California Dreamin’ – A Blueprint for CCPA/CPRA Compliance

California coastal photo

  New U.S. Privacy Laws Follow GDPR Trend With the approval of the CPRA citizen’s initiative (Consumer Privacy Reform Act amending the CCPA – Proposition 24) and the introduction of new privacy legislation in New York and elsewhere all moving toward a U.S. equivalent of GDPR, it is time to face the fact that U.S. privacy compliance obligations are here to stay. When GDPR enforcement began in 2018, many U.S. businesses that were not operating in the EU considered it something that was happening “over there.” Enforcement of the California CCPA (California Consumer Privacy Act) began in January 2020. Now, the hope of avoiding strict privacy compliance obligations “over here” is now only a dream. The CPRA amended and strengthened the CCPA, moving it closer to the protections afforded to EU citizens, and post-Brexit, to UK citizens. (Proposition 24 approved November 2020; Effective 1/1/23.) it is time to face the fact that U.S. privacy compliance obligations are here to stay There are privacy bills pending before the New York Assembly that like CCPA/CPRA adopt many of the key privacy principles staked out by the GDPR: Consent, Privacy by Design, Data Minimization, Lawful Purpose, and Information Security. In addition, both the California …

Read more

RISKY BUSINESS: Technologies Requiring a Data Protection Impact Assessment (DPIA) under the GDPR

Roulette Wheel seen from space

Under the European Union GDPR privacy compliance obligations, Data Protection Impact Assessments (DPIA) are mandatory for data processing “likely to result in a high risk to the rights and freedoms of data subjects.” Failure to conduct such a risk assessment is a breach of the GDPR that is subject to significant fines. Whether an organization is required to comply with the GDPR is beyond the scope of this article but if your organization processes any of the following types of “risky” Personal Data of EU or UK citizens listed in the table below, now is the time to find out. Personal Data is broadly defined as any information relating to an identified or identifiable natural person, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. How can an organization determine whether to incur the expense of conducting a DPIA? According to Article 35(3) of the GDPR, there are three types of processing that always require a DPIA: 1) systematic profiling with significant effects; 2) large scale use of …

Read more

Solar Winds Supply Chain Hack Wins Password Contest

In this picture, the Sun's surface is quite dark. A frame from a movie recorded on November 9th by the orbiting TRACE telescope, it shows coronal loops lofted over a solar active region. Glowing brightly in extreme ultraviolet light, the hot plasma entrained above the Sun along arching magnetic fields is cooling and raining back down on the solar surface.

Privacy and cybersecurity compliance issues are inextricably linked. In one sense, they are peas in a pod. A security breach can leak all sorts of information assets, from useless server logs to trade secrets to sensitive personally identifiable information, or PII. At the heart of many privacy compliance obligations is the recognition of a duty to make “reasonable” efforts to protect PII through technical and organizational means. Such balancing tests are necessarily a key aspect of enterprise risk management. The massive SolarWinds supply chain hack is a case in point. On January 12, 2021, security research company CrowdStrike reported discovery of a 3rd strain of malware named SUNSPOT that was deployed in September 2019 – that is 15 months before the first discovery of the hack by cybersecurity company FireEye on December 8, 2020. There are important questions to be answered about the scope and intent of the hack. Was it a massive penetration testing dry run? Can infected IT infrastructure be fully cleaned without burning it to the ground and rebuilding? Was it espionage on steroids or an act of war? How many more shoes will drop? News reports of the SolarWinds hack often speculate whether important PII was …

Read more

The GDPR is Coming

  Does GDPR Apply in the US? Yes. GDPR (European Union General Data Protection Regulation) is a comprehensive new law protecting the data privacy of EU citizens. GDPR takes effect on May 25, 2018.  It consists of 99 articles and will have sweeping impact on U.S. enterprises. It requires that all personal data be handled according to the GDPR Data Protection Principles. These includes the famous “right to be forgotten,” as well as transparency, data portability, breach notification, information security, etc. If you have a public facing website that collects user data and operates in EU countries, it is not too late to get advice. Watch this space as we roll out solutions for enterprises that are not ready.

The Top 10 Things to Know About GDPR

Graphic showing GDPR and padlock

10.    What is it?

GDPR (European Union General Data Protection Regulation) is a comprehensive new law protecting the data privacy of EU citizens. Enforcement begins on May 25, 2018. It consists of 99 articles and will have sweeping impact on U.S. enterprises. It requires that all personal data be handled according to the GDPR Data Protection Principles. These includes the famous right to be forgotten, as well as transparency, data portability, and information security. It incorporates the concept of “privacy by design.”

9.    Who does it protect?

The GDPR protects “personal data” of EU citizens. So, if you are only doing business outside the European Union then you don’t have to consider it at all, right? Think again. What about any business with a website?  What about an app or game?

The upshot of a new privacy and data security regulation of this scope and breadth is that non-EU companies must either comply or forego the market. Outside of the EU this regulation will impact call centers, sales management, advertising and promotion campaigns, marketing and customer relationship management, data processing including cloud computing, SaaS, IaaS, R&D, information security management, and information governance (IG).

8.    What data does it protect?

The GDPR defines personal data as “any information relating to a data subject.” (Article 4(1)). A data subject is not only a person who is actually identified by the data but is also a person who is identifiable. A person is identifiable if he or she “can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, economic, cultural or social identity” of that person. (Article 4(1)).

Personal Data is broadly protected including details about a person’s family, lifestyle, medical condition, genetics, education, training, employment, finances, contracts, IP addresses, cookie identifiers, RFID tags, website use, search history, and any other data that would be commonly understood as being personal.

Without special protections, GDPR prohibits the processing of personal data that reveals: race, ethnicity, politics, religion, philosophy, trade union membership, genetic data, biometric ID data, health data, sex life, and sexual orientation. Processing of this data is governed by strict limiting provisions in Article 9(2).

7.    When does Personal Data require protection?

According to a Working Group (W29) analyzing the impact of the GDPR, personal data that must be protected must implicate at least one of three elements:

  • Content: Information that is about a particular person regardless of the purpose of the data or the potential impact of the data on that person is covered.
  • Purpose: When data is or can be used in a way that can impact or influence the behavior of an individual, it is covered.
  • Result: When the use of data is likely to have an impact on a person’s rights and interests. For example, a gig-economy phone app tracks a person’s location ostensibly to provide better service and allow the app’s developers to improve the software. The app hypothetically contains evidence of: speeding, visiting marijuana dispensaries, and engaging in political demonstrations, perhaps resulting in termination of employment. Under the result element, it is covered.

6.    Data Controllers vs. Processors

Under the GDPR, controllers of data have more obligations than processors of data. However, processing of data is very broadly defined as carrying out any operation or set of operations on the data, including:

Collection Recording Organization
Structuring Storage Adaptation or Alteration
Retrieval Consultation Use
Restriction (marking as subset) Erasure Destruction
Disclosure by transmission Dissemination Alignment or combination

Obviously, almost any conceivable processing or storage of data is covered. Controllers have the auditable obligation to ensure that all their processors and sub-processors follow the GDPR Principles.

5.    What are the GDPR Data Protection Principles?

Both data controllers and data processors must comply with the GDPR Article 5 principles when processing personal data. Article 5 includes the following data protection principles:

  • Lawfulness, fairness and transparency. (Article 5(1)(a)). Transparency reflects the notion that EU citizens have rights to knowledge of their personal data and a meaningful understanding of its impact upon them. The requirements for lawful processing are in Article 6.
  • Purpose limitation. (Article 5(1)(b)). Personal data can be collected for specified, explicit, and legitimate purposes only. It cannot be processed in any way that is inconsistent with those purposes or enlarges those purposes. Think about the EU equivalent of Cambridge Analytica’s harvesting of Facebook user data or just banner website ads.
  • Data minimization. (Article 5(1)(c)). Similar in concept to Massachusetts’ and other jurisdictions’ mandate that the amount of data collected be kept to a necessary minimum, the GDPR requires that personal data be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. It is not appropriate for data controllers to collect information just in case a future need might arise. (Think server logs.)
  • Accuracy. (Article 5(1)(d). Not only must personal data which is collected and processed be accurate but it must be kept up to date. If inaccurate for its purposes, it must be rectified or erased without delay.
  • Storage limitation. (Article 5(1)(e)). Personal data must not be kept in a form in which data subjects can be identified from the data for longer than is necessary to accomplish the purpose. Longer periods are allowed for archiving purposes in the public interest or for purposes of scientific, historical or statistical research. These longer-term purposes are subject to data security safeguards, including anonymization.
  • Integrity and confidentiality. (Article 5(1)(f)). Technical and organizational security safeguards are required to ensure protection against unauthorized/unlawful processing and against accidental loss, destruction, and damage.
  • Accountability. (Article 5(2)) The data controller is responsible for and must document compliance with the data protection principles. This principle is critical because it requires data controllers to enforce and audit the effective application of the other principles with all data processors. Non-EU companies must analyze whether they “touch” a sufficient quantity of EU personal data records such that the GDPR is triggered. This could occur in a wide variety of examples such as payroll service, call center, medical records service, server hosting company, or app developer.

4.    What is lawful processing?

A data controller must be able to justify that the processing of personal data is lawful. Article 6 sets up a regime of legal grounds focused on the basic concept of freely given, informed, opt-in consent. The consent must be for specific purposes, necessary for the contract with the data subject. Article 4(11) defines consent as a “freely given, specific, informed and unambiguous” indication of the data subject’s wishes by a statement or by a clear affirmative action. A statement can be in writing, by electronic means, or oral. Examples of affirmative action include: checking a website dialog box; choosing settings for an online service; and any other clear affirmative act of acceptance. (Recital 32, GDPR).

Unlike many current opt-out practices, under the GDPR consent is not implied by silence, pre-selected dialog boxes or the burying of the consent inside the legalese of a Terms of Service statement. Also unlike current practices, the GDPR requires that data subjects have the right to withdraw consent at any time – consent must be as easy to withdraw as to give.

3.    What are data subjects’ rights?

The GDPR gives data subjects the right to obtain from a data controller access to his or her personal data. Also, the data controller must disclose:

  • The specific purposes of the processing of the data
  • The categories of personal data involved
  • The recipients or type of recipient of the personal data, especially recipients in third countries or international organizations
  • Period of anticipated storage of data
  • A statement of the right to request correction of, restriction on the processing of, or the erasure of the data – this is the “right to be forgotten” in Article 17
  • The statement of the right to file complaints about the processing with the appropriate authorities
  • Source information on the personal data that was not collected from the data subject
  • Information about automated decision making, including profiling, together with meaningful information about the logic involved and the possible consequences to the data subject of such profiling
  • If the data controller or processor transfers personal data to a third country or international organization, they must inform the person of the safeguards put in place – this impacts the right to data portability in Article 20
  • The controller must provide a copy of the personal data undergoing processing free of charge – generally in format that is readable without specialized software tools

Breach Notification. Another key provision of the GDPR is a mandate that information breaches be reported to authorities and to data subjects within 72 hours. This is a major change in the way security breaches have been handled.

2.    What are some other obligations of controllers and processors?

Unlike the prior European Data Protection Directive, the GDPR places significant new burdens on the data processor, as well as requiring effective audit trails by the controller to promote the key principle of accountability.

The controller must have legally binding contracts with data processors imposing the following obligations:

  • Limit processing only to the documented instructions
  • Because of concern with third country and international organization transfer, the instructions should clearly define any authorized cloud computing use
  • Comply with information security obligations imposed on controller in Article 32 of the GDPR
  • Require that all data processor staff with access to the personal data have a written confidentiality agreement or statutory obligation
  • Not to assign or subcontract to another sub-processer without the prior written consent of the controller
  • Assist the controller in carrying out its obligations to the data subjects such as access and the right to be forgotten
  • Assist the controller with its data security obligations in Articles 32 and 36 of the GDPR

Significant numbers of processors based in the U.S. who handle the personal data of EU citizens have been impacted by this contractual flow-down provision.

1.    What are the penalties?

The law has teeth. It authorizes administrative fines on controllers and processers (Article 83) reaching up to 20 million Euros (roughly $24M) or 4% of annual revenue (whichever is higher). It also authorizes a private right of action, which will be fleshed out on a country by country basis as time passes.

Boards and C-Level Executives Are Sailing in Dangerous Waters

Great White Shark

In 2005 the ABA Business Law Section published a short book titled, Sailing in Dangerous Waters: A Director’s Guide to Data Governance.  It warned in stark terms: Those Directors who defer or delegate to specialized personnel their understanding and command of data governance will be at increasing risk of incurring personal liability for failing to fulfill their fiduciary duty of care to ensure that their companies comply with rapidly emerging legal requirements concerning deficiencies in data governance.[i] To say that information is an asset to business enterprises is to recognize the obvious.  Certain intellectual property such as trade secrets and customer lists are universally considered to be assets and deserving of protection.  But, as enterprises have shifted to digital systems where work-flows, communications, collaboration systems, data analytics and other metrics now condition and drive business decisions, the value and integrity of these systems has become ever more fraught with risk.  Consider that the Ashley Madison hacking uncovered email correspondence between executives and legal counsel.  While Coca Cola might have been able to lock away a few copies of its secret formula in a steel safe a generation ago, today’s information assets, by their nature, must be widely distributed and available …

Read more

Cover Your Assets

C-Level Guide to Covering Your Information Assets The management and protection of information assets increasingly represent both the greatest potential value and the greatest risk to the enterprise.  Big Data and analytics are now being leveraged by companies well beyond Amazon, Facebook, Uber and Google.  Beginning with the Enron scandal and the advent of penalties (civil and criminal) for the improper destruction of electronically stored information (ESI), the existential risk from the disclosure of corporate mistakes or malfeasance through investigation, litigation discovery, or hacking has increased on pace with the explosion of digital data.  The reputational damage to Target, Sony, Home Depot and even the U.S. Office of Personnel Management is substantial. Many organizations now report a literal doubling of stored data each year.  The oft-heard antidote that the hardware cost of data storage has decreased over time obscures the reality that the combined hard and soft costs of this explosion are enormous.  The exponential growth of new data combined with an ocean of unstructured legacy data can only increase management costs and litigation response costs / risks. Too much data affects the bottom line in many ways.  Multiple surveys report that employees spend excessive time searching for and managing …

Read more

Cloudy Laws II – Only 65 Challenges to eDiscovery Forensics in the Cloud

clous over hawaii

Among the many types of challenges presented by the adoption of cloud computing are those involving computer forensics. Computer forensics can be thought of as the set of tools and techniques that make eDiscovery possible and reliable. It is defined in Wikipedia as, “a branch of digital forensic science pertaining to legal evidence found in computers and digital storage media.” The National Institute of Standards and Technology (NIST) Information Technology Laboratory (ITL) defines cloud computing forensic science more specifically as, the application of scientific principles, technological practices and derived and proven methods to reconstruct past cloud computing events through identification, collection, preservation, examination, …

Read more

Cloudy Laws I – Cloud Computing Security and Legal Challenges

Supercell clouds over Nebraska

Cloud computing presents innumerable opportunities and brings with it enormous security and legal challenges.  While there is no single accepted definition of the “cloud,” the National Institute of Standards and Technology created a reference model in 2011.  NIST defined cloud computing by describing its five essential characteristics, three service models, and four deployment models. (NIST Special Publication 800-145): Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. Essential …

Read more

LocationGate – Where in the World Was Waldo?

Just look at his iPhone data Apparently I am not the only person troubled by the 2011 revelation that Google and Apple collect location data from smart phones.  Mike Elgan wrote a thoughtful piece for Computerworld. Who owns your location? – Computerworld The idea of tracking files existing on phones and on the computers used to synch data raises eDiscovery issues as well as obvious privacy and data security concerns.  Will employers be tempted to look at the data collected by company issued phones to see if their sales team or delivery drivers were on task?  Employers defending discrimination cases are …

Read more