by Monique Altheim on February 23, 2014
Conferences
- Powerpoint presentation of the closing plenary session on privacy @legaltechNY “Ripped from the Headlines: Cautionary Tales from the Annals of Data Privacy”
COPPA
Data Breaches
- Barclays’ Busted For Stealing, Selling Confidential Financial Data Of Thousands Of Clients
- UK: Barclays cybertheft involved cooperation of employee
- 2013 broke the previous all-time record for the number of records exposed by reported data breach incidents. The 2,164 incidents reported during 2013 exposed over 822 million records, nearly doubling the previous highest year on record (2011).
- Syrian Electronic Army hacks Forbes, steals and dumps employee and user data
- Email attack on vendor set up breach at Target
- Retailers Testify on Data Security at Senate Judiciary Committee Hearing, Express Support for Chip-and-PIN Technology
- Senate hearing on data breaches & cybercrime. Target and Neiman Marcus reps testify.
- New Federal Court Decision Affirms the Standing Doctrine as a Critical Hurdle to Data Breach Actions. An increased risk of becoming a victim of fraud, identity theft, or phishing at some point in the future was held insufficient to constitute “injury-in-fact”.
- http://www.insideprivacy.com/united-states/litigation/federal-court-dismisses-data-breach-suit-alleging-only-speculative-harms/
- Jay Cline: U.S. takes the gold in doling out privacy fines
Data Brokers/FCRA
- Data Broker Accountability and Transparency Act Introduced By Senate Democrats
Data Security
- The White House released the National Institute of Standards and Technology’s (NIST) Final Cybersecurity Framework: a set of industry best practices and standards to help owners and operators of critical infrastructure develop better cybersecurity programs.
- Senate Democrats Introduce the Data Security and Breach Notification Act of 2014. The bill would require the Federal Trade Commission (FTC) to promulgate federal data security standards, establish federal data breach notification requirements, criminalize concealing breaches of security involving personal information, provide potentially harsh civil penalties, and preempt state data security and breach notification laws.
- The FTC’s Data Security Guidelines
Drones
- WA: House Bill 2789, which was approved by an 83-15 vote, would limit the purchase and use of unmanned aircraft systems by state and local agencies. House Bill 2178, passed by a vote of 92-6, would ban the unauthorized use of drones, or other unmanned aircraft with sensing devices, above private property. http://www.theolympian.com/2014/02/17/2990592/house-passes-drone-government.html
EU Data Protection
- Facebook must comply with German data protection law, the Higher Court of Berlin rules. The court finds that Facebook’s data processing is handled by the US parent company, not by Facebook Ireland. Had the court found that user data was processed by Facebook Ireland rather than Facebook US, Irish data protection law would have applied: under the EU Directive, the law of the EU Member State in which the company has an establishment applies where the processing is carried out in the context of the activities of that establishment (EU Directive 95/46/EC, Art. 4(1)(a)). In the absence of this condition (as was the case here, since the court decided that no processing occurred in Ireland and that the processing instead took place in data centers in the US), the second rule on applicable law applies: the law of the Member State on whose residents’ computers or other devices the data controller (here, Facebook) sets cookies (EU Directive 95/46/EC, Art. 4(1)(c)), in this case Germany.
- European Member States and ENISA Issue Standard Operational procedures (SOPs) to Manage Multinational Cyber Crises
- EU Commissioner Reding introduces her Eight Principles of Data Protection
EU Data Protection Reform
- Official declaration from the Franco-German ministerial council: adoption of #EUDataP no later than 2015.
- The ICO has published a comparative analysis of the EU Commission text and the EP Justice Committee amendments.
EU-US Safe Harbor
- FTC Settles with Twelve Companies Falsely Claiming to Comply with International Safe Harbor Privacy Framework.
- Fantage: FTC settles with gaming site over privacy claims.
FCC
FCRA
FERPA
FTC
HIPAA
Q: Is a mental healthcare provider allowed to share psychotherapy notes with anyone?
A: No, not even with another healthcare provider for treatment purposes, unless the patient gives consent. As for sharing the notes with the patient, HIPAA leaves that to the discretion of the mental healthcare provider.
Q: What if a patient threatens to blow up a school?
A: Yes, disclosure is permitted then, because this is an imminent safety threat. Depending on the applicable State law, there may even be a “duty to warn”.
Remember that in a State with stricter laws, the stricter State law prevails.
- The Workgroup for Electronic Data Interchange (WEDI) issues Guidance for Assessment of Potential Breaches under HIPAA.
IoT (Internet of Things)
NSA
- AT&T has released its first transparency report, disclosing more than 300,000 government requests for data in 2013.
New Developments in Technology and Lifestyles
- Dropbox’s new Privacy Policy, effective March 24, includes a Government Surveillance “Manifesto”. Its new Terms of Service include an arbitration clause, which you have 30 days to opt out of.
- Dutch telecom operator KPN has struck a deal with encrypted communications provider Silent Circle to start offering its Dutch, German and Belgian customers encrypted phone calls and text messages.
- Apple promises fix “very soon” for Macs with failed encryption.
- Cryptolocker scrambles US law firm’s entire cache of legal files.
- Facebook Unveils New Tool to Read Posts and News, via @nytimes