DBR ON DATA

Security, Privacy and Information Governance

Month: January 2018 (page 1 of 2)

Battling Botnets – Evolving U.S. Government Policies and Frameworks to Address Security and Resiliency Challenges

Share

The Secretaries of the Department of Commerce and the Department of Homeland Security, through the National Telecommunications and Information Administration (NTIA), in early January 2018 issued a draft report to further public discussion about enhancing the resilience of the Internet and communications ecosystem against botnets and other automated distributed threats. This report continues work initiated under Presidential Executive Order 13800, “Strengthening the Cyber Security of Federal Networks and Critical Infrastructure.”  The report seeks additional public comment on known and evolving risks within and to the ecosystem and aims to forge consensus on what approaches warrant consideration for the government either to adopt or to encourage.  Commenters are asked to evaluate a range of proposed goals and actions to achieve a more resilient ecosystem as well as to address the roles various stakeholders play in achieving and maintaining resiliency of the ecosystem nationally and globally. Comments are due on the draft report by February 12, 2018 and the final report is due the president by May 11, 2018.

Six principal themes emerged from the government’s analysis of prior comments on identifying and mitigating botnet and other cyber threats, namely that:

  • Automated distributed attacks are a global problem;
  • While effective tools exist, they are not widely used
  • Products should be secured during all stages of their life cycle.;
  • Improved education and awareness are necessary;
  • Current market incentives are misaligned; and
  • Automated distributed attacks are an ecosystem-wide challenge.

Continue reading

Connecticut Supreme Court Establishes Private Right to Sue Over Medical Record Breaches

Share

The Connecticut Supreme Court has joined several other states by holding that health care providers owe patients a common law duty to maintain the confidentiality of their medical records. In a unanimous reversal of the lower court’s ruling, the court determined that the unauthorized disclosure of confidential information obtained in the course of a physician-patient relationship gives rise to a cause of action in tort against the health care provider, unless the disclosure is otherwise allowed by law.

Emily Byrne sued the Avery Center for Obstetrics and Gynecology, P.C. (“Avery”) for negligence and negligent infliction of emotional distress in connection with Avery’s release of her medical records in response to a subpoena issued by her ex-boyfriend, Andro Mendoza, in the course of a paternity action.  The subpoena instructed Avery to send the custodian of its records to appear, together with Byrne’s medical records, at the New Haven Regional Children’s Probate Court.  Avery did not alert Bryne about the subpoena, file a motion to quash it, or appear in court – it mailed Byrne’s medical records.  Bryne alleges that she suffered harassment and extortion threats from Mendoza because Avery gave him access to her medical records without her knowledge or consent.

Continue reading

VTech Settlement Resolves COPPA Allegations in FTC’s First Connected Toy Case

Share

The Federal Trade Commission announced a settlement with VTech Electronics Limited and its U.S. subsidiary in the FTC’s first case involving Internet-connected toys.

VTech had been charged with violating the FTC Act and the Children’s Online Privacy Protection Act (COPPA) by collecting personal information from children without providing direct notice and obtaining their parent’s consent, as well as failing to properly secure the data it collected.  The settlement includes a payment of $650,000 in civil penalties, injunctive relief, and the establishment of a comprehensive security program.

Background

VTech, a Hong Kong corporation, and VTech Electronics North America, advertise, market and distribute electronic learning products (ELPs).  The companies offer online games available through the ELPs and operate the Learning Lodge Navigator online service, a platform similar to an app store that allows customers to download child-directed apps, games, e-books and other online content.  As of November 2015, approximately 2.25 million parents had created accounts with Learning Lodge for nearly 3 million children, according to the FTC.

Continue reading

Article 29 Working Party Releases Guideline WP260 on Transparency under the GDPR

Share

The Article 29 Working Party (WP29) released two guideline documents, WP259 and WP260, on the General Data Protection Regulation (GDPR) concepts of consent and transparency.  Comments on both documents will be accepted by the Working Party through January 23, 2018 after which the WP 29 working party will issue final guidance. WP29 is an independent European advisory body on data protection and privacy.

This blog post focuses on WP260, the guideline on transparency. Our companion post on WP259, the guideline on consent can be read here.

Transparency has long been a fundamental feature of EU privacy law and is an overarching obligation under the GDPR. The draft guideline notes that a central consideration of the principle of transparency is that the data subject should be able to determine in advance what the scope and consequences of the processing entails. Transparency applies in three central areas:

  • The provision of information to data subjects related to the fair processing of their personal data.
  • How data controllers communicate with data subjects in relation to their rights under the GDPR.
  • How data controllers facilitate the exercise by data subjects of their rights.

Continue reading

Article 29 Working Party Releases Guideline WP259 on Consent under the GDPR

Share

The Article 29 Working Party (WP29) released two guideline documents, WP259 and WP260, on the General Data Protection Regulation (GDPR) concepts of consent and transparency in November.  Comments on both documents will be accepted by the Working Party through January 23, 2018 after which the WP29 will issue final guidance.   WP29 is an independent European advisory body on data protection and privacy.

This blog post focuses on WP259, which is the guideline on consent. We have also written a companion blog on WP260, the guideline on transparency.

Guideline on Consent

The guideline provides a thorough analysis of the notion of consent, which is one of the six lawful bases to process personal data under the GDPR. Article 4(11) stipulates that consent of the data subject must be:

  • Freely given.
  • Specific.
  • Informed.
  • Unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Continue reading

Georgetown Law Center Releases Report on Biometric Face Scans at Airport Departure Gates

Share

The Georgetown Law Center for Privacy & Technology released a report that takes a harsh look at the Department of Homeland Security (DHS)’s “Biometric Exit” program.  The “Not Ready for Takeoff: Face Scans at Airport Departure Gates” report  highlights the myriad number of privacy and fairness issues associated with the use of biometric data for screening and other purposes.   The Biometric Air Exit program uses biometric data to verify travelers’ identities as they leave the U.S. and has been deployed at Boston’s Logan International Airport and eight other airports.  The program is operated by DHS and uses photographs of passengers taken at the gate while boarding to verify travelers’ identities as they leave the country.  Prior to departure of an outbound international flight, DHS prepopulates the Traveler Verification Service (TVS) with biometric templates from the travelers expected on the flight.  TVS either confirms the travelers face or rejects the face as a “non-match.”  Non-matched travelers credentials will then be checked manually.

Continue reading

Older posts

© 2018 Drinker Biddle & Reath LLP. All Rights Reserved. Lawyer Advertising.

Disclaimer/Privacy Policy