Cybersecurity and Data Privacy
Professor Matthew Kugler
IFLP Bootcamp
Spring 2018
Data Security v. Data Privacy
• Data Security: Do only the people who are authorized to have your data have your data?
• Data Privacy: What can the people authorized to have your data do with it?
American Data Privacy
• Gill v. Hearst Publishing, 40 Cal.2d 224 (1953).
• That which is exposed to the public is no longer private.
American Data Privacy
• Virtually no inherent rights in your personal information.
– Fair Credit Reporting Act regulates use of some data in employment and financial transactions. (Spokeo).
– Wiretap Act regulates some monitoring of electronic communications. (Google). But consent.
Data Privacy and Tort
• Dwyer v. American Express, 273 Ill. App. 3d 742 (1995).
– Cardholders are classified into groups based on their buying habits, such as “Rodeo Drive Chic” or “Value Oriented.”
– AmEx then sells lists of customers who fit particular profiles to merchants. It also offers to put together lists of customers interested in certain types of products, such as fine jewelry.
Data Breach Statutes
• All states have them (as of 2018)!
• All of the statutes require notification to the affected person.
– Some on mere acquisition of information, some only if there is a probability of misuse.
• Most civilized states require notification to the state AG or a state agency (CA, IL, NY, VA, etc.).
• Few have a private right of action (AK, CA, MD, MA, NC, WA). Some others allow one under common law.
CA’s Law
• Notify if unencrypted information is, or is reasonably believed to have been, acquired by an unauthorized person.
• Information could be: Name + any of:
– SSN, driver’s license #, financial account # + password, user names + passwords.
• Requirement that companies use “reasonable security procedures.”
• Private right of action, but no statutory damages.
Article III Standing
• Spokeo: “To establish injury in fact, a plaintiff must show that he or she suffered ‘an invasion of a legally protected interest’ that is ‘concrete and particularized’ and ‘actual or imminent, not conjectural or hypothetical.’”
Concrete and Particularized
• A “concrete” injury must be “de facto”; that is, it must actually exist. Black’s Law Dictionary. When we have used the adjective “concrete,” we have meant to convey the usual meaning of the term — “real,” and not “abstract.” Webster’s.
• “For an injury to be ‘particularized,’ it ‘must affect the plaintiff in a personal and individual way.’”
Clapper
• “Respondents cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.”
• Parties “cannot manufacture standing by incurring costs in anticipation of non-imminent harm.”
Types of Harm in Data Breaches
• Emotional distress.
• Increased risk of future harm/ID theft.
• Precautions to reduce future harm.
• Liability for fraudulent charges.
• “Sorting out” costs.
Current Circuit Split
• If information is definitely taken and some people’s information is definitely misused, is that enough?
– Sometimes yes, sometimes no.
• Issue with the probability of harm:
– One case: 9,200 numbers used fraudulently out of 350,000 card numbers stolen.
– 2.6%.
Notice and Consent Model
• Tort basically fails to protect privacy in the data context. It doesn’t do much better in the data security context.
• Leads to the notice and consent model:
– You have no inherent rights, but can hold firms to their promises: privacy policies.
– But you haven’t ever read them, wouldn’t understand them, and they don’t contain much real information.
Actual Data Privacy and Security Regulation
• The Federal Trade Commission.
Scope of FTC Authority
• Section 5: allows the FTC to bring enforcement actions against companies engaging in “unfair or deceptive acts or practices in or affecting commerce.”
• Does not cover:
– Nonprofits
– Airlines
– Many financial institutions
– Telecom
FTC Deceptive Acts
• “A deceptive act or practice is:
– a material representation, omission or practice
– that is likely to mislead the consumer acting reasonably in the circumstances,
– to the consumer’s detriment.”
FTC Remedies
• No private right of action.
• Can get injunctions under Section 5, but cannot issue fines except for violations of injunctions.
• So all injunctions bar further unfair acts or practices… giving the FTC fining authority on round 2.
– 20 years of monitoring.
In the Matter of Facebook (2012)
• Shared more information with third-party apps than it claimed.
• Allowed advertisers to see who clicked on their ads when it claimed more was required.
• Wasn’t clear how the new privacy settings differed from the old ones.
• Photos lasting forever.
FTC Unfair Acts
• An act is unfair if it:
– “caused or is likely to cause substantial injury to consumers
– which is not reasonably avoidable by consumers themselves
– and is not outweighed by countervailing benefits to consumers or competition.”
In the Matter of Nomi
• Nomi installed sensors that tracked the MAC addresses of phones in close proximity. Used by brick-and-mortar stores to monitor traffic.
• Consumers could opt out by going to the Nomi website and entering their MAC address.
– “Nomi pledges to … Always allow consumers to opt out of Nomi’s Service on its website as well as at any retailer using Nomi’s technology.”
FTC and Data Privacy
• Almost entirely about enforcing promises.
• Even if the promises are dumb/irrelevant.
• Only a handful of actions a year.
– But there are only so many big companies in Silicon Valley.
Data Security II: The FTC Strikes Back
FTC v. Wyndham
• Wyndham Worldwide suffers repeated data breaches. FTC brings suit.
• Wyndham argues:
– the Section 5 unfairness authority does not extend to data security; and
– the FTC has failed to give fair notice of what data security practices are required by law.
FTC Unfair Acts
• An act is unfair if it:
– “caused or is likely to cause substantial injury to consumers
– which is not reasonably avoidable by consumers themselves
– and is not outweighed by countervailing benefits to consumers or competition.”
What Happened?
“In April 2008, hackers first broke into the local network of a hotel in Phoenix, Arizona, which was connected to Wyndham’s network and the Internet. They then used the brute-force method—repeatedly guessing users’ login IDs and passwords—to access an administrator account on Wyndham’s network. This enabled them to obtain consumer data on computers throughout the network. In total, the hackers obtained unencrypted information for over 500,000 accounts…”
What Happened… Again
“In March 2009, hackers attacked again, this time by accessing Wyndham’s network through an administrative account. The FTC claims that Wyndham was unaware of the attack for two months….”
“Hackers in late 2009 breached Wyndham’s cybersecurity a third time by accessing an administrator account on one of its networks….”
Flaws
• Payment card information was stored in clear, readable text (rather than encrypted).
• Simple, easily guessed passwords.
• Did not segment networks.
• Did not use automated security patching.
• Remote access was not restricted for third-party vendors.
• Did not use reasonable measures to detect and prevent unauthorized access.
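A detection check for the last flaw above, applied to the intrusion pattern the opinion describes (repeated guessing against an administrator account followed by a successful login), written as an added example that is not part of the slides or of any court record; the log line format, the host addresses and the five-failure threshold are assumptions:

```python
# Added example, not from the slides: flag the brute-force pattern in the Wyndham
# opinion (repeated failed admin logins, then a success) in constructed auth logs.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample lines in an assumed format; addresses are documentation ranges.
SAMPLE_LOG = """\
2018-03-01T10:00:01 auth FAIL user=admin src=198.51.100.7
2018-03-01T10:00:02 auth FAIL user=admin src=198.51.100.7
2018-03-01T10:00:03 auth FAIL user=admin src=198.51.100.7
2018-03-01T10:00:04 auth FAIL user=admin src=198.51.100.7
2018-03-01T10:00:05 auth FAIL user=admin src=198.51.100.7
2018-03-01T10:00:06 auth OK user=admin src=198.51.100.7
2018-03-01T10:05:00 auth FAIL user=jsmith src=203.0.113.9
2018-03-01T10:30:00 auth OK user=jsmith src=203.0.113.9
"""

def parse(log_text):
    """Parse log lines into dicts, skipping lines that do not match."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            events.append(d)
    return events

def detect_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Alert on (user, src) pairs with `threshold` failures inside `window`,
    and again if a success follows such a burst (probable compromise)."""
    alerts, fails = [], defaultdict(list)
    for e in events:
        key = (e["user"], e["src"])
        recent = [t for t in fails[key] if e["ts"] - t <= window]
        if e["result"] == "FAIL":
            recent.append(e["ts"])
            if len(recent) == threshold:
                alerts.append(("brute_force", e["user"], e["src"], e["ts"]))
            fails[key] = recent
        else:
            if len(recent) >= threshold:
                alerts.append(("probable_compromise", e["user"], e["src"], e["ts"]))
            fails[key] = []  # a success resets the failure run
    return alerts
```

On the sample log the admin account trips both alerts while the single jsmith failure followed by a later success trips neither.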
FTC v. Wyndham (3d Cir. 2015)
• Unfairness works like a negligence tort. Not super clear, but we hold companies to it anyway.
• Wyndham had notice that its procedures weren’t enough (3 breaches).
• FTC sends out informational brochures.
• FTC consent decrees with other companies.
Harm in Wyndham
• $10.6 million in fraud losses.
• From 600k sets of data.
• $16 per set.
• FTC as the best enforcer given the diffuse harm?
In the Matter of TRENDnet (2014)
• TRENDnet marketed “secure” webcams to consumers for purposes such as home security.
• In fact, the webcams were often anything but secure—even “private” feeds could sometimes be publicly viewed.
• TRENDnet also repeatedly ignored warnings from third parties about its inadequate security practices.
TRENDnet
• What kind of harm here?
• What problems with bringing private suits?
Data Security v. Data Privacy
• Data Security: Do only the people who are authorized to have your data have your data?
• Data Privacy: What can the people authorized to have your data do with it?
– American answer: Almost anything not forbidden by contract or named in a small number of specific statutes.