Archive for August, 2010

Mexico’s New Federal Law on the Protection of Personal Data

Posted by fgilbert on August 17th, 2010

 

Mexico’s new Ley Federal de Protección de Datos Personales en Posesión de los Particulares (Federal Law on the Protection of Personal Data Possessed by Private Persons) became effective on July 6, 2010. The Law is “of public order,” which means that contract provisions that conflict with it are unenforceable.

The Federal Institute for Access to Information and Data Protection (IFAI) is charged with issuing regulations and enforcing the Law. The regulations are expected to be issued within one year, and the Law will not be enforced until January 2012.

While the Law incorporates many principles found in the major privacy drivers such as the OECD Privacy Guidelines and the 1995 EU Data Protection Directive, it clearly opts to follow the guidance in the APEC Privacy Framework. This choice is especially evident in the provisions that address “accountability,” and in the departure from the prohibition of data transfers to countries that do not offer an adequate level of privacy protection, which has been the hallmark of the 1995 EU Data Protection Directive. Instead, for crossborder data transfers, the Mexican Law requires notice to and consent of the data subjects, and makes the data controller responsible for ensuring that the recipient of the data abides by the same principles as those set forth in the sender’s privacy policy.

Scope of the Data Protection Law

The entities that are subject to the Law are individuals or legal persons that process personal data, other than credit information companies. In addition, like most other countries’ data protection laws, Mexico’s Law excludes from its scope individuals who collect, store, and use personal data for personal purposes.

The Law regulates the processing of personal data. The definition of the term “processing” encompasses a broad range of activities that include collection, use, disclosure, storage, access, management, transfer and disposal of personal data.

Protected Information

The Law applies to personal data that are processed, transferred, or disposed by private persons or entities. “Personal data” includes any information pertaining to an identified or identifiable natural person.

More stringent provisions apply to the handling of sensitive data, that is, those data that pertain to the race or ethnicity, health, genetic information, religion, philosophical and moral beliefs, union membership, political opinions and sexual preference of an individual. Further, even though financial and economic data are not included in the definition of “sensitive data,” their processing requires the express consent of the data subject.

Obligations of the Data Controller

The Law identifies restrictions on the collection and use of personal data. Most provisions apply to “data controllers,” the individuals or private corporations that determine how and by whom personal data are processed.

Data controllers must collect and process personal data in a lawful manner. The data must be relevant, necessary, accurate, and updated for the purposes for which they were collected.

Data controllers may process personal data only for the purposes stated in their privacy notice unless the data subject consents to a new use of the data for a purpose that is not compatible with or analogous to the purpose that is set out in the privacy notice. Data controllers may keep the data only as long as necessary in order to fulfill the purposes for which the data were collected, and must delete any data that are no longer necessary for these purposes.

Conditions to the Collection and Processing

The general rule is that data controllers must obtain the consent of the data subjects in order to process their personal data. The consent may be express or implied. In the case of sensitive data, or financial and economic data, the express written consent of the data subject is required.

There are several cases where the data subject’s consent is not required for the processing of personal data to be lawful. For example, consent is not required when the collection and processing of the data is provided by law or is necessary to comply with obligations derived from a legal relationship between the data subject and the data controller. There are other exceptions for data that have been anonymized, are included in publicly available sources, or are needed for medical care, prevention, diagnosis, or medical treatment while the data subject is unable to provide his consent.

Security and Breach of Security

Data controllers must have in place appropriate administrative, technical, and physical safeguards in order to ensure that personal data are protected from loss, damage, alteration, destruction, and unauthorized access or use. The safeguards must be at least as secure as those that the data controller uses to manage its own data. Further, data controllers must keep data in a manner that allows the prompt exercise of the data subjects’ rights.

In the case of a breach of security, the Data Protection Law requires that the data subjects be notified of the breach if the breach significantly affects the concerned data subjects’ economic or moral rights. The Law does not require that other entities or government agencies be notified as well.

Obligation to Inform the Data Subjects

Data controllers are required to give data subjects a privacy notice that identifies among other things, the entity that collects the data, what personal data are collected from them, the purposes of the collection and processing of their personal data and the proposed transfers of personal data. In addition, the notice must indicate the options and means that data subjects may use in order to control the use and disclosure of their personal data and the means by which they can exercise their rights of access, rectification, cancellation, or opposition.

The notice must be provided to the data subject when the data are collected, unless the data were not collected directly from the data subject. The notice can be in printed form, electronic form, or other format. Special provisions apply when personal data are collected through mobile phones or text messages.

Accountability

In keeping with the APEC Privacy Framework, the Mexican Data Protection Law stresses accountability. Data controllers are held accountable for the personal data they hold, even if a third party processes the data. They must ensure that the third party complies with all data protection provisions stated in the Law.

Data controllers, subcontractors, and any other parties that have access to personal data must ensure the protection of the confidentiality and security of the personal data, even after their relationship with the data subject is terminated, or in the case of subcontractors and third parties, after the relationship with the data controller is terminated.

Crossborder Transfer of Personal Data

On the issue of crossborder transfers of personal data, the Mexican Law significantly diverges from the principles set forth in the 1995 EU Data Protection Directive. Instead of requiring data controllers to ensure that, when data are transferred to a third country, the receiving country provide an adequate level of protection, the Mexican Law makes the data exporter responsible for ensuring the protection of the data.

Specifically, the transfer of personal data to a third country requires several components:

  • The data controller must inform the data subjects of the proposed transfer, and the data subject must consent to the transfer;
  • A data controller that intends to transfer personal data to a third country, other than to a subcontractor, must identify the purposes for which the data are transferred to the third party, and must inform the third party of the restrictions that are set forth in the data controller’s privacy notice; and
  • The third party that receives the data must assume the same obligations as those that apply to the data controller.

There are several exceptions where consent is not required. These exceptions include where the transfer is made to a subsidiary or affiliate, or to a parent company or an associated company that operates under the same processes and internal policies; and where the transfer is in the interest of the data subject in connection with a contract that has been, or is to be, concluded between the data controller and a third party. Another exception allows for the crossborder transfer of personal data when necessary for the maintenance or fulfillment of a legal relationship between the data subject and the data controller.

Rights of the Data Subjects

Data subjects have the right to consent to the processing of their personal data (unless an exception applies), and to be informed of how and by whom their personal data will be processed.

In addition, data subjects have the rights of “access, rectification, cancellation, and opposition,” or ARCO rights. The rights of access and rectification grant them the ability to access their personal data in the hands of data controllers, and to have inaccurate or incomplete data pertaining to them rectified.

The right of cancellation allows individuals to require that their data be blocked in the database, which has the same effect as if the data were erased from the data controller’s database. If the data have been transmitted to a third party, the data controller must bring the correction or cancellation request to the third party’s attention.

The right of opposition entitles individuals to object to the processing of their personal data, with a valid reason.

Data Protection Official Required

The Law requires data controllers to designate a data protection official within their organization. The data protection official will be responsible for processing data subject requests for access, and for promoting personal data protection within the organization.

Self-Regulation Schemes

Organizations are allowed to use binding self-regulation schemes or codes of conduct. These schemes need to measure the effectiveness of the protection that the organization provides to personal data and address the consequences and remedies for violations of the rules. The self-regulation schemes should also contain rules and standards that harmonize the data processing performed by the parties and facilitate the exercise of data subjects’ rights.

Penalties

If a data controller does not resolve a matter after receiving a complaint from an individual, the individual can submit his complaint to the IFAI for the dispute to be resolved. If the IFAI identifies a violation of the Data Protection Law, it will notify the data controller of its findings. The data controller has 15 days to respond and provide evidence proving that it has not breached the Law. The IFAI will make a decision within 50 days after the date on which the process began.

The Law provides for significant fines (up to $1.2 million) for violations such as collecting or transferring personal data without the consent of the data subject where such consent is required, or collecting data in a misleading or fraudulent manner. If sensitive data are involved, the penalties will be doubled. In the case of continued violations, an additional fine will be imposed.

In addition, the Law provides for imprisonment from three months to three years for data controllers who, for profit, cause a security breach of the database in their custody. The processing of personal data by deception, or by taking advantage of a data subject’s mistake or the mistake of an authorized person, may be sanctioned by six-month to five-year prison terms if done for profit.

Violators may also be liable for the payment of damages to the affected individual to compensate for harms or damages to the individual’s property or rights that result from the lack of compliance with the obligations of the data controller or its subcontractors.

Action Items

The new Data Protection Law of Mexico finds its roots and inspiration in many of the seminal documents that are the foundation of the global privacy and data protection framework. Thus, companies that have global operations and a global privacy program in place should be able to find numerous common elements with their existing structures. However, idiosyncrasies in the Law will also need to be addressed.

While the Law will not be enforced until January 2012, it is time for companies doing business in Mexico or with Mexico-based entities to begin evaluating their new obligations and to start planning accordingly. The first step should be to conduct a survey of the personal data that the company collects or processes in Mexico, and of the purposes for which these data are collected. In addition, companies should start evaluating whether the collection or processing of these data meets the adequacy and relevancy requirements of the new Law, so that unneeded data can be weeded out from existing databases. Companies should also start planning how they will respond to their obligation to provide individuals with access to their personal data, and the ability to have their data corrected or blocked.

Further, caution will be needed when trying to make the Mexican Law requirements fit within a global privacy program where they have to coexist with other laws that might be more restrictive. This is in particular the case for cross-border data transfers, where the Mexican Law does not clearly and fully meet the restrictions and requirements for “adequate protection” that are set forth in the national laws that follow the principles of the 1995 EU Data Protection Directive. Thus, the processing of personal data that originate from the EU and other countries that follow the Directive will continue to face the hurdle of establishing the existence of adequate protection.

Lessons from FTC v. Twitter

Posted by fgilbert on August 17th, 2010

 

Security is not just for credit card and social security numbers

The proliferation of security breach disclosure laws has brought companies’ attention to the need to protect financial information, social security numbers, and driver’s license numbers. Since most of these laws target only these categories of data, and most state laws that require the use of security measures have also focused on these categories of data, many companies have limited their information security efforts to the protection of a small amount of data: credit card, social security, and driver’s license numbers. As a result, other categories of data that have not been in the limelight or the subject of investigative reporting have been neglected.

The recent FTC action against Twitter provides a significant warning that information security measures must not be limited to a small set of data. Rather, companies that collect personal data must provide adequate security measures to all types of data in their custody, according to the nature and probability of the risks to which these data are exposed. Each category of data is to be protected with measures that are appropriate to the nature of these data, the risks to these data, and the promises made by the company to its users.

Series of Security Breaches

Not so long ago, Twitter was an early stage start-up with a tight budget. As such, the company had its own ways of doing business on a dime. The company grew very quickly to become a prominent social networking company with users on all continents. However, in the course of this commercial expansion, it failed to adapt its security practices to the magnitude of its reputation and the nature of its subscribers.

A succession of security breaches from January through May 2009 revealed significant deficiencies in Twitter’s information systems and networks. During this period, Twitter suffered security breaches that allowed hackers to access users’ accounts and non-public personal data, such as email addresses, IP addresses, and mobile phone numbers. The hackers were also able to reset passwords and send messages from user accounts. Among the widely reported hacks were fake tweets purportedly from sources such as then-President-elect Obama and Fox News.

Access to user accounts was possible due to inadequate administrative controls. According to the FTC complaint, hackers accessed Twitter’s administrative accounts by submitting “thousands of guesses” using a password guessing tool. It was not that difficult to guess the passwords of the administrative accounts because many passwords were a dictionary word without numbers or other characters.

Failure to provide reasonable and appropriate security

In its privacy policy, Twitter claimed that it employed “administrative, physical, and electronic measures designed to protect” nonpublic user information from unauthorized access. It also stated on its website that direct messages “are not public; only author and recipient can view direct messages” and that if users did not want to keep their account public they could make their account private, which would give users control over who follows them and who can view their tweets.

The FTC investigation, however, revealed that for three years from July 2006 to July 2009, Twitter did not take reasonable and appropriate measures to prevent unauthorized administrative control of its system. Among the deficiencies, the FTC found that Twitter failed to:

  • Require administrative passwords to be complex;
  • Prohibit administrative passwords from being stored in plain text in personal email accounts;
  • Disable or suspend administrative accounts after a certain number of unsuccessful login attempts;
  • Provide an administrative login page exclusive to authorized persons and separate from the login webpage provided to other users;
  • Require and enforce that administrative passwords be changed periodically;
  • Restrict access to administrative controls to only those who need access;
  • Impose other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses.
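The deficiencies listed above map onto a handful of concrete controls on an administrative login path. The following is an added example, not Twitter’s code and not part of the FTC complaint or order: a small Python login guard that enforces a complexity check against a (constructed) dictionary word list, stores only salted PBKDF2 hashes rather than plaintext, suspends an account after a fixed number of consecutive failures, and admits administrative logins only from allowlisted networks. All account names, passwords, word lists and addresses in it are constructed sample data; a production system would back this with a persistent store, a full dictionary, and a dedicated password-hashing library.

```python
"""Added example (not Twitter's or the FTC's code): an admin-login guard
demonstrating password complexity, failed-attempt lockout and IP
allowlisting. All data below is constructed for illustration."""
import hashlib
import hmac
import ipaddress
import os
import string

# Constructed stand-in for a real dictionary word list.
COMMON_WORDS = {"password", "happiness", "twitter", "letmein", "welcome"}

MIN_LENGTH = 12        # assumed policy value
MAX_FAILURES = 5       # assumed lockout threshold
PBKDF2_ROUNDS = 200_000


def password_policy_violations(password):
    """Return the list of reasons a candidate admin password is rejected.

    An empty list means the password satisfies the policy: minimum length,
    at least three character classes, and not a bare dictionary word.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    if sum(classes) < 3:
        problems.append("needs at least three character classes")
    if password.lower() in COMMON_WORDS:
        problems.append("is a dictionary word")
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; never keep the plaintext around."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class AdminLoginGuard:
    """Separate admin login path with allowlisting and lockout."""

    def __init__(self, allowed_networks):
        self.allowed = [ipaddress.ip_network(n) for n in allowed_networks]
        self.accounts = {}   # username -> (salt, digest)
        self.failures = {}   # username -> consecutive failed attempts
        self.locked = set()  # usernames suspended pending manual review

    def register(self, username, password):
        """Create an admin account only if the password passes the policy."""
        problems = password_policy_violations(password)
        if problems:
            raise ValueError("weak admin password: " + ", ".join(problems))
        self.accounts[username] = hash_password(password)

    def attempt(self, username, password, source_ip):
        """Evaluate one login attempt.

        Returns 'blocked_ip', 'locked', 'denied' or 'ok'. The source
        address is checked first so that guessing from outside the
        allowlisted networks never even reaches the password step.
        """
        ip = ipaddress.ip_address(source_ip)
        if not any(ip in net for net in self.allowed):
            return "blocked_ip"
        if username in self.locked:
            return "locked"
        record = self.accounts.get(username)
        if record is not None:
            salt, digest = record
            _, candidate = hash_password(password, salt)
            if hmac.compare_digest(candidate, digest):
                self.failures[username] = 0
                return "ok"
        # Wrong password or unknown account: count it and lock on threshold.
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= MAX_FAILURES:
            self.locked.add(username)
            return "locked"
        return "denied"


if __name__ == "__main__":
    guard = AdminLoginGuard(["10.0.0.0/8"])          # constructed office range
    guard.register("admin", "Corr3ct-Horse-Battery")  # constructed credential
    print(guard.attempt("admin", "Corr3ct-Horse-Battery", "10.1.2.3"))   # ok
    print(guard.attempt("admin", "Corr3ct-Horse-Battery", "203.0.113.5"))  # blocked_ip
    for _ in range(MAX_FAILURES):
        print(guard.attempt("admin", "guess", "10.1.2.3"))  # denied ... locked
```

The lockout counter is deliberately reset only on a successful login, and the allowlist check precedes everything else, so a guessing tool run from outside the permitted networks produces nothing but `blocked_ip` results, which is exactly the kind of event a defender would want logged and alerted on.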

Consent Decree

The proposed consent decree, for which comments were to be sent by July 26, 2010, provides that Twitter, Inc. will enter into a consent agreement for its violation of Section 5 of the FTC Act. Under the terms of the settlement, Twitter is barred for 20 years from misleading its users about the extent to which it protects the security, privacy, and confidentiality of non-public consumer information. The agreement requires Twitter to establish, implement, and maintain a comprehensive information security program that is “reasonably designed to protect the security, privacy, confidentiality, and integrity” of nonpublic user information.

The program must be documented in writing and must contain appropriate administrative, technical, and physical safeguards. The safeguards must be appropriate to Twitter’s size and complexity, the nature and scope of its activities, and the sensitivity of the nonpublic user information. Among other things, Twitter must:

  • Designate an employee to be responsible for coordinating the information security program;
  • Identify reasonably foreseeable, internal and external material risks that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or compromise of nonpublic user information, and assess the adequacy of the safeguards in place to control these risks;
  • Design and implement reasonable safeguards to control the risks identified through risk assessment;
  • Regularly test and monitor the effectiveness of the safeguards’ key controls, systems, and procedures;
  • Take reasonable steps to select service providers capable of appropriately safeguarding nonpublic user information, and enter into a contract that requires them to implement and maintain appropriate safeguards; and
  • Periodically evaluate and adjust its information security program.

In addition, Twitter must obtain assessments and reports on the efficacy of its security program from a qualified independent third-party professional every two years for 10 years. The assessment must include a review of the administrative, technical, and physical safeguards that Twitter has implemented and maintained during the reporting period; an explanation of how the safeguards are appropriate to Twitter; and an explanation of how the safeguards meet or exceed the requirements set out above.

Lessons from the Twitter Case

Since the late 1990s, the Federal Trade Commission has developed a common law of privacy and data protection based on the FTC Act Section 5 bar against unfair and deceptive trade practices. Numerous FTC enforcement actions have targeted companies that suffered a breach of security that compromised financial information, credit information, or credit card information.

In its first case against a social networking site regarding information security, the FTC shifts into a higher gear, and reminds companies of the need to apply adequate security measures to all information, and not just to credit card and social security numbers.

The significance of the Twitter case is not that it is the first case that targets a social networking company. What is more important is that the case focuses on the protection of data other than “the big four” (i.e. social security, driver’s license, financial, and credit card information). The Twitter case is an important reminder that a company’s information security plan must address all categories of personal data that the company collects or hosts, and provide for each category of data a level of protection reasonably adapted to the nature of the information and the risks to this information.

Twitter has learned the hard way that its unique power to reach the world in a few seconds comes with a commensurate obligation to adequately protect the very information that is needed to launch a tweet. Like Twitter, each company has its own set of data, with its own unique vulnerabilities. It needs to address these vulnerabilities in accordance with the level of risk to each category of data, which is unique to the particular circumstances of the company.