Tuesday, July 5, 2016

Business Associates of HIPAA Covered Entities Beware!

If your organization is a business associate of a HIPAA covered entity (such as a health care provider or employee health benefit plan), you should know that the Department of Health and Human Services' Office of Civil Rights (OCR) is actively pursuing business associates over privacy and information security violations.

Business Associate Fined >$15,000 Per Patient

This past week, Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) agreed to settle with OCR after alleged violations of the HIPAA Security Rule that came to light after the loss of an iPhone containing protected health information (PHI) of 412 nursing home residents. The settlement requires a monetary payment of $650,000 and a corrective action plan. (For those who have not already done the math, the fine alone will cost CHCS more than $15,000 per patient!)

In announcing the settlement, OCR's Director Jocelyn Samuels emphasized the importance of a comprehensive program: “Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit from covered entities. This includes an enterprise-wide risk analysis and corresponding risk management plan, which are the cornerstones of the HIPAA Security Rule.”  In the case of CHCS, the iPhone was unencrypted and was not password protected. To make matters much worse, OCR learned that CHCS had no policies addressing the loss of mobile devices containing PHI, no security incident response plan, no risk analysis, and no risk management plan.

As part of the settlement, OCR will monitor CHCS for two years to ensure compliance. You can read the Resolution Agreement and Corrective Action Plan on the OCR website at:

Business Associate Audits
This announcement comes just months after the launch of the second phase of OCR's much-anticipated audit program for business associates. Rather than awaiting reports of violations, the OCR is actively auditing business associates. When announcing the audit program, OCR explained the process:
  • First, OCR will contact organizations by email to verify contact information and complete a pre-audit questionnaire.
  • Organizations selected will be subject to either a desk audit, an onsite audit, or both.
  • Organizations will have about 10 business days to produce requested documents, so there will be insufficient time to create or update HIPAA privacy and security policies, security risk assessments, breach notification documentation, business associate agreements, and other HIPAA documentation after notification.
Business associates should not wait until an audit is initiated.  Now is the time to ensure that HIPAA programs are in place, complete, and up to date.  If this week's CHCS settlement is any indicator, the OCR will be seeking large fines when it uncovers violations.

Matt Cordell is a North Carolina lawyer with expertise in HIPAA and health care privacy and information security. 

Tuesday, June 28, 2016

BREXIT: Unchartered Territory for EU and UK Data Protection Standards

My law partner, Deana Labriola, has written a piece about the Brexit and its impact on the GDPR. 

BREXIT: Unchartered Territory for EU and UK Data Protection Standards

Deana A. Labriola

So what changed on June 23, 2016? Maybe everything, and then again, maybe nothing at all.  The UK is leaving the EU.  While this decision will have far reaching implications for years to follow, it may be far less impactful for data protection laws, at least in the short term.

You can read the rest here: http://www.wardandsmith.com/articles/brexit-unchartered-territory-for-eu-and-uk-data-protection-standards

Tuesday, June 14, 2016

Don't Be Tardy. Get Schooled on North Carolina's New Education Technology Law Now!

New NC Law Enhances Student Privacy Rights and Restricts Providers of Online Educational Resources

Education technology (or "EdTech") organizations will want to pay close attention to a new North Carolina statute that was signed into law a couple of days ago.  On Thursday, June 9, 2016, a new law titled "An Act to Protect Student Online Privacy" was enacted to further protect the privacy of K-12 students in North Carolina.  It becomes effective October 1st, so education technology companies have very little time to prepare before the upcoming school year begins.  They should review their data collection, storage, use and sharing policies and procedures in light of the new law, and adjust their practices if necessary.  In some cases, this may require changing or disabling the features and functions of websites or applications.

Who Is Affected?

The law is primarily aimed at the fast-growing Ed Tech sector.  Organizations may be affected whether or not they have a contract with a school, school board, or the State of North Carolina.  The statute applies to the operators of websites, online services, online applications, or mobile applications who know that the site, service, or application is used primarily for K-12 school purposes.  School boards are also affected, because they should ensure that their contracts with providers of online services require those providers to comply with the new law.
Like the existing student privacy statute, the law applies to public schools only.  Private schools, and their service providers, will remain unaffected.  (If private schools wish to protect the privacy of their students, they must do so by including contractual protections with their service providers.  I would strongly suggest that they do so.)

New Prohibitions

Online operators are prohibited from selling or renting a student's information without parental consent.  They are also generally prohibited from disclosing a student's covered information (defined below) except for six specific purposes.  The permissible disclosures include disclosures to a subcontractor who is contractually prohibited from further disclosure of the information and who agrees to implement reasonable security procedures.

Online operators may not engage in so-called "targeted advertising" (better known as "behavioral advertising") based on information received for "school purposes."  "Targeted advertising" means presenting an advertisement to a student where the advertisement is selected based on information obtained (or inferred over time) from that student's online behavior, usage of applications, or covered information.  Furthermore, they are prohibited from "amassing a profile" of a student except for school purposes.

New Requirements

In addition to proscribing new limitations, the statute imposes two new obligations on online operators.  All operators must "implement and maintain reasonable security procedures" and "protect covered information from unauthorized access, destruction, use, modification, or disclosure."  Operators are also required to delete a student's information at the request of the school board, or when the operator stops providing service to the school board, unless the student's parent consents to the record retention.

Broader Scope of Covered Information

Although the student privacy statute already contained a definition of the term "personally identifiable information," the new statute creates a significantly broader definition of the same term that applies only for purposes of the online privacy protections.  It includes twenty-nine (29) categories of information.

Interaction with Existing Law

You may recall that I wrote in mid-2014 about a then-new student privacy law in North Carolina.  You can read that summary here.  Titled "An Act to Ensure the Privacy and Security of Student Educational Records," the law prohibited schools from collecting certain categories of information, restricted the disclosure of personally identifiable student data, required school boards to give parents an annual summary of parental rights and opt-out opportunities, and directed the State Board of Education to make rules regarding privacy standards, audits, breach notification and data retention and destruction policies.  The 2016 law described in this article amends and enhances the 2014 statute.

It should be noted that the federal Children's Online Privacy Protection Act (better known as COPPA) already protects children's online privacy in the educational context as well as in all other contexts.  Any organization affected by North Carolina's new statute should already be in compliance with COPPA, but if it is not, there is no better time than now to become compliant.

Don't Get Sent to the Principal's Office!

Education technology companies and school boards have very little time to revise their policies and practices in order to comply with the new statute.  They should consult with their privacy counsel quickly so that they will not be "sent to the principal's office" when the summer break ends!

You can find more posts like this by Ward and Smith, P.A. attorney and Certified Information Privacy Professional (CIPP/US) Matt Cordell at the North Carolina Privacy and Information Security Law Blog: www.PrivacyLawNC.com.  Matt Cordell practices in the areas of privacy law, information security law, data use law and related consumer protection laws, and has offices in Raleigh, New Bern, Greenville, Wilmington and Asheville.  This article is not intended to give, and should not be relied upon for, legal advice in any particular circumstance or fact situation. No action should be taken in reliance upon the information contained in this article without obtaining the advice of an attorney.

Monday, May 30, 2016

European Data Protection Supervisor Rejects Proposed U.S. Privacy Shield

Today, the European Data Protection Supervisor (EDPS) delivered a crushing blow to the proposed Privacy Shield, sending U.S. and European negotiators back to the drawing board.

Readers of this blog know about the collapse of the EU/US data privacy Safe Harbor framework (which had been in place since 2000) and the efforts to negotiate a trans-Atlantic resolution (see my prior posts here, here and here).  The EU/US Safe Harbor was struck down by the EU Court of Justice last year, and officials have been scrambling to replace it.  This spring, the U.S. Department of Commerce released a proposal (the "Privacy Shield") designed to satisfy European officials that U.S. organizations could be trusted with information about Europeans.  I have already described that proposal in relative detail, here.

The European Data Protection Supervisor (EDPS), appointed in 2014, is an independent institution of the EU, responsible under European law "for ensuring that the fundamental rights and freedoms of natural persons, and in particular their right to privacy, are respected." Under Article 28(2) of Regulation 45/2001, the European Commission is required, "when adopting a legislative Proposal relating to the protection of individuals' rights and freedoms with regard to the processing of personal data", to consult the EDPS. Since the submission of the proposed Privacy Shield to the EDPS, officials on both sides of the Atlantic have been holding their respective breaths in anticipation of this Opinion.

Earlier today, EDPS Giovanni Buttarelli declared that the Privacy Shield was "not robust enough." Although "a step in the right direction," it was deemed inadequate. Specific criticisms involve safeguards, judicial redress, and routine access by the U.S. government.  In Opinion 4/2016, titled "Opinion on the EU-U.S. Privacy Shield draft adequacy decision", the EDPS outlined three main recommendations (integrating data protection principles, limiting exceptions, which are referred to in EU law as "derogations", and improving redress and oversight mechanisms) as well as five secondary recommendations. You can read the full text of the EDPS Opinion for yourself here.

The sense of urgency is real. The General Data Protection Regulation (technically regulation EU 2016/679, but known simply as the "GDPR") becomes effective in May 2018, and the Privacy Shield was intended to take effect before the GDPR in order to satisfy its requirements in addition to the existing EU legal framework.

Stay tuned, as there is certainly much more to come.

Sunday, March 6, 2016

Has The U.S. Found A "Privacy Shield" That The E.U. Can Live With?

Regular readers know I've been writing recently (here and here) about the collapse of the EU/US data privacy Safe Harbor framework and the efforts to negotiate a trans-Atlantic resolution. This is a major issue for U.S. organizations that do business in Europe or with Europeans. 

On Monday (February 29), the U.S. Department of Commerce released a proposal (the "Privacy Shield") designed to "provide[] a set of robust and enforceable protections for the personal data of EU individuals." The Privacy Shield release is *just* 132 pages, which you can read here.

To rely upon the Privacy Shield framework, a U.S. based organization would be required to self-certify to the Department of Commerce and publicly commit to comply with the Privacy Shield's requirements. While joining the Privacy Shield framework will be voluntary, once an organization undertakes to comply with the Framework’s requirements, the commitment will become enforceable under U.S. law. Key elements are outlined in a "fact sheet" here, including the following:
  • The Privacy Shield contains seven distinct categories of "principles" including notice, choice, accountability for onward transfer, purpose limitation, recourse, enforcement and liability among others. (These should sound familiar to those who previously complied with the Data Protection Directive.)
  • U.S. entities will continue to self-certify.
  • U.S. entities will adopt a privacy policy statement which will become legally enforceable.
  • When a U.S. entity's privacy policy is available online, it must include a link to the Department of Commerce’s Privacy Shield website and a link to the website or complaint submission form to investigate individual complaints.
  • A U.S. entity must inform individuals of their rights to access their personal data, the requirement to disclose personal information in response to lawful request by public authorities, which enforcement authority has jurisdiction over the organization’s compliance, and the organization’s liability in cases of onward transfer of data to third parties.
  • Privacy Shield participants must limit personal information to the information relevant for the purposes of processing. Additional personal information may not be collected and retained.
  • To transfer personal information to a third party acting as a data controller, a Privacy Shield participant must:
    • Comply with the Notice and Choice Principles.
    • Enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles.
  • To transfer personal data to a third party acting as an agent, a Privacy Shield participant must:
    • Transfer such data only for limited and specified purposes;
    • Ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles;
    • Take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization’s obligations under the Principles;
    • Upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing; and
    • Provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request.
  • Privacy Shield participants must respond promptly to inquiries and requests by the Department of Commerce for information relating to the Privacy Shield Framework.
  • Privacy Shield participants must make public any relevant Privacy Shield-related sections of any compliance or assessment report submitted to the FTC if the organization becomes subject to an FTC or court order based on non-compliance.
  • If an organization leaves the Privacy Shield Framework, it must annually certify its commitment to apply the Principles to information received under the Privacy Shield Framework if it chooses to keep such data or provide “adequate” protection for the information by another authorized means.
There's still a big question mark: A genuine uncertainty exists as to whether the proposal will be approved (i.e., deemed "adequate") in Brussels.  If the EU determines that the Privacy Shield framework is adequate, the U.S. Department of Commerce will begin accepting certifications from U.S. organizations promptly.

Wednesday, December 16, 2015

New European Privacy Plan Released!

Yesterday the European Parliament and Council announced they have (finally) agreed upon a new General Data Protection Regulation (the GDPR).  This is really big news for all U.S. companies that do business in Europe or with Europeans!

The GDPR has not yet been voted into law, but the agreed-upon language is probably quite close to the final law.  The International Association of Privacy Professionals (of which I'm a certified member) has published a great, concise list of the key provisions, which I commend to you:

• The law applies to any controller or processor of EU citizen data, regardless of where the controller or processor is headquartered.

• Notification of a data breach that creates significant risk for the data subjects involved must be made within 72 hours of the discovery of the breach.

• New powers are provided to data protection authorities, including the ability to fine organizations up to four percent of their annual revenue.

• Many organizations will now be required to appoint a data protection officer.

• Personal data may only be collected for “specified, explicit and legitimate purposes."  The text also introduces principles of “data minimization,” “accuracy,” “storage limitation” and “integrity and confidentiality.”

• The GDPR requires “accountability,” which means the “controller shall be responsible for and be able to demonstrate compliance” with the law.

• Processing of data will only be allowed with explicit consent, to perform a contract, to comply with a legal obligation, to protect the vital interests of the data subject, or to perform a task in the public interest.

• That consent has to be demonstrable upon demand, and can be retracted by the data subject at any time.

• There will still be variation from member state to member state.

• Children under the age of 16 will need to get parental approval to give consent unless the member nation passes a law to lower the age no lower than 13.

• Special categories of personal data are established that include genetic, biometric, health, racial and political data, among others.

• Data controllers have to provide any information they hold about a data subject free of charge and within one month of request.

• A “right to erasure” is established, where controllers are required to delete personal data...even if the data has been made public already.

The next legislative step is for the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs ("LIBE Committee") to vote on the text tomorrow (December 17) and if it passes, the full Parliament is expected to vote in January.

There is much more to come on this very significant development.  I will be sharing commentary on Twitter (@MattCordell and @PrivacyLawNC) and on LinkedIn as I come across it.

Source: https://iapp.org/news/a/gdpr-we-have-agreement/

Tuesday, December 1, 2015

New N.C. Privacy Statute Becomes Effective


Several new North Carolina laws become effective today, December 1st, 2015. Among them are some privacy law enhancements including provisions that are known as the "revenge porn" statute. [Session Law 2015-250] Just over half of the states currently have such laws on the books, and about nine states' statutes create a civil remedy. The statutes are designed to address a troubling trend of people posting intimate images or video of another person, usually a former partner, on the internet to gain "revenge" by humiliating the person. Some states' courts recognize common law legal theories that can be used to combat this activity, but many states concluded that a specific statute was necessary and appropriate. As of today, North Carolina is among them.

The new statute makes it unlawful to "disclose a private image" if all five of the following facts and circumstances are present:

  (1) Intent. The person knowingly discloses an image of another person with the intent to coerce, harass, intimidate, demean, humiliate, or cause financial loss to the depicted person (or cause others to do so).

  (2) Identifiable. The depicted person must be identifiable from the disclosed image itself or information provided in connection with the image.

  (3) Private Parts or Conduct. The depicted person's intimate parts are exposed or the depicted person is engaged in sexual conduct in the image.

  (4) Lack of Consent. The person discloses the image without the affirmative consent of the depicted person.

  (5) Expectation of Privacy. The person discloses the image under circumstances such that the person knew or should have known that the depicted person had a reasonable expectation of privacy.

A violation of the statute is a felony and gives the person who is the subject of the image a right to sue the offending person. In a lawsuit, the subject of the image can recover his or her actual damages (which are assumed to be the higher of $1,000 per day for each day of the violation or $10,000); punitive damages (to punish the offender); and attorneys' fees and other litigation costs. A court can also order the destruction of the image(s). The lawsuit must be filed no later than one year after the discovery of the offense, and no later than seven years after the last known disclosure of the image.

The criminal penalties may be subject to a Constitutional challenge in the future, because the First Amendment guarantees rights that the statute could be interpreted to limit. Similar statutes in several other states have been challenged on Constitutional grounds. It will be interesting to see how North Carolina's statute will fare when the inevitable challenge comes.

You can read more about the statute here.

Tuesday, October 6, 2015

The EU/US Safe Harbor Is No Longer Safe, Says The EU's Highest Court. Is Your Data A Liability?

Today, Europe's top court, the European Court of Justice, ruled that a 15-year-old pact between the United States and the European Union which allowed American organizations to handle the personal data of Europeans (the EU/US Safe Harbor) was invalid. The decision will have massive, far-reaching implications for American businesses and other organizations that are active in Europe.

The Backdrop

Trans-Atlantic data transfers involving the personal information of Europeans must comply with the Data Protection Directive, which is a European pact that has been adopted by each member state (i.e., most of Europe, but not Switzerland). The Directive requires that a transfer of personal data to a non-EU country may take place only if that country ensures an adequate level of data protection and privacy. The Directive also provides that the EU Data Protection Commission may determine that a non-EU country ensures an adequate level of protection as a result of that country's own domestic privacy laws or an international treaty.

The Facts

The challenge to the Safe Harbor arose in legal proceedings between an Austrian citizen, Mr. Maximilian Schrems, and the Irish Data Protection Commissioner concerning the Commissioner's refusal to investigate a complaint made by Schrems. Schrems has been a Facebook user since 2008, and some or all of the data provided by Schrems to Facebook was transferred from Facebook’s Irish subsidiary to servers located in the United States. Schrems lodged a complaint with the Irish Commissioner, alleging that, in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the US intelligence services (specifically the NSA), the law and practice of the United States do not offer sufficient protection against surveillance.

The Issues

In response to Schrems' allegations, Facebook pointed out that it was fully compliant with the EU/US Safe Harbor and the US Department of Commerce's requirements for participation in the Safe Harbor. The Irish Commissioner refused to consider the complaint because the EU Data Protection Commission had long ago ruled (in 2000) that the EU/US Safe Harbor was a valid basis for the trans-Atlantic transfer of personal data of European citizens. (As a technical legal matter, the case was a challenge of the validity of Commission Decision 2000/520/EC (26 July 2000) pursuant to Directive 95/46 on the adequacy of the protection provided by the safe harbor privacy principles and related FAQ issued by the US Department of Commerce.)

The Court's Conclusions

The Court concluded that the decision by the EU Data Protection Commission that the EU/US Safe Harbor is valid did not preclude a member nation's Data Protection Commissioner (in this case Ireland) from reaching the opposite conclusion. The Court ruled that the Irish Commissioner should have heard the complaint and made an independent determination whether the EU/US Safe Harbor provides adequate protection of the personal information of EU citizens in light of the fact that the US government's surveillance programs might not respect the privacy of EU citizens as interpreted under EU law.

The Court went further to evaluate the 2000 decision of the EU Data Protection Commission. It determined that in the US, national security, public interest, or law enforcement interests prevail over the Safe Harbor scheme, so that US organizations are required by US law to disregard the protective rules laid down by the Safe Harbor when they conflict with US policy interests. The Court then concluded that US law, and the Safe Harbor, enable interference by United States national security and law enforcement authorities with the fundamental rights of Europeans. This interference is incompatible with the Directive, said the Court.

Having reached these conclusions, the Court held that the Irish Commissioner was required to evaluate Schrems’ complaint "with all due diligence" and following its "investigation," was obligated to "decide whether, pursuant to the Directive, transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data." The Court essentially remanded the case to the Irish Commissioner with instructions to evaluate the issues, and with the subtext that the EU/US Safe Harbor is inadequate.

You can read the Court's decision here, and the Court's press release here.

No appeal is possible, because the European Court of Justice is the equivalent of the U.S. Supreme Court--the court of last resort. Simultaneously, European leaders and US officials are negotiating a new agreement on trans-Atlantic data transfers. Today's decision will no doubt create a new degree of urgency in those talks.

What Does It Mean to Your Organization?

The likely outcome of this decision is that transfers of personal data made under the auspices of the Safe Harbor may violate European data protection laws. In other words, the Safe Harbor is no longer "safe" at all. Without the Safe Harbor, each country in the EU could reach different conclusions as to whether US privacy laws and practices satisfy the EU's Directive, which would require US companies to address each member nation's laws individually rather than satisfying a single set of EU requirements. This could create enormous obstacles to US organizations doing business in Europe.

As a result, organizations are well-advised to take a belt-and-suspenders approach (or "belt-and-braces" as they say across the Atlantic) by ensuring that data transfers are justified on another basis (in addition to compliance with the Safe Harbor). Those other bases include "binding corporate resolutions" (in which the organization essentially passes a binding corporate resolution to comply with EU law with respect to EU personal data) and "model clauses" (which are contractual obligations to comply with EU privacy requirements). The binding corporate resolutions and model clauses have frequently been deemed more onerous for US organizations than the Safe Harbor's requirements, and have historically been less popular among US organizations.

- Matt Cordell

Friday, July 3, 2015

I'm a Certified Information Privacy Professional. (What Does That Mean?)

I recently became IAPP CIPP/US certified.  "What does that mean?" you ask?  Good question! 

What is the CIPP/US designation?

The International Association of Privacy Professionals (IAPP) is a nonprofit association of privacy professionals--the largest in the world. The IAPP issues the Certified Information Privacy Professional (CIPP) designations, which are the most recognized information privacy certifications globally. The CIPP/US credential demonstrates an understanding of privacy and security concepts, best practices, and international norms, with a specific emphasis on U.S. privacy and information security laws.  Applicants are tested to ensure they have the requisite knowledge in the following areas:

I. The U.S. Privacy Environment
A. Structure of U.S. Law
i. Constitutions
ii. Legislation
iii. Regulations and rules
iv. Case law
v. Common law
vi. Contract law
c. Legal definitions
d. Regulatory authorities
i. Federal Trade Commission (FTC)
ii. Federal Communications Commission (FCC)
iii. Department of Commerce (DoC)
iv. Department of Health and Human Services (HHS)
v. Banking regulators
vi. State attorneys general
vii. Self-regulatory programs and trust marks
e. Understanding laws
i. Scope and application
ii. Analyzing a law
iii. Determining jurisdiction
iv. Preemption
B. Enforcement of U.S. Privacy and Security Laws
a. Criminal versus civil liability
b. General theories of legal liability
i. Contract
ii. Tort
iii. Civil enforcement
c. Negligence
d. Unfair and deceptive trade practices (UDTP)
e. Federal enforcement actions
f. State enforcement (Attorneys General (AGs), etc.)
g. Cross-border enforcement issues (Global Privacy Enforcement Network (GPEN))
h. Self-regulatory enforcement (PCI, Trust Marks)
C. Information Management from a U.S. Perspective
a. Data classification
b. Privacy program development
c. Incident response programs
d. Training
e. Accountability
f. Data retention and disposal (FACTA)
g. Vendor management
i. Vendor incidents
h. International data transfers
i. U.S. Safe Harbor
ii. Binding Corporate Rules (BCRs)
i. Other key considerations for U.S.-based global multinational companies
j. Resolving multinational compliance conflicts
i. EU data protection versus e-discovery
II. Limits on Private-sector Collection and Use of Data
A. Cross-sector FTC Privacy Protection
a. The Federal Trade Commission Act
b. FTC Privacy Enforcement Actions
c. FTC Security Enforcement Actions
d. The Children’s Online Privacy Protection Act of 1998 (COPPA)
B. Medical
a. The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
i. HIPAA privacy rule
ii. HIPAA security rule
b. Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009
C. Financial
a. The Fair Credit Reporting Act of 1970 (FCRA)
b. The Fair and Accurate Credit Transactions Act of 2003 (FACTA)
c. The Financial Services Modernization Act of 1999 ("Gramm-Leach-Bliley" or GLBA)
i. GLBA privacy rule
ii. GLBA safeguards rule
d. Red Flags Rule
e. Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010
f. Consumer Financial Protection Bureau
D. Education
a. Family Educational Rights and Privacy Act of 1974 (FERPA)
E. Telecommunications and Marketing
a. Telemarketing sales rule (TSR) and the Telephone Consumer Protection Act of 1991 (TCPA)
i. The Do-Not-Call registry (DNC)
b. Combating the Assault of Non-solicited Pornography and Marketing Act of 2003 (CAN-SPAM)
c. The Junk Fax Prevention Act of 2005 (JFPA)
d. The Wireless Domain Registry
e. Telecommunications Act of 1996 and Customer Proprietary Network Information
f. Video Privacy Protection Act of 1988 (VPPA)
g. Cable Communications Privacy Act of 1984
III. Government and Court Access to Private-sector Information
A. Law Enforcement and Privacy
a. Access to financial data
i. Right to Financial Privacy Act of 1978
ii. The Bank Secrecy Act
b. Access to communications
i. Wiretaps
ii. Electronic Communications Privacy Act (ECPA)
1. E-mails
2. Stored records
3. Pen registers
c. The Communications Assistance to Law Enforcement Act (CALEA)
B. National Security and Privacy
a. Foreign Intelligence Surveillance Act of 1978 (FISA)
i. Wiretaps
ii. E-mails and stored records
iii. National security letters
b. Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA-Patriot Act)
i. Other changes after USA-Patriot Act
C. Civil Litigation and Privacy
a. Compelled disclosure of media information
i. Privacy Protection Act of 1980
b. Electronic discovery
IV. Workplace Privacy
A. Introduction to Workplace Privacy
a. Workplace privacy concepts
i. Human resources management
b. U.S. agencies regulating workplace privacy issues
i. Federal Trade Commission (FTC)
ii. Department of Labor
iii. Equal Employment Opportunity Commission (EEOC)
iv. National Labor Relations Board (NLRB)
v. Occupational Safety and Health Act (OSHA)
vi. Securities and Exchange Commission (SEC)
c. U.S. Anti-discrimination laws
i. The Civil Rights Act of 1964
ii. Americans with Disabilities Act (ADA)
iii. Genetic Information Nondiscrimination Act (GINA)
B. Privacy before, during and after employment
a. Employee background screening
i. Requirements under FCRA
ii. Methods
1. Personality and psychological evaluations
2. Polygraph testing
3. Drug and alcohol testing
4. Social media
b. Employee monitoring
i. Technologies
1. Computer usage (including social media)
2. Location-based services (LBS)
3. Mobile computing
4. E-mail
5. Postal mail
6. Photography
7. Telephony
8. Video
ii. Requirements under the Electronic Communications Privacy Act of 1986 (ECPA)
iii. Unionized worker issues concerning monitoring in the U.S. workplace
c. Investigation of employee misconduct
i. Data handling in misconduct investigations
ii. Use of third parties in investigations
iii. Documenting performance problems
iv. Balancing rights of multiple individuals in a single situation
d. Termination of the employment relationship
i. Transition management
ii. Records retention
iii. References
V. State Privacy Laws
A. Federal vs. state authority
B. Marketing laws
C. Financial Data
a. Credit history
b. California SB-1
D. Data Security Laws
a. SSN
b. Data destruction
E. Data Breach Notification Laws
a. Elements of state data breach notification laws
b. Key differences among states

Why did you decide to get the CIPP/US certification? 

More and more people are claiming to be privacy experts these days, including a number of lawyers. Although very few law firms advertised a privacy practice group as of just a few years ago, almost all large law firms do now...with varying degrees of credibility. Some lawyers are holding themselves out as privacy experts when their expertise is limited to a couple of privacy laws and a specific context. They are nonetheless re-branding themselves as "privacy" lawyers. While there certainly are more lawyers who are competent in a range of privacy and information security issues than ever before, they remain few and far between. The CIPP/US certification is perhaps the best way to clearly and immediately demonstrate an understanding of the core concepts and legal issues of privacy and information security.

Does the CIPP/US designation guarantee expertise?

The CIPP/US designation does not guarantee expertise in any particular area of privacy law. The certification tests (there are currently two) do not require the depth of understanding that a true expert must have. For example, the study guides and tests cover financial privacy issues at a level of depth just beyond the surface. There is much more to know about financial privacy law and practice. However, the CIPP/US designation does provide assurance that the certificate holder is at least aware of the salient issues and knows where to find answers or guidance, and those two items are very important. Furthermore, certification requires ongoing learning. Maintaining IAPP CIPP certification requires the holder to fulfill 20 hours of continuing privacy education (CPE) per two-year period, to ensure the holder's knowledge remains up to date.

The CIPP/US certification is no guarantee of true legal expertise, but it does provide an independent confirmation of basic competence across a broad spectrum of privacy and information security law. It also tells you that the holder is continuing to build upon his or her knowledge in these areas.

* The N.C. State Bar, the regulatory body that supervises and disciplines lawyers licensed in North Carolina, prohibits a lawyer from using the term "specialized" to describe anything other than a N.C. Bar-issued certificate of specialization in one of a very limited number of fields of law. There is no specialization certificate available from the N.C. State Bar for privacy, information security, or any related field of law.

Sunday, March 1, 2015

Information Security Breaches, Unauthorized Transactions, and Account Takeovers...or "What You Missed"

On Friday, I had the honor of joining some distinguished speakers for an all-day continuing legal education seminar on computer technology and the law. My fellow presenters were:
  • Clark Walton, former CIA forensic computer analyst, lawyer with Alexander Ricks, and founder of computer forensic firm Reliance Forensics (and formerly Chair of the NCBA Young Lawyers Division and the American Bar Association's Young Lawyer of the Year).
  • Ashden Fein, lead prosecutor of Private Bradley Manning in the WikiLeaks trial and now lawyer with Covington & Burling in Washington, D.C.
  • Chris Swecker, former Assistant Director of the FBI, lawyer, and security consultant.
  • Kim Korando, employment lawyer with Smith Anderson.
  • Joyce Brafford, law practice technology guru with the NCBA's Center for Practice Management.
It was a fascinating day, and I enjoyed hearing from these great speakers more than I enjoyed speaking myself. 

In the course of my presentation, we discussed the various legal response requirements following a data security breach, as well as liability for unauthorized transfers in consumer and commercial accounts. 

The program was well-attended in person and by webinar, but if you missed the opportunity to attend, I am providing a link to my slideshow here.  I hope you find it useful.