Articles Posted in Cybersecurity and Privacy

A key finding in the Trustwave 2012 Global Security Report is that in 76% of data breach investigations a third party responsible for system support, development and/or maintenance of business environments introduced the security deficiencies. This should concern any company that outsources the processing, storage or transmission of personally identifiable information (PII) to suppliers of IT or business process outsourcing services.

With the average cost of a data breach in excess of $5 million and the associated reputational risk, outsourcing customers should review their contracts to ensure they contain appropriate commitments and accountability from the supplier with respect to data security. Below is a brief outline of some of the key provisions that should be part of an outsourcing agreement.

Supplier Commitments: Suppliers should commit to the following:

Starting on 26 May 2012 the UK Information Commissioner’s Office (“ICO”) will begin enforcing sweeping changes to the EU cookie law put in place 12 months ago. By way of reminder, following a change to the EU’s Privacy and Electronic Communications Directive (the “E-Privacy Directive”) back in 2011, the rules on using cookies to track/store information on users are about to change.

Unless an exception applies, the new requirement essentially prohibits the use of cookies absent the consent of the user (unless the cookie is “strictly necessary”). The new rules apply regardless of where the website is based, if European personal data is collected.

In other words, a website operator over which the ICO has jurisdiction, wherever the operator is based in the world, will be unable to argue it was still getting its house in order if the ICO comes knocking.

India’s recent demand for European Union designation as a data secure country (see our blog) has brought the issue into the spotlight. Here we take a closer look at those nations which have achieved EU recognition and the benefits of doing so.

Article 25.1 of the Data Protection Directive (in the UK enacted through the eighth principle of the Data Protection Act, 1998) prohibits the transfer of personal data to a third county (i.e. a country or territory outside the EEA) unless that third country provides an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. Several exceptions to this rule are available including, in particular, the use of the approved EC model clauses.

Data transfers to third countries can take place in many circumstances, such as where an EU- based business relocates functions to subsidiaries outside the EEA, establishes an offshore shared service centre which processes, for example, HR or payroll data, where data is transferred for offshore processing as part of an outsourcing agreement with a third party supplier or as part of a hosting or cloud computing deal. The onus is on the data controller to ensure that he complies with the eighth data protection principle in relation to any cross-border data transfer of personal data.

Since the start of the 112th Congress, there has been a heightened focus on cybersecurity. Congress has not passed new cybersecurity related legislation since 2002 when the Federal Information Security Management Act was enacted. In 2011, the Obama Administration announced its cybersecurity proposal, and a number of bills are currently active in both the House and Senate that focus on different aspects of cybersecurity and the mechanisms to protect private infrastructure and networks against cyber threats. One of the major philosophical differences between the various bills is which government entity should be responsible for cybersecurity – the Department of Homeland Security (DHS) or the National Security Agency (NSA). The Administration’s proposal favors DHS over NSA.

The most widely supported proposal is the bipartisan Cybersecurity Act of 2012 sponsored by Sens. Joe Lieberman (I-Conn) and Susan Collins (R-Maine). The hallmark of this Bill is the requirement that companies notify DHS of intrusions into their networks and the creation of mandatory compliance with industry specific cybersecurity standards. Senator John McCain (R-AZ) has a competing bill in the Senate, the Secure IT Act (S.2151), that focuses on self-regulation by the private sector rather than imposing government standards.

In the House, there are three notable active bills: (i) The Secure IT Act (H.R. 4263) , (ii) the Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act “PRECISE Act” (H.R. 3674), and (iii) the Cyber Intelligence Sharing and Protection Act of 2011(H.R. 3523). The House Secure IT Act was introduced on March 27, 2012, and mirrors Sen. McCain’s version of the bill. The two other bills set cybersecurity standards for critical private networks and focus on information sharing mechanisms between the government (notably the NSA) and internet service providers so that threatening traffic can be blocked before causing harm.

In 2009, the EU issued Directive 2009/136/EC of the European Parliament. The Directive concerns the ‘regulatory framework for electronic communications networks’ and includes what has come to be known as the “EU Cookie Rule”; the part concerning the use of cookies is just a small part of the whole Directive. Other articles of the Directive included accessibility for disabled users, provision of public telephones, and the universality of affordable internet connections at a reasonable connection speed.

All EU Member States were to have implemented new laws to comply with the Cookie Rule by May 26, 2011, but not all have. In the case of the UK, the Directive was implemented and the government immediately suspended enforcement for 12 months to provide organizations with time to comply. We’re now about 10 weeks from May 26, 2012, when websites selling goods or services to individuals in the UK must comply with the UK implementation of the Cookie Rule or face investigation by the Information Commissioner’s Office with the potential for fines of up to £500,000.

If you operate a website that provides goods or services to residents of the EU, and the UK in particular, before May 26, 2012, you should download and read the UK ICO’s Guidance on the New Cookies Regulations (the “Cookie Guidance”), which sets out the steps you need to take now to ensure you comply. In particular, you should (if you haven’t already):

Given how busy the privacy world has been recently, we thought we’d take this “extra day” to catch up on some of the bigger recent developments:

• The White House unveiled its Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy (see the White House “Fact-Sheet” on the proposal here). The Framework contains five key elements: a “Consumer Privacy Bill of Rights” (CPBoR); a “stakeholder-driven” process to specify how the principles in the CPBoR apply in particular business contexts; stronger enforcement by the FTC and states Attorneys General; a commitment to increase interoperability between the US privacy framework and those of the international partners of the United States; and various proposals and recommendations for data privacy legislation, including a call for a national standard for security breach notification.
• Google was accused of circumventing privacy protections in the Safari and Internet Explorer browsers, and the fallout continued from Google’s announcement of its new harmonized privacy policy in advance of its March 1 implementation.

Because evaluating a service provider’s security posture is more challenging in the cloud, in Part Three of this article we looked at ways to evaluate a cloud service provider’s security prior to signing the contract and some of the issues between customers and suppliers created by the SEC Guidance. In Part Four we’ll look at ways to monitor the provider’s security during the term of the agreement.

Auditing Security

For years customers of outsourced IT services have asked providers for a copy of their SAS 70 Type 2 audit report as a means of evaluating a supplier’s security. Since the SAS 70 wasn’t really designed to be a security audit, it isn’t really suited for this, but in the absence of a more security-specific standard, the SAS 70 was a suitable proxy.

In Parts One and Two of this article we discussed the new Guidance issued by the Securities and Exchange Commission (SEC) Division of Corporation Finance that provides guidance to companies with regard to whether and how a company should disclose the impact of the risk and cost of cybersecurity incidents (both malicious and accidental) on a company.

In particular, the Guidance suggests that companies need to evaluate cyber-related risks including:

• prior cyber incidents and the severity and frequency of those incidents;

Hot on the heels of the UK Information Commissioner’s approval of First Data’s binding corporate rules (BCRs), Viviane Reding, the Vice President of the European Commission and EU Justice Commissioner has signalled reform of the BCR scheme aimed at making BCRs even more effective. BCRs are a way of ensuring compliance with the complexities of European data protection law – they are particularly relevant to multinationals with business operations located in the EEA who need to transfer personal data to affiliates in jurisdictions outside of the EEA.

In a speech given to the International Association of Privacy Professionals’ (IAPP) inaugural Europe Data Protection Congress in Paris on 29 November 2011, Reding announced her plans as part of upcoming revisions to the EU data protection framework. Reding’s proposed reforms will be built around on 3 principles: simplification; consistent enforcement; and innovation. Above all, Reding proposes reform “compatible with small innovative companies’ endeavours to operate on a global scale” so that companies of all sizes and operating across all business models will be able to take advantage of BCRs.

Simplification. Under Reding’s proposal the BCR approval process would be streamlined with approval by one Data Protection Authority (DPA) resulting in automatic recognition by DPAs in all other member states without the need for consultation which currently operates across the 19 participating DPAs. This should help to speed up the approval process and reduce the burden on the applicant. Further, once BCRs are approved by a DPA, there would be no need for additional national authorisation prior to transfer, as is currently required in some member states (but not others, such as the UK).