FMG Law Blog Line

Posts Tagged ‘privacy’

Currently pending in the Massachusetts legislature is Bill S.120 entitled “An Act Relative to Consumer Data Privacy”

Posted on: April 25th, 2019

By: Eric Martignetti

The proposed bill defines “personal information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or the consumer’s device.” “Personal information” includes “biometric information.” “Biometric information” is “an individual’s physiological, biological or behavioral characteristics, including an individual’s DNA, that can be used, singly or in combination with each other or with other identifying data, to establish individual identity,” including “imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.”

Under the proposed bill, a business that collects a consumer’s personal information shall, at or before the point of collection, notify a consumer of: (1) the categories of personal information it will collect; (2) the business purpose for which their personal information will be used; (3) the categories of third parties to whom the business discloses their personal information; (4) the business purpose for the third-party disclosure; and (5) the consumer’s right to request a copy of their personal information, the deletion of their personal information, and the right to opt out of the disclosure of their personal information to third parties. Also, a business must include these five items either in its online privacy policy or on its website.

Under the proposed bill, a business shall also make reasonably available to consumers two or more methods, including a link on the home page of its website, for submitting a consumer verified request. Through a consumer verified request, a consumer can request: (1) the specific pieces of personal information the business has collected about them; (2) the sources from which their personal information was collected; (3) the names of third parties to whom the business disclosed their personal information; and (4) the business purpose for third-party disclosure.

The proposed bill applies to a “business” that: (1) “is organized or operated for the profit or financial benefit of its shareholders or other owners”; (2) “collects Massachusetts consumers’ personal information”; and (3) “has annual gross revenues in excess of $10,000,000” or “derives 50 percent or more of its annual revenues from third party disclosure of consumers’ personal information.”

The proposed bill carves out an exception for “a business collecting or disclosing personal information of the business’s employees so long as the business is collecting or disclosing such information within the scope of its role as an employer.” This exception would, in most cases, protect employers from lawsuits brought by employees under the Act.

The proposed bill creates a private right of action for consumers. In a private right of action, a consumer need not suffer a loss of money or property, and they may recover $750 in statutory damages or their actual damages, whichever is greater. A consumer may also recover costs and attorneys’ fees.

If you have any questions or would like more information, please contact Eric Martignetti at [email protected].

New Cybersecurity Trend: Data Security and Disposal Laws

Posted on: February 7th, 2019

By: David Cole & Amy Bender

Tales of data breaches flood our news reports these days. By now, you hopefully are aware that all 50 states have laws requiring persons and organizations that own or maintain computerized data that includes personal information to notify affected individuals, and sometimes the government, in the event of a data breach involving their personal information. (You know those letters you’ve received from hospitals, retail stores, and other companies advising you that they experienced a data breach that may have exposed your personal information? They didn’t notify you out of the goodness of their hearts – it’s the law!)

In the past, these laws have focused solely on notifying affected individuals about compromises to their personal information. Outside of specific industries, such as healthcare or financial services, which are regulated by laws applicable only to them, such as HIPAA and the Gramm-Leach-Bliley Act, respectively, there have not been laws of general applicability regulating the standard of care required for protecting personal information in the first place. Recently, however, a trend has emerged among state legislatures to take this next step in cybersecurity legislation by setting standards for businesses’ protection of consumers’ personal information.

The majority of states now have enacted data security and/or data disposal laws that place affirmative obligations on entities (or, in some instances, certain types of industries) that own or use computer data containing personal information to safeguard and/or dispose of or encrypt that data. Below is a current list of states that have adopted these laws:

(Click here for our discussion of the significant and comprehensive data security law California passed last year.)

Unfortunately, there is not one universal standard for how to secure and destroy data containing personal information, but rather, the standard varies by state. Organizations that operate in multiple states thus may have to comply with multiple and differing requirements. In addition, many of these laws only provide general, and often vague, guidelines that do not specify particular technologies or data security measures that should be implemented. For instance, many laws only require that businesses implement “reasonable” administrative, physical, and/or technical safeguards to protect personal information from unauthorized use or disclosure, and then describe “reasonable” measures as those “appropriate based on the size of the business and the nature of information maintained.” That may be clear as mud, but at least it’s a start and enough to put businesses on notice that doing nothing is not an option.

For these reasons, we recommend that businesses work with legal counsel to understand the laws of the states where they do business and to conduct a security risk assessment to evaluate the information they maintain, the potential risks to it, and the current measures in place to protect it. Working with legal counsel, businesses should then work with an experienced cybersecurity provider to translate that risk assessment into an actionable plan for improving data security and privacy within their organization. The legal standards still might be vague, but going through a process like this will put businesses in the best position to demonstrate good faith and reasonable efforts to meet their legal obligations if and when an incident occurs or a claim is made by a third party.

Please contact David Cole, Amy Bender, or one of the other members of our Data Security, Privacy & Technology team at FMG for additional questions or to discuss conducting a risk assessment for your organization.

VISA Issues Security Alert Due to Increased Data Breaches Caused by Insecure Remote Access

Posted on: July 30th, 2014

By: David Cole

When a merchant experiences a data breach involving credit card information, it is often required by the card brands to hire a Payment Card Industry Forensic Investigator (PFI). The PFI investigates the incident and then provides a report to the card brands on what happened, how it happened, and whether the merchant’s system complied with the Payment Card Industry Data Security Standards (PCI DSS).  The card brands receive hundreds of PFI reports each year, and they occasionally issue security alerts when they see an emerging threat pattern in PFI reports.

Just this month, Visa issued a security alert titled “Insecure Remote Access and User Credential Management,” in which it reported an increase in data security breaches stemming from insecure remote access.  The alert notes that a number of remote access solutions are commonly used to provide remote management and support for merchants, such as LogMeIn, PCAnywhere, VNC, and Microsoft Remote Desktop.  When used correctly, applications like these are effective ways to provide technical support among large numbers of merchants.  But if used maliciously, they can expose payment card data and other sensitive information to cyber criminals. This is because insecurely deployed remote access applications create a conduit for cyber criminals to log in, establish additional “back doors” by installing malware, and steal payment card data.

The alert warns that the circumstances around multiple data breaches in the last several months suggest that an actor or group of actors is targeting merchants who share common Point-of-Sale (POS) integrators or remote support vendors.  It then identifies several common vulnerabilities that are allowing intruders to gain access through remote applications.  These include: (1) remote access ports and services always being available on the Internet; (2) outdated or unpatched systems; (3) use of default passwords or no passwords at all; (4) use of common usernames and passwords; (5) single-factor authentication; and (6) improperly configured firewalls.

To protect against these vulnerabilities, the alert advises merchants to examine their remote management software for insecure configurations, use of outdated or unpatched applications, and common or easily-guessed usernames and passwords, and to ensure that the overall payment processing environment is securely configured and maintained in accordance with the PCI DSS.  In addition, merchants should follow these other security practices to mitigate their risk:

  • Ensure proper firewall rules are in place, allowing remote access only from known IP addresses.
  • If remote connectivity is required, enable it only when needed.
  • Contact your support provider or POS vendor and verify that a unique username and password exists for each of your remote management applications.
  • Use the latest version of remote management applications and ensure that the latest security patches are applied prior to deployment.
  • Plan to migrate away from outdated or unsupported operating systems like Windows XP.
  • Enable logging in remote management applications.
  • Do not use default or easily-guessed passwords.
  • Restrict access to only the service provider and only for established time periods.
  • Only use remote access applications that offer strong security controls.
  • Always use two-factor authentication for remote access. Two-factor authentication combines something you have (a device) with something you know (a password).
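A defender-side illustration of the logging, known-IP and credential practices above, added here as an example that is not from Visa's alert or the original post: it scans constructed remote-access login records and flags successful logins that break those practices (login from an address outside the vendor allow-list, login outside agreed support hours, use of a default account, and a success following a run of failed attempts from the same source). The log format, the allow-list, the support hours and the failure threshold are all assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in a simplified remote-access audit format (not any real product's).
SAMPLE_LOG = """\
2014-07-12 02:14:03 rdp src=203.0.113.45 user=administrator result=FAIL
2014-07-12 02:14:05 rdp src=203.0.113.45 user=administrator result=FAIL
2014-07-12 02:14:07 rdp src=203.0.113.45 user=administrator result=FAIL
2014-07-12 02:14:09 rdp src=203.0.113.45 user=administrator result=FAIL
2014-07-12 02:14:11 rdp src=203.0.113.45 user=administrator result=FAIL
2014-07-12 02:14:13 rdp src=203.0.113.45 user=administrator result=OK
2014-07-12 09:30:00 vnc src=198.51.100.7 user=possupport result=OK
2014-07-12 23:55:10 rdp src=192.0.2.88 user=possupport result=OK
"""

# Assumed policy values: the POS vendor's known support address, the agreed support
# window, and a brute-force threshold. A merchant would take these from its own records.
KNOWN_SUPPORT_IPS = {"198.51.100.7"}
SUPPORT_HOURS = range(8, 18)          # 08:00 to 17:59
FAIL_THRESHOLD = 5
DEFAULT_ACCOUNTS = {"administrator", "admin", "root", "guest"}

LINE_RE = re.compile(
    r"^\S+ (\d\d):\d\d:\d\d (\w+) src=(\S+) user=(\S+) result=(OK|FAIL)$"
)


def analyze(log_text):
    """Return (rule, source_ip, user, app) tuples for successful logins that
    violate the practices; failed attempts only feed the brute-force counter."""
    findings = []
    fails = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        hour, app, src, user, result = m.groups()
        if result == "FAIL":
            fails[src] += 1
            continue
        checks = [
            ("login_from_unknown_ip", src not in KNOWN_SUPPORT_IPS),
            ("login_outside_support_window", int(hour) not in SUPPORT_HOURS),
            ("default_account_used", user.lower() in DEFAULT_ACCOUNTS),
            ("success_after_repeated_failures", fails[src] >= FAIL_THRESHOLD),
        ]
        findings.extend((rule, src, user, app) for rule, hit in checks if hit)
        fails[src] = 0  # a successful login ends the current guessing run
    return findings
```

Running `analyze(SAMPLE_LOG)` flags the 02:14 administrator login on all four rules and the 23:55 login on two, while the daytime login from the known support address produces nothing.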

FTC Guidance for Online Protection for Children

Posted on: May 14th, 2013

By: Matt Foree

A byproduct of widespread use of the internet is its inevitable use by young children. Today, children have access to the internet through computers, smartphones and countless other electronic devices. To protect the privacy of children online, Congress enacted the Children’s Online Privacy Protection Act (“COPPA”), which provides rules for operators of commercial websites and online services directed to or knowingly used by children under 13. COPPA required the Federal Trade Commission (“FTC”) to issue and enforce regulations concerning children’s online privacy. The FTC’s original COPPA Rule became effective on April 21, 2000.

Significantly, the FTC issued new, stricter rules under COPPA on December 19, 2012, the first time the rules have been amended since COPPA was enacted in 1998. (See video of Chairman John D. Rockefeller IV’s remarks regarding the amendment and the modernization of COPPA here.) Obviously, much of the relevant technology has evolved since COPPA was enacted. The new rules go into effect on July 1, 2013. The new rules can be found here on the FTC’s website.

The stricter rules under COPPA came shortly after the FTC issued a report entitled “Mobile Apps For Kids: Disclosures Still Not Making the Grade” on the state of mobile app privacy protections for children in December 2012. This report characterized the results of its recent survey on mobile apps as “disappointing,” and noted that the mobile app industry “appears to have made little or no progress in improving its disclosures” since the FTC’s previous report.

Generally, COPPA applies to operators of commercial websites and online services, such as mobile apps, directed to children under 13 that collect, use, or disclose personal information from children, and operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13. COPPA also applies to websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children. “Personal information” includes, among other things, first and last name, a home or other physical address, a screen or user name, a telephone number, certain geolocation information, a social security number, and a photograph, video, or audio file that includes a child’s image or voice.

The rules provide that operators covered by COPPA must, among other things, post a clear and comprehensive policy describing their information practices for personal information collected online from children, provide direct notice to parents and obtain verifiable parental consent, with some exceptions, before collecting personal information online from children, and give parents access to their child’s personal information to review and/or have the information deleted.

The FTC has recently released a document providing further COPPA guidance.  Entitled “Complying with COPPA:  Frequently Asked Questions, a Guide for Business and Parents and Small Entity Compliance Guide” (the FAQ), this compliance document sets forth 92 frequently asked questions related to COPPA.  As stated in the document, the “primary goal of COPPA is to place parents in control over what information is collected from their young children online.”  The FAQ provides specific guidance about obligations regarding use or disclosure of previously collected information that will be deemed personal information once the amended rule goes into effect on July 1, as well as an explanation of the differences between the new and old COPPA rules.

The new COPPA rules provide pitfalls for covered operators of commercial websites and online services. Covered businesses should review COPPA and the FTC guidance to ensure compliance with COPPA, which authorizes civil penalties of up to $16,000 per violation. COPPA gives states and certain federal agencies authority to enforce compliance.

Supreme Court to Decide Whether Police Dog Sniffs Pass the Fourth Amendment “Smell Test”

Posted on: November 2nd, 2012

By: Brian Dempsey

This past week, the United States Supreme Court heard two cases which are expected to clarify the Fourth Amendment limitations on police officers’ use of drug-sniffing dogs.

In the first case, Florida v. Jardines, the Supreme Court granted certiorari to decide whether a dog sniff at the front door of a suspected marijuana grow house by a trained narcotics detection dog is a search requiring probable cause and a warrant.  In the second case, Florida v. Harris, the issue is whether an “alert” by a well-trained detection dog establishes probable cause for the search of the interior of a vehicle for further evidence of illegal drugs.

In some general law enforcement contexts, a canine drug sniff has been held not to be a search which requires Fourth Amendment scrutiny.  In Jardines, however, the Court will – for the first time – consider whether the Fourth Amendment “reasonableness” standard applies when the search is conducted outside a private home.  This is an important factor in light of the Court’s recognition in prior cases that the area immediately outside a home is subject to the same Fourth Amendment privacy protections which apply to the interior of the residence.  In contrast, the Court has recognized a lesser degree of privacy expectations in a vehicle which is operated on public roads, as was the case in Harris.

The Court’s upcoming opinions in these cases will provide welcome guidance regarding the constitutional limitations of searches conducted by narcotics detection dogs.  In the meantime, a plain-language discussion of the issues can be found here.

For more commentary, analysis, and links to the oral argument transcripts and briefs in both cases, see these websites:

SCOTUS Blog – Florida v. Jardines

SCOTUS Blog – Florida v. Harris

ABA Journal – “Chemerinsky: The Fourth Amendment Goes to the Dogs”

The Volokh Conspiracy – “A Few Thoughts on the Dog Sniff Cases: Florida v. Jardines and Florida v. Harris”