The plethora of security incidents in the news have once again put security front and center of the international agenda. Predictably, this has triggered a number of responses from governments around the world. Some of these responses seem to have been ill-considered. However, one of the more comprehensive responses came out of the US President’s address to the Federal Trade Commission last week. A series of laws were proposed to address the increasing risks which are confronting individual security and privacy rights.

The President’s remarks at the FTC gives some valuable insight into where the US regulatory environment may end up in the next year or so. As a part of this analysis, one should focus on two very different agendas: Privacy and Security. These issues, while similar, are very different. Case in point, the UK PM’s comment around banning encryption could well result in increased security. However, it will absolutely damage individual privacy (and arguably also damage commercial security).
Continue Reading Privacy & Security Are Back on the Agenda in DC

A company faced with a security breach has a lengthy “to do” list, things to accomplish with respect to its incident response plan. It must, among other things, determine the root cause of the vulnerability or breach, investigate and eliminate the vulnerability or breach, determine the full nature and extent of the breach, determine who to notify and finalize the notifications.

If the American Postal Workers Union (APWU) has its way, a unionized employer facing a security breach involving employee personal information would have yet another responsibility – bargaining over the impact of or response to the security breach.
Continue Reading Union Files NLRB Complaint Regarding the USPS’ Handling of Security Breach Involving Employee Personal Information

This week, the Connecticut Supreme Court issued an opinion which upheld a state common law negligence action against a healthcare provider for violation of privacy and confidentiality laws and regulations using as evidence of the standard of care the Health Information Portability and Accountability Act (HIPAA) and its accompanying regulations. The court denied defense arguments that HIPAA, which expressly does not provide a private right of action, preempts such state law negligence claims.
Continue Reading Connecticut Supreme Court Grants Private Action for HIPAA Breach

The White House released a set of reports this month on Big Data and the privacy implications of Big Data. While a number of folks have been discussing the President’s Council of Advisors on Science & Technology (“PCAST”) report, I would offer that the Office of Science and Technology Policy (“OSTP”) report needs to be read in conjunction with the PCAST report. They do two different things. One is a report on the technical state of affairs, and the other is more of a policy direction piece, which is driven by the technologically-oriented findings. Various points-of-view have been put forth as to the relative merits of each report, but there seems to be an important element missing from both reports. Both reports discuss the need for policy decisions to be based on context and on desired outcomes. Unfortunately, neither report really gives a good taxonomy around the informatics ecosystem to allow for a clear path forward on “context” and “desired outcomes”. What I mean by this is best summed up in the comment in the PCAST report which states: “In this report, PCAST usually does not distinguish between “data” and “information”.”. “Data” and “Information” are very different things, and one really can’t have a coherent policy discussion unless the distinction between the two is recognized and managed.
Continue Reading How to Talk About Big Data: A Framework

When talking about EU privacy law many businesses bemoan the lack of a “commercially reasonable” basis for collecting and using personal information. Europe is usually seen as a consumer-protective regime which focuses on prohibiting business from doing anything with data unless the consumer has affirmatively agreed to the processing before the processing begins (e.g. the “cookie directive”). However, the Article 29 Working Party (“WP”) has just released an Opinion which signals a change in the winds. The rarely used “legitimate interest of the data controller” basis for processing now has a new importance in the realm of fair and legal criteria for processing personal information.
Continue Reading On Balance – the Legitimate Interest of a Controller

In recognition of the need for the world’s two largest economic blocks to coordinate data protection efforts, The Article 29 Working Party of the EU released a “Referential” to map the EU requirements for Binding Corporate Rules (“BCRs”) and the APEC Cross Border Privacy Rules System (“CBPRs”). This Referential is a tool for the two systems to determine common ground. Ultimately, it will be used by the EU in the process of determining what level of cross-recognition may exist between BCRs and CBPRs, in terms of the “adequacy” necessary to move data between the EU and Asia.
Continue Reading EU and Asian Privacy Models – Work Toward Interoperability

And now we come to the real sticking point. It actually isn’t specific to the Safe Harbor Framework. Access to data by law enforcement and intelligence assets is outside the Safe Harbor Framework. This is also the case in the EU. The proposed General Data Protection Regulation does NOT include law enforcement and intelligence activities. In some ways, this section of the “13 Recommendations” is the least connected to the Framework, as it really focuses on a country’s rights to manage its own national security and law enforcement activities. Unfortunately, this will be where the most difficulty will be in implementation – mostly because it is not directly part of the Framework, but a policy stance on national security, which has never been a part of the basis for the need Safe Harbor fulfills.
Continue Reading Access By US Authorities – The REAL Reason Safe Harbor is at Risk

The next set of recommendations seeks to improve how the individual can directly seek resolution to a potential violation of their privacy rights.

5.         The privacy policies on companies websites should include a link to the alternative dispute resolution (ADR) provider and/or EU panel.

Many companies who participate in the safe harbor framework already comply

The first set of recommendations in the Commission’s memo addresses a series of perceived deficiencies in how a Safe Harbor participating company makes its privacy practices available to the public at large.

1.         Self-certified companies should publicly disclose their privacy policies.

This is a foundational requirement for any Trustmark providing certification services around the US-EU