Data law bytes

A patchwork of acts

Tue, 29 Dec 2020 00:14:41 +0000

Current privacy laws developed as responses to sector-specific concerns. The United States operates from a patchwork of federal and state laws, budded in common-law doctrines. It’s from this jigsaw framework that we have our current data privacy regulations.

The list

In alphabetical order, the following is a list of some laws that protect privacy in the U.S.

The Children’s Online Privacy Protection Act (“
coppa
”)* of 1998 protects information collected from children over the internet. “Children” is defined as persons under 13. Websites that collect such information must
- notify parents of information practices;
- obtain verifiable parental consent for the collection, use, or disclosure of children’s personal information;
- let parents prevent further maintenance, use, or future collection of their child’s personal information;
- provide parents access to their child’s personal information;
- not require a child to provide more personal information than is reasonably necessary to participate in an activity; and
- maintain reasonable procedures to protect the confidentiality, security, and integrity of the personal information.
The Computer Fraud and Abuse Act (“
cfaa
”)* of 1984 “prohibits intentionally accessing a computer without authorization or in excess of authorization,” meaning you can’t access data in a computer beyond what you’re allowed. One example could be illegally gaining access to a computer. However, this act also prevents users who are authorized to access a computer from obtaining information to which they aren’t authorized on that computer.
The Controlling the Assault of Non-Solicited Pornography and Marketing (“
can-spam
”)* Act of 2003 regulates who can send unsolicited commercial email. A permitted commercial email must include the following: accurate and non-misleading routing and heading information (i.e., “From,” “To,” and “Reply to” fields), a subject line that’s non-deceptive, and a notice to the recipient of the email providing the right to opt out. (The law, though, doesn’t state where the notice must appear; it merely states that it must be clear and conspicuous so that the recipient need not search for it.) Also required are: an internet-based opt-out mechanism capable of receiving opt-out requests; a clear identification that the email is an advertisement or solicitation (note: this requirement isn’t applicable if the sender is given the recipient’s consent to send such an email); and the sender’s physical mailing address.
The Electronic Communications Privacy Act (“
ecpa
”)* of 1986 updates the Federal Wiretap Act of 1968 to include protection of not only telephone communications but also “computer and other digital and electronic communications.”
The Fair Credit Report Act (“
fcra
”)* of 1970 applies to consumer reporting agencies and the reports generated to consumers regarding their credit reports and activity.
The Family Educational Rights and Privacy Act (“
ferpa
”)* of 1974 “protects the privacy of student education records.”
The Federal Trade Commission Act (“
ftc
Act”)* of 1914 prohibits unfair or deceptive practices and has been applied to offline and online privacy and data security policies.
The Health Insurance Portability and Accountability Act (“
hipaa
”)* of 1996 governs individuals’ health information.
hipaa
also revised the Security Breach Notification Rule, which requires covered entities to provide notice of breach of protected health information.*
The Gramm–Leach–Bliley Act (“
glba
”)* of 1999 was enacted to regulate the collection, use, and disclosure of financial information. It applies to personal information collected by financial institutions for financial products and services.*
The Telephone Consumer Protection Act (“
tcpa
”)* of 1991 limits robocalls—though additional limits can’t hurt. Generally, these callers can’t do the following:
- “call before 8 a.m. or after 9 p.m.”;
- call if you’ve chosen to opt out of calls from that specific caller or if you’ve added your name to the Do Not Call List,
- send unsolicited fax messages to your home or office (yes, some people and places still send faxes (e.g., law firms)); and
- “refuse to provide their name, the name of the person or organization on whose behalf they are calling, and contact information for that person or organization.”

On the state side, California was the first state to enact a security breach notification law. To date, forty-eight states have enacted their own laws that notify users of a data breach.* With California as a main hub for technology innovation, it’s little surprise to see California as the first state to issue a law that, on its face, deals with the collection of digital information. The California Consumer Privacy Act (“

ccpa

”),* which strongly resembles the

gdpr

, was passed in 2018 and went into effect in 2020. Significant takeaways are that consumers in the state of California now have the right to request the deletion of their data, so long as other laws are not affected by this request; businesses are required to disclose how information is collected and shared; and consumers have the right to instruct a company not to sell their information.

Works cited

The Federal Trade Commission’s authority to enforce cybersecurity in the U.S.

Fri, 04 Dec 2020 17:41:21 +0000

FTC v. Wyndham gave the power of enforcing cybersecurity in the United States to the hands of the Federal Trade Commission. The Third Circuit of the United States Court of Appeals held that Wyndham violated the

ftc

Act when it deceived its customers about its cybersecurity measures. Following a number of data breaches against Wyndham’s systems, thousands of guests of Wyndham suffered fraudulent financial charges. The

ftc

then brought suit against Wyndham. In the end, the Third Circuit ruled that the

ftc

ʼs power to regulate unfair and deceptive practices extends to cybersecurity.

An overview

Wyndham is a company running hotels throughout the U.S. At the time of the breaches, each hotel was part of a property management system that processed sensitive guest information; this information comprised “names, home addresses, email addresses, telephone numbers, payment card account numbers, expiration dates, and security codes.”* Starting in April 2008, attackers broke into the local network of a Wyndham hotel located in Phoenix, Arizona. This computer, like those in other hotels, was connected to Wyndham’s central hub of its property management system. The attackers used brute-force methods—i.e., “repeatedly guessing user’s login IDs and passwords”*—to access an administrator account on Wyndham’s network. By doing this, the attackers then were able to steal unencrypted information of “over 5000,000 accounts, which they [then] sent to a domain in Russia.”* In March 2009, Wyndham suffered another attack. This time, the attackers easily accessed Wyndham’s network with the administrative account they previously obtained. They then stole thousands of unencrypted payment card information. Wyndham’s network was breached yet again later in 2009. The attackers accessed even more payment card information by stealing information of “approximately 69,000 customers from the property management systems of 28 hotels.”* Wyndham didn’t learn about these incidents until January 2010, when a credit card company received many complaints from cardholders about fraudulent charges they were receiving.

Following these fraudulent charges, the

ftc

brought suit against Wyndham alleging, among other things, that Wyndham:

practiced deceptive practices by allowing its hotels to store payment card information in unencrypted form,
didn’t monitor its network for malware,
allowed easy access to its passwords,
didn’t employ reasonable security measures like firewalls, and
failed to restrict unauthorized access to its networks. Due to 619,000 customers being affected, fraudulent charges led to a loss of 10.6 million USD.

As a consequence, the

ftc

further argued that the customers suffered financial injury by expending time and effort to resolve these issues.

So the FTC can regulate cybersecurity now?

Section 5* of the

ftc

Act gives the

ftc

great power to prevent deceptive trade practices. Wyndham argued whether this applied to cybersecurity practices. It also argued that, even if the

ftc

did have the authority, Wyndham wasn’t given fair notice that its cybersecurity measures fell short of the

ftc

’s standards, as required by Due Process.* It claimed that practices are “unfair” only if they’re marked by injustice, partiality, or deception.* Wyndham reasoned this was so because it didn’t engage in unfair practices per its own privacy policy. The Third Circuit, however, disagreed: a “company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business.”*

Wyndham alleged it didn’t receive notice of what specific cybersecurity practices were necessary to avoid liability. The court countered that “[f]air notice is satisfied here as long as the company can reasonably foresee that a court could construe its conduct as falling within the meaning of the statute.”* In fact, the

ftc

previously advised businesses on how to establish security practices: in 2007, they published a manual called “Protecting Personal Information: A Guide for Business,” which contained several recommendations for basic security measures. The guidebook “described a data security plan ‘checklist’ for companies to follow. The guidebook encouraged practices like data encryption, strong passwords, and the use of firewalls that Wyndham failed to implement; the guidebook therefore could have helped Wyndham determine in advance that the

ftc

would view its data security measures as inadequate.”*

The court’s holding

In the end, the Third Circuit held that the

ftc

indeed has power to regulate data security through the “unfair” and “deceptive” practices definitions dictated in § 5.* It’s this power that gave the

ftc

the authority to enforce data security practices in the U.S., and it began only in 2015. It’s a new power, sure, but a power that hasn’t dwindled. Breaches have come long before Wyndham, they have come in the years since, they will continue to come, and the

ftc

will continue enforcing basic security standards whenever possible. ❖

Works cited

The right to our digital info

Mon, 30 Nov 2020 20:33:10 +0000

The United States lacks a single law regulating the collection and maintenance of data from individuals. With life becoming digital, information becomes easier to steal. While industries already have implemented self-regulating standards, perhaps the U.S. could benefit from an over-arching law—similar to the

gdpr

—that would regulate data protection. People should have rights to this information, and those rights should be protected.

The ideal right to privacy for U.S. citizens can be presumed by the Fourth Amendment:*

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

U.S. citizens have the right to be secure from unreasonable searches and seizures of property from their government. In the digital globe, technology accelerates life, and laws are slow to make pace. Laws arise when needs arise (thank you, common law.)* The current U.S. system of privacy protection is a messy patchwork of statutes governing privacy rights in separate sectors. This odd system mostly works, but it works because they met the needs as they arose. Of most privacy regulations in the United States, few are digital. Our rights to privacy have been on the forehead of our concerns during current worries of data protection. Can U.S. citizens know exactly who holds their personal information? Even if they do, can they be assured their information is properly protected?

Currently, there is no U.S. federal regulation that covers all data. Sure, there are several acts that cover certain sectors (like

hipaa

* does for health, the

glba

* does for banking,

coppa

* does for children, etc.), but nothing like what Europe has in the

gdpr

.* An individual’s right to their digital identity is recognized by the

gdpr

, as well as California’s Consumer Privacy Act (“

ccpa

.”)* Leave it to the states to figure things out beforehand, even if such an act was “quickly negotiated.”* Other countries* are weaving similar regulations to clothe their citizens with the same rights.

The right to a digital I.D.

Sullivan* advocates for the right to identity in the U.S., thereby protecting individuals with an enforceable, all-encompassing regulation. Digital identities are being recognized not just by industries but by governments as well. Sullivan* explains how many government transactions are performed solely over the internet with little human interaction, if at all. People hope these systems store their digital information in secure frameworks, and store only the information required for processing. Hand signatures and photographs are becoming replaced by a digital signature—mere initials in some instances, full names in others. Wet ink is not required. Governments, both state and federal, are seeing this digital signature as a preferred form of identity, claiming the digital signature reduces costs, increases efficiency, and reduces fraud.* Because governments require online transactions, they ought to protect the information in those transactions. The right to a digital identity is about the individual’s right to be recognized and to transact as an individually identifiable person within the digital universe. ❖

Works cited

The digital I.D.

Tue, 24 Nov 2020 04:46:05 +0000

In Barclay’s article* there is this idea of a digital identity, a persona created entirely in digital reality that is like you but isn’t you. Instead, it’s an identity created from information a user provides, separate from their physical self. This information is plucked arbitrarily from website to website, dependent on what each site requests. From social media, it would be every bit of personally identifiable information provided, from plain text to image to video. From healthcare providers, it would be records submitted. From online bankers, it would be transactional information required to dish money out. Some of this revealing information can public, though many believe most of it should be private. Such information could be metadata pin-pointing a person’s location over a period of time. Surprise: this information belongs to the company providing the geolocation service.

In criminal procedure* there lies a theory called the mosaic theory,* which proposes that many disparate parts may add to a complete (and seemingly correct) whole. In Carpenter,* the Supreme Court found that government tracking of a user’s global position over a fixed amount of time outside the scope of the warrant constitutes a search. If tracking a user over an extended period of time to determine criminal activity could be deemed a violation, what about tracking them without their informed consent?* Third-party trackers can create a second identity of a user, even if those trackers are providing beneficial services. Users equip technology that tracks their browsing, that tracks their movement, that tracks their cardiac information, that tracks their spending habits, that tracks their “Likes.”* Advertising companies target this juicy information so they can tailor products better suited to individual preferences. These companies are large miners of data; what they possess many would consider extremely sensitive. ❖

Works cited

The right to privacy

Wed, 18 Nov 2020 23:19:38 +0000

Over 100 years ago, Samuel Warren and Louis Brandeis helped kindle the American lust for a right to privacy in their article “The right to privacy.”* Decades later, Brandeis (now Justice) got to revisit his march for privacy in his dissenting opinion in Olmstead:* privacy is “the most comprehensive of rights and the right most valued by civilized men. To protect that right, every unjustifiable intrusion by the government upon the privacy of the individual, whatever the means employed, must be deemed a violation of the Fourth Amendment.” Fast-forward to Katz,* the Supreme Court held that citizens have a reasonable expectation of privacy from governmental intrusion.

With technology creating digital I.D.s, does our “right to privacy” translate well into our digital lives, where our information is collected and stored by many others? We submit sensitive information like our name, date of birth, weight, and height; most information collectors store this and users go on with their lives. With data breaches becoming far too familiar, more U.S. citizens are becoming concerned with digital privacy. Security systems are fallible; locks can be broken. The only solution: never provide sensitive information. But even governments are moving into exclusively digital services requiring citizens to transact online. Filing taxes online is nothing new, and many other applications and forms usually are submitted digitally to federal and local governments. Our dealings with governments via the internet indicates our governing bodies want us to live digitally, yet there still is no one data-protection law covering us. Perhaps it is time for a federal digital privacy-protection act. ❖