The validity of Model Clauses for EU personal data transfer to the United States is now in real doubt as a result of a new Irish High Court judgment stating that there are “well founded grounds” to find the Model Clauses invalid. The issue of Model Clauses as a legitimate data transfer mechanism will now be adjudicated by the European Court of Justice (ECJ), the same court that previously overturned the Safe Harbor arrangement. EU and US companies will need to consider various strategies in anticipation of this decision.
On July 28, 2016, US Department of Health and Human Services (HHS) issued guidance (guidance) under the Health Insurance Portability and Accountability Act (HIPAA) on what covered entities and business associates can do to prevent and recover from ransomware attacks. Ransomware attacks can also trigger concerns under state data breach notification laws.
The HIPAA Security Rule requires covered entities and business associates to implement security measures. It also requires covered entities and business associates to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (ePHI) the entities create, receive, maintain or transmit and to implement security measures sufficient to reduce those identified risks and vulnerabilities to a reasonable and appropriate level. The HIPAA Security Rule establishes a floor for the security of ePHI, although additional and/or more stringent security measures are certainly permissible and may be required under state law. Compliance with HIPAA’s existing requirements provides covered entities and business associates with guidance on how to prevent and address breaches that compromise protected health information. The new HIPAA guidance specific to ransomware reinforces how the existing requirements can help an entity protect sensitive information.
The National Institute of Standards and Technology (NIST) released its Cybersecurity Framework (Framework) almost 15 months ago and charged critical infrastructure companies within the United States to improve their cybersecurity posture. Without question, the Framework has sparked a national conversation about cybersecurity and the controls necessary to improve it. With regulators embracing the Framework, industry will want to take note that a “voluntary” standard may evolve into a de facto mandatory standard.
Read the full On the Subject on the NIST Cybersecurity Framework on the McDermott website.
Executive Order 13694 is the Obama Administration’s latest tool to combat cybersecurity threats. On April 1, 2015, President Obama declared a national emergency to address the “increasing prevalence and severity of malicious cyber-enabled activities” originating from outside the United States that “constitute an unusual and extraordinary threat to the national security, foreign policy and economy of the United States.”
The order authorizes the U.S. Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State, to impose sanctions, including asset freezes and travel bans, on those persons and entities determined to be responsible for, or complicit in, malicious cyber-enabled activities that have the purpose or effect of:
- Harming or significantly compromising the provision of services by entities in a critical infrastructure sector;
- Significantly disrupting the availability of a computer or network of computers; or
- Causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers or financial information for commercial or competitive advantage or private financial gain.
Although the order does not define “malicious cyber-enabled activities,” the Department of Treasury, in its online FAQs, anticipates that the order will cover “deliberate activities accomplished through unauthorized access to a computer system, including by remote access; circumventing one or more protection measures, including by bypassing a firewall; or compromising the security of hardware or software in the supply chain.”
This strategic move by the administration is intended to address situations where, for jurisdictional or other issues, certain significant malicious cyber actors may be beyond the reach of other authorities available to the U.S. government. This sanction program does not target nation states, individuals acting on behalf of those nation states, or victims of malicious cyber activities.
Executive Order 13694 in Practice
The Department of Treasury FAQs and the White House Office of the Press Secretary’s Fact Sheet explain how the program will work. According to the literature, the Treasury’s Office of Foreign Assets Control (OFAC), in coordination with other U.S. government agencies, will identify individuals and entities whose conduct meets the criteria set forth in the order. These individuals and entities will then be designated for sanctions and added to OFAC’s list of Specially Designated Nationals and Blocked Persons (SDN List).
Once OFAC determines the specific entities and individuals that are subject to sanctions under the order, all U.S. citizens and permanent resident aliens, all persons and entities within the United States, and all U.S.-incorporated entities and their non-U.S. subsidiaries or branches will be prohibited from engaging in trade or any other transactions with these individuals or entities owned by these individuals.
OFAC cautions that individuals or firms that “facilitate or engage in online commerce are responsible for ensuring that they do not engage in unauthorized transactions or dealings with persons named on the sanctions list or operate in jurisdictions targeted by comprehensive sanctions programs.” At this point, it is unclear how the Treasury will enforce the order and what, if any, penalties will be levied against those not in compliance.
Complying with the Order
Because the order was issued without any persons yet in line to be instantly placed on the OFAC list, there are no immediate obligations for U.S. corporations. However, once the Secretary of the Treasury begins to populate the list, organizations and individuals must ensure that they do not engage in unauthorized transactions or dealings with those identified persons. FAQ 446 reminds us that the names and identifying information of all individuals and entities included on OFAC’s sanctions lists may be located at: http://sdnsearch.ofac.treas.gov.
While we wait for more instructions via the forthcoming regulations, organizations that already have a compliance program should confirm that it regularly checks the SDN list before doing business with foreign entities or individuals. For organizations that do not yet have a compliance program, the Department of Treasury suggests a tailored, risk-based compliance program that may include sanctions list screening or other appropriate measures.
We will be watching for the release of the regulations and for names to be added to the SDN list. We will report back on the blog with these developments.
Data security breaches affecting large segments of the U.S. population continue to dominate the news. Over the past few years, there has been considerable confusion among employers with group health plans regarding the extent of their responsibility to notify state agencies of security breaches when a vendor or other third party with access to participant information suffers a breach. This On the Subject provides answers to several frequently asked questions to help employers with group health plans navigate the challenging regulatory maze.
On May 1, 2014, the White House released two reports addressing the public policy implications of the proliferation of big data. Rather than trying to slow the accumulation of data or place barriers on its use in analytic endeavors, the reports assert that big data is the “new normal” and encourage the development of policy initiatives and legal frameworks that foster innovation, promote the exchange of information and support public policy goals, while at the same time limiting harm to individuals and society. This Special Report provides an overview of the two reports, puts into context their conclusions and recommendations, and extracts key takeaways for businesses grappling with understanding what these reports—and this “new normal”—mean for them.
Cybersecurity has become a dominant topic of the day. The Snowden revelations, the mega-data breaches of 2013, the pervasiveness of invisible online “tracking” and the proliferation of “data broker” trading in personal data – all feed into the fears of individuals who struggle to understand how their personal information is collected, used and protected. Over the past year, these forces have begun to merge an old concern by individuals about the security of their personal information into a broader, more universal fear that the country’s infrastructure lies vulnerable.
In many respects, however, the concept of cybersecurity is not new. Cybersecurity is a form of information security, albeit perhaps with a broader, more universal view of required security controls. Decades-old statutes include information security requirements for certain types of information: the Health Insurance Portability and Accountability Act (HIPAA) addresses health information and the Gramm-Leach-Bliley Act (GLBA) addresses financial information. Add to those statutory regimes the U.S. Federal Trade Commission’s (FTC) enforcement authority over corporate information security practices pursuant to Section 5 of the FTC Act (recently upheld in Federal Trade Comm’n v. Wyndham Worldwide Corp.) and certain state-based data security regulations that require corporations to safeguard personal information (e.g., 201 CMR 17.00, et seq.). The net effect of these regulatory drivers is that many organizations have focused for decades on developing administrative, physical and technical safeguards for effective protection of personal information – resulting in a programmatic approach to information security.
Now, along comes the evolution of cybersecurity with its own emerging standards. Organizations are asking themselves whether they need to do something different or in addition to the programmatic steps already taken to comply with information security requirements that are applicable to the organization. The good news is that while some additional work likely will be required as described below, companies with solid programmatic approaches to information security are well on their way to meeting the following emerging cybersecurity standards.
NIST Cybersecurity Framework
On February 12, 2013, President Obama issued an Executive Order entitled “Improving Critical Infrastructure Cybersecurity.” The Executive Order has several key components, but most importantly, it contains a requirement for owners and operators of “critical infrastructure” to develop a cybersecurity framework. The Order directed the National Institute of Standards and Technology (NIST) to develop a baseline cybersecurity framework to reduce cyber risks to critical infrastructure. NIST subsequently developed its “Framework for Improving Critical Infrastructure Cybersecurity” (Framework), which was released on February 12, 2014. The goal of these efforts is to provide organizations with a cybersecurity framework as a model for their business. While at this point, the Framework is intended to provide a voluntary program for owners and operators of critical infrastructure, it is already starting to seep into federal “incentives” used to encourage the private sector to comply with the Framework. And the Framework itself may evolve into a sort of “security” standard of care.
SEC Cybersecurity and Disclosure Laws
In addition to the Framework, the U.S. Securities and Exchange Commission (SEC) recently held a roundtable on cybersecurity to explore whether the current SEC guidance on cybersecurity is working and how it could be improved. SEC Chairwoman Mary Jo White has emphasized that the SEC’s 2011 guidance makes clear that “material information regarding cybersecurity risks and cyber incidents is required to be disclosed.” After wrestling with what disclosures the SEC should require, SEC Commissioner Louis Aguilar recently stated, “There is no doubt that the SEC must play a role in this area. What is less clear is what that role should be.” He proposed the creation of a cybersecurity task force to advise the Commission on its future demands and disclosure requirements. It is clear that the SEC is struggling with its role in cybersecurity incident response and how to guide without being too proscriptive.
Recommended Next Steps for Companies
Against this backdrop, companies in any industry trying to make sense of what they should do next with respect to cybersecurity and its emerging standards should consider taking the following next steps:
- Assign an accountable function to become knowledgeable about the NIST Framework and related ongoing governmental developments;
- Use the Framework’s recommended approach to undertake a review of the company’s infrastructure and security protocols;
- Examine the company’s existing security protocols (for example, those instituted in response to requirements for the protection of personal data) and develop a current profile of the company’s existing security posture;
- Establish the overall desired security objective – in other words, where the security profile should be in light of the company’s industry, type of information processed and other relevant factors;
- Develop a gap analysis of the action steps needed to arrive at the desired objective;
- Prioritize those action steps, available resources and an appropriate timeline;
- Where possible, use the language of the Framework and its approach because even if the Framework is voluntary at this point, that Framework could become the standard by which companies are measured going forward.
It is increasingly clear that the issue of cybersecurity is no longer limited to traditional notions of information security designed to protect personal information. Rather, cybersecurity is about protecting all types of confidential information — as well as a company’s infrastructure — against unpredictable cyber threats. This can be new, developing, and difficult to predict. But one thing is clear: Information security is just one side of the security coin that companies must manage. Cybersecurity is the other, with a different focus, different emphasis and, in time, different regulatory expectations and requirements.
The Allegations and Order
According to this recent FTC complaint, Fantage.com failed to complete its annual recertification of Safe Harbor compliance but continued to make publicly available statements about its compliance with the U.S.-EU Safe Harbor Framework. From June 2011 (when the company made its initial self-certification) to January 2014 (when the company renewed its self-certification), the FTC examined the company’s privacy policies and online statements for representations concerning its Safe Harbor status.
In its complaint, the FTC alleged that the company, “…expressly or by implication…” misrepresented that it was a current participant in the Safe Harbor Framework when, from June 2012 until January 2014, its certification had lapsed. The FTC cited the following statement made on the company’s website as an example of the false and misleading representations:
“When we collect personal information from residents of the European Union, we follow the privacy principles of the U.S.-EU Safe Harbor Framework, which covers the transfer, collection, use, and retention of personal data from the European Union.”
While the FTC does not allege substantive violations of the Safe Harbor Framework, the sanctions that follow place compliance obligations on the company. The Settlement Agreement Containing Consent Order:
- enjoins Fantage.com from misrepresenting its compliance with any governmental or self-regulatory data privacy program for 20 years; and
- imposes on Fantage.com detailed record-keeping requirements for five years, including maintenance of records (i) for all advertisements or other statements containing representations about privacy program participation; (ii) all materials that form the basis for preparing such representations; and (iii) all materials that call into question the company’s compliance with the Order.
If Fantage.com violates the settlement agreement, the FTC is empowered to assess up to $11,000 per day in monetary penalties.
Based on these enforcement actions, any company that self-certifies under the U.S.-EU Safe Harbor Framework should immediately:
- check its certification status to ensure that it is marked “current” on the Department of Commerce website: https://safeharbor.export.gov/list.aspx;
- review any privacy policies and online statements referencing the Safe Harbor program to ensure that they properly reflect the status of their certification;
- institute a systematic reminder six months prior to the recertification date that triggers compliance review activity with a due date for completion prior to the recertification deadline, together with a requirement that the actual online recertification be completed prior to the annual deadline;
- remove all references to the Safe Harbor program from publicly available privacy policies and statements if the company’s certification status is unclear; and
- review substantive compliance with the Safe Harbor program and institute corrective action and controls to ensure that compliance is maintained.
In Boston, we celebrated Data Privacy Day (January 28) by presenting “U.S. Privacy and Data Protection: 2013 Year In Review and a Prediction of What’s to Come in 2014” for participants in an IAPP KnowledgeNet. Our panel of speakers discussed significant U.S. data privacy and protection events from 2013 and shared thoughts about what’s ahead for 2014 in U.S. data privacy and protection. You may download the presentation slides here.
We hope you find our presentation materials informative. Of course, please do not hesitate to contact any member of the Of Digital Interest editorial team with questions or comments.