Tag: USA

USA and UK sign Cross Border Data Access Agreement for Criminal Electronic Data

10. October 2019

The United States and the United Kingdom have entered into the first-of-its-kind CLOUD Act Data Access Agreement, which will allow both countries’ law enforcement authorities to demand authorized access to electronic data relating to serious crime. The respective authorities of each country are permitted to ask tech companies based in the other country for electronic data directly and without legal barriers.

This bilateral Agreement is based on the U.S. Clarifying Lawful Overseas Use of Data Act (CLOUD Act), which came into effect in March 2018. It aims to improve procedures for U.S. and foreign investigators for obtaining electronic information held by service providers in the other country. Because of the growing number of mutual legal assistance requests for electronic data from U.S. service providers, the current process for access may take up to two years. The Data Access Agreement can reduce that time considerably by allowing more efficient and effective access to the data needed, while protecting the privacy and civil liberties of the data subjects.

The CLOUD Act focuses on updating legal frameworks to respond to the growth of technology in electronic communications and service systems. It further enables the U.S. and other countries to enter into a mutual executive Agreement in order to use their own legal authorities to access electronic evidence in the other respective country. An Agreement of this form can only be signed by rights-respecting countries, after it has been certified by the U.S. Attorney General to the U.S. Congress that their laws have robust substantive and procedural protections for privacy and civil liberties.

The Agreement between the U.K. and the U.S.A. further assures providers that the requested disclosures are compatible with data protection laws in both respective countries.

In addition to the Agreement with the United Kingdom, talks between the United States and Australia were reported on Monday, concerning negotiations for such an Agreement between the two countries. Other negotiations have also been held between the U.S. and the European Commission, representing the European Union, with regard to a Data Access Agreement.

Category: General · UK · USA

CJEU rules that Right To Be Forgotten is only applicable in Europe

27. September 2019

In a landmark case on Tuesday, the Court of Justice of the European Union (CJEU) ruled that Google will not have to apply the General Data Privacy Regulation’s (GDPR) “Right to be Forgotten” to its search engines outside of the European Union. The ruling is a victory for Google in a case against a fine imposed by the French Commission nationale de l’informatique et des libertés (CNIL) in 2015 in an effort to force the company and other search engines to take down links globally.

Seeing as the internet has grown into a worldwide media net with no borders, this case is viewed as a test of whether people can demand a blanket removal of information about themselves from searches without overbearing on the principles of free speech and public interest. Around the world, it has also been perceived as a trial to see if the European Union can extend its laws beyond its own borders.

“The balance between right to privacy and protection of personal data, on the one hand, and the freedom of information of internet users, on the other, is likely to vary significantly around the world,” the court stated in its decision. The Court also expressed in the judgement that the protection of personal data is not an absolute right.

While this leads to companies not being forced to delete sensitive information on their search engines outside of the EU upon request, they must take precautions to seriously discourage internet users from going onto non-EU versions of their pages. Furthermore, companies with search engines within the EU will have to closely weigh freedom of speech against the protection of privacy, keeping the currently common case-by-case basis for deletion requests.

Since the Right to be Forgotten was first determined by the CJEU in 2014, Google has received over 3.3 million deletion requests. In 45% of the cases it has complied with the delisting of links from its search engine. As it stands, even when deletion requests are complied with, the links delisted within the EU search engines can still be accessed by using a VPN to gain access to non-EU search engines, circumventing the geoblocking. This is an issue to which a solution has not yet been found.

Settlement of $13 Million for Google in Street View Privacy Case

30. July 2019

In an attempt to settle a long-running class-action litigation started in 2010, Google agrees to pay $13 million over claims that it violated U.S. wire-tapping laws. The issue came from vehicles used for its Street View mapping project that captured and collected personal data from private wifi networks along the way.

Street View is a feature that lets users interact with panoramic and detailed images of locations all around the world. The legal action began when several people whose data was collected sued Google after it admitted the cars photographing neighborhoods for Street View had also gathered emails, passwords and other private information from wifi networks in more than 30 countries.

While the company was quick to call this collection of data a mistake, investigators found out that the capture of personal data was built and embedded by Google engineers in the software of the vehicles to intentionally collect personal data from accessed networks.

The new agreement would require Google to destroy any data collected via Street View, to agree not to use Street View to collect personal data from wifi networks without consent, and to create webpages and instructions to explain to people how to secure their wireless content.

Google had been asked to refrain from using and collecting personal data from wifi networks in an earlier settlement in 2013, which raises questions as to why it was necessary to include it in the current settlement as well.

Category: Cyber security · General · USA

Texas amends Data Breach Notification Law

2. July 2019

The Governor of Texas, Greg Abbott, recently signed House Bill 4390 (HB 4390), which modifies the state’s current Data Breach Notification law and introduces an advisory council (“Texas Privacy Protection Advisory Council”) charged with studying data privacy laws in Texas, other states and other relevant jurisdictions.

Prior to the new amendment, businesses had to disclose Data Breaches to the Data Subjects “as quickly as possible”. Now, a concrete time period for notifying individuals whose sensitive personal information was acquired by an unauthorized person is determined by the bill. Individual notice must now be provided within 60 days after discovering the breach.

If more than 250 residents of Texas are subject to a Data Breach the Texas Attorney General must also be notified within 60 days. Such a notification must include:
– A detailed description of the nature and circumstances of the data breach;
– The number of the affected residents at that time;
– The measures taken regarding the breach and any measures the responsible person intends to take after the notification;
– Information on whether the law enforcement is engaged in investigating the breach.

The amendments take effect on January 1, 2020.

Category: General · USA

Consumers should know how much their data is worth

27. June 2019

US Senators Mark R. Warner (Democrats) and Josh Hawley (Republicans) want to know from Facebook, Google and Co. exactly how much the data of their users, measured in dollars and cents, is worth to them.

Last Sunday, the two senators announced their intention for the first time in a US talk show: Every three months, each user is to receive an overview of which data has been collected and stored and how the respective provider rates it. In addition, the aggregated value of all user data is to be reported annually to the US Securities and Exchange Commission. In this report, the companies are to disclose how they store, process and protect data and how and with which partner companies they generate sales with the data. All companies with more than 100 million users per month will be affected.

The value of user data has risen enormously in recent years; so far, companies have protected their internal calculations as company secrets. In addition, there is no recognized method for quantifying the value of user data; only when a company is sold or valued by means of an initial public offering (IPO) does it become obvious. In the case of the WhatsApp takeover it was $55 per user, in the case of Skype it was $200.

But one can doubt the significance of these figures. A further indication can be the advertising revenues, which are disclosed by companies per quarter. At the end of 2018, Facebook earned around $6 per user worldwide, while Amazon earned $752 per user. These figures are likely to rise in the future. “For years, social media companies have told consumers that their products are free to the user. But that’s not true – you are paying with your data instead of your wallet,” said Senator Warner. “But the overall lack of transparency and disclosure in this market have made it impossible for users to know what they’re giving up, who else their data is being shared with, or what it’s worth to the platform. […]” Experts believe it is important for consumers to know the value of their data, because only when you know the value of a good are you able to value it.

On Monday, Warner and Hawley plan to introduce the Designing Accounting Safeguards to Help Broaden Oversight And Regulations on Data (DASHBOARD) Act to the parliament for its first reading. It remains to be seen whether their plans will meet with the approval of the other senators.

New Jersey changes data breach law to extend it to online account information

20. May 2019

On May 10, 2019, Phil Murphy, Governor of New Jersey, signed a bill amending the law regarding notification of data breaches in New Jersey. The purpose of the amendment is to extend the definition of personal data to include online account information.

The amendment requires companies subject to the law to notify New Jersey residents of security breaches concerning the user name, e-mail address or other account holder identifying information.

The amendment states that companies should notify their customers affected by violations of such information electronically or otherwise and instruct them to promptly change any password and security questions or answers or take other appropriate measures to protect their online account with the company. The same shall be done for all other online accounts for which the customer uses the same username or e-mail address and password or the same security question and answer.

In addition, the amended law prohibits the company from sending notifications to the e-mail account of a person affected by a security breach. Instead, notifications must be sent in another legally required manner or by a clear and unambiguous notification sent online when the customer’s account is connected to an IP address and the company knows that the customer regularly accesses their account from that online location.

The amendment will take effect on 1 September 2019.

San Francisco took a stand against use of facial recognition technology

15. May 2019

San Francisco is the first major city in the US that has banned the use of facial recognition software by the authorities. The Board of Supervisors decided on 14th May that the risk of violating civil rights by using such technology far outweighs the claimed benefits. According to the current vote, the municipal police and other municipal authorities may not acquire, hold or use any facial recognition technology in the future.

The proposal is due to the fact that using facial recognition software threatens to increase racial injustice and “the ability to live free from constant monitoring by the government”. Civil rights advocates and researchers warn that the technology could easily be misused to monitor immigrants, unjustly target African-Americans or low-income neighborhoods, in case governmental oversight fails.

It sent a particularly strong message to the nation, coming from a city transformed by tech, said Aaron Peskin, the city supervisor who sponsored the bill. The ban is part of broader legislation aiming to restrict the use of surveillance technologies. However, airports, ports or other facilities operated by the federal authorities as well as businesses and private users are explicitly excluded from the ban.

Aetna to pay fine for HIV privacy breach

31. January 2019

Healthcare insurer Aetna will have to pay a $935,000 fine after letters had been sent to nearly 12,000 patients in 2017, disclosing highly sensitive information through the windows of the envelopes.

The information revealed that the recipients were taking HIV-related medications.

In addition, the insurance company will have to complete privacy risk assessments annually for three years.

The patients have received compensation through a private class action settlement.

Yahoo agreed to pay US$ 85 million after data breaches in 2013 and 2014

24. October 2018

As part of a court settlement filed Monday, Yahoo agreed to pay $50 million in damages and to provide two years of free credit monitoring services to 200 million people.

Around 3 billion Yahoo accounts were hacked in 2013 and 2014 but the company, which is now owned by Verizon, did not disclose the breach until 2016. Affected are U.S. and Israel residents and small businesses with Yahoo accounts at any time from January 1, 2012 to December 31, 2016. Apart from usernames and email addresses, millions of birthdates and security questions and answers were stolen. Not among the stolen information were passwords, credit card numbers and bank account information.

According to the settlement, the fund will compensate accountholders who paid for email services, who had out-of-pocket losses or who already have credit monitoring services. A refund of $25 per hour will be made for the time spent handling issues caused by the breach. Those with documented losses can ask for up to 15 hours of lost time ($375) whereas those who cannot document losses can ask for up to 5 hours ($125).

A hearing to approve the preliminary settlement is scheduled for November 29.

Nationwide: multistate data breach investigation settled by paying $ 5.5 million

11. August 2017

According to Hunton & Williams, on the 9th of August, Nationwide Mutual Insurance Company (“Nationwide”) agreed to pay $ 5.5 million to settle a data breach investigation by attorneys general from 32 states concerning a data breach that exposed personal data of about 1.2 million individuals. They also published the settlement.

In October 2012, Nationwide and its wholly-owned subsidiary Allied Property & Casualty Insurance Company (“Allied”) experienced a data breach that led to unauthorized access to and exfiltration of certain personal data of their customers, as well as other consumers. Since Nationwide and Allied provide customers with insurance quotes, inter alia the following personal data are collected: full name, Social Security number, date of birth or credit-related score.

The attorneys general alleged that the data breach occurred when hackers exploited a vulnerability in the companies’ web application hosting software. Further, it is alleged that, after the data was exfiltrated, Nationwide and Allied applied a software patch that had not previously been applied, in order to address the vulnerability.

In addition to the $ 5.5 million payment, Nationwide and Allied agreed to implement a series of steps to update their security practices. Among other measures listed in the settlement, a technology officer shall be appointed to manage and monitor security and software updates to ensure that future patches and other security updates are applied.
