Year in Review: Top Privacy and Data Security Developments of 2013

Transcription

1 Contact: Timothy J. Toohey Partner Year in Review: Top Privacy and Data Security Developments of is the year when privacy and data security became matters of general public recognition. Privacy and security were constantly in the headlines in 2013, particularly after the revelations of Edward Snowden regarding the surveillance activities by the National Security Agency (NSA). The final months of 2013 were particularly active, with news of the data security breach affecting the retailer Target, two court decisions addressing the constitutionality of NSA surveillance (one finding it unconstitutional and the other constitutional), extensive recommendations by a Presidential committee for changing government surveillance programs, major court decisions in privacy litigation involving Google and Apple, and heightened debate in the European Union (EU) regarding a major reform of its data protection laws and the EU/US Safe Harbor allowing data to be transferred between the US and EU. The top developments in privacy and data security in 2013 are described below. A separate story will address what to look for in NSA Surveillance Undoubtedly the number one story of 2013 was the revelation by Edward Snowden of unprecedented details regarding US government surveillance programs. Although these programs involved government surveillance, they have impacted virtually every aspect of data collection and security, including those undertaken by non-government entities, such as businesses. Indeed, the term Snowden Effect has been coined to describe the wide-ranging effects that the disclosures have had and continue to have on privacy and data security. The Snowden Effect reveals the ways in which laws regarding data security and privacy have either not kept up with or have been drastically modified by changes in technology in recent years. The surveillance techniques that have been revealed rely on an ability to collect and access massive amounts of data that

2 was unheard of when the Foreign Intelligence Surveillance Act (FISA), 1 on which these programs are based, was passed in Courts struggle with the impact of technological change on the law, as seen in the decisions of two different district courts in December 2013 addressing the constitutionality of the NSA s program regarding the bulk collection of telephone metadata. In the first of these decisions, 2 Judge Richard Leon of the United States Court for the District of Columbia found that the NSA s mass collection of telephony metadata is unconstitutional under the Fourth Amendment because technological advances have made the third party doctrine inapplicable. This doctrine, which was stated in the seminal 1979 Supreme Court case of Smith v. Maryland, 3 holds that an individual has no reasonable expectation of privacy in data disclosed to a third party, such as a telecommunications provider. In contrast, Judge William H. Pauley III of the United States Court for the Southern District of New York decided later that same month 4 that the third party doctrine is still valid, despite changes in surveillance technology. In an opinion that made frequent reference to the events of September 11, 2001, Judge Pauley found that when a person voluntarily conveys information to a third party, he forfeits the right to privacy in the information... The collection of breathtaking amounts of information unprotected by the Fourth Amendment does not transform that sweep into a Fourth Amendment search. Three days after Judge Leon s decision, the Obama Administration made public a three-hundred page committee report 5 suggesting 40 different changes to the surveillance programs. Later that month, Mr. Snowden went on British television 6 with a Christmas message warning that a child born today will grow up with no conception of privacy at all. 2. Data Security Although data security breaches are not a new phenomenon, 2013 brought further attention to the scope and variety of breaches of both personal and proprietary information. On February 12, 2013, President 1 50 USC 1801 Definitions, Legal Information Institute, Cornell University Law School, 2 Klayman v. Obama, Civ. No , 3 Smith v. Maryland, 442 U.S. 735 (1979), 4 Doug Stanglin, Federal judge: NSA phone surveillance legal, USA Today, Dec. 27, Liberty and Security in a Changing World: Report and Recommendations of The President s Review Group on Intelligence and Communications Technologies, The White House, Dec. 12, 2013, 6 Stephen Castle, TV Message by Snowden Says Privacy Still Matters, The New York Times, Dec. 25, 2013,

3 Obama issued an Executive Order 7 for increased cyber security for US critical infrastructure. Although cyber security legislation remains bogged down in Congress, the National Institute of Standards and Technology (NIST) of the Department of Commerce issued a Preliminary Cybersecurity Framework 8 pursuant to the Executive Order that received many comments before public comments were closed in December. Overshadowing these developments in the public eye was the constant drum beat of attacks on personal and proprietary data, from ransom ware attacks that hold individuals computers hostage by encrypting the data and locking them out of their computers until payment of the ransom, to stolen or hacked log-in credentials that impacted companies such as Adobe, and malware affecting mobile applications. Data security also has an international dimension. In February 2013, for example, the New York Times revealed 9 that a Shanghai office tower housed a Chinese army base responsible for an overwhelming percentage of cyber-attacks on American corporations and government agencies. The year s data security stories culminated with the revelation that hackers had stolen as many as 40 million credit and debit card records from nationwide retailer Target in the busy post-thanksgiving shopping season. As a result, numerous class actions were filed against Target and some called for retailers 10 to adopt a pointof-purchase security system, such as the chip and pin system widely used in Europe. 3. Big Data Continuing a trend from prior years, the term big data was increasingly used in 2013 to describe the phenomenon where massive amounts of data are collected, retained, and used by private businesses and, as the Snowden stories reveal, by the government. Although big data has many proponents, retention and analysis of large amounts of data by private businesses in 2013 came under increasing scrutiny with some questioning 11 why consumers are more comfortable with businesses collecting personal information than with the government obtaining the same information. With data being collected online, from devices (see Internet of Things, below), brick and mortar businesses, and via omnipresent 7 Executive Order -- Improving Critical Infrastructure Cybersecurity, The White House, Feb. 12, 2013, 8 Improving Critical Infrastructure Cybersecurity Executive Order 13636: Preliminary Cybersecurity Framework, 9 David Sanger, David Barboza, and Nicole Perlroth, Chinese Army Unit Is Seen as Tied to Hacking Against U.S., The New York Times, Feb. 18, 2013, 10 Alan Yu, Outdated Magnetic Strips: How U.S. Credit Card Security Lags, NPR, Dec. 19, 2013, 11 Should the government know less than Google? The Economist, June 11, 2013,

4 communications devices, concerns have arisen that privacy is being undermined by massive amounts of potentially linkable data. Indeed, even those who proclaim the benefits of big data 12 are concerned it may lead to holding people responsible for predicted future acts, ones they may never commit a scenario almost directly out of Steven Spielberg s film Minority Report. In light of these concerns, some have called for additional government regulation and changing the notice and consent model on which many current privacy laws are based. 4. The Internet of Things. From medical devices to smart cars and buildings, the Internet of Things drew increasing attention in The promise of such smart devices is that they can transmit critical information in real time to professionals, such as doctors, and provide consumers with convenient ways to control and monitor devices in their homes and elsewhere. The concern, as highlighted in an episode of Homeland (and echoed by former Vice President Cheney s worries regarding his own pacemaker), 13 is that the wireless function in such devices may be hacked. The security and privacy concerns arising out of the Internet of Things were highlighted in a symposium conducted by the FTC 14 on November 19, 2013 and by the FTC s settlement of an administrative action 15 against Trendnet on September 4, Trendnet, which marketed a camera that allowed consumers remotely to monitor their homes, was accused of failing to use reasonable security measures, including password protections, which allowed consumers private video feeds to be visible on the Internet. 5. Health Care The privacy and security implications of health care were much in the news in 2013, including the rocky rollout of the Affordable Healthcare Act s website was also notable for large security breaches in the health care industry, including those of Horizon Blue Cross Blue Shield of New Jersey, which affected 840,000 patients, Advocate Medical Group of Chicago, which affected 4 million patients, and numerous 12 Michiko Kakutani, Watched by the Web: Surveillance Is Reborn, The New York Times, June 10, 2013, 13 Dan Goodin, Dick Cheney altered implanted heart device to prevent terrorist hack attacks, Ars Technica, Oct. 19, 2013, 14 Internet of Things - Privacy and Security in a Connected World, Federal Trade Commission, Nov. 19, 2013, 15 Marketer of Internet-Connected Home Security Video Cameras Settles FTC Charges It Failed to Protect Consumers' Privacy, Federal Trade Commission, Sept. 4, 2013,

5 other breaches. 16 The breaches involved a wide array of conduct, from unauthorized access and disclosure of protected health information, lost or stolen devices containing unencrypted patient data, illegal recording of patient images during examinations, sharing of information with unauthorized personnel, and mishandling of information by subcontractors. Further underlining the continued sensitivity of health information, the US Department of Health and Human Services (HHS) implemented the HITECH Act on September 23, 2013 through the HIPAA Omnibus Rule. 17 The Omnibus Rule extended the range of individuals and entities that are treated as business associates under HIPAA and thus must comply with the increasingly strict HIPAA Privacy and Security Rules. Given the continued interest in protecting health care information, it is likely that the HHS through its Office of Civil Rights (OCR) will continue actively to enforce these rules. 6. Mobile Applications The enormous growth in mobile applications was another hallmark of In February, the FTC issued a staff report 18 on ways that all players in the mobile ecosystem could improve mobile privacy disclosures to allow consumers to get information about what data is collected and how it is used. California has been active in this area, with the Attorney General issuing guidance 19 on how mobile apps can better improve consumer privacy and pursuing actions against companies under the California Online Privacy Protection Act (CalOPPA) for failure to conspicuously post and comply with privacy policies. On July 1, 2013, the FTC s 20 revised rule for the Children s Online Privacy Protection Act (COPPA) came into effect with increased restrictions on websites and mobile apps that are directed to children and general audience websites with actual knowledge that they are collecting, using, or disclosing personal information from children under 13. The FTC also signaled its interest in mobile applications by announcing a settlement 21 on December 5, 2013 with Goldenshores Technology, which is alleged to have 16 Nicole Freeman, Healthcare s most significant data breaches of 2013, HealthITSecurity, Dec. 23, 2013, 17 The Health Insurance Portability and Accountability Act (HIPAA) Omnibus Final Rule Summary, American Medical Association, 18 FTC Staff Report Recommends Ways to Improve Mobile Privacy Disclosures, Federal Trade Commission, Feb. 1, 2013, 19 Attorney General Kamala D. Harris Issues Guidance on How Mobile Apps Can Better Protect Consumer Privacy, State of California Department of Justice, Jan. 10, 2013, 20 Complying with COPPA: Frequently Asked Questions, Bureau of Consumer Protection Business Center, 21 Android Flashlight App Developer Settles FTC Charges It Deceived Consumers, Federal Trade Commission, Dec. 5, 2013,

6 deceived consumers using its highly popular Brightest Flashlight application by failing to inform them that the app sent geolocation and device identifier information to third parties, including advertising networks. 7. Litigation As before, litigation alleging privacy and security violations by prominent companies has been a part of the US landscape in As before, plaintiffs in privacy lawsuits have encountered significant challenges to these lawsuits, particularly in establishing standing, alleging injury in fact, and finding a statutory basis for their claims. Among the highlights of 2013 were the settlement in May 22 of a seven-year-old lawsuit against AOL for distributing insufficiently anonymized data to researchers and the dismissal in late November of a lawsuit against Apple alleging that it had improperly disclosed personal information through applications purchased for its ios operating system. In dismissing the Apple lawsuit, the court found that the plaintiffs had not presented evidence that users of applications even saw, let alone read and relied upon, the alleged representations in Apple s privacy policies either prior to purchasing his or her iphone, or any time thereafter. Google was again the subject of a major ruling in a privacy case involving its consolidation of its 70 or more privacy policies into a single policy. In a December 3, 2013 order, a court found 24 that the plaintiffs had standing to pursue their claims because of allegations regarding overpayment and suffering alleged economic and statutory injuries, but dismissed the case with leave to amend. Although plaintiffs alleged that they were aggrieved by Google s actions, the court found the allegations did not fit within existing federal and state laws, including the Wiretap Act, Stored Communications Act, misappropriation of likeness, or unfair competition laws. Also in the news in 2013 were attacks on settlements of privacy litigations that had no provisions for monetary payouts to plaintiffs, but did compensate plaintiffs attorneys for legal fees and gave payments to charitable organizations. These settlements were based on the legal doctrine of cy pres which allows for settlements that accomplish the aim of the lawsuit as near as possible when the original objective is impracticable. On November 4, 2013 the Supreme Court refused to hear a challenge to a settlement of a lawsuit involving Facebook that provided no payment to plaintiffs with Chief Justice Roberts expressing 22 Wendy Davis, AOL Settles Data Valdez Lawsuit For $5 Million, MediaPost Publications, Feb. 19, 2013,

7 the view 25 that [i]n a suitable case, this Court may need to clarify the limits on the use of such remedies. 8. California Legislation In the absence of Congressional passage of privacy and security laws, California continues actively to legislate in these fields. Because of its large population and the fact that many Internet and technology companies are headquartered in the state, California privacy and data security legislation has a disproportionate impact on the rest of the country and, in some instances, may establish a national standard was a very active year in California legislation with two significant laws coming into effect on January 1, In a closely watched measure, California in 2013 amended its Online Privacy Protection Act (CalOPPA), 26 Cal. Bus. & Prof. Code et seq., to require operators of websites to disclose in their privacy policies how they respond to Do Not Track signals and whether third parties may collect personally identifiable information about consumer online activities over time and across websites. Because responding to Do Not Track signals is in a state of flux and is much debated, considerable uncertainty has arisen as to how website operators can comply with this provision. California in 2013 also modified its data breach notification law, 27 Cal. Civil Code and , which requires persons and businesses to disclose breaches involving personal information, by expanding the definition of such information to include [a] user name or address, in combination with a password or security question and answer that would permit access to an outline account. This amendment will most likely have the greatest effect on online businesses, which typically collect passwords and other security data. Although it will not come into effect until January 1, 2015, California in 2013 also became the first state to enact a law governing the privacy rights of minors, 28 i.e., persons under eighteen years of age. The new law prohibits operators of websites and other online services and applications from marketing or advertising certain products to minors. The law gives minors the right to request and obtain removal of, content or information posted on the operator s Internet Web site, online service, online application, or mobile application by the user

8 9. The EU/US Safe Harbor The Snowden Effect also expanded to the EU, which has long prided itself on valuing privacy as a fundamental right. Alarmed by the implications of the NSA revelations on the rights of EU citizens, which do not have rights under the US Constitution to challenge surveillance of their communications, some in the EU called for the suspension or repeal of the EU/US Safe Harbor. The Safe Harbor, which was adopted by treaty in 1998, allows for the transfer of data from the EU to the US for companies subscribing to its principles of notice, choice, onward transfer, access, security, data integrity and enforcement. 29 Without the Safe Harbor, many companies in the US would not be able to obtain personal data from EU citizens for processing in the US. In late November 2013, the European Commission issued a report criticizing the inadequacies of the Safe Harbor self-regulatory regime, but stopping short of calling for its suspension. The report offered thirteen suggestions for the improvement of the Safe Harbor mechanism. 30 The Future of Privacy Forum (FPF), which is largely funded by industry, disputed the Commission s suggested changes, 31 noting that the Safe Harbor (and the EU data protection directive itself) are concerned only with commercial privacy and do not apply to national security matters. As the FPF s report noted, US-based companies that are presented with a valid legal order from the US government for information will nonetheless be compelled to provide access to that data regardless of their membership in the Safe Harbor. 10. EU Proposed Data Protection Regulation Because of its implications for companies having customers or employees in the EU, the 2013 debates regarding the proposed EU data protection regulation are also one of the year s leading stories, even for companies based in the US saw a fierce and occasionally acrimonious debate over the proposed regulation, which (unlike the current data protection directive) would apply uniformly to all of the EU member states. Reflecting the importance of the potential changes, the US technology sector, sometimes supported by the US government, lobbied strenuously against certain provisions of the proposed law. 29 U.S.-EU Safe Harbor Overview, Export.gov, 30 Restoring Trust in EU-US data flows - Frequently Asked Questions, Europa, Nov , 31 The US-EU Safe Harbor: An Analysis of the Framework's Effectiveness in Protecting Personal Privacy, Future of Privacy Forum,

9 After months of debate and consideration, the responsible committee of the EU Parliament voted a strengthened bill out of committee on October 22, and initiated negotiations with the Council of the EU, which is comprised of ministers of the 28 individual EU member states, for a final version of the law. Although EU authorities and the Parliament have pressed for passage of the regulation in 2014, doubts have arisen that this will occur because of the Council s continued debate over certain provisions. Some member states, such as the United Kingdom, 33 are concerned that the regulation would be anticompetitive, while other member states, such as Germany, 34 are worried that the regulation would be weaker than existing law. Among the aspects of the law that are actively being debated are the so-called one stop shop concept, which subjects organizations with more than 250 employees to a single data protection authority in a single member state, the requirement that organizations with more than 250 employees have data protection officers (DPOs), substantially increased sanctions of up to 2% of an organization s annual worldwide turnover for violations of the regulation, restrictions on direct marketing, and the right of the individual to erase his or her data (the right to be forgotten ). Once enacted, the EU proposed regulation will not come into effect for two more years. 32 Civil Liberties MEPs pave the way for stronger data protection in the EU, Committees Committee on Civil Liberties, Justice and Home Affairs, Oct. 21, 2013, %2f%2fEP%2f%2fNONSGML%2bIM-PRESS%2b IPR22706%2b0%2bDOC%2bPDF%2bV0%2f%2fEN 33 James Milligan, EU data protection reform could be delayed until 2015, Direct Marketing Association, 34 James Milligan, EU data protection reform could be delayed until 2015, Direct Marketing Association,

10 About the Author Tim Toohey is partner with Morris Polich & Purdy LLP in Los Angeles and is the head of the firm s Cyber, Privacy and Data Security team. He is a US and EU Certified Information Privacy Professional (CIPP/US and CIPP/EU). Tim is the author of Understanding Privacy and Data Protection: What You Need to Know to be published in early 2014 by Thomson Reuters/Aspatore. About Our Cyber, Privacy & Data Security Practice Data is the lifeblood of our global economy. Collected, stored and transmitted, digital data not only imparts great opportunities, but unprecedented privacy and security challenges for businesses in all industry sectors. Privacy and cyber risks require businesses to contend with a complex web of state, federal and international laws. Best practices and self-regulatory standards further complicate the picture for companies attempting to navigate the cyber, privacy and data security maze. With the government giving companies security and privacy practices greater scrutiny, businesses need to be prepared to meet their evolving obligations in these fields. Constantly changing technology affects the competitive environment and privacy and security requirements. Failure to respect privacy and data security may lead not only to serious economic consequences, but adverse publicity and loss of business. Businesses therefore increasingly consult professionals with expertise to meet the challenges of the cyber, privacy and data security environment. Morris Polich & Purdy's Cyber, Privacy & Data Security team collaborates closely with clients to take a comprehensive approach to managing, responding and mitigating privacy and data security risks. Our team proactively develops, implements and assesses privacy and data security for companies in numerous business sectors. From preparing initial policies and procedures governing privacy and data security and performing baseline privacy and risk assessments, to implementing programs and performing compliance analyses, the team s expertise allows it to respond effectively and efficiently. Our team is equipped to respond to government inquiries, investigate and comply with data breach notification requirements and to handle any litigation or regulatory actions arising from alleged privacy violations or data breaches. MPP s Cyber Privacy & Data Security team is comprised of attorneys specializing in the key areas of cyber and social media law, professional liability, insurance coverage, health and long term care, litigation, employment, commercial transactions, electronic discovery and intellectual property. The team works on

11 a national basis and has knowledge and experience regarding a wide variety of laws affecting privacy and data security. The team is involved in advising and providing litigation support for numerous federal provisions, including the Computer Fraud and Abuse Act (CFAA), the US/EU Safe Harbor, the Fair Credit Reporting Act (FCRA), the Health Information Portability and Accountability Act (HIPAA), the Children s Online Privacy Protection Act (COPPA), the Gramm-Leach-Bliley Act (GLB), the Electronic Communications Privacy Act (ECPA), the Stored Communication Act (SCA), the Red Flags Rule, and a myriad of other provisions. Team members have also been involved in numerous matters involving state law, including those arising under California s Song-Beverly Act, the California Medical Information Act (CMIA), the California Invasion of Privacy Act (CIPA), the California Online Privacy Protection Act (CalOPPA), and the California Shine the Light law, among others. MPP s lawyers have also been involved in handling matters dealing with legal provisions relating to cyber security and data breaches, including federal and state laws relating to data breach notification, laws mandating security and encryption, and best practices and self-governing security standards, such as the Payment Card Industry Data Security Standards (PCI DSS). Because digital data is today readily transmitted across national boundaries, members of MPP s team are also knowledgeable regarding international privacy and data security laws, including those of the European Union (EU), Canada, Mexico and Asia. The team is headed by a lawyer who is a United States Certified Information Privacy Professional (CIPP/US) and a European Union Certified Information Professional (CIPP/E) and team members regularly monitor legal developments affecting businesses operating domestically and internationally. Privacy and data security matters are constantly evolving as technology continues to develop. MPP s Cyber, Privacy & Data Security team has both the technical and legal knowledge to monitor these changes and advise clients regarding resulting risks. The team has handled matters involving cloud computing, Big Data, biometric identifiers, the Internet of Things (i.e. smart devices), social media, online behavioral advertising (OBA), and other technologies. Team members have also advised and assisted with numerous privacy issues in the workplace, including Bring Your Own Device (BYOD), preemployment screening, internal investigations, employee use of social media and electronic devices, employee monitoring, and other aspects of the employment relationship. Complementing its work in privacy and data security, the MPP team also has expertise in other aspects of

12 cyber law. The team includes lawyers familiar with copyrights, trademarks, patents, the Digital Millennium Copyright Act (DMCA), government subpoenas of electronic information, trade secrets, and protection of proprietary information. Team members have also handled a wide variety of other cyber matters, including licensing disputes, preservation of electronic evidence, protection of intellectual property against piracy, and registration of domain names. The team has also dealt with numerous e- Discovery issues, particularly those regarding the interplay between electronic collection of documents and relevant privacy and security requirements. This announcement is designed to provide information in regard to the subject matter and may not reflect the most current legal developments, verdicts or settlements. This information is made available with the understanding that the article does not constitute the rendering of legal advice or other professional services. If legal advice is required, such services should be sought Morris Polich & Purdy LLP. All rights reserved.