The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee



California Soon to Have RFID Driver Licenses

A California bill, S.B. 397, would allow the Department of Motor Vehicles (DMV) to issue enhanced driver’s licenses (EDLs) and identification cards, that is, licenses and IDs containing radio frequency identification (RFID) technology.

Such EDLs would include a machine-readable zone or barcode that could be electronically read from a distance. These cards would transmit an encrypted, randomly assigned number, but would not contain any other personal data, biometric information, or number. They would only contain the information required by the federal Western Hemisphere Travel Initiative (WHTI) established by the Department of State and Department of Homeland Security.

Pro: Convenience and Speediness

The WHTI requires U.S. and Canadian travelers to present a passport or other document proving their identity and citizenship when entering the U.S.

Carrying an EDL would allow travelers to use the Ready Lanes already available at some ports of entry, which make the process of entering the U.S. faster and easier. A summary of the bill made this month by the Assembly’s Appropriations Committee describes the process as “convenient and time-saving.” Four U.S. states, Michigan, New York, Vermont, and Washington, are already issuing EDLs.

Con: Privacy and Security Risks

What may be the risks for privacy? The web site of the Department of Homeland Security (DHS) states that “[n]o personally identifiable information is stored on the card’s RFID chip or can be transmitted electronically by the card. The card uses a unique identification number that links to information contained in a secure Department of Homeland Security database. This number does not contain any personally identifiable information.”

S.B. 397 contains provisions addressing the security issues that the use of such cards may raise. It states that the DMV would include in the EDLs “reasonable security measures, including tamper-resistant features to prevent unauthorized duplication or cloning and to protect against unauthorized disclosure of personal information regarding the person who is the subject of the license, permit, or card.”

The American Civil Liberties Union of Northern California opposes the bill, and states that DHS has admitted that the personal information encoded on the RFID chip could be read from up to 30 feet away. Also, the EDLs do not include technological protections to prevent the personal information from being read without the individual’s knowledge or consent.

The ACLU mentions a scientific report which studied the security of the Washington EDLs. The authors of this report stated that the RFID chips contained in such cards have only limited security features and, as such, could be surreptitiously scanned and reproduced.

A note from the ACLU of Washington, published at the time Washington state proposed to have EDLs, had noted that such cards do not have built-in security, and thus the Department of Licensing would have to provide users with a security sleeve designed to block the RFID transmission. Such a sleeve does prevent the card from being scanned without authorization, but, as the EDL does not have an on/off switch, the card can broadcast information to compatible readers within its range if it is taken out of the protective sleeve by accident.

The site of the Washington State Department of Licensing informs users that the “[e]nhancements included in the EDLs… are industry best practices for security”, that is, “secure and isolated-dedicated (optic fiber) network connectivity; encryption of personal identifying information between Washington State and the Border Officer during transmission; closed and secure network design, including firewalls and limited and controlled access to the network, network equipment, and data centers.”

Big Data at the Borders

However, there is no clear information on whether data about travel is retained, and, if it is, for how long. As travel data is of particular interest to governments, there may be a temptation to store and analyze it. For example, the Australian Customs and Border Protection Service recently put in place a program using Big Data to analyze passenger information. There is no such program yet in the U.S., and the EDLs cannot be used for air travel, but we should keep in mind that these cards may be used as intelligence/surveillance tools.

The California bill has been approved by the Senate, and is now under consideration in the Assembly. It is expected to pass. A Committee hearing is scheduled for next Friday, August 30th.


New European Union Regulation about Notification of Personal Data Breaches Enters into Force

A new European Union Regulation applicable to the notification of personal data breaches entered into force on Sunday, August 25.

The Regulation is part of the effort to address the issue identified in article 35 of the Digital Agenda for Europe, to give guidance for implementing a new Telecoms Framework to better protect individuals’ privacy and personal data.

To do so, Directive 2009/136/EC of November 25, 2009 had amended Directive 2002/22/EC, the ePrivacy Directive, and had directed the Member States to add to their laws and regulations, by May 25, 2011, a duty for publicly available electronic communications service providers (ECPs) to report personal data breaches.

A Duty to Report Personal Data Breaches Under Directive 2009/136/EC

Under the modified ePrivacy Directive, ECPs, such as telecoms operators and Internet service providers, must, “without undue delay,” notify their national authorities of any personal data breach.

Article 2(i) of the modified ePrivacy Directive defines “personal data breach” as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the Community.”

Under article 4 of the modified ePrivacy Directive, ECPs must notify individuals of the breach “without undue delay” if it is “likely to adversely affect [their] personal data or privacy,” unless the ECP affected by the breach can demonstrate to its national authority that it has implemented “appropriate technological protection measures.”

A Regulation to Ensure Consistency in Implementing the Modified ePrivacy Directive

A Directive is not directly enforceable in the 28 Member States, but, instead, sets the goals to be achieved and leaves Member States the choice on how to implement these goals in their national systems. Therefore, there is always a risk that the 28 different ways to implement a particular Directive lead to some inconsistencies.

In order to ensure consistency in the implementation of these new data breach notification measures, article 4(5) of the modified ePrivacy Directive gave the EU Commission the power to adopt technical implementing measures.

This is why the Commission published a Regulation on June 24, 2013. Unlike a Directive, a Regulation is directly applicable in all Member States, and thus ensures that the law is the same in all the Member States.

Notification of Personal Data Breaches to the National Authorities

Article 1 of the Regulation defines its scope as notification by ECPs of personal data breaches. Annex I of the Regulation details the content of what must be notified to the national authority, divided into two sections:

Section 1

Identification of the provider

1. Name of the provider

2. Identity and contact details of the data protection officer or other contact point where more information can be obtained

3. Whether it concerns a first or second notification

Initial information on the personal data breach (for completion in later notifications, where applicable)

4. Date and time of incident (if known; where necessary an estimate can be made), and of detection of incident

5. Circumstances of the personal data breach (e.g. loss, theft, copying)

6. Nature and content of the personal data concerned

7. Technical and organizational measures applied (or to be applied) by the provider to the affected personal data

8. Relevant use of other providers (where applicable)

Section 2

Further information on the personal data breach

9. Summary of the incident that caused the personal data breach (including the physical location of the breach and the storage media involved)

10. Number of subscribers or individuals concerned

11. Potential consequences and potential adverse effects on subscribers or individuals

12. Technical and organizational measures taken by the provider to mitigate potential adverse effects

Possible additional notification to subscribers or individuals

13. Content of notification

14. Means of communication used

15. Number of subscribers or individuals notified

Possible cross-border issues

16. Personal data breach involving subscribers or individuals in other Member States

17. Notification of other competent national authorities

Recital 11 of the Regulation suggests that national authorities should provide ECPs with a secure electronic means to notify them about personal data breaches, and that this means should use a common format across the EU, such as XML or an online form.

If some of this information is not available, an ECP can make an initial notification to the competent national authority within 24 hours, including only the information described in section 1. The ECP must then make a second notification “as soon as possible, and in the latest within three days after the initial notification,” providing the information described in section 2.

This precise time frame is welcome, as the phrasing “undue delay” in the modified ePrivacy Directive was vague. However, a 24-hour delay for an initial notification, followed by only three more days to gather the information necessary for a complete notification, may leave some companies scrambling to meet their legal obligations.

Notification of Personal Data Breaches to the Subscriber or the Individual

Notifications to subscribers or individuals must contain all the information contained in Annex II of the Regulation:

1. Name of the provider

2. Identity and contact details of the data protection officer or other contact point where more information can be obtained

3. Summary of the incident that caused the personal data breach

4. Estimated date of the incident

5. Nature and content of the personal data concerned as referred to in Article 3(2)

6. Likely consequences of the personal data breach for the subscriber or individual concerned as referred to in Article 3(2)

7. Circumstances of the personal data breach as referred to in Article 3(2)

8. Measures taken by the provider to address the personal data breach

9. Measures recommended by the provider to mitigate possible adverse effects

According to article 3.3 of the Regulation, such notification must be made “without undue delay after the detection of the personal data breach.” As ECPs must provide a copy of this notification when notifying their national authorities of a breach, such notification has to be made, at the latest, 24 hours after the occurrence of the breach, again, a rather short delay.

A Safe Harbor: Implementation of Technological Security Measures

Article 4 of the Regulation states that ECPs do not have to notify subscribers or individuals if they were able to demonstrate to their national authority that they have implemented “appropriate technology protection measures” which were applied to the data affected by the breach.

Such measures must render the data unintelligible. Articles 4.2(a) and 4.2(b) detail when data will be considered unintelligible:

(a) it has been securely encrypted with a standardized algorithm, the key used to decrypt the data has not been compromised in any security breach, and the key used to decrypt the data has been generated so that it cannot be ascertained by available technological means by any person who is not authorized to access the key; or

(b) it has been replaced by its hashed value calculated with a standardized cryptographic keyed hash function, the key used to hash the data has not been compromised in any security breach, and the key used to hash the data has been generated in a way that it cannot be ascertained by available technological means by any person who is not authorized to access the key.
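The (b) branch above turns on two conditions a provider can actually test for: the hash must be keyed with a standardized keyed hash function, and the key must be generated so that it cannot be ascertained by anyone not authorized to hold it. The following added example (not code from the Regulation, the Commission or this post) illustrates both conditions using HMAC-SHA-256 as the keyed hash and the operating system's random source for the key, and runs the self-check a provider would want before relying on the safe harbor: how much of a stored set of hashed subscriber identifiers a party without the key could resolve by simply hashing every candidate identifier. The subscriber numbers and the candidate range are constructed and fictitious.

```python
"""Added example: keyed hashing of subscriber identifiers in the sense of
Article 4.2(b), with a self-check that the hashed values are unintelligible
to a party who does not hold the key. All data here is constructed."""
import hashlib
import hmac
import secrets

# Constructed sample: ten subscriber numbers drawn from a fictitious range.
SUBSCRIBERS = [f"+3399000{i:04d}" for i in
               (17, 42, 256, 1024, 2048, 4096, 5000, 7777, 8192, 9999)]

# Everything an outsider could enumerate: the whole fictitious 10,000-number
# range. Phone numbers are a small space, which is why an unkeyed hash of
# them does not qualify as "unintelligible".
CANDIDATE_SPACE = [f"+3399000{i:04d}" for i in range(10_000)]


def generate_hash_key() -> bytes:
    """256-bit key from the OS CSPRNG, so it cannot be derived from any
    public or guessable value. In production the key lives in a KMS/HSM,
    separate from the hashed data (the 'key not compromised' condition)."""
    return secrets.token_bytes(32)


def keyed_hash(key: bytes, value: str) -> str:
    """Standardized keyed hash (HMAC-SHA-256, RFC 2104 / FIPS 198-1)."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def unkeyed_hash(value: str) -> str:
    """Plain SHA-256: NOT keyed, shown only to contrast with keyed_hash."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def resolvable_fraction(stored_hashes, candidates, hash_fn) -> float:
    """Self-check: share of stored hashes that someone who can run hash_fn
    over every candidate identifier could map back to a subscriber."""
    lookup = {hash_fn(c): c for c in candidates}
    hits = sum(1 for h in stored_hashes if h in lookup)
    return hits / len(stored_hashes)


def safe_harbor_self_check() -> dict:
    """Compare the four situations the Regulation's wording distinguishes."""
    key = generate_hash_key()
    wrong_key = generate_hash_key()          # an outsider's guess at the key
    keyed = [keyed_hash(key, s) for s in SUBSCRIBERS]
    unkeyed = [unkeyed_hash(s) for s in SUBSCRIBERS]
    return {
        # No key at all: every stored value is resolvable -> intelligible.
        "unkeyed": resolvable_fraction(unkeyed, CANDIDATE_SPACE, unkeyed_hash),
        # Keyed, outsider has no key: nothing resolves -> unintelligible.
        "keyed_no_key": resolvable_fraction(
            keyed, CANDIDATE_SPACE, unkeyed_hash),
        # Keyed, outsider guesses a key: still nothing resolves.
        "keyed_wrong_key": resolvable_fraction(
            keyed, CANDIDATE_SPACE, lambda v: keyed_hash(wrong_key, v)),
        # Keyed, but the key itself leaked: the (b) condition "key not
        # compromised" fails and everything resolves again.
        "keyed_compromised_key": resolvable_fraction(
            keyed, CANDIDATE_SPACE, lambda v: keyed_hash(key, v)),
    }


if __name__ == "__main__":
    for situation, fraction in safe_harbor_self_check().items():
        print(f"{situation:>22}: {fraction:.0%} of stored hashes resolvable")
```

The point of the last entry is that the safe harbor is lost the moment the key is part of the breach, so the key must be stored and accessed separately from the hashed records; and the first entry shows why the Regulation insists on a keyed hash rather than any hash: identifiers such as phone numbers come from a space small enough to enumerate.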

So far, only ECPs have a duty to report personal data breaches in the EU. However, the new data protection Regulation currently debated in the European Parliament would provide an obligation for all data controllers to report personal data breaches to their supervisory authority (article 31) and to the data subject affected by the breach (article 32).

The entering into force of the June 24, 2013 Regulation may provide an insight on how well ECPs are prepared to meet their obligations, and will also likely give clues on whether it will indeed be feasible for data controllers to meet their obligations under the new data protection Regulation, likely to enter into force next year.



The Third Circuit Rules Consumers May Opt-Out of Autodialed Calls at Any Time

For the first time, a federal court of appeals ruled that a consumer may at any time revoke prior consent to receive autodialed or prerecorded calls to a cell phone number.  Gager v Dell Financial Services, LLC (3d Circuit, No. 12-2823, filed Aug. 22, 2013).  Under the Telephone Consumer Protection Act (“TCPA”), any person making a call to a cell phone using automatic telephone dialing equipment must have the prior express consent of the person called, unless there is an emergency. 47 U.S.C. §227(b)(1)(A).   The TCPA is silent as to what constitutes prior express consent or when express consent may be revoked.  In addition, the Federal Communication Commission (“FCC”) has not clearly defined when consent may be revoked.

The plaintiff in the case sued Dell Financial Services (“Dell”) for violating the TCPA by repeatedly placing debt collection calls to her cell phone after she sent a written letter asking Dell to stop making calls to her number.  The plaintiff had listed her cell phone number as her home phone on the credit application, but never informed Dell that it was her cell phone.

The Third Circuit’s ruling reverses the district court’s dismissal of the case.  The district court granted Dell’s motion to dismiss on the grounds that the TCPA does not provide for “post-formation revocation of consent” and that, although the plaintiff had the right to instruct Dell not to place autodialed calls to her cell phone, the request should have been made at the time she filled out her credit application.

On appeal, Dell argued that the TCPA’s silence on the right to revoke consent indicates that no such right exists.  In support of its argument, Dell pointed to the difference between the TCPA and the Fair Debt Collection Act, which expressly provides a right for consumers to stop unwanted debt collection calls.

The Third Circuit rejected this argument, reasoning that if Congress intended to displace the common law principle that consent may be revoked at any time, it would have done so clearly.  In addition, the court ruled that since the TCPA was enacted as a remedial statute to protect individuals from unwanted phone calls, it should be construed to benefit consumers.  Finally, the court reasoned that the FCC’s SoundBite Communications declaratory ruling last year implicitly supports the principle that consent may be revoked at any time.  In the SoundBite ruling, the FCC held that a one-time text message confirming a consumer’s request to opt out of receiving text messages does not violate the TCPA if it is sent within five minutes of the opt-out request and does not contain any marketing content.

Dell also argued that debt collection calls should not be subject to the prior express consent requirement because they are not telemarketing calls but informational calls, and so are not covered by the TCPA.  The court rejected this argument because the TCPA does not distinguish between autodialed telemarketing and informational calls to cell phones.  Rather, the TCPA clearly prohibits any call to a cell phone made using automatic equipment without the prior express consent of the called party, unless it is an emergency.  The exception for informational calls only applies to calls made to residential lines.

Importantly for businesses which may not know whether customers have provided cell phone numbers, the court also rejected Dell’s argument that the plaintiff’s number should be treated as a residential number because the plaintiff provided it as a home number and never informed Dell it was for her cell phone.  The court noted in a footnote that “Callers have a continuing responsibility to check the accuracy of their records to ensure that they are not inadvertently calling mobile numbers.” (citing In the Matter of Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991, 19 FCC Rcd. 19215, 19219-20 ¶ 11 (Sept. 21, 2004)).

Finally, the court rejected Dell’s arguments that it would be unfair to allow the plaintiff to revoke consent.  Dell first argued it would be unfair because the consent was part of the original contract to extend credit.  Second, Dell argued it would be unfair to allow borrowers to revoke consent because the inability of a creditor to use autodialing equipment would make it “difficult, if not impossible” for creditors to contact borrowers regarding their loan.  The court rejected these arguments because the ability to use autodialers to contact borrowers is not an essential term of a credit agreement and because the creditor could still contact borrowers with live calls.

Takeaways

Although the result of the Gager decision may not be surprising, it serves as a reminder of the breadth of the TCPA and important compliance steps:

  1. The TCPA requires prior express consent to make any call to a cell phone using automatic dialing equipment or prerecorded messages.
  2. It is the responsibility of the person making the calls to determine whether they are placing calls to a cell phone.  Businesses should either scrub call lists to remove cell phone numbers or implement procedures to obtain and keep records of consent from their customers prior to placing autodialed or prerecorded calls.
  3. Businesses must have in place procedures to honor requests to stop making autodialed or prerecorded calls to cell phones.  These opt-out requests may be made by individuals through any means.  Additionally, there is no grace period for processing opt-out requests under the TCPA or the FCC’s rules, so they should be processed as soon as possible.

It is also important to note that the Gager case comes less than two months before new FCC rules under the TCPA will come into effect.   As of October 16, 2013, the TCPA rules will require the following types of consent:

  1. Telemarketing Calls:  Autodialed or prerecorded calls to cell phones and prerecorded calls to residential lines require prior express written consent.  The request for written consent must: (i) clearly and conspicuously disclose that the consumer is consenting to receive future autodialed or prerecorded calls, as applicable, to the number provided for telemarketing purposes; (ii) include the recipient’s signature (which can be an electronic signature if consistent with E-SIGN or state law); and (iii) not make the consent to receive such calls a condition of purchasing any goods or services.
  2. Informational Calls:  Autodialed or prerecorded calls to cell phones require prior express consent (which may be oral or written), but autodialed or prerecorded calls to residential lines do not require prior consent.


Obtaining, and retaining proof of, proper consent is important because the TCPA provides a private right of action for actual damages or statutory damages of up to $500 per violation (and up to $1,500 per knowing or willful violation).  As a result, TCPA violations can create significant liability.  For example, last year a Jiffy Lube franchisee settled a TCPA case for between $35 and $47 million for sending text messages to customers without proper consent.



Amicus Briefs Filed Asking Court to Determine if Warrantless Searches of Cell Phone Data Are Permissible Under the Fourth Amendment

Two recent petitions for certiorari were filed regarding whether the Fourth Amendment permits police officers to search all or some digital contents of an arrestee’s cell phone incident to arrest.  Federal courts of appeal and state courts of last resort are divided on this issue.  On July 30, 2013, a petition for certiorari was filed asking the Supreme Court to review a California Court of Appeal, Fourth District case, Riley v. California.  On August 19, 2013 the U.S. Solicitor General submitted an amicus brief asking the Supreme Court to reverse the First Circuit Court of Appeal’s decision in U.S. v. Wurie.  These cases are noteworthy since they touch on arrestee’s rights to their cell phone data and since the Fourth Amendment is a bedrock for privacy law in the United States.

In U.S. v. Wurie, the police confiscated the arrestee’s Verizon LG flip-phone and retrieved the phone number of an incoming call labeled “my house.”  The police used that phone number to determine the arrestee’s residence and gather further evidence.  In Riley v. California, the police searched the arrestee’s smartphone, made an extensive search of its digital contents, and were able to gather evidence linking the arrestee to more serious crimes.  In both instances, the police made the searches without a warrant pursuant to the search-incident-to-arrest exception to the Fourth Amendment, which allows police officers to perform a class of searches that have been deemed potentially necessary to preserve destructible evidence or protect police officers.

The question of whether the search of cell phone data could ever be justified under the search-incident-to-arrest exception has come up in federal and state courts in the past, some finding that warrantless cell phone data searches are categorically lawful, others upholding a limited search.  In Riley v. California, the California Court of Appeal held that because the cell phone was immediately associated with the arrestee’s person at the time of his arrest, the warrantless search was valid.  The First Circuit joined at least two other state courts of last resort in creating a bright-line rule rejecting all warrantless cell phone data searches and declined to create a rule based on particular instances.  In its amicus brief, the Solicitor General argued that even if cell phone data searches do not fall under the search-incident-to-arrest exception, the First Circuit erred in imposing a blanket prohibition.

Cell phone data searches struck the First Circuit as “a convenient way for the police to obtain information related to a defendant’s crime of arrest—or other, as yet undiscovered crimes—without having to secure a warrant.”  In rendering its opinion, the court found that data contained on cell phones, such as photographs, videos, written and audio messages, contacts, calendar appointments, web search and browsing history, purchases, and financial and medical records is highly personal in nature, would previously have been stored in one’s home, and reflects private thoughts and activities.  Additionally, the court noted that certain applications, if installed on modern cell phones, provide direct access to the home by remotely connecting to a home computer’s webcam.  Given the highly personal nature of the data and the scope of the search, potentially a home search, the court found that cell phone data is categorically different from otherwise allowable categories of searches incident to arrest. 

The First Circuit rejected the government’s argument that the cell phone data search was necessary to prevent evidence from being destroyed by remote wiping before a warrant issued.  The First Circuit noted that the police have evidence preservation methods, such as removing the phone’s battery, turning off the phone, placing the phone in a device that blocks external electromagnetic radiation, or by making a mirror copy of the phone’s entire contents.  Unlike other circuits, the First Circuit viewed the “slight and truly theoretical risk of evidence destruction,” a risk that was “‘remote’ indeed,” as insufficient when weighed against the “significant privacy implications inherent in cell phone data searches.”  In its amicus brief, the Solicitor General argued that cell phone searches are more critical to preserving extractable evidence than previously allowed searches since co-conspirators could remove data remotely. 

The First Circuit also rejected the government’s argument that searches of items carried on one’s person are justified since the arrestee had a reduced expectation of privacy caused by the arrest.  This was the basis for the California Court of Appeal’s decision in Riley.  The Solicitor General tried to revive this argument in its amicus brief.  The First Circuit rejected this argument since at the time of the precedent cited, the court “could not have envisioned a world in which the vast majority of arrestees would be carrying on their person an item containing not physical evidence but a vast storage of intangible data—data that is not immediately destructible and poses no threat to the arresting officers.”   Allowing police to search such data at the time of arrest would create, in the court’s view, “a serious and recurring threat to the privacy of countless individuals.” 

In making its categorical ban on warrantless cell phone data searches under the search-incident-to-arrest exception, the First Circuit noted that the exigent circumstances exception to the Fourth Amendment warrant requirement might apply where the police have probable cause to believe that the phone contains evidence of a crime, as well as a compelling need to act quickly, that makes it impractical for them to obtain a warrant. 




PCI Council Highlights Changes to PCI DSS and PA-DSS

The PCI Council has announced expected changes to the PCI DSS and PA-DSS standards for the upcoming 3.0 release in November.  Key focus areas include the lack of education and awareness; weak passwords and authentication challenges; third party security challenges; slow self-detection in response to malware and other threats; and inconsistency in assessments.

While the updates are still under review by the PCI community, proposed updates include:

  • Recommendations on making PCI DSS business-as-usual and best practices for maintaining PCI DSS compliance
  • Security policy and operational procedures built into each requirement
  • Guidance for all requirements with content from the Navigating PCI DSS Guide
  • Flexibility and education regarding password strength and complexity
  • Requirements for point-of-sale terminal security
  • Requirements for penetration testing and validating segmentation
  • Considerations for cardholder data contained in memory
  • Enhanced testing procedures to clarify the level of validation expected
  • Expanded software development lifecycle security requirements for PA-DSS vendors, including threat modeling.

Final changes to the standards will be determined after PCI Community Meetings and published in November.  Registration for the 2013 Community Meetings is available here.  Additionally, the Council will host a webinar series to outline the proposed changes; registration available here.  PCI DSS and PA-DSS 3.0 will become effective on January 1, 2014.



FTC Calls for Comments on COPPA Parental Consent Verification Method

Yesterday the Federal Trade Commission issued a call for public comment on a proposed method of verification of parental consent submitted by AssertID.  The revised COPPA rule recently went into effect on July 1, and invited companies to submit new methods of verifying parental consent for FTC approval.  The FTC in particular is looking for comments regarding whether the proposed verification mechanism is already covered by the existing methods in the rule and whether it meets the rule’s requirements that the method be reasonably calculated to ensure that the person providing consent is actually the child’s parent.  The comment period will last until September 20, 2013.

The Federal Register Notice can be found here.



Federal Trade Commission Extracts Its Second Largest FCRA Fine

The Federal Trade Commission announced today that Certegy Check Services, Inc. has agreed to pay a $3.5 million fine to settle charges that it violated the Fair Credit Reporting Act (FCRA), 15 USC 1681 et seq.  This is the FTC’s second highest fine in an FCRA matter, falling behind ChoicePoint, Inc., which paid a $10 million fine in an FCRA case filed by the FTC in 2006.   

The FTC alleged that Certegy, which provides check authorization services to thousands of merchants, is a consumer reporting agency or CRA under Section 603(f) of the FCRA.  As such, Certegy is alleged to have violated a number of obligations under the FCRA, such as failing to:

  • Use reasonable procedures to assure maximum possible accuracy of consumer report information in violation of Section 607(b) of the FCRA;
  • Comply with Section 611 of the FCRA by seeking to “shift the burden of conducting a reinvestigation to consumers rather than fulfilling its legal obligation to reinvestigate disputed information”;
  • Create a streamlined process for consumers to obtain free annual reports, as required by Section 612(a)(1)(C)(i) of the FCRA and its implementing regulation, 12 CFR 1022, subpart N; and
  • Establish and implement reasonable written policies and procedures regarding the accuracy and integrity of information it furnishes to other CRAs, as required by the Furnisher Rule, 12 CFR 1022, subpart E.

This case adds to the FTC’s activity on the FCRA front this year, which includes a settlement with a marketer of criminal background screening reports and a series of warning letters to businesses for conduct that may violate the FCRA, including letters sent in May to ten data brokers.