Privacy Law Blog : Privacy Lawyer & Attorney : Proskauer Rose Law Firm : CAN-SPAM, FCRA, FACTA

The Ohio Court of Appeals, in State v. Wolf, No. 08-16, slip op. (Ohio Ct. App. 5d April 28, 2009), recently upheld application of Ohio’s computer crime law to an employee who used his work computer to engage in criminal conduct (solicitation of a dominatrix-prostitute). While this holding may seem uncontroversial, another aspect of the decision might open the door to imposing criminal liability on employees for violating employer computer use policies.

Wolf was a Shelby City Wastewater Treatment Plant employee. The plant superintendent discovered nude photographs on Wolf’s work computer while performing routine maintenance. The superintendent notified police, who discovered that Wolf used the city-owned computer to solicit a prostitute, visit pornographic websites and upload nude photographs of himself during work hours.  At trial, the jury found him guilty of soliciting prostitution, theft in office and unauthorized use of a On appeal, Wolf challenged the trial court decisions overruling his motion for acquittal on both the charge of theft in office and the charge of unauthorized access to a computer. The Court of Appeals agreed that the trial court should have acquitted on the theft in office charge, but ruled that Wolf’s use of the office computer was unauthorized under Ohio law.

• Email This
• Print
• Comments
• Trackbacks

Section 315 of FACTA requires institutions that utilize consumer reports (“users”) to develop and follow certain procedures when notified of an address discrepancy  by a national CRA (Equifax, Experian and TransUnion). Under FACTA, national CRAs are required to issue a “notice of address discrepancy” when an address provided by a user requesting a consumer report “substantially differs” from the address the CRA has on file for that consumer. The Address Discrepancy Rule then requires users of consumer reports to develop and implement written policies and procedures to respond to receipt of a discrepancy notice. There are two components to the policies required by the Rule: the first relates to the user’s evaluation of the address discrepancy; the second relates to the user’s potential obligation to report the consumer’s address to the CRA.

• Email This
• Print
• Comments
• Trackbacks

A new Nevada law, S.B. 227, will require entities doing business in that state to beef up their protections of personal information. Previously, we wrote about Nevada’s personal information encryption law. See our blog post here. The current law requires encryption of any personal information transmitted electronically (other than by facsimile). But S.B. 227, which becomes effective on January 1, 2010, will require encryption of all personal information leaving the “logical or physical controls of the data collector,” including electronic data on a “data storage device.”

• Email This
• Print
• Comments
• Trackbacks

On Thursday, the staff of the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Office of Thrift Supervision and the Federal Trade Commission issued a set of Frequently Asked Questions (FAQs) to assist financial institutions, creditors, users of consumer reports, and card issuers in complying with the Red Flags and Address Discrepancies Rules under FACTA.  Among the answers to the FAQs:

• Although there is no specific record retention requirement under the Rules, covered entities must be able to demonstrate that they have complied with the requirements of the Rules;

• All banks, savings associations, and credit unions are covered by the Red Flags Rules as “financial institutions,” whether or not they hold a transaction account belonging to a consumer;

• The Red Flags Rules do not apply to the foreign branches of U.S. banks but, as a matter of safety and soundness, financial institutions are strongly encouraged to implement an effective identity theft prevention program throughout their operations, including in their foreign offices, consistent with local laws;

• “Covered accounts” include accounts established in the U.S. by non-U.S. residents;

• A broker, dealer, investment advisor, or investment or insurance company that is a “financial institution” or “creditor” under the FCRA is covered by the Red Flags Rules, including any such entity that is a subsidiary of a bank or savings association;

• Corporate credit unions are covered by the Red Flags Rules;

• If a consumer loan is purchased by another financial institution or creditor, then that entity becomes responsible for applying its Identity Theft Prevention Program to the loan as an existing covered account;

• The Address Discrepancy Rules only apply to notices of address discrepancy received from an NCRA (Experian, Equifax, and TransUnion).  However,  a notification of address discrepancy received from an entity that is not an NCRA may be a red flag for purposes of the Red Flags Rules;

• If a consumer withdraws his or her application to open a new account, a user of a consumer report that receives a notice of address discrepancy need not take steps to establish a reasonable belief that the consumer report relates to the consumer.

For more, check out the FAQs here, and our prior discussions of the Red Flags and Address Discrepancy Rules here.

• Email This
• Print
• Comments
• Trackbacks

The European Commission is considering modifying the standard contractual clauses (hereafter “SCCs”) established on December 27, 2001 and used by data controllers to transfer personal data to data processors located outside the EU. The new SCCs may introduce more flexibility in processing services and better reflect new business practices.

Although the European Commission has not yet released the new SCCs, the Working Party adopted an opinion on this topic on March 5, 2009.

As our readers know, the EU Directive of 1995 prohibits the transfer of personal data outside the EU/EEA, in countries which do not offer an adequate level of protection of the data. In the judgment of the EU Commission, the United States does not have an adequate level of protection of personal data for purposes of the EU Directive.

As a consequence, controllers that want to transfer personal data to processors located outside the EU/EEA must use one or more of the following compliance mechanisms: 

• Safe Harbor (which only applies if the processor is located in the US);
• Binding Corporate Rules;
• SCCs. 

Many have pointed out that SCCs may no longer be manageable for the complex onward transfers made not only from controllers to processors (as envisaged by the current SCCs) but also from processors to sub-processors or subsequent sub-sub-processors. This is the reason why the European Commission is considering a new set of SCCs.

The new SCCs are designed to: 

• regulate sub-processing;
• allow multi-layered sub-contracting;
• allow the local Data Protection Authorities to inspect the full chain of sub-processing and make binding decisions;
• function as the law of the Member State in which the data exporter is established. (According to some, such a process would be against normal commercial practices as it would have for effect to apply a foreign law to a sub-processor);
• repeal the current SCCs.

In its opinion about the new SCCs, the Working Party outlines three main issues:

1.      First of all, it draws attention to the fact that the transfer of data between a processor established in the EU/EEA to a sub-processor outside the EU/EEA is not envisaged by the SCCs while it is, in practice, a common processing nowadays. It underlines that there is a discrepancy on the rules applicable depending on the place where the processor is located.

The Working Party urges the European Commission to develop a new set of SCCs that would allow international sub-processing by processors located in the EU/EEA. However, given the time that the development of such a new set may take, the Working Party recommends that national Data Protection Authorities consider as an adequate guarantee the fact that the controller authorizes the transfer by a processor located in the EU/EEA to a sub-processor located outside the EU/EEA as long as it applies by analogy the same guarantees and principles in the SCCs.

2.      Second, the Working Party agrees that multi-layered sub-contracting must be taken into account and that a multi-layered sub-processing clause must be included in the new SCCs. However, it draws the attention of the European Commission to the fact that data transferred in such a case, especially if they contain sensitive data, must be processed in compliance with the EU Directive requirements. Indeed, the Working Party emphasizes that given the various number of sub-contractors that may be involved in the sub-contracting process, the liability of a processor that would not have complied with the controller’s instructions may be difficult to establish. This is the reason why the Working Party recommends that the data exporter keep an updated list of the various processors and sub-processors.

The Working Party also considers that applying new SCCs to all different layers of sub-processing is a good solution provided that the data exporter implements organizational solutions to facilitate the exercise of the data subjects’ rights (for instance putting in place a single corporate contact point for data subjects’ claims).

3.      Third, the Working Party recommends that transitional provisions be included in the new SCCs providing that the previous transfers authorized under the “old” SCCs remain in force as long as the transfer described has not changed. It is only if a change is made to the transfer that the parties would have to comply with the new SCCs.

• Email This
• Print
• Comments
• Trackbacks

Two months after Congress mandated notification for the breach of unsecured protected health information (PHI), the Secretary of Health and Human Services (HHS) defined what it means to be “unsecured.” As required by Section 13402 of the HITECH Act, H.R. 1, 111th Cong. (1st Sess. 2009) (which was part of the American Recovery and Reinvestment Act of 2009), the Secretary issued guidance and a request for comments on the technologies and methodologies rendering information unusable, unreadable or indecipherable. 74 Fed. Reg. 19006 (Apr. 27, 2009) (to be codified at 45 C.F.R. pts. 160, 164).

As we previously reported, the HITECH Act’s notification requirements for breaches of unsecured PHI apply to entities subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), their business associates, and non-HIPAA covered vendors of personal health records (PHR). To constitute a breach, the acquisition, use, access or disclosure of the PHI must “compromise[] the security or privacy of such information.” HITECH Act at §13400(1)(A). The newly issued HHS guidance lists technologies and methodologies that secure information, rendering the data unusable, unreadable, or indecipherable. If PHI is secured according to the HHS guidance, unauthorized access to such information will not trigger the HITECH breach notification requirements, although these breaches may still be subject to state law notification requirements.

• Email This
• Print
• Comments
• Trackbacks

I don’t know, but I could probably find out. 

There is an increasing amount of discussion within the information security industry about whether the use of “security questions” to unlock forgotten passwords is a sound practice.  Many web sites ask users to answer personal questions upon registration, so that those questions and answers can be used in the future to authenticate users when they have forgotten their passwords.  The problem is twofold:

(1) The answers to many of these questions can be relatively easily guessed by an unauthorized individual to gain access to the account.

(2) In many cases, the authorized user forgets the answer to the question when it is needed later to access the account.

A recent study conducted by researchers at Microsoft and Carnegie Mellon University (“It’s no secret: Measuring the security and reliability of authentication via ‘secret’ questions”) found that 17% of users’ security answers were guessed correctly by mere acquaintances, and 20% of the study participants forgot their answers within six months. 

• Email This
• Print
• Comments
• Trackbacks

On May 12, 2009, the UK Information Commissioner's Office (ICO) released a much anticipated report authored by the RAND Corporation assessing the strengths and weaknesses of the 1995 EU Data Protection Directive (95/46/EC) (the "Directive), the main source of privacy legislation in Europe. While the report highlighted a number of the Directive's positive attributes, it nonetheless concluded that as society becomes more globally networked, "the Directive as it stands will not suffice in the long term."

• Email This
• Print
• Comments
• Trackbacks

As our readers know, many of the 44 state data breach notification laws allow for (and may even require) a brief delay in notifying affected individuals of the breach if that notification would interfere with or impede a law enforcement investigation.  Last week, the governor of Maine, emphasizing the importance of providing notice "as expediently as possible and without unreasonable delay, consistent with the legitimate needs of law enforcement," as articulated in the existing statute, amended that state's data breach notification law.  The amendment clarifies that notification may be delayed for no longer than 7 business days after a law enforcement agency determines that the notification will not compromise a criminal investigation.  The amended language can be found here.  It becomes effective 90 days following adjournment of Maine's 124th Legislature.

• Email This
• Print
• Comments
• Trackbacks