Privacy goofs, gaffes and tidbits for the last Monday in July —

NSA Surveillance Causes More Grief – Germany Calls for a Stop to Safe Harbor: Time for Binding Corporate Rules?

According to news sources, the federal and state German data protection commissioners late last week sent a letter to German Chancellor Angela Merkel requesting the suspension of the U.S.-EU Safe Harbor regime (the press release is available in German here). The commissioners argue that the mass surveillance conducted by the U.S. National Security Agency (NSA) prevents U.S. companies from protecting the personal data of Germans in compliance with data protection law.

The European Commission’s data protection directive prohibits the transfer of personal data to non-EU countries that do not meet the EU “adequacy” standards for privacy protection. To allow the exchange of personal data with U.S. organizations, the U.S. Department of Commerce and the European Commission developed the “Safe Harbor” framework, which allows the transfer of personal data from the EU to the U.S. as long as specified standards in notice, choice, onward transfer, access, security, data integrity and enforcement are met.

“The Safe Harbor agreement may not be so safe after all,” said Viviane Reding, vice president of the European Commission. “U.S. data protection standards are lower than our European ones. I have informed ministers that the Commission is working on a solid assessment of the Safe Harbor Agreement which we will present before the end of the year.”

The Commissioners have stopped issuing approvals for international data transfers pending the German government’s demonstration that the processing of German citizens’ personal data by foreign national intelligence services is in line with the requirements of the data protection law. The Commissioners argue that the extent of the surveillance conducted by the NSA makes interception of personal data routine, and that this is not in compliance with the Safe Harbor framework.

If the German government agrees with the Commissioners and suspends Safe Harbor, all companies relying on Safe Harbor for the legal transfer of personal data from the EU to the U.S. would either have to suspend such transfers or face fines from the data protection authorities.

With elections approaching, this has become a heated political debate in Germany. Chancellor Merkel has supported the U.S. surveillance and echoed President Obama’s claims that surveillance prevents terrorist attacks and protects Americans and Germans alike, but, according to a news source, Merkel pushed back last week, calling for the U.S. to respect German data privacy on German soil.

We will keep you updated on developments in this area. In the meantime, one way for multinational companies to circumvent the effects of a suspended Safe Harbor program is to develop binding corporate rules, which satisfy EU standards and are an alternative means of authorizing transfers of personal data outside of Europe. Contact the Mintz Levin privacy team for more information.

SEC Employees Victimized by Thumb Drive Data Breach: “You ARE the Weakest Link”

A serious data breach at the Securities and Exchange Commission transferred personal data about current and former employees into the computer system of another federal agency, a letter sent by the SEC to staff reveals.

The July 8 letter, obtained by The Hill, is from Thomas Bayer, the SEC’s chief information officer and senior agency official on privacy. It warned that personal employee data had been discovered on the networks of another, unnamed federal agency. SEC employees’ Social Security numbers were exposed after a former worker unwittingly downloaded sensitive human resources data to a thumb drive, underscoring the privacy risks posed by the ubiquitous devices.

Mintz Levin’s Cynthia Larose is quoted in Law 360 (registration required): “Talk to most security people and they will say that the USB port is the biggest ‘You are the weakest link’ problem in corporate networks, and the government is no exception to that, obviously,” she said. “Allowing files of any kind of size whatsoever to be downloaded to a USB drive is trouble.”

Tech Companies Want Federal Data Breach Notification Law

Will the fourth time be the charm? For the fourth time in eight years, the U.S. House of Representatives is considering a federal law requiring companies to notify customers in the event of a data breach. Tech companies have weighed in on the side of such legislation, hoping to put an end to the “crazy quilt” problem currently facing companies experiencing a data breach. Corporate general counsels look for some compliance assistance in such a “breach notification standard.”

Read more: Corporate Counsel (registration required)

Comprehensive Security Plans Should Be the Rule, Not the Exception

The deadline for compliance with the HIPAA Omnibus Rule is fast approaching, and the stakes are rising.

Not only have the threats increased for healthcare organizations, but so have the government fines. One-time violations stay under $50,000, but repeat violations within the same year can carry a fine of $1.5 million across all HIPAA violation categories (up substantially from the previous $250K minimum). The average economic impact of a data breach has also increased by $400K to a total of $2.4 million since 2010. Investigation and legal efforts, business downtime and decreased credibility all drive up costs beyond those of fines. As we have been preaching for many years (at least since the implementation of the Massachusetts Security Regulations (201 CMR 17)), a comprehensive security plan is the best offense — for every sector, and now particularly for those businesses dealing with protected health information. The plan should address hardware, software, paper records, training — and it should be in writing.

Read more: HealthIT Security