The ball fell, the confetti was thrown, and Auld Lang Syne rang in another year. 2016 is officially here. It’s around this time that many like to reflect on the past, to think on how they’ve come to where they are. I invite you to do the same with the subject of data privacy, as 2015 was most certainly a dynamic year in this field. Let’s take a look back at some of the milestones that really impacted and changed the privacy status quo.
FTC v Wyndham Worldwide Corp.
Three years of legal sparring came to a head in August 2015 when the United States Court of Appeals for the Third Circuit issued its ruling on FTC v Wyndham Worldwide Corp. Between 2008 and 2010, Wyndham was the victim of three major data breaches that resulted in the export of hundreds of thousands of consumers’ payment card and personal information to a domain registered in Russia and more than $10.6 million in fraud loss. Arguing that these critical incidents were the consequences of Wyndham’s failure to employ several essential IT controls, the FTC charged the international hotel enterprise with violating Section 5 of the FTC Act, which prohibits deceptive and unfair practices in commerce. Instead of settling as most companies had in the past, Wyndham contested the charges and, moreover, posed the following questions in dispute of the FTC’s power to police cybersecurity:
Does the FTC have the statutory authority to bring deception and unfairness charges against companies that have failed to implement reasonable data security controls?
Does the FTC provide fair notice that sufficiently outlines what data security requirements and best practices are?
What are legitimate and factual considerations when determining avoidable, substantial injury to consumers impacted by the data security lapses?
The defense was a first of its kind in challenging the scope of the FTC’s congressional authority and the adequacy of its enforcement procedures. Although the appeal eventually rendered a verdict favoring the FTC, it certainly made us take a more critical look at the agency’s role as our national cyber watchdog and served as a foretoken for cases to come.
FTC v LabMD
In that very same vein, LabMD was charged on similar grounds of maintaining unfair practices as concerns data custodianship and found itself in the ring as the FTC’s second-ever challenger. In 2008, after a LabMD employee defied company policy and downloaded unauthorized peer-to-peer (“P2P”) software, the personal information belonging to thousands of consumers was exposed on its file-sharing network. Although a significant portion of the leak’s contents entailed medical and financial data, and LabMD’s established IT security framework was allegedly inadequate, the case was ultimately dismissed in November 2015 due to the prosecution’s inability to meet Section 5’s injury prong, dealing the FTC its first loss in this area of the law.
Chief Administrative Law Judge Michael Chappell’s ruling in FTC v LabMD clearly moved the dial on a longstanding point of extreme necessity in the realm of IT privacy: defining the harm in the divulgence of sensitive information. The dismissal was by and large due to the government’s failure to push the argument past the “possibility” of injury. Actual injury incurred or the consequential “probability” of harm was never substantiated. Going forward, counsel now more than ever will need to discern the fine line between possible injury and actual or probable injury and realize that claims of self-evident emotional harm in and of themselves may not fit the bill anymore.
Cybersecurity Information Sharing Act
The Cybersecurity Information Sharing Act (CISA) was signed into law in December 2015 to improve national intelligence and to better defend against cybersecurity threats through the enhanced sharing of information. Simply put, it’ll now be easier for private companies to provide data to the government, if and only if it concerns cybersecurity. By taking a communal approach to information, the government hopes that companies will be able to react quicker to attacks. As CNN fittingly put it, “every cyberattack is like a flu virus and CISA is intended to be a lightning-fast distribution system for the flu vaccine. Opt in, and you get a government shot in minutes, not months.”
The CISA sprinted through Congress to the President at a remarkable rate, but some are worried that the bill opened a can of invigilating worms. Privacy advocates are concerned that heedless companies may fail to carry out proper data stripping procedures prior to sharing. Furthermore, many are suspicious that the bill was only drafted to bolster the government’s capacity to spy on the people.
Safe Harbor Invalidation
The European Union has long held the highest station in the crusade to protect the processing and free movement of personal data. After solidifying the foundation of its industry-overarching, comprehensive privacy model in 1995 with the passing of EU Directive 95/46/EC, the European Union has acutely regulated the relationships between member nations and non-member nations as it pertains to the exchange of information. By law, data exchange with nations outside of the European Union seen as having inadequate data protection standards, such as the United States’ sectoral privacy model, is forbidden unless organizations and businesses within such nations employ compensating data protection programs to satisfy the core principles of the Directive.
In 2000 the Safe Harbor framework, designed by the United States Department of Commerce to meet the Directive’s requirements, was adopted by the European Union, allowing compliant American organizations and businesses to transfer data across the pond. In an increasingly online global culture, the inception of Safe Harbor was especially vital for internet-based enterprises like web hosting companies. The certification was a badge with which companies could market their services to establish a higher level of trust for consumers between the two continents.
Since the birth of EU Directive 95/46/EC, the European Union has continued to ardently research and spend on privacy-related issues and technologies. In October 2015, the Safe Harbor Adequacy Decision fell as a casualty of this prolonged campaign for improving information security and privacy, with the European Union’s ruling to nullify the provision. Before the invalidation, Safe Harbor had been under European scrutiny for some time due to concerns that it failed to address many modern and emerging risks. Furthermore, the Safe Harbor self-attestation or self-certification process was almost laughable. American organizations could simply provide in-house verification, with independent mechanisms to test compliance coming into play only if they were found to be in breach.
The last straw came with the verdict of the Europe vs. Facebook lawsuit held in Ireland’s High Court and filed by Austrian law student Max Schrems. The suit arose from a complaint Schrems submitted to the Irish Data Protection Commissioner requesting that his personal data on Facebook not be transferred to the United States. Out of fear of all that was exposed in the Edward Snowden whistleblowing controversy, Schrems claimed that the United States did not adequately protect personal data from the surveillance of its federal agencies and that Facebook lacked suitable transparency measures and opt-in (not opt-out) mechanisms. After the High Court ruled in favor of Schrems, he stated, “This decision is a major blow for US global surveillance that heavily relies on private partners. The judgement makes it clear that US businesses cannot simply aid US espionage efforts in violation of European fundamental rights,” a reference to the NSA’s surveillance program, PRISM.
The business world was left reeling. The Safe Harbor program, now under the executioner’s axe, no longer serves the more than 4,500 American companies that once used it as a bridge for European relations. Transfers of personal data between the United States and the European Union must now be sanctioned by data protection authorities (DPAs) or meet legal exceptions. Each individual European country may now be able to apply its own data privacy standards that American companies would have to comply with. This could prove to be extremely onerous for any company working in several European countries. It may even mean that data is stored on a per country basis and within that individual country, which could prove to be incredibly costly to implement and manage. The United States now anxiously waits until terms on a “Safe Harbor 2.0” are solidified. That could take a while.
This condensed overview of 2015 only shows that privacy will continue to be the centerpiece of discussions as we advance technologically. On the domestic front, we are still awkwardly grappling with the weight and magnitude of IT privacy, but we know it’s a worthy endeavor, so we trudge on. For the intermittent idealist, on the topic of governance, it’d be great if the executive arm acted as our altruistic cyber shepherd in these chaotic times, but we know that we have to rebuff our public agencies if it means surrendering our natural rights in the process (I hope). From a global perspective, we’re still trying to balance our prerogatives with the standards of the world. We must take a hard look at our country’s interests and attempt to align them with the strides that our international neighbors are making with new legislation and general awareness. This, my friends, is our current trajectory as we kick off the new year.
About the Author
A manager with Schellman, Zach Schmitt has a concentration in IT security and privacy in the Washington D.C. attestation and compliance practice. He is a member of the International Association of Privacy Professionals (IAPP) and endeavors to share his observations and feelings on the certain evolution of data security and privacy. Zach is a graduate of Virginia Tech and has BAs in Accounting & Information Systems and Marketing Management.