Round Four of The Personal Data Privacy and Security Act

On June 7, 2011, Senator Patrick Leahy introduced “The Personal Data Privacy and Security Act” — the fourth time he has introduced this particular piece of legislation.  According to the senator’s press release, the law would “establish a national standard for data breach notification, and require American businesses that collect and store consumers’ sensitive personal information to safeguard that information from cyber threats.”  This latest incarnation of the law was likely prodded by the White House’s recent legislative call to action, a call to action that listed a national data breach notification law first.

The 70-page bill proposes significant changes to existing laws, many of which make sense now that the theft of personal data has become a mainstay of organized crime.  For example, as recommended by the recent White House proposal, it amends the Computer Fraud and Abuse Act to add RICO-like language.  There are also significant obligations for data brokers, as well as money penalties assessed against data brokers who violate these obligations.  Throughout the proposed law, including the section regarding data broker duties, state attorneys general are given broad powers to bring civil actions and can obtain significant money penalties for violations of the law.

Another section of the proposed law seeks to ensure that any business “engaging in interstate commerce that involves collecting, accessing, transmitting, using, storing, or disposing of sensitive personally identifiable information in electronic or digital form on 10,000 or more United States persons” must adhere to “standards for developing and implementing administrative, technical, and physical safeguards to protect the security of sensitive personally identifiable information.”  Unlike the Red Flags regulations promulgated by the FTC and subsequently clarified by Congress, these requirements would reach beyond creditors.  Businesses already subject to existing data safeguarding laws such as HIPAA and Gramm-Leach-Bliley would, however, be exempt from these new requirements. Violations of this section would bring with them significant money penalties as well as possible enforcement by either the FTC or state attorneys general.  As with the other sections of the proposed law, there is no private right of action.

The final section of the proposed law provides for nationwide data breach notification, which generally requires that all covered breaches be reported without unreasonable delay.  Again, state attorneys general are given broad enforcement rights:

The Attorney General may bring a civil action in the appropriate United States district court against any business entity that engages in conduct constituting a violation of this subtitle and, upon proof of such conduct by a preponderance of the evidence, such business entity shall be subject to a civil penalty of not more than $1,000 per day per individual whose sensitive personally identifiable information was, or is reasonably believed to have been, accessed or acquired by an unauthorized person, up to a maximum of $1,000,000 per violation, unless such conduct is found to be willful or intentional.

Without the ability to bring a private right of action, these enforcement powers and penalties still only indirectly stir the class action pot. 

Of the many competing privacy and data security laws being offered up in Congress, it remains to be seen which is the front runner.  Given that both parties have endorsed a federal breach notification law that would serve to harmonize the 47 state breach notice laws and this one apparently seeks to combine the best of current state law, it seems at least the breach notification section of Leahy’s proposed law might have a chance of passing both houses.    As well, this proposed law is not likely to upset privacy advocates given the Department of Commerce is given no new powers.  Most importantly, given that it has much of what was outlined in the recent White House proposal, the entire proposed law would likely be signed into law by the President.  For good or for bad, with only 40 legislative days left before the election that wouldn’t be happening any time soon.

Defense Contractors May Be Impacted by RSA Breach

On the heels of the breach that potentially exposed RSA’s source code for its SecurID tokens (the same tokens used every day by thousands of employees to access their corporate VPNs), a defense contractor acknowledged on May 27, 2011 that its network may have been compromised as an indirect result of the RSA breach.  As reported by Reuters, Bloomberg, and the New York Times, the defense contractor “detected an intruder trying to break into its networks last Sunday. It shut down much of its remote access and has been providing new tokens and passwords to many workers.”

It is still not certain whether the two breaches are related, but it is interesting to note that this story was first broken by a blogger and not the broader media.   Given that this incident may involve military information, it is likely we will never fully learn what happened.  When it comes to divulging secrets, misinformation is usually the stock in trade of the military.

What remains clear, however, is that advanced persistent threats continue to pose long-term risks to corporate and governmental interests.   The good old days of naive hackers stumbling upon exposed databases and inadvertently helping to plug a previously unknown hole are no more.   We are now in the age where a state actor or sophisticated cyber criminal will gladly sit on vulnerabilities for as long as it takes.  Simply put, with enough patience, a determined and sophisticated thief will eventually get whatever information a buyer may want.

[Update:  June 10, 2011]
RSA conceded that the defense contractor breaches may be related to RSA’s March breach and has offered to replace corporate SecurID fobs.  There is some supposition that a large defense bid was the catalyst leading to both the RSA breach and the subsequent defense contractor breaches.  We may never know who caused the various attacks or why.   What we do know, however, is that RSA has decided to appoint its first chief security officer.

Law Firm Sues to Have Non-Lawyer Ownership

On May 18, 2011, Jacoby & Meyers Law Offices LLP filed lawsuits challenging state professional rules in New York, New Jersey and Connecticut that prohibit non-lawyers from having an ownership interest in law firms.  The New York lawsuit was filed in the United States District Court for the Southern District of New York and alleges that Rule 5.4 of New York’s Rules of Professional Conduct — which precludes a lawyer from practicing law with an entity where a non-lawyer owns any interest therein — causes “critical sources of funding (to be) unavailable to a majority of lawyers in New York (and elsewhere) which dramatically impedes access to legal services for those otherwise unable to afford them.” See Complaint at Paragraph 2.

In contrast to the well-thought-out plan executed in the UK that will soon allow UK law firms to take on non-lawyer equity owners and managers, Jacoby & Meyers is doing what most plaintiffs’ counsel resort to when they don’t get their way, namely filing a lawsuit.  There is nothing new in the Complaint regarding this longstanding debate and certainly nothing that has not been argued before by law firms looking to combat a stagnating book of business. 

The gist of the Complaint turns on the purported need for law firms to have access to outside capital.  Specifically, the Complaint alleges that without such access firms like Jacoby & Meyers are unable to pay for necessary improvements in technology and infrastructure.  And, without such improvements, the disenfranchised will not have adequate legal services available to them.

Although it is unlikely that the three filed lawsuits will survive very long or directly change longstanding ethical requirements, there is certainly nothing wrong in having this issue come up for discussion.   And, it may be very timely given the American Bar Association ethics committee is now taking comments on whether to change its model ethics rules to allow for the joint ownership of law firms.  In fact, this ABA initiative may have actually precipitated the Jacoby & Meyers lawsuit given it is cited in the Complaint.

Do Not Track Law Comes Closer to Reality

Apparently seeking to mimic the success of the “do not call” registry, on May 9, 2011, Sen. Jay Rockefeller (D-W.Va.) introduced an online “do not track” privacy bill that would give consumers the ability to block companies from tracking their online activities.  The proposed Do-Not-Track Online Act of 2011 comes on the heels of another consumer privacy bill proposed by Senators Kerry and McCain.  The competing Kerry bill does not have a “do not track” feature, excludes the possibility of a private right of action (Sec. 406), and was generally panned by privacy activists as potentially being too pro-business.   On the other hand, an ACLU spokesman described the Rockefeller bill as “a crucial civil liberties protection for the twenty-first century.”

Given the support being offered by the White House, the Rockefeller bill has a real chance of being passed into law.  What it will eventually mean to the cost of “free” applications sponsored by marketers and their clients remains to be seen.

Location Tracking Class Action Suit is Filed Against Google

On the heels of the awareness created by a recent California Supreme Court decision, the actions of a German privacy advocate, and a widely tweeted Wall Street Journal article, Google has been sued for its holding of location-based tracking information.   This action differs from an earlier Apple lawsuit in several respects outlined by Infosec Island.

Given the broad scope of the five claims brought against Google, this suit is definitely worth monitoring.

Update — August 18, 2011

Korea gets into the action with a class action suit from 27,000 South Koreans claiming Apple violated Korean privacy law with the location based tracking feature found on the company’s iPhone smartphone, iPad tablet and iPod Touch.

Is it Time to Ditch Your Facebook Account?

A recently published study funded in part by the National Institutes of Health shows that the brain’s capacity to move back and forth from distractions diminishes with age.  The findings, which were reported in the online edition of the Proceedings of the National Academy of Sciences (April 11, 2011), ultimately suggest that multi-tasking may impact our working memory, i.e., the ability to hold and manipulate information in the mind.  According to one of the study’s authors, Adam Gazzaley, MD, PhD, director of the UCSF Neuroscience Imaging Center:

The impact of distractions and interruptions reveals the fragility of working memory.  This is an important fact to consider, given that we increasingly live in a more demanding, high-interference environment, with a dramatic increase in the accessibility and variety of electronic media and the devices that deliver them, many of which are portable.

Other researchers are more direct in pointing a finger at the potential cause of this problem.  According to Dr. Elias Aboujaoude, director of Stanford’s Impulse Control Disorders Clinic, “persons are suffering in terms of cognition and attention spans because of the time spent online.”  Interestingly, some studies have shown that students may be aware that technology is having a detrimental effect on their academic performance and are open to learning time management strategies and strategies for managing cognitive workloads.

What exactly does all of this research mean for the average tech junkie remains unclear.  At the very least, it may be an early wake up call to have a more measured approach to social media.  If the tweets are in the thousands and the blog posts number in the hundreds it may not be healthy to continually jump on an iPad to use Bizzy or check on a Facebook account.  In other words, give it a rest or the work product may ultimately suffer.

[Update:  June 14, 2011]
As per this article in the Daily Mail, Facebook fatigue may be catching on —  six million US users apparently deactivated their accounts in May 2011.

Location-Based Tracking Data Creates a New Privacy Concern

On March 25, 2011, Fordham Law School conducted a timely symposium on the legal and privacy policy implications of location-based technologies, i.e., those technologies that collect and use data indicating a person’s specific physical location.  The lively panel discussions all had one underlying theme: location-based tracking may be pervasive, but the relevant policies are still in their infancy.  Although the “privacy-worthiness” of geo-location data has recently been in the news given the California Supreme Court’s ruling that ZIP code information can be considered “personal identification information”, location-based tracking of persons may actually loom as an even more fertile proving ground for privacy litigation given the ubiquitous nature of the activity.

It is commonly known that most smart mobile devices built today have some sort of GPS tracking capability.  Despite numerous media accounts, it is unlikely, however, that many mobile phone users also realize that their phone carriers record their location at frequent intervals (the Spitz data discussed below works out to a location record roughly every seven minutes on average) and actually store this data.  Although consumers may not be fully aware of the location-based tracking that is going on, there are a number of startups banking on this capability.  Free mobile apps such as “Color” provide folks with the opportunity to share images and videos with those persons located in their very near geographic vicinity.  And start-ups such as Foursquare and Bizzy offer a more commercially viable application that provides consumers with opt-in shopping recommendations based on their geographic location.

Just how big an issue this will become remains to be seen given we are at the early stages of location-based data collection and marketing.  What should be of concern is the fact that huge stores of data exist on pretty much every mobile phone user.  Although the EU has had rules in place since 2005 regarding location-based tracking, the FTC has only recently raised the privacy implications of the vast amounts of location-based data being collected.  See Protecting Consumer Privacy in an Era of Rapid Change, A Proposed Framework for Businesses and Policymakers (Preliminary FTC Staff Report, December 2010) at 23 – 25.

German privacy advocate Malte Spitz wanted to find out exactly how much tracking data T-Mobile Germany was storing about him, so he used German privacy laws to obtain the information.  What he got back from T-Mobile was six months of data including 35,831 points of location information.

According to a German newspaper that first wrote about the data trove maintained by Spitz’s phone company:

This profile reveals when Spitz walked down the street, when he took a train, when he was in an airplane. It shows where he was in the cities he visited. It shows when he worked and when he slept, when he could be reached by phone and when was unavailable. It shows when he preferred to talk on his phone and when he preferred to send a text message. It shows which beer gardens he liked to visit in his free time. All in all, it reveals an entire life.

On March 29, 2011, U.S. Reps. Edward Markey (D-Mass) and Joe Barton (R-Texas), Co-Chairmen of the House Bi-Partisan Privacy Caucus, responded to the public disclosure of the Spitz data request, by sending letters to the CEOs of the four major U.S. wireless carriers – AT&T, Verizon, Sprint, and T-Mobile.  These letters request information regarding data collection, storage and disclosure practices.

After the four major U.S. wireless carriers respond to Congressmen Markey and Barton, we may be in a better position to understand how companies plan on using the location-based data that is being collected.  More importantly, we will get a better handle on how the FTC and other regulatory bodies may eventually chime in on this privacy debate.  In the interim, companies looking to harness the marketing potential of location-based tracking data should evaluate whether it makes sense to refrain from selling available data.

CNIL Goes Easy With Google Fine

On March 17, 2011, CNIL fined Google €100,000 for improperly gathering and storing data for its Street View application.   Founded over thirty years ago, CNIL is an independent administrative authority that protects the privacy and personal data of French citizens.

Although this is the largest penalty ever awarded by CNIL, it certainly does not begin to move the needle when it comes to hurting Google’s very deep pockets.  This is nothing more than an interesting wrist slap in light of the significant privacy infraction.  The personal data improperly collected by roaming “Google bikes” and “Google cars” amounted to 600 gigabytes of unencrypted Wi-Fi data, including e-mails and web browsing histories.

Even though US regulators have been hitting hard with recent fines of $4.3 million and $1 million, one lingering threat that was always out there on the privacy regulatory front was from an EU privacy agency holding a firm to unexpectedly high standards.   After seeing CNIL’s Google fine, that threat may have sputtered away.  What US firms need to continue to fear are the many class action suits that quickly sprout up — as they did when Google disclosed this “Wi-Spy” mishap — whenever there is a public disclosure of a privacy breach.

Latest APT Victim: RSA

In what has become an annual mecca for the data security industry, thousands visit San Francisco each February to attend “RSA” — a conference named after the network security company purchased by data storage firm EMC five years ago.  This mega-conference caters to the security cognoscenti — as well as those who only profess to be.

Well, a few days ago, RSA announced it was the latest high-profile victim of an APT exploit.  As recognized by RSA’s Executive Chairman, Art Coviello, “APT threats are becoming a significant challenge for all large corporations.”  These exploits are the same sort of attacks that the press was quick to blame on the Chinese last year.  In fact, the Wall Street Journal reported last year that such attacks impacted over 2,400 businesses.  How exactly can a company avoid an APT, or “advanced persistent threat”, when a firm like RSA also gets hit by such criminal activity?

By way of background, APT campaigns typically open with targeted social engineering techniques (once upon a time simply known as confidence or con games) and follow up with a healthy dose of hacking and custom malware that keeps the intruder quietly inside the network.  RSA’s attack is a bit more troublesome than most APTs given the possible repercussions to customers, as per a recent alert:

We have determined that a recent attack on RSA’s systems has resulted in certain information being extracted from RSA’s systems that relates to RSA’s SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. RSA urges immediate action.

The reason that this breach is significant has to do with the fact that RSA customers all over the world use RSA SecurID to protect outside access to sensitive data.  In order to access a computer protected by SecurID, users enter a traditional password or PIN as well as the number displayed on their RSA SecurID hardware token. The numeric value displayed on the token changes every 60 seconds to provide added protection; the token and the authentication server can agree on that number only because both hold the same per-token secret seed, which is why information about those seeds could “reduce the effectiveness” of the second factor.
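The mechanism described above, as an added example that is not part of the original post and not RSA’s own code: a generic HMAC-based time-step code in the style of RFC 4226/6238 standing in for RSA’s proprietary SecurID algorithm, with a 60-second step, a sample seed, a PIN of “4711”, and the user name “alice” all assumed for illustration.  It shows that an attacker holding a copy of the seed can compute the same code the token displays, leaving only the password/PIN between him and the VPN, and that re-issuing tokens (a fresh seed) invalidates that copy.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 60   # assumed token period; SecurID codes change every 60 s
DIGITS = 6          # assumed code length


def token_code(seed: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """HOTP/TOTP-style code: HMAC-SHA1 over the time counter, then RFC 4226 dynamic truncation."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class TokenServer:
    """Minimal authentication server: one seed and one PIN per user, +/- one step of clock drift."""

    def __init__(self) -> None:
        self.seeds: dict[str, bytes] = {}
        self.pins: dict[str, str] = {}

    def enroll(self, user: str, seed: bytes, pin: str) -> None:
        # Re-enrolling a user replaces the seed, i.e. issuing a replacement token.
        self.seeds[user] = seed
        self.pins[user] = pin

    def verify(self, user: str, pin: str, code: str, unix_time: int, window: int = 1) -> bool:
        if user not in self.seeds:
            return False
        if not hmac.compare_digest(self.pins[user], pin):      # first factor: something you know
            return False
        seed = self.seeds[user]
        for k in range(-window, window + 1):                   # second factor: something you have
            if hmac.compare_digest(token_code(seed, unix_time + k * STEP_SECONDS), code):
                return True
        return False


def demo(now: int = 1_300_000_000) -> dict[str, bool]:
    """Walk through the breach scenario at a fixed time so the outcome is reproducible."""
    server = TokenServer()
    seed = b"12345678901234567890"            # constructed seed (the RFC 4226/6238 test-vector key)
    server.enroll("alice", seed, "4711")
    results = {}
    # Legitimate user: PIN plus the number currently shown on her token.
    results["legit"] = server.verify("alice", "4711", token_code(seed, now), now)
    # Attacker who stole the seed database but not the PIN: the second factor is gone,
    # but the first still holds.
    results["seed_only"] = server.verify("alice", "0000", token_code(seed, now), now)
    # Attacker with the stolen seed and a phished or guessed PIN: indistinguishable from alice.
    results["seed_plus_pin"] = server.verify("alice", "4711", token_code(seed, now), now)
    # Replacement token issued: codes computed from the stolen seed no longer verify.
    server.enroll("alice", b"replacement-seed-after-breach", "4711")
    results["old_seed_after_reissue"] = server.verify("alice", "4711", token_code(seed, now), now)
    return results


if __name__ == "__main__":
    print(token_code(b"12345678901234567890", int(time.time())))
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The check is deliberately symmetric: the server can only verify a code by recomputing it from the same seed the token holds, so anyone with a copy of the seed database can do the same computation, and the only remaining defence until the tokens are replaced is the secrecy of the PIN or password (hence the “be really diligent regarding password usage” advice below).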

Although the security community gave RSA high marks for its quick disclosure, there are obvious concerns, not the least of which is the mere fact that a firm such as RSA was able to be compromised in the first place.  A leading security consultant voiced a complaint that the lack of information emanating from the firm makes it hard for customers to know what exactly to do other than be really diligent regarding password usage.

Although exactly how RSA was compromised will likely never make it to the kitchen table, there are many vectors that can be compromised during a successful APT campaign.  The key factor in a successful APT exploit is the level of trusted connection breached, whether that is an executive’s friend on Facebook or a next door neighbor’s email address.  Another important success factor is the willingness to be patient and wait for the right time to retrieve the sought-after information.  This is where there is a significant disconnect from the typical financial data hacker.  Such hackers may wait before using card data to commit a fraudulent purchase but will not likely wait to steal the compromised data.  That is why most APTs are blamed on governmental entities, who are notoriously patient when moving on a target.  Those committing APTs may come across very valuable data along the way but would never risk getting caught with such data until the final target is achieved.  In other words, the APT criminal may spend months lurking in a network before any information is even exfiltrated.  That is one of the reasons why detecting APT activity is so difficult.

For now, the way to address this very real corporate threat is not necessarily to change a firm’s security posture.  The threat stems more from employee policy lapses, i.e., use of social media at a workstation and use of infected thumb drives, than it does from brute force hacking.  Accordingly, employee training and testing that is tied to discipline and compensation is a step in the right direction.

Thinking like an intelligence agency can’t hurt.  If a senior executive does not need to know all aspects of a project, there is no need to provide her with constant email reports.   In other words, the old adage “on a need to know basis” becomes more and more important as APTs become more and more familiar to corporations.

Finally, the basic tenets of risk management should play a role in the defense of APTs — if there is even such as a thing as a viable defense.  Knowing the relative value of your assets and the costs to mitigate a loss in advance of a loss are the bread and butter of risk managers.  Applying such insight in the proper measure will remove from the equation some ego-driven security initiatives to be replaced by focused efforts aimed at the most sensitive data of an organization.  Risk managers are routinely given the task of protecting the personal assets of the chairman of the board — by, among other things, a D&O insurance placement — as well as coordinating large scale enterprise risk management initiatives.  Providing some guidance on this front should not be that much of a stretch.

New Amazon Class Action Based on Privacy Setting Circumvention

In a class action suit filed against Amazon.com, Inc.  on March 2, 2011, plaintiffs argue that “Amazon circumvents the privacy filters of IE users by spoofing [Internet Explorer] into categorizing Amazon.com as more privacy protective than it actually is” and seek relief “under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030; the [Washington State] Consumer Protection Act, RCW § 19.86.010 et seq.; and common law [unjust enrichment, trespass to chattels, and fraud].”  Although this suit appears to be similar to the flash cookie suits filed against marketing firms such as Quantcast and their respective clients, the case has different implications.

By way of background, according to the Quantcast complaint filed last July, Quantcast used flash cookies to “respawn” previously deleted HTTP cookies in order to continue tracking web users.  The Quantcast suit was settled this past December using a cy pres fund akin to what was done by Google a few months prior.  It is worth pointing out that none of the settlement proceeds in a cy pres fund actually go directly to any victims.  Applying a class settlement strategy only previously deployed after plaintiffs were compensated, plaintiffs’ counsel now use cy pres funds — which usually go to non-profit organizations — even if plaintiffs receive zero actual compensation.  This stands apart as a troublesome trend in privacy class action settlements given it allows plaintiffs’ counsel to file and resolve class actions even when actual damages are not readily apparent.

At some point, the Amazon.com suit may also end up resolving itself via the cy pres route given the potential lack of actual damages.  Plaintiffs in the Amazon.com case are claiming that Amazon.com found a way to trick browsers into believing the site was more privacy conscious than it was.    Given that Internet Explorer automates for a user the process of reading a website’s privacy policy, such shenanigans can obviously lead a visitor to use a site he or she might not otherwise visit.   Not exactly a powder-keg of potential damages.  Plaintiffs up the ante by claiming that, in contravention of its privacy policy, Amazon.com was allegedly rewarded for its trickery by gaining access to a visitor’s personally identifiable information (PII) and providing it to third parties.  Specifically, the Complaint states:  “Amazon claims in its privacy notice that it does not share users’ information with third parties for advertising purposes and that, instead, it delivers third parties’ advertisements on their behalf.  In fact, Amazon shares users’ PII with third parties for those third parties’ independent use and does not disclose this fact to consumers.”  Complaint at paragraphs 64 – 65.  Despite several readings of the Complaint, it remains far from certain what quantum of damages was actually sustained by plaintiffs.

This suit should, nevertheless, be monitored given the new FTC online privacy framework set forth in December (“The FTC’s harm-based approach also has limitations. In general, it focuses on a narrow set of privacy-related harms – those that cause physical or economic injury or unwarranted intrusion into consumers’ daily lives.  But, for some consumers, the actual range of privacy related harms is much wider and includes reputational harm, as well as the fear of being monitored or simply having private information ‘out there.'”) as well as the bills currently being discussed that may very well use the FTC’s new perspective as a legislative springboard.  According to recent public statements from Representative Cliff Stearns, a senior member of the House Energy and Commerce Committee, he will soon propose online privacy legislation that will focus “on allowing Web users to know what personal information Internet companies are collecting about them and to control how it’s used.”
