News Archives

Monday, August 22, 2016

Survey Finds Insiders at Fault for Most Data Breaches

A new Ponemon Institute survey of 3,000 employees in the US, UK, France and Germany found that in most breaches of corporately-held data, negligent staff are the party creating the vulnerability, rather than external hackers acting independently.  Compromised employee accounts are the typical vector for these breaches, exacerbated by employees and third parties having more access to sensitive data than they need.  According to the study, while 76% of respondents said that their organization had experienced a breach over the past two years, only 29% of IT respondents said their organizations enforce a least-privilege model designed to keep information on a need-to-know basis.  A separate Ponemon study in June showed that the average cost of a data breach is now approximately $4 million, up 29% since 2013.  A third Ponemon study, the 2016 Global Visual Hacking Experiment, underscores how poorly-trained employees fail to prevent "visual hacking" in the workplace, in which sensitive information is read off unattended screens and documents during a walk-around of the office.

These findings are consistent with those reported by the Association of Corporate Counsel in December 2015 (“Survey Finds Employees the Leading Cause of Data Breaches”) and by CompTIA and the SANS Institute in April 2015 (“Single Biggest IT Security Threat Remains Employees”).  Whether insiders are more responsible for breaches than external hackers – and this has varied over the past decade (see, for example, the June 2009 Verizon study, “Growing Role of Organized Crime in Data Breaches”) – is hardly the point.  No matter what percentage of breaches are caused by employees and other insiders, these are known and well-established vulnerabilities that are amenable to remediation: enforcing least privilege, removing access that is no longer needed, and training staff.  Accountability for not addressing them seems sadly to be in short supply.

Wednesday, August 17, 2016

Mexican DPA Affirms DP Law Applies to HR

On July 21, Mexico's National Institute of Access to Information and Data Protection (INAI) confirmed that companies are responsible for the processing of personal data of their employees under the Federal Law on Protection of Personal Data Held by Private Parties 2010.  The affirmation came in an INAI decision in which a company argued that it could rely upon the personal use exemption to process its employees' personal data without regard to the federal data protection law.  The case concerned a complaint filed by an employee after his employer first refused to comply with his access request and later granted only partial access, on the grounds that the data were used exclusively for internal purposes and were neither disclosed nor used for commercial purposes.  The INAI rejected this attempt to exploit ambiguity around the personal use exemption, and also warned that data concerning an employee or former employee, such as their position, email address and salary, constitute personal information and must be processed in accordance with the DP law.

Slow Take-up for Privacy Shield Unlikely to Last

During the first 15 days that the Privacy Shield self-certification process was open for submissions, only 40 companies were placed on the list by the Department of Commerce, although the DOC announced that it was reviewing another 200 or so filings.  A review of the certifications conducted a few days ago showed that the only well-known companies on the list were Microsoft, Salesforce and Workday, with the balance appearing to be small niche-oriented firms.  At the present time, however, navigation past the handful of companies appearing on the first page of the list is unavailable, possibly due to traffic overload or other technical problems or disruptions. 

The take-up for the Safe Harbor framework was also slow back in 2000, much slower in fact, but back then companies were still discovering that they had compliance obligations under the EU Data Protection Directive, and the program was quite novel, with considerable uncertainty attached to it.   These conditions don’t apply today, but there are new inhibiting factors at play:  (a) a gap of some nine months since the Safe Harbor adequacy decision was invalidated by the Court of Justice of the European Union, forcing many companies to switch to and settle into other transfer mechanisms, such as model contracts; and (b) continuing uncertainty about whether Privacy Shield will withstand the legal challenges likely to be brought against it by citizens or by DPAs such as Hamburg's Johannes Caspar.   Nevertheless, Privacy Shield remains the only game in town for a large number of companies, making it very likely that the number of participants will swell, even if the mechanism proves to be only a temporary solution.  According to an August 16 press release, TRUSTe is working with over 500 companies to assess and verify compliance with the new requirements for Privacy Shield.

Increased numbers of submissions can be expected by September 30, the last day to take advantage of an official grace period for bringing contractual relationships with third parties into alignment with Privacy Shield requirements.  However unfair and unjustifiable this grace period may be, companies submitting certifications after that date will have to attest that they have such relationships in order as of the date of filing.

Tuesday, August 2, 2016

FTC Cracks Down on False APEC CBPR Certification Claims

In mid-July, the Federal Trade Commission issued warning letters to 28 companies about apparently false claims on their websites that they were certified participants in the APEC Cross-Border Privacy Rules (CBPRs).  Only APEC-recognized Accountability Agents, such as TRUSTe, can certify that the privacy policies and practices of participating companies are compliant with the CBPR system program requirements.  The letters ask the companies to immediately remove representations claiming CBPR participation from all public documents and threaten to take legal action if a timely and satisfactory response is not received.  The identity of the companies receiving the letters was not disclosed.  

The CBPR system is a self-regulatory initiative to protect data that moves among APEC member economies through a voluntary but enforceable code of conduct implemented by participating businesses. Four APEC members are currently participating in the CBPR system:  the US, Mexico, Japan and Canada.  At present there are 16 APEC CBPR-certified companies, including Apple, Box, Cisco, HP, IBM, Merck, Workday and Ziff Davis.  The operational use and value of the certifications, apart from positive public relations, remains opaque.

Friday, July 29, 2016

CJEU Finds Terms of Use Irrelevant as Basis for Determining Applicable DP Law

In a July 28 ruling in VKI v. Amazon EU, the Court of Justice of the European Union reaffirmed the reasoning about applicable data protection law it advanced in the Weltimmo and Google Spain cases.  Ignoring the contract between Amazon and its customers, which provided that Luxembourg law shall apply, the court held that “the processing of data in the context of the activities of an establishment is governed by the law of the Member State in whose territory that establishment is situated.”  Furthermore, the court found that it is up to national courts to determine whether Amazon is carrying out the data processing in question in the context of the activities of an establishment situated in their Member States.  As to when a company may be regarded as having an establishment, the CJEU reiterated its position that the establishment of a data processing operation “extends to any real and effective activity, even a minimal one, exercised through stable arrangements.”  The Court also held that a data processing operation will not be established “merely because the undertaking’s website is accessible” in a particular Member State.

Game On: Dept. of Commerce Launches Privacy Shield Website

On July 26, the same day as the Article 29 Working Party issued its statement of ongoing concerns about Privacy Shield, the U.S. Department of Commerce launched its website for the new data transfer framework.  The website contains the full text of the Privacy Shield Principles (both basic and supplemental), Annex I, and related letters and attachments from the Department of Commerce, the International Trade Administration, the FTC, the Department of Transportation, the Department of State, the Office of the Director of National Intelligence and the Department of Justice.  It also contains guidance for organizations on how to self-certify for the program, for European companies and individuals on how to determine whether a U.S. company is a Privacy Shield participant, and for European individuals on how to submit either a complaint or a request relating to U.S. national security access to their data.  (Note:  When launched, the website indicated, in a departure from Safe Harbor requirements, that the HR privacy policies of participants would have to be publicly available; however, this statement was subsequently retracted.)  A procedure for direct contact by DPAs with the DOC’s Privacy Shield team, as well as a link to a new FTC website about its oversight and enforcement activities, is also included. The Department of Commerce will begin accepting self-certifications under Privacy Shield on August 1.

Thursday, July 28, 2016

Art 29 WP Remains Concerned about Privacy Shield

On July 26, the Article 29 Working Party issued a statement praising improvements in the Privacy Shield mechanism secured by the European Commission over the past three months, but also indicating that “a number of concerns remain regarding both the commercial aspects and the access by U.S. public authorities to data transferred from the EU.”  As examples of concerns with respect to commercial activities, the Working Party cited the lack of: (a) specific rules on automated decisions; (b) a general right to object; and (c) clarity as to how the Privacy Shield Principles apply to processors.  With respect to access by U.S. public authorities, the WP29 remains uncomfortable concerning the independence and powers of the Ombudsperson and regrets the lack of concrete assurances that mass and indiscriminate surveillance does not take place.

These concerns notwithstanding, the Working Party stated that the robustness and efficiency of the Privacy Shield mechanism will be best assessed during the first joint annual review, insofar as all members of the review team “shall have the possibility to directly access all the information necessary” to carry out the review.  The WP29 concluded its statement with a commitment to “proactively and independently” assist data subjects with exercising their rights under the Privacy Shield mechanism.  In addition, the Working Party stated that it would soon provide guidance on the mechanism to both data controllers and to citizens, along with its suggestions on the composition of the EU centralized body envisaged by the agreement and the practical organization of the joint annual review.

Contrary to numerous reports in the press, a careful reading of the Working Party statement reveals that it did not approve or endorse the Privacy Shield framework, nor did it say that it would not challenge the adequacy of the agreement for at least one year.  With the Commission having formally adopted the mechanism on July 12, the WP29, as an advisory body, was not in a position to either approve or reject it.  Given the independence of data protection authorities, as well as their obligations to protect the privacy of data subjects, the Working Party was also not in a position to pledge to refrain from taking such steps as may be necessary to fulfill their responsibilities.  Buttressed by the Schrems ruling that affirmed their independence even in the face of an adequacy decision, one or more of the EU’s DPAs, such as those in Germany, may not be as patient as the Working Party appears to be.

A fairer summation of the position of the Working Party is that its assessment of Privacy Shield remains incomplete, that it looks forward to completing that assessment during the joint annual review, and that in the meantime it will vigorously and independently investigate any complaints from data subjects about how their personal data is handled under the mechanism. To read this as a "tepid endorsement," "temporary green light" or "moratorium" on challenging Privacy Shield reflects wishful thinking.

It is true that Isabelle Falque-Pierrotin, chair of the Article 29 Working Party, stated verbally at a press conference on July 26 that the EU DPAs would not launch legal action on their own initiative in the next year.  However, this is not to say that they may not become involved in a legal action brought by another party, such as an individual, a Member State, the EU Parliament or another EU institution, that challenges the Privacy Shield mechanism.  Should a complaint from an individual come forth, such as the one promised by Max Schrems, they may feel obligated to request guidance from the courts as to the adequacy of Privacy Shield.