The EU Privacy Shield and Data Security Obligations
On July 12, 2016, the EU approved a framework for transferring European citizen data to the US. Known as the Privacy Shield Framework or “Privacy Shield,” it requires US companies to take extra precautions to protect the privacy of personal information belonging to EU citizens when that data crosses the Atlantic.
The need for a Privacy Shield arose in 2015 when the EU’s highest court ruled a 15-year-old “Safe Harbor” pact did not adequately protect the personal data of EU citizens. The Safe Harbor pact, used by companies like Google and Apple, had the potential to expose personal data to surveillance by the US government. Even after the US and EU reached an agreement (pending approval), privacy advocates still voiced concerns about how US companies processed data, transferred data to third parties, and how the US government performed “bulk collection” of data. The US government clarified that it performs bulk collection for national security purposes and not as part of a general surveillance scheme.
The Privacy Shield Principles are largely analogous to black-letter law requirements. They explicitly state that they do not “limit privacy obligations that otherwise apply” under US law. US data security laws, in their many manifestations, remain in effect and are unchanged by the framework.
The definition of personal information is critical to any data security analysis. If no personal information is involved, a business has little or no duty to protect the data. Compared to data security laws in the US, the EU definition of personal information is broader. The Principles, by reference to Directive 95/46/EC, define “personal information” and “personal data” as “any information relating to” a “natural person . . . who can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”
In contrast, there is no catch-all US definition of personal information, and US law is not so broad. California is generally seen as the leader in data security protection laws, and many states have followed its lead. California’s data security laws define personal information in two ways: (1) “An individual’s first name or first initial and his or her last name” in combination with specific criteria, like social security number, financial account numbers, and medical information, or (2) “username or email address in combination with a password or security question and answer that would permit access to an online account.” California law, like most state data security laws, enumerates specific types of personal information, whereas the EU definition remains open-ended with categories like “social” or “cultural” information.
While the Privacy Shield expands the definition of personal information, that expansion means little if companies already use adequate security protocols to keep it secure. The Principles specify the kind of security that needs to be in place, and it matches US legal standards.
The Principles require organizations using or possessing personal information to take “reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction.” If a company fails to take reasonable measures to protect the personal information of an EU citizen, it could be liable and either must work with EU agencies or submit to mandatory arbitration, enforced by the US Department of Commerce.
Like the definition of personal information, the security enforcement standards are different across jurisdictions in the US. However, the “reasonable” standard appears in many places. The Federal Trade Commission (FTC) expects companies to take “reasonable steps to protect consumers’ devices from hackers, snoops and thieves” and expects financial institutions to also take “reasonable steps to prevent attacks, quickly diagnosing a security incident, and having a plan in place for responding effectively” to data breaches. The US Department of Health and Human Services (HHS), the agency responsible for enforcing the Health Insurance Portability and Accountability Act of 1996 (HIPAA), “requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting” electronically stored health information, like online medical records. Finally, states like California and Texas also require “reasonable” security procedures and practices for data security to secure consumers’ personal information.
The “reasonable” standard also appears in litigation. As identified in a previous post about the DNC hacks, many legal theories drive data security breach litigation, with negligence being the most common. The most standard negligence argument is that an entity owed a duty of care to protect consumers’ personal information and breached that duty by using deficient security measures. The entity’s alleged breach allowed a hacker, or hackers, to steal the consumers’ personal information. Some experts have doubts about the viability of data breach claims as it has been hard for plaintiffs to prove damages. This perspective is particularly apt after Spokeo Inc. v. Robins where the US Supreme Court confirmed that victims have to prove they suffered an actual injury, or will likely suffer injury, as a result of a data breach even if a company’s security measures were unreasonable.
What It Means
Because the US and EU similarly expect security measures to be “reasonable,” it’s arguable that US companies that already meet US security standards will meet EU standards. You should already be OK. However, US companies will have to safeguard a higher volume and diversity of private information, which internal systems may or may not already account for. Additionally, if US companies’ unreasonable security measures result in a data breach, then they may be responsible for both US and EU citizens’ stolen data.
If companies have a robust data security program, it reduces the likelihood of a data breach, and thus the likelihood of enforcement actions by the Department of Commerce, FTC, HHS, or Consumer Financial Protection Bureau (CFPB), as well as exposure to consumer class action lawsuits.
Fortunately, there are many valuable resources out there to build a robust security program. The Center for Internet Security (CIS), recommended by the California Attorney General’s Data Breach Report, identifies the minimum level of information security that organizations should meet. Further, Verizon’s 2016 Data Breach Investigations Report provides up-to-date information on trends in the ever-evolving data security realm.
As most data breaches are caused by human error, through phishing scams and spoof websites, a training element should be introduced into companies’ data security programs, protocols, and practices. Effective online training that takes a realistic approach to how personal information is hacked should matter to Chief Technology Officers. It can add an extra layer of protection that helps companies meet the standards established by the US and EU laws.