Tag Archives: privacy

Recent Court Ruling Delivers a Victory for Data Privacy

A recent case against Microsoft ended in a victory for data privacy. The U.S. Court of Appeals for the Second Circuit held that Microsoft cannot be compelled to hand over customer emails stored abroad to U.S. law enforcement.

Background

The U.S. government obtained a warrant under the 30-year-old Stored Communications Act (SCA) to access the contents of emails and information of a Microsoft user. Microsoft declined to hand over the emails stored on a server in Ireland. They argued that search warrants under the SCA only apply to data within the U.S.

The government held the belief that the location of stored electronic files is irrelevant. Simply put, the files are under Microsoft’s control and they are required to produce them. Subsequently, in April 2014, a judge ruled that Microsoft must adhere to a search warrant and turn over user data to U.S. law enforcement, even if the data sits outside the U.S.

Appeal Ruling

The ruling was overturned by the Second Circuit based on a narrow interpretation of the SCA. Specifically, the Second Circuit found that the SCA’s warrant provisions were not intended to apply outside the U.S.

Based on this decision, internet service providers subject to the SCA have a good argument for refusing to disclose client information held outside of the U.S. in response to a government warrant. Judge Gerard E. Lynch’s opinion mentioned the original intent, “there is no evidence that Congress has ever weighed the costs and benefits of authorizing court orders of the sort at issue in this case.”

Key Takeaway

In the ongoing battle between the concerns of privacy and law enforcement duties, this seems to be a leg up for the privacy side. Going forward, this decision could give law enforcement and investigators some trouble when dealing with foreign suspects.

Companies can disperse email or communication files throughout the world and provide users a level of protection against U.S. law enforcement. Even domestic cases could be affected if data on U.S. citizens is moved across borders and outside U.S. jurisdiction.

The call to action is for Congress to take the next step and revise the SCA to more accurately reflect the dynamic age of technology and information we’re in.

Washington Launches Digital Privacy Protection Guide and Website

The state of Washington launched a new website with a privacy guide in order to provide its citizens with Internet privacy protection tips. The state is increasing efforts to help its citizens protect their data online and educate them about privacy policies.

Governor Inslee commented, “Increasingly, businesses, government and personal transactions are happening online. I want to make sure our state agencies are taking the privacy of our customers seriously and that we’re helping Washingtonians understand how to protect their privacy and personal information. Just as Washington is a technology leader in so many important fields—from software development to e-commerce—we strive to set an example of ‘best practices’ when it comes to collecting and protecting the personal information citizens provide when engaging with state government services.”

Washington is trying to take the lead when it comes to privacy efforts. Earlier this year, Washington announced the state’s first chief privacy officer Alex Alben, and modified its data breach notification statute. The new privacy website for Washington citizens just adds to the recent efforts the state has made to put itself on the cutting edge of privacy reforms.

Pros and Cons of Drone Use

The heated debate over drone use continues. Many are in favor of ramping up drone use and point to the military and economic benefits. But other groups are hesitant about increased drone activity and concerned about the privacy and security issues involved.

The actual definition of a drone—what it is and what it does—often creates some confusion. Drones are typically referred to as unmanned aerial vehicles – UAVs. Drones are not piloted by an onboard person, but controlled remotely by a pilot or computer. Their functionality can vary from aerial cameras to weaponized machines in the military.

Pros:

There are several benefits that are driving the drone market to an estimated $91 billion within the next ten years. The first to point to would be reducing the number of military personnel at risk in combat. With drones performing strike missions overseas, the need for boots on the ground is decreasing and putting fewer people in harm’s way.

The lower cost of drones is also an advantage. Regardless of functionality, drones are cheaper to purchase and operate than traditional airplanes. Outside of commercial traveling, drones should see an increase in demand from the transportation industry.

Also relative to traditional airplanes, drones can maintain more operational hours. Without the need for a human pilot, drones can stay operational longer – whether operated by a computer or with the transition of remotely-based pilots. Drones are proving to be more effective and efficient.

The efficiency of drones can also be seen in delivery services. Amazon is touting its proposed Amazon Prime Air services, which claims customer delivery within 30 minutes. As drone use surges, it could disrupt the transportation sector and cause delivery prices to decrease.

Cons:

Of course, there are downsides to the increased use of drones. The first negative aspect pointed to is the privacy infringement they present. Attaching a camera to an aerial vehicle and flying it around can cause quite a scandal if people are unknowingly caught on tape minding their own business on their own properties. A California bill, SB 142, is in the Senate for final approval. If passed, it would make flying a drone less than 350 feet above private property without consent a trespassing violation.

Safety is also a chief concern when discussing drone use. North Dakota has recently become the first state to legalize ‘weaponized’ drones for police use. According to the Daily Beast, it’s now legal for law enforcement in North Dakota to fly drones with non-lethal weapons – tasers, tear gas, rubber bullets, etc. One local sheriff says the police need to use drones for surveillance in order to obtain a warrant in the first place. This also calls into question an individual’s rights to privacy.

Another concern regarding drone use is the security of the drone itself. If drones are susceptible to a cyber-attack, they could become a danger, especially if there are weaponized drones flying the airwaves.

Key Takeaways

As the discussion continues, and drones gain increasing support and demand, the privacy and security issues they bring up must be kept in mind. The controls necessary to protect civil liberties and privacy shouldn’t be neglected to allow drones to continue spreading their wings.

Delaware Passes New Online Privacy Protection Laws

Delaware Governor Markell signed 4 bills into law providing increased privacy protections for online activities for the state’s citizens.

Delaware Online Privacy and Protection Act

Key provisions:

  • Prohibits marketing certain age-related products such as alcohol, tobacco, and firearms to children on websites or mobile apps directed towards children
  • Prohibits using a child’s personal information to market those products to that child
  • Requires commercial websites and online apps that collect personally identifiable information about users to post a privacy policy explaining the type of information they collect and the purpose for the information
  • Restricts online book service providers from disclosing information about customers’ reading choices without a court order

Student Data Privacy Protection Act

Key provisions:

Prohibits education technology service providers from –

  • Selling student data
  • Using student data to engage in targeted advertising to students
  • Amassing a profile on students to be used for non-educational purposes
  • Disclosing student data

Requires education technology service providers to –

  • Have reasonable procedures and practices for ensuring the security of student data they collect or maintain
  • Protect student data from unauthorized access, destruction, use, modification, or disclosure
  • Delete student data if appropriately requested to do so by a school or school district

Victim Online Privacy Act

Key provisions:

Prohibits anyone from publicly displaying, posting online, soliciting, selling, or trading online the address, image, or telephone number of a participant in the Address Confidentiality Program for the purpose of provoking someone to commit harm against that person.

Employee Protection for Social Media

Key provisions:

Prohibits employers from requiring employees to disclose information that would allow the employer access to their personal social media accounts.

Canada Joins APEC Cross-Border Privacy Rules System

The Asia-Pacific Economic Cooperation (APEC) announced (press release) that Canada has become the latest addition to the APEC Cross-Border Privacy Rules (CBPR) System, joining the U.S., Mexico, and Japan. The CBPR system works to increase the protection of consumer data as it is transmitted across borders throughout the Asia-Pacific region.

The CBPR system requires organizations in participating APEC member countries to develop their own internal rules on cross-border data privacy procedures, complying with the minimum requirements set forth in the APEC Privacy Framework.

FCC Adopts Net Neutrality Rule

The Federal Communications Commission (FCC) voted 3-2 in favor of a new rule known as “net neutrality”, which is based on the idea that all online content delivery should be handled the same. The new rule will prevent Internet Service Providers (ISPs) from slowing down content along networks and charging extra fees for faster speeds.

Another significant part of the new regulation deals with privacy. ISPs will be reclassified as a telecommunications service rather than an information service. This brings the Communications Act of 1934 into effect, requiring protection of confidential customer information. Under section 222 of the Communications Act, protected customer information could apply to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer. This provision would also mean ISPs would need to have a customer opt in for data sharing, as opposed to the opt out policy currently in place.

GPEN Sends Open Letter to App Marketplaces re Privacy Practice Information

A collection of 23 international privacy authorities issued an open letter to the operators of several app marketplaces urging them to make links to privacy policies a mandatory practice for developers. The letter was sent to Apple, Google, Samsung, Microsoft, Nokia, Blackberry and Amazon.com.

This letter appears after the Global Privacy Enforcement Network (GPEN) Privacy Sweep, which assessed over 1,200 popular mobile apps, revealed that “nearly 60 percent of apps examined globally raised privacy concerns even before they were downloaded.” Further, the study found that 30 percent of apps offered no privacy communication whatsoever.

The open letter states that “Given the wide-range and potential sensitivity of the data stored in mobile devices, we firmly believe that privacy practice information (for example, privacy policy links) should be required (and not optional) for apps that collect data in and through mobile devices within an app marketplace store. Such links provide a simple and convenient manner for individuals to obtain privacy-related information which they need to be meaningfully informed regarding the collection and use of their data before making the decision to download the app.”

Key Takeaway:

Privacy enforcement authorities are calling on the app marketplace operators to require apps that collect personal information to provide users with prompt access to information about their privacy practices.

Donated Filing Cabinet Contained Medical Records

Medical records for more than 1,600 patients were left in a filing cabinet donated to another organization in October, 2013. The error was discovered in June, 2014, when two boxes of medical records were returned to a Kamloops, British Columbia hospital. According to a report by the Brandon Sun, “a letter sent to 1,628 patients in July says no one asked for identification from the person who returned the boxes to the hospital, making it difficult to investigate the breach.” Hospital staff had to manually search each patient’s records for their contact information and age.

Cyber Liability – A Message from the Attorneys General

Written by: Randall J. Krause, Esq., CIPP/US

At ACI’s Cyber & Data Risk Insurance conference held on March 24, 2014, representatives from five (5) state attorneys general offices (AGs)* sent a message to organizations throughout the United States. They had been asked to address the following question: “What are the top 5 messages that you want to send to companies across the country?” Their responses, along with some additional explanation, are the subject of this article.

In short, the AGs’ top 5 messages are (1) everyone is vulnerable to data breaches; (2) as a “steward” of sensitive data, you must be proactive in your efforts to protect it; (3) dispose of sensitive data properly and/or don’t collect it in the first place; (4) employee training and monitoring regarding cyber and data risks are critical; and (5) encryption is a basic “reasonable measure” to safeguard sensitive data*.

1. Don’t be fooled – Everyone is vulnerable to data breaches

As privacy professionals often say, when it comes to whether your organization will experience a data breach, “the question is not if, but when.” According to the PandaLabs 2013 Annual Report, 20% of all malware that has ever existed was created in 2013, with 31.53% of computers around the world being infected. In early 2013, the Ponemon Institute reported that, in its survey of small businesses throughout the United States, 55% of those responding reported having had a data breach (almost all involving electronic records), and 53% reported having had multiple breaches.