
InfoBytes Blog

Financial Services Law Insights and Observations


  • President Obama Signs into Law the Judicial Redress Act

    Privacy, Cyber Risk & Data Security

    On February 24, President Obama signed the Judicial Redress Act, legislation that, according to the President, ensures “data is protected in the strongest possible way with our privacy laws.” The legislation is considered critical to EU-U.S. data flows because it paves the way for extending Privacy Act rights to EU citizens, giving them the right to seek Privacy Act remedies through civil actions in U.S. courts. Regarding the Act, Věra Jourová, the EU Commissioner for Justice, Consumers, and Gender Equality, commented, “[t]he entry into force of this Judicial Redress Act will pave the way for the signature of the EU-U.S. Data Protection Umbrella Agreement. This agreement will guarantee a high level of protection of all personal data, regardless of nationality, when transferred across the Atlantic for law enforcement purposes.”

    The signing of the Judicial Redress Act follows the European Commission’s February 2 announcement of the EU-U.S. Privacy Shield, a new framework for transatlantic data flows.

    Obama Privacy/Cyber Risk & Data Security

  • Washington Proposes Amendments to Money Transmitters Rules

    Privacy, Cyber Risk & Data Security

    Recently, the Washington Department of Financial Institutions (DFI) announced that on March 29, 2016 it will hold a hearing on proposed amendments to its rules under the 2015 Uniform Money Services Act. New sections in the proposal would require money services licensees to establish and maintain (i) an effective cybersecurity program; (ii) a written customer information security program; and (iii) a written privacy policy that complies with Regulation P, which implements the privacy provisions of the Gramm-Leach-Bliley Act.

    Gramm-Leach-Bliley Money Service / Money Transmitters

  • California AG Harris Issues Data Breach Report

    Privacy, Cyber Risk & Data Security

    On February 16, California AG Kamala Harris released a report analyzing data breaches reported to her office from 2012 through 2015. For that period, the report identifies 657 data breaches that compromised the personal information of more than 49 million Californians. The report summarizes the scope of California’s existing breach notice law and notes that notification laws in 46 other states were modeled after California’s original law. According to the report, federal data breach proposals currently under consideration in Congress would, among other things, (i) set the consumer protection bar very low; (ii) infringe on state-based innovation; (iii) encroach on enforcement by state attorneys general; (iv) narrowly define harm and personal information; and (v) set “overly rigid timelines for notification.” The report provides recommendations for organizations and state policymakers on how to improve data security. Specifically, the report recommends that organizations: (i) adopt the Center for Internet Security’s Critical Security Controls relevant to the organization’s specific environment; (ii) use multi-factor authentication to protect critical systems and data, and make multi-factor authentication available on consumer-facing online accounts containing sensitive personal information; (iii) consistently use strong encryption to protect personal information on laptops and other portable devices; and (iv) encourage persons affected by a breach of Social Security or driver’s license numbers to place a fraud alert on their credit files. Finally, the report recommends that state policymakers “collaborate in seeking to harmonize state breach laws on some key dimensions.”

    State Attorney General Privacy/Cyber Risk & Data Security

  • Department of Homeland Security Publishes CISA Procedures and Guidance

    Privacy, Cyber Risk & Data Security

    On February 16, the DHS published guidance for both private and federal entities on sharing cyber threat indicators with the federal government. As required by the Cybersecurity Information Sharing Act of 2015 (CISA), the DHS and the DOJ jointly released the following four documents: (i) Sharing of Cyber Threat Indicators and Defensive Measures by the Federal Government; (ii) Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities; (iii) Interim Procedures Related to the Receipt of Cyber Threat Indicators and Defensive Measures by the Federal Government; and (iv) Privacy and Civil Liberties Interim Guidelines. The first two documents focus on helping private sector and federal entities identify indicators of, and defensive measures against, cybersecurity threats. The third document establishes procedures for the receipt of cyber threat indicators and defensive measures by all federal entities under CISA. The fourth document establishes interim privacy and civil liberties guidelines for federal entities on the receipt, retention, use, and dissemination of cyber threat indicators.

    DOJ Privacy/Cyber Risk & Data Security

  • Obama Administration Announces Executive Orders: Commission on Enhancing National Cybersecurity; Establishment of the Federal Privacy Council

    Privacy, Cyber Risk & Data Security

    On February 9, President Obama issued two Executive Orders (EOs), titled Commission on Enhancing National Cybersecurity and Establishment of the Federal Privacy Council. The first EO creates a Commission on Enhancing National Cybersecurity (Commission), to be composed of leading industry thinkers from outside the government. The President will appoint the Commission’s members, with the Speaker of the House of Representatives, the Minority Leader of the House of Representatives, the Majority Leader of the Senate, and the Minority Leader of the Senate each invited to recommend one individual for membership. As outlined in the White House’s Fact Sheet on the EO, the Commission will, among other things, (i) assist in diagnosing and addressing the causes of cyber-vulnerabilities; (ii) “make detailed recommendations on actions that can be taken over the next decade to enhance cybersecurity awareness and protections throughout the private sector and at all levels of Government”; and (iii) report specific findings and recommendations to the President before the end of 2016.

    With the creation of the Federal Privacy Council, senior privacy officials from various Government agencies will come together to (i) develop recommendations on government privacy policies and requirements; (ii) collaborate on ideas, best practices, and approaches for protecting privacy and implementing appropriate safeguards; (iii) evaluate how best to address the hiring, training, and professional development needs of the Federal Government with respect to privacy matters, making the appropriate recommendations; and (iv) perform other privacy-related functions, consistent with law, that the Chair designates. Ultimately, this “interagency support structure” will be the principal “forum to improve the Government privacy practices of agencies and entities acting on their behalf.”

    Privacy/Cyber Risk & Data Security Obama

  • European Commission Announces Agreement with the US on the Framework for Transatlantic Data Flows

    Privacy, Cyber Risk & Data Security

    On February 2, the members of the European Commission approved a new framework for transatlantic data flows: the EU-US Privacy Shield. The European Commission and the United States agreed to a deal intended to reflect the requirements set forth in the Court of Justice of the European Union’s (CJEU) October 6, 2015 decision declaring the old Safe Harbor framework invalid. The agreement aims to protect the “fundamental rights of Europeans where their data is transferred to the United States and ensure legal certainty for businesses.” Specifically, the drafters of the new framework seek to provide (i) robust obligations on U.S. companies to protect Europeans’ personal data, including strengthened monitoring by the Department of Commerce and the FTC and increased cooperation with European Data Protection Authorities; (ii) written commitments by the U.S. that “the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms”; and (iii) effective protection of Europeans’ rights regarding how their data is handled, including several redress possibilities and the creation of an Ombudsperson to whom they can raise inquiries or complaints. Commenting on the agreement, Commission Vice-President Ansip stated, “[t]oday’s decision helps us build a Digital Single Market in the EU, a trusted and dynamic online environment; it further strengthens our close partnership with the US.” In the coming weeks, the U.S. will prepare to put the new framework in place while Vice-President Ansip and Commissioner Jourová prepare a draft “adequacy decision,” which could be “adopted by the [Commission] after obtaining the advice of the Article 29 Working Party (WP29) and after consulting a committee composed of representatives of the Member States.”

    In a February 3 statement, the WP29 maintained that it still has concerns regarding the current U.S. legal framework for protecting non-U.S. persons’ data. While it recognized recent U.S. efforts to improve protection of personal data in line with the four essential guarantees for intelligence activities, the WP29 emphasized that it will need to “consider if its concerns regarding the U.S. legal framework can be alleviated following the introduction of the EU-US Privacy Shield . . . [and] analyse to what extent [the] new arrangement will provide legal certainty for the other transfer tools.”

    Privacy/Cyber Risk & Data Security

  • European Commission Celebrates Data Protection Day; Deadline for US-EU Data Protection Framework Approaches

    Privacy, Cyber Risk & Data Security

    On January 28, the European Commission issued a statement in observance of the 10th European Data Protection Day. Vice President Ansip and Commissioner Jourová commented on the December 2015 agreement on EU data protection reform, noting that “[w]ith one streamlined set of rules across the European Union, we will cut red tape and ensure legal certainty, so that both citizens and companies can benefit from the Digital Single Market.” The United States and the European Union are scheduled to reach agreement in the coming week on a replacement for the invalidated “Safe Harbor” data transfer framework, on which Ansip and Jourová commented: “These flows are essential, between EU countries, but also between the EU and its closest partners. The European Commission is currently working on a renewed and safe framework on transfers of personal data with the United States. We need an arrangement that protects fundamental rights of Europeans and ensures legal certainty for businesses.”

    European Union Privacy/Cyber Risk & Data Security

  • FTC Issues Report on Big Data

    Privacy, Cyber Risk & Data Security

    On January 6, the FTC published a report titled “Big Data: A Tool for Inclusion or Exclusion? Understanding the Issues.” The report, which draws on a September 2014 FTC workshop as well as public comments and research, focuses primarily on the final stage in the life cycle of big data use: the commercial use of consumer data and its effect on low-income and underserved populations. According to the report, participants in the 2014 workshop expressed concern that potential inaccuracies and biases in big data may lead companies to “exclude low-income and underserved communities from credit and employment opportunities.” For example, the report states that “if big data analytics incorrectly predicts that particular consumers are not good candidates for prime credit offers, educational opportunities, or certain lucrative jobs, such educational opportunities, employment, and credit may never be offered to these consumers.” To minimize legal and ethical risks, and to avoid possible exclusion or discrimination, the report suggests that companies understand the various laws that may apply to their big data practices, including the FCRA, equal opportunity laws, and the FTC Act. The report provides a basic overview of these laws and presents companies with a number of questions to consider when examining whether their data practices comply with them, including whether the company maintains reasonable security over consumer data and whether it complies with the Equal Credit Opportunity Act’s requirements regarding requests for information and record retention. In addition to these questions, the report advises companies to consider four key policy questions: (i) How representative is your data set? (ii) Does your data model account for biases? (iii) How accurate are your predictions based on big data? (iv) Does your reliance on big data raise ethical or fairness concerns? Finally, while the report acknowledges the benefits of big data, such as providing access to credit through non-traditional methods and increasing equal access to employment, it stresses the importance of examining and raising awareness about big data practices that have the potential to adversely impact low-income and underserved populations.

    FTC FCRA ECOA Data Collection / Aggregation

  • New York AG Requires Transportation Company to Enhance Data Security Practices

    Privacy, Cyber Risk & Data Security

    On January 6, New York AG Schneiderman announced a settlement with a California-based transportation network company that requires the company to enhance its data security practices to protect consumers’ personal information. In November 2014, the AG’s office launched an investigation into the company’s collection, maintenance, and disclosure of users’ personal information “amid reports that [company] executives had access to riders’ locations and that the company displayed this information in an aerial view, known internally as ‘God View.’” Moreover, in February 2015, the company reported to the AG’s office that, as early as September 2014, it had experienced a data breach in which company drivers’ names and license numbers were exposed to an unauthorized third party. In addition to a $20,000 penalty for failing to provide timely notice of the data breach, the settlement requires the company to (i) limit access to geo-location information to designated employees through technical access controls and a formal authorization and approval process; (ii) designate at least one employee to coordinate and supervise its privacy and security program; (iii) conduct annual training for employees on its data security practices and the handling of private information; (iv) adopt protective technologies for the storage, access, and transfer of private information and of the credentials required to access such information; (v) conduct regular assessments of the effectiveness of internal controls and procedures for securing private information and geo-location information, and update those controls based on the assessments; and (vi) include a separate section in its consumer-facing privacy policy describing its policies regarding location information collected from riders.

    Privacy/Cyber Risk & Data Security

  • OFAC Publishes Cyber-Related Sanctions Regulations

    Privacy, Cyber Risk & Data Security

    On December 31, OFAC issued regulations implementing Executive Order 13694 of April 1, 2015, “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities.” Effective immediately, the regulations prohibit all transactions prohibited by Executive Order 13694, including dealing in property, or interests in property, of blocked persons that comes within the United States. Among other things, under Executive Order 13694 a party may be blocked if the U.S. government finds the party “to be responsible for or complicit in, or to have engaged in, directly or indirectly, cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States” and that have one of the purposes or effects enumerated in the Order. OFAC’s Specially Designated Nationals (SDN) List will include persons blocked pursuant to the Executive Order and the regulations. OFAC intends to supplement the new regulations with a more comprehensive set of regulations, “which may include additional interpretive and definitional guidance, regarding ‘cyber-enabled’ activities, and additional general licenses and statements of licensing policy.”

    OFAC Privacy/Cyber Risk & Data Security
