Part II: Fair Notice or No Notice? The Wyndham Worldwide Case and the Expanding Power of the FTC to Police Data Security
Part I: The Elephant Emerges From the Mousehole: The Wyndham Worldwide Case and the Expanding Power of the FTC to Police Data Security
In support of its motion to dismiss the FTC’s complaint alleging data security deficiencies in violation of Section 5 of the FTC Act, Wyndham Worldwide Corporation cited the Supreme Court’s opinion in Whitman v. American Trucking Ass’ns, which cautioned against agencies utilizing vague statutory provisions to alter “fundamental details of a regulatory scheme” and colorfully stated that “[Congress] does not, one might say, hide elephants in mouseholes.” See 531 U.S. 457, 468 (2001).
In recognition of the increasing threat that cyber-attacks pose to the state's infrastructure and the considerable costs that government and private sectors are estimated to spend on cyber security (more than $70 billion estimated to be spent in 2014 nationally), Assembly Speaker John Perez has introduced a bill to establish a "Cyber Security Commission."
The bill (AB 2200), if passed, would authorize the proposed commission to develop public-private partnerships to share cyber security and cyber threat information and to improve cyber security and cyber response strategies. The commission is required to meet monthly and submit quarterly reports to the Governor's Office and Legislature on the status and progress of cyber security efforts.
New Advisory Posted on NIST Cybersecurity Framework 1.0 and Growing Federal Concern Over Data Security and Cyber Crime
By Bob Scott
Check out our recent advisory analyzing the National Institute of Standards and Technology’s newly-finished Cybersecurity Framework, which is intended to reduce cyber risks to critical infrastructure – including to banks, communications companies, utilities, and healthcare providers. The Framework adds to the growing prominence of data security issues: increased incidents of electronic data theft, extensive media coverage, and rising class-action litigation. The Federal Trade Commission has assumed enforcement authority for data security and breach incidents under Section 5 of the FTC Act, while Congress and state legislatures consider legislative options. The Framework remains voluntary for the companies it addresses, but offers insight into evolving government expectations for data security, privacy and civil liberties. Access the advisory here.
"A" for Effort? Senator Markey Announces Latest Privacy Legislation Aimed at Protecting Student Data
On January 14, 2014, Senator Edward Markey (D-Mass) announced that he plans to introduce legislation in the coming weeks to ensure that safeguards are in place for student data shared with third parties. Citing concerns raised by recent changes to the Family Educational Rights and Privacy Act (FERPA) that have allowed for the increased sharing and use of student data in the private sector, Markey stated that the legislation will include the following components:
Google Street View Class Action Survives: Ninth Circuit Holds Wi-Fi is Not "Radio" Under Wiretap Act
In the latest development in the Google Street View case, the Ninth Circuit once again upheld the lower court’s decision that Google’s collection of unencrypted Wi-Fi does not fit within an exception to the Wiretap Act that allows the interception and use of “radio transmissions” that are “readily accessible to the public,” although it narrowed the reasoning of its earlier opinion.
After initially upholding the district court order denying Google’s motion to dismiss the case because of the Wiretap Act exception, the court asked for briefing on Google’s petition for panel and en banc rehearing. Technically, the panel granted part of Google’s motion for rehearing and modified its opinion, but it did not change its decision that unencrypted Wi-Fi transmissions are protected from interception by the Wiretap Act. Google now could ask the U.S. Supreme Court to review the case, pursue further litigation in the district court, or settle.
As has been widely reported, the popular retail giant Target announced yesterday that it suffered a data breach impacting approximately 40 million credit and debit card accounts used in Target stores across the country between November 27th and December 15th. It appears that the breach involved the theft of “track data” from the magnetic stripe on the back of credit and debit cards used in Target stores. Thieves use this stolen information to create counterfeit cards.
- Focusing on “security, not compliance;”
- Making PCI DSS a “business as usual practice;”
- Providing “added flexibility on ways to meet the requirements;” and
- Clarifying “the level of validation the assessor is expected to perform.”
A House Divided: Federal Judges Take Conflicting Positions on Wiretap Act Claims Against Google in California's Northern District
When is the “course of business” considered “ordinary?”
By Bob Scott
Both cases challenge, among other things, Google’s practice of sharing data collected from its customers with advertising partners. In both cases, Google asked the court to dismiss claims that this sharing violates the Wiretap Act, on the basis of the Act’s exception that allows a provider of electronic communications services to intercept customer data “in the ordinary course of business.” Yet the cases reach opposite decisions on the applicability of that exception to very similar claims.
By Lance Koonce
In 1891, Arthur Conan Doyle wrote a Sherlock Holmes short story entitled “A Case of Identity”. In it, Holmes solves a mystery in part by determining that several different letters were all typed on the same typewriter:
By Christin S. McMeley, Paul Glist, and Leslie Gallagher Moylan
A bipartisan, bicameral effort is again underway to extend current law and impose new restraints on the online tracking of children and teens under the age of 16. As promised, on Thursday, Nov.14, 2013, Senator Edward Markey (D-Mass) and Rep. Joe Barton (R-Texas) introduced their respective versions (S. 1700 and H.R. 3481) of the “Do Not Track Kids Act of 2013.” Specifically, the Do Not Track Kids Act would:
· Extend many of the privacy protections already afforded to children ages 12 and under in the Children's Online Privacy Protection Act (COPPA) to teens through age 15;
· Formally include online and mobile applications (the FTC already did this through enforcement actions and then by rule in its recent COPPA amendments);
· Expand the definition of “personal information” to include device identifiers;
· Extend COPPA protections to geolocation information;
· Prohibit targeted marketing to children and minors without verifiable parental consent for children or the consent of a “minor” (13-15 year old);
· Require the operators of a website, online service, or online or mobile application “directed to minors” to adopt and comply with a “Digital Marketing Bill of Rights for Teens” that is consistent with the Fair Information Practices Principles; and
· Attempt to arm parents and their children with an “eraser button” to eliminate publicly available personal information online.
Using momentum gained from the ineffective attempts to establish broader, voluntary Do Not Track standards and mechanisms, California’s recent “Do Not Track” and “Eraser” laws, and increased interest by lawmakers in online tracking and privacy issues generally, Senator Markey and Congressman Barton have focused their efforts “to protect children and teens”—which may be the only way to advance the broader Do Not Track concept in a stymied Congress.
By Robert Stankey
The European Parliament has finalized its version of the proposed Data Protection Regulation, which would substantially change personal data protection rules in the 31-country European Economic Area. The Parliament’s LIBE committee voted October 21 on a final package of amendments to the European Commission’s draft regulation in January 2012. After formal approval by the full Parliament, negotiations will begin with national governments (through the Council of the European Union) on a final version of the legislation.
Key features of the amendments are:
- Higher penalties – Violations could be punished through the imposition of fines of up to the greater of €100 million ($137 million) or 5% of annual worldwide revenue (compared with €1 million or 2% proposed by the Commission).
- Breach notification – Regulators and, in certain circumstances, affected individuals still must be notified of data breaches, but the 24-hour notification deadline that had been proposed by the Commission has been eliminated.
- Consent – Affirmative action (such as through a writing or an online acceptance) is required to show consent. Implied consent through use of a service is not sufficient.
- Right of erasure – Existing rights to request the deletion of personal data have been strengthened as a replacement for the Commission’s controversial and ill-defined proposal for a “right to be forgotten”.
- Disclosure to foreign governments – New provisions would make it a violation to disclose information that is processed in the EU to a foreign government without the approval of a data protection authority.
- Standardized information disclosures – Standard information disclosures have been specified, including an icon-based compliance scorecard.
- Pseudonymous data – A new category of personal data that cannot be attributed to a specific individual will be subject to a different set of privacy rules.
- Profiling – Use of personal data for analytic or predictive purposes would require an individual’s consent and provide a mechanism to object to profiling.
- Extraterritorial application – Parliament has somewhat strengthened provisions that would make data protection rules applicable to all non-European companies that offer goods or services to Europeans or that monitor Europeans. Data processing within Europe would no longer be required for EU privacy rules to apply.
- Home regulator – Data controllers would be subject to enforcement by the regulator where they have their main establishment in Europe.
The text approved by European Parliament can be found here and here. The Parliament also finalized its changes to the Commission’s proposal for a directive protecting personal data held by European governments and public bodies.
On October 22, 2013, the National Institute of Standards and Technology (NIST) released its “Preliminary Cybersecurity Framework” with comments due 45 days after publication in the Federal Register. NIST expects the window for comments to open expeditiously so that it may comply with the deadlines established in President Obama’s Executive Order 13636 (the “EO”). Under the EO, NIST must evaluate comments, revise the Preliminary Framework, and issue a final version by February 12, 2014 (see our earlier posts found here and here). The Administration seeks to encourage private sector adoption of the Framework through potential incentives, and given the increasing volume of and risk from hacking and data loss, private entities should be reviewing their cybersecurity and data protection practices as a matter of ongoing operations.
Google is seeking further review in two cases we wrote about last week on alleged Wiretap Act violations. In the Gmail case, where Google was charged with improperly reviewing subscribers’ emails, Google asked Judge Koh to certify her decision for interlocutory appeal to the Ninth Circuit. But even if Judge Koh grants Google’s motion, the Ninth Circuit still has to agree to take the appeal. And given the Ninth Circuit’s Decision in Google’s Street View case, where Google was found to have improperly “intercepted” unencrypted Wi-Fi signals, it is not clear that Google will succeed in gaining interlocutory review, except that….
Google may feel encouraged because the Ninth Circuit on Wednesday ordered the plaintiffs to respond to Google’s petition for panel and en banc rehearing in the Street View case, a precondition to any grant of rehearing. We will update on plaintiffs’ filing and the court’s action on Google’s petition.
While federal courts in California seem more inclined to let plaintiffs move forward with Wiretap Act claims, a U.S. District Court Judge in Delaware dismissed claims that Google violated computer users’ rights by placing “cookies” into users’ Web browsers to facilitate the placement of advertising, and disregarding Apple’s Safari browser’s default blocker. The court held that a URL is merely “a location identifier” and therefore, the cookies do not intercept “contents” as required for a Wiretap Act violation, nor does it “demonstrate that Google intercepted any ‘contents or meaning’” under California’s Invasion of Privacy Act. The court also dismissed claims that the placement of such cookies violated the Stored Communications Act, stating that “[d]espite the temptation, the court declines to try to fit a square peg (modern technology) into the proverbial round hole (the intent of Congress as reflected in the statutory language of the SCA).” Even though the court found that, “while plaintiffs have offered some evidence that the online personal information at issue has some modicum of identifiable value to an individual plaintiff, plaintiffs have not sufficiently alleged that the ability to monetize their PII has been diminished or lost by virtue of Google's previous collection of it,” it went on to resolve and dismiss the substantive issues because when plaintiffs allege statutory violations with the possibility of collecting statutory damages, “the absence of any actual injury, may in some circumstances create standing.”
It is reasonable to expect that unless and until there are definitive appellate or SCOTUS rulings on standing or that the “round hole” of ECPA cannot easily accommodate the “square peg” of modern technology, we will continue to see the class action privacy bar testing the waters.
9th Circuit Joffe v. Google "Street View" Decision Raises Questions About Wiretap Act's "Radio Transmissions" Exception
By John Seiver
Latest FTC Enforcement Action Reflects Agency's Intent to Focus on Emerging Market Involving the "Internet of Things"
By K.C. Halm
In its first enforcement action against a company operating in the emerging market known as the “Internet of Things”, the FTC has secured a settlement agreement with a company that markets Internet-connected video cameras designed to allow consumers to remotely monitor their homes.
The increasing connectivity of consumer devices, such as cars, appliances, and medical devices, and the capability for these devices to communicate with other such devices, is commonly referred to as the Internet of Things. Many of the devices connected through the Internet of Things have the capability to communicate with consumers, transmit data back to companies, and compile data for third parties such as researchers, health care providers, or even other consumers, who can measure how their product usage compares with that of their neighbors.
But the benefits of such connectivity also present potential privacy and security risks, as the FTC’s latest action illustrates.
By Robert G. Scott, Jr.
The National Institute of Standards and Technology (NIST) has released the first draft of the Cybersecurity Framework required by President Obama’s Executive Order 13636 and Presidential Policy Directive 21, as detailed in our earlier posts (found here, here and here). The draft outlines the tentative format of the final Framework, which would include four major sections:
- A guide for senior executives and others on how to use the Framework to evaluate and manage their organizations’ cyber risk preparedness;
- A user’s guide for more detailed implementation of the Framework;
- The “core structure” of the Framework; and
- A compendium of references such as existing cybersecurity standards, guidelines and practices.
Last week Senator Pat Toomey (R-PA), along with one Independent and six other Republican Senators, introduced the “Data Security and Breach Notification Act of 2013.” The bill would provide businesses and consumers with a single set of rules for notifications in the event certain electronic records are compromised, preempting state data breach notification requirements and several federal laws that contain security requirements.
Federal Cybersecurity Initiatives Demand Vigilance of Communication and Energy Infrastructure Owners and Operators
Cybersecurity initiatives are moving rapidly within the federal government and require owners and operators of critical infrastructure – including in particular Communication and Energy Systems, and those who supply and service them – to remain vigilant in managing cybersecurity risks. The National Institute of Standards and Technology (NIST) is moving quickly to develop the Cybersecurity Framework required by President Obama’s Executive Order 13636 (EO-13636) and Presidential Policy Directive 21 (PPD-21), as detailed in our earlier posts here and here. At the same time, Congress continues to develop cybersecurity legislation to address concerns over the current state of cybersecurity and cyber-threat information-sharing in various sectors of the economy. Chief among these sectors are energy and communications, which are deemed “uniquely critical” in PPD-21 given their role in supporting all other critical infrastructure.
By Dan Reing
On April 3, 2013, the National Institute of Standards and Technology (“NIST”) hosted the first of four planned Cybersecurity Framework Workshops at the Department of Commerce, consisting of five panel discussions among a variety of private and public stakeholders affected by the Executive Order on “Improving Critical Infrastructure Cybersecurity” (“EO”) issued February 13, 2013. As we previously discussed, the EO set in motion a process to develop and implement a national, voluntary Cybersecurity Standards Framework aimed at protecting the nation’s critical infrastructure and the provision of essential services to the American people. The EO tasked NIST with drafting the Cybersecurity Framework, and on February 24, 2013, it issued a Request For Information (“RFI”) seeking public comment on issues the Cybersecurity Framework should address. The RFI comment period closes on April 8, 2013.
On February 12, 2012, President Obama signed an Executive Order as well as a complementary Presidential Policy Directive intended to improve the flow of information and cyber-threat intelligence between government agencies and the private sector, and to improve the security of the nation’s critical infrastructure. The policies and requirements in these documents outline an ever-increasing role for owners and operators of critical infrastructure in resisting cyber threats.
Fourth Circuit Decision Deepens Split of Authority on Federal Computer Fraud and Abuse Act's Prohibition on Conduct that "Exceeds Authorized Access"
Joins Recent 9th Circuit Decision Narrowly Construing the Law
The U.S. Court of Appeals for the 4th Circuit has issued a ruling in WEC Carolina Energy Solutions v. Miller, holding that the federal Computer Fraud and Abuse Act (“CFAA”) prohibition on exceeding “authorized access” to a computer covers only the scope of access allowed and exceeded, not subsequent use of any information obtained by way of such access. In doing so, the 4th Circuit echoed the recent 9th Circuit en banc decision in U.S. v. Nosal adopting a similarly narrow construction of the statute, as described in our post here. As noted, the Nosal decision departed from broader interpretations of “exceeds authorized access” adopted by the 5th, 7th, and 11th Circuits, and the 4th Circuit’s WEC decision now makes that split even more attractive for possible Supreme Court review.
By Randy Gainer
A recent story in the Washington Post describes former FBI assistant director Shawn Henry’s plan to “name names” of governments that sponsor hackers to break into U.S. networks. He also suggests that the private firm he recently joined, CrowdStrike, may take countermeasures against hackers. Such “hack-back” strategies have been debated in the security community for several years. That Mr. Henry is talking openly about going on the offensive against hackers may mean that hacker battles are about to get more interesting.
In a Notice of Apparent Liability (NAL) released Monday by the Federal Communications Commission (FCC) against Google, the FCC found that Google’s collection of unencrypted data obtained from Wi-Fi networks in its Street View project did not violate the Communications Act provision that prohibits the unauthorized interception and either use or publication of radio communications. However, the FCC has proposed a $25,000 forfeiture penalty for Google’s initial failure to cooperate with the agency’s investigation of this matter.
Oregon Supreme Court Decision Shows How Rapid Response to Data Breach Can Pay Off in Ensuing Litigation
Check out our new advisory, in which Doug Ross and Greg Chaimov explain how taking prompt and effective action to protect patients after a data breach paid big dividends in the Oregon Supreme Court, which affirmed dismissal of a class action against Providence Health & Services-Oregon. The case is significant in that it shows a prompt and substantial response to such data theft can play a vital role in prevailing in ensuing litigation, especially given that, when the data theft occurred, Oregon had no law governing how a custodian of records like Providence should respond. That Providence responded quickly to contact its patients and arrange for credit protection was a key factor in the outcome. Read more here.
European Commission Releases Formal Proposal on Data Protection Reform
On Jan. 25, 2012, the European Commission released the final version of its proposed revisions to the European Union’s data protection framework. The package of changes represents a comprehensive reform of the EU’s 1995 data protection rules.
First Circuit Case Becomes One of First Successful Attempts to Assert Data Breach Class Action Liability
In a departure from the recent trend of courts refusing to allow data breach claimants to seek mitigation damages, the First Circuit recently held in Anderson v. Hannaford Bros. Co. that credit and debit card payment processors may be held liable for mitigation damages in the wake of targeted card-number theft by a criminal enterprise. In Hannaford, the appeals court reversed a decision below that dismissed negligence and implied contract claims arising out of a 2007 breach of grocer Hannaford’s electronic payment processing system, which resulted in the theft of 4.2 million credit and debit card numbers. The First Circuit’s decision suggests credit and debit card payment processors may be at a higher risk than previously thought of facing viable class action claims in the wake of data breaches.
New Court Decision Upends U.C.C. Rule Typically Applied, Holds Bank Liable for Unrecovered Funds from a Phishing Attack
By: Micah Ratner
A U.S. District Court in the Eastern District of Michigan has issued its decision in Experi-Metal, Inc. v. Comerica Bank, holding that a bank—instead of the bank’s customer—was liable for $560,000 in unrecovered funds from a phishing attack. The case is noteworthy because a customer is typically liable for unauthorized transfers under Uniform Commercial Code (“U.C.C.”) Article 4A. Under U.C.C. Section 4A-202, the customer is responsible for unauthorized transfers if (1) the bank and customer agree that the bank will authenticate transfers through a security procedure, (2) the security procedure is commercially reasonable, and (3) the bank accepted the transfer in good faith.
Those of you who were once frequent visitors to this blog may, by now, be asking one or more of the following questions:
(a) Why haven’t you guys posted anything for so many months?
(b) Why does the site look different?
(c) Who’s going to win the NBA playoffs?
(d) Why did they cancel My Name is Earl?
Well, the first two at least. The truth is that this blog was started in August 2005, and ran steadily (sometimes more steadily than others) for about three years. As blogs go, that’s a fairly distinguished record – there are more abandoned blogs lining the sides of the Information Superhighway than there are hubcaps along the Cross Bronx. Wait, did we actually just use the phrase “Information Superhighway”? Because that is so 2005. As is that phrase we just used.
So anyway, when our firm decided to revamp its website, we took this as an opportunity to think seriously (read: discuss over drinks) what we wanted to accomplish with this blog, and what we needed to do to keep it fresh and relevant. The process has taken a bit longer than we expected, but here’s where we are:
Rather than a long list of bloggers, you will be getting regular updates from just five of us – and henceforth there will be no more posts in this annoying third-person, royal we, voice. We may have some guest bloggers on occasion, but for the most part you can level any criticisms at the following:
Bruce Johnson, our Burgermeister-Meisterburger, who will be blogging on the topic of Personal Communications (blogging, employee/employer relations, etc.)
Randy Gainer, who will be captivating you with stories about the Government Surveillance (ECPA/CFAA, CALEA, REAL ID/travel issues, etc.)
Charlene Brownlee, who is by far the most stylish among us (and who will be blogging on the subject of Data Breaches and identity-theft laws)
Ronald London, who will endeavor to keep an eye on Congress and will be blogging about telemarketing, junk fax, CAN-SPAM, behavioral/advanced advertising, and CPNI (which we’ll call Marketing and Consumer Privacy)
Lance Koonce, who will try not to mangle any stories about Online Threats such as hacking, phishing, pharming, pretexting, malware/spyware, and offline versions such as dumpster diving and the theft/loss of data-containing devices.
We do not purport to be a source for all news that touches on privacy and security – the field has exploded and aggregating such information would be a full-time career. Rather, we hope to tease out interesting aspects of specific issues within our areas of coverage. We hope you’ll take a look, and keep coming back if what you see intrigues you.
The PrivSecBlog Team
And by the way:
Ratings. And possibly bad karma.