News Archives

Friday, March 31, 2017

House Committee Passes Controversial Wellness Bill

A controversial bill that would give employers greater leeway in obtaining genetic and other sensitive health information from employees and increase the financial incentives for employees to participate in workplace wellness programs was passed by the House Committee on Education and the Workforce along party lines on March 8, 2016. Critics of the Preserving Employee Wellness Programs Act contend that it will gut key protections in the Americans with Disabilities Act (ADA) and the Genetic Information Nondiscrimination Act (GINA), coerce employees into giving up genetic and health information, and weaken the role of the EEOC in overseeing wellness programs. Opposition to the bill has been expressed by a wide range of consumer, health and privacy advocacy groups, including the AARP, the American Diabetes Association, the American Academy of Pediatrics, the Epilepsy Foundation, the March of Dimes, the National Association for Rare Disorders, the American Society for Human Genetics and the ACLU. HHS Secretary Tom Price reportedly is among those expressing concern about the bill, which still needs to be taken up by the House Ways and Means Committee before it could advance to the full House and the Senate.

Human Factors Play Major Role in Data Breaches

According to Verizon’s recent 2017 Data Breach Digest, a 99-page report by the company’s data breach investigation team, breaches are becoming more complex and now touch every part of an organization. The Digest describes 16 common breach scenarios, divided into four clustered groupings:  (1) the human element; (2) device misuse or tampering; (3) configuration exploitation; and (4) malicious software.  Verizon data indicates that the human element was the major vulnerability relied upon in one-third of confirmed data breaches, ranking behind hacking and malware, while also being a factor in up to one-half of all breaches. Tactics and techniques used to exploit the human element include phishing (92%), pretexting (42%) and bribery/solicitation (3%).  Email is overwhelmingly the primary means of communicating with targets, highlighting the importance of employee education and training across the organization, as well as the need for multi-factor authentication.

Friday, March 24, 2017

Privacy Shield Update: EU Parliament Restive, No Complaints

On March 23, the EU Parliament’s civil liberties, justice and home affairs committee (LIBE) passed a resolution declaring Privacy Shield to be inadequate and calling upon the European Commission to examine the following deficiencies when it carries out its first annual review this summer:
  • Continued U.S. bulk surveillance of Europeans, in violation of the Schrems ruling by the CJEU
  • The viability of redress mechanisms, which are all U.S.-based
  • The lack of independent oversight by the U.S. ombudsman
  • Data retention provisions
The resolution includes explicit references to Yahoo’s October 2017 admission that it created software at the request of the NSA to scan users’ email and the decision of the Obama administration to share raw SIGINT data with 16 other agencies without court order.

The vote by the LIBE committee passed by a narrow margin of 29 to 25.  The resolution is expected to be taken up by the full EU Parliament during the first week of April.

Earlier, the U.S. Dept. of Commerce administrator for the Privacy Shield framework, Caitlin Fennessy, stated at a recent IAPP seminar in London that over 1800 companies had certified compliance with the Privacy Shield framework, with another 300 companies in the pipeline. Confirming an earlier analysis by HR Privacy Solutions, Fennessy reported that participants are largely small-to-medium-sized enterprises, with some 70% having fewer than 500 employees. In addition, participants are heavily slanted towards the technology and consulting sectors. Perhaps most significantly, no complaints about Privacy Shield from data subjects have reached the FTC, the Commerce Department or the special arbitration mechanism set up as a last-resort option.

Thursday, March 2, 2017

Advocacy Groups Call on EU to Re-evaluate Privacy Shield

On February 28, two prominent advocacy groups, the American Civil Liberties Union (ACLU) and Human Rights Watch, called upon European officials to re-examine assurances about privacy protection they received from the U.S. government, assurances that form the foundation of both the Privacy Shield agreement and the U.S.-EU umbrella agreement concerning exchanges of information for law enforcement purposes.  The letter, sent to key officials in the European Commission, the EU Parliament and the Article 29 Working Party, argued that the assurances had been undermined by President Trump’s executive order on enhancing public safety and by the deterioration and lapse of the Privacy and Civil Liberties Oversight Board (PCLOB).  Although former and current FTC Commissioners have contended that the executive order does not impact recently-extended Privacy Act protections for Europeans, the advocacy groups offer a detailed analysis of three ways in which these protections have been significantly reduced by the order.  They also contended that oversight by a fully-functioning PCLOB was clearly an important factor in the European Commission’s adequacy decision with respect to Privacy Shield.

Two days later, in an interview with Bloomberg, EU Justice Commissioner Vera Jourova said she "will not hesitate" to suspend the Privacy Shield framework if the Trump administration makes significant changes in the understandings that underpin the agreement.  Jourova will be meeting with U.S. officials in Washington later this month, seeking reconfirmation and reassurances about these understandings.  According to Johannes Caspar, the Hamburg DPA, “the disruptive political style of the new U.S. administration fills anyone working in the field of privacy with concern,” adding that “You don’t need to gaze into a crystal ball to see that the air surrounding the Privacy Shield is becoming thinner.”