See the following article on a recent decision in the UK.
An interesting new article by Jeff Gould on email privacy and data mining.
An interesting article from Kurt Wimmer and Meena Harris
ISO/IEC Develop First-Ever International Standard Focusing on Privacy in the Cloud
Kurt Wimmer, Co-Chair, Privacy and Data Security Group, Covington & Burling LLP
Meena Harris, Associate, Covington & Burling LLP
Those who long have been concerned about a lack of consistent principles to guide the implementation of cloud services now have access to a new tool — one that promises to provide a useful guide to categories and controls in this important and expanding area of our practice.
This past summer, the International Organization for Standardization (“ISO”) together with the International Electrotechnical Commission (“IEC”) published ISO/IEC 27018, a new voluntary code of practice for the protection of personally identifiable information (“PII”) that is processed by a cloud-service provider. Used in conjunction with and as an expansion of ISO/IEC 27002, a best-practice guide for implementing information-security management, ISO/IEC 27018 creates a common set of security categories and controls intended specifically for cloud services. As the first international standard focused specifically on privacy in the cloud, ISO/IEC 27018 has the following key objectives:
• Help cloud-service providers that process PII to address applicable legal obligations as well as customer expectations.
• Enable transparency so customers can choose well-governed cloud services.
• Facilitate the creation of contracts for cloud services.
• Provide cloud customers with a mechanism to ensure cloud providers’ compliance with legal and other obligations.
While ISO/IEC 27018 does not replace existing laws and regulations, it provides a global common standard, which is particularly helpful for those cloud providers that offer services to customers in different countries. Because the requirements of such laws and regulations governing the protection of PII vary significantly from country to country, and obligations as between cloud-service providers and their customers can differ according to individual contract terms, ISO/IEC 27018 addresses the special challenges faced by cloud services operating internationally.
ISO states that the new standard is “applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which provide information processing services as PII processors via cloud computing under contract to other organizations.” Still, ISO notes that the new standard should be adopted only as a “starting point.” In other words, not all aspects of the standard will be appropriate for all cloud services, and particular services may need additional controls that ISO/IEC 27018 does not include. Likely sometime next year, ISO will release ISO/IEC 27017, which will address information-security best practices for cloud computing more broadly.
In order to achieve ISO/IEC 27018 certification, a cloud service must undergo an audit by an accredited certification body that ensures that the cloud provider:
• Helps customers comply with their obligations to allow end-users to access, correct and/or erase their personal information.
• Processes PII only in accordance with a customer’s instructions.
• Processes PII for marketing or advertising purposes only with the customer’s express consent.
• Discloses information to law-enforcement authorities only when legally bound to do so.
• Discloses the names of any sub-processors and the possible locations where personal information may be processed prior to entering into a cloud-services contract.
• Helps customers comply with their data breach notification obligations.
• Implements a policy for the return, transfer, or disposal of personal data that specifies the retention period following the termination of a contract.
• Agrees to independent information-security reviews at planned intervals or when significant changes occur.
• Enters into confidentiality agreements with staff who have access to personal data and provides them with training.
To maintain certification under ISO 27018, a cloud-services provider must undergo periodic third-party reviews.
Key cloud players in the U.S. and Europe already have announced intentions to become certified under ISO/IEC 27018.
An interesting article by Chris Castle:
“Before u send any photo, msg or video, consider how u would feel if it reached a broader audience than you intend”, the FTC tweeted today after announcing a settlement with Snapchat, a popular messaging app that promised its users that their messages disappeared once expired. Users are able to take photos, record videos, add text and drawings, known as snaps, and send them to a controlled list of recipients. Users also set a time limit for how long recipients can view their snaps (up to 10 seconds), and Snapchat claimed that after the time limit expired, the snaps would “disappear”. However, the Commission alleged the snaps can be saved in several ways, such as using a third-party app or taking screenshots of snaps, without detection.
The FTC also alleged that Snapchat misled consumers about how much personal information was collected and the security measures in place to protect such information through its Find Friends feature. For example, the app transmitted users’ location information and collected data like address book contacts, despite stating that it did not collect such information. Further, the Commission charged that Snapchat’s failure to secure this feature resulted in a security breach that allowed hackers to compile a database of 4.6 million Snapchat usernames and phone numbers.
The settlement prohibits Snapchat from misrepresenting the extent to which it maintains the privacy, security, or confidentiality of users’ information. Snapchat is also required to implement and maintain a comprehensive privacy program for the next 20 years. The Commission stated that the settlement with Snapchat is part of the FTC’s ongoing effort to ensure that companies market their apps truthfully and keep their privacy promises to consumers.
On April 8, Microsoft officially ended all support and ceased providing updates for its Windows XP operating system. This “end of life” (EOL) announcement is not uncommon with software platforms, where continued support of aging software (XP is over 12 1/2 years old) becomes too expensive or too impractical, and the user is thus encouraged to upgrade to a newer version of that software. This all makes sense on the surface. As we’ve seen time and time again, software–especially large, complex pieces of software like operating systems–tends not to age well. Due to the sheer complexity of systems like XP, retrofitting patches to fix errors and vulnerabilities can be quite difficult, and may even lead to unintended consequences (i.e., more bugs). Thus, over time, software companies may urge their customers to migrate to the (relatively) clean slate provided by upgraded versions of their software.
The XP EOL announcement came as no surprise. Microsoft has been urging customers to start planning for upgrades since it terminated all retail sales of the operating system in 2008. But according to recent statistics provided by Net Applications, nearly 28% of Internet users are still running some version of Windows XP. Even worse, this number does not include those computers running XP that aren’t used for web browsing, e.g., servers, point-of-sale (POS) systems, medical systems, industrial systems, security systems, and ATMs. This number includes large organizations such as banks and governments that, due mainly to their size and conservative technology adoption policies, take more time to migrate away from software platforms, especially those that provide core services, such as operating systems. This has led to multi-million dollar agreements between these organizations and Microsoft to provide continued support for the short term.
But what about those companies and organizations who don’t necessarily have the wherewithal to negotiate individual support contracts with Microsoft? In addition, these smaller companies too often don’t have the depth of IT support required to keep up with these updates, and some organizations may not even be aware they’re still running XP within their network. For these companies, the fact that Microsoft will no longer be providing public patches for future vulnerabilities could prove to be a serious problem.
The first example of this problem showed up this week. On Monday, a new “zero-day” vulnerability in Microsoft’s Internet Explorer (IE) web browser was announced. The vulnerability is quite serious: it allows remote code execution on a user’s computer, and it was already being exploited in the wild before any patch existed. Technology news sources referred to this bug as the first sign of the “XPocalypse,” in which users and organizations still running the unsupported platform would be left to the wolves, so to speak.
Yesterday, Microsoft took the unusual step of issuing a patch for this IE vulnerability for all of its platforms, including the “unsupported” Windows XP. While this step may have averted disaster for XP users–at least for the time being–many technology experts are warning that providing retroactive support for EOL platforms will not solve the larger problem of a significant number of users running aging, vulnerable software. This should concern not only the companies still running XP, but the entire Internet ecosystem, since compromised computer systems are often repurposed as platforms for further attacks.
It’s still too early to tell whether any of the dire predictions presented by the so-called XPocalypse will come to pass. Some cynics have pointed out that we are not likely to see a sudden surge of attacks on XP, since XP has been quite vulnerable to attack for some time, even when it was supported. Either way, companies would do well to make software security a priority, from the C-Suite on down. Companies are coming to realize that many (or most) of them are actually in the software business, as so much of their operation depends on the software that sits behind the scenes. There may come a time that the FTC views the unsupported use of XP as failing to take reasonable security measures. Adopting a wait-and-see approach to software security is bound to make a potentially bad situation even worse.
The White House released its report on big data, “Big Data: Seizing Opportunities, Preserving Values,” on Thursday, May 1, 2014, which looks at the ways that businesses and the government are able to perform analytics on massive data sets culled from a wide variety of sources to develop new observations and measurements about individual consumers. The Report offers findings and recommendations, based on a 90-day review of big data and privacy led by White House counselor John Podesta and an executive branch working group, including the Secretaries of Commerce and Energy, the President’s Science and Economic Advisors and other administration officials, at the request of President Obama. The working group sought public input from academic researchers, privacy advocates, advertisers, civil rights groups and the public during its review in an effort to evaluate the opportunities and challenges presented by big data.
The Report recognizes the inherent value big data has added to society, citing as examples the ability of big data analysis to enhance and improve medical treatment of premature infants, increase efficiencies across transportation networks and utility providers, and identify fraud and abuse in Medicare and Medicaid reimbursements. However, the Report also acknowledges serious privacy concerns, noting that big data may reveal intimate personal details of an individual user, and that big data tools may lead to discriminatory outcomes, particularly with regard to housing, employment and credit.
The Report offered several policy recommendations:
- Move forward with the Consumer Bill of Rights. In 2012, the President announced the concept of a Consumer Bill of Rights, which establishes certain baseline consumer privacy principles such as offering transparency about data privacy and security practices, providing consumers control over data practices, respecting the context in which the data was collected, increasing the accuracy of data files, and providing the opportunity for consumers to access collected data. This Report reiterates the importance of passing legislation to enforce the Bill of Rights principles, but also questions whether the principles are well-suited to the world of big data. Perhaps, the Report suggests, there should be a greater emphasis placed on how the data is used and reused rather than an emphasis on establishing notice and consent for the initial data collection.
- Pass National Data Breach Legislation. The Report notes that the amalgamation of so much information about consumers results in much greater harm to the consumer in the event of a data breach, and finds an even greater need for Congress to pass national data breach legislation to preempt the 47 different state laws currently in effect.
- Extend privacy protections to non-US persons. The Report urges government departments and agencies to apply the Privacy Act of 1974 and other privacy protections to all individuals, regardless of nationality.
- Ensure data collected on students in schools is used for educational purposes. Acknowledging the growing and valuable use of educational technologies in schools, the Report calls for protections to ensure that student data is not used inappropriately when it is collected in an educational setting. The Report suggests modernizing COPPA and FERPA to protect student data in the digital age, while still encouraging innovation in the educational technology industry.
- Expand technical expertise to stop discrimination. Business decisions affecting consumers’ access to healthcare, education, employment, credit and goods and services are increasingly made on the basis of big data algorithms. The Report calls on the DOJ, the FTC, the CFPB and the EEOC to develop their technical expertise to be able to detect whether these automated decision-making processes have discriminatory effects on protected classes of people, and to develop tools to redress such discrimination.
- Amend the Electronic Communications Privacy Act (ECPA). The Stored Communications Act, which is part of the ECPA, articulates the rules for obtaining the content of stored communications including email and cloud servers, but was written well before personal computing, email, texting, cloud storage, and smart phones were used as the primary means of communication. The Report calls on Congress to amend the ECPA to ensure that the standards of protection for digital online content are consistent with the protections afforded in the physical world.
While the Report provides a useful overview of the big data phenomenon, its benefits and its challenges, it remains to be seen what impact this Report will have on the industry. By and large, the Recommendations do not contain wholly new ideas. The ECPA is widely considered to be antiquated and there have been repeated calls for reform. There have been many attempts to offer national data breach notification legislation, but no bill has made it through Congress to date. The White House first offered its support for a Consumer Bill of Rights in 2012, but spent the last two years involved in multi-stakeholder meetings without producing draft legislation. This recent Recommendation shows little evidence of advancing the ball significantly on that front, as it calls for additional “stakeholder and public comment” before crafting the legislative proposal. However, the call for greater protections for student data is well-timed, as one of the largest school technology providers, inBloom, was forced to shut down over privacy concerns just a few weeks prior to the Report’s release.
The 2014 Verizon Data Breach Investigations Report (DBIR) was released on April 22, providing just the sort of deep empirical analysis of cybersecurity incidents we’ve come to expect from this annual report. The primary messages of this year’s DBIR are the targeting of web applications, continued weaknesses in payment systems, and nine categories of attack patterns that cover almost all recorded incidents. Further, despite the attention paid to last year’s enormous data breach at Target, this year’s data shows that attacks against point of sale (POS) systems are actually decreasing somewhat. Perhaps most importantly, the underlying thread that is found throughout this year’s DBIR is the need for increased education and application of digital hygiene.
Each year’s DBIR is compiled based on data from breaches and incidents investigated by Verizon, law enforcement organizations, and other private sector contributors. This year, Verizon condensed their analysis to nine attack patterns common to all observed breaches. Within each of these patterns, Verizon cites the software and vectors attackers are exploiting, as well as other important statistics such as time to discovery and remediation. The nine attack patterns listed in the DBIR are POS intrusions, web application attacks, insider misuse, physical theft/loss, miscellaneous errors, crimeware, card skimmers, denial-of-service (DoS) attacks, and cyber-espionage. Within industry verticals, most attacks can be characterized by only three of the nine categories.
Attacks on web applications were by far the most common threat type observed last year, with 35% of all confirmed incidents linked to web application security problems. This represents a significant increase over the three-year average of 21% of data breaches attributed to web application attacks. The DBIR states that nearly two thirds of attackers targeting web applications are motivated by ideology, while financial incentives drive another third. Attacks for financial reasons are most likely to target organizations from the financial and retail industries. These attacks tend to focus on user interfaces like those at online banking or payment sites, either by exploiting some underlying weakness in the application itself or by using stolen user credentials. To mitigate the use of stolen credentials, the DBIR advised companies to consider implementing some form of two-factor authentication, a recommendation that is made to combat several attack types in this year’s report.
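The stolen-credential attacks the DBIR describes leave a recognizable trace in a web application’s own login logs: one source address trying many different usernames (credential stuffing with a leaked password list) or hammering a single account (brute force). The following is an added example, not code from the DBIR or from any product mentioned on this page. It assumes a simple constructed log line format (timestamp, client IP, `POST /login user=... status=...`), embeds a small constructed sample, and flags sources whose failed-login pattern crosses a threshold inside a sliding time window. The thresholds and the log format are assumptions to adapt to a real deployment.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log format for this example (an assumption, not a real product's format):
#   <ISO-8601 UTC timestamp> <client IP> POST /login user=<name> status=<HTTP status>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"POST /login user=(?P<user>\S+) status=(?P<status>\d{3})$"
)

# Constructed sample: a legitimate user who mistypes once, a credential-stuffing
# source that tries six accounts and gets into a seventh, and a single-account brute-forcer.
SAMPLE_LOG = """\
2014-04-22T10:00:01Z 192.0.2.10 POST /login user=alice status=401
2014-04-22T10:00:09Z 192.0.2.10 POST /login user=alice status=200
2014-04-22T10:01:00Z 203.0.113.5 POST /login user=alice status=401
2014-04-22T10:01:02Z 203.0.113.5 POST /login user=bob status=401
2014-04-22T10:01:04Z 203.0.113.5 POST /login user=carol status=401
2014-04-22T10:01:06Z 203.0.113.5 POST /login user=dave status=401
2014-04-22T10:01:08Z 203.0.113.5 POST /login user=erin status=401
2014-04-22T10:01:09Z 203.0.113.5 POST /login user=grace status=401
2014-04-22T10:01:10Z 203.0.113.5 POST /login user=frank status=200
2014-04-22T10:01:30Z 203.0.113.5 GET /account status=200
""" + "".join(
    f"2014-04-22T10:02:{5 * i:02d}Z 198.51.100.7 POST /login user=admin status=401\n"
    for i in range(9)
)


def parse_line(line):
    """Return (timestamp, ip, user, status) for a login line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["ip"], m["user"], int(m["status"])


def _max_over_windows(events, window, score):
    """events: (ts, user) tuples sorted by ts. Slide a window of the given length
    over them and return the largest score(events_in_window) seen."""
    best, start = 0, 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        best = max(best, score(events[start:end + 1]))
    return best


def detect_credential_attacks(lines, window=timedelta(minutes=5),
                              spray_users=5, brute_attempts=8):
    """Flag source IPs whose failures look like credential stuffing (many distinct
    users) or brute force (many attempts against one user) within `window`.
    A success from a flagged source after its failures is the signal that a
    stolen credential actually worked and that account needs attention."""
    failures = defaultdict(list)   # ip -> [(ts, user), ...] for HTTP 401 responses
    successes = Counter()          # ip -> logins that followed failures from that ip
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue               # not a login event
        ts, ip, user, status = rec
        if status == 401:
            failures[ip].append((ts, user))
        elif status == 200 and failures.get(ip):
            successes[ip] += 1

    findings = {}
    for ip, events in failures.items():
        events.sort()
        distinct = _max_over_windows(events, window, lambda w: len({u for _, u in w}))
        per_user = _max_over_windows(events, window,
                                     lambda w: max(Counter(u for _, u in w).values()))
        if distinct >= spray_users:
            pattern = "credential-stuffing"
        elif per_user >= brute_attempts:
            pattern = "brute-force"
        else:
            continue
        findings[ip] = {
            "pattern": pattern,
            "distinct_users": distinct,
            "max_attempts_one_user": per_user,
            "successes_after_failures": successes[ip],
        }
    return findings


if __name__ == "__main__":
    for ip, f in detect_credential_attacks(SAMPLE_LOG.splitlines()).items():
        print(ip, f)
```

The point of the `successes_after_failures` field is the one the DBIR makes: a burst of 401s followed by a 200 from the same source is not a failed attack, it is a compromised account, and the response (forced password reset, session revocation) is different from simply blocking the IP.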
The 2014 DBIR contains a wide array of detailed advice for companies who wish to do a better job of mitigating these threats. The bulk of this advice can be condensed into the following categories:
- Be vigilant: Organizations often only find out about security breaches when they get a call from the police or a customer. Log files and change management systems can give you early warning.
- Make your people your first line of defense: Teach staff about the importance of security, how to spot the signs of an attack, and what to do when they see something suspicious.
- Keep data on a ‘need to know basis’: Limit access to the systems staff need to do their jobs. And make sure that you have processes in place to revoke access when people change role or leave.
- Patch promptly: Attackers often gain access using the simplest attack methods, ones that you could guard against simply with a well-configured IT environment and up-to-date anti-virus.
- Encrypt sensitive data: Then if data is lost or stolen, it’s much harder for a criminal to use.
- Use two-factor authentication: This won’t reduce the risk of passwords being stolen, but it can limit the damage that can be done with lost or stolen credentials.
- Don’t forget physical security. Not all data thefts happen online. Criminals will tamper with computers or payment terminals or steal boxes of printouts.
These recommendations are further broken down by industry in the DBIR, but they largely come down to a liberal application of “elbow grease” on the part of companies and organizations. Executing on cyber security plans requires diligence and a determination to keep abreast of continual changes to the threat landscape, and often requires a shift in culture within a company. But with the FTC taking a more aggressive interest in data breaches, not to mention the possibility of civil suits as a response to less-than-adequate data security measures, companies and organizations would do well to make cyber security a top priority from the C-Suite on down.
The rise of social media for contests and marketing campaigns has captured the attention of the Federal Trade Commission (FTC), particularly campaigns that provide for contest entry based on what amounts to social media endorsements. “Like Company XYZ now to enter!” The FTC is taking stock and beginning to weigh in on this relatively recent practice. Just ask Cole Haan. Late last month, the FTC sent the popular shoemaker a letter marking the end of its investigation into a marketing campaign that turned on “pinning” Cole Haan products for entry into a contest. In it, the FTC concluded that Cole Haan needed to do more to disclose the connection between the contestants’ “pins” and the company’s contest.
It all started last year when Cole Haan launched its Wandering Sole marketing campaign. Cole Haan encouraged consumers to create Pinterest boards that included five shoe images from Cole Haan’s own Pinterest board and another five images of the contestants’ favorite places to wander. Whoever created the board that the company dubbed most creative would win a $1,000 shopping spree. To identify the contestants, Cole Haan asked that the Pinterest users include the hashtag #WanderingSole in the description of their images.
According to the FTC, Cole Haan allegedly created a “deceptive” situation with its Pinterest campaign because consumers may not have realized that the authors of the pinned content were receiving incentives for their endorsements, even if that incentive was the mere chance to win a contest. Notably, the FTC determined that Cole Haan’s request that contestants include the contest-specific hashtag was insufficient to overcome the potential for deception.
The foundation for the FTC’s letter lies in 16 C.F.R. Part 255, Guides Concerning the Use of Endorsements and Testimonials in Advertising. In § 255.5, the FTC explains that companies must “fully disclose” any connection between the company and an endorser of its products when that connection “might materially affect the weight or credibility of the endorsement.” As for social media uses, the Guides specifically acknowledge the difficulty of determining the link between an individual’s Internet activity and a manufacturer’s marketing activity. The FTC specifically points out that the marketer “presumably would not have initiated the process that led to the endorsements being made in these new media had it not concluded that a financial benefit would accrue from doing so.” The importance of the FTC’s Cole Haan letter is that it explicitly states that a pin on a Pinterest board constitutes an “endorsement” and a contest entry constitutes a “connection” between the company and the endorser under § 255.5. The FTC deliberately publicized its closing letter as a means to put companies on notice of its interpretation of the endorsement guidelines in connection with Pinterest contests. The message is not that social media contests need to stop, but rather that they must be plainly disclosed for what they are. What the FTC considers an adequate disclosure, however, remains to be seen. #StayTuned.
Cheryl A. Falvey of Crowell & Moring, LLP contributed to this post.
Technology companies – from startups to megacorporations – should not overlook an old privacy foe: the Federal Trade Commission (FTC). Since its inception in 2002, the FTC’s data security program has significantly picked up steam. In the last two years, the FTC has made headlines for its hefty privacy-related fines against Google and photo-sharing social network, Path. In January 2014 alone, the agency settled with a whopping 15 companies for privacy violations. What is more, many of these companies’ practices were not purposefully deceptive or unfair; rather the violations stem from mere failure to invest the time and security resources needed to protect data.
Vested with comprehensive authority and unburdened by certain hurdles that class actions face, the FTC appears poised for more action. The FTC’s basis for its authority in the privacy context originates from the Federal Trade Commission Act (FTC Act) and is quite broad. Simply put, it may investigate “unfair and deceptive acts and practices in or affecting commerce.” In addition to this general authority, the FTC has authority to investigate privacy violations and breaches under numerous sets of rules, including the Children’s Online Privacy Protection Act (COPPA), the Fair Credit Reporting Act (FCRA) and its Disposal Rule, the Gramm-Leach-Bliley Act (GLB), and the Telemarketing and Consumer Fraud and Abuse Prevention Act. Nor is the FTC hampered with the requirements of private class action litigation. For example, successful privacy class actions often must establish that consumers were harmed by a data breach (as in In re Barnes & Noble Pin Pad Litigation), that consumers actually relied on a company’s promises to keep the information confidential (as in In re Apple iPhone Application Litigation), or that the litigation will not be burdened with consumer-specific issues (such as whether the user impliedly consented to the disclosure, as in In re: Google Inc. Gmail Litigation).
The FTC has often focused on companies failing to adhere to their own stated policies, considered a “deceptive” practice by the FTC. More recently, the FTC settled with the maker of one of the most popular Android apps, “Brightest Flashlight Free.” While the app informed users that it collected their data, it is alleged to have failed to disclose that the data would be shared with third parties. And though the bottom of the license agreement offered consumers an opportunity to click to “Accept” or “Refuse,” the app is alleged to have already been collecting and sending information (such as the location and the unique device identifier) prior to receiving acceptance. Just last week, the FTC settled with Fandango for failing to adequately secure data transmitted through its mobile app, in contravention of its promise to users. The FTC alleged that Fandango had disabled SSL certificate validation in its app, the check that confirms the server at the other end of an encrypted connection is actually the one the app intends to talk to; without it, an attacker on the same network (a public Wi-Fi hotspot, for example) can present a forged certificate and read or alter the app’s traffic, credit card numbers included, while the connection still appears encrypted. As another example, the FTC recently settled with a maker of a camera device used in homes for a variety of purposes, including baby monitoring and security. The device allows the video to be accessed from any internet connection. The devices are alleged to have “had faulty software that left them open to online viewing, and in some instances listening, by anyone with the cameras’ Internet address.”
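Disabled certificate validation is a one-line mistake that is easy to miss in review, which is why it is worth seeing the weak configuration next to the correct one and having a check that catches the weak form. The block below is an added example written with Python’s standard `ssl` module; it is not Fandango’s code (that app was a mobile client) and it does not claim to reproduce what that app did beyond the setting the FTC named. `insecure_client_context` is the anti-pattern, `hardened_client_context` is the corrected form, and `audit_context` reports what is wrong with a context so it can run as a unit test or a pre-deployment gate.

```python
import socket
import ssl


def insecure_client_context() -> ssl.SSLContext:
    """The anti-pattern: certificate validation switched off.
    The handshake still encrypts, but the client never checks who it is talking to,
    so a network attacker presenting any certificate at all is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE   # "accept all certificates"
    return ctx


def hardened_client_context(cafile=None) -> ssl.SSLContext:
    """Validation on: chain checked against the system trust store (or `cafile`),
    hostname matched against the certificate, TLS 1.2 as the floor."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of validation weaknesses in a client context; empty means acceptable."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: the server certificate chain is never checked")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a valid certificate for any other name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version is below TLS 1.2: legacy protocol versions are negotiable")
    return findings


def connect_verified(host: str, port: int = 443, ctx=None, timeout: float = 5.0):
    """Open a TLS connection that fails closed: a bad chain or name mismatch raises
    ssl.SSLCertVerificationError instead of silently proceeding.
    (Not exercised offline; shown so the hardened context is used the right way.)"""
    ctx = ctx or hardened_client_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    # server_hostname is what check_hostname compares against; omitting it is the
    # other common way validation gets weakened by accident.
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_context(ctx) or "OK")
```

Two practitioner caveats. First, the insecure form is usually introduced to make a staging server with a self-signed certificate work; the fix is to pass that server’s certificate as `cafile` (or pin it), not to disable validation. Second, the audit only looks at the context object; a client that builds a correct context but then calls `wrap_socket` without `server_hostname`, or that catches and ignores the verification exception, is just as exposed, so the review has to follow the context to the point of use.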
Companies have also been targeted for even slight deviations from their stated policies. For example, the FTC recently reached settlements with BitTorrent and the Denver Broncos. The entities were blamed for falsely claiming they held certifications under the U.S.-EU Safe Harbor framework. In reality, the entities had received the certifications but failed to renew them. The safe harbor is a streamlined process for US companies (that receive or process personally identifiable information either directly or indirectly from Europe) to comply with European privacy law. Self-certifying to the U.S.-EU Safe Harbor Framework also ensures that EU organizations know that the organization provides “adequate” privacy protection.
Being a target of an FTC action is no walk in the park. In addition to paying for attorney fees, the FTC often demands significant remedial measures. For instance, the company may be asked to (1) create privacy programs and protocols, (2) notify affected consumers, (3) delete private consumer data, (4) hire third-party auditors, and (5) subject itself to continual oversight by the FTC for 20 years. What is more, if a company ever becomes a repeat offender and violates its agreement not to engage in future privacy violations, it will face significant fines by the FTC. In this regard, for example, Google was required to pay $22.5 million for violating a previous settlement with the FTC.