The FTC does say that they did take the initiative to warn Equifax about their vulnerabilities. However, there was no action taken to attempt to remove these vulnerabilities, even with a patch being placed on the security team to fix the problem. Unfortunately, by the time that action was taken it was already too late for Equifax. The FTC said that Equifax went against their prohibition against unfair and deceptive practices, as well as the Gramm-Leach-Bliley Act's Safeguards Rule. This rule was in place to make sure that financial institutions made necessary updates in order to protect the security, confidentiality, and integrity of their customers.
I think that this data breach could have certainly been prevented if the appropriate measures were taken. I understand that it was stated that fixing the patch that had been waiting for about two months was a difficult process. But had it been done, that may have been a crucial way for Equifax to save themselves.
EU GDPR
• Provisions
• Penalties
• Compliance

What's different in the GDPR
• Single set of rules valid across the EU
• Entities must notify the national supervisory authority of serious data breaches as soon as possible (if feasible within 24 hours).
• Entities will only have to deal with a single national data protection authority in the EU country where they have their main establishment.

GDPR – 6 Data Protection Principles
• Lawfulness, purpose and transparency
  • Tell data subject what you're collecting and why
• Purpose limitation
  • Only collect for stated purpose
• Data minimization
  • Only collect what is necessary for the purpose

EU GDPR – 6 PRINCIPLES
• Accuracy
  • Includes data subject's right to make corrections
• Storage limitation
  • Delete data when it's no longer necessary
• Integrity and confidentiality
  • Security. Encryption. Pseudonymization.

Data Protection Directive was updated, modernized and strengthened.
• One law for all the EEA instead of laws in each country
• Opt-in rather than opt-out
• Stronger fines and penalties
• Right to be forgotten
• Data breach notification requirements (Articles 33 and 34)
  • Any data breach involving the personal data of EU residents must be reported to an EU DPA within 72 hours if possible.
  • If the breach is not reported within this time, the business must report possible reasons for the delay.
  • If a data processor suffers a data breach, they must inform the data controller immediately.
  • There are also requirements for notifying the individual data subjects

Penalties (in addition to possible criminal liability)
• Warning
  • First or non-intentional act of noncompliance
• Regular data protection audits
• Fine up to the greater of €10 million or 2 percent of the annual worldwide turnover of the enterprise in the preceding fiscal year for violations of the obligations of
  • The data controller and processor
  • The certification body
  • The monitoring body
• Fine up to the greater of €20 million or 4 percent of the annual worldwide turnover of the enterprise in the preceding fiscal year for violations of
  • The basic principles for processing, including consent from the data subject
  • The data subjects' rights
  • Certain transfers of personal data to recipients in a third country
  • Certain state laws
  • Compliance with certain orders

Who decided to block EU users rather than comply?
• VPN set to Netherlands

So has anyone gotten fined yet?
• British Airways
  • July 8, 2019
  • £183 million fine
  • Poor security that resulted in a 2018 web skimming attack that compromised at least 500,000 customers
  • Payment page was compromised by malware in order to steal payment information

US Compliance Alternatives
• If you have a brick and mortar presence in the EU, you must follow the law in that country.
• Binding corporate governance
• Trans border contracts
• The US Privacy Shield
  • It was approved as satisfying the requirements of the EU Data Protection Directive
  • It is one of the 3 mechanisms where EU personal data can be transferred to the US, but it is not a substitute for the GDPR
  • It superseded the Safe Harbor program, which EU courts found inadequately protected data privacy
  • It defines a framework for transatlantic data flows that requires US businesses to strongly protect EU citizens' personal data.
  • It sets up extra monitoring and enforcement by the US Department of Commerce and the FTC
  • https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/eu-us-data-transfers_en

Safe Harbor was declared invalid
• On October 6, 2015, the European Court of Justice issued a judgment declaring as "invalid" the European Commission's Decision 2000/520/EC of 26 July 2000 "on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce."
  • http://curia.europa.eu/juris/document/document.jsf?text=&docid=169195&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=125031
• In the current rapidly changing environment, the Department of Commerce will continue to administer the Safe Harbor program, including processing submissions for self-certification to the Safe Harbor Framework. If you have questions, please contact the European Commission, the appropriate European national data protection authority, or legal counsel.
  • http://www.export.gov/safeharbor/

"Privacy Shield"
• Feb 2, 2016 factsheet
  • https://www.commerce.gov/news/fact-sheets/2016/02/eu-us-privacy-shield
• Feb 29, 2016 factsheet – overview of the framework
  • https://www.commerce.gov/news/fact-sheets/2016/02/fact-sheet-overview-eu-us-privacy-shield-framework

Checklist for US companies
• Conduct an audit for EU personal data
  • This will determine if you need to comply. If you are offering goods or services, regardless of whether payment is involved, then you are subject to the GDPR.
  • https://gdpr.eu/Recital-23-Applicable-to-processors-not-established-in-the-Union-if-data-subjects-within-the-Union-are-targeted/
• Tell your customers why you're processing their data
• Assess your data processing practices and improve security
  • Encryption
• Designate an EU representative. Article 27, Recital 80
• Know your duties in the event of a data breach
  • Articles 33 and 34
• Know your legal responsibilities for the transfer of personal data to non-EU countries.
  • Article 45 and the Privacy Shield framework.

Cases
• Cases decided under the data protection directive illustrated the impact of the growth of technology and the problems with conflicting international laws

How do you resolve competing legal requirements?
• How do you reconcile competing legal requirements that may be mutually exclusive?
• Ex: Sarbanes-Oxley whistleblowing requirements vs. EU prohibition on the processing of certain personal data.

Swedish Data Authority / SOX Whistleblowing Requirement
• March 2008
• Swedish data protection law prohibits processing personal data about criminal offenses or suspected criminal offenses.
• Sarbanes-Oxley requires covered companies to establish an internal whistleblowing system to receive, review and solicit employee reports of fraud or ethical violations.
• Datainspektionen, the Swedish Data Authority, ruled on several requests for an exemption from this prohibition in order to comply with the SOX whistleblowing requirements.
• Datainspektionen acknowledges that whistleblowing programs pose a significant risk for violation of individuals' privacy, but it nevertheless recognizes that companies have a legitimate interest in implementing whistleblowing programs – and that certain companies must comply with SOX.
• Datainspektionen allows an exemption for whistleblowing programs, subject to certain restrictions.
• Example Swedish decision (for a company subject to SOX) – what conditions are imposed under Swedish law on whistleblowing programs:
  • Use of the whistleblowing program cannot be compulsory
  • It should only be used when there is good reason not to use the company's usual internal information and reporting channels
  • It should be limited to addressing serious irregularities concerning the vital interests of the company (e.g. accounting, internal control, auditing, corruption, crime within the bank and finance sector, serious financial irregularities, serious environmental crimes, or major safety deficiencies in the workplace).
  • It may be used with respect to issues that would affect the lives and health of individuals.
  • Only staff in key positions or management can be reported and have their personal data processed under the program.
  • The company implementing the whistleblowing provisions must ensure that the provisions of the Swedish Personal Data Act are upheld to the extent that the company is legally responsible for the processing of personal data (e.g., concerning sensitive personal data, information given to employees and the transfer of personal data to a country outside the European Economic Area).
• Datainspektionen will continue to monitor the use of the whistleblowing program and may revoke the exemption if they find that personal data is being processed in a way that is not in accord with these conditions.
• Datainspektionen sees use of a whistleblowing program as a last resort in situations where there would otherwise be a risk of irregularities not coming to the attention of the company.
• Companies that currently have a whistleblowing program or are looking to introduce one, whether in Sweden or elsewhere – EU or otherwise – "should be aware of the need to comply with relevant privacy restrictions and other requirements under local law."
• Source: Eversheds

The Directive and Rule 34?
• Rule 34 of the Federal Rules of Civil Procedure
  • http://www.law.cornell.edu/rules/frcp/Rule34.htm
• What happens when there is a conflict between the Directive and the FRCP?

The Sedona Conference
• The Sedona Conference® International Principles on Discovery, Disclosure & Data Protection: Best Practices, Recommendations & Principles for Addressing the Preservation & Discovery of Protected Data in U.S. Litigation (European Union Edition, Public Comment Version, December 2011)
  • http://www.thesedonaconference.org/dltForm?did=IntlPrinciples2011.pdf

Bodil Lindqvist
• If a person in Sweden uses a computer to load personal data onto a home page stored on a server in Sweden — with the result that personal data becomes accessible to people in third countries — does that constitute a transfer of data to a third country within the meaning of the directive?
• Would the answer be the same even if, as far as known, no one from the third country had in fact accessed the data, or if the server in question is actually physically in a third country?
• That is, is the mere uploading of data to a web page in an EU member country a transfer to a third country within the meaning of the Directive if the page is accessible to persons in a third country but hasn't actually been accessed by them?
• ECJ: the act of referring, on an Internet page, to various persons and identifying them by name or by other means (giving their telephone number or information about their working conditions and hobbies) constitutes "the processing of personal data wholly or partly by automatic means".
• ECJ: reference to the state of health of an individual amounts to processing of data concerning health within the meaning of the 1995 directive.

Who is Kalliopi Nikolaou?
• www.curia.europa.eu/jcms/jcms/P_29487

Social Networking Sites?
• Are social networking sites "data controllers" within the meaning of the Directive?
• Article 29 Working Party
  • SNS (Social Network Service) providers are data controllers for purposes of the Directive

YouTube?
• February 2010 – In Milan, three Google executives were convicted of violating Italian privacy laws
• Judge Oscar Magi sentenced the Google executives in absentia