Amy C. Pimentel focuses her practice on privacy and data security and general health law. Her clients operate in a variety of industries, including health care, consumer products, retail, food and beverage, technology, banking and other financial services.

On January 6, the Federal Trade Commission (FTC) released a report that it hopes will educate organizations on the important laws and research that are relevant to big data analytics. The report, Big Data: A Tool for Inclusion or Exclusion? Understanding the Issues, looks specifically at how big data is used after it is collected and analyzed and provides suggestions aimed at maximizing the benefits and minimizing the risks of using big data.

Risk and Rewards

The report argues that big data analytics can provide numerous opportunities for improvements in society. In addition to more effectively matching products and services to consumers, big data can create opportunities for low income and underserved communities. The report highlights a number of innovative uses of big data that provide benefits to underserved populations, such as increased educational attainment, access to credit through nontraditional methods, specialized health care for underserved communities, and better access to employment.

At the same time, the report shows that potential inaccuracies and biases might lead to detrimental effects for low-income and underserved populations. For example, organizations could use big data to inadvertently exclude low-income and underserved communities from credit and employment opportunities, which may reinforce existing disparities or weaken the effectiveness of consumer choice.

Considerations for Using Big Data

The report outlines some of the consumer protection laws (in particular, the Fair Credit Reporting Act and the FTC Act) and equal opportunity laws that apply to the use of big data, especially with regard to possible issues of discrimination or exclusion. It also recommends that an organization consider the following questions to help ensure that its use of big data analytics does not lead to unlawful exclusion or discrimination:

  • How representative is your data set? If the data set is missing information from particular populations, take appropriate steps to address this problem.
  • Does your data model account for biases? Review data sets and algorithms to ensure that hidden biases do not have an unintended impact on certain populations.
  • How accurate are your predictions based on big data? Balance the risks of using correlative results, especially where the business’ policies could negatively affect certain populations.
  • Does your reliance on big data cause ethical or fairness concerns? Consider whether fairness and ethical considerations advise against using big data in certain circumstances and whether the business can use big data in ways that advance opportunities for previously underrepresented populations.

Monitoring and Enforcement Ahead

The FTC stated that its collective challenge is to make sure that big data analytics continue to provide benefits and opportunities to consumers while adhering to core consumer protection values and principles. It has committed to continue monitoring areas where big data practices could violate existing laws and to bring enforcement actions where appropriate. With that in mind, organizations that already use big data and those that have been persuaded by the reported benefits of big data should heed the FTC’s advice. The FTC is highlighting its interest in the consumer protection and equal opportunity ramifications of big data use. This report serves as a warning—a statement of intent—that the FTC will be evaluating data practices in light of these concerns. It is clear that organizations must identify and mitigate the risks of using big data, not only those dealing with privacy and data protection but also those presenting consumer protection and equal opportunity issues. Thinking critically about and taking corrective action in line with the considerations listed above, and creating a record that such steps have been taken, may help organizations using big data to avoid FTC regulatory scrutiny.

As we reported on October 19th, the Article 29 Working Party on the Protection of Individuals with Regard to the Processing of Personal Data challenged the EU member states to “open discussions with the US” to find a viable alternative to the Safe Harbor program. Today, the European Commission (EC) issued a public statement confirming its commitment to working with the United States on a “renewed and sound framework for transatlantic transfers of personal data.” The apparent trigger for today’s announcement is “concerns” from businesses about “the possibilities for continued data transfers” while the Safe Harbor Sequel is under negotiation.

In its statement, the EC confirms that during the pendency of the U.S.-EU negotiations, Standard Contractual Clauses and Binding Corporate Rules (BCRs) are viable bases for legitimizing data transfers that formerly were validated by the Safe Harbor Program.

The EC was careful to note that today’s guidance “does not lay down any binding rules” and “is without prejudice to the powers and duty of the DPAs (Data Protection Authorities) to examine the lawfulness of such transfers in full independence.” In other words, a DPA still may decide that Standard Contractual Clauses and BCRs are not viable under its country’s laws.

The Judicial Redress Act of 2015 (H.R. 1428) (Judicial Redress Act) is on its way to the U.S. Senate. On October 20th, the U.S. House of Representatives voted in favor of passage.

The Judicial Redress Act extends certain privacy rights under the Privacy Act of 1974 (Privacy Act) to citizens of the EU and other specified countries.

The preamble to the Judicial Redress Act states that:

“The Judicial Redress Act provides citizens of covered foreign countries with the ability to bring suit in Federal district court for certain Privacy Act violations by the Federal Government related to the sharing of law enforcement information between the United States and a covered foreign government. Any such lawsuit is subject to the same terms and conditions that apply to U.S. citizens and lawful permanent residents who seek redress against the Federal Government under the Privacy Act. Under current law, only U.S. citizens and lawful permanent residents may bring claims against the Federal Government pursuant to the Privacy Act despite the fact that many countries provide U.S. citizens with the ability to seek redress in their courts when their privacy rights are violated. Enactment of this legislation is necessary in order to promote and maintain law enforcement cooperation and information sharing between foreign governments and the United States and to complete negotiations of the Data Protection and Privacy Agreement with the European Union.”

The House’s passage of the Judicial Redress Act is expected to help mitigate one of the key criticisms of U.S. privacy protection from EU regulators. As discussed in our blog posts from earlier this month, in the Court of Justice of the European Union (CJEU) decision invalidating the U.S.-EU Safe Harbor Program, the CJEU noted that EU residents lack an “administrative or judicial means of redress enabling, in particular, the data relating to them to be accessed and, as the case may be, rectified or erased.” Once passed by the Senate (as is generally expected), the Judicial Redress Act will provide that means of redress.

Check back for updates on the Senate’s consideration of the Judicial Redress Act and the ongoing EU-US negotiations about a Safe Harbor Sequel.

As we wrote on October 6, 2015, the Court of Justice of the European Union (CJEU) announced its invalidation of the U.S.-EU Safe Harbor program as a legally valid pathway for transferring personal data of European Union (EU) residents from the EU to the United States. An avalanche of reports, analyses and predictions followed the CJEU announcement because so many U.S. businesses operating in the EU relied on the validity of the Safe Harbor program.

As we expected, the CJEU decision was not the final chapter. On October 16, the Article 29 Working Party on the Protection of Individuals with Regard to the Processing of Personal Data (the Working Party, an independent advisory board to data protection authorities in EU members states) called on the EU member states to “open discussions with the US” to find a viable alternative to the Safe Harbor program.

Echoing the CJEU’s concern about “massive and indiscriminate surveillance” by the U.S. government, the Working Party challenged the United States and the EU to produce, by 31 January 2016, a new data transfer framework with “stronger guarantees” of EU residents’ “fundamental rights” to data privacy, as well as “redress mechanisms” for violations.

In the meantime, the Working Party affirmed that data transfers formerly validated by the Safe Harbor program are not legal. It also noted its intent to evaluate the validity of the two other key EU-U.S. data transfer pathways: Binding Corporate Rules (BCRs) and Standard Contractual Clauses.

What This Means for U.S. Businesses

While waiting for news of Safe Harbor: The Sequel, our Privacy and Data Protection Group continues to advise a business that relied on the Safe Harbor program to:

  1. Classify the data transferred from the EU to the United States (employee, consumer, business contacts, etc.).
  2. Determine which of the data transfers from the EU to the United States were formerly validated by Safe Harbor.
  3. Identify vendors that transfer EU personal data for the business and determine how those vendors validate their transfers (e.g., Did a vendor represent that it could make legitimate transfers via Safe Harbor, and, if so, what happens now?).
  4. Decide how best to address EU to U.S. personal data transfers under one of the other data transfer pathways based on data classification (e.g., Binding Corporate Rules for intra-company transfers; Standard Contractual Clauses for transfers to third parties that do not otherwise meet EU requirements; or consent of each EU data subject—an impractical option for high-volume transfers).

Stay tuned for more on Safe Harbor: The Sequel and guidance for businesses.

Law enforcement requests for electronic information, particularly from technology companies such as Google and Twitter, have skyrocketed in recent years. In response, several states—Maine and Texas in 2013, Utah in 2014 and Virginia earlier in 2015—passed laws that limit law enforcement searches of electronic data. On October 9, 2015, California joined these states by passing the California Electronic Communications Privacy Act (CalECPA), which is intended to protect California residents from unauthorized invasion of their digital privacy.

CalECPA applies to “electronic information,” which includes both “electronic communication information” and “electronic device information”:

  • Electronic communication information means “any information about an electronic communication or the use of an electronic communication service including … any information pertaining to any individual or device participating in the communication.”
  • Electronic device information means “any information stored on or generated through the operation of an electronic device, including the current and prior locations of the device.”

CalECPA generally requires a warrant before any business turns over any individual’s electronic information. Specifically, CalECPA prohibits any government entity that does not have a valid warrant or court order from:

  • Compelling an electronic communication service provider to produce or access electronic communication information;
  • Compelling any person or entity other than the authorized possessor of the device to produce or access electronic device information; or
  • Accessing electronic device information by physical interaction or electronic communication with the electronic device.

In addition, CalECPA requires:

  • A government entity to notify the target of an investigation about the electronic information covered by the search warrant; and
  • A “service provider” to verify the authenticity of electronic information that it produces pursuant to a warrant or government request.

CalECPA also permits a service provider to voluntarily disclose electronic communication information when disclosure is not otherwise prohibited by law.

Why does CalECPA matter? CalECPA extends privacy rights to electronic data in a way that federal law has not: it bars any state law enforcement or investigative entity from compelling a business to turn over any metadata or digital communication—including emails, texts and documents stored in the cloud—without a warrant. It also requires a warrant to search or track the location of a business’ electronic devices, such as mobile phones. Also, no business (or its officers, employees and agents) may be subject to any cause of action for providing information or assistance pursuant to a warrant or court order under CalECPA.

Earlier today, the Court of Justice of the European Union (CJEU) announced its determination that the U.S.-EU Safe Harbor program is no longer a “safe” (i.e., legally valid) means for transferring personal data of EU residents from the European Union to the United States.

The CJEU determined that the European Commission’s 2000 decision (Safe Harbor Decision) validating the Safe Harbor program did not and “cannot eliminate or even reduce the powers” available to the data protection authority (DPA) of each EU member country. Specifically, the CJEU opinion states that a DPA can determine for itself whether the Safe Harbor program provides an “adequate” level of personal data protection (i.e., “a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union” as required by the EU Data Protection Directive (95/46/EC)).

The CJEU based its decision invalidating the Safe Harbor Decision in part on the determination that the U.S. government conducts “indiscriminate surveillance and interception carried out … on a large scale”.

The plaintiff in the case that gave rise to the CJEU opinion, Maximilian Schrems (see background below), issued his first public statement praising the CJEU for a decision that “clarifies that mass surveillance violates our fundamental rights.”

Schrems also made reference to the need for “reasonable legal redress,” referring to the U.S. Congress’ Judicial Redress Act of 2015. The Judicial Redress Act, which has bi-partisan support, would allow EU residents to bring civil actions in U.S. courts to address “unlawful disclosures of records maintained by an [U.S. government] agency.”

Edward Snowden also hit the Twittersphere with “Congratulations, @MaxSchrems. You’ve changed the world for the better.”

Background

Today’s CJEU opinion invalidating the Safe Harbor program follows on the September 23, 2015, opinion from the advocate general (AG) to the CJEU in connection with Maximilian Schrems vs. Data Protection Commissioner.

In June 2013, Maximilian Schrems, an Austrian student, filed a complaint with the Irish DPA. Schrems’ complaint related to the transfer of his personal data collected through his use of Facebook. Schrems’ Facebook data was transferred by Facebook Ireland to Facebook USA under the Safe Harbor program. The core claim in Schrems’ complaint is that the Safe Harbor program did not adequately protect his personal data, because Facebook USA is subject to U.S. government surveillance under the PRISM program.

The Irish DPA rejected Schrems’ complaint because Facebook was certified under the Safe Harbor Program. Schrems appealed to the High Court of Ireland, arguing that the Irish (or any other country’s) DPA has a duty to protect EU citizens against privacy violations, like access to their personal data as part of U.S. government surveillance. Since Schrems’ appeal relates to EU law (not solely Irish law), the Irish High Court referred Schrems’ appeal to the CJEU.

What This Means for U.S. Business

The invalidation of the Safe Harbor program, which is effective immediately, means that a business that currently relies on the Safe Harbor program will need to consider another legally valid means of transferring personal data from the EU to the United States, such as the use of EU-approved model contractual clauses or binding corporate rules.

We believe, however, that this is not the final chapter in the Safe Harbor saga. Please check back soon for more details and analysis.

On April 29, 2015, the Cybersecurity Unit in the Computer Crime and Intellectual Property Section (CCIPS) of the U.S. Department of Justice released a best practices document (Document) for victims of cyber incidents. The Document provides useful and practical tips that will assist organizations, regardless of size and available resources, in creating a cyber-incident response plan and responding quickly and effectively to cyber incidents. It iterates many of the important lessons that federal prosecutors and private sector companies have learned in handling cyber incidents, investigations, prosecutions and recoveries.

Assistant Attorney General Leslie Caldwell delivered a speech at the Criminal Division’s Cybersecurity Industry Roundtable on April 29, 2015, wherein she described the Document as “living,” and one that CCIPS will “continue to update as the challenges and solutions change over time.” Caldwell added that this Document is an example of the assistance CCIPS plans to continue to provide in order to elevate cybersecurity efforts and build better channels of communication with law enforcement.

Best Practices for Cybersecurity Preparedness

CCIPS recommends eight steps as part of an organization’s pre-planning activities to help limit computer damage, minimize work disruption, and maximize the ability of law enforcement to locate and apprehend perpetrators:

  1. Identify your “Crown Jewels”—an organization’s most valued assets that warrant the most protection.
  2. Have an actionable plan in place before an intrusion occurs—stressing the word “actionable,” CCIPS suggests organizations decide on specific, concrete procedures to follow in the event of a cyber incident.
  3. Have appropriate technology and services in place—equipment, such as data back-up, intrusion detection capabilities, data-loss-prevention technologies, and devices for traffic filtering or scrubbing, should be installed, tested, and ready to deploy before a cyber incident occurs.
  4. Have appropriate authorization in place to permit network monitoring—obtain employee consent to monitor and disclose, as necessary, their communications to facilitate early detection and response to a cyber incident.
  5. Ensure your legal counsel is familiar with technology and cyber incident management—legal counsel who are conversant and accustomed to addressing issues associated with cyber attacks will speed up an organization’s decision-making process and reduce the organization’s response time.
  6. Ensure organization policies align with the cyber incident response plan—preventative and preparatory measures should be implemented in all relevant organizational policies, such as human resources policies.
  7. Engage with law enforcement before an incident—meeting and engaging with local federal law enforcement offices will facilitate interaction and establish a trusted relationship.
  8. Establish a relationship with cyber information sharing organizations—information sharing organizations exist in every sector of critical infrastructure and may provide cybersecurity-related services.

The Cyber Incident Preparedness Checklist (included in the Document) succinctly outlines these eight steps, and is of practical use to an organization that is creating or improving its already-existing incident response plan. For an incident response plan, the Document provides explicit examples of the types of information an organization should evaluate when assessing the nature and scope of an incident. It also includes the information an organization should document in its initial assessment and the types of notes, logs and records it should retain related to the attack that will assist law enforcement, recovery time and post-incident review. These records include:

  • A “forensic image” of the affected computer(s)
  • Descriptions of incident-related events, including dates and times
  • Information about incident-related phone calls, emails, and other contacts
  • Identity of persons working on tasks related to the incident, including a description and the amount of time spent
  • Descriptions of the systems, accounts, services, data, and networks affected by the incident and how each were affected
  • Information relating to the amount and type of damage inflicted by the incident
  • Information regarding network topology, the type and version of software run on the network and any peculiarities in the organization’s network architecture

Putting Guidance to Practice

We agree with CCIPS that the best time to plan for a cyber attack is well before it occurs, and reviewing this guidance is a great first step. Other important steps include assembling an effective incident response plan that is tested regularly through table-top exercises, and having in place appropriate information-security controls designed to reduce the risk of an attack—or at least reduce the severity of the attack when it (inevitably) occurs.

The National Institute of Standards and Technology (NIST) released its Cybersecurity Framework (Framework) almost 15 months ago and charged critical infrastructure companies within the United States to improve their cybersecurity posture. Without question, the Framework has sparked a national conversation about cybersecurity and the controls necessary to improve it. With regulators embracing the Framework, industry will want to take note that a “voluntary” standard may evolve into a de facto mandatory standard.

Read the full On the Subject on the NIST Cybersecurity Framework on the McDermott website.

Executive Order 13694 is the Obama Administration’s latest tool to combat cybersecurity threats. On April 1, 2015, President Obama declared a national emergency to address the “increasing prevalence and severity of malicious cyber-enabled activities” originating from outside the United States that “constitute an unusual and extraordinary threat to the national security, foreign policy and economy of the United States.”

The order authorizes the U.S. Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State, to impose sanctions, including asset freezes and travel bans, on those persons and entities determined to be responsible for, or complicit in, malicious cyber-enabled activities that have the purpose or effect of:

  • Harming or significantly compromising the provision of services by entities in a critical infrastructure sector;
  • Significantly disrupting the availability of a computer or network of computers; or
  • Causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers or financial information for commercial or competitive advantage or private financial gain.

Although the order does not define “malicious cyber-enabled activities,” the Department of Treasury, in its online FAQs, anticipates that the order will cover “deliberate activities accomplished through unauthorized access to a computer system, including by remote access; circumventing one or more protection measures, including by bypassing a firewall; or compromising the security of hardware or software in the supply chain.”

This strategic move by the administration is intended to address situations where, for jurisdictional or other reasons, certain significant malicious cyber actors may be beyond the reach of other authorities available to the U.S. government. This sanctions program does not target nation states, individuals acting on behalf of those nation states, or victims of malicious cyber activities.

Executive Order 13694 in Practice

The Department of Treasury FAQs and the White House Office of the Press Secretary’s Fact Sheet explain how the program will work. According to these materials, the Treasury’s Office of Foreign Assets Control (OFAC), in coordination with other U.S. government agencies, will identify individuals and entities whose conduct meets the criteria set forth in the order. These individuals and entities will then be designated for sanctions and added to OFAC’s list of Specially Designated Nationals and Blocked Persons (SDN List).

Once OFAC determines the specific entities and individuals that are subject to sanctions under the order, all U.S. citizens and permanent resident aliens, all persons and entities within the United States, and all U.S.-incorporated entities and their non-U.S. subsidiaries or branches will be prohibited from engaging in trade or any other transactions with these individuals or entities owned by these individuals.

OFAC cautions that individuals or firms that “facilitate or engage in online commerce are responsible for ensuring that they do not engage in unauthorized transactions or dealings with persons named on the sanctions list or operate in jurisdictions targeted by comprehensive sanctions programs.” At this point, it is unclear how the Treasury will enforce the order and what, if any, penalties will be levied against those not in compliance.

Complying with the Order

Because the order was issued without any persons yet in line to be immediately placed on the OFAC list, there are no immediate obligations for U.S. corporations. However, once the Secretary of the Treasury begins to populate the list, organizations and individuals must ensure that they do not engage in unauthorized transactions or dealings with those identified persons. FAQ 446 reminds us that the names and identifying information of all individuals and entities included on OFAC’s sanctions lists may be located at: http://sdnsearch.ofac.treas.gov.

While we wait for more instructions via the forthcoming regulations, organizations that already have a compliance program should confirm that it regularly checks the SDN List before doing business with foreign entities or individuals. For organizations that do not yet have a compliance program, the Department of Treasury suggests a tailored, risk-based compliance program that may include sanctions list screening or other appropriate measures.

We will be watching for the release of the regulations and for names to be added to the SDN List. We will report back on the blog with these developments.