Thursday, April 21, 2016

Privacy - Privacy Shield in trouble?

    On April 13, 2016, the European Union Article 29 Working Party released a statement and an official but non-binding opinion regarding the adequacy of the EU-U.S. Privacy Shield agreement (the replacement for the EU-U.S. Safe Harbor) concerning the transfer of data between the EU and the U.S.

     In that opinion, the Working Party, which consists of all 28 EU member state data protection authorities (DPAs), stated that Privacy Shield brought significant improvements compared to Safe Harbor.

     However, the Working Party expressed that there was an overall lack of clarity concerning the principles and guarantees offered by Privacy Shield is Privacy Shield consists of numerous documents and annexes.  Additionally, the Working Party expressed concern about the commercial aspects of Privacy Shield, such as the application of the purpose limitation principle to data processing, the failure to discuss the data retention principle, and that the new redress mechanism may be too difficult for EU residents to use.  Finally, the Working Party expressed concern about access by public authorities to data transferred under the Privacy Shield.  According to the Working Party, there was insufficient information to assess whether EU data would be subject to massive and indiscriminate collection, and there is concern that the Ombudsperson is not sufficiently independent or vested with sufficient powers.

     Fortunately, some law firms have examined whether the US offers "essentially equivalent" privacy and data protections.  The Hogan Lovell report concludes that in the context of Privacy Shield the US does offer such protections.  See Hogan Lovell report (To prevent link rot, I am hosting a copy of the report on  The Sidley Austin report similarly concludes (albeit not in the context of Privacy Shield) that the US offers "essentially equivalent" privacy and data protections. See Sidley report.  Importantly, both reports addressed and dispatched the concern that EU data would be subject to massive and indiscriminate collection.

     Given the concerns raised by the Working Party, one might think that there could be some last minute changes to Privacy Shield.  However, the U.S. government appears disinclined to make any changes.

     Until there is a final decision on Privacy Shield, it is still possible to use Binding Corporate Rules and Standard Contractual Clauses to move data between the US and the EU according to the Working Party's Chairperson Isabelle Falque-Pierrotin (the head of France's DPA).

- Henry Park

updated on 5/4

USPTO and Java v8 update 91 build 14

    On my Macintosh, I received a notice that there is an updated version of Java v8 update 91 build 14 (released on April 19).

      I called the US Patent Electronic Business Center (EBC), and talked to Agent 39. She said that the update is still being tested, and that she recommended not upgrading yet.

Updated April 28, 2016 -- A colleague points out that as of today, EBC has approved this update for use. 

- Henry Park

Monday, April 18, 2016

New Jersey - Reciprocity is coming soon

    New Jersey currently does not offer reciprocity with any other jurisdiction.  See New Jersey Board of Bar Examiner's FAQ.

    However, that will change soon.

    On April 14, 2016, the New Jersey Supreme Court adopted a proposal to allow admission by motion.  See New Jersey Courts - April 14, 2016 News Release.  To be eligible for admission by motion, the applicant must:
1.  hold a juris doctor degree from an ABA-accredited law school;
2.  demonstrate fitness and character to practice law;
3.  attain a qualifying score on the Multi-State Professional Responsibility Examination or pass an approved law school ethics course;
4.  have practiced for five of the last seven years in another jurisdiction;
5.  have previously passed a bar examination in another jurisdiction;
6.  be admitted in a jurisdiction that would extend a reciprocal license by motion to New Jersey lawyers;
7.  complete a course on New Jersey ethics and professionalism as a condition precedent to admission;
8.  and be certified by the Committee on Character and meet all other criteria for admission.
See News Release.  Of these eight criteria, all but number 6 are within the control of the applicant.  Moreover, for an experienced attorney, satisfying these criteria should not be burdensome.

    Thus, the remaining questions are:  Which states will extend a reciprocal license and when?  And when will this process be official?

- Henry Park

Tuesday, April 12, 2016

Data security - What are reasonable security practices?

     Privacy policies always state that the data holder will use “reasonable” and “appropriate” measures to keep the data they collect secure. This language is used because almost all state laws and regulations require that the data holder use “reasonable measures”, “appropriate measures”, or both to keep the data secure.

     What are reasonable and appropriate measures?  One could look to Federal standards or third-party standards.  Alternatively, a few states have addressed this issue.

    Massachusetts has the most detailed data security regulation, 201 CMR 17.00.  This regulation applies to any person who owns or licenses “personal information” concerning Massachusetts’ residents.  This regulation requires that every person:
develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to (a) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program; (b) the amount of resources available to such person; (c) the amount of stored data; and (d) the need for security and confidentiality of both consumer and employee information.
201 CMR 17.03(1).  The regulation requires the creation of a written information security program (WISP) with elements, such as, (1) designating persons to maintain the information security program, (2) identifying internal and external risks and evaluating and improving safeguards, (3) developing security policies concerning transportation of personal information, (4) at least annual reviews, and (5) overseeing service providers.  Additionally, the regulation requires the WISP to include a section concerning one’s security systems that should address “at a minimum, and to the extent technologically feasible”: (a) secure user authentication protocols, (b) secure access control measures, (c) encryption of all personal information, (d) reasonable monitoring of systems, and (e) the education and training of employees.  201 CMR 17.04.  Due to the breadth of this regulation, Massachusetts released a compliance checklist to assist with complying with this regulation.

     Rhode Island recently addressed this issue, with its amended Identity Theft Protection Act, which becomes effective on June 26, 2016.  This statute applies to any person who has “personal information” about a Rhode Island resident.  Rhode Island General Laws 11-49.3-2; 3-3(8).  Under the statute, everyone
shall implement and maintain a risk-based information security program which contains reasonable security procedures and practices appropriate to the size and scope of the organization, the nature of the information and the purpose for which the information was collected in order to protect the personal information from unauthorized access, use, modification, destruction or disclosure and to preserve the confidentiality, integrity, and availability of such information.
R.I. Gen. Laws § 11-49.3-2 (effective June 26, 2016).  While this statute requires the creation of a “risk-based information security program”, it doesn’t detail the substance of that program.  Thus, the program could be modeled after the Massachussetts program or, possibly, after a HIPAA program.

    A couple of other states, Nevada and Connecticut, have limited data security statutes.

    Nevada’s statute applies to any “data collector” that maintains “personal information” concerning Nevada residents.  Nevada Revised Statute 603A.210(1). The statute requires that any data collector who receives payment card information must comply with the Payment Card Industry (PCI) Data Security Standard.  NRS 603A.215(1).  Alternatively, if a data collector does not collect payment card information, it must encrypt personal information.  NRS 603A.215(2).

     Connecticut’s statute applies only to state contractors and health care related businesses.  State contractors are required to “implement and maintain a comprehensive data-security program”. Conn. Gen Stat. § 36a-701b, 2015 S.B. 949, Public Act 15-142.  That statute then enumerates a few elements to be included in the program, such as: security policy for contractor employees related to the storage, access and transportation of data containing confidential information, at least an annual review of policies and security measures, requiring electronic data be stored “(A) in a secure server; (B) on secure drives; (C) behind firewall protections and monitored by intrusion detection software….”  The statute also prohibits the storage of confidential information on removal storage media unless approved by the contracting state agency.  Health care related businesses are required to “implement and maintain a comprehensive information security program”. Conn. Gen Stat. § 36a-701b, 2015 S.B. 949, Public Act 15-142.  The program must be in writing and “contain administrative, technical and physical safeguards appropriate to (A) the size, scope and type of business of such company, (B) the amount of resources available to such company, (C) the amount of data compiled or maintained by such company, (D) and the need for security and confidentiality of such data.”  The statute goes on to require the program to include at least: secure computer and Internet user authentication protocols, secure access control measures, identification and assessment of reasonably foreseeable internal and external risks, at least annual reviews of the program, and reasonable restrictions on physical access to personal information in paper format.

     Finally, we would be remiss not to mention California’s entry into the data security field.

     California’s Attorney General in its 2016 Data Breach Report (see this older blog post - Security - What are "reasonable" information security practices?) provided a recommendation concerning what would constitute “reasonable” security.  Although the AG’s recommendations are not law or regulations, they influential.  In the report, the AG stated that:

Report, at page 30.  The 20 Controls can be broken down as follows:

Report, at page 31.

    If your business collects personal information from visitors, users or customers, then you need to assess the information you collecting.  What information is being collected?  Which state laws and regulations do you need to comply with?  Is that information "personal information"?  Are you providing reasonable and appropriate security measures?

    Be forewarned, the bar for what is considered reasonable and appropriate is rising.

- Henry Park

Sunday, April 10, 2016

Data breach - Tennessee requires notification even if encrypted

   Earlier this year, Tennessee revised its data breach law, Tennessee Code 41-18-2107.  Under the old law, an entity need only disclose a data breach where the unencrypted "personal information" of a Tennessee resident was or is reasonably believed to have been acquired by an unauthorized person. Tennessee Code 41-18-2107(b).  The revised law removes the encryption safe harbor.  Now, an entity must disclose any data breach where the "personal information" of a Tennessee resident was or is reasonably believed to have been acquired by an unauthorized person -- regardless of encryption status.  TN S.B. 2005.

   Thus, an entity must be mindful that encrypting personal information may not excuse it from complying with state data breach laws.

- Henry Park

Monday, April 4, 2016

Privacy - US businesses and GDPR

    Privacy for Europeans is a big issue, and their concerns are expressed in the forthcoming General Data Protection Regulation (GDPR) in Europe.  The GDPR should be adopted by the middle of 2016, and enforcement is scheduled to begin two years later -- by Spring 2018.

    US businesses without a European presence could collect data about European residents because the old Data Protection Directive was limited to businesses with a European presence.  The new GDPR is not so limited.  It specifically covers data controllers (which are entities that "determine[] the purposes, conditions and means of the processing of personal data", see GPDR Article 4(5) at page 41) based outside of the EU that (1) offers goods or services to EU residents or (2) monitors the behavior of EU residents.  See GPDR Article 3(2) at page 41.

     What does this mean?

     It means that US businesses that collect information about EU residents need to start considering how to comply with the terms of the GDPR.  Among the options are: (1) compliance with the Privacy Shield, (2) binding corporate rules, and (3) standard contractual clauses.

- Henry Park