Last Friday, October 11, 2019, one day after the California Attorney General issued proposed regulations to implement the California Consumer Privacy Act of 2018 (“CCPA”), the California Governor, Gavin Newsom, announced that he signed all five of the September 2019 legislative amendments to the CCPA into law.  Those amendments include AB-25, AB-874, AB-1146, AB-1355, and AB-1564.  The governor had until Sunday, October 13 to either sign or veto the bills.

Among other changes to the CCPA, the amendments make the following notable changes:

  • Create a one-year exemption for HR data which sunsets Jan 1, 2021 (AB-25)
  • Create a one-year exemption from applicability for business-to-business customer representative personnel data, which sunsets Jan 1, 2021 (AB-1355)
  • Make various changes to the definitions of
    • “personal information” (AB-874 and AB-1355) to add reasonableness into the capability of being associated with an individual consumer or household, and to clarify that personal information does not include de-identified or aggregate consumer information;
    • “publicly available” information (AB-874); and
    • “verifiable consumer request” (AB-1355);
  • Revise the private right of action (AB-1355) to clarify that class action lawsuits may only be brought for breaches pursuant to CA data breach notification law when the personal information is “nonencrypted and nonredacted”;
  • Create limited exemptions for personal information necessary to fulfill a product warranty or recall, or a vehicle repair covered by a vehicle warranty or recall (AB-1146);
  • Clarify that a business does not need to retain or collect information in addition to that which it would otherwise collect in the ordinary course of business (AB-1355);
  • Revise the anti-discrimination right (AB-1355); and
  • Clarify that a business operating only online needs only to provide an email address as a designated consumer request method (AB-1564).

To view the various amendments, click on the following links: AB-25, AB-874, AB-1146, AB-1355, AB-1564.

Today, on October 10, 2019, the California Attorney General (“AG”) issued long-awaited proposed regulations implementing the California Consumer Privacy Act of 2018 (“CCPA”).  The AG also issued a notice of proposed rulemaking action and an initial statement of reasons elaborating on the purposes of the proposed regulations. The proposed regulations are intended to “establish procedures to facilitate consumer’s new rights under the CCPA and provide guidance to businesses for how to comply.”

While the CCPA’s statutory compliance date is January 1, 2020, the AG stated in a related press conference that July 1, 2020 is the expected date of final regulations and enforcement.

The deadline for comments on the proposed regulations is 5:00pm local (Pacific) time on December 6, 2019.  Interested parties may also attend and provide comment at four scheduled public hearings on December 2 (Sacramento), December 3 (Los Angeles), December 4 (San Francisco), or December 5 (Fresno).

To access the notice of proposed rulemaking, click here.
To access the text of the proposed regulations, click here.
To access the initial statement of reasons (ISOR), click here.

Today, the FTC announced that Equifax, Inc. will pay at least $575 million (and potentially up to $700 million) as part of a proposed global settlement with the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB), and 50 U.S. states and territories. The complaint alleges that Equifax failed to take reasonable steps to secure its network, leading to a 2017 data breach affecting approximately 147 million people. The proposed settlement will be filed along with the complaint today in the U.S. District Court for the Northern District of Georgia.

As part of the proposed settlement, Equifax will pay $300 million to a fund which will provide affected consumers with credit monitoring. It will also compensate consumers who bought credit or identity monitoring services from Equifax and paid other out-of-pocket expenses as a result of the breach.  Equifax will add up to $125 million if the initial payment proves insufficient. The company also has agreed to pay $175 million to 48 states, the District of Columbia and Puerto Rico, as well as $100 million to the CFPB in civil penalties.

In addition to the monetary penalties, beginning in January 2020, Equifax will provide all U.S. consumers with six free credit reports each year for seven years—in addition to the one free annual credit report that Equifax and the two other nationwide credit reporting agencies currently provide.

Equifax must also implement a comprehensive information security program under which it will be required to, among other things, implement the following:

  • Designate an employee to oversee the information security program;
  • Conduct annual assessments of internal and external security risks and implement safeguards to address potential risks, such as patch management and security remediation policies, network intrusion mechanisms, and other protections;
  • Obtain annual certifications from the Equifax board of directors or relevant subcommittee attesting that the company has complied with the order, including its information security requirements;
  • Test and monitor the effectiveness of the security safeguards; and
  • Ensure service providers that access personal information stored by Equifax also implement adequate safeguards to protect such data.

Under the proposed settlement, Equifax must obtain third-party assessments of its information security program every two years. The assessments must specify evidence supporting its conclusions and must include independent sampling, employee interviews, and document reviews. The order grants the FTC authority to approve the third-party assessor for each two-year assessment period. Equifax must also provide an annual update to the FTC about the status of the consumer claims process.

The Commission authorized the filing of the complaint and proposed order in a 5-0 vote.

This last week saw significant compliance and enforcement activity with respect to both GDPR and the FTC.  Specifically, we saw two significant GDPR fines handed down by the UK Information Commissioner’s Office (ICO) against British Airways (approx. $230 million) and Marriott International (approx. $130 million).  In addition, Facebook settled with the FTC for the largest privacy-related penalty ever at $5 billion. Discussed in more detail below, these developments provide some valuable insight into the landscape of data privacy governance and compliance.

Marriott International

On July 9, 2019, the ICO issued a notice of its intention to fine Marriott International £99,200,396 for violating the EU’s General Data Protection Regulation (GDPR).  The fine relates to an incident that Marriott brought to the ICO’s attention in November 2018. Specifically, approximately 339 million guest records containing a variety of personal data were exposed by the incident.  Approximately 30 million records were thought to relate to residents of 31 countries in the European Economic Area (EEA), with 7 million related to UK residents. It is believed the vulnerability began with systems of the Starwood hotel group that were compromised in 2014. Marriott acquired Starwood in 2016, but the exposure was not discovered until 2018.

The ICO found that Marriott failed to undertake sufficient due diligence when it bought Starwood. It also found that Marriott should have done more to secure its systems, specifically “putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected,” according to Information Commissioner Elizabeth Denham.

The ICO further stated that Marriott has cooperated with the ICO investigation and made improvements to its security arrangements since discovery of the events in question.  As allowed under the GDPR’s “one stop shop” provisions, the ICO has been investigating the case as lead supervisory authority on behalf of other EU Member State data protection authorities, who will have an opportunity, along with Marriott, to comment on the ICO’s findings. The ICO states it will carefully consider the representations of both the company as well as other data protection authorities before making a final decision.

In a statement filed the same day with the U.S. Securities Commission announcing the ICO’s proposed fine, Marriott stated that it “intends to respond and vigorously defend its position.”  Marriott CEO, Arne Sorenson, stated that, “We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database. We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”  Marriott also stated that the Starwood database that was attacked is no longer used for business operations.

British Airways

Similarly, the day before (July 8, 2019), the ICO issued notice of its intent to fine British Airways £183.39 million for GDPR infringements.  British Airways notified the ICO of the incident in September 2018, which involved user traffic to the British Airways website being diverted to a fraudulent site.  The attackers harvested customer details through this fraudulent site, compromising approximately 500,000 customers. The ICO found that the company had poor security arrangements which compromised a variety of data, including login, payment card, and travel booking details as well as name and address information.

In her statement, Commissioner Denham stated that “[w]hen an organization fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

The ICO noted that British Airways cooperated with the investigation and has since made improvements to its security arrangements. As with Marriott, the ICO was investigating the case on behalf of other EU Member State data protection authorities as the “lead supervisory authority”. Both British Airways and those data protection authorities will be given an opportunity to comment on the ICO’s findings, which it will consider carefully before making a final decision.

In its announcement to the London Stock Exchange regarding the ICO’s proposed sanctions, British Airways chairman and chief executive Alex Cruz stated: “We are surprised and disappointed in this initial finding from the ICO.  British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.  We apologize to our customers for any inconvenience this event caused.”  Willie Walsh, International Airlines Group chief executive, also stated that it intends “to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.”

Facebook Settlement

The FTC also voted this past week to approve a record settlement with Facebook over the company’s 2018 Cambridge Analytica scandal.  The settlement of $5 billion represents the largest fine ever approved by the FTC against a technology company – over 200 times larger than the previous largest fine.

The settlement was adopted along party lines, with the three Republicans supporting it and the two Democrats against it, and signals the end of a wide-ranging probe into Facebook’s mishandling of personal information that began more than a year ago. From here, the Department of Justice must approve and finalize the FTC settlement, which it typically does.

The two Democratic votes against the settlement suggest some desire for stronger executive accountability and stronger internal processes, and concerns that even such a large fine may not be sufficient to incentivize change.   Despite the record fine, critics have assailed the FTC for approving a fine that is small (approximately 9%) in comparison to Facebook’s massive profits, calling the agency’s efforts a “slap on the wrist.”  The real test of the agency’s work should depend on the final terms and conditions of the settlement agreement, which have not yet been disclosed. Facebook’s stock closed nearly 2% higher after the news broke.  In April, Facebook had warned Wall Street that it could face a fine as high as $5 billion, and had set aside a $3 billion charge during its first quarter earnings report when it announced it earned $15 billion in quarterly revenue.

The FTC’s investigation began in March 2018, in response to reports that political consulting firm Cambridge Analytica had improperly accessed personal data of 87 million users, which critics charged had violated a previous settlement agreement between Facebook and the FTC from 2011 to protect users’ privacy. Cambridge Analytica’s quiz app had harnessed information on both users installing the app and their Facebook friends, a form of data collection that Facebook had previously allowed under an earlier version of its privacy policy. This harnessed information may have helped Cambridge Analytica create profiles of users that clients could target with political messages.  The FTC investigation then expanded beyond Cambridge Analytica to cover other privacy and security activities at Facebook, including a discovery that Facebook had provided popular websites and the makers of some smartphones and other devices with access to users’ social data without adequately notifying them.

Under the FTC’s new settlement, Facebook could have to document every decision it makes about data before offering new products, closely monitor third-party applications that collect users’ information, and require Facebook CEO Mark Zuckerberg and other top executives to attest that the company has adequate privacy protections.  Facebook had agreed to broad versions of these terms as part of the confidential settlement talks with the FTC, according to the Washington Post. These provisions are broader than the 2011 settlement agreement, which had required Facebook to give users greater notification about what happens to their data and how their information is used. It also required Facebook to submit to 20 years of regular privacy checkups from outside watchdogs, even though those reviewers had not flagged any major mishaps at the company.

Takeaways

As more frequent and significant fines continue to emanate from both Europe and the U.S., heightened responsibilities for companies and their management translate to larger budgets for privacy programs and data governance, which require systems and technologies to be managed at scale. It is becoming increasingly apparent that GDPR compliance is real (and not just for the tech industry, as the Marriott and British Airways proposed sanctions make clear), and that compliance with the California Consumer Privacy Act (CCPA) is around the corner. (Often compared to GDPR, the law becomes effective Jan. 1, 2020.) Although some criticize the significant FTC fine as a “slap on the wrist”, such fines could be crippling to companies with less revenue, and the non-monetary terms of the settlement, once revealed, could forecast more about what to expect in terms of the new standards of “reasonableness”. Other states, such as Nevada and New York, are also passing more stringent laws.  Data privacy as an enterprise-wide risk management issue is clearly here to stay, and will require cross-functional collaboration across multiple departments and business units. Compliance and best practices, both abroad and at home, should be a top priority for companies of all industries.


*written with assistance from co-author and W&L law student, Isabella Gray.

On May 28, 2019, the Cyberspace Administration of China (“Cybersecurity Administration”) released a set of draft Measures for Data Security Management (the “Draft Measures”).  The Draft Measures provide articles governing how network operators, defined as someone who owns and administrates a network or a network service provider, can collect, use, and store different types of data.

The articles contained in the Draft Measures were developed to expand China’s existing Cybersecurity Law and to safeguard national security and the public interest while also protecting the rights of Chinese citizens, legal persons, and other organizations in cyberspace. The Draft Measures apply to the collection, storage, transmission, processing, and use of data as well as the protection, supervision, and administration of cybersecurity within the territory of China.

Required Consent for Data Collection or Use

Under the Draft Measures, each network operator must develop and disclose separate rules for the collection of data and the subsequent use. The developed rules for collection and use may both be presented in a privacy policy but must be specific, easy to understand, and presented in a clear and obvious way to encourage reading. Additionally, the rules must highlight:

  • general information about the network operator;
  • the name and contact information for the network operator’s main person responsible for data security;
  • how data is collected and used;
  • how data is stored;
  • a summary of the rules the network operator must comply with when disclosing collected data to others;
  • how the collected data is protected by the network operator;
  • how users can withdraw consent to collection and can access or delete collected personal information;
  • how users can file complaints; and
  • any additional information required by other laws or regulations.

A network operator may only collect data after a user acknowledges the rules for collection and use and gives express consent to those actions. If a user is under the age of 14, consent from a parent or guardian is required prior to collecting data. Additionally, network operators cannot mislead users into consenting to data collection or discriminate against users who do not consent.

Means of Collecting Data

The Draft Measures further prescribe what network operators must do after collecting two types of data: important data and personal information. “Important data” is defined as the kind of data that, if divulged, may directly affect national security, economic security, social stability, or public health and security. “Personal information” is defined as data which could be used to identify a person specifically, such as their name, date of birth, or telephone number.

If a network operator is collecting important data or personal information, the network operator must file information about its collection and use of such data with the Cybersecurity Administration.  The network operator must describe the purpose of its data collection, the scope and type of data collected, and how long it will retain the data.

Additionally, a network operator collecting important or personal data must specify the person responsible for data security. Such designated person must:

  • create data protection plans and ensure proper implementation of such plans;
  • conduct data security risk assessments and rectify potential risks;
  • report data security incidents to the Cybersecurity Administration; and
  • oversee the resolution of complaints and reports from users.

In addition to cooperating with data users, the Draft Measures require that network operators cooperate with website owners.  If a network operator uses automatic means to collect website data, the means must not interfere with the normal operation of the websites. If a website owner requests that the network operator stop collecting data from its site, the network operator must stop.

Use and Storage of Data

Data collected by network operators can be used for a variety of purposes, such as more effectively displaying advertisements. In some instances, network operators must tell users how they are using certain data. For example, when conducting targeted pushes of information, network operators must clearly identify that the information presented to a user is a “targeted push” and give the user the option to reject the targeted push information.  Additionally, network operators must identify when they are synthesizing information.

Under the Draft Measures, network operators are permitted to publish, share, and sell data after assessing potential security risks. Approval from the Cyberspace Administration is required to publish, share, or sell data internationally. The uses for data prohibited by the Draft Measures include publishing market predictions, statistics, credit, or any other information that would endanger national security or damage the lawful rights and interests of any person.

A network operator generally needs consent from a user to share collected data with a third party. However, consent is not required for a network operator to share data where:

  • the data was collected from legal public channels;
  • the data was voluntarily disclosed by the user;
  • the data was anonymized so that it could not be traced back to any specific user;
  • sharing the data is necessary for compliance with law enforcement agencies in accordance with the law; or
  • sharing the data is necessary for safeguarding national security, public interest, or the life of the user.

Under the Draft Measures, a network operator may only keep data for the retention period specified in its filing with the Cyberspace Administration. Should a user request that its data be deleted prior to the end of the retention period, the network operator must comply. Network operators must also take steps to urge users to be responsible with their network behavior and encourage self-regulation.

Finally, security is a large issue with data collection, use, and storage. To address this, the Draft Measures require that network operators categorize, back up, and encrypt data to strengthen its protection. In the event of a security incident where data is divulged, a network operator must immediately take remedial measures, inform users about the incident, and additionally report the incident to the Cyberspace Administration.

Penalty for Noncompliance

A network operator’s violation of any of the Draft Measures could result in disciplinary actions, such as confiscating income received as a result of the violation, suspending the network operator’s business operations, or revoking the network operator’s business permit. If the violation amounts to a crime, the network operator could be subject to applicable criminal punishments.

The Draft Measures will remain open for comment until June 28, 2019.

In our Southeast Financial Litigation Monitor, our own Lindsey Catlett posts about a recent opinion in Southern Independent Bank vs. Fred’s Inc., in which the Middle District of Alabama denied class certification following a data breach which allegedly affected over 2,000 financial institutions across the country. Southern Independent, a community bank located in south Alabama, brought a class action complaint against Fred’s in response to a data breach in which hackers, using malware installed on servers, harvested payment data from consumer debit cards used at Fred’s stores.  The issuing banks claim damages stemming from Fred’s alleged negligent failure to maintain adequate cybersecurity in compliance with the PCI-DSS standards. To view Lindsey’s post, click here.

In an opinion issued today (January 25, 2019), the Illinois Supreme Court found that a Six Flags season pass holder can claim a violation of the state’s biometric privacy law based on Six Flags’ collection of the thumbprint of plaintiff Stacy Rosenbach’s son without permission, even without alleging any actual harm.  This is an important ruling that could impact hundreds of similar pending cases.

In a unanimous decision, the court wrote that Rosenbach’s son can be considered an “aggrieved person” under the state’s Biometric Information Privacy Act (“BIPA”) based on a technical violation of the statute and without alleging that her son’s data was stolen or misused.

Under the statute, “aggrieved persons” may bring a right of action and recover, for each violation, the greater of $1,000 in liquidated damages or actual damages, plus reasonable attorney fees and costs, and any other relief, including an injunction, that the court deems appropriate.  The central issue was whether one qualifies as an “aggrieved person” if he or she has not alleged some actual injury or adverse effect beyond a violation of his or her rights under the statute.  In the lower appellate court’s view, “a plaintiff who alleges only a technical violation of the statute without alleging some injury or adverse effect is not an aggrieved person”. 2017 IL App (2d 18-317, P 23). Today, the Illinois Supreme Court reversed and remanded the appellate court’s decision for further proceedings.

The Six Flags fingerprinting system involved two steps. First, the pass holder went to a security checkpoint, where he was asked to scan his thumb into the biometric data capture system. After that, he was directed to a nearby administrative building, where he obtained a season pass card.  The card and his thumbprint, when used together, enabled him to gain access as a season pass holder.  Upon returning home, the son was asked by plaintiff Rosenbach for the booklet or paperwork he had been given in connection with his new season pass. The son responded that Six Flags did “it all by fingerprint now” and that no paperwork had been provided.  The complaint alleged that neither the son, who was 14 years old and thus a minor, nor the plaintiff mother Rosenbach, were informed in writing or in any other way of the specific purpose and length of term for which his fingerprint had been collected, nor did they sign any written release regarding the taking of the fingerprint. Moreover, neither of them consented in writing “to the collection, storage, use, sale, lease, dissemination, disclosure, redisclosure, or trade of, or for [defendants] to otherwise profit from, [son’s] thumbprint or associated biometric identifiers or information.”

The defendants sought dismissal on the ground, among others, that the plaintiff had suffered no actual or threatened injury and therefore lacked standing to sue.  In rejecting this position, the court noted that, “[w]hen the General Assembly has wanted to impose such a requirement in other situations, it had made that intention clear”, citing Illinois’s Consumer Fraud and Deceptive Business Practices Act, which requires actual damage to bring a private right of action. See 815 ILCS 505/10a(a) (Action for actual damages).  In contrast, Illinois’s AIDS Confidentiality Act (410 ILCS 305/1) does not require proof of actual damages in order to recover. The court noted that Section 20 of the Act in question followed the latter model, providing simply that “[a]ny person aggrieved by a violation of this Act shall have a right of action in a State circuit court or as a supplemental claim in federal district court against an offending party.”

The court then discussed the historical and popular use of the term “aggrieved”, concluding that it was sufficient that the plaintiff’s legal rights were adversely affected. Specifically, the Act codified that individuals possess a right to privacy in and control over their biometric identifiers, and when a private entity fails to comply with one of those requirements, that violation “constitutes an invasion, impairment, or denial of the statutory rights of any person or customer whose biometric identifier or biometric information is subject to the breach.” Therefore, such a person or customer would “clearly be ‘aggrieved’ within the meaning of Section 20 of the Act” and entitled to seek recovery.  The court added that the appellate court’s characterization of the violation as merely technical in nature “misapprehends the nature of the harm our legislature is attempting to combat through this legislation”, noting that these procedural protections “are particularly crucial in our digital world because technology now permits the wholesale collection and storage of an individual’s unique biometric identifiers – identifiers that cannot be changed if compromised or misused.”  When a private entity fails to adhere to these statutory procedures, “the right of the individual to maintain [his or] her biometric privacy vanishes into thin air. The precise harm the Illinois legislature sought to prevent is then realized.”  For these reasons, the court stated, the procedural injury is “real and significant”.

To view the court’s opinion, click here.

On January 21, 2019, the French Data Protection Authority, the Commission Nationale de l’Informatique et des Libertés (“CNIL”), announced a sanction of 50 million euros against Google.  On May 25 and 28, 2018, the CNIL received complaints from two different associations, asserting that Google did not have a valid legal basis for the processing of personal data of the users of its services, particularly with respect to ad personalization.  The complaints were brought by “None of Your Business”, a nonprofit organization chaired by Max Schrems (yes, that Max Schrems), and “La quadrature du Net”, a French digital rights advocacy group. The decision is significant for at least two reasons: (1) because it reveals CNIL’s analysis of how it was permitted to issue the decision and sanction despite the location of Google’s European headquarters, and (2) because it is the first time the CNIL has leveraged its new powers under GDPR to issue a sanction greater than its € 20 million pre-GDPR limit.

Coordination of Enforcement

The GDPR establishes a “one stop shop mechanism”, providing that an organization with a main establishment in the European Union shall have only one interlocutor, the Data Protection Authority (“DPA”) in the country where its main establishment is located, which shall serve as the “lead authority”.  In Google’s case, its European headquarters is in Ireland.  The lead authority must coordinate the cooperation between the other DPAs before taking any decision about cross-border processing carried out by the company. The CNIL cited the definition of “main establishment” in Article 4(16)(a):  “as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment …”.  It then discussed several elements of Google’s European headquarters in Ireland,

After lengthy discussion, the CNIL’s restricted committee concluded that Google’s European headquarters could not be considered a main establishment within the meaning of Article 4(16), because it was not established that the Ireland headquarters had decision-making power over the privacy policies presented to the user when creating an account during the configuration of an Android mobile phone.  In the absence of a main establishment, therefore, the CNIL was competent to initiate this procedure and to exercise its powers. The CNIL accordingly asserted authority to make decisions regarding Google’s processing operations, and applied the new European framework as interpreted by all European authorities in the EDPB’s guidelines.

The CNIL’s restricted committee carried out online inspections in September 2018 to verify the compliance of the processing operations implemented by Google with the French Data Protection Act and the GDPR, by analyzing the browsing pattern of a user and the documents he or she can access when creating a Google account during the configuration of Android mobile equipment. On the basis of its inspections, the CNIL’s restricted committee observed two types of breaches of the GDPR.

Violation of Transparency and Information.

First, the CNIL noticed that the information provided by Google was not easily accessible for users:

“Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information. The relevant information is accessible after several steps only, implying sometimes up to 5 or 6 actions. For instance, this is the case when a user wants to have complete information on his or her data collected for the personalization purposes or for the geo-tracking service.”

The restricted committee also observed that some information is not always clear or comprehensive:

“Users are not able to fully understand the extent of the processing operations carried out by Google. But the processing operations are particularly massive and intrusive because of the number of services offered (about twenty), and the amount and the nature of the data processed and combined. The restricted committee observe[d] in particular that the purposes of processing are described in a too generic and vague manner, and so are the categories of data processed for these various purposes. Similarly, the information communicated is not clear enough so that the user can understand that the legal basis of processing operations for the ads personalization is the consent, and not the legitimate interest of the company. Finally, the restricted committee notices that the information about the retention period is not provided for some data.”

Violation of the obligation to have a Legal Basis for ads Personalization Processing.

Although Google stated that it obtained user consent to process data for ads personalization purposes, the committee considered that the consent was not validly obtained for two reasons:

“First, the restricted committee observed that the users’ consent was not sufficiently informed.   The information on processing operations for the ads personalization is diluted in several documents and does not enable the user to be aware of their extent. For example, in the section “Ads Personalization”, it is not possible to be aware of the plurality of services, websites and applications involved in these processing operations (Google search, You tube, Google home, Google maps, Playstore, Google pictures…) and therefore of the amount of data processed and combined.”

Second, the committee observed that the consent collected by Google was neither “specific” nor “unambiguous”.  Admittedly, when a user creates an account he or she can modify some account options by clicking on the button “More options”, accessible above the button “Create Account”.  It is notably possible to configure the display of personalized ads.  However, the user not only has to click on “More options” to access the configuration, but the display of personalized ads is pre-checked. The GDPR, by contrast, treats consent as “unambiguous” only if it is given through a clear affirmative action from the user (for instance, opting in by ticking a box that is not pre-ticked, as opposed to opting out by clearing a pre-ticked box). Finally, before creating an account, the user is asked to tick the boxes “I agree to Google’s Terms of Service” and “I agree to the processing of my information as described above and further explained in the Privacy Policy” in order to create the account.  In other words, the user gives his or her consent in full for all of the processing purposes carried out by Google on the basis of this consent (e.g., ads personalization, speech recognition, etc.). The GDPR, however, treats consent as “specific” only if it is given distinctly for each purpose.

Sanctions.

As a result of its findings, the committee publicly imposed a financial penalty of 50 million euros against Google, representing the first time that the CNIL applied the new sanction limits provided by the GDPR.  CNIL stated that the amount and publicity of the sanction was “justified by the severity of the infringements observed regarding the essential principles of the GDPR:  transparency, information, and consent.”

Despite the measures implemented by Google (documentation and configuration tools), the CNIL stated that the infringements observed “deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services, and almost unlimited possible combinations.”  The committee recalled that the extent of the processing operations in question “imposes to enable the users to control their data and therefore to sufficiently inform them and allow them to validly consent.”  Moreover, the committee stated, the violations were continuous breaches of the regulation, as they were still observed at the date of the decision; this was not a one-off, time-limited infringement.  The CNIL also noted the important place the Android operating system holds on the French market, with thousands of French citizens creating Google accounts every day when using their smartphones. Finally, the restricted committee pointed out that the economic model of the company is partly based on ads personalization.

Google’s Response.

In a statement obtained by ABC News, a Google spokesperson said the company is “studying the decision” to determine its next steps:

“People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. We’re studying the decision to determine our next steps.”

To view the CNIL press release, click here.

To view the CNIL decision (in French), click here.

On July 19, 2018, the Federal Energy Regulatory Commission (FERC) issued a final rule (Order No. 848) directing the North American Electric Reliability Corporation (NERC) to develop and submit modifications to NERC Reliability Standards related to Cyber Security Incident reporting. FERC recognized that, under the current Cyber Security Incident reporting Reliability Standard, incidents are only required to be reported if they have compromised or disrupted one or more reliability tasks. FERC issued Order No. 848 to strengthen Cyber Security Incident reporting requirements.

The Commission’s directive consists of four elements:

  • Responsible entities must report Cyber Security Incidents that compromise, or attempt to compromise, a responsible entity’s Electronic Security Perimeter (ESP) or Electronic Access Control and Monitoring Systems (EACMS) associated with an ESP;
  • Required information in Cyber Security Incident reports should include certain minimum information to improve the quality of reporting and allow for ease of comparison by ensuring that each report includes specified fields of information;
  • The filing deadline for Cyber Security Incident reports should be established once a compromise or disruption to reliable Bulk Electric System (BES) operation, or an attempt to compromise or disrupt, is identified by a responsible entity; and
  • Cyber Security Incident reports should continue to be sent to the Electricity Information Sharing and Analysis Center (E-ISAC), rather than the Commission, but the reports should also be sent to DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). Finally, NERC must file an annual, public, and anonymized summary of the reports with the Commission.

FERC also suggested that NERC develop a flexible reporting timeline that reflects the severity of a Cyber Security Incident to help address the administrative burden of reporting attempted compromises.

NERC is required to develop modifications to the Reliability Standards within six months. The final rule will take effect 60 days after publication in the Federal Register.

To view FERC’s final rule, click here.

The Federal Financial Institutions Examination Council (FFIEC) has issued a joint statement providing guidance for financial institutions about the role of cyber insurance in the risk management of information technology systems. The FFIEC comprises the principals of the following: the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, the Consumer Financial Protection Bureau, and the State Liaison Committee.

On April 10, 2018, the FDIC, as a member of the FFIEC, issued statement FIL-16-2018, applicable to all FDIC-supervised institutions. Similarly, on April 11, 2018, the Office of the Comptroller of the Currency (OCC) issued a bulletin (OCC Bulletin 2018-8) on the FFIEC’s joint statement, noting that the joint statement applies to all institutions supervised by the OCC.  The joint statement and the associated FDIC letter and OCC bulletin include the following highlights:

  • FDIC-supervised institutions are not required to maintain cyber insurance. However, cyber insurance could offset financial losses from a variety of exposures—including data breaches resulting in the loss of confidential information—that may not be covered by more traditional insurance policies.
  • Traditional general liability insurance policies may not provide effective coverage for all potential exposures caused by cyber events.
  • Cyber insurance does not replace a sound and effective risk management program.
  • Cyber attacks are increasing in volume and sophistication, and traditional general liability insurance policies may not provide effective coverage for potential exposures caused by cyber events.
  • Cyber insurance may help reduce financial losses from a variety of exposures, such as data breaches resulting in the loss of sensitive customer information.
  • Cyber insurance does not diminish the importance of a sound control environment; rather, cyber insurance may be a component of a broader risk management strategy.
  • As institutions weigh the benefits and costs of cyber insurance, considerations may include: (a) involving multiple stakeholders in the cyber insurance decision; (b) performing proper due diligence to understand available cyber insurance coverage; and (c) evaluating cyber insurance in the annual insurance review and budgeting process.

The FFIEC’s statement is not intended to contain new regulatory expectations, but instead to provide awareness of the potential role of cyber insurance in financial institutions’ risk management programs.  Financial institutions ultimately remain responsible for maintaining a control environment consistent with the guidance outlined in the FFIEC IT Examination Handbook.

Click here to see the FFIEC press release.

Click here to see the full 3-page joint statement.