Privacy and Cybersecurity Law 

On September 13, 2016, the New York Department of Financial Services introduced a new rule that would require banks, insurance companies and other financial institutions regulated by the Department to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety of New York’s financial services industry.  The proposed regulation is subject to a 45-day notice and public comment period, following the September 28, 2016 publication in the New York State register before final issuance.

Under the proposed rule, regulated financial institutions would be required to:

• Establish a cybersecurity program;
• Adopt a written cybersecurity policy;
• Designate a Chief Information Security Officer responsible for implementing and overseeing the new cybersecurity program and policy; and
• Have policies and procedures designed to ensure the security of information systems and nonpublic information accessible to third-parties.

Establishment of a Cybersecurity Program

According to the proposed rule, regulated financial institutions will need to establish a “cybersecurity program designed to ensure the confidentiality, integrity and availability of information systems that performs five core cybersecurity functions:”

• Identification of cyber risks.
• Implementation of policies and procedures to protect unauthorized access / use or other malicious acts.
• Detection of cybersecurity events.
• Responsiveness to identified cybersecurity events to mitigate any negative events.
• Recovery from cybersecurity events and restoration of normal operations and services.

Additional requirements for each “cybersecurity program” include:

• Annual penetration testing and vulnerability assessments.
• Implementation and maintenance of an audit trail system to reconstruct transactions and log access privileges.
• Limitations and periodic reviews of access privileges.
• Written application security procedures, guidelines and standards that are reviewed and updated by the CISO at least annually.
• Annual risk assessment of the confidentiality, integrity, and availability of information systems; adequacy of controls; and how identified risks will be mitigated or accepted.
• Employment and training of cybersecurity personnel to stay abreast of changing threats and countermeasures.
• Multi-factor authentication for individuals accessing internal systems who have privileged access or to support functions including remote access.
• Timely destruction of nonpublic information that is no longer necessary except where required to be retained by law or regulation.
• Monitoring of authorized users and cybersecurity awareness training for all personnel.
• Encryption of all nonpublic information held or transmitted.
• Written incident response plan to respond to, and recover from, any cybersecurity event.

Adoption of a Cybersecurity Policy

The new rule would require regulated financial institutions to adopt a written cybersecurity policy, setting forth “policies and procedures for the protection of their information systems and nonpublic information that addresses, at a minimum, the following:”

• Information security.
• Data governance and classification.
• Access controls and identity management.
• Business continuity and disaster recovery planning and resources.
• Capacity and performance planning.
• Systems operations and availability concerns.
• Systems and network security.
• Systems and network monitoring.
• Systems and application development and quality assurance.
• Physical security and environmental controls.
• Customer data privacy.
• Vendor and third-party service provider management.
• Risk assessment.
• Incident response.

Creation of Chief Information Security Officer

The new rule would require regulated financial institutions to designate a qualified individual to serve as a CISO, responsible for “overseeing and implementing the institution’s cybersecurity program and enforcing its cybersecurity policy.”  The new rule also would require the CISO to “report to the board, at least bi-annually to:”

• Assess the confidentiality, integrity and availability of information systems.
• Detail exceptions to cybersecurity policies and procedures.
• Identify cyber risks.
• Assess the effectiveness of the cybersecurity program.
• Propose steps to remediate any inadequacies identified.
• Include a summary of all material cybersecurity events that affected the regulated institution during the time period addressed by the report.

Third Party Protections

The new rule also would require regulated financial institutions to have policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third-parties, including the following:

• Identification and risk assessment of third-parties with access to such information systems or such nonpublic information.
• Minimum cybersecurity practices required to be met by such third-parties.
• Due diligence processes used to evaluate the adequacy of cybersecurity practices of such third-parties.
• Periodic assessment, at least annually, of third-parties and the continued adequacy of their cybersecurity practices.

A draft of the proposed rule is here.

On July 26, 2016, President Obama issued a new Presidential Directive setting forth the framework for how the United States (US) federal government will respond to “cyber incidents,” whether involving government or private sector entities.  The new directive (PPD-41):

• Outlines guiding principles governing the federal government’s response to “cyber incidents”;
• Sets forth the concurrent lines of effort federal agencies shall undertake in responding to any “cyber incident,” whether private or public;
• Identifies the ways the federal government will coordinate its activities in responding to “significant cyber incidents,” including the establishment of lead US federal agencies; and
• Requires the US Departments of Justice (DOJ) and Homeland Security (DHS) to maintain updated contact information for public use to assist entities impacted by “cyber incidents” in reporting those incidents to the proper authorities.

Definitions

• Cyber Incident: PPD-41 defines “cyber incident” as an event “occurring on or conducted through a computer network that actually or imminently jeopardizes the integrity, confidentiality or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident thereon.”
• Significant Cyber Incident: PPD-41 defines a “significant cyber incident” as one that is “likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.”

Guiding Principles

In carrying out its incident response activities, the federal government is to be guided by the following principles:

• Shared Responsibility: Individuals, the private sector, and government agencies have a “shared vital interest and complementary roles and responsibilities” in protecting the US from malicious cyber activity and managing cyber incidents and their consequences.
• Risk-Based Response: The federal government will determine its response actions on an “assessment of the risks posed to an entity, our national security, foreign relations, the broader economy, public confidence, civil liberties, or the public health and safety of the American people.”
• Respecting Affected Entities:  Federal government responders will “safeguard details of the incident,” to the extent permitted under law, as well as “privacy and civil liberties, and sensitive private sector information[.]”  In the event a “significant” federal government interest is served by a public statement concerning the incident, federal responders are to coordinate their approach with the affected entity.
• Unity of Governmental Effort:  The efforts of the various governmental entities must be coordinated to “achieve optimal results.”  Therefore, whichever federal agency “first becomes aware of a cyber incident will rapidly notify other relevant” federal agencies in order to facilitate a unified response, and will coordinate with relevant state, local, tribal and territorial governments to coordinate the same.
• Enabling Restoration and Recovery: Federal response activities are to be conducted “in a manner to facilitate restoration and recovery of an entity that has experienced a cyber incident[.]”

Concurrent Lines of Effort

In responding to a cyber incident, federal agencies are required to take three “concurrent lines of effort:”

1. Threat response;
2. Asset response; and
3. Intelligence support and related activities.

Where a federal agency is the affected entity, it shall undertake a fourth concurrent line of effort “to manage the effects of the cyber incident on its operations, customers and workforce.”

Threat Response

Threat response activities include:

• Conducting appropriate law enforcement and national security investigative activity at the affected entity’s site;
• Collecting evidence and gathering intelligence;
• Providing attribution;
• Linking related incidents;
• Identifying threat pursuit and disruption opportunities;
• Developing and executing courses of action to mitigate the immediate threat; and
• Facilitating information sharing and operational coordination.

Asset Response

Asset response activities include:

• Furnishing technical assistance to affected entities to protect their assets;
• Mitigating vulnerabilities;
• Identifying other entities that may be at risk;
• Assessing potential risks to sector; and
• Facilitating information sharing and operational coordination.

Intelligence Support and Related Activities

Intelligence support and related activities will facilitate:

• The building of “situational threat awareness and sharing of related intelligence;”
• The integrated analysis of threat trends and events;
• The identification of knowledge gaps; and
• The ability to degrade or mitigate adversary threat capabilities.

Impacted Government Agency

An affected federal agency will engage in a fourth concurrent line of effort to manage the impact of a cyber incident, which may include:

• Maintaining business or operational continuity;
• Addressing adverse financial impacts;
• Protecting privacy;
• Managing liability risks;
• Ensuring legal compliance;
• Communicating with affected individuals; and
• Dealing with external affairs.

Architecture of Federal Government Response Coordination For Significant Cyber Incidents

PPD-41 directs the federal government to coordinate its activities in response to a “significant cyber incident” in three ways: (1) National Policy Coordination; (2) National Operational Coordination; and (3) Field-Level Coordination.

National Policy Coordination

The National Security Staff’s Cyber Response Group (NSC CRG) will “coordinate the development and implementation” of the US “policy and strategy with respect to significant cyber incidents affecting the” US or “its interests abroad.

The NSC CRG is a White House led Assistant Secretary level interagency policy coordination group that coordinates policy related issues for the National Security Council and the Homeland Security Council review as outlined in Presidential Policy Directive-1.

National Operational Coordination

• Agency Enhanced Coordination Procedures: Each federal agency that regularly participates in the CRG shall “establish and follow enhanced coordination procedures as defined in the annex” to PPD-41 “in situations in which the demands of responding to a significant cyber incident exceed its standing capacity.”
• Cyber Unified Coordination Group:  A Cyber Unified Coordination Group (UCG) will serve as the “primary method for coordinating between and among” federal agencies “in response to a significant cyber incident as well as for integrating private sector partners into incident response efforts.”  The Cyber UCG will be formed at the direction of the National Security Council when two or more federal agencies request its formation.  A Cyber UCG will also be formed when a “significant cyber incident affects critical infrastructure owners and operators” identified by the DHS.
• Federal Lead Agencies:  In order to ensure the Cyber UCG “achieves maximum effectiveness in coordinating responses to significant cyber incidents,” the following agencies will serve as federal lead agencies:
  • Threat Response: The DOJ, acting through the FBI and National Cyber Investigative Task Force, will lead the government’s “threat response” activities.
  • Asset Response: The DHS, acting through the National Cybersecurity and Communications Integration Center, will lead the government’s “asset response” activities.
  • Intelligence Support: The Office of the Director of National Intelligence, through the Cyber Threat Intelligence Integration Center, will lead the government’s “intelligence support” activities.

Field-Level Coordination

Field-level representatives of the federal asset or threat response lead agencies “shall ensure that they effectively coordinate their activities within their respective lines of effort with each other and the affected entity.”

Unified Public Communications

PPD-41 requires the DHS and DOJ to “maintain and update as necessary a fact sheet outlining how private individuals and organizations can contact relevant” federal agencies about a cyber incident.

To read the full text of PPD-41, click here

Another company that is well-known to consumers has agreed to enter into a compliance undertaking with the CRTC for alleged CASL violations.  Kellogg Canada Inc. has paid a monetary penalty of $60,000 and undertaken to enter into a compliance program to better address elements such as:

• written CASL compliance policies and procedures;
• training programs for employees;
• tracking CASL complaints and resolution; and
• monitoring and auditing mechanisms to assess compliance.

Notably, the compliance issues arose from messages that were sent: not only by Kellogg, but also by its third party service providers, and not long after CASL entered into force in July 2014.  This was a time when many companies were early on in the process of familiarizing themselves with the many CASL requirements, and implementing programs to make sure that databases, third party agencies (marketing companies and other service providers) and internal procedures were all in line.

The CRTC’s Notice regarding Kellogg’s 2014 compliance issues comes only a month after the CRTC issued its Enforcement Advisory to businesses and individuals on how to keep records of consent (see our recent blog post here), and less than a year before the Private Right of Action becomes available in Canada under CASL legislation, meaning that the CRTC will not be the only one taking businesses to task for CASL compliance.

On August 23, 2016, the Office of the Privacy Commissioner of Canada (OPC) released its joint report with the Office of the Australian Information Commissioner (OAIC) regarding its investigation of the 2015 Ashley Madison breach.

The report articulates several takeaways for all organizations. However, if there is one key lesson to be learned, it is that the OPC considers a solid information compliance and governance program to include documented policies and procedures. Organization’s safeguards should be adopted with “due consideration of the risks faced” and with a formal framework in order to ensure its proper management.

The following summarizes the report by the OPC and OAIC including several takeaways for all organizations.

The Breach

As many recall, on June 12 2015, a group identified as ‘The Impact Team’ hacked Avid Life Media, Inc. (ALM), headquartered in Toronto, Canada and operator of Ashley Madison and several other dating websites.

It is believed the intrusion took place over several months, beginning with the compromise of an employee’s valid account credentials and used to understand ALM’s systems until ALM’s information technology team detected unusual behavior on July 12. The next day, ALM computers projected warning notices from The Impact Team stating ALM had been hacked and threatened to expose the personal information of Ashley Madison users unless ALM shut down the website. The Impact Team published its actions and threats to the internet on July 19. The OPC contacted ALM soon after, and ALM voluntarily reported the details of the breach. On August 18 and 20, 2015, after its demands were not met, The Impact Team published information allegedly hacked from ALM of approximately 36 million Ashley Madison users from around the world.

The Personal Information Exposed

The sensitive personal information exposed by The Impact Team fell into three main categories:

1. Profile information that described the users, including names, physical descriptions, date of births, experiences sought through Ashley Madison, details relating to intimate desires, personal and sexual interests.
2. Account information such as e-mail addresses, security questions and answers and hashed passwords.
3. Billing information for users who made purchases on Ashley Madison, including real names, billing addresses and the last four digits of credit cards. (Note: As billing information was stored by ALM’s third party processor, it is strongly believed the third party processor was also hacked by The Impact Team).

The sophisticated and targeted hack made it a challenge to determine the extent of the access gained by The Impact Team. ALM reported to the OPC and OAIC, as well as notified affected individuals, that exposed information could also include photos and communications between users.

Canadian and Australian Joint Investigation

The OPC and OAIC did not focus or report any conclusions with respect to the cause of the breach itself. The report is an assessment of the practices by ALM against its obligations under both the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Australian Privacy Act. The OAIC established an “Australian link” (s.5B(1A) of the Australian Privacy Act)) with the foreign-based ALM as a result of ALM’s targeting of its services to Australians, the collection of personal information of Australian residents and advertising in Australia. The collaboration was made possible by the OPC’s and OAIC’s participation in the Asia-Pacific Economic Cooperation (APEC) Cross-border Privacy Enforcement Arrangement

Report of Findings and Takeaways for all Organizations

1.  Safeguards

Under both PIPEDA and the Australian Privacy Act, organizations must protect personal information by safeguards appropriate to the sensitivity of the information from loss and unauthorized access, use, disclosure, etc. Both jurisdictions require a similar assessment of the risk of harm to individuals. The Commissioners agreed the key risk for users of Ashley Madison was reputational harm.

Discretion and secrecy in being a member of AshleyMadison.com was a central marketing and legal representation to its users. ALM also stated to the OPC and OAIC that protection of its customer’s confidence was a core element of its business. ALM advertised a series of trust-marks including “Trusted Security Award”, “100% Discreet Service” and “SSL Secure Site” on the front page of AshleyMadison.com. It was later discovered some trust-marks were fabricated. Further, the Terms of Service warned users that security and privacy of information could not be guaranteed, a statement many organizations include in their policies. However, the OPC and OAIC found the qualifier in the Terms of Service did not absolve ALM of its obligations.

The Commissioners found ALM lacked appropriate safeguards considering the sensitivity of the personal information. The safeguards adopted by ALM allegedly did not consider the risks individuals could face as a result of unauthorized access.

Key elements ALM’s safeguards allegedly lacked included:

• a comprehensive information security program expected of an organization collecting and processing such sensitive personal information.
• documented information security policies and procedures for managing network permissions including critical gaps in security coverage indicative of the absence of documented policies and practices.
• an adequate intrusion detection system or prevention system , including a security information and event management system in place, or data loss prevention monitoring
• adequate training for all staff and senior management

Takeaways regarding safeguards for all organizations

• Organizations should have documented privacy and security practices as part of their compliance program
• The sensitivity of the personal information collected must be considered when determining and developing an organization’s information and security program
• Organizations should conduct regular and documented audits and risk assessments
• Documenting your privacy and security practices can assist your organization identify gaps
• Training of all employees, including senior management is part of a functional and robust compliance program.

        2. Indefinite Retention and Paid Deletion of User Accounts

Both PIPEDA and the Australian Privacy Act place require limits on the length of time that personal information may be retained and require organizations take reasonable steps to destroy or de-identify information no longer needed for any purpose.

The investigation highlighted that information of deactivated accounts as well as accounts that have not been used for a prolonged period were retained by ALM indefinitely. Further, at the time of the breach, Ashley Madison provided users with two methods to close an account; a basic de-activation that would allow users to re-activate their accounts in the future should they choose to, and a full deletion for a fee of CAD $19 that would delete all personal information within 48 hours (Note: This fee was not disclosed in ALM’s privacy policy or terms of service). However, it was alleged that ALM did not delete all personal information and retained certain financial information in the event of charge backs for a period of up to 12 months following the purchase of a full deletion. ALM presented statistics to the OPC and OAIC that if any chargebacks were to occur, they would happen within 6 months from the date of purchase. Among those affected by the breach were individuals who purchased the full deletion and likely believed their information was destroyed.

The OPC and OAIC had the following findings regarding retention and deletion:

• ALM had data that the vast majority of users who deactivated their account reactivated it within 29 days. As such, ALM was unable to justify an indefinite retention period of users who deactivated their accounts. Further, it was not clear to users that information would be retained indefinitely.
• Accounts that have been inactive for prolonged periods were retained indefinitely. While such account users did not provide an affirmative indication of their intent to no longer use their account, justification to retain the personal information diminishes over an extended period of time. Lack of clear retention limits and inability to justify retaining inactive profiles indefinitely contravened PIPEDA and the Australian Privacy Act.

The OPC and OAIC varied in their conclusions regarding the retention of information of users who purchased the full delete option.

• Under the Australian Privacy Act, ALM is required to destroy or de-identify personal information once it no longer needs it for any primary purpose (deliver its online dating services) and can only retain data for a secondary purpose (reasonably believes is necessary for charge backs to address the risk of fraud ) for a limited time period. ALM provided sound business and legal reasons to retain the financial data to which the OAIC found ALM provided a reasonable basis to retain the financial information for 12 months.
• The OPC also found ALM satisfied its retention of financial information to prevent chargebacks for 12 months following a full delete (Note: ALM has reduced the retention period to 6 months since the breach), however the OPC found ALM contravened PIPEDA as a result of photo’s that were retained by error following a full deletion.

The OPC found ALM’s practice of charging a CAD $19 fee for withdrawal of consent and full deletion contravened PIPEDA, as ALM did not disclose the fee at the time of sign up, as well, the OPC is not convinced ALM met the high burden to request such a fee. ALM no longer charges a fee for full deletion.

Takeaways regarding deletion and retention for all organizations

• While PIPEDA is silent on whether organizations may charge a fee to delete their personal information, the OPC has established a high bar in demonstrating such a fee is reasonable.
• If a fee were reasonable, it must be clearly disclosed and communicated prior to an individual providing consent.
• Organizations should document retention policies based on a demonstrable rationale and timeline
• Organizations must clearly disclose and communicate such retention timelines to individuals
• Organizations should review and audit their practices to ensure information is being deleted and de-identified accordingly.

         3. Accuracy of Email Addresses

Both PIPEDA and the Australian Privacy Act require organizations to take steps to maintain the quality and accuracy of the personal information they collect and use.

ALM collects e-mail addresses in order to create accounts and send confirmation, support and marketing e-mails. ALM’s practice was not to verify e-mail addresses as manner to enhance privacy. Also, ALM feared it would discourage some individuals from signing up. A subset of e-mail addresses involved in the breach belonged to people who never used Ashley Madison. ALM admitted it was aware that some users do no provide their real e-mail addresses when they register, and as such, was in possession of e-mail addresses that belonged to non-users.

Given the sensitivity of the Ashley Madison service and the possible harm a non-user could face, the OPC and OAIC found ALM did not take reasonable steps to ensure the e-mail addresses were accurate. The Commissioners did not agree with ALM’s argument that making the e-mail address field mandatory, but not verified, is a practice of enhancing the privacy of its users. The Commissioners found such approach creates an unnecessary risk in the lives of non-users in order to provide users with a possibility of denying their association with Ashley Madison. The Commissioners highlighted other options available to ALM to address this issue and emphasized that ALM has a responsibility for all information it collects, including considering the personal information provided from a user that does not belong to them (a user providing an e-mail address that is not theirs to register) and must consider the possible harm of the non-user.

Takeaways regarding accuracy for all organizations

• The level of accuracy required by organizations is impacted by the foreseeable consequences of inaccuracy
• Organizations must take reasonable steps to ensure information in their possession is accurate
• Organizations are responsible for all information in their control, including information that belongs to non-users, non-customers or other third parties who did not directly provide their information to the organization.
• The requirement to maintain accuracy must include considering the interests of all individuals about whom the information might be collected, including non-users, non-customers and other third parties.

           4. Requirement for transparency and informed consent

PIPEDA states that consent is only valid if it is reasonable to expect the individual would understand the nature, purpose and consequences of the collection, use and disclose of the personal information to which they are consenting. PIPEDA also requires organizations to make their handling practices readily available and understandable to individuals.

The OPC analyzed two issues, first whether the privacy practices of ALM were adequate under PIPEDA, and two, whether the privacy practices at the time individuals were consenting to provide their information to ALM was adequate and not obtained through deception.

Generally, the OPC found that while ALM did provide some information about its security safeguards, account closure options and retention practices, critical elements of their practices that would be material to users’ decision to join Ashley Madison were not as clear as they should be. For example:

• The fabricated “trusted security award” trust-mark
• Language in the privacy policy and terms and conditions were not consistent regarding retention of personal information and could confuse a user or lead them to expect that inactivity can alone lead to the deactivation or deletion of their information
• The required fee for a full deletion was not disclosed until after creating an account
• Users who requested a full deletion were not informed until after they paid the fee that their information would in fact be retained for an additional 12 months

The OPC found ALM did not meet its obligations under PIPEDA to be open and transparent about its policies and practices of its management of personal information. The OPC further found the lack of clarity regarding certain practices could materially impact a prospective user’s informed consent to join Ashley Madison and allow the collection, use and disclosure of their personal information.

Takeaways regarding transparency for all organizations

• Organizations must be cautious of the representations they make in their privacy policies and terms and conditions
• Omission or lack of clarity of material statements may also impact the validity of consent. Organizations should make effort to ensure an individual understands the nature, purpose and consequences of their consent.
• Organizations privacy policies, terms of service and other disclosure of practices should be clear and inform individuals prior to or at the time of consenting.

The Commissioners noted that ALM was cooperative during the investigation. ALM has entered into a compliance agreement with the OPC and an enforceable undertaking with the OAIC. The events of the hack and the report by the Commissioners provide important lessons for all organizations that collect personal information.

To read details of the compliance agreement with the OPC and the steps Avid Life Media has undertaken to take, click here.

The news release released by the OPC on August 23, 2016 can be found here.

The OPC’s summary of takeaways for all organizations can be found here.

To read the full joint report of the investigation by the OPC and OAIC click here.

The Office of the Privacy Commissioner of Canada (OPC) recently hosted a knowledge session to stakeholders to discuss its recent investigation against Compu-Finder. This was the first investigation by the OPC involving the address harvesting provisions under the Personal Information and Electronic Documents Act (PIPEDA). See our post summarizing the findings and the OPC’s full report here.

While the OPC could not disclose details of its investigation, the OPC provided attendees with information about its interpretation of its investigative powers, its approach to the investigation and tips for organizations.

The Investigation

Unlike its complaint-driven investigations, this investigation was an intelligence-driven case under the address harvesting provisions that were added to PIPEDA by Canada’s Anti-Spam Legislation (CASL). After significant intelligence gathering to meet its reasonable grounds burden, a Commissioner-initiated investigation was commenced allowing the OPC to collect further intelligence from Compu-Finder, affected individuals and third parties, including by affidavits. The OPC highlighted it applied a cross-functional investigation, using numerous departments and tools, including extensive use of the OPC technology LAB.

It is important to note that unlike the Canadian Radio-television and Telecommunications Commission (CRTC), which is the regulator with main responsibility for enforcement of CASL, the OPC must have reasonable grounds to start an investigation that has not been filed by an individual. The CRTC does not have to discharge that burden before commencing an investigation.

Key Takeaways

“The truth is in your records”. The OPC stressed the importance of record keeping. This has become a consistent theme regarding PIPEDA and CASL. (See our post on the CRTC’s guidance here.) The OPC highlighted that record-keeping was a fundamental issue in its investigation. Organizations must be able to meet their due diligence obligations and prove they have consent for the personal information they collect and use, and for every e-mail they send under CASL. The OPC found that Compu-Finder’s records were inadequate or in some cases may have contradicted their position.

Other lessons offered were:

• Exercise care when crafting responses to the OPC during investigation
• An established privacy compliance program can greatly assist you in demonstrating accountability
• Part of due diligence involves following up, double checking and auditing your policies and procedures

Stakeholders undoubtedly appreciated the OPC’s proactive gesture in providing this opportunity to learn more.