Category: Regulations

Smith says updating both laws will help provide greater legal certainty related to cloud computing.

While lawmakers, industry, public interest groups and others debate how to update ECPA, there has been little discussion of also updating the CFAA. In an interview following his speech to the Gov 2.0 Expo this week, Smith noted one area that an update of CFAA could address is the ability of cloud service providers to sue those who may attack data stored by an indivdual in the cloud operated by a third party.

During a Senate Judiciary hearing late last year on legal issues related to cyber attacks, at least one witness also cited the need to update the CFAA.

“This includes the right of private response to computer penetrations, such as cyber counterattacks, by our government or private individuals or companies in retaliation for cyber intrusions.”

http://techdailydose.nationaljournal.com/2010/05/microsoft-official-calls-for-u.php

In fact, with no penalties for failure to notify security breaches, the provisions may do more harm than good since Canadians will expect to receive notifications in the event of a breach, but companies may err on the side of not notifying (given the very high threshold discussed below) safe in the knowledge that there are no financial penalties for failing to do so.

The bill changes the definition of business contact information (which is not treated as personal information) by expressly including business email addresses. This overturns a successful complaint I filed years ago against the (now defunct) Ottawa Renegades over their use of my email address. The change further confirms that PIPEDA cannot be used in spam cases, but C-28 should provide far more effective tools.

The bill establishes a new prospective business transaction exception that permits use and disclosure of personal information in various business transactions. The provision creates some limits on the use of the information, but is designed to address concerns from the business community that PIPEDA could create barriers to mergers and acquisitions as well as other transactions.

The bill creates a new work product exception for the collection, use, and disclosure for information produced by an individual in the course of the employment.

The bill purports to clarify “lawful authority” (ie. disclosure to lawful authority without a court order) but as David Fraser notes it really doesn’t clarify much of anything.

Rather, it encourages disclosures without court oversight by confirming that businesses are not required to verify the validity of the lawful authority. The organization makes its own determination of whether there is a real risk having regard to the sensitivity of the information and the probability that the personal information has been, is being, or will be misused.

By comparison, the California law requires disclosure of any breach of unencrypted personal information that is reasonably believed to have been acquired by an unauthorized person.

In other words, the only threshold is whether an unauthorized person acquired the information, not whether there is real risk of significant harm (other states merely require harm, not significant harm).

Security breach disclosure was widely recognized as a major hole in the Canadian law framework, yet this proposal is a major disappointment that falls far short of striking the right balance between protecting Canadians, encouraging appropriate safeguards of personal information, and guarding against overwhelming Canadians with too many notices.

http://www.michaelgeist.ca/content/view/5059/125/

Multinational companies can use binding corporate rules to send data to parts of the company in different countries, and companies can also use model contract clauses produced by the European Commission to bind companies outside of the EU to its high data protection standards.

The Düsseldorfer Kreis has said, though, that there are worries about how thorough US companies are being when they claim they have complied with the Safe Harbor deal, and has told German companies that they must make their own checks on US firms. “Any certification older than seven years old is not valid.” The group also said that companies must check how US companies tell the subjects of the data being transferred that it is processing their data and ensure that privacy regulators can check that this has been done.

A large number of organisations failed to comply with Principle 7 — Enforcement and Dispute Resolution, as they did not identify an independent dispute resolution process for consumers. Many of these false claims have continued for several years,” said the study, which examined compliance with just one of the scheme’s seven Safe Harbor Framework Principles. The study was not the first to find problems in the implementation of the Safe Harbor programme.

“Overall the study found that the problems identified in previous reviews of the Safe Harbor have not been rectified, and that the number of false claims made by organisations represents a significant privacy risk to consumers,” it said.

Louise Townsend of Pinsent Masons, the law firm behind OUT-LAW.COM, said that companies should be making basic checks on any firm they hire to process data for them even if they are part of the Safe Harbor programme.

http://www.theregister.co.uk/2010/05/25/eu_us_privacy/

Lawyers speaking at the Law Seminars International event on Monday offered advice about the types of research companies should do before signing up for cloud services to make sure they can protect themselves from potential legal fallout.

One of the most important issues facing companies that wish to store or process data in the cloud is determining which legal systems have jurisdiction over the data. A company using a cloud service could have users all over the world and those users’ information could be shifted to facilities around the globe. “So there are four possible legal locations for the information at any moment,” James said. Laws applicable to the location of the company’s headquarters, the location of the servers, the location of the consumer and the location of the communications equipment transmitting the information between the user and the provider could all potentially apply.

On the federal level, legislation like the Health Insurance Portability and Accountability Act and the Children’s Online Privacy Protection Act defines how businesses handle certain kinds of data like information related to health and children.

In addition, 45 states have laws covering how companies must secure customer data. “Although many state statutes are similar, there are enough outliers that you need to think about them,” said Reingold. For instance, some states define personally identifiable information as including a mother’s maiden name, biometrics and birth dates while others only include more basic information like name, Social Security number and driver’s licence number.

“The reason we can have this service that is inexpensive is because [cloud providers] can put their servers anywhere and can shift loads based on things like where the cost of energy is lower,” said Francoise Gilbert, a lawyer with IT Law Group.

Some companies may initially think it’s a good strategy to find a provider with data centers in countries that have no data protection laws. Europe and a few countries that have adopted a similar model including Tunisia, Morocco and Uruguay have clear laws covering what kinds of personal data companies can store and whether they can move that data in and out of the country. In the U.S., companies may collect some of that information to look for diversity in their workforce. But if they use a cloud provider with data centers in Europe, European law prohibits them from storing that kind of data.

“The legal system has been far, far outpaced by technology,” said Reingold.

http://www.pcworld.com/businesscenter/article/196578/cloud_service_users_face_confusing_legal_landscape.html

When things go wrong, a security breach can cause real harm and great distress to thousands of people,” said Information Commissioner Christopher Graham at the time. “UK businesses should take note of the new rules and ensure they have effective data protection compliance measures in place to meet the ICO’s standards,” he added.

Nugent suggested that the new powers may also pave the way for other measures under consideration, including potential prison sentences for criminal offences involving the misuse of personal data.

However, William Malcolm, an information law expert at international lawfirm Pinsent Masons, warned that the new powers represent a “step change” for the ICO that many firms may not be aware of. While this is a significant deterrent now, they need to make sure they carry out reviews of how personal data is handled, and implement sensible controls to ensure that data is protected,” he said.

The ICO has stepped up enforcement in recent years, and would undoubtedly have used the powers to deal with some of the cases it has dealt with over the past six months had they been available.”

Richard Turner, chief executive of data security firm Clearswift, agreed that education efforts need to be stepped up. “The ICO will have a wide scope of interpretation when applying its new regime, as the fines can be levied for breaches of principles, rather than against the underlying detailed legal requirements…The first few fines the ICO levies will therefore set the tone,” he said.

“While the largest fines may only be dealt out to larger companies for serious breaches of the DPA, all organisations are now faced with a very real threat of significant financial penalties over and above any existing operational clean up costs and reputational damage should they suffer a breach.”

http://www.v3.co.uk/v3/analysis/2260796/firms-warned-guard-ico-powers

Olympia Snowe (R-Maine), was introduced last April and then re-introduced last week with some key changes. Notably, it no longer gives the president unilateral power to disconnect networks from the Internet in the event of a major cyberattack. The bill also includes amendments for how the president and private sector can work together to help secure critical infrastructure.

During the hearing, senators expressed how important it is that the Senate passes the legislation quickly, as it’s long overdue. “The government hasn’t gotten its act together; the private sector has had problems getting its act together,” he said. Bill Nelson (D-Florida) said that might even be too much time in light of potential cyber threats.

The House last month passed its own cybersecurity bill, the Cybersecurity Enhancement Act of 2009 (HR 4061), first introduced by Rep. Daniel Lipinski (D-IL) last year.

http://www.darkreading.com/security/government/showArticle.jhtml?articleID=224200245&cid=RSSfeed