Archive for June, 2012

CNIL on Cloud Computing

Posted by fgilbert on June 28th, 2012

On June 25, CNIL – the French Data Protection Authority – published its recommendation on the use of cloud computing services. This recommendation is the result of a research project on cloud issues, which started in the Fall of 2011 with a consultation with industry. The documents released by CNIL include a summary of the research and related documents, a compilation of the responses received to the consultation, and a set of recommendations.

The recommendations include:

  • Clearly identify the type of data and type of processing that will be in the cloud
  • Identify the security and legal requirements
  • Conduct a risk analysis to identify the needed security measures
  • Identify the type of cloud service that is adapted for the contemplated type of processing
  • Choose a provider that provides sufficient guarantees

The CNIL document also provides an outline of the contractual clauses that should be included in a cloud contract and contains “Model Clauses” that may be added to contracts for cloud services. These model clauses are provided as a sample, are not mandatory, and can be changed or adapted to each specific contract.

Except for a high-level summary in English, the documents described above are currently available only in French on the CNIL website. According to CNIL representatives, English translations of these documents should be available shortly.

  • Overview of CNIL Recommendation – Summary in English:

http://www.cnil.fr/english/news-and-events/news/article/cloud-computing-cnils-recommandations-for-companies-using-these-new-services/

  • Overview of CNIL Recommendation – Summary in French:

http://www.cnil.fr/la-cnil/actualite/article/article/cloud-computing-les-conseils-de-la-cnil-pour-les-entreprises-qui-utilisent-ces-nouveaux-services/

  • Compilation of the responses to the CNIL consultation on cloud computing (in French):

http://www.cnil.fr/fileadmin/images/la_cnil/actualite/Synthese_des_reponses_a_la_consultation_publique_sur_le_Cloud_et_analyse_de_la_CNIL.pdf

  • Recommendation for companies wishing to use cloud services (in French):

http://www.cnil.fr/fileadmin/images/la_cnil/actualite/Recommandations_pour_les_entreprises_qui_envisagent_de_souscrire_a_des_services_de_Cloud.pdf


Outline of BCR for Processors Published by Article 29 Working Party

Posted by fgilbert on June 20th, 2012

On June 19, 2012, the Article 29 Working Party adopted a Working Paper (WP 195) on Binding Corporate Rules (BCR) for processors, to allow companies acting as data processors to use BCR in the context of transborder transfers of personal data, such as in the case of cloud computing and outsourcing.

WP 195 includes a full checklist of the requirements for BCR for Processors and is designed both for companies and for data protection authorities. The checklist outlines the conditions to be met in order to facilitate the use of BCR for processors, and the information that must be included in the application for approval of BCR filed with the Data Protection Authorities.


Remove any P2P Filesharing Software from your Network

Posted by fgilbert on June 7th, 2012

Remove any P2P filesharing software from your network or be prepared to enter into a 20-year relationship with the Federal Trade Commission. This is what will happen to EPN, Inc., a debt collection business based in Provo, Utah and to Franklin’s Budget Car Sales, Inc., of Statesboro, Georgia, a car dealership. In both cases, the P2P software caused sensitive personal information of thousands of consumers to be accessible to users of other computers connected to the same peer-to-peer network.

On June 7, 2012, the FTC published proposed settlement agreements with these two businesses because they had allowed peer-to-peer file sharing software to be installed on their network.

The FTC case against EPN, Inc. alleges that the lack of security measures at the company allowed the company’s COO to install P2P file-sharing software on the company’s network. As a result, sensitive information including Social Security numbers, health insurance numbers, and medical diagnosis codes of 3,800 hospital patients was available to any computer connected to the P2P network.

The case against Franklin’s Budget Car Sales, Inc. alleges that the installation of P2P software on the company’s network resulted in sensitive financial information of 95,000 consumers, such as names, addresses, Social Security numbers, dates of birth, and driver’s license numbers, being made available on the P2P network.

In both cases, the companies were charged with failure to observe commonly used best practices:

  • Failure to have an appropriate information security plan;
  • Failure to assess risks to the consumer information collected and stored online;
  • Failure to use reasonable measures to ensure security of the network, such as scanning its networks to identify any P2P file-sharing applications operating on them;
  • Failure to adopt policies to prevent or limit unauthorized disclosure of information;
  • Failure to prevent, detect and investigate unauthorized access to personal information on the company’s networks;
  • Failure to adequately train employees;
  • Failure to employ reasonable measures to respond to unauthorized access to personal information.

Failure to implement reasonable and appropriate data security measures as described above was an unfair act or practice and violated federal law, namely Section 5 of the FTC Act. In addition, Franklin Car Sales, as a “financial institution” subject to the Gramm-Leach-Bliley Act (GLBA), was found to have violated both the GLBA Safeguards Rule and Privacy Rule by failing to provide annual privacy notices and a mechanism by which consumers could opt out of information sharing with third parties.

The proposed consent orders against EPN and Franklin would require the companies to establish and maintain comprehensive information security programs, and to cease any misrepresentation about their data handling practices. The settlement orders with the two companies are substantially similar. They:

  • Bar any future misrepresentations about the privacy, security, confidentiality, and integrity of any personal information;
  • Require the companies to establish and maintain a comprehensive information security program; and
  • Require the companies to undergo data security audits by independent auditors every other year for 20 years.

As always with FTC consent orders, each violation of such an order may result in a civil penalty of up to $16,000.


Posted in FTC