{"id":14781,"date":"2019-03-07T09:10:09","date_gmt":"2019-03-07T17:10:09","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/03\/07\/news-8530\/"},"modified":"2019-03-07T09:10:09","modified_gmt":"2019-03-07T17:10:09","slug":"news-8530","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2019\/03\/07\/news-8530\/","title":{"rendered":"The not-so-definitive guide to cybersecurity and data privacy laws"},"content":{"rendered":"

Credit to Author: davidruiz| Date: Thu, 07 Mar 2019 16:00:00 +0000<\/strong><\/p>\n

US cybersecurity and data privacy laws are, to put it lightly, a mess.<\/p>\n

Years of piecemeal legislation, Supreme Court decisions, and government surveillance crises, along with repeated corporate failures to protect user data, have created a legal landscape that is, for the American public and American businesses, confusing, complicated, and downright annoying.<\/p>\n

Businesses are expected to comply with data privacy laws based on the data\u2019s type. For instance, there\u2019s a law protecting health and medical information, another law protecting information belonging to children, and another law protecting video rental records. (Seriously, there is.) Confusingly, though, some of those laws only apply to certain types of businesses<\/em>, rather than just certain types of data<\/em>.<\/p>\n

Law enforcement agencies and the intelligence community, on the other hand, are expected to comply with a different framework that sometimes separates data based on \u201ccontent\u201d and \u201cnon-content.\u201d For instance, there\u2019s a law protecting phone call conversations, but another law protects the actual numbers dialed on the keypad.<\/p>\n

And even when data appears similar, its protections may differ. GPS location data might, for example, receive a different protection if it is held with a cell phone provider versus whether it was willfully uploaded through an online location \u201ccheck-in\u201d service or through a fitness app that lets users share jogging routes.<\/p>\n

Congress could streamline this disjointed network by passing comprehensive federal data privacy legislation; however, questions remain about regulatory enforcement and whether states\u2019 individual data privacy laws will be either respected or steamrolled in the process.<\/p>\n

To better understand the current field, Malwarebytes is launching a limited blog series about data privacy and cybersecurity laws in the United States. We will cover business compliance, sectoral legislation, government surveillance, and upcoming federal legislation.<\/p>\n

Below is our first blog in the series. It explores data privacy compliance in the United States today from the perspective of a startup.<\/p>\n

A startup\u2019s tale\u2014data privacy laws abound <\/strong><\/h3>\n

Every year, countless individuals travel to Silicon Valley to join the 21st<\/sup> century Gold Rush, staking claims not along the coastline, but up and down Sand Hill Road, where striking it rich means bringing in some serious venture capital financing.<\/p>\n

But before any fledgling startup can become the next Facebook, Uber, Google, or Airbnb, it must comply with a wide, sometimes-dizzying array of data privacy laws.<\/p>\n

Luckily, there are data privacy lawyers to help.<\/p>\n

We spoke with D. Reed Freeman Jr., the cybersecurity and privacy practice co-chair at the Washington, D.C.-based law firm Wilmer Cutler Pickering Hale and Dorr about what a hypothetical, data-collecting startup would need to become compliant with current US data privacy laws. What does its roadmap look like?<\/p>\n

Our hypothetical startup\u2014let\u2019s call it Spuri.us\u2014is based in San Francisco and focused entirely on a US market. The company developed an app that collects users\u2019 data to improve the app\u2019s performance and, potentially, deliver targeted ads in the future.<\/p>\n

This is not an exhaustive list of every data privacy law that a company must consider for data privacy compliance in the US. Instead, it is a snapshot, providing information and answers to potentially some of the most common questions today.<\/p>\n

Spuri.us\u2019 online privacy policy <\/strong><\/h3>\n

To kick off data privacy compliance on the right foot, Freeman said the startup needs to write and post a clear and truthful privacy policy online, as defined in the 2004 California Online Privacy Protection Act<\/a>.<\/p>\n

The law requires businesses and commercial website operators that collect personally identifiable information to post a clear, easily-accessible privacy policy online. These privacy policies must detail the types of information collected from users, the types of information that may be shared with third parties, the effective date of the privacy policy, and the process\u2014if any\u2014for a user to review and request changes to their collected information.<\/p>\n

Privacy policies must also include information about how a company responds to \u201cDo Not Track\u201d requests, which are web browser settings meant to prevent a user from being tracked online. The efficacy of these settings is debated, and Apple recently decommissioned the feature in its Safari browser<\/a>.<\/p>\n

Freeman said companies don\u2019t need to worry about honoring \u201cDo Not Track\u201d requests as much as they should worry about complying with the law.<\/p>\n

\u201cIt\u2019s okay to say \u2018We don\u2019t,\u2019\u201d Freeman said, \u201cbut you have to say something.\u201d<\/p>\n

The law covers more than what to say in a privacy policy. It also covers how prominently a company must display it. According to the law, privacy policies must be \u201cconspicuously posted\u201d on a website.<\/p>\n

More than 10 years ago, Google tried to test that interpretation and later backed down. Following a 2007 New York Times report<\/a> that revealed that the company\u2019s privacy policy was at least two clicks away from the home page, multiple privacy rights organizations sent a letter to then-CEO Eric Schmidt, urging the company to more proactively comply.<\/p>\n

\u201cGoogle’s reluctance to post a link to its privacy policy on its homepage is alarming,\u201d the letter said<\/a>, which was signed by the American Civil Liberties Union, Center for Digital Democracy, and Electronic Frontier Foundation. \u201cWe urge you to comply with the California Online Privacy Protection Act and the widespread practice for commercial web sites as soon as possible.\u201d<\/p>\n

The letter worked. Today, users can click the \u201cPrivacy\u201d link on the search giant\u2019s home page.<\/p>\n

What About COPPA and HIPAA? <\/strong><\/h3>\n

Spuri.us, like any nimble Silicon Valley startup, is ready to pivot. At one point in its growth, it considered becoming a health tracking and fitness app, meaning it would collect users\u2019 heart rates, sleep regimens, water intake, exercise routines, and even their GPS location for selected jogging and cycling routes. Spuri.us also once considered pivoting into mobile gaming, developing an app that isn\u2019t made for children, but could still be downloaded onto children\u2019s devices and played by kids.<\/p>\n

Spuri.us\u2019 founder is familiar with at least two federal data privacy laws\u2014the Health Insurance Portability and Accountability Act (HIPAA<\/a>), which regulates medical information, and the Children\u2019s Online Privacy Protection Act (COPPA<\/a>), which regulates information belonging to children.<\/p>\n

Spuri.us\u2019 founder wants to know: If her company stars collecting health-related information, will it need to comply with HIPAA?<\/p>\n

Not so, Freeman said.<\/p>\n

\u201cHIPAA, the way it\u2019s laid out, doesn\u2019t cover all medical information,\u201d Freeman said. \u201cThat is a common misunderstanding.\u201d<\/p>\n

Instead, Freeman said, HIPAA only applies to three types of businesses: health care providers (like doctors, clinics, dentists, and pharmacies), health plans (like health insurance companies and HMOs), and health care clearinghouses (like billing services that process nonstandard health care information).<\/p>\n

Without fitting any of those descriptions, Spuri.us doesn\u2019t have to worry about HIPAA compliance.<\/p>\n

As for complying with COPPA, Freeman called the law \u201ccomplicated\u201d and \u201cvery hard to comply with.\u201d Attached to a massive omnibus bill at the close of the 1998 legislative session, COPPA is a law that \u201cnobody knew was there until it passed,\u201d Freeman said.<\/p>\n

That said, COPPA\u2019s scope is easy to understand.<\/p>\n

\u201cSome things are simple,\u201d Freeman said. \u201cYou are regulated by Congress and obliged to comply with its byzantine requirements if your website is either directed to children under the age of 13, or you have actual knowledge that you\u2019re collecting information from children under the age of 13.\u201d<\/p>\n

That begs the question: What is a website directed to children? According to Freeman, the Federal Trade Commission created a rule that helps answer that question<\/a>.<\/p>\n

\u201cThings like animations on the site, language that looks like it’s geared towards children, a variety of factors that are intuitive are taken into account,\u201d Freeman said.<\/p>\n

Other factors include a website\u2019s subject matter, its music, the age of its models, the display of \u201cchild-oriented activities,\u201d and the presence of any child celebrities.<\/p>\n

Because Spuri.us is not making a child-targeted app, and it does not knowingly collect information from children under the age of 13, it does not have to comply with COPPA.<\/p>\n

A quick note on GDPR<\/strong><\/h3>\n

No concern about data privacy compliance is complete without bringing up the European Union\u2019s General Data Protection Regulation (GDPR)<\/a>. Passed in 2016 and having taken effect last year, GDPR regulates how companies collect, store, use, and share EU citizens\u2019 personal information online. On the day GDPR took effect, countless Americans received email after email about updated privacy policies, often from companies that were founded in the United States.<\/p>\n

Spuri.us\u2019 founder is worried. She might have EU users but she isn\u2019t certain. Do those users force her to become GDPR compliant?<\/p>\n

\u201cThat\u2019s a common misperception,\u201d Freeman said. He said one section of GDPR explains this topic, which he called \u201cextraterritorial application.\u201d Or, to put it a little more clearly, Freeman said: \u201cIf you\u2019re a US company, when does GDPR reach out and grab you?\u201d<\/p>\n

GDPR affects companies around the world depending on three factors. First, whether the company is established within the EU, either through employees, offices, or equipment. Second, whether the company directly markets or communicates to EU residents. Third, whether the company monitors the behavior of EU residents.<\/p>\n

\u201cNumber three is what trips people up,\u201d Freeman said. He said that US websites and apps\u2014including those operated by companies without a physical EU presence\u2014must still comply with GDPR if they specifically track users\u2019 behavior that takes place in the EU.<\/p>\n

\u201cIf you have an analytics service or network, or pixels on your website, or you drop cookies on EU residents\u2019 machines that tracks their behavior,\u201d that could all count as monitoring the behavior of EU residents, Freeman said.<\/p>\n

Because those services are rather common, Freeman said many companies have already found a solution. Rather than dismantling an entire analytics operation, companies can instead capture the IP addresses of users visiting their websites. The companies then perform a reverse geolocation lookup. If the companies find any IP addresses associated with an EU location, they screen out the users behind those addresses to prevent online tracking.<\/p>\n

Asked whether this setup has been proven to protect against GDPR regulators, Freeman instead said that these steps showcase an understanding and a concern for the law. That concern, he said, should hold up against scrutiny.<\/p>\n

\u201cIf you\u2019re a startup and an EU regulator initiates an investigation, and you show you\u2019ve done everything you can to avoid tracking\u2014that you get it, you know the law\u2014my hope would be that most reasonable regulators would not take a Draconian action against you,\u201d Freeman said. \u201cYou\u2019ve done the best you can to avoid the thing that is regulated, which is the track.\u201d<\/p>\n

A data breach law for every state<\/strong><\/h3>\n

Spuri.us has a clearly-posted privacy policy. It knows about HIPAA and COPPA and it has a plan for GDPR. Everything is going well\u2026until it isn\u2019t.<\/p>\n

Spuri.us suffers a data breach.<\/p>\n

Depending on which data was taken from Spuri.us and who it referred to, the startup will need to comply with the many requirements laid out in California\u2019s data breach notification law<\/a>. There are rules on when the law is triggered, what counts as a breach, who to notify, and what to tell them.<\/p>\n

The law protects Californians\u2019 \u201cpersonal information,\u201d which it defines as a combination<\/em> of information. For instance, a first and last name plus<\/em> a Social Security number count as personal information. So do a first initial and last name plus a driver\u2019s license number, or a first and last name plus any past medical insurance claims, or medical diagnoses. A Californian\u2019s username and associated password also qualify as \u201cpersonal information,\u201d according to the law.<\/p>\n

The law also defines a breach as any \u201cunauthorized acquisition\u201d of personal information data. So, a rogue threat actor accessing a database? Not a breach. That same threat actor downloading the information from the database? Breach.<\/p>\n

In California, once a company discovers a data breach, it next has to notify the affected individuals. These notifications must include details on which type of personal information was taken, a description of the breach, contact information for the company, and, if the company was actually the source of the breach, an offer for free identity theft prevention services for at least one year.<\/p>\n

The law is particularly strict on these notifications to customers and individuals impacted. There are rules on font size and requirements for which subheadings to include in every notice: \u201cWhat Happened,\u201d \u201cWhat Information Was Involved,\u201d \u201cWhat We Are Doing,\u201d \u201cWhat You Can Do,\u201d and \u201cMore Information.\u201d<\/p>\n

After Spuri.us sends out its bevy of notices, it could still have a lot more to do.<\/p>\n

As of April 2018, every single US state has its own data breach notification law<\/a>. These laws, which can sometimes overlap, still include important differences, Freeman said.<\/p>\n

\u201cSome states require you to notify affected consumers. Some require you to notify the state\u2019s Attorney General,\u201d Freeman said. \u201cSome require you to notify credit bureaus.\u201d<\/p>\n

For example, Florida\u2019s law requires that, if more than 1,000 residents are affected, the company must notify all nationwide consumer reporting agencies. Utah\u2019s law, on the other hand, only requires notifications if, after an investigation, the company finds that identity theft or fraud occurred, or likely occurred. And Iowa has one of the few state laws that protects both electronic and paper records.<\/p>\n

Of all the data compliance headaches, this one might be the most time-consuming for Spuri.us.<\/p>\n

In the meantime, Freeman said, taking a proactive approach\u2014like posting the accurate and truthful privacy policy and being upfront and honest with users about business practices\u2014will put the startup at a clear advantage.<\/p>\n

\u201cIf they start out knowing those things on the privacy side and just in the USA,\u201d Freeman said, \u201cthat\u2019s a great start that puts them ahead of a lot of other startups.\u201d<\/p>\n

Stay tuned for our second blog in the series, which will cover the current fight for comprehensive data privacy legislation in the United States.<\/p>\n

The post The not-so-definitive guide to cybersecurity and data privacy laws<\/a> appeared first on Malwarebytes Labs<\/a>.<\/p>\n

https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Credit to Author: davidruiz| Date: Thu, 07 Mar 2019 16:00:00 +0000<\/strong><\/p>\n\n\n\n
<\/a><\/td>\n<\/tr>\n
In the first blog for Malwarebytes Labs’ cybersecurity and data privacy law series, we tackle US data privacy compliance from a startup’s perspective. GDPR, COPPA, HIPAA\u2014it’s all here. <\/p>\n

Categories: <\/p>\n