similar breach in the future and information regarding the timing, distribution and content of the notice being sent to affected individuals.   Previously, North Carolina required notification of the state attorney general only when a business provided notice to more than 1,000 persons at one time, and such notification needed to include only the timing, distribution and content of the notice to consumers.

New Data Security Breach Laws in Alaska and South Carolina

On July 1, 2009, new laws will take effect in Alaska and South Carolina that will require entities that have experienced data security breaches involving personal information to notify affected individuals of the breaches.  With these additions, a total of 44 states, plus the District of Columbia, Puerto Rico and the U.S. Virgin Islands, will have active breach notification laws in place.  There are no breach notification laws in Alabama, Kentucky, Mississippi, Missouri, New Mexico and South Dakota.

Alaska Stat. § 45.48.010 et seq. will apply to breaches of unencrypted personal information in both paper and electronic records.  Personal information is defined as first name or first initial and last name plus one or more of the following data elements:  (i) Social Security number, (ii) driver’s license number or state identification card number, (iii) account number, credit card number or debit card number, combined with any security code, access code, personal identification number or password needed to access an account, and (iv) passwords, personal identification numbers or other access codes for financial accounts.  Notification is not required if, after an appropriate investigation and written notification to the attorney general of Alaska, the entity experiencing the breach determines that there is not a reasonable likelihood that harm to the individuals whose personal information has been acquired has resulted or will result from the breach.  An entity is also exempt from notification in the event of an unauthorized but good-faith acquisition of personal information by an employee of the entity, so long as the employee does not use the personal information for an illegitimate purpose or make further unauthorized disclosure of the information.  The statute authorizes a state agency to promulgate implementing regulations at any point after the effective date.

S.C. Code Ann. § 39-1-90 will apply to breaches of unencrypted personal identifying information in both paper and electronic records.  Personal identifying information is defined as first name or first initial and last name in combination with and linked to one or more of the following data elements:  (i) Social Security number, (ii) driver’s license number or state identification card number, (iii) financial account number, or credit card or debit card number in combination with any required security code, access code or password that would permit access to a resident's financial account, and (iv) other numbers or information that may be used to access a person's financial accounts, or numbers or information issued by a governmental or regulatory entity that will uniquely identify an individual.  The law does not require notification in the event of an unauthorized but good-faith acquisition of personal identifying information by an employee of the entity for the purposes of its business if the personal identifying information is not used or subject to further unauthorized disclosure.

Nevada Updates Encryption Law and Mandates PCI DSS Compliance

As of January 1, 2010, Nevada law will require businesses to use encryption when data storage devices that contain personal information are moved beyond the physical or logical controls of the business, in addition to continuing to require that personal information be encrypted if it is transferred outside the secure system of the business. The new law repeals the existing Nevada encryption law, which will remain in effect until January 1, 2010. (For more information on the existing Nevada encryption law, please see our previous Client Alert.) The new law also mandates compliance with the Payment Card Industry Data Security Standard (“PCI DSS”) for businesses that accept payment cards. The law applies to organizations doing business in Nevada and provides that compliance will shield such businesses from liability for damages from a security breach.  To read more, click here.

"Bot Herder" Slapped With Federal Prison Sentence

A former computer security consultant was sentenced Wednesday to four years in federal prison for fraud stemming from his involvement with a cyber-crime ring that used botnets to infect an estimated 250,000 computers.  He has also been ordered to pay $20,000 in restitution to companies defrauded by the scheme.  The 27-year-old California man made history last year when he became the first "bot herder" in the United States to plead guilty to wiretapping charges in connection with the use of botnets.  His guilty plea included admissions of accessing protected computers to conduct fraud and disclosing illegally intercepted electronic communications, as well as wire and bank fraud.  He faced up to 60 years in prison and $1.75 million in fines.

Botnets are networks of "zombie" computers that, unbeknownst to their owners, are remotely controlled by hackers with unfettered access to personal information stored on, or transmitted by, the machines.  The use of botnets, and attendant malware, permits criminals to gain access to individuals' private communications with financial institutions as well as other sensitive data.  The criminal operation that resulted in Wednesday's sentencing was uncovered by the Federal Bureau of Investigation two years ago as part of its Operation Bot Roast investigative initiative.  According to the FBI, botnets pose a growing threat to national security, the national information infrastructure and the economy.  In June 2007, federal law enforcement agents announced they had logged the millionth IP address belonging to a botnet.

Consumers' explicit consent required in the UK before personal details disclosed to third parties

The UK Advertising Standards Authority (“ASA”) recently upheld a complaint under the UK Committee of Advertising Practice Code (“CAP Code”) which requires UK marketers to obtain the explicit consent of consumers before disclosing their personal information to third parties for direct marketing purposes.

Kaleidoscope Ltd had published a national advertisement for a marquis ring which included a term in small print stating that “by ordering from us, you are consenting to us sharing your information with other organisations and to us or them contacting you for marketing purposes by mail, telephone, email or otherwise. If you do not wish to be contacted by us by telephone for marketing purposes, please tick this box.”

The ASA ruled that this advertisement breached the CAP Code (rules 43.4c and 43.5): because the small print treated a response to the promotion as consent, consumers were not explicitly consenting to the advertiser sharing their information with other organisations who might (by whatever means) contact them directly.

To comply with the CAP Code, which reflects the requirements of the UK Data Protection Act 1998 (“DPA”) and the UK Privacy and Electronic Communications Regulations 2003 (the “Regulations”), marketers advertising within the UK or collecting personal information from individuals within the EU must gain the explicit consent of consumers (i.e., "opt-in” consent) before sending any electronic marketing or disclosing their personal details to third parties for direct marketing purposes.

In contrast, in the U.S., the Federal Trade Commission under CAN-SPAM allows direct electronic marketing to be sent to anyone, without permission, until the recipient explicitly requests to opt out.  The Kaleidoscope decision reminds us that in the EU, pursuant to Directive 2002/58/EC on privacy and electronic communications, marketers are required to obtain explicit consent from subscribers before sending electronic communications.  In addition to a positive indication of consent, the UK CAP Code provides that at the time of data collection and on each occasion that marketing communications are sent, marketers are required to provide subscribers with the opportunity to opt out of future marketing.

China's Amendment to Criminal Law Includes Data Protection Provisions

The Standing Committee of the National People’s Congress recently passed an amendment to the P.R.C. Criminal Law.  The amendment includes a provision imposing criminal liability on persons who misappropriate personal information during the course of performing their professional duties.  A previous Hunton & Williams Client Alert reported on the amendment that has now become effective as law.  Click here for a detailed summary of the relevant requirements.

The amendment as passed imposes potential criminal penalties not only on government agency personnel, but also on personnel in financial, telecommunications, transportation, educational and medical institutions who may sell personal information or provide it to others.  In other words, the law appears to allow the imposition of penalties within the private sector, as well as on government officials who misappropriate personal data.  The law can also make an enterprise, or a supervising person within an enterprise (“management personnel with direct responsibility”), liable for such misappropriations that are conducted by the enterprise.

Possible penalties for such misappropriations include imprisonment for less than three years, imposition of a fine (as a single penalty or concurrently with other penalties), or detention.  The amendment also makes intrusions into computer systems outside the government sector and obtaining information stored, processed, or transmitted thereon a criminal act.

Companies in the financial, telecommunications, transportation, educational and medical sectors in China may want to establish internal procedures to prevent misappropriations of personal data within their enterprise, and to undertake employee educational efforts to foster awareness of the importance of handling personal data with appropriate care.

New York Enacts Law Restricting SSN Use

New York State recently enacted legislation restricting the use of Social Security numbers (“SSNs”) by employers. The legislation takes effect on January 3, 2009.

Restrictions on the Use of SSNs
At present, the New York Social Security Number Protection Law prohibits a business from (i) intentionally communicating an SSN to the general public; (ii) printing an SSN on any card or tag required for the individual to access products, services or benefits provided by the business; (iii) requiring an individual to transmit his or her SSN over the Internet, unless the connection is secure or the SSN is encrypted; or (iv) requiring an individual to use his or her SSN to access an Internet website, unless a password or unique personal ID number or authentication device is also required.

This law defines an SSN very broadly as any number derived from an SSN. Accordingly, even the last four digits of an SSN are subject to the above-mentioned prohibitions. The newly-enacted New York legislation amends existing law by including an additional prohibition on the use of SSNs. Specifically, businesses must refrain from encoding or embedding an SSN in a card or document (such as in a bar code, chip or magnetic strip).

Restrictions on Employers’ Use of SSNs
The new legislation also amends New York’s labor law by restricting employers’ use of employee SSNs. Notably, employers are prohibited, except as required by federal or state law, from (i) publicly posting or displaying an SSN; (ii) visibly printing an SSN on any identification badge or card, including a time card; or (iii) placing an SSN in files with unrestricted access. As a result of the new law, businesses must verify that employee SSNs are being stored in a secure manner so as to prevent unauthorized access.

We Can Help
In addition to New York, a majority of states have enacted laws aimed at protecting personal information such as SSNs. Hunton & Williams’ Privacy and Information Management practice assists clients in complying with the myriad federal and state privacy and information security laws. If you would like assistance in reviewing how your organization handles and secures personal information, please contact us.