The plethora of security incidents in the news have once again put security front and center of the international agenda. Predictably, this has triggered a number of responses from governments around the world. Some of these responses seem to have been ill-considered. However, one of the more comprehensive responses came out of the US President’s address to the Federal Trade Commission last week. A series of laws were proposed to address the increasing risks which are confronting individual security and privacy rights.

The President’s remarks at the FTC gives some valuable insight into where the US regulatory environment may end up in the next year or so. As a part of this analysis, one should focus on two very different agendas: Privacy and Security. These issues, while similar, are very different. Case in point, the UK PM’s comment around banning encryption could well result in increased security. However, it will absolutely damage individual privacy (and arguably also damage commercial security). Continue Reading Privacy & Security Are Back on the Agenda in DC

A company faced with a security breach has a lengthy “to do” list, things to accomplish with respect to its incident response plan. It must, among other things, determine the root cause of the vulnerability or breach, investigate and eliminate the vulnerability or breach, determine the full nature and extent of the breach, determine who to notify and finalize the notifications.

If the American Postal Workers Union (APWU) has its way, a unionized employer facing a security breach involving employee personal information would have yet another responsibility – bargaining over the impact of or response to the security breach. Continue Reading Union Files NLRB Complaint Regarding the USPS’ Handling of Security Breach Involving Employee Personal Information

This week, the Connecticut Supreme Court issued an opinion which upheld a state common law negligence action against a healthcare provider for violation of privacy and confidentiality laws and regulations using as evidence of the standard of care the Health Information Portability and Accountability Act (HIPAA) and its accompanying regulations. The court denied defense arguments that HIPAA, which expressly does not provide a private right of action, preempts such state law negligence claims. Continue Reading Connecticut Supreme Court Grants Private Action for HIPAA Breach

Cross Posted from Trading Secrets

The security breach news cycle continues. There remains a deluge of news stories about point-of-sale terminals being compromised, the ease of magnetic stripes being cloned, and the need for Chip and PIN technology being deployed on credit cards. The legal ramifications of all these events is just starting to become apparent – and it’s complicated. Individual liability is beginning to develop. Continue Reading Security Breach Liability – its Complicated

While the Supreme Court has taken some heat in the past for seeming to misunderstand technology and how it impacts the normal person’s life, with Riley v. California the Court demonstrated not only an unexpected fluency with how mobile phone technology has evolved, but also with how it has caused our daily sphere of privacy expectations to evolve. Just like when the police want to rifle through your house, when they want to go through your phone, the Chief Justice makes it very simple – get a warrant.

The CJEU’s judgment against Google has been hailed as a “Landmark Ruling“. I agree that this judgment is a landmark ruling – however, not for the reason everyone else is making it out to be. As noted earlier, the “Right to be Forgotten” isn’t really in the holding of the judgment. Further, the “long-arm” application of EU law isn’t something new (at least to US attorneys). What is new is the reason for allowing a right of deletion against a search engine and not the underlying publisher of the original facts. Continue Reading The CJEU’s Judgement Against Google: What It Does Mean

The Court of Justice for the European Union (“CJEU”) issued a judgment in the case Google v. AEPD which has garnered a significant amount of attention. The two primary reasons for this attention (besides it is a case against Google – which usually is newsworthy) are 1) the seeming expansion of EU law into extra-territorial reach, and 2) the recognition of the “Right to be Forgotten”. Several authors have taken it upon themselves to spill quite a bit of ink on this judgment. And, there is some trepidation that business will be negatively impacted in a new and significant way under this judgment. A careful reading of both the Advocate General’s Opinion as well as the CJEU’s judgment in this matter does show how the EU is progressing in the matter of cross-border privacy protections. However, this judgment may not be as far reaching as some commentators have thought. Continue Reading The CJEU’s Judgment Against Google: What It Doesn’t Mean

The White House released a set of reports this month on Big Data and the privacy implications of Big Data. While a number of folks have been discussing the President’s Council of Advisors on Science & Technology (“PCAST”) report, I would offer that the Office of Science and Technology Policy (“OSTP”) report needs to be read in conjunction with the PCAST report. They do two different things. One is a report on the technical state of affairs, and the other is more of a policy direction piece, which is driven by the technologically-oriented findings. Various points-of-view have been put forth as to the relative merits of each report, but there seems to be an important element missing from both reports. Both reports discuss the need for policy decisions to be based on context and on desired outcomes. Unfortunately, neither report really gives a good taxonomy around the informatics ecosystem to allow for a clear path forward on “context” and “desired outcomes”. What I mean by this is best summed up in the comment in the PCAST report which states: “In this report, PCAST usually does not distinguish between “data” and “information”.”. “Data” and “Information” are very different things, and one really can’t have a coherent policy discussion unless the distinction between the two is recognized and managed. Continue Reading How to Talk About Big Data: A Framework

To continue my prior post on the Article 29 Working Party’s Opinion 6/2014, it is important to take a closer look at the specifics of the notion of a Controller’s “Legitimate Interests”

Unlike all the other criteria for lawful processing, Article 7(f) is the only one which specifically articulates the idea that commercial interests should have weight in the calculus of “fair and lawful” processing. In each of the other criteria, if the criteria is met, the grounds for processing are considered a priori legitimate. In Article 7(f), each purpose for processing will need to have the balancing test engaged. This is going to require a bit more analysis than the other criteria. However, because of the fact that this analysis is internal to the business, it may well be less onerous than other options would be (e.g. having the DPA opine as to the legitimacy of the processing). Continue Reading Legitimate Interests – Alternative to Notice & Choice?

When talking about EU privacy law many businesses bemoan the lack of a “commercially reasonable” basis for collecting and using personal information. Europe is usually seen as a consumer-protective regime which focuses on prohibiting business from doing anything with data unless the consumer has affirmatively agreed to the processing before the processing begins (e.g. the “cookie directive”). However, the Article 29 Working Party (“WP”) has just released an Opinion which signals a change in the winds. The rarely used “legitimate interest of the data controller” basis for processing now has a new importance in the realm of fair and legal criteria for processing personal information. Continue Reading On Balance – the Legitimate Interest of a Controller