InfoBytes Blog

Financial Services Law Insights and Observations

  • U.K.’s ICO fines real estate management company for data security failures

    Privacy, Cyber Risk & Data Security

    On July 19, the United Kingdom’s Information Commissioner’s Office (ICO) issued a £80,000 fine against a London-based real estate management company for allegedly leaving over 18,000 customers’ personal data exposed for almost two years. According to the ICO, when the company transferred personal data from its server to a partner organization, the company failed to switch off an “anonymous authentication” function, which exposed all the data—including personal data such as bank statements, salary details, copies of passports, dates of birth, and addresses—stored between March 2015 and February 2017. The ICO alleges that the company failed to take appropriate technical and organizational measures to protect customers’ personal data and concluded the failures were “a serious contravention of the 1998 data protection laws which have since been replaced by the [General Data Protection Regulation] GDPR and the Data Protection Act 2018.”

    Privacy/Cyber Risk & Data Security GDPR Information Commissioner's Office

  • U.K.’s ICO announces two GDPR data breach actions

    Privacy, Cyber Risk & Data Security

    On July 8 and 9, the United Kingdom’s Information Commissioner’s Office (ICO) issued two notices of its intention to fine companies for infringements of the General Data Protection Regulation (GDPR). On July 8, the ICO announced it intended to fine a U.K.-based airline £183.39M for a September 2018 cyber incident in which, due to “poor security arrangements,” attackers were able to divert user traffic from the airline’s website to a fraudulent site, making consumer details accessible. The airline notified the ICO of the incident, which compromised the data of approximately 500,000 consumers, has cooperated with the ICO in the investigation, and has made improvements to its security arrangements. Additionally, on July 9, the ICO announced it intended to fine a multinational hotel chain £99,200,396 for failing to undertake sufficient due diligence when it purchased a hotel group in 2016 whose systems had been compromised in 2014, exposing 339 million guest records globally. The exposure was discovered in 2018, after which the hotel chain reported the incident to the ICO, cooperated with the investigation, and made improvements to its security arrangements. In both announcements, the ICO notes that it will “consider carefully the representations made by the company and the other concerned data protection authorities” before issuing a final decision.

    Privacy/Cyber Risk & Data Security GDPR Information Commissioner's Office Of Interest to Non-US Persons

  • FTC holds fourth annual PrivacyCon to address hot topics

    Privacy, Cyber Risk & Data Security

    On June 27, the FTC held its fourth annual PrivacyCon, which hosted research presentations on a wide range of consumer privacy and security issues. Following opening remarks by FTC Chairman Joseph Simons, the one-day conference featured four plenary sessions covering a number of hot topics:

    • Session 1: Privacy Policies, Disclosures, and Permissions. Five presenters discussed various aspects of privacy policies and notices to consumers. The panel discussed current trends showing that privacy notices to consumers have generally become lengthier in recent years, which helps cover the information regulators require, but often results in information overload for consumers more generally. One presenter advocated the concept of a condensed “nutrition label” for privacy, but acknowledged the challenge of distilling complicated activities into short bullets.
    • Session 2: Consumer Preferences, Expectations, and Behaviors. This panel addressed research concerning consumer expectations and behaviors with regard to privacy. Among other anecdotal information, the presenters noted that many consumers are aware that personal data is tracked, but consumers are generally unaware of what data collectors ultimately do with the personal data once collected. To that end, one presenter advocated prescriptive limits on data collection in general, which would take the onus off consumers to protect themselves. Separately, with regard to the Children’s Online Privacy Protection Act (COPPA), one presenter noted that the law generally aligns with parents’ privacy expectations, but the implementing regulations and guidelines are too broad and leave too much room for implementation variations.
    • Session 3: Tracking and Online Advertising. In the third session, five presenters covered topics ranging from the privacy implications of free versus paid-for applications to the impact of the EU’s General Data Protection Regulation (GDPR). According to the presenters, current research suggests that the measurable privacy benefits of paying for an app are “tenuous at best,” and consumers cannot be expected to make informed decisions because the necessary privacy information is not always available in the purchase flow on a mobile device such as a phone. As for GDPR, the panel agreed that there have been notable reductions in web use, with page views falling 9.7 percent in one study, although it is not clear whether that reduction is directly attributable to the May 25, 2018 date on which GDPR enforcement took effect.
    • Session 4: Vulnerabilities, Leaks, and Breach Notifications. In the final presentation, presenters discussed new research on how companies can mitigate data security vulnerabilities and improve remediation. One presenter discussed the need for proactive identification of vulnerabilities, noting that the goal should be to patch the real vulnerabilities and limit efforts related to vulnerabilities that are unlikely to be exploited. Another presenter analyzed data breach notifications to consumers, noting that all 50 states have data breach notification laws, but there is no consensus as to best practices related to the content or timing of notifications to consumers. The presenter concluded with recommendations for future notification regulations: (i) incorporate readability testing based on standardized methods; (ii) provide concrete guidelines of when customers need to be notified, what content needs to be included, and how the information should be presented; (iii) include visuals to highlight key information; and (iv) leverage the influence of templates, such as the model privacy form for the Gramm-Leach-Bliley Act.

    Privacy/Cyber Risk & Data Security FTC Research COPPA GDPR Gramm-Leach-Bliley

  • Consumer advocates testify before Senate Commerce Committee on need for federal consumer data privacy legislation

    Privacy, Cyber Risk & Data Security

    On October 10, the Senate Committee on Commerce, Science, and Transportation held the second in a series of hearings on consumer data privacy safeguards. The hearing, entitled “Consumer Data Privacy: Examining Lessons From the European Union’s General Data Protection Regulation and the California Consumer Privacy Act,” heard from consumer privacy advocates on lessons from the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) of 2018, and on what types of consumer protections should be considered in future federal legislation. Committee Chairman Senator John Thune opened the hearing by emphasizing the importance of promoting privacy without stifling innovation. Senator Thune stated that, while understanding the experience of technology and telecommunications companies in this space is important, any new federal privacy law must also incorporate the views of affected industry stakeholders and consumer advocates.

    The consumer privacy advocate witnesses agreed that there is a need for heightened consumer protections and rights, and that the time is ripe to debate what a federal consumer data privacy law would look like and how it would interact with state laws. However, the witnesses cautioned that federal legislation should set a floor, not a ceiling, for privacy, so that states are not prevented from passing their own privacy laws. One witness, who led the effort behind the California ballot initiative that resulted in the CCPA, emphasized that federal legislation should contain a robust enforcement mechanism, while a witness from the Center for Democracy & Technology said that (i) lawmakers should give the FTC the ability to fine companies that violate consumers’ privacy and provide the agency with more resources; and (ii) a federal law should cover entities of all sizes and clarify which secondary and third-party uses of data are permissible.

    Among other things, the hearing also discussed topics addressing: (i) GDPR open investigations; (ii) support for state Attorney General enforcement rights; (iii) privacy protections for children, including the strengths and weaknesses of the Children’s Online Privacy Protection Act, particularly with respect to children ages 13 and older; and (iv) consumers’ rights to control their personal data.

    Privacy/Cyber Risk & Data Security Data Breach U.S. Senate GDPR State Attorney General State Legislation Enforcement CCPA

  • Department of Commerce requests comments on new federal approach to consumer privacy rules

    Federal Issues

    On September 26, the National Telecommunications and Information Administration (NTIA) published a notice and request for comments on behalf of the Department of Commerce seeking input from stakeholders on ways to address consumer privacy concerns while protecting prosperity and innovation. The NTIA’s notice seeks comments on a proposed set of “user-centric privacy outcomes” to be addressed by future federal action on consumer privacy policy, along with a set of high-level goals that would establish the outlines for the direction these protections should take. Among other things, the NTIA also seeks feedback on ways to (i) increase harmonization across the regulatory landscape; (ii) ensure a balance between legal clarity, flexibility for innovation, and consumer privacy; (iii) prevent a fragmented regulatory approach by ensuring that any law is applied equally to all businesses not covered by sectoral laws; (iv) develop a regulatory framework “consistent with the international norms and frameworks”; and (v) provide the FTC with the necessary tools and resources to effectively enforce such rules.

    The NTIA’s proposal follows the European Union’s General Data Protection Regulation (GDPR), which was implemented this past summer, and the recently enacted and amended California Consumer Privacy Act of 2018 (see previous InfoBytes coverage here). Comments on the notice must be received by October 26.

    Federal Issues Department of Commerce Privacy/Cyber Risk & Data Security GDPR FTC

  • European Commission Publishes Draft ePrivacy Regulation

    Federal Issues

    The Commission announced the release of its Proposal for a Regulation of the European Parliament and of the Council on Privacy and Electronic Communications (Proposed Regulation), which is set to repeal Directive 2002/58/EC (ePrivacy Directive). The Proposed Regulation—as discussed previously on InfoBytes—is intended to update the current rules to keep pace with technical developments and to align them with the General Data Protection Regulation (GDPR). Among other things, the Proposed Regulation will expand the scope of the ePrivacy rules to cover internet-based voice and internet-messaging services and the content of communications, including metadata such as the time and location of a call. With regard to cookies, the Proposed Regulation does not require user consent for non-privacy-intrusive cookies, i.e., those that either improve the internet experience or measure the number of visitors to a specific website. The Proposed Regulation also includes an opt-in requirement for telemarketing calls, unless national law provides the recipient with a right to object, and contains language extending the remedies currently provided under the GDPR. Once passed, the Proposed Regulation would become effective on May 25, 2018. Related documents and information:

    1. Proposal for a Regulation of the European Parliament and of the Council
    2. Ex-post REFIT evaluation of the ePrivacy Directive 2002/58/EC
    3. Executive summary of the ex-post REFIT evaluation
    4. Impact Assessment - part 1
    5. Impact Assessment - part 2
    6. Impact Assessment - part 3
    7. Summary of the Impact Assessment

    Federal Issues International GDPR Privacy/Cyber Risk & Data Security

  • EU Releases First Guidance on New Privacy Regulation

    Federal Issues

    On December 16, the European Union’s (EU) data protection regulator, the Article 29 Working Party (WP29), released its first official guidance on the General Data Protection Regulation (GDPR), the EU’s new privacy regime. Composed of three sets of guidelines and accompanying FAQs, the guidance covers a range of issues, including the qualification, appointment, and personal liability of data protection officers (DPOs). Links to the six guidance documents follow:

    The WP29 also announced that it is accepting additional comments on this guidance through the end of January 2017, and that it will release guidelines on Data Protection Impact Assessments and Certifications in 2017. The GDPR is set to take effect in May 2018.

    International European Union Miscellany GDPR Privacy/Cyber Risk & Data Security
