
Lessons from FTC v. Twitter

Francoise Gilbert

Security is not just for credit card and social security numbers

The proliferation of security breach disclosure laws has brought companies’ attention to the need to protect financial information, social security numbers, and driver’s license numbers. Since most of these laws target only these categories of data, and most state laws that require the use of security measures have also focused on these categories of data, many companies have limited their information security efforts to the protection of a small amount of data: credit card, social security and driver’s license numbers. As a result, other categories of data that have not been in the limelight or the subject of investigative reporting have been neglected.


Mexico’s New Federal Law on the Protection of Personal Data

Francoise Gilbert

Mexico’s new Ley Federal de Protección de Datos Personales en Posesión de los Particulares (Federal Law on the Protection of Personal Data Possessed by Private Persons) became effective on July 6, 2010. The Law is “of public order,” which means that contract provisions that conflict with it are unenforceable.

The Federal Institute for Access to Information and Data Protection (IFAI) is charged with issuing regulations and enforcing the Law. The regulations are expected to be issued within one year, and the Law will not be enforced until January 2012.


Of Cookies and Spam

Francoise Gilbert

What’s Cookin’ in the European Union?

The European Union Member States will soon change the rules that apply to cookies and unsolicited messages. Recent amendments to the ePrivacy Directive require the Member States to implement new restrictions in their national laws by June 2011. These changes are likely to significantly affect the procedures and processes used for marketing in, or with, the European Union. The most important change creates new rules for the use of cookies.



Location Information in Consumer Contracts

Francoise Gilbert

The use of location-based services by consumers, such as for the provision of directions, traffic information, or mapping to locate nearby stores, should be subject to terms and conditions that address the quality of the service and the reliability of the data. In addition, the contract should address the privacy concerns of the customer. The collection, use and sharing of location information might raise more concerns than the collection of other data such as the customer’s name, phone number or the duration of a call. Thus, special attention should be given to the protection of the location data.



Remaining in Safe Waters

Francoise Gilbert

How to Ensure Continued Compliance with The Safe Harbor Requirements

The Safe Harbor created by the US Department of Commerce and the European Commission provides a convenient way for US companies with limited global transactions to address the “adequacy” requirement under the national laws of the European Union Member States. Being self-certified under the US Department of Commerce Safe Harbor allows them to reduce the amount of red tape that usually accompanies the transfer of personal data from a European Union Member State, an EEA Member State or Switzerland to the United States.

However, the initial self-certification filing is only one of many obligations. In order for the self-certification to remain valid, the company must re-certify its compliance with the Safe Harbor Principles each year and pay the related fee to the Department of Commerce. When a company wishes to renew its self-certification, it must go through the same due diligence as for the initial filing, and… much more.


Information Privacy and Security Current and Emerging Issues in the United States

Francoise Gilbert

Not so long ago, the Internet was a separate world. We distinguished e-commerce and other activities in “cyberspace” from those that were conducted in the brick and mortar world. Today, most companies are exploiting at the same time, and to the fullest extent possible, all of the vast resources that are available through the Internet, the World Wide Web and otherwise.

Concurrent with the convergence of cyberspace with the brick and mortar world, telephone and information technologies are converging.  From one single device, we can make calls, send emails, browse the web, review our documents, and even pay for our lattes.  With this convergence, and the ubiquitous need for access to personal information databases, data protection issues have gained greater importance.  Without customer information, companies cannot create products adapted to client needs or target the right client for a sale.

However, holding personal information without adequate safeguards may lead to disaster.  Companies have lost goodwill, to the point of bankruptcy, for having failed to address privacy and information security issues.

This article will look at selected current issues and trends in information privacy and security.


HIPAA Security Rule

Francoise Gilbert

On February 20, 2003, the U.S. Department of Health and Human Services (HHS) published the final draft of the new National Standards for Safeguards to Protect Personal Health Information that is maintained or transmitted electronically (“Security Rule”). Required as part of the administrative simplification provisions included in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), these standards are separate from, and in addition to, those set in the HIPAA Privacy Rule.

Most covered entities have until April 21, 2005 to comply with the standards; small health plans have an additional year to comply.

The Security Rule lists measures that health plans, health care clearinghouses, and health care providers (“covered entities”) must take to protect the confidentiality, integrity, and availability of individually identifiable health information in electronic form in their custody, or while transmitting it to third parties. These measures include Administrative, Physical, and Technical Safeguards, Organizational Requirements, and Policies, Procedures and Documentation Requirements. The Security Rule labels these measures as “standards” and “implementation specifications.”


What Limits for Behavioral Targeting

Francoise Gilbert

An individual uses a travel site to check hotels in New York, but does not book any hotel room. Later the individual visits the website of a local newspaper to read about the Chicago Cubs baseball team. While on the newspaper’s website, the individual is served an advertisement from an airline featuring flights from Chicago to New York. The method used to develop the consumer’s profile – someone interested in travelling to New York from his home base in Chicago – in order to serve targeted ads is named “behavioral advertising” or “behavioral targeting.”

Behavioral targeting is a marketing technique that tracks a user’s online activities over time in order to build a profile of that individual and to deliver advertising that is targeted to the assumed interests of this individual. The information about a user is collected through a combination of cookies and pixel tags. It could include what searches were conducted, what pages were visited, how long she stayed on a particular page, and on which links or advertisements she clicked. This information may then be combined with other information about that individual, such as her geographic location. It is then shared with advertisement networks, which serve advertisements at websites across the Internet.

Many consumers and advocacy groups are concerned about the privacy issues that are associated with such practices. For example, the manner in which the consumer information is collected is not visible to the consumer. Further, sensitive information regarding health, finances, or children could be used for unanticipated purposes.



Coming Soon to the European Union: Security Breach Disclosure Requirements

Francoise Gilbert

Directive 2002/58/EC (or “e-Privacy Directive”), which defines the restrictions that apply to the protection of personal data in the context of wire or Internet communications, was amended in late 2009. This amendment establishes the first mandatory security breach disclosure regime for the European Union and will soon be reflected in the national laws of the EU and EEA Member States.

While this new security breach disclosure regime affects only providers of publicly available electronic communication services, it is likely that it will be the foundation for defining a security breach disclosure framework that applies to other personal data holders.

For example, when amending their national laws, some of the EU Member States may opt to apply this security breach disclosure regime to the entire spectrum of data controllers and data processors, rather than limiting it to the smaller subset of electronic communication service providers that are subject to the ePrivacy Directive. Further, when the 1995 EU Data Protection Directive is revised, it should be expected, as well, that the security breach provisions of the ePrivacy Directive (as amended), at a minimum, will serve as a starting point.

The amendments must be implemented in each of the national laws of the Member States of the European Union and the European Economic Area by June 2011.


How to Protect Children from Child Predators and Cyberbullies in Social Networking Sites

Francoise Gilbert

It is easy to register as a user on a site using an identity different from one’s actual one. A 14-year-old can pretend to be 25 and set up a profile on most social networking sites. As a result, minors have been able to find their way onto sites that were intended for adults. In some cases, they have become the victims of child predators whom they met online. Governments and legislators are looking at age verification as a way to protect minors from inappropriate contacts on the Internet. This article explores some of the issues raised by age verification and looks at the status of laws and government enforcement actions that focus on keeping minors out of sites that are not intended for them, or not prepared to handle them.

