< Back

Share |

USA 2015 privacy and data security highlights

December 2015

EU Safe Harbor terminated

For many American companies and other multinationals, 2015 will be remembered as the year the US-EU Safe Harbor Framework was declared invalid, creating legal uncertainty for thousands of businesses that transfer personal data from the EU to the United States. On October 6, 2015, the Court of Justice of the European Union (CJEU) issued a highly anticipated judgment that effectively invalidated the European Commission’s “adequacy” determination with respect to the Safe Harbor Framework, which was established in 2000 as a mechanism to allow for the lawful transfer of EU citizens’ personal data across the Atlantic.

Safe Harbor questions

The CJEU’s decision raised numerous, complex questions about how entities that had relied on the Safe Harbor Framework for years will be able to continue normal business operations without potentially running afoul of EU data protection law. In the immediate wake of the decision, the use of model contract clauses as a replacement mechanism has proven an attractive alternative for some companies, but the clauses aren’t always a suitable or practical option. Further complicating the compliance outlook, the validity of the model contract clauses as a means for complying with EU data transfer restrictions has been questioned by certain European regulatory authorities and legal analysts. Notably, the data protection authorities in Germany issued a position paper on the CJEU's decision casting doubt on the legality of virtually every data transfer mechanism currently being used to comply with EU law.

This issue promises to make headlines throughout 2016 as companies, regulators, and governments grapple with the fallout from the CJEU’s decision as well as related conflicts that are coming to the fore with regard to data sharing across borders to support anti-terrorism efforts. For more on this, see What next for EU/US data exports?

The SEC announces increased scrutiny of broker-dealers’ and investment advisers’ cybersecurity programs

In September 2015, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) issued a National Exam Program Risk Alert (2015 Risk Alert) to provide broker-dealers and investment advisers with information on the focus areas of its upcoming round of cybersecurity examinations. The 2015 Risk Alert provides an overview of OCIE’s key focus areas during the next round of examinations and includes in the appendix a sample request for information. OCIE is building on its previous cybersecurity examinations to increase scrutiny of firms’ cybersecurity practices, policies, and procedures. While the primary objective of last year’s initial cybersecurity initiative was gathering information on industry practices, this year OCIE will perform more testing to assess firms’ implementation of these policies and procedures. Given the increased regulatory scrutiny, as well as the rapidly evolving cyberthreat landscape, firms are well-advised to assess their current level of cybersecurity preparedness and be prepared to show the appropriateness of, and compliance with, their cybersecurity policies and procedures, with a particular focus on vendor management and preparation for incident response. A more detailed discussion of the 2015 Risk Alert as well as tips on how firms can get prepared are available here.

Courts curtail FTC’s data privacy and security reach

Both the Administrative Law Judge’s decision in LabMD case and the Third Circuit Court of Appeal’s recent decision in the Wyndham case, which we previously blogged about, put the FTC on notice that it cannot assume that in the wake of a security breach that allegedly inadequate data security will be an unfair practice under Section 5. Further, the FTC’s body of data security consent orders, basically private settlements of uncontested and unadjudicated cases (most of which also included deception claims), where the remedies include “fencing in” that goes Cybersecuritybeyond what the law requires, are merely indications of best practices and not some sort of 'common law' as some have contended. Indeed, to treat consent orders as precedential would fly in the face of the Congress’ purposeful curtailment of the FTC’s rulemaking authority under Mag Moss, as opposed to the APA standards applicable to other federal agencies.

The decisions are also consistent with the history of Section 5. In the late 1970s, the FTC was moving to prohibit or greatly limit advertising to children based on its unfairness authority. This was known as “Kid Vid.” There was a Congressional backlash and the end result was that the FTC’s unfairness authority was significantly curtailed statutorily. In order to prevail in its unfairness claim, the FTC has to prove that allegedly unfair data security practices in effect during the relevant time period of a breach:

  • caused or are likely to cause substantial injury to consumers [not, e.g., other businesses];
  • that this injury is not reasonably avoidable by consumers themselves; and
  • that this injury is not outweighed by countervailing benefits to consumers or to competition,

and the harm, to be substantial, has to be a real and substantial injury, arguably even with financial impact (15 U.S.C. § 45(n)[2]. ).

Compliance

Of course, this is not a free pass for companies. Some companies are subject to specific statutory security standards that have penalties attached to non-compliance. For instance, "Covered Entities" under the Health Insurance Portability and Accountability Act 1996 (HIPAA) still have to be concerned about failures to meet HIPAA privacy and security standards and the repercussions for such failures. In addition, the FTC still has its much used deception authority to go after companies which make statements about data security in privacy policies or otherwise that are inaccurate. Companies need to resist the temptation to make security assurances that could be seen as over-promising what they can, in reality, deliver. However, the wind has been taken out of the FTC’s sails when it comes to the use of unfairness authority to punish companies that are victims of hacking since the threshold establishing that a company’s data security was so woefully inadequate, and the resulting consumer harm so substantial, so as to be “unfair” is now properly being set as relatively high.

States continue to revise data breach notification requirement

It has been a busy year for state legislators. In 2015, ten separate states amended their breach notification statutes, including California, Connecticut, Montana, Nevada, New Hampshire, North Dakota, Oregon, Rhode Island, Washington, and Wyoming. The majority of amendments have expanded the definition of “personal information” to cover previously overlooked types of information, such as health information, student data, and usernames and passwords. Other states, such as California and Connecticut, have amended their statutes in an effort to change how entities notify affected individuals by requiring specific forms or requiring entities to offer credit monitoring services. To help navigate the continuing developments in state breach notification law requirements, BakerHostetler has assembled a state-by-state survey that is updated regularly to reflect newly enacted legislation available here. For a more detailed discussion on the changes to various state data breach laws that have been enacted in 2015, see our recent roundup.

About BakerHostetler

BakerHostetler is a 900+ lawyer U.S.-only law firm with a leading privacy and data security practice. For more information see our website and Data Privacy Monitor

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.

US data privacy

Lawyers from US law firm BakerHostetler highlight the defining developments in the USA in 2015.

Alan Friel
Melinda L. McLellan

M. Scott Koller
William R. Daugherty

"It has been a busy year for state legislators. "