Headlines that matter for privacy and data security

Federal US News

Regulatory Hurdles for AI

Federal discussions on AI involve both the executive branch and agencies: the Trump administration designated AI as a top research and development priority, and the FCC convened a forum on what AI means for the telecom industry. Telecom practitioners should be watching the following AI aspects:

  • Network management. Machine learning is becoming more powerful as mobile networks become more robust and demands for mobile spectrum increase. To meet these demands, experts foresee AI-trained networks that can automatically spot and troubleshoot inefficiencies or deftly direct spectrum users to unused portions of the airwaves.
  • Customer communications. AI has been identified as a way to help companies communicate with their customers more efficiently, as long as clear privacy and consent regimes are in place.

Self-driving cars. Automated vehicles require a plethora of connections to function properly, from access to spectrum to communication with sensors embedded in infrastructure, in addition to a computer's ability to quickly process information and make safe decisions about a vehicle's environment.

State US News

Illinois Rules Against Six Flags in Biometric Data Case

In Rosenbach v. Six Flags, the Illinois Supreme Court addressed the threshold issue of who is considered an “aggrieved” person who can sue under Illinois’ Biometric Information Privacy Act. A previous state appellate court ruling adopted a narrow view of this term, but the high court unanimously found plaintiffs could bring claims for alleged violations of BIPA’s notice and consent requirements without alleging separate, real-world harm. BIPA has already prompted an influx of litigation, and this ruling is expected to lead to even more, though with this threshold issue out of the way, there are a number of outstanding legal issues that remain to be litigated under the statute.

Massachusetts Amends Data Breach Law

The amendments, which take effect on April 11, 2019, include the following:

  • The notice to the AG and Office of Consumer Affairs and Business Regulation needs to include additional information: types of personal information compromised, person responsible for the breach (if known) and whether the entity maintains a written information security program.
  • If individuals’ Social Security numbers are disclosed, or reasonably believed to have been disclosed, the company must offer credit monitoring services at no cost for at least 18 months (42 months, if the company is a consumer reporting agency). Companies also must certify to the AG and the Office of Consumer Affairs and Business Regulation that their credit monitoring services are compliant with state law.
  • Prohibition on delaying notice to affected individuals on the basis that it has not determined the number of individuals affected. Rather, the entity must send out additional notices on a rolling basis, as necessary.
  • If the company is owned by a separate entity, the individual notice letter must specify “the name of the parent or affiliated corporation.”

Prohibition on asking individuals to waive their right to a private action as a condition for receiving credit monitoring services.

AG Holds Public Forums on CCPA

The California AG’s office has begun the rulemaking process for the California Consumer Privacy Act by holding public forums to give interested parties the opportunity to provide comments.

Most comments focused on the following aspects:

  • Clarification of the definition of “sale” of personal information; application of the CCPA to employee and HR data particularly when collected and used for employment and HR purposes;
  • Clarification of the monetary and numerical thresholds at which the CCPA applies, including when compliance requirements begin after meeting the threshold and whether the thresholds pertain only to California activities or take into account activities outside of California;
  • And clarification and interpretation of sections allowing companies to charge a consumer a different price or rate, or provide a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the consumer by the consumer’s data.

The AG has not published any proposed rules yet, but it must adopt these rules before July 1, 2020.

Washington State Considers European-Style Privacy Laws

Legislators are introducing a series of bills that would bring European-style privacy to the state, allowing people to correct or delete personal information held by companies, restricting the use of facial recognition and forcing data brokers to register with the state. The misuse of data, by one metric at least, is daunting: In a recent 12-month period, breaches in personal data affected nearly 3.4 million Washingtonians, according to a report by the state Attorney General’s Office. That’s more than half the state population. Only one state — California — has passed a data-privacy law similar to the European standard, although New Jersey, New Mexico and New York are considering proposals.

EU News

Dutch DPA Investigates Data Agreements

The Dutch Data Protection Authority requested 30 private organizations to provide information about their data processing agreements. The targeted organizations are mainly in energy, media and trade sectors. Under the GDPR, these agreements must specify, in particular, the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, the obligations and rights of the data controller, and how personal data should be protected by the data processor.

The Problem of Fake DSARs

Data subjects have a right to request a copy of the information organizations have on them and organizations must respond to that request within one month. However, as privacy professionals have seen a suspicious trend regarding DSARs with nefarious motives, there’s an added complication of not only verifying that a data subject is who they claim to be, but verifying that the request is even a legitimate request. For example, Stanford University has been getting a number of DSAR requests from a site called deseat.me. This site sends canned messages asking for a specific email to be removed from a system, without any additional information. The team then had to determine not only which list the data subjects were on but also whether they had in fact meant to unsubscribe. They asked for more information to help determine, within the massive system that is Stanford, “Who are you? Are you an alum, student, patient, someone that randomly signed up to be notified for events?” After 30 days, if there was no response, it was considered a failed request. For now, companies are still parsing out legitimate requests from illegitimate. Relatedly, the Danish DPA issued guidance on app generated DSARs, stating that if a business receives a request through an app, the business is not required to respond via the app and can respond via digital mail or similar.

A Brexit Action Plan

We are still awaiting the final terms of the UK’s withdrawal from the EU. The implications for international data flows and privacy compliance generally will be severe in the event of a no-deal Brexit. Therefore, it’s prudent to consider a comprehensive action plan, which would cover: EU to UK data transfers arrangements; UK to “rest of the world” data transfers arrangements; alternative or additional lead supervisory authority to the UK ICO; EU representative if subject to the GDPR on the basis of Art. 3(2); for EU-based controllers, dealings with UK processors; and other GDPR compliance and documentation requirements.

Spain’s New Data Protection Act Now in Force

The Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights, which implements the GDPR in Spain, entered into force on December 7, 2018. Spain takes advantage of a number of the derogations under the GDPR, including the following:

  • Consent will not be a valid condition where the primary purpose of the processing of sensitive data is to identify e.g., the individual’s ethnicity. Instead, it will be necessary to rely on another condition under Article 9(2) of the GDPR.
  • A list of entities that must appoint a data protection officer. These include, for example, insurers, investment service companies and providers of information society services. Organizations have ten days from the date of appointment of a data protection officer, to notify the Spanish data protection authority of the appointment.
  • Only children aged 14 or over are able to provide valid consent with regard to the receipt of online services.

New digital rights for individuals which go beyond those provided in the GDPR e.g., the right to privacy and use of digital devices in the workplace. This includes a right to “digital disconnection” that applies to both public and private sector workers. And while the precise details of how those rights of disconnection will be exercised is generally left to the internal policies of employers as well as collective bargaining processes, it is nonetheless a significant development for the digital economy.

Validity of Consent Coupled with Free Online Services

The Austrian Data Protection Authority and chair of the European Data Protection Board (Board) has provided a clear way forward for advertising-based business models. Following a complaint against an Austrian newspaper, the Austrian DPA decided that the prohibition on making the provision of a service conditional on consent (“coupling prohibition”; Article 7(4) GDPR) can effectively be circumvented by additionally offering a consent-free equivalent service for a reasonable remuneration.

The newspaper offered its website only to users who either (i) consented to the use of cookies for personalized advertising or (ii) paid a subscription fee of € 6 per month. The DPA considered that the consequence of not giving one’s consent was (i) having to pay 6 Euro per month to access the newspaper website without ads or (ii) having to use another online newspaper. Neither of these consequences was considered to be to the “significant detriment” to the data subject. Thus, the consent was ruled valid by DPA.

This is in line with the Board’s guideline on consent, but is in stark contrast to a UK ICO decision on the same business model. The ICO took the position that, for the user to have a genuine choice, a consent-free alternative would have to be offered free of charge. This illustrates how unpredictable GDPR enforcement outcomes still are.

EDPB Releases Report on Privacy Shield

The European Data Protection Board adopted a report regarding the second annual review of the EU-US Privacy Shield. The EDPB welcomed efforts by EU and US authorities to implement the Privacy Shield, including the recent appointment of a permanent Ombudsperson in the US, but noted that certain concerns remain.

In particular, the report highlights concerns about a lack of oversight in substance; a need for further regulatory oversight over onward transfer contracts for compliance with the Privacy Shield; and a need for further clarity on the application of the Privacy Shield to human resources data. It also recalls remaining issues from a 2016 Article 29 Working Party opinion including the absence of or limitation on certain data subject rights; the absence of key definitions; and the lack of specific rules regarding automated decision-making. The report is not binding on the EU or US authorities directly; instead it will serve to guide regulators considering the implementation of the Privacy Shield.

Asia News

Data Breaches in Hong Kong are on the Rise

Hong Kong’s Office of the Privacy Commissioner revealed it received 129 reports of data breaches in 2018 (up 22 percent from 2017 and 80 per cent from 2014), though it only formally investigated four breaches. Of these four investigations, one involved Cathay Pacific Airways, where 9.4 million passengers were kept in the dark for seven months after their personal information was hacked. Another major inquiry was launched against TransUnion, the consumer credit reporting agency, where a security flaw allowed access to the details of 5.4 million local consumers. Because of the increase in data breaches, the Privacy Commissioner wants a 50 per cent increase in manpower to help with future investigations, but said his office would remain an “enterprise-friendly” regulator until it got more teeth.

Other Global News

PCI Council Releases New Software Framework

The PCI Security Standards Council released a new software security standard designed to help it validate the security of payment ecosystems in the face of newer software architectures and modern development methods like DevOps and continuous delivery. As a part of the new standard, organizations have greater freedom of choice in the security testing methods they use to find vulnerabilities in software. Notably, in addition to static, dynamic, and manual testing, the new framework also adds interactive application security testing as a viable method. This continuous testing architecture is one that is designed to monitor security in the face of rapid development cycles seen in mature DevOps organizations. Additionally, whereas PA-DSS is meant to guide traditional payment software developers in securing the software development lifecycle , the new framework expands beyond this to address overall software security resilience. The new standard will ultimately replace the PCI Payment Application Data Security Standard.

Smartwatch Recalled Over Data Issues

The European Commission ordered the recall of the Enox Safe-Kid-One, a children’s smartwatch, because it leaves children open to being contacted and located by strangers. “A malicious user can send commands to any watch making it call another number of his choosing, can communicate with the child wearing the device or locate the child through GPS,” the Commission wrote in its alert notice. Enox founder Ole Anton Bieltvedt said the watch had passed tests carried out by German regulators last year allowing it to be sold, and the version the Commission tested was no longer on sale. Enox is appealing the ruling.

26 Algorithms Advance to Post-Quantum Semifinals

Mathematicians and computer scientists have selected 26 cryptographic algorithms as the strongest candidates submitted to the National Institute of Standards and Technology Post-Quantum Cryptography Standardization project, whose goal is to create a set of standards for protecting electronic information from attack by the computers we have now and the ones we will have in the future.

Currently, the security of some cryptographic algorithms—which protect everything from online banking transactions to private email messages—relies on the difficulty conventional computers have with factoring large numbers. While quantum computers are still in their infancy, their design—which draws upon very different scientific concepts than conventional computers—may eventually enable them to factor these large numbers relatively quickly, revealing our secrets. Thus post-quantum algorithms must be based on different mathematical tools that can resist both quantum and conventional attacks. These 26 algorithms are being considered for potential standardization.

Zero-Day Attacks are on the Rise

Part of forming a cohesive cybersecurity strategy means understanding the various threats comprising it. One threat in particular that is important to understand centers around zero-day attacks. Zero-day attacks occur when a third-party exploits vulnerabilities in software, ransomware for example, and zero-day vulnerabilities are the vulnerabilities discovered by perpetrators to create their exploit/attack. They routinely catch an enterprise off-guard, causing more damage than would normally be inflicted because a business has to react instead of preventing the attack. Without an appropriate response strategy, downtime is guaranteed. Anything handled by a network is vulnerable to attack, but there are several forms of security that can be employed, including: advanced monitoring; behavior-based detection; AI-based monitoring/detection; staff education and awareness; and reactive updating.

Experian Report Makes Data Breach Predictions for 2019

Experian released its sixth annual Data Breach Industry Forecast, outlining the following predictions for 2019:

  • Attackers will zero in on biometric hacking and expose vulnerabilities in touch ID sensors, facial recognition and passcodes.
  • The new frontier in skimming will be an enterprise-wide attack on a national network or a major financial institution.
  • A major wireless carrier will be attacked, effecting both iPhones and Android, possibly disabling all wireless communications in the US.
  • A top cloud vendor will suffer a breach.
  • The online gaming community will be an emerging hacker surface, with cyber criminals posing as gamers.

Hackers will begin to use more multi-vector attacks against our broader digital identities.

Bug in iOS Allows FaceTime Eavesdropping

A newly discovered bug, which appears to trick the recipient’s phone into thinking a group call is already ongoing, allows FaceTime callers to listen in before users accept the call. Apple has disabled the group calling feature while it works on a patch to fix the bug.

Smart Parasite Stops Smart Speakers from Listening

Two designers have a “smart parasite” called Project Alias that fits on top of Google Home or Alexa devices and prevents it from listening in on conversations. The device feeds nonsense sounds to the always-on ear of the Google Home and Amazon Alexa. It only stops projecting when it hears its own wake word. Once Project Alias hears its wake word, the parasite shuts off its sound and allows the underlying device to hear and respond like normal. Project Alias will start blocking the microphones again after 30 seconds, an action signaled by an LED within the shell. The customizable part of Project Alias, however, also poses security concerns of its own. Until thorough privacy regulations are implemented, there will always be a risk to using voice-activated devices with always-on functionality.

40th International Conference of Data Protection and Privacy Commissioners

The theme of this conference, held in October 2018, was Debating Ethics: Dignity and Respect in Data Driven Life. The objective was to drive home the need to ensure dignity and respect with respect to personal data in a technology- driven world. Some core messages:

  • Implementing digital ethics is going to be an incremental, developing process, but we will not give up under the weight of the mission
  • This is not just about new rules, rather a new way of thinking that ensures ethics are included in our behavior, design and practice
  • New rights need to be developed including the right to be offline and to disconnect
  • Greater self-determination should be supported by institutions, infrastructures and new business models
  • Companies need to be incentivized to adopt a culture of ethics
  • New methodologies are needed to build ethics into the fabric of organizations and technology
  • We need empowered employees who use their ethical agency

Turning the spotlight on ourselves, we should all ask the question: What if I am the object of data processing, what if my loved ones are?