NIS Directive Adopted in August 2016 – What’s Next

Posted by fgilbert on August 12th, 2016

Directive (EU) 2016/1148 of the European Parliament and of the Council of July 6, 2016, Concerning Measures for a High Common Level of Security of Network and Information Systems across the Union (“NIS Directive” or “Directive”), entered into force in August 2016. It outlines plans for establishing a base level of network and information security that is coherent across the European Union (EU) and the European Economic Area (EEA). It defines a framework for enabling networks and information systems to be better prepared to respond to actions that compromise the availability, authenticity, integrity, or confidentiality of the data that they process, store, or transmit. In addition, each Member State will be required to adopt a national network and information security strategy defining its objectives and its policy and regulatory measures regarding cybersecurity.

Scope and Affected Entities

The Directive will primarily affect “operators of essential services” and “digital service providers”. Under the Directive, an entity is an operator of an essential service if it provides a service that is essential for the maintenance of critical societal and/or economic activities; the provision of that service depends on network and information systems; and an incident affecting the network and information systems of that service would have significant disruptive effects on the provision of that service. Examples of such operators of essential services include entities in the following industries: energy; transportation; banking; financial market infrastructures; health care; drinking water supply and distribution; and digital infrastructure. The second group of companies affected by the NIS Directive is digital service providers located in the Member States, which includes online marketplaces, such as e-commerce platforms; cloud computing services; and online search engines.

Obligations of Operators of Essential Services

The Directive outlines specific obligations for operators of essential services. For example, they will have to take appropriate and proportionate technical and organizational measures to manage the risks posed to the security of the network and information systems that they use in their operations, and to prevent and minimize the impact of incidents affecting the security of the network and information systems used for the provision of those essential services, so as to facilitate the continuation of those services.

They will be required to notify the competent authority or the CSIRT of incidents having a significant impact on the continuity of the essential services they provide. Notifications must include information enabling the competent authority or the CSIRT to determine any cross-border impact of the incident.

They will also have to provide the information necessary to assess the security of their network and information systems, including documented security policies, and provide evidence of the effective implementation of those security policies, such as the results of a security audit carried out by the competent authority or by a qualified auditor; in the latter case, they must make the results, including the underlying evidence, available to the competent authority.

Obligations of Digital Service Providers

Digital service providers will also be required to identify and take appropriate and proportionate technical and organizational measures to manage the risks posed to the security of the network and information systems used to offer their services, and to prevent and minimize the impact of security incidents. These measures will have to ensure an appropriate level of security and take into account the security of systems and facilities, incident handling, business continuity management, monitoring, auditing and testing, and compliance with international standards.

Digital service providers will have to notify the competent authorities without undue delay of any incident having a substantial impact on the provision of a service that they offer in the EU. Such notification will have to include information to enable the competent authorities to determine the significance of any cross-border impact.

Cooperation Among Member States

The Directive puts in place several structures for ensuring efficient activities within each Member State and cooperation among the Member States. For example, Member States will have to designate a competent national authority responsible for the implementation and enforcement of the NIS Directive. They will also be required to establish Computer Security Incident Response Teams (CSIRTs), which will be responsible for handling cybersecurity incidents and risks.

A network of Computer Security Incident Response Teams (the CSIRTs Network), also established by the Directive, will help promote swift and effective operational cooperation on cybersecurity incidents and the sharing of information about security risks among Member States. The CSIRTs Network will consist of representatives of the CSIRTs established in the Member States and of the Computer Emergency Response Team for the EU institutions (CERT-EU).

A “Cooperation Group”, composed of representatives of the EU Member States, a representative of ENISA (the EU Agency for Network and Information Security), and the European Commission, will facilitate strategic cooperation and information exchange among Member States. It will prepare strategic guidelines for the activities of the CSIRTs Network and discuss the capabilities and preparedness of the Member States.

Between Now and May 2018

The NIS Directive entered into force in August 2016. The EU/EEA Member States now have until May 2018 to implement its principles into their national laws. Companies that do business in the EU/EEA and fall within the scope of the NIS Directive should monitor the implementation process in the Member States where they operate, and the further guidance that the competent authorities will issue. They also should be aware that the EU Commission has the power to adopt implementing acts regarding the required formats and procedures to be used for notification and incident assessment.

Use of Cloud Computing in a Law Office

Posted by fgilbert on October 10th, 2013

Attorneys and law firms are increasingly interested in taking advantage of the proliferation of cloud computing services in their law practice. For example, they might wish to use web-based email to interact with their clients, or subscribe to customer relationship management (CRM) services offered as Software as a Service (SaaS) to manage their customer and prospect lists. They may be tempted to store documents in the many storage services that are offered at no charge. New options are emerging every day, as more applications are developed and marketed.

However, while cloud services present significant advantages, the use of cloud computing services by attorneys and law firms presents unique challenges due to the ethical rules to which attorneys are subject. In addition to ethical concerns, services provided in a cloud computing environment present a number of technical, physical, and contractual risks. Cloud computing agreements should be reviewed carefully before venturing into this new, complex form of outsourcing.

The Advantages of Cloud Computing

Cloud computing offers so many advantages that it is difficult to resist the temptation. Many services can be obtained at a significantly lower cost; in many cases, they may be offered free of charge. Thus, it may be less expensive for the law firm to acquire these services from a cloud provider than to run and maintain an application on its own server on its own premises. Maintenance is usually included in the offering, so there may be no need to worry about keeping up with updates, as they are installed automatically. The services are accessible from anywhere, a feature of great interest to attorneys who work long hours and may take advantage of the remote access capability to telecommute if needed. Altogether, cloud computing requires less in-house expertise and capability and less infrastructure, which may result in significant savings.

Cloud computing services may provide flexibility. As these services are often sold on demand, a law firm may take advantage of the elasticity to purchase as little as it needs on a regular basis, knowing that it can quickly ramp up and add storage, computing capability, or a few new features if the need arises.

Cloud computing may also provide increased stability and security. Reputable cloud providers usually employ the most up-to-date, sophisticated security measures. Their experienced, adequately trained staff excels at implementing security measures that take into account the current trends. They have access to sophisticated tools to monitor unauthorized access to the systems or manage permissions. These entities also have the ability to put in place sophisticated disaster recovery and business continuity features that are likely to be more powerful and effective than those that a small or lean law practice could implement.

However, entrusting data to cloud providers is not without danger. For instance, a large cloud provider that is known for serving prestigious customers might also be the target of cyber attacks aimed at disrupting those customers’ operations or accessing their critical data. In addition, attorneys are subject to stringent ethical rules that may hamper their ability to use certain types of cloud services for certain purposes or with certain categories of data.

Ethical Rules

Before starting a search for cloud services that would make your practice so much more efficient, you should first determine whether the Ethical Rules that apply to your profession would allow your law firm to use cloud services. Ethical rules vary from one jurisdiction to another, but they tend to follow some common general principles.

Competence, Confidentiality

Most Ethical Rules that apply to attorneys contain a duty of competence and a duty of confidentiality. Will the professionals who use the new cloud-based program be sufficiently proficient, and able to log in and out of the system and save or annotate documents, in a manner that does not put the confidentiality or the integrity of the data at risk?

Duty to Supervise

The Ethical Rules may also contain a duty to supervise and may require an attorney who assigns work or responsibilities to a non-attorney (e.g., the cloud provider) to make reasonable efforts to ensure that the third party’s conduct is compatible with the attorney’s professional obligations.

Duty to Safeguard Client Data

Attorneys are also generally required to keep client property, such as files, information, and documents, appropriately safeguarded. Would a law firm be able to ensure proper safekeeping of its clients’ files if those files were stored in a cloud? Certain cloud services may host the data of several customers on the same server. Would this co-location be deemed an “appropriate safeguard”?

Further, the cloud provider may have structured its network so that the servers are spread throughout the world. Keep in mind that a foreign country would be likely to assert jurisdiction over any server located within its territory. These countries are also likely to have adopted different laws or standards with respect to third party or government access to data, confidentiality, or data ownership.

Duty to Communicate with Client

Finally, Ethical Rules for attorneys may contain a duty to communicate with clients. Would this duty require an attorney or law firm to promptly inform clients of any decision to store the client’s data in a third party’s cloud and to seek their consent?

Given the potential application of these and other ethical rules, it would be prudent for attorneys and law firms that contemplate the use of cloud computing services to review carefully the ethical rules that apply to their profession in their region, and to review, as applicable, any opinion or guidance that may have been published by the authority that regulates their profession.

How to Manage Cloud Computing Risk

Numerous precautions and measures can be taken by attorneys to reduce their exposure to legal, commercial, and reputational risk in connection with the use of cloud services.

Internal Due Diligence

Before stepping into the cloud, you should conduct internal due diligence in order to determine the potential obstacles or constraints that might prohibit or restrict the use of cloud services by your law firm. For example, you should review the ethical rules that might apply to your organization, as discussed above. You should also determine whether the law firm or any of its professionals has entered into a confidentiality agreement or data use agreement that might restrict the transfer of data to third parties, even if those third parties are service providers. You should also determine whether the proposed plan to use a cloud service or host would require the prior consent of your clients.

Keep in mind, as well, that some data might be so sensitive or confidential that they should not be transferred to the cloud, or that the transfer might require significant precautions. This might be the case, for example, for files that pertain to high-stakes mergers or acquisitions.

External Due Diligence; Contracts

Make sure that you understand the particular application or service you are contemplating purchasing. How will the servers be used to process your data? While it is important to involve your information technology team, you should understand how the service will operate, where the servers will be located, whether your data will be co-located with other customers’ data, and how your data will be protected from intrusion or disasters. Ensure that the service will be reliable and easy to use by everyone at the law firm. Conduct appropriate due diligence on the proposed vendor and the proposed applications. Check references. Conduct online searches and/or call current clients to evaluate the vendor’s reputation.

You should also review the proposed contract carefully, even if you are told that it is not negotiable. First, it might actually be possible to negotiate changes. And even if it is not, you should understand the consequences and implications of the engagement you are making. Pay special attention to the disclaimers of liability, confidentiality, intellectual property, and security provisions.

Continuous Access to Data

Service outages happen regularly. It is important to ensure that the cloud service will provide alternative access to data, such as by switching to a server located in a different region if an outage affects a specific data center. The service provider should have in place a robust disaster recovery plan that alleviates the effect of outages.

Consider backing up your data to an alternative system or a second cloud provider, to ensure that you will be able to access the data in the event of an outage in the vendor’s facility or network, or in the event of a natural or other disaster.

Ensure that you have the ability to change providers when it becomes necessary or desirable to do so. Keep in mind, however, that while it may be feasible to move from one hosting service to another, changing applications, such as a customer relationship management system, is likely to be impossible, or very costly.

Many cloud contracts provide that in the event of an outage the customer will be refunded the portion of the monthly fee that corresponds to the duration of the outage. Be realistic about the actual effect of such a provision. The refund might be insignificant compared to the huge inconvenience, loss of business, and loss of data availability. For example, what would you do if you were in the middle of a trial or closing an acquisition, and suddenly the needed data were not available due to an outage or other force majeure event?

Security, Security Breaches

Ensure that the data will be appropriately protected from unauthorized access or modification. Specific steps may be required, such as the installation of firewalls, access limitations, encryption, strong passwords or other authentication measures, and an electronic audit trail to monitor access to data. Ensure that you are informed of any security breaches that affect the data that your law firm uploads to the cloud. You may have a legal and/or ethical obligation to inform your clients and the regulators about an incident affecting these data. Negotiate compensation or indemnification by the service provider if the breach is caused by the cloud provider, either affirmatively or through its own negligence or failure to maintain agreed-upon safeguards or reasonable security measures.

Data Ownership

Beware of obscure or confusing clauses that might give the cloud provider ownership of data stored in its services, or the metadata associated with the access to or processing of your law firm’s or clients’ data. Ensure that the contracts with the service provider(s) acknowledge that the data are owned by the law firm and/or its client, and not by the cloud provider.

Termination

Anticipate the need to terminate the service. Have an exit strategy in place so that the law firm may change its provider when it becomes necessary or desirable to do so.

Implementation

Train your own staff and the professionals who will use the cloud services or products, and obtain their written agreement to comply with your security measures and those recommended by the cloud provider, such as the use of strong passwords and a prohibition on sharing passwords.

Conclusion

There is no doubt that cloud computing is here to stay and that companies will gradually move most of their data to the cloud. However, transferring the physical custody of one’s data to a third party does not relieve an organization of its legal obligations to protect these data, ensure their adequate security and integrity, limit their use to specific purposes, or ensure their availability. Thus, any company should carefully consider the pros and cons, as well as the consequences, of the use of cloud services. For lawyers and law firms, these concerns are compounded by other concerns that come from the specific ethical rules that govern the profession. Before venturing into the cloud, lawyers and law firms must evaluate the effect of the relevant rules of ethics to which they are subject, identify the categories of data that may be processed or stored in the cloud, and take the other measures necessary to ensure that they will be able to fulfill all of their legal and ethical duties to their clients.

Hot Issues in Data Privacy and Security

Posted by fgilbert on April 22nd, 2013

Data privacy and security issues, laws, and regulations are published, modified, and superseded at a rapid pace around the world. The past ten years, in particular, have seen a significant increase in the number of laws and regulations that address data privacy or security on all continents. On March 1, 2013, a program held at Santa Clara University’s Markkula Center for Applied Ethics, titled “Hot Issues in Global Privacy and Security”, featured attorneys practicing on all continents who provided an update on the privacy, security, and data protection laws in their respective countries.

The second half of the program featured a panel moderated by Francoise Gilbert, where the chief privacy counsel of McAfee, Symantec and VMWare talked about how to drive a global privacy and security program in multinational organizations.

Videos of the program are available by clicking here.

The program was the second part of a two-day series of events. The first event was held in San Francisco on February 28, 2013, and was sponsored by Box, Inc. and the Cloud Security Alliance. This program focused on US and foreign government access to cloud data and started with an overview of the laws that regulate US government access to data, presented by Francoise Gilbert. A panel featuring European and North American attorneys followed; they discussed the equivalent laws in effect in their respective countries. The program concluded with a presentation by the general counsel of Box, Inc., who spoke about the way in which his company responds to government requests for access to stored data.

Videos of the program are available by clicking here.

Hot issues in Privacy & Security

Posted by fgilbert on May 23rd, 2011

Top ten list of issues presented by Francoise Gilbert as part of her Conference Chair address, at the PLI Privacy & Security Conference in San Francisco, May 23-24, 2011.

# 10 –
In the US, numerous privacy and security bills in the pipeline
Greater compliance burden expected

# 9 –
Abroad, new data protection laws enacted

# 8 –
Security breach continues to be top concern in the US and
More security breach notice laws are developing abroad
Cost of breach expected to increase everywhere

# 7 –
EU data protection 2.0
Back to the drawing board with new rules

# 6 –
Tracking and profiling entering the red zone

# 5 –
Tempest in the EU cookie jar

# 4 –
Everything mobile
Geolocation major source of privacy issues

# 3 –
Cloud computing saves money
But brings new legal headaches

# 2 –
Privacy by design, Right to be forgotten, Smart grid
New legal constraints or technical opportunities?

# 1 –
Privacy and security fiascos becoming very expensive
Million-dollar damages in privacy or security suits and enforcement actions

A copy of the presentation is available here.

Google Engineer Fired for Accessing User Accounts

Posted by fgilbert on September 17th, 2010

Google fired a software engineer because he allegedly took advantage of his position as a member of an elite technical group at the company to access user accounts in violation of company policy. The accounts accessed included those of four minors whom he had encountered through a technology group, according to reports by CNN and Gawker.

While there is no allegation of sexually predatory behavior, the engineer appears to have spied on minors’ accounts and accessed their contact lists and chat transcripts.

Given Google’s size, it is almost predictable that an incident such as this would happen. When a company has thousands of employees, it is just a matter of statistics and probability. If X% of the country’s population is immature, emotionally unstable, or has other personal problems, it is likely that these same characteristics will appear in the workforce of companies, despite employers’ attempts to identify problem employees and prevent the occurrence of any mishap.

Events similar to the Google firing have occurred in hospitals, where employees have taken advantage of their access privileges to snoop into celebrities’ health records. In those cases, patient records were copied or stolen for the purpose of selling them to the press. As a result, California enacted a law, California Health & Safety Code Section 1280.15, that requires hospitals and clinics to prevent unlawful or unauthorized access to patients’ medical information and to report such incidents. The law provides for significant fines for hospitals and clinics that fail to provide adequate protection for patients’ records. Since the enactment of the law, several hospitals have been fined.

It is very difficult to predict and anticipate incidents such as the one that occurred at Google. Human behavior is too unpredictable. There are, however, a few things that a company can do to attempt to prevent this type of situation, or to reduce the probability of its occurrence.

Reference checks

Before hiring or promoting an employee, adequate reference and background checks should be conducted. While most companies conduct a reference check when hiring a new employee, in many cases the investigation is informal and is limited to acquiring a better understanding of the person’s skills. These reference checks should be adapted to the nature of the position and to the rights and responsibilities that the new hire will have.

Background checks

When an applicant’s responsibilities will give him or her access to sensitive information, such as personal data or company trade secrets, his or her background should be checked extensively. An in-depth evaluation might include conducting a criminal record investigation and interviewing character witnesses. This type of investigation is highly regulated and requires significant precautions. While the administrative burden and financial cost of conducting these in-depth investigations are substantial, the cost is negligible when compared to the potential effect that a security or privacy incident might have on the company’s reputation and market capitalization.

Training

It is also crucial to train the employee (or contractor) appropriately. Initial and ongoing training, periodic reminders, and other education regarding privacy and security awareness are essential to help reduce the probability of these occurrences. Young or immature employees, in particular, need appropriate, focused education and awareness sessions in order to acquire the right reflexes when confronted with the temptation to “play God” with a database.

Monitoring

In addition to education and awareness, it is important to ensure that the lessons learned during the training sessions are actually applied in practice. In other words, the company should regularly monitor employees’ activities. Companies have a responsibility to their clients and to their other employees to ensure that the workforce abides by the company’s rules of ethics and behavior. They also have an obligation to their shareholders to ensure that the company’s assets (including its intellectual property and its reputation) and market value are not jeopardized through the negligence, immaturity, or other behavior of their employees. To this end, employee supervision and periodic monitoring of their activities are crucial for identifying derailments while they are still manageable. Many technologies are available for this purpose.

Hotlines

Companies can also supplement their monitoring through the use of whistleblowing hotlines and customer hotlines that allow employees and customers to report problems that they identify. These hotlines must be administered in such a way as to ensure anonymity when needed. The information collected must be reviewed, and the matter investigated, promptly and with appropriate discretion to protect the individuals concerned.

A company or a group is only as good as its weakest link. It is a daunting task – but a necessary one – to ensure at all times that all employees understand and abide by the rules.

Location Information in Consumer Contracts

Posted by fgilbert on June 8th, 2010

The use of location-based services by consumers, such as for the provision of directions, traffic information, or mapping to locate nearby stores, should be subject to terms and conditions that address the quality of the service and the reliability of the data. In addition, the contract should address the privacy concerns of the customer. The collection, use, and sharing of location information might raise more concerns than the collection of other data such as the customer’s name, phone number, or the duration of a call. Thus, special attention should be given to the protection of location data.

User’s choice

For the service to work, the service provider needs the ability to locate the client: the cell phone or GPS transponder must be active. Nevertheless, at other times, when customers do not need the service, they may wish to have the ability to turn off the location capability. Cellular phones can easily be turned off. In a car or other machine equipped with a GPS, the user may wish to have the ability to deactivate the GPS transponder without shutting down the engine, so that it cannot record movements. The same issue arises for RFID tags, such as those that come with E-ZPass or FasTrak. Is there an on/off switch? Or does the device, once attached to a car windshield, keep transmitting its radio signal at all times?

The service provider should take into account customers’ right or need to be “left alone.” To this end, product documentation, brochures, and terms of use should inform purchasers of the ability to switch off the transmission of information. Device manufacturers might also consider delivering equipment that includes wireless or GPS devices with the broadcasting function turned off, with appropriate instructions on how to turn on or shut down the wireless capability, so that the customer does not unintentionally broadcast location information. In a related area, Wi-Fi, California recently enacted a law under which, since October 1, 2007, manufacturers of wireless computer network equipment used in small offices and homes must include a warning on their product to inform consumers how they can secure their networks against outside users who piggyback on their connection. They are required to advise consumers about how to secure their networks in one of four ways: (1) apply a temporary warning sticker over the ports of the device; (2) include a warning in the configuration process of the installation of the device; (3) protect the device from use until the customer takes steps to secure the network; or (4) provide other protections that would be enabled before the equipment could be used without an affirmative act of the consumer.

Privacy

Privacy and the use of personal data are of great concern to many individuals. To address privacy concerns, the service provider should use a privacy statement to notify users that the devices or service may be collecting information. In the United States, this may be a “Best Practice” since most US laws do not require privacy statements. Elsewhere, providing a notice of privacy practices may be required by law, for example under the European Union data protection laws.

In the Privacy Statement, the company would disclose what types of personal data will be needed and collected (e.g., identity, phone number, location), and the purposes for which the data will be used (e.g., searches, tracking).

Individuals might wish to be informed, as well, when information about their location is generated, and how this information is generated. Since location information appears to be more sensitive than other types of personal information, the contract (and the related technology) may provide for ways that the customer would give her consent to the collection of location information, and ways to turn off the transponder.

The user may also be offered choices regarding management and use of information. This would include, as well, providing the ability to access and edit permissions. The customer could define which disclosures are permitted, and when the company may share data with third parties.

The protection of the collected data is of equal importance. How long will the data be retained? The 2002 European Union Directive on Privacy and Electronic Communications, to be implemented by the EU member states, for example, requires that location data be retained only for a limited time. In addition, the 2006 European Union Data Retention Directive requires networks and service providers to retain traffic and location data generated in conjunction with electronic communications services for a minimum period of time (6 to 24 months) to be specified by the national law of each European Union Member State.

When data are retained, what security will be used to ensure that the data is not exposed to unwanted disclosure, access, or modification?

The privacy statement or terms of service should also address marketing issues. There should be a clear description of the possibility that data (traffic data, location data, and non-contact information, such as prior searches) might be disclosed to third parties for marketing purposes. The customer should be given the choice to prevent, or to agree to, these disclosures.

Privacy Statement

TRUSTe has worked with the telecommunications industry to outline the content of a privacy statement that would conform to the Fair Information Practices recommended by the Federal Trade Commission or by other organizations such as the California Privacy Office. The proposed content of a Privacy Statement in the context of wireless services would include:

  • Name of organization
  • What information the wireless service provider collects
      • Personally identifiable information
      • Unique mobile device identifier
      • Location information
      • What information is collected by or through a third party
  • How the Wireless Service Provider uses the information
      • Secondary uses of the personal information
      • Secondary uses of the location information
  • With whom the information is shared
      • Sharing the location information with the Location Based Service provider
      • Sharing personal information or location information with third parties for secondary uses
  • What choices are available to the consumer regarding the collection, use, and distribution of the personal information collected by the Wireless Service Provider
      • Method for editing privacy preferences
  • What types of security measures are in place to protect against the loss, misuse, or alteration of personal information collected by the Wireless Service Provider
  • How the consumer may access the information and correct any inaccuracy
  • Whether location information is retained beyond the time period reasonably needed to complete the transaction requested by the customer

Technological Constraints

There are practical obstacles to the use of comprehensive privacy statements. One cannot post a full-length privacy statement on an RFID chip or a telephone screen. Companies have been scratching their heads to find appropriate ways to deliver privacy notices and options adapted to wireless devices. Typical handheld devices are tiny and use small screens. They may also have limited power.

It is not possible to deliver privacy information in the ways traditionally used with a desktop or laptop computer. Alternatives would include providing a full privacy statement in locations where individuals can access it easily, for example at a store, online, or by delivery through the mail. A summary notice of the privacy statement, with a cross-reference to a URL or brochure, might be able to address the size and other constraints.

If the transaction is conducted on a wireless device, the company may opt to deliver a short privacy notice that informs customers of the existence of the Privacy Statement and directs them to another location where the full-length Privacy Statement is available for review in its entirety. The company should deliver the full Privacy Statement as soon as practical, in an appropriate medium, for example through postal mail or email. For devices equipped with viewing technology based on optimized protocols that use a proxy server between the device and the content source (e.g., WAP technology), it may be possible to add a “privacy” option and link the “privacy” button to the URL of the statement.

If the transaction is conducted online, but not on a wireless device, the service provider may provide a link to the site where the full privacy statement is located. If the transaction is conducted offline, the service provider could deliver the full privacy statement separately; or include it in the service contract; or include a clear and conspicuous statement in the product or service brochure that the full privacy statement is available by asking an associate.

Mobile Marketing Association

The Mobile Marketing Association (MMA) has defined six fundamental elements to a positive consumer experience. These elements include:

  • Choice. The consumer must “opt-in” to a mobile marketing program. Consumers have a right to privacy and marketers must therefore gain approval from consumers before content is sent, and include clear directions on how to unsubscribe from communication should it become unwanted.
  • Control. Consumers should have control of when and how they receive marketing messaging on the mobile phone and must be allowed to easily terminate or “opt-out” of an unwanted program.
  • Customization. Data supplied by the consumer for marketing purposes should be used to tailor such marketing to the interests of the consumer (e.g., restricting communications to those categories specifically requested by the consumer). Targeting using the consumer data made available to the marketer helps to eliminate spam, making content as relevant and useful to the consumer as possible.
  • Consideration. The consumer must receive or be offered something of perceived value in return for receiving the communication (product and service enhancements, entry into competitions etc.).
  • Constraint. The marketer must effectively manage and limit mobile messaging programs to a reasonable number of programs.
  • Confidentiality. Commitment to not sharing consumer information with non-affiliated third parties.

The MMA has also published a Global Code of Conduct for mobile marketers that choose to use user information in order to market their products and services to these users through mobile devices. This Code of Conduct has five elements: Notice; Choice and Consent (requires an opt-in); Customization and Constraints; Security; and Enforcement and Accountability.

Location Information in Commercial Contracts

Commercial contracts related to the provision of location-based services are likely to have complex structures because numerous entities might be involved. These entities could include, for example: (a) Telco (ATT, Verizon); (b) Advertising networks; (c) Support (maps); (d) Information provider (e.g., traffic information, weather forecast); (e) Optimization technology service (mapping technology, fleet management technology); and (f) Search engines.

Handling Personal Information

Most location based services directed to consumers deal with the use of a person’s location to provide the service requested by that person. Protection of privacy is one of the major concerns of most individuals in connection with location-based services and the use of location information. Laws, regulations, and industry practices are creating pressure for companies to address data protection issues. The parties to contracts related to location-based services should negotiate provisions for the collection and protection of data. For example, will the device have the ability to collect personal information? Will performance of the service give the service provider the opportunity to view or access personal information? If personal information is available, what limitations should there be to collection, use, re-use, retention, or destruction of the information? What notice should be provided to individuals about the collection, use, or secondary uses of their information?

Collection of information

The parties should define what personal information the service provider needs in order to furnish the service. For example, to provide map information to the salesperson looking to organize his sales call, the mapping company might need the nature of the query and the geographic location of the device. It would not need to know who placed the query, from which device the query was placed (other than, perhaps the operating system), or to have the actual phone number of the salesperson’s device where he will receive the map. When the minimum information necessary for the provision of the service is identified, the contract would limit the collection of information and access to that information to that which is specified by the client.

Limitation to use of the data

When addressing limitations to the use of the data that are necessary for the provision of the service, or that are created through the use of the service, it might be appropriate to distinguish between different categories of data. While personal information related to billing, invoicing, or account numbers might need to flow freely (although with appropriate restraints to avoid the disclosure of credit card numbers), the location information might be subject to more restrictions. Thus confidentiality, security, and other clauses that relate to the handling, use, protection, dissemination of information should address with specificity the different requirements and restrictions depending on the nature of the information to be protected.

Quality; data integrity

The quality and accuracy of the information collected should be ensured. Quality of the information is essential to ensure the quality of the services. It is also crucial for providing the needed help in case of an emergency. The parties should require that those who collect, create, maintain, use, disclose or distribute location information ensure that the information is accurate and complete for the purpose of the contract. Otherwise, the service would furnish inaccurate results, the wrong person would be charged for a product purchase; the wrong route would be displayed on the map, and the ambulance would arrive too late to save the stroke patient.

Confidentiality and security

Adequate security measures should be required to ensure the protection of the personal and other information. Recent events have shown that databases and computer systems are vulnerable to numerous types of attacks. When data are accessed, the individuals or institutions to which the data pertain are at a higher risk of harm. Since several organizations may access or transmit personal or confidential data, the risk of losing or misplacing information grows exponentially. Those who collect or hold the information must make sure that the information is kept secure. Each entity involved in the provision of the service should be required to take appropriate confidentiality and security measures, including an obligation to require their subcontractors to implement the same measures.

Protecting the confidentiality and security of the personal data and company data collected should be a crucial component of any contract associated with the provision of location based services. The contract should define what security measures are to be used in order to protect the location information and the personal information to which the other company may receive access. The measures to be taken should be designed to prevent unauthorized use, access, disclosure, or alteration. The contract clause(s) should provide specific and detailed information such as (1) who may have access to the location information; (2) what restrictions will be placed on organizations that handle location information; or (3) what should be done to ensure the protection of personal or sensitive information at each stage of the services.

The parties may need to tailor the security measures to the nature and type of information collected or used. The measures should take into account the nature of the information that is collected or stored. For example, anyone with a suitable reader can scan an RFID chip unless adequate measures have been taken to protect the information. Thus, the information on the RFID chip would require special security measures to prevent hacking attacks.

Data Retention

The parties should evaluate the appropriateness, utility, and risk of preserving the information after the service has been provided. Retention of information should be limited to the period reasonably needed to complete the transaction required by the consumer, while taking into account the applicable legal requirements. The E-Discovery amendments to the Federal Rules of Civil Procedure create strict data retention requirements. The contract may have to include provisions for cooperation between the parties to ensure compliance with discovery requests. There might be requirements for specific retention periods, such as in the case of credit card transactions. Other laws, such as those that implement the 2006 European Union Data Retention Directive, may also dictate how long information must be retained.

Data Disposal

In addition, at some point, it will be necessary to dispose of the stored data. Experience has shown that devastating security breaches occur at the time of the disposal of information if the appropriate measures are not used for the destruction of the data. State and federal laws such as the FCRA Disposal Rule may require specific provisions to be taken for the disposal of certain categories of data. If no law or specific regulation applies, the use of proper methods for disposing of personal information would nevertheless be required as part of the general duty of care of the holder of the data as a fiduciary. Security standards usually include provisions for the use of appropriate measures to destroy data.

For example, the ISO 27001 standard requires both the secure disposal of equipment and that of the media. Under ISO 27001, all items of equipment containing storage media must be checked to ensure that any sensitive data and licensed software has been removed or securely overwritten before disposal. In addition, media must be disposed of securely and safely when no longer required, using formal procedures.

Rights of individuals; access and modification

Since location-based services use, collect, or process a lot of personal information, the parties should also address whether, how, and to what extent individuals (data subjects) will be granted the ability to access the information collected, such as account, transaction, or contact information. In addition, individuals may be granted the right to make changes to this information, including changes to marketing permissions. If these rights of access and modification are granted, methods for verifying the identity of the individuals who access the information would have to be implemented to reduce the risk of unauthorized access to personal or confidential data.

Limitations to Use and Re-Use of Information

As always, personal information, purchasing patterns, travel schedules, and the like are of great interest to advertisers. The parties to location-based services should discuss whether any of the entities involved might have access to the data subjects’ contact information or profiles. For those who have access to this information, clear guidelines should be set forth about the ability or not to use or re-use the personal information other than to fulfill the contract.

Clearly defining the limits to the use, reuse, and sharing of personal information is crucial because these limits have to be cross-referenced with several other documents, such as the privacy policy of the entity that signs up the customer. They also need to be consistent with each of the service and subcontractor agreements so that discrepancies and unexpected data leaks or misuses are avoided.

Content

Some location-based services rely on the existence of third party content. For example, a phone company may offer customers the latest movie show times. It may display restaurant locations on maps. This content may not be used or displayed without the appropriate license. As part of the pre-contract due diligence, the entity that will use this content to provide the services should verify the service provider’s ability to license and distribute the content for the contemplated purposes. The analysis should include, for example, questions as to the content and scope of the licenses. Do the company’s existing licenses apply to the range of new services to be offered? Does a license for distribution via the Internet also include a license for distribution via handheld device?

Other questions would need to be raised. What content will be provided to the customer’s personnel or clients? What criteria for quality, such as completeness and accuracy of the maps being used, will apply? What updates will be provided? How frequently should modifications or corrections be made?

Technical Issues

In addition to privacy and content issues, the use of Geographical Information Systems and Global Positioning Systems raises numerous technical issues as well. While the technical teams must first resolve them, these issues also need to be reflected in the related service agreements.

Accuracy

There should be a clear understanding of the technical capabilities of the system, in particular with respect to accuracy of the data. For example, if a delivery truck must deliver packages to several businesses located next-door to each other on a street, will the system be able to analyze the GPS data with sufficient precision to ensure accuracy of reporting? Or will the deliveries to Starbucks coffee shop be mixed with those of Noah’s Bagel, whose store is adjacent?

Integration

Another potential challenge is integration. The companies may face challenges when integrating applications based on GPS or geographical information systems with other applications that must send or receive geospatial data. The product functionalities and the representations and warranties made or received should accurately reflect the understanding and expectations of the parties.

Image resolution

There might be concerns about the quality of the images. There may be circumstances when getting two sets of GPS coordinates to match can be difficult because available maps from different service providers may provide different granularity of image resolution. The shortcomings of the technologies or underlying products should be explained clearly to the customer, and the contract provisions or exhibits should state these issues and limits.

Availability, response times

If an application requires access to certain databases, the continued availability of the database for the life of the contract should be part of the terms and conditions of the contract. There might be a similar need to specify the speed of access and response times, and ensure proper commitments from the database or technology provider.

Cellular coverage

Since these applications may require the use of cellular networks, there should be proper cellular network coverage. While GPS receivers can usually receive GPS signals from satellites, they may not always be able to relay the information to the company’s head office, because of deficiencies in the cellular network.

Use of Subcontractors

Contracts for services rely in great part on the quality of the service provider. An individual or an organization will retain a particular service provider for its reputation and the quality of its work or services. In many cases, the customer has conducted thorough due diligence before choosing one vendor. To ensure that quality standards are maintained, the service agreements should discuss the possibility of using subcontractors and define what restrictions would be imposed on the use of subcontractors. Consider, for example, the obligations to ensure confidentiality and security of personal and other confidential data, or the restrictions on the uses or reuses of data.

Compliance with applicable laws

A party to a Manufacturing Agreement or Supply Agreement for the provision of RFID or GPS devices may wish to confirm in writing whether or not the deliverable will contain any radio frequency device. If RFID tags are used, the purchaser would need appropriate warranties and representations that the equipment will comply with the applicable FCC requirements.

Liability

As seen above, the information and data to be handled might be highly sensitive. There might be issues with content, and the technologies might have shortcomings. As a result, it is important that the parties agree on the appropriate allocation of liability for errors, delays, or system unavailability. Consider, for example:

Liability for errors in the input

Who should be liable for errors in the collection of the data, or the failure to record incoming data (e.g., the location data, the identity of the data subject) properly?

Liability for errors in the output

Who should be liable for providing inaccurate measures?

Liability for breach of security

Who should be liable for errors caused because of technology glitches that allow data to be accessed by the wrong person?

Conclusion

The availability of location information is rapidly becoming ubiquitous as the underlying technologies become more advanced, cheaper, and more widely distributed. Even recent commercial contracts may predate these developments and will not address many of the questions raised by the new capabilities and the new uses of the information. They should be reviewed to determine whether they need to be revised immediately or can wait until their next renewal, but they will certainly need to be updated to cover at least some of the issues discussed above.

HIPAA Security Rule

Posted by fgilbert on June 4th, 2010

On February 20, 2003, the U.S. Department of Health and Human Services (HHS) published the final draft of the new National Standards for Safeguards to Protect Personal Health Information that is maintained or transmitted electronically (“Security Rule“). Required as part of the administrative simplification provisions included in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), these standards are separate from, and in addition to, those set in the HIPAA Privacy Rule.

Most covered entities have until April 21, 2005 to comply with the standards; small health plans have an additional year to comply.

The Security Rule lists measures that health plans, health care clearinghouses, and health care providers (“covered entities”) must take to protect the confidentiality, integrity, and availability of individually identifiable health information in electronic form in their custody, or while transmitting it to third parties. These measures include Administrative, Physical, and Technical Safeguards, Organizational Requirements, and Policies, Procedures and Documentation Requirements. The Security Rule labels these measures as “standards” and “implementation specifications.”

In all cases, each covered entity must meet the standards. Each standard is associated with Implementation Specifications, which are either “required” or “addressable.”

Required Implementation Specifications must be implemented by all covered entities.

Addressable Implementation Specifications allow some flexibility. Each organization must decide whether the security measure to apply fits within its particular security framework. Based on its evaluation of its specific circumstances, each covered entity can (1) implement the specification if reasonable and appropriate; (2) implement an alternative security measure to accomplish the purposes of the standard; or (3) not implement anything if the specification is not reasonable and appropriate and the standard can still be met.

The nine Administrative Safeguards include requirements for the implementation of Security Management Process, assigning Security Management Responsibility, establishing Workforce Security. A covered entity must implement Information Access Management, and Security Awareness and Training. Formal, documented Security Incident Procedures must be in place to ensure that security violations are reported and handled promptly. A Contingency Plan must be in effect for responding to system emergencies. Like for the Privacy Rule, the covered entity must obtain Satisfactory Assurances from its Business Associates that each of them will appropriately safeguard the information in accordance with the Security Standards. Finally, to demonstrate and document their compliance with the entity’s security policy and the other requirements of the Security Rule, the covered entity must periodically conduct an Evaluation of its security safeguards.

The four Physical Safeguards include Facility Access Controls, control of the Workstation Use and Workstation Security, and of other Device and Media. For example, a covered entity must implement policies and procedures to document modifications to the physical components of a facility that are related to security, such as hardware, walls, doors, and locks. In addition, each organization must put in place physical safeguards to secure workstations, and control the use of other devices and media. This would involve policies and procedures that govern the receipt and removal of hardware and/or software (for example, diskettes and tapes) into and out of a facility.

Five Technical Safeguards require policies and procedures for Access Control, Audit Control, ensuring Integrity of the protected health information, Mechanism to Authenticate the persons or entities sending the data, and Transmission Security.

The Security Rule includes, in addition, requirements for the Implementation of the standards. Final responsibility for a covered entity’s security must be assigned to one Official who will manage and supervise the use of security measures to protect data, and the conduct of personnel in relation to the protection of data. The covered entity must implement written policies and procedures to comply with standards and implementation specifications, and review these policies and procedures periodically and update them as needed. The covered entity must also document in writing its actions, activities, or assessments taken or conducted. All documentation must be retained for 6 years from date of creation or from date when last in effect.

The Centers for Medicare and Medicaid Services (CMS) is responsible for implementing and enforcing the Security Rule, whereas HHS’ Office for Civil Rights is responsible for implementing and enforcing the Privacy Rule.

The Security Rule works in concert with the final Privacy Rule, which was adopted by HHS in its final form in August 2002, and took effect for most covered entities on April 14, 2003. The HIPAA Privacy Rule defines the authorized or required uses of PII, and the patients’ rights with respect to their PII. The HIPAA Privacy Rule is available at: http://www.hhs.gov/ocr/hipaa/finalreg.html.

The HIPAA Security Rule resides in part 164 of subchapter C of title 45 of the Code of Federal Regulations. The complete text of the final Security Rule is available at http://www.cms.hhs.gov/SecurityStandard/02_Regulations.asp#TopOfPage.

Information Privacy And Security Current And Emerging Issues In The United States

Posted by fgilbert on June 4th, 2010

Not so long ago, the Internet was a separate world. We distinguished e-commerce and other activities in “cyberspace” from those that were conducted in the brick and mortar world. Today, most companies are exploiting, at the same time and to the fullest extent possible, all of the vast resources that are available through the Internet, the World Wide Web, and otherwise.

Concurrent with the convergence of cyberspace with the brick and mortar world, telephone and information technologies are converging.  From one single device, we can make calls, send emails, browse the web, review our documents, and even pay for our lattes.  With this convergence, and the ubiquitous need for access to personal information databases, data protection issues have gained greater importance.  Without customer information, companies cannot create products adapted to client needs or target the right client for a sale.

However, holding personal information without adequate safeguards may lead to disaster.  Companies have lost goodwill, to the point of bankruptcy, for having failed to address privacy and information security issues.

This article will look at selected current issues and trends in information privacy and security.

Current Issues

  • Accountability for Proper Security

While information privacy and security concepts were first developed in the early 1970s, it is only with the enactment of the modern data protection laws, such as GLBA and HIPAA, that certain markets became aware of, and were required to implement, security safeguards to protect the confidentiality, integrity, and authenticity of personal information. Today, this requirement has been extended to all companies that hold sensitive personal information. The Federal Trade Commission has made it an “unfair practice” under Section 5 of the FTC Act to hold personal data without providing adequate security. California law requires companies that hold social security numbers or bank account numbers in combination with the first and last name of individuals to implement “reasonable security measures.” It also requires these companies to implement the same in their contracts with their service providers.

The liability thresholds have also been raised by a recent Minnesota law, which became effective in the summer of 2007. Under this new law, companies that retain credit card data after receiving the authorization of the transaction will be held strictly liable for any damages caused by a breach of security. If data have been exposed, liability will follow without a plaintiff having to prove that the business was negligent. Damages will include the cost of “reasonable actions undertaken” by financial institutions to respond to the breach, such as the costs to cancel or reissue any access device affected by the breach; close accounts affected by the breach and take any action to stop payments or block transactions with respect to the accounts; open or reopen accounts affected by the breach; make any refund or credit to a cardholder to cover the cost of unauthorized transactions related to the breach; and notify the cardholders affected by the breach. The financial institution will also be entitled to recover the costs for damages that it paid to cardholders injured by the breach. Businesses will also be responsible for violations by their service providers.

Security to protect personal information has also been required under the laws that have implemented the 1995 European Union Data Protection Directive. US companies that wish to self-certify under the Safe Harbor, or that are contemplating the use of the Model Contracts, must ensure that they do have security measures in place and that their service providers do the same.

Failure to have adequate security measures is likely to lead to security breaches, which US companies are required to report to the affected parties, clients, or employees under the Security Breach Notification Laws enacted in over 40 States. Japanese companies have the same obligation. The European Union is said to be contemplating revisions to its laws to implement a similar requirement as well.

  • E-Discovery, Records Retention and Destruction Issues

The need for adequate security measures and document control is also created by the new E-Discovery rules that result from a recent amendment of the US Federal Rules of Civil Procedure, which were adopted after several well-reported cases took unexpected turns when the parties battled each other over the production of evidence. The courts questioned the quality and completeness of the files produced and the all-too-convenient loss, misplacement, or destruction of electronic evidence that was key to the case.

In the employment discrimination case Zubulake v. UBS Warburg, 220 F.R.D. 212 (SDNY 2004), which spanned several years (because of evidentiary issues), for example, the court ruled that the employer had willfully deleted relevant emails despite contrary court orders. The court granted the plaintiff’s motion for sanctions and ordered the employer to pay costs because it had failed to locate relevant information, to preserve that information, and to timely produce that information.

The amendments to the Federal Rules of Evidence, recently adopted, create a new regime for litigation in an era where emails and other electronic documents constitute a crucial component of the litigants’ case.  Organizations have to take affirmative steps to prevent spoliation of electronic evidence, negligent or intentional.  They must guarantee that identified relevant documents are preserved by placing a “litigation hold” on the documents, communicate the need to preserve them, and arrange for safeguarding of relevant archival media.

U.S. courts will not hesitate to impose sanctions for spoliation of electronic documents, even if it results from document mismanagement.  In this new era, companies have to address document retention and preservation issues.

Companies must take affirmative steps to implement appropriate enterprise security programs that ensure that the location of all documents is known, that these documents are protected, and that they are destroyed only according to appropriate retention policies.  When a suit is filed, they must ensure that all sources of discoverable information are preserved and produced.

  • Proper Treatment of Customer Databases in Corporate and Commercial Transactions

Due diligence and other checklists for corporate or commercial transactions have also evolved with the current data protection trends.  A company can no longer simply transfer or license its database of customer information.  Both parties to the transaction must first ensure that the transfer is not prohibited, and each must review the other’s privacy policies; this duty is imposed on both parties.

In a recent case where a database of personal information was used in connection with a services agreement, the client was found to have an obligation to verify that its service provider had the right to use the personal information it was using to provide the service.  Relying only on a representation or warranty in a contract was deemed insufficient.  (http://files.ali-aba.org/thumbs/datastorage/lacidoirep/articles/PL_ACFF154_thumb.pdf)

In that case, the company was in the business of sending emails to consumers.  In order to promote the products and services of its advertising clients, it obtained the email addresses from list providers, which had gathered these lists through a variety of means.

The New York Attorney General’s investigation of the provenance of these marketing lists revealed that some of the company’s list providers, on their own websites, had promised consumers they would NOT sell, rent, or share their information to or with third parties.  On the other hand, the company represented on its website that recipients of its email campaigns “have all requested to receive information about products and services”.

In its March 2006 settlement, the company agreed to pay $1.1 million as penalties, disgorgement, and costs. Reliance on the list provider’s representations or warranties that the use of the contact information was permissible was found insufficient, on its own, to fulfill the obligation of an independent review.  The settlement agreement stated that the party that is acquiring personal information must first independently confirm that such acquisition is permissible under relevant seller privacy policies.  It must independently review all applicable privacy policies that were in effect when the information was collected, and independently confirm that such policies clearly disclosed that the information collected would or might be shared.  In the absence of such explicit terms, it must confirm, through first-hand investigation, that consumers affirmatively opted-in to permit such sharing.

It is therefore recommended that, in the event of a corporate or commercial transaction that involves personal information, the recipient of this information (a) conduct due diligence; (b) conduct a thorough review and analysis of the co-contractor’s or target’s information privacy and security policies and practices; and (c) not rely solely on written representations and warranties.

  • Outsourcing, outsourcing, outsourcing

Many US companies continue to feel that “outsourcing, outsourcing, outsourcing” is the key to success.  “Outsourcing,” here, encompasses IT outsourcing, business process outsourcing, legal process outsourcing, offshoring, and similar arrangements.  Outsourcing might indeed provide savings, efficiencies associated with standardization, and attractive balance sheets; but it presents great risks for client and employee personal information.

Poor privacy and information security safeguards have caused great losses, embarrassment, and loss of goodwill when outsourcers or service providers failed to use adequate security.  For example, MasterCard, Visa, Discover, American Express, and other large financial institutions were forced to reissue cards, pay for credit record monitoring services, and rebuild customer trust when an intrusion at their payment processor CardSystems Solutions compromised 40 million credit card numbers. (http://money.cnn.com/2005/06/17/news/master_card/index.htm)

When outsourcing contracts involve providing or giving access to personal information, thorough due diligence is essential to investigate the privacy awareness and security practices of the potential service providers.  Comprehensive and detailed contracts must define safeguards and other mechanisms to ensure adequate security for the protected personal information and compliance with privacy laws.  During the performance phase, companies must keep monitoring the performance of their vendor.  Failure to seriously address privacy and security concerns during these three phases (due diligence, contracting, and performance) creates exposure to great liability.  Several US laws and the current case law require companies to ensure the protection of certain personal information in their custody, and this obligation extends to the subcontractors and service providers of these entities.

Emerging Issues

As we are moving into the Web 2.0 era, and we are seeing the emergence of new uses of technology that seem to be stepping out of science fiction books, numerous legal issues are being raised.  Information privacy and security are likely to continue to be a top concern and priority.  Consider, for example, the following trends:

  • New advertising models.  The customers’ footsteps are tracked to serve “better content,” more adapted to the customer’s needs.
  • Digital rights management.  These systems track customer uses.  What song or movie is accessed, when, how, where, and from which machine?
  • Social networking.  MySpace and Facebook are providing forums for disclosing the undisclosable.
  • RFID, GPS, and location-based services allow tracking of individuals, and cause serious privacy and security concerns (Nowhere to Hide, by Francoise Gilbert, http://itlawgroup.com/privacy_publications.html).
  • Mobile web.  Advertisements sent to cellphones.  Electronic payments made easy.  Customers tracked everywhere.  Privacy might be achieved only by turning off the device.
  • Second Life.  Do avatars have feelings, and … a right of privacy?

While most of the emerging trends above are exciting, creative business activities, certain practices might have dramatic consequences for personal privacy.  In addition, current practices might also take a sour turn.  For example, as the cost of living increases in India or Eastern Europe, where many companies have outsourced their call centers, so does the cost of the personnel entrusted with the delicate missions outsourced to them.  If the outsourcer cannot increase the fees paid by its American client, it may attempt to unload the engagement elsewhere, transferring its work to others with lower wages, and possibly lesser privacy or security practices and awareness.

Conclusion

The information and communications technologies that were created at the end of the 20th century are becoming very powerful and are creating new opportunities.  Physical and geographical boundaries are crumbling, allowing for greater exchange.  Individuals seem to become more empowered.  The blogger becomes a journalist, the YouTube user a movie star.  The Second Life avatar can be a superhero.  However, in this emerging world where individuals seem more valued and powerful, privacy might be under attack and security might be endangered.  Legal issues will abound.

Coming Soon to the European Union: Security Breach Disclosure Requirements

Posted by fgilbert on May 30th, 2010
Directive 2002/58/EC (or “e-Privacy Directive”), which defines the restrictions that apply to the protection of personal data in the context of wire or Internet communications, was amended in late 2009. This amendment establishes the first mandatory security breach disclosure regime for the European Union and will soon be reflected in the national laws of the EU and EEA Member States.
While this new security breach disclosure regime affects only providers of publicly available electronic communications services, it is likely that it will be the foundation for defining a security breach disclosure framework that applies to other holders of personal data.
For example, when amending their national laws, some of the EU Member States may opt to apply this security breach disclosure regime to the entire spectrum of data controllers and data processors, rather than limiting it to the smaller subset of electronic communication service providers that are subject to the ePrivacy Directive. Further, when the 1995 EU Data Protection Directive is revised, it should be expected, as well, that the security breach provisions of the ePrivacy Directive (as amended), at a minimum, will serve as a starting point.
The amendments must be implemented in the national laws of each of the Member States of the European Union and the European Economic Area by May 25, 2011.

1. 2009/136/EC Directive

Directive 2009/136/EC entered into force on December 19, 2009. This directive amends and supplements the ePrivacy Directive, i.e., Directive 2002/58/EC Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector.

The ePrivacy Directive provides a framework for responding to unsolicited commercial messages, the use of fax and similar technologies for telemarketing purposes, and defines the rules for the use of cookies, traffic data, location data, and public directories. With the 2009 Directive, existing provisions are amended to provide more protection for personal data. In addition, a new framework for the disclosure of a breach of security of data held by electronic communications networks and services is defined. While these provisions resemble those of the state security breach disclosure laws that have been adopted in the United States since 2003, there are significant nuances and discrepancies with the American model.

2. Security Measures

a.  2002 Version

The 2002 version of the ePrivacy Directive requires covered entities to ensure adequate security. These provisions have been enhanced by the 2009 Amendment.
Under Article 4(1) of the e-Privacy Directive, Member States’ national laws must require publicly available electronic communications service providers to take appropriate technical and organizational measures to safeguard the security of their services. If necessary, these security measures must be taken in conjunction with the providers of the public communications network with respect to network security.
These security measures must take into account the developments in technologies, the new risks created by new types of attacks, and the cost of implementing the measures in relation to the risks. Security is appraised in light of Article 17 of 1995 Data Protection Directive.
Article 17 of the 1995 Data Protection Directive requires the implementation of “appropriate technical and organizational measures” to protect personal data against accidental or unlawful destruction, accidental loss, alteration, or unauthorized disclosure of, or access to personal data. In addition, when the processing is carried out by a subcontractor, the data controller must:
  • Conduct due diligence before entering into a contract with this third party;
  • Require in a written agreement that the third party act only on instructions from the data controller and use security measures to protect personal data; and
  • Verify compliance with adequate and relevant security measures for so long as the data processor holds personal data on behalf of the data controller.

b. 2009 Additional Requirement

The 2009 Directive supplements Article 4(1) of the ePrivacy Directive with specific and precise instructions. The new Article 4(1a) directs that the security measures must:
  • Ensure that personal data can be accessed only by authorized personnel for legally authorized purposes;
  • Protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorized or unlawful storage, processing, access or disclosure; and
  • Ensure the implementation of a security policy with respect to the processing of personal data.
In addition, the 2009 Amendment grants the relevant national authorities the ability to audit the measures taken by providers of publicly available electronic communication services and to issue recommendations about best practices concerning the level of security that these measures should achieve.

3. Notice of Risk of Breach of Security

The concept of disclosure of a breach of security already existed in the 2002 version of the e-Privacy Directive. Covered entities, however, only had to notify their customers of a “risk of breach of security.” This requirement was usually fulfilled by adding a provision in the entities’ terms of service, which stated that wire or electronic communications are not secure or confidential and instructed the customers to use other communications means when transferring sensitive or valuable data. The 2009 Amendment preserves the original version of Article 4(2) of the ePrivacy Directive, but it supplements it with a more specific requirement for the disclosure of the breach of security.
Under Article 4(2) of the ePrivacy Directive, Member States’ national laws must require providers of publicly available electronic communications services to inform subscribers of any special risks of a breach of the security of the network. Such risks may especially occur for electronic communications services over an open network such as the Internet or analog mobile telephony. If the risk lies outside the scope of the measures to be taken by the service provider, the provider must also inform subscribers of any possible remedies, and of the likely costs involved.
The preamble of the 2002 version of the e-Privacy Directive notes that providers of publicly available electronic communications services over the Internet should inform users and subscribers of the measures that they can take to protect the security of their communications, such as by using specific types of software or encryption technologies. This requirement to inform the subscriber, however, does not discharge a service provider from the obligation to take, at its own costs, appropriate and immediate measures to remedy any new, unforeseen security risks and restore the normal security level of the service.

4. Breach of Security

The 2009 Amendment goes beyond the mere notion of warning of a “risk of breach of security.” It defines the framework for a breach disclosure requirement that is similar to – but different from – the provisions that are in effect in the United States.

 a. Personal Data Breach

  The 2009 Amendment introduces the notion of “personal data breach.” The term is defined in the new Article 2(i) of the amended ePrivacy Directive as:
“A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed in connection with the provision of a publicly available electronic communications service in the Community.”

b. Notice Requirements

Article 4(3), which is introduced by the 2009 Amendment, requires providers of publicly available electronic communications services to give notice of the breach to the competent national authority “without undue delay.” In addition, if the breach is “likely to adversely affect” the personal data or the privacy of a subscriber or individual, the service provider must also notify the subscriber or individual of the breach of security, again “without undue delay.”
Thus, in most instances, two categories of notices must be given:
  • One to the competent national authority, and
  • The other to the subscriber or individual whose personal data or privacy is likely to be adversely affected.
It is not clear whether a subscriber that is itself an organization, once informed, has to provide notice to all affected individuals, nor who would bear the cost of making this notification.
There must be a “likely adverse effect.” According to the preamble, a breach should be considered as adversely affecting the data or privacy of a subscriber or an individual if it could result, for example, in identity theft or fraud, physical harm, significant humiliation or damage to reputation.
Thus, service providers would have to conduct a risk assessment, and presumably, would have to keep track of the assessment made and the grounds for their determination that a notice to subscribers or individuals was not warranted.
This assessment must be conducted in an expedited manner. The Preamble of the 2009 Directive stresses that the provider should notify the breach to the competent national authority as soon as it becomes aware that the breach has occurred.
The competent national authority is given an important role. It may force a disclosure. If the service provider has not already notified the subscriber or individual of the breach, the competent national authority may require the service provider to do so, after the competent national authority has evaluated the likely adverse effects of the breach.

c. Exemption

There is an exemption to the obligation to notify subscribers or individuals of a breach. It applies if the provider of publicly available electronic communications services has demonstrated, to the satisfaction of the competent national authority, that it has implemented appropriate technological protection measures and that these measures were applied to the data concerned by the security breach.
The service provider would nevertheless still have to notify the competent national authority. An important aspect of this safe harbor is that the exemption depends on the provider making that demonstration to the competent authority; the provider’s own conclusion that no adverse effect is likely is not enough on its own.
It should be noted, in addition, that the 2009 Directive grants the national authority the ability to require the service provider to make the notification, even if the service provider had determined that it was not necessary, where the national authority has determined that the incident is likely to have an adverse effect.
In order to be able to take advantage of the exemption, the technological protection measures must be such that they render the data unintelligible to any person who is not authorized to access these data. The Directive does not suggest which measures to use, and there is no specific requirement for the use of encryption; it is sufficient if the data are “unintelligible.” In practice this points to encryption, with the caveat that encrypted data remain intelligible to an intruder who also obtained the key, so key storage and key compromise are part of any such demonstration. It is likely that the national laws implementing the Directive will interpret this term differently, which in turn might cause significant discrepancies between the applicable regimes in the Member States.

d. Content of the Notice

The Directive specifies the content of the two notices that must be given, i.e., the notice that is to be provided to the competent national authority and the notice that is to be sent to the affected subscribers or individuals. Both notices must include the following information:
  • A description of the nature of the breach;
  • The contact points where information about the breach can be obtained; and
  • Recommended measures to mitigate the possible adverse effects of the breach.
In addition, the notice to the competent national authority must describe:
  • The consequences of the breach, and
  • The measures proposed or already taken by the provider to address the breach.

e. Inventory

  Under new Article 4(4), the national laws implementing the amendment must require service providers to maintain an inventory of breaches that comprise the facts surrounding the breach, the effects of the breach, and the remedial action taken. The information must be sufficient to enable the competent national authorities to verify compliance with the notice requirements.

f. Guidelines and Implementing Measures

Given the novelty of the requirement for most European Union Member States, the 2009 amendment provides several means to facilitate the implementation of these provisions. These include the use of guidelines and instructions concerning the circumstances in which providers are required to make the notification, the format of such notification, and the manner in which the notification is to be made. The 2009 Directive also suggests that implementing measures may be drafted in the future in order to specify the circumstances, format, and procedures applicable to the information and notification requirements.

The comments in the Preamble recommend that the rules concerning the format and procedures applicable to the notification of security breaches, should take into account the circumstances of the breach, including whether or not personal data had been protected by appropriate technical protection measures, effectively limiting the likelihood of identity fraud or other forms of misuse. Moreover, such rules and procedures should take into account the legitimate interests of law enforcement authorities in cases where early disclosure could unnecessarily hamper the investigation of the circumstances of a breach.
While the Directive itself does not provide for sanctions, it suggests that national laws may include appropriate sanctions for those who fail to make the required notification.

5. For More Information

For more information on the ePrivacy Directive and the 2009 Amendments, see Chapter 8 of Francoise Gilbert’s two-volume treatise Global Privacy & Security Law available through www.globalprivacybook.com.