Tech Law


New Safe Harbor Pact Offers Temporary Port in Storm

Through an eleventh-hour maneuver, the United States and the European Union last week avoided action that could have choked the movement of data between the regions and caused financial harm to U.S. companies.

It may be only a temporary respite, however.

The problem stems from a European Court of Justice decision in October that blew up an agreement between the regions that provided more than 4,000 U.S. companies with a “safe harbor” from strict European privacy laws when handling the information of the region’s citizens.

The pact, called the EU-U.S. Privacy Shield, agreed to by both regions, includes the following provisions:

  • Strong obligations on how Europeans’ personal data is handled and individual rights are guaranteed. The U.S. Commerce Department will monitor compliance with the obligations, and the Federal Trade Commission provide enforcement.
  • A promise that access by U.S. law enforcement and national security agencies to Europeans’ personal data will be subject to clear limitations, safeguards and oversight mechanisms.
  • Establishment of several forms of redress for Europeans who believe their data has been misused.

Enforcement Uncertainty

The agreement aired last week is just a “draft.” Details will be worked out over the next two months. During that time — and very likely beyond it — uncertainty will persist.

“Uncertainty remains about the contents of the final wording of Privacy Shield and whether or not Privacy Shield will be approved by all EU member states,” said Neil Stelzer, general counsel forIdentity Finder.

Meanwhile, the Article 29 Working Party — the group within the European Union that’s charged with protecting the processing and movement of the personal information of EU citizens — has said it will hold off on enforcement actions until Privacy Shield is finalized.

“However, data protection authorities in each EU country may still bring enforcement actions if a company was transferring data under [the original] Safe Harbor and continues to without another legal method,” Stelzer told TechNewsWorld.

“Whether or not they will is unknown,” he added.

Kicking Can Down the Road

Although Privacy Shield has received kudos in many quarters, it appears to be a stopgap measure intended to buy more time for EU and U.S. negotiators.

“They had to rush the announcement so that European authorities didn’t start enforcement actions after the Jan. 31 deadline,” said Aytekin Tank, CEO ofJotForm.

As the deadline to create a new Safe Harbor approached, European authorities may have realized that their high court had placed them in an untenable position.

“Enforcement action on the scale required would be totally overwhelming for the national data protection authorities,” said Stuart Buglass, an international business expert atRadius who advises high-tech multinationals on regulations and compliance for overseas data protection and privacy.

“A prolonged moratorium was inevitable. The announcement on the Privacy Shield provided a reason for doing so,” he told TechNewsWorld.

“The draft agreement seems to be a kick-the-can method of buying time,” Identity Finder’s Stelzer added.

Legal Tempest Ahead

Even after Privacy Shield is finalized, its fate could be the same as its predecessor.

“I’d put my money on the agreement getting tossed by the European courts,” JotForm’s Tank told TechNewsWorld.

“The first agreement was tossed because the EU didn’t trust European personal data with the U.S. government. This new agreement is no different,” he noted.

Without a final document in hand, it’s difficult to predict Privacy Shield’s legal prospects, said Yorgen Edholm, CEO ofAccellion.

“If history is any indicator, it’s only a matter of time until Privacy Shield is challenged in the courts,” he told TechNewsWorld.

“Max Schrems, who brought down Safe Harbor, has already expressed doubt regarding the new framework’s potential effectiveness,” Edholm continued. “And without any commitment from the U.S. government to soften certain provisions of the Patriot Act, it is very unlikely Privacy Shield will be acceptable to European privacy advocates.”

Surveillance Reform Needed

Privacy Shield alone likely won’t satisfy Europe’s high court.

“Unless there is significant legal reform of the surveillance rights of U.S. government departments, then U.S. law will continue to fall short of EU data privacy standards and any data transfers will be unlawful,” Radius’ Buglass said.

“The issue with the agreement is that it simply provides a complaint mechanism for EU citizens to seek redress for a privacy breach rather than prevent the breach occurring in the first place through significant reform of the U.S. surveillance laws,” he added.

Both the U.S. and Europe need to get their intelligence houses in order if Privacy Shield is going to work, noted Jens-Henrik Jeppesen, director of European affairs for theCenter for Democracy & Technology.

“The U.S. Congress should move swiftly to reform FISA Section 702, and EU member states should also narrow their surveillance laws and practices to be more aligned with international human rights norms,” he said in a statement.

FISA Section 702 is the law the National Security Agency used to justify its mass collection of phone calls and emails by directly tapping into the physical infrastructure of communications providers.

Breach Diary

  • Jan. 29. Landry’s and Golden Nugget Hotels and Casinos releases list of facilities affected by three data breaches between May 4, 2014, and May 4, 2015. It is unknown how many customers may have had fraudulent charges on their payment cards because of the incident.
  • Jan. 29. Neiman Marcus informs an unspecified number of customers that unauthorized individuals compromised their accounts, and some of the accounts were used to make fraudulent purchases. Credentials to compromise accounts were obtained from a source outside Neiman Marcus, the company believes.
  • Feb. 1. The National Law Review reports a federal appeals court overturned a district court ruling dismissing a consumer class-action lawsuit against Neiman Marcus over a data breach in 2014 that exposed information about 350,000 credit cards.
  • Feb. 1. Waterloo Cedar Falls Courier of Iowa reports that Bernard Ogie Oretekor, 45, has filed papers in federal court stating he will plead guilty to charges stemming from a data breach at the University of Northern Iowa.
  • Feb. 1. Patrick McFarland, inspector general of the U.S. Office of Personnel Management, submits his resignation to President Obama. Last year, McFarland’s office found significant deficiencies in the first credit monitoring contract OPM issued following a data breach in which personal information for 22 million current and former federal employees was stolen.
  • Feb. 2. Humberside, UK, police confirm they are investigating a complaint by the North East Lincolnshire council of a possible data breach of electoral data prior to last year’s general election.
  • Feb. 2. Medfield, Massachusetts, announces it paid extortionists US$300 to unlock the town’s network. Town systems were offline for a week after they were infected with malware that encrypted most town hall files, as well as files on a backup system.
  • Feb. 2. NASA denies a group of data thieves calling themselves AnonSec hacked one of the agency’s drones. The group also posted to the Internet 250 GB of data it said it robbed from NASA’s systems, although the agency stated the information was freely available to the public.
  • Feb. 2. Morgorna Mohorne files a class-action lawsuit against for failing to employ adequate security, resulting in a data breach in August that exposed credit card and access credentials of nearly 100,000 users.
  • Feb. 3. TalkTalk reports a data breach last year cost the company 101,000 customers and Pounds 60 million.
  • Feb. 3. The U.S. House Oversight Committee subpoenas documents related to last year’s massive data breach from the Office of Personnel Management. Chairman Jason Chaffetz, R-Utah, says the action was necessary because the agency refused to cooperate with his panel’s probe of the breach.
  • Feb. 4. University of Central Florida announces that a data breach of its computer network resulted in unauthorized access to the Social Security numbers of some 63,000 current and former students.
  • Feb. 4. announces that some 8,800 customers may have had personal and tax-return information stolen by criminals who gained unauthorized access to its computers. Compromised credentials from a source outside TaxSlayer were used in the attack, the company believes.
  • Feb. 4. Republican Party of Iowa takes offline a database containing personal information for some 2 million people after being informed a security gap had exposed the database to public view on the Internet.
  • Feb. 4. Reuters reports data thieves attacked 20 million accounts at Taobao, an e-commerce website owned by Alibaba. Reuters noted the attackers obtained 99 million user credentials from sources outside Taobao and used them in a brute-force attack on Taobao launched from Alibaba’s cloud services.
  • Feb. 5. Jackson Health System announces it has fired two employees for inappropriately accessing the medical records of New York Giants defensive end Jason Pierre-Paul. ESPN published his medical records while he was in surgery having his right index finger amputated.

Upcoming Security Events

  • Feb. 11. Pulse on Advanced Threats: Findings from Arbor Networks’ Worldwide Infrastructure Security Report. 11 a.m. ET. Webinar sponsored by Arbor Networks. Free with registration.
  • Feb. 11. SecureWorld Charlotte. Charlotte Convention Center, 501 South College St., Charlotte, North Carolina. Registration: conference pass, $195; SecureWorld Plus, $625; exhibits and open sessions, $30.
  • Feb. 11. Data Breach & Privacy Litigation Conference. Julia Morgan Ballroom, 465 California St., San Francisco. Registration: attorneys and companies, $795; litigation service provider, $1,195; law firm assistant, $375; legal marketing attendee, $595.
  • Feb. 11-12. Suits and Spooks DC. The National Press Club, 529 14th St. NW, Washington, D.C. Registration: $599; government and academia, $499.
  • Feb. 16. Architecting the Holy Grail of Network Security. 1 p.m. ET. Webinar sponsored by Spikes Security. Free with registration.
  • Feb. 16. Security and Privacy in the World-Sized Web. 12 noon ET. Wasserstein Hall, Room B010 Singer Classroom (lower level), Harvard University Law School, Cambridge, Massachusetts. Also live webcast. Free.
  • Feb. 17. Stopping Breaches at the Perimeter: Strategies for Secure Access Control. 1 p.m. ET. Webinar sponsored by 451 Research and SecureAuth. Free with registration.
  • Feb. 18. Will the Real Advanced Threat Stand Up? Attack Campaigns in 2016 and Beyond. 1 p.m. ET. Webinar sponsored Arbor Networks. Free with registration.
  • Feb. 20. B-Sides Seattle. The Commons Mixer Building, 15255 NE 40th St., Redmond, Washington. Tickets: participant, $15 plus $1.37 fee; super awesome donor participant, $100 plus $3.49 fee.
  • Feb. 23. Rethinking Layered Security. 1 p.m. ET. Webinar sponsored by Dark Reading. Free.
  • Feb. 28-29. B-Sides San Francisco. DNA Lounge, 375 11th St., San Francisco. Registration: $25.
  • Feb. 29-March 4. RSA USA 2016. The Moscone Center, 747 Howard St., San Francisco. Registration: full conference pass before Jan. 30, $1,895; before Feb. 27, $2,295; after Feb. 26, $2,595.
  • Feb. 29-March 4. HIMSS16. Sands Expo and Convention Center, Las Vegas. Registration: before Feb. 3, $865; after Feb. 2, $1,165.
  • March 10-11. B-Sides SLC. Salt Palace Convention Center, 90 South West Temple, Salt Lake City. Registration: $65.
  • March 12-13. B-Sides Orlando. University of Central Florida, Main Campus, Orlando, Florida. Registration: $20; students, free.
  • March 14-15. Gartner Identity and Access Management Summit. London. Registration: 2,550 euros plus VAT; public sector, $1,950 plus VAT.
  • March 17-18. PHI Protection Network Conference. Sonesta Philadelphia, 1800 Market St., Philadelphia. Registration: $199.
  • March 29-30. SecureWorld Boston. Hynes Convention Center, Exhibit Hall D. Registration: conference pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.
  • March 31-April 1. B-Sides Austin. Wingate Round Rock, 1209 N. IH 35 North (Exit 253 at Hwy 79), Round Rock, Texas. Free.
  • April 9. B-Sides Oklahoma. Hard Rock Cafe Casino, 777 West Cherokee St., Catoosa, Oklahoma. Free.
  • April 15-16. B-Sides Canberra. ANU Union Conference Centre, Canberra, Australia. Fee: AU$50.
  • April 16. B-Sides Nashville. Lipscomb University, Nashville, Tennessee. Fee: $10.
  • April 20-21. SecureWorld Philadelphia. Sheraton Valley Forge Hotel, 480 N. Guelph Road, King of Prussia, Pennsylvania. Registration: conference Pass, $325; SecureWorld Plus, $725; exhibits & open sessions, $30.
  • May 4. SecureWorld Kansas City. Overland Park Convention Center, 6000 College Blvd., Overland Park, Kansas. Registration: conference pass, $195; SecureWorld Plus, $625; exhibits and open Sessions, $30.
  • June 13-16. Gartner Security & Risk Management Summit. Gaylord National Resort & Convention Center, 201 Waterfront St., National Harbor, Maryland. Registration: before April 16, $2,950; after April 15, $3,150; public sector, $2,595.
  • June 29. UK Cyber View Summit 2016 — SS7 & Rogue Tower Communications Attack: The Impact on National Security. The Shard, 32 London Bridge St., London. Registration: private sector, Pounds 320; public sector, Pounds 280; voluntary sector, Pounds 160.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Tech Law

Technewsworld Channels