
Internet giant Google has signed up to the Privacy Shield, a framework designed to facilitate the transfer of personal data between the EU and US by businesses.

Data storage and software provider Dropbox has also self-certified under the Privacy Shield. The companies are the latest major US technology businesses to sign up to the scheme. Google's certification was registered on 22 September and Dropbox's on 23 September.

Microsoft self-certified under the Privacy Shield in August. Amazon also announced last month that it was in the process of self-certifying, but it appears that it has still to complete that process, as its certification is not yet listed.

Since 1 August, US businesses have been able to self-certify their compliance with a set of privacy principles that make up part of the Privacy Shield.

Data protection law expert Cerys Wyn Davies of Pinsent Masons, the law firm behind Out-Law.com, previously explained that businesses that sign up to the Privacy Shield within the first two months of it becoming operational can do so without first having to update their arrangements for sharing data with others. Wyn Davies said, though, that those businesses then have only a limited time in which to put new contracts in place: under the framework, organisations that certify in that window have nine months from the date of certification to bring their existing onward-transfer contracts into conformity with the Privacy Shield principles.

The European Commission has set out its view that businesses that transfer personal data from the EU to the US in line with the Privacy Shield principles and self-certify under the framework will adhere to EU data protection law requirements regarding the transfer of personal data outside the European Economic Area (EEA).

However, Hamburg's data protection authority has said it is considering raising a legal challenge against the European Commission's endorsement of the Privacy Shield.

Earlier this summer the Article 29 Working Party, a committee representing national data protection authorities from across the EU, stated that it retains some concern about aspects of the Privacy Shield, including in respect of "mass and indiscriminate collection of personal data" by US authorities as well as on some "commercial aspects" of the framework. It said it "regrets … the lack of specific rules on automated decisions and of a general right to object" and said it "also remains unclear how the Privacy Shield Principles shall apply to [data] processors".

Despite its concerns, however, the Working Party indicated that the watchdogs will not challenge the legitimacy of data transfer arrangements under the new Privacy Shield during the first year of its operation.

Copyright © 2016, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.



The Register - Security

The authors of HIPAA wrote a law designed to protect the security and privacy of health information in many different locations. They identified healthcare providers, insurance companies and health information clearinghouses as the most likely places where protected information would reside and imposed requirements that covered entities must protect that information.

Today, Fitbits and other fitness trackers, platforms such as the Apple Watch and HealthKit, and online communities offer individuals the possibility to engage far more in managing their own health, generating additional personal health information in the process. The authors of HIPAA never imagined this world of consumer health technology and, as a result, HIPAA generally does not apply to it.

The holes in HIPAA controls stem from the definition of HIPAA-covered entities. These entities fall into three categories: healthcare providers, health insurers and health information clearinghouses. HIPAA also covers the business associates of covered entities, that is, organizations that create, receive, maintain or transmit protected health information on a covered entity's behalf. Consumer health companies normally do not fit into any of these categories. For example, the maker of a fitness tracking device neither provides medical care to a patient nor receives information from a medical professional, so there is no HIPAA-covered relationship.

What currently falls through the cracks?

Consumers and patients may incorrectly assume that HIPAA provides privacy and security for their health information no matter how such information is gathered, distributed or used. As a result, they may agree to the information practices of noncovered entities collecting their health information, incorrectly believing that they are protected by HIPAA. A 2014 study published in the Journal of the American Medical Informatics Association found that fewer than one third of mobile health applications had privacy policies and that, on average, those policies were written at the reading level of a college senior.

Without a requirement to observe the HIPAA Security Rule, consumers have little insight into the quality of the security controls used by consumer health companies. These companies may gather substantial health information about individuals, and do so in a generally unregulated fashion.

Should HIPAA controls apply to consumer health companies?

HIPAA is likely to be too onerous for many health-related applications. If HIPAA controls were imposed on fitness companies and similar businesses, the burden of compliance would prevent them from operating effectively and would limit the services that they make available to the public. These companies currently don't have the expertise required to comply with the many technical nuances of HIPAA and would be forced to hire compliance staffers and implement expensive controls that are probably overkill for many of their businesses.

This means that simply adding consumer health companies to the scope of HIPAA is not a viable solution. Indeed, the blanket application of HIPAA controls to consumer health companies would likely cause many of them to eliminate or reduce the services they provide or raise their costs to cover the new requirements. If Congress wishes to regulate consumer health technology, it must consider dedicated legislation that specifically addresses the nuances of this space.

Other ways to protect personal health information

Fortunately, there are other potential paths to protecting personal health information that does not currently fall under the auspices of HIPAA. Two of the tools currently available to regulators are:

  • The FTC Act: Section 5 of the FTC Act prohibits unfair or deceptive acts or practices, and the Federal Trade Commission applies it, together with its own rules, to oblige businesses to protect consumer data. The FTC Act is the main federal statute regulating the privacy and security practices of consumer health companies that do not fall under HIPAA and could be an area of increased focus for regulators.
  • The FTC Health Breach Notification Rule: This rule requires that certain types of organizations dealing with personal health records notify affected individuals and the FTC if a breach of health information occurs and, where a breach affects 500 or more residents of a state, also notify prominent media outlets serving that state.

Currently, the United States does not have an overarching consumer privacy framework similar to the one found in the European Union. While it's unlikely that the U.S. will see this type of legislation in the near future, a general privacy framework would likely be the best solution to the issues the U.S. experiences with gaps in its current patchwork of laws.


This was first published in September 2016



SearchSecurity: Security Wire Daily News

  • Pokémon GO Spam, Ransomware, On the Rise (August 17, 2016, 12:58 pm)
  • Google Retreats on Some Allo Privacy Promises (September 21, 2016, 2:13 pm)
  • Experts Want Transparency From Government’s Vulnerabilities Equities Process (September 20, 2016, 2:41 pm)
  • Bruce Schneier on Probing Attacks Testing Core Internet Infrastructure (September 15, 2016, 11:15 am)
  • Generic OS X Malware Detection Method Explained (September 13, 2016, 9:14 am)
  • Patched Android Libutils Vulnerability Harkens Back to Stagefright (September 9, 2016, 2:06 pm)
  • Chrome to Label Some HTTP Sites ‘Not Secure’ in 2017 (September 8, 2016, 3:43 pm)
  • Threatpost News Wrap, September 2, 2016 (September 2, 2016, 9:00 am)
  • Insecure Redis Instances at Core of Attacks Against Linux Servers (September 1, 2016, 1:08 pm)
  • Dropbox Forces Password Reset for Older Users (August 29, 2016, 9:58 am)
  • Cisco Begins Patching Equation Group ASA Zero Day (August 24, 2016, 5:53 pm)
  • New Collision Attacks Against 3DES, Blowfish Allow for Cookie Decryption (August 24, 2016, 8:00 am)
  • Cisco Acknowledges ASA Zero Day Exposed by ShadowBrokers (August 17, 2016, 4:06 pm)
  • ProjectSauron APT On Par With Equation, Flame, Duqu (August 8, 2016, 1:40 pm)
  • Miller, Valasek Deliver Final Car Hacking Talk (August 4, 2016, 3:26 pm)
  • Researchers Go Inside a Business Email Compromise Scam (August 4, 2016, 10:00 am)
  • Export-Grade Crypto Patching Improves (August 3, 2016, 10:00 am)
  • Kaspersky Lab Launches Bug Bounty Program (August 2, 2016, 9:00 am)
  • Threatpost News Wrap, July 29, 2016 (July 29, 2016, 10:45 am)
  • KeySniffer Vulnerability Opens Wireless Keyboards to Snooping (July 26, 2016, 9:30 am)
  • Upcoming Tor Design Battles Hidden Services Snooping (July 25, 2016, 3:51 pm)
  • EFF Files Lawsuit Challenging DMCA’s Restrictions on Security Researchers (July 21, 2016, 1:18 pm)
  • Oracle Patches Record 276 Vulnerabilities with July Critical Patch Update (July 20, 2016, 9:21 am)
  • Threatpost News Wrap, July 15, 2016 (July 15, 2016, 11:00 am)
  • Academics Build Early-Warning Ransomware Detection System (July 14, 2016, 1:05 pm)
  • xDedic Hacked Server Market Resurfaces on Tor Domain (July 12, 2016, 11:40 am)
  • Conficker Used in New Wave of Hospital IoT Device Attacks (June 30, 2016, 11:48 am)
  • 655,000 Healthcare Records Being Sold on Dark Web (June 28, 2016, 10:00 am)
  • Windows Zero Day Selling for $90,000 (May 31, 2016, 5:44 pm)
  • Millions of Stolen MySpace, Tumblr Credentials Being Sold Online (May 31, 2016, 1:37 pm)
  • OTR Protocol Patched Against Remote Code Execution Flaw (March 10, 2016, 10:23 am)
  • New Gmail Alerts Warn of Unauthenticated Senders (August 11, 2016, 2:10 pm)
  • New Trojan SpyNote Installs Backdoor on Android Devices (July 29, 2016, 12:21 pm)
  • Keystroke Recognition Uses Wi-Fi Signals To Snoop (August 25, 2016, 2:19 pm)
  • PLC-Blaster Worm Targets Industrial Control Systems (August 5, 2016, 4:49 pm)
  • Android Patch Fixes Nexus 5X Critical Vulnerability (September 2, 2016, 12:49 pm)
  • Critical MySQL Vulnerability Disclosed (September 12, 2016, 11:00 am)
  • Browser Address Bar Spoofing Vulnerability Disclosed (August 17, 2016, 12:54 pm)


Threatpost | The first stop for security news

As Britain prepares to leave the European Union, privacy professionals on both sides of the ocean may find their lives becoming more complicated. The Brexit referendum leaves the U.K. in a tumultuous state as the world waits to see how the exit proceeds. Britain may now have to negotiate new, separate agreements with both the EU and the U.S., requiring international companies to comply with multiple sets of data privacy regulations.

This turmoil creates changes for organizations on both sides of the Atlantic Ocean. U.S. and EU companies will need to adapt quickly to the changing U.K. privacy environment and be prepared to approach U.K. privacy issues separately from those of EU member states. British companies will need to come up to speed on their "less favored" status when they suddenly find themselves outside the EU privacy umbrella.

Data sharing agreements

On October 6, 2015, the European Court of Justice invalidated the EU-U.S. Safe Harbor agreement, finding that it allowed U.S. government authorities routine access to Europeans' personal data. Its replacement, the EU-U.S. Privacy Shield framework for transatlantic data flows, imposes stronger obligations on companies handling Europeans' personal data. The framework is an attempt to restore business as usual: the European Commission adopted it in July 2016, and U.S. companies have been able to self-certify under it since August 1, 2016, restoring a lawful basis for the flow of information between EU and U.S. entities.

If Britain leaves the European Union, it will find itself outside of the Privacy Shield agreement negotiated between the EU and the U.S. If the U.K. chooses to continue to apply privacy protections similar to those currently used in data privacy regulations in the EU, the U.S. and the U.K. will need to adopt a separate agreement, which may wind up being modeled after the Privacy Shield. This uncertainty will put a significant burden on businesses seeking to expand operations within the U.K.

What will happen with GDPR?

The new EU General Data Protection Regulation (GDPR) entered into force in May 2016 and applies from May 25, 2018. Companies around the world were already preparing to comply with the GDPR throughout the EU and will now need to see how changes in British law affect those efforts. There are two likely courses of action for the U.K. First, Britain could decide simply to adopt the GDPR framework, independently of the EU. Second, the U.K. could decide to develop its own data privacy regulations or framework. Either way, there will likely be changes afoot.

Organizations working with the private information of U.K. residents should adopt a wait-and-see attitude on this issue. There are simply too many changes ahead to make any other response reasonable. Proceeding with GDPR compliance efforts seems to be a prudent strategy, especially for organizations that must comply with the data privacy regulations in other EU member states. Britain's departure from the EU won't take place for at least a couple of years, preserving the status quo from a regulatory perspective. The eventual withdrawal will leave many regulatory gaps, affecting many more issues than data privacy, and the U.K. will need time to react. Organizations should therefore still closely watch the unfolding of Britain's exit from the EU, but there is little action to be taken from a cybersecurity perspective in the immediate future.


This was first published in August 2016



SearchSecurity: Security Wire Daily News

IDG.TV | Jul 28, 2016

In the latest episode of Security Sessions, CSO Editor-in-Chief Joan Goodchild chats with Ted Harrington of Independent Security Evaluators about how different generations (mainly millennials and Baby Boomers) view both security and privacy matters. These differences and attitudes can have a big effect on how companies train them on proper security procedures.


InfoWorld Security

European privacy advisor wants encryption without backdoors

“The confidentiality of online communications by individuals and businesses is essential for the functioning of modern societies and economies. The EU rules designed to protect privacy in electronic communications need to reflect the world that exists today,” European Data Protection Supervisor (EDPS) Giovanni Buttarelli opined after reviewing a new proposal on the ePrivacy Directive.

The existing ePrivacy Directive is currently under revision. The European Commission is collecting feedback on the proposal and should prepare a new, updated version of the legislation by the end of 2016. One of the roles of the EDPS is to advise EU institutions on policies and legislation that affect privacy.

In his opinion, the EDPS says that the scope of the new ePrivacy rules needs to be broad enough to cover all forms of electronic communications irrespective of the network or service used, not only those offered by traditional telephone companies and internet service providers. Individuals must be afforded the same level of protection for all types of communication, whether telephone, Voice over IP, mobile messaging apps or Internet of Things (machine-to-machine) traffic.

The updated rules should also ensure that the confidentiality of users is protected on all publicly accessible networks, including Wi-Fi services in hotels, coffee shops, shops, airports and networks offered by hospitals to patients, universities to students, and hotspots created by public administrations.

Any interference with the right to confidentiality of communications engages the EU Charter of Fundamental Rights and must therefore be provided for by law and be necessary and proportionate.

No communications should be subject to tracking and monitoring without freely given consent, whether by cookies, device fingerprinting or other technological means. Users must also have user-friendly and effective mechanisms to give, or withhold, their consent. To better protect the confidentiality and security of electronic communications, the current consent requirement for traffic and location data must be strengthened.

The existing rules in the ePrivacy Directive protecting against unsolicited communications, such as advertising or promotional messages, should be updated and strengthened and require prior consent of the recipients for all forms of unsolicited electronic communications.

The new rules should also clearly allow users to protect their electronic communications with end-to-end encryption, without “backdoors”. Decryption, reverse engineering or monitoring of encrypted communications should be prohibited.

A new provision for organisations to periodically disclose aggregate numbers indicating EU and non-EU law enforcement or government requests for information would offer some welcome transparency in the sensitive, complex and often contentious area of government access to communications.

The new rules should complement, and where necessary, specify the protections available under the General Data Protection Regulation (GDPR). They should also maintain the existing, higher level of protection in those instances where the ePrivacy Directive offers more specific safeguards than in the GDPR.


Help Net Security