The EU-US Data Protection and Privacy Agreement (DPPA, also called the "Umbrella Agreement") covers transfers of data between EU and US law enforcement agencies and focuses on "the exchange of information which is critical to prevent, investigate, detect and prosecute criminal offenses, including terrorism…" It is posted on the EU Commission website here:
Yesterday, tentative agreement was reached on the successor to the Safe Harbor, known as the 'Privacy Shield', with text to follow in 4-6 weeks. A summary from the EU Commission of the new framework is here: http://europa.eu/rapid/press-release_IP-16-216_en.htm Can we look to the DPPA to find language and terms that will emerge in the Privacy Shield?
The DPPA has several noteworthy elements.
*It will give EU citizens administrative and judicial redress in the US court system when they claim a violation of their privacy rights. This depends on passage of the Judicial Redress Act, now before the US Senate.
*DPPA Article 9 calls for "appropriate technical, security and organizational arrangements for the protection of personal information…against unlawful destruction, loss or unauthorized disclosure." We are seeing more requirements for appropriate technical security, which standard will that be, NIST?
*Next comes a notice provision. Upon discovery of a breach, notice shall be given to the "Competent Authority" and to the individual, unless that notice could impact national security, ongoing investigations or criminal proceedings. The GDPR has an EU breach notice provision, so expect some form of notice provision in the Privacy Shield.
*Logging of data processing will be acceptable provided the logs are "not retained for longer than necessary." Data revealing "national origin, political opinions or religious beliefs, trade union membership or sexual life" shall require added restrictions and may be handled 'case by case.' This language goes to profiling of terror suspects as a class. Using data science to find context is very common and useful. Will that be addressed under processing of data/metadata in commercial data centers?
*Individuals will be able to seek "rectification or correction" of personal information that is inaccurate or improperly processed. Is this language geared toward Google and Facebook and the EU notion of privacy as a Fundamental right? From what I have read, if they don’t, we can expect more challenges to this agreement before it gets off the ground. See article here: http://europe-v-facebook.org/PS_update.pdf
*The EU backlash that undermined the Safe Harbor was driven by the disclosure of the PRISM program and the bulk analysis of phone records and personal data. This agreement says that the Parties will ensure that personal information is processed (which includes collection) in a way that is "directly relevant to and not excessive or overbroad in relation to the purposes of such processing." The US will also establish an Ombudsman position for fair oversight with the power to "accept and act upon complaints made."
*Transparency is called for when a Competent Authority processes information of an individual. Notice shall be given on "the purpose of processing the information…sharing with other authorities…third parties to whom data is disclosed.." How does this work with the USA Freedom Act and FISA warrants?
Under "Territorial Application", the EU Commission will notify the US if UK, Denmark or Ireland, "has decided that this agreement applies to its state." Isn't it ironic that Max Schrems brought his case against Facebook before the Irish Data Protection Commissioner, for transferring data from Irish data centers to US data centers?
And at the end of all this, Ireland could reject the agreement or the US could fail to pass the Judicial Redress Act, either of which would undermine the DPPA and probably the Privacy Shield. This is far from settled and more details are needed. How will the Privacy Shield address bulk commercial collection, mining and targeted advertising of US citizens at home and within the EU? This agreement gives us some indication of what the EU will want for commercial transfers, but there are many approvals required at home and in the EU, with stakeholders lobbying for their best result.
Cyberlaw, technology, insurance, social media, breaches and global regulation were under the microscope this past week at the ABA Cyberlaw Winter Meeting. Law geeks convened at the Nova Southeastern University Shepard Broad College of Law in Fort Lauderdale and over the course of three days, thoughtful discussion revealed a patchwork of dependent issues. Some of the topics are covered in this blog post, as they are timely. The ABA presentations were well researched and current, if you are a member, you can access them here:
Prof. Jon Garon, Dean of the hosting law school, delivered a colorful and revealing look at cyberlaw in 2015, including heinous events and sticky court rulings. His paper, “2015 Cyberlaw Year in Review – Seeking Security Over Privacy, Finding Neither” is available at: http://ssrn.com/abstract=2707756. His key takeaway was that global terrorism combined with state-sponsored cyber attacks put the focus on security in 2015, not on enhancing privacy for individuals. What struck me was how much we are still living with events from 2015 or earlier and how they shape the current landscape. Dean Garon points to Snowden as the tipping point for the Safe Harbor rebuke by the EU Court of Justice as well as an impetus for hacktivists. He cites the attack on the spyware vendor Hacking Team (whitehat?), which released 400 GB of data and showed the company's ties to authoritarian regimes. Hacktivism not only exposed those claiming the moral high ground; Anonymous “released 9,200 ISIS Twitter accounts” being used in the ground war, which enabled Twitter to shut them down (hacktivism for good?).
Dean Garon also links the Snowden impact to the Patriot Act's successor, the USA Freedom Act, and notes the relatively modest changes that have resulted after global outrage at the bulk telephone call collection by the NSA. The new Act prevents bulk collection unless the government has a “specific selection term, that specifically identifies a person, account, address or device in a way that limits to the greatest extent reasonably practicable, the scope of tangible things sought consistent with the purpose for seeking the tangible things.” That’s good, or better.
But the NSA “will continue to make use of data collected by the phone companies [including] NSA collection of foreign internet content from US tech companies, which sweeps up lots of data.” Epic.org reports that the FBI issued over 14,000 National Security Letters (NSLs) in 2013, seeking call records, email records, billing, credit and other data, all subject to a gag order. Security v. privacy: the balance shifts based on real-world events.
The EU Court of Justice ruling in Schrems v. Data Protection Commissioner exposes the rift in relations created by the Snowden disclosures. The rebuke of the Safe Harbor rule for its lack of oversight to ensure the privacy of EU citizen data leaves corporations to adopt Binding Corporate Rules or Model Contract Clauses, which are reviewed by an EU data protection authority for approval. Dean Garon questions whether Notice and Choice, which underpin the Safe Harbor, were illusory to begin with, “given the lack of transparency and the difficulty of opt-out schemes.” A balkanization of the internet is shaping up as nations require that data centers holding the PII of their citizens be located in their country.
Pointing to the violent attacks on French soil and the outward use of social media by ISIS to further their interests, Dean Garon suggests law enforcement monitoring and terrorist use of social media are here to stay, with “a reported 95% of police agencies” using the approach. We want to protect privacy but we shudder when we hear that the attackers are using our software tools and applications to wage war.
The passage of the General Data Protection Regulation in the EU maintains key elements of privacy and security: consent, transparency and data minimization. The EU will require notice of breaches across all member countries, something the US has yet to do at the federal level (breach notification in the US remains a patchwork of state laws). All of this regulation is designed to prevent a breach or minimize the damage when one occurs. We have seen the long tail of a breach, and some notable incidents cited by Dean Garon show the breadth and ripple effect to unsuspecting recipients.
The Sony breach involved nation-state actors, IP theft, company-sensitive data, attempts at ‘hackback’ and NSA knowledge of the attack prior to its disclosure. We now have greater sharing of threat intel under the newly passed Cybersecurity Information Sharing Act (CISA), but would that have helped Sony? Threat intel sharing requires companies to operationalize that knowledge in security operations, in an effective and timely manner. CISA provides liability protection for companies that share, which may increase sharing, but will that prevent breaches? Nation-state theft of IP, sensitive data and trade secrets strips the US government and companies of their competitive edge. Stolen secrets could cost billions as competitors bring their product to market and, as with Sony, create losses on existing investments.
The Office of Personnel Management (OPM) breach had millions of records lost combined with highly sensitive data on US operatives. The circle of data extends wide when a top secret clearance or higher is sought by an applicant, dragging friends and family sensitive records into the breach. Dean Garon noted that journalists with access to government officials were swept up in the hack. Further, he cites reports that discuss the ability of foreign governments to “cross reference employees in a government facility….anyone not in the OPM database could be presumed to be hired by the CIA.” The OPM breach created long term risk to many Americans for identity theft, financial crime and to our national security.
The Ashley Madison hack affected 37 million members of a tawdry online business. So many victims here beyond the members. Weakly hashed passwords were downloaded and brute forced. Open source solutions like Pythia: https://testpypi.python.org/pypi/pythia/1.0 offer client- and server-side password hardening to blunt such an attack. Even worse than the attack on the business is the unfortunate fallout on member families. Cyber crime is the king of cottage-industry formation, and within hours the blackmail of member families began.
Hackers downloaded the database and then began sophisticated, US Mail-based blackmail campaigns citing family, friends, and work addresses and emails. They attacked with impunity, and suicides were reported after demands of upward of $4,000 were received to keep quiet. Remote, online blackmail leaves its victim with no assurances, especially here, where many blackmailers could re-use the same data. This breach brought out the worst in everyone.
One last breach covered by Dean Garon was VTech Holdings' loss of records on roughly five million adults and six million children (according to the Hong Kong-based company). Names, chat logs, emails, passwords, mailing addresses, download histories and 2.3 million headshots were stolen through a SQL injection attack that let the attacker dump the database. TechCrunch reported that there was no encryption and no SSL anywhere, which is hard to believe. The VTech Kid Connect service falls under COPPA and could result in the highest fines ever, up to $16,000 per child under age 13 whose private information was compromised.
Connected VTech devices show us how vastly the attack surface is expanded by the Internet of Things (IoT). Our children’s credit histories are clean and sought after by criminals trading such data. Children's devices tied to online services (think of the earlier Sony PlayStation Network breach) can affect tens of millions in an instant. Dean Garon added another twist: what if Hello Barbie gets hacked? Mattel and ToyTalk have taken Barbie into the 21st century, reports Forbes Magazine. Talking Barbies record child input through a necklace microphone, upload the data to online servers, use AI to parse and process it, and then provide a contextual response to the child. It's creepy to think of companies storing a child’s musings; a hacker releasing those audio files would bring new meaning to the loss of innocence.
The internet speeds things along, making it hard to keep up with law, regulations and enforcement. It's obvious that keeping up with developing malware is a challenge; we only need to look at the ITRC daily breach blog to see all of the affected companies that didn’t make the headlines. Perhaps they managed their breach better, or there is only so much room to lament the losses, but chances are one of your relationships close to home just had a breach.
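To make the "dump the database" part concrete, here is an added example (not VTech's code, and the parent/child schema, rows and column names are constructed for illustration) showing how a lookup built by string concatenation lets a single crafted input return other tables, while the same lookup with a bound parameter treats the input as data. It uses Python's standard-library sqlite3 so it runs offline.

```python
import sqlite3

# Constructed schema loosely modelled on a parent account plus child profile;
# not the real application's tables.
SCHEMA = """
CREATE TABLE parents(id INTEGER PRIMARY KEY, email TEXT, password TEXT);
CREATE TABLE children(id INTEGER PRIMARY KEY, parent_id INTEGER, name TEXT, headshot_path TEXT);
INSERT INTO parents VALUES (1, 'ann@example.com', 'hunter2'), (2, 'ben@example.com', 'letmein');
INSERT INTO children VALUES (1, 1, 'Kai', '/img/1.jpg'), (2, 2, 'Mia', '/img/2.jpg');
"""


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_parent_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Attacker-controlled text is spliced into the SQL: injectable."""
    sql = "SELECT id, email, password FROM parents WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parent_safe(conn: sqlite3.Connection, email: str) -> list:
    """Same query with a bound parameter: the input can only ever be a value."""
    sql = "SELECT id, email, password FROM parents WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Three payloads an attacker would try, in escalating order:
# 1. bypass the WHERE clause and return every parent row
BYPASS = "' OR '1'='1"
# 2. enumerate the schema so the next payload can be aimed at other tables
ENUMERATE = "' UNION SELECT 1, name, sql FROM sqlite_master --"
# 3. pull child names and photo paths out through the parent lookup
DUMP_CHILDREN = "' UNION SELECT id, name, headshot_path FROM children --"


def run_payloads(lookup, conn: sqlite3.Connection) -> dict:
    """Apply each payload to a lookup function; rows sorted for stable comparison."""
    return {
        "bypass": sorted(lookup(conn, BYPASS)),
        "tables": sorted(r[1] for r in lookup(conn, ENUMERATE)),
        "children": sorted(lookup(conn, DUMP_CHILDREN)),
    }


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable:", run_payloads(lookup_parent_vulnerable, db))
    print("safe:      ", run_payloads(lookup_parent_safe, db))
```

Against the vulnerable lookup the three payloads return all parent credentials, the names and CREATE statements of every table, and the children's rows; against the parameterized lookup every one of them returns nothing, because no parent has an email address equal to the payload string. Parameterization is the fix; the TechCrunch point about missing encryption is a separate failure that only governs what the attacker can read once the dump is in hand.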
We will continue to ask what seem like obvious questions. Whose data is it? Are you a data contributor or a data steward? Does your company benefit from a stagnant data regulation process or from new, stringent rules for presence in a certain country? US-based companies holding data from a foreign country must navigate all of these issues at once and pay steep penalties if they falter along the way.
Thanks to the folks at the ABA Cyberlaw Committee, we are one step closer to the action and perhaps, some answers.