Tag Archives: data privacy

California’s Sweeping New Privacy Legislation – What You Need to Know!

With the recent passage of the California Consumer Privacy Act of 2018 (CCPA), California continues to be a leader when it comes to protecting the privacy rights of individuals. Many experts agree that the CCPA is the most comprehensive consumer privacy legislation in the United States to date.

Like the new EU privacy regulation GDPR, the CCPA is meant to give consumers more control over their personal information, including:

  • knowing what kind of information is being collected about them;
  • knowing if their information is being sold or disclosed (and to whom);
  • allowing them to restrict the sale of their information; and
  • giving them access to their information.

Most U.S. privacy legislation focuses on specific sectors or privacy issues, but the new CCPA applies broadly to businesses that collect personal information about California consumers and creates significant new consumer privacy rights. That means your business may face new obligations. Here’s what you should know.

Does it apply to you?

The CCPA only applies to companies that conduct business in California and Continue reading California’s Sweeping New Privacy Legislation – What You Need to Know!

Massachusetts Improves Patient Privacy with PATCH Act

Medical records and patient information are particularly sensitive topics for a lot of people.

Recently, Massachusetts Governor Charlie Baker signed into law the Protecting Access to Confidential Healthcare (PATCH) Act that extends privacy protection to cover the explanation of benefits (EOB) summaries mailed by health insurers.

Privacy Concerns of EOB Summaries

Health insurers regularly send out an EOB summary to the policy’s primary subscriber detailing the type and cost of medical care performed under the policy. Supporters of the PATCH act say EOB summaries violate HIPAA privacy rights of patients who are young adults, minors or spouses because their information is exposed to the primary subscriber through the EOB summary. Continue reading Massachusetts Improves Patient Privacy with PATCH Act

The CLOUD Act and Private Data in the U.S. and Abroad

In March 2018, the Clarifying Lawful Overseas Use of Data (“CLOUD”) Act was signed into law as part of the 2018 Omnibus Spending Bill. The CLOUD Act allows U.S. federal law enforcement to compel U.S.-based technology companies to provide requested data stored on servers regardless of whether the data are stored inside or outside the U.S.

The CLOUD Act establishes procedures for law enforcement when requesting this data and to provide clarity for organizations caught between conflicting domestic and foreign laws.

What is the Cloud? Continue reading The CLOUD Act and Private Data in the U.S. and Abroad

South Dakota, 49th State to Enact Breach Notification Law, Alabama Close Behind

This week, on March 21, 2018, South Dakota’s Governor signed into law the nation’s 49th Breach Notification Law.

Alabama remains the sole U.S. state without a breach notification law, but not for long. Yesterday, Alabama’s pending breach notification bill unanimously passed the House of Representatives and is headed to the Governor’s desk awaiting final passage.

Here are some of highlights of the two pieces of legislation.

South Dakota: Breach Notification Law

Highlights:

  • Applies to:
    • “Information Holder”: includes “any person or business that conducts business in the state” andowns or retains “personal or protected information” of South Dakota residents.
  • Personal AND Protected Information:
    • This South Dakota bill distinguishes and covers both personal information and protected information.
    • “Personal information” includes a person’s first name or first initial and last name combined with one or more of the following data elements (SSN, driver’s license number, account number with access code, etc.) but also includes health information (as defined in HIPAA) and employee identification numbers in combination with access code or biometric data.
    • “Protected information” includes: (1) “a user name or email address, in combination with a password, security question answer, or other information that permits access to an online account” and (2) financial account number, in combination with a “required security code, access code or password that permits access to a person’s financial account.”
    • Of note, the definition of “protected information” does not include a person’s name.
  • Breach Definition:
    • “Breach of system security” is limited to “unauthorized acquisition” (as opposed to unauthorized access) of unencrypted computerized data or encrypted data where the decryption key is also acquired by an unauthorized person.
  • Breach Notification Requirements:
    • Trigger: Following “discovery by or notification to” an entity of a “breach of system security”, the entity must notify “any resident whose personal OR protected information was or is reasonably believed to have been, acquired by an unauthorized person”.
    • Timeline: Notification to affected individuals is required within 60 days of discovery of the breach.
  • Harm Threshold:
    • Notification is NOT required if the Entity can reasonable determine that the breach will not likely result in harm to the “affected person”.
    • However, this harm exception is an option after an “appropriate investigation and notice to the attorney general”.
    • The entity must keep documentation of any no-harm breach in writing for no less than three years.
  • Unauthorized person/access:
    • South Dakota has included a very broad definition of “unauthorized person,” a term that is defined in only a few state data breach notification laws.
    • The bill also defines “unauthorized person” to include a person with access to “personal information who has acquired or disclosed the personal information outside the guidelines for access of disclosure…” This definition is very unique amongst data breach notification laws and addresses those otherwise authorized persons that exceed their scope of authorization.
  • Other Notification Requirements:
    • Attorney General: If more than 250 individuals are affected, the entity must notify the South Dakota Attorney General.
    • Consumer Reporting Agencies: If notification to affected individuals is required, the bill requires notification to “all consumer reporting agencies” as to “the timing, distribution, and content of the notice.” This provision is a bit unusual –as it does not include a numerical threshold of affected persons as a trigger to credit reporting agency notifications (see AG trigger above).
  • Penalties:
    • The Attorney General is authorized to enforce the breach notification law and may impose a fine of up to $10,000 per day per violation.
    • A violation of this breach notification law is also considered a deceptive act under the state’s consumer protection laws, allowing the possibility of both criminal liability and a possible private right of action.
    • While SB 62 does not expressly create a private right of action, South Dakota Attorney General noted that this violation has the same effect through express incorporation of South Dakota’s Deceptive Trade Practices Act.
    • This private right of action issue will likely be litigated after the law takes effect this summer.
  • Exceptions:
    • If an entity is already compliant with HIPAA, GLBA or regulated by another federal law that maintains procedures for breach of a system then that entity is deemed to be in compliance with this state law IF it notified affected South Dakota residents in accordance with the provisions of that applicable federal law or regulation.
    • If an entity maintains its own notification procedures as part of an information security policy, then the entity is in compliance with notification requirements if they notify each person affected in accordance with their internal policies regarding breach of system security.

This law will take effect on July 1, 2018.

Alabama: Proposed Bill

Alabama’s proposed bill would require a notification period of 45 days from the determination of a breach and follows suit with similar breach law definitions of “Breach of Security”, “Personally Identifiable Information (PII)” and exceptions.

Alabama Attorney General Steve Marshall has been vocally supportive of the bill through this legislative process, thanking the Alabama Senate for “taking us one step closer to giving Alabama consumers the same protections as the citizens of 48 other states who already receive notifications when their sensitive personal information has been hacked”.

Well…now it’s 49 states to follow for data breach notification requirements, and Alabama will complete the patchwork of state breach notification laws in the coming weeks.

Stay tuned!

 

For questions about these updates, or to obtain an up-to-date state breach notification chart, you can contact our privacy and security professionals at cyberteam@eplaceinc.com.

 

Recent Court Ruling Delivers a Victory for Data Privacy

A recent case against Microsoft ended in a victory for data privacy. The U.S. Court of Appeals for the Second Circuit held that Microsoft cannot be compelled to hand over customer emails stored abroad to U.S. law enforcement.

Background

The U.S. government obtained a warrant under the 30-year-old Stored Communications Act (SCA) to access contents of emails and information of a Microsoft user.  Microsoft declined to hand over the emails stored on a server in Ireland. They argued that search warrants under the SCA only apply to data within the U.S.

The government held the belief that the location of stored electronic files is irrelevant. Simply put, the files are under Microsoft’s control and they are required to produce them. Subsequently, in April 2014, a judge ruled that Microsoft must adhere to a search warrant and turn over user data to U.S. law enforcement, even if the data sits outside the U.S.

Appeal Ruling

The ruling was overturned by the Second Circuit based on a narrow interpretation of the SCA. Specifically, the Second Circuit found that the SCA’s warrant provisions were not intended to apply outside the U.S.

Based on this decision, internet service providers subject to the SCA have a good argument for refusing to disclose client information held outside of the U.S. in response to a government warrant. Judge Gerard E. Lynch’s opinion mentioned the original intent, “there is no evidence that Congress has ever weighed the costs and benefits of authorizing court orders of the sort at issue in this case.”

Key Takeaway

In the ongoing battle between the concerns of privacy and law enforcement duties, this seems to be a leg up for the privacy side. Going forward, this decision could give law enforcement and investigators some trouble when dealing with foreign suspects.

Companies can disperse email or communication files throughout the world and provide users a level of protection against U.S. law enforcement. Even domestic cases could be affected if data on U.S. citizens is moved across borders and outside U.S. jurisdiction.

The call to action is for Congress to take the next step and revise the SCA to more accurately reflect the dynamic age of technology and information we’re in.

FTC Signs MOU with Dutch Agency on Privacy Enforcement Cooperation

The Federal Trade Commission (FTC) has signed a memorandum of understanding (MOU) with the Dutch Data Protection Authority to cooperate in information sharing and enforcement of privacy-related affairs. The MOU is similar to previous agreements the FTC has made with data protection authorities in the United Kingdom and Ireland.

“In our interconnected world, cross-border cooperation is increasingly important,” FTC Chairwoman Ramirez said. “This arrangement with our Dutch counterpart will strengthen FTC efforts to protect the privacy of consumers on both sides of the Atlantic.”

Dutch Data Protection Authority Chairman Kohnstamm said, “In this day and age of increasing cross-border data flows, it is important that the data protection and privacy authorities across the globe increase their cooperation as well.”

Financial Services Firm Suffers Insider Attack

Morgan Stanley, one of the largest financial services firms in the world, recently reported a breach of customer information. The highlight of the breach was that an employee stole data from over 350,000 customer accounts. The company says information for about 900 of the accounts was posted online.

Stolen data is reported to not include account passwords or Social Security numbers. Morgan Stanley is notifying all potentially affected clients and providing fraud monitoring.

This serves as a wake-up call to organizations about the dangers of insider attacks. Such attacks cost US companies $40 billion in 2013 alone.

Best Practices to Reduce Risk

Insider attacks are often difficult to identify or even notice for IT professionals. While no single measure will prevent such attacks, implementing the following best practices can help reduce risks.

  • Increase restrictions on highly sensitive data. Files with sensitive data should be locked behind passcodes and security systems, with trusted employees and business partners having access. Using cryptographic computer code to encrypt the contents of the files is also recommended.
  • Segment networks. Information that is not necessary on the company network should be segregated and located elsewhere.
  • Prevent files from being copied to USB media. This has been commonly done by blocking USB ports with liquid cement, as well as removing cameras from screens of laptops and desktop computers.
  • Perform background checks on employees. This is especially necessary for new employees who will have access to sensitive data.

Massive Open Online Courses – Potential Privacy Issues to Consider

An article from Politoco outlines potential privacy concerns with massive open online courses (MOOCs). First envisioned as a way to democratize higher education, MOOCs have made their way into high schools. Universities and private companies this fall unveiled a number of free, open-access online courses to high school students, marketing them as a way for students to supplement their Advanced Placement coursework or earn a certificate of completion for a college-level class.

When middle and high school students participate in classes with names like “Mars: The Next Frontier” or “The Road to Selective College Admissions,” they may be unwittingly transmitting into private hands information about not only their academic strengths and weaknesses and  learning styles and thought processes, but also sensitive personal information such birth dates, addresses, and even driver license data. Their IP addresses, attendance and participation in public forums may be also be logged. The course providers note that these “metrics” can help them better understand how students learn. Less clear is the extent to which providers might profit from the information in other ways, be it by selling the data to other organizations, or mining it themselves for future marketing purposes.

Key privacy and data security takeaways: school districts contemplating MOOC instruction at a minimum should:

  1. Become familiar with state and federal laws protecting student privacy, such as The Family Educational Rights and Privacy Act, and
  2. Carefully review often jargon-laden privacy policies of companies they work with.

An Education Department official is quoted as saying “This is a space where districts need to get up to speed before they jump. They need to have a common understanding with the MOOC provider about what would happen with the data.”

USPS Joins the Long List of Breached Organizations

According a statement released by the US Postal Service (USPS), attackers have likely compromised personal information of some 800,000 current and past employees, as well as data for customers who contacted the USPS Customer Care Center via phone or e-mail between Jan. 1, 2014, and Aug. 16, 2014. Affected employee information includes name, date of birth, Social Security number, address and other contact information.

The USPS explained in a FAQ document that as part of the cyber security intrusion mitigation efforts, the Postal Service took some systems offline over the 11/8-11/9 weekend.

The identity of the attackers is unknown.

Mac OS Yosemite “Features” Users Should be Aware Of

According to an article from Ars Technica, Critics chafe as Macs send sensitive docs to iCloud without warning, the newest version of Mac OS X, Yosemite, automatically uploads documents opened in TextEdit, Preview, and Keynote to iCloud servers by default, even if the files are later closed without ever having been saved.  Apparently there is no warning that the program will do this. The autosave feature can be disabled within System Preferences > iCloud > Documents & Data.

Also note that Apple’s desktop search app Spotlight sends user queries to the company’s servers to process. Spotlight phones home in OS X Yosemite, version 10.10, and again is enabled by default. It too can be switched off. See FYI: OS X Yosemite’s Spotlight tells Apple EVERYTHING you’re looking for for more information.