Dec 19, 2014, 1:49pm CST UPDATED: Dec 19, 2014, 3:55pm CST
Brandon N. Robinson, Guest columnist
This year has been incredibly active in the world of data privacy and security. Companies have seen a significant rise in data breaches – including a huge one just weeks ago at Sony.
Additionally, increased use of “big data” analytics and Internet-connected devices promise significant benefits, but also present major data privacy and security risks. Information privacy and security have therefore been primary focus areas this year for businesses, federal and state regulators and legal experts.
Here are some of the broader and more significant events that have occurred in 2014:
Breaches on the rise. 2014 saw a marked increase in data breaches nationwide. Well-publicized victims include large companies such as Sony, Target, Home Depot, J.P. Morgan and P.F. Chang’s, as well as smaller ones such as Michaels and Sally Beauty Supply.
Some of these breaches hit closer to home for Alabamians. In August 2014, Tennessee-based hospital chain Community Health Systems, which operates 11 locations in Alabama, disclosed a cyber attack on its computer systems. The breach exposed patient data from the chain’s 206 hospitals around the country, although Birmingham’s Trinity Medical Center confirmed that none of its patients were affected. Dairy Queen also reported a data breach at five locations in Alabama.
Hackers install malware (e.g., “Backoff”) on point-of-sale systems to steal payment card data, and exploit software vulnerabilities such as “Heartbleed” (a flaw in the OpenSSL library, not malware itself) to extract data from servers. Many companies are combating these efforts with encryption of card data in the terminal as well as EMV (“chip-and-PIN”) payment card technology, which makes captured card data far less useful for counterfeiting. On Oct. 17, President Obama issued an Executive Order which, among other things, directed federal agencies and departments to transition payment processing terminals and payment cards to enhanced security features such as chip-and-PIN payment cards.
NIST Cybersecurity Framework. On Feb. 12, the National Institute of Standards and Technology (NIST) released the first version of its Cybersecurity Framework, which consists of standards, guidelines and practices to promote the protection of critical infrastructure and to assist operators of critical infrastructure across a variety of industries in managing cybersecurity-related risk. The framework, which NIST coordinated pursuant to a February 2013 Executive Order by President Obama, has received primarily positive initial feedback from industry, although it will continue to be updated.
Federal agency activity
2014 saw a flurry of activity by a number of federal agencies related to data privacy and security from both an enforcement and regulatory guidance perspective.
Here’s a look at some of the agencies and how they are responding:
• Department of Health and Human Services (HHS). 2014 saw a significant increase in HIPAA enforcement activity by the HHS Office for Civil Rights, including a record-breaking post-data breach investigation settlement of $4.8 million. In the wake of the Ebola outbreak, HHS issued a bulletin to guide HIPAA covered entities and business associates on “the ways in which patient information may be shared under the HIPAA Privacy rule in an emergency situation, and to serve as a reminder that the protections of the Privacy Rule are not set aside during an emergency.”
• Securities and Exchange Commission. In June 2014 remarks before the New York Stock Exchange, SEC Commissioner Luis Aguilar called on boards of directors to take an active and informed approach to managing cyber risk. The SEC’s Office of Compliance Inspection and Examinations also issued an “OCIE Cybersecurity Initiative” to guide regulated entities on protecting themselves and to highlight the regulatory risks of not implementing adequate cybersecurity.
OCIE will conduct examinations of more than 50 registered broker-dealers and registered investment advisers, and provided a sample list of requests for information. Although the alert was geared towards the securities industry, it could be helpful to any public company with shares trading on a U.S. securities exchange in the event it receives inquiries from the SEC or other agencies about its cybersecurity controls, practices and data breach response plans.
• Federal Communications Commission (FCC). On Oct. 24, the FCC proposed a $10 million fine against telecommunications providers TerraCom and YourTel for failing to properly protect the confidentiality of consumer personal information. This was the FCC’s first data security case and the largest privacy action in the Commission’s history.
• Federal Trade Commission (FTC). In January, the FTC reached a $32.5 million settlement with Apple over billing in-app purchases made by children without parental consent, in violation of the FTC Act’s prohibition against “unfair and deceptive practices.”
In May, the FTC settled a case with Snapchat over allegations that it made “multiple misrepresentations to consumers about its product that stood in stark contrast to how the app actually worked,” including promises about the disappearing nature of messages sent through Snapchat. In September, the FTC assessed $750,000 in civil penalties against mobile app publishers Yelp and TinyCo for violations of the Children’s Online Privacy Protection Act (COPPA), which regulates the collection of certain data from children under 13. Notably, one of the publishers operated a general audience service, not one specifically intended for children.
On Dec. 5, the FTC approved a final consent order with Google in a case with facts similar to those settled with Apple in January. The case alleged that Google billed consumers millions of dollars for in-app charges incurred by children without consent from the parent account holders, and without any password requirement or other method of obtaining account holder authorization. The consent order requires express, informed consent before any further billing, as well as refunds of no less than $19 million in in-app charges.
The FTC also held a series of workshops. It followed its November 2013 workshop on the “Internet of Things” (exploring privacy and security issues posed by the growing connectivity of Internet-connected health and fitness devices, dishwashers and stoves, personal devices and vehicles) with another May 2014 workshop on data privacy issues concerning consumer-generated health data. Another May FTC report recommended more transparency and consumer control over information collected in the data broker industry.
• Department of Transportation. In August, the DOT’s National Highway Traffic Safety Administration (NHTSA) issued an advance notice of proposed rulemaking and a comprehensive report on vehicle-to-vehicle (V2V) communications technology which laid out key elements for future privacy assessments of V2V systems.
• Consumer Financial Protection Bureau (CFPB). The CFPB issued an October final rule that, among other things, eliminated the requirement for certain financial institutions to mail paper copies of the annual privacy notices required under Regulation P, which implements the Gramm-Leach-Bliley Act (GLBA). Financial institutions may now post their annual privacy notice online rather than providing paper copies, provided they satisfy certain conditions, including that they do not share information in ways that trigger consumers’ opt-out rights and that the notice has not changed.
State vs. Federal Data Breach Notification Statutes. In addition to federal regulation, Kentucky became the 47th state to enact a data breach notification statute. Iowa and Florida both expanded their existing statutes. The New York and California state attorneys general both issued reports examining the growing number of data breaches and providing recommendations.
As this discussion shows, 2014 has been abuzz with privacy and security activity. Businesses should be prepared for a variety of potential regulatory actions as well as potential federal or state legislation. They should assess their privacy and security policies and practices, vendor agreements and external statements about their collection and use of personal consumer information. Businesses should also ensure that cybersecurity controls and data breach response plans are in place and consider reviewing insurance policies to ensure appropriate coverage.
Highly regulated industries may already comply with existing security or privacy requirements, but even relatively non-regulated businesses may wish to monitor potential activity by federal consumer protection agencies such as the FTC, their respective state attorneys general, or other general consumer protection agencies.
The focus in 2014 on privacy and security shows no clear signs of slowing down in 2015. In subsequent parts of this series, I will examine in more detail some steps that businesses can take.
Brandon N. Robinson is an attorney in Balch and Bingham’s Privacy and Data Security Practice Group, where he assists organizations in various industries to develop and maintain sound data privacy and security policies and practices, and to respond when privacy or security issues arise. He also works with a number of federal agencies to develop cybersecurity and data privacy standards and industry practices. Mr. Robinson pulls from his comprehensive understanding of data privacy and security issues to counsel business owners in developing key strategies to protect themselves.