Monthly Archives: June 2016

FTC Increases Maximum Fines for Violations of Certain Sections of the FTC Act

On June 29, 2016, the Federal Trade Commission announced that, to account for inflation, it is increasing the civil penalty maximums for certain violations of the FTC Act effective August 1, 2016. The FTC’s authority for issuing these adjustments comes from the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015. The Federal Register Notice indicates which sections of the FTC Act the adjustments will apply to, and the corresponding increases. For example, the FTC has increased the maximum fine from $16,000 to $40,000 for certain violations of Section 5 of the FTC Act.

Second Reading of China’s Draft of Cybersecurity Law

On June 27, 2016, the Standing Committee of the National People’s Congress of the People’s Republic of China held a second reading of the draft Cybersecurity Law (the “second draft”). The law is aimed at strengthening the protection and security of key information infrastructure and important data in China. As we previously reported, the first draft of the Cybersecurity Law was published for comment almost a year ago, but the National People’s Congress has not published the full second draft of the Cybersecurity Law to date.

According to the website of the National People’s Congress, the second draft of the Cybersecurity Law stipulates that the State will adopt priority protection over key information infrastructure that would seriously jeopardize national security and the public interest if data was damaged or leaked.

The second draft also reiterates the requirement that key information infrastructure operators should store, within the territory of China, personal information and other important business data collected and produced during operations. If it is necessary to transfer such information and data to overseas individuals or organizations for business requirements, a security assessment should be conducted.

The second draft has a new provision requiring that information collected by competent government authorities during their protection of key information infrastructure be used only for the protection of network security. The second draft additionally states that big data applications must anonymize personal information, and that the State will support research on protecting data and promoting security.

Network operators will be required to comply with social morals and business ethics, and will be subject to governmental and public supervision. In addition, network operators will be required to preserve web logs for at least six months, and cooperate with the supervision and inspection of competent government authorities.

Revised Privacy Shield Documents Leaked to Politico

On June 29, 2016, Politico reported that it has obtained updated EU-U.S. Privacy Shield documents following the latest negotiations between U.S. and EU government authorities. Certain aspects of the prior Privacy Shield framework were criticized by the Article 29 Working Party, the European Parliament and the European Data Protection Supervisor.

Although there has been no official confirmation that the updated documents reflect the latest iteration of the Privacy Shield framework, the documents do address some of the criticisms levied by various European authorities. For example, the updated Privacy Shield documents:

  • clarify that the Privacy Shield applies to personal data transferred from Iceland, Liechtenstein and Norway in addition to the EU Member States;
  • require Privacy Shield-certified companies to include a provision in onward transfer contracts obligating the recipient to notify the Privacy Shield-certified company if the recipient can no longer provide the same level of protection as required by the Privacy Shield principles; and
  • include an express obligation for Privacy Shield-certified companies to delete or de-identify personal data after it is no longer relevant for the purposes of processing or compatible purposes, with limited exceptions (e.g., processing for public interests).

According to Politico, the Article 31 Committee’s vote on the EU-U.S. Privacy Shield framework will take place on July 8, before being formally adopted by the European Commission on July 11. Then, European Commissioner Jourová and U.S. Secretary of Commerce Penny Pritzker are expected to formally sign the deal and present it to the public on July 12.

China Publishes Provision to Regulate Internet Search Services

On June 25, 2016, the Cyberspace Administration of China published its new Administrative Provisions on Internet Information Search Services (the “Provisions”). The Provisions will come into effect on August 1, 2016.

Under the Provisions, Internet information search service providers (“service providers”), which include operators of search engines, are required to adopt information security management systems, such as systems enabling the review of information, real-time inspection of public information and protection of personal information.

Under the Provisions, service providers are prohibited from showing subversive and obscene content and other content prohibited by law and regulation. If legally prohibited content shows up in a search result, service providers should block the result and report it to the Cyberspace Administration.

In addition, service providers should provide search results that are objective, impartial and authoritative. When providing paid search results, service providers must review the qualifications of the paying clients and clearly identify paid results and natural search results, attaching clearly evident marks to paid search results on an item by item basis.

The release of the Provisions was triggered by the death of a young man, who chose a hospital based on an Internet search on Baidu (a popular search engine in China), but received ineffective hospital treatments and therapy that was not yet fully approved.

Draft Released in the Philippines Implementing Rules for the Data Privacy Act

This post has been updated. 

On June 17, 2016, the National Privacy Commission (the “Commission”) of the Philippines released draft guidelines entitled, Implementing Rules and Regulations of the Data Privacy Act of 2012 (“IRR”), for public consultation.

Under the IRR, the processing of personal data has to adhere to the principles of transparency, legitimate purpose and proportionality. The IRR defines personal data as personal information, sensitive information and privileged information. Sensitive information refers to personal information about an individual’s race, ethnicity, health, education, genetic or sexual life, proceedings related to an offense committed by a person, health records and tax returns. According to the IRR, the personal information controller should take organizational, physical and technical security measures for data protection. Such security measures include the designation of a privacy officer, limitations on physical access and the adoption of technical and logical security measures.

The IRR stipulates general principles for data sharing. According to the IRR, in order to conduct lawful processing of personal data, the data subject must have given his or her consent prior to collection. Consent of the data subject has to be evidenced by written, electronic or recorded means. The IRR also specifies information that is not subject to the Data Privacy Act, such as information of a governmental officer that relates to his or her position or functions.

Under the IRR, the basic rights enjoyed by data subjects include rights to be informed, to object, of access, of correction, of rectification, erasure or blocking and to damages. The Commission and affected data subjects should be notified within 24 hours upon the knowledge of or reasonable belief that a security breach has occurred. The IRR also includes registration and compliance requirements, including a requirement to register data processing systems operating in the country.

The IRR stipulates penalties for unauthorized processing of personal information, improper disposal of personal information, unauthorized disclosure and other violations. Violations of the Data Privacy Act, the IRR and other orders may be subject to cease and desist orders, temporary or permanent bans on the processing of personal data and the imposition of fines.

The Data Privacy Act established the Commission earlier this year as an independent body to monitor and ensure the compliance of personal information controllers with international standards for data protection. The IRR specifies the functions, organizational structure and other details of the Commission. For example, the functions of the Commission include (1) making rules such as issuing guidelines for data protection and proposing legislation on privacy or data protection, (2) performing compliance and monitoring functions to ensure effective implementation of the Data Privacy Act, and (3) adjudicating on complaints and investigations of violations of the rights of data subjects.

The IRR also includes provisions on other issues such as data privacy and security in government, outsourcing and subcontracting of personal data.

The IRR contains some provisions that add new requirements going beyond those of the original text. These can vary from, or have the potential to be more burdensome on enterprises than, the original requirements. Described below are some of the provisions:

  • The IRR defines “personal data” and “personal information” as two separate terms. “Personal information” is defined as the abstract information itself, while “personal data” is personal information that has been inputted into an information and communication system (which presumably means a computer system), and therefore has presumably been digitally and electronically formatted.
  • In addition to personal information that has been electronically formatted, the term “personal data” also includes “sensitive information” and “privileged information.”
  • The IRR expounds upon a provision in the original requirements that says when personal information has been collected in a foreign jurisdiction for processing in the Philippines, the data privacy laws of the foreign jurisdiction will apply in relation to the collection of personal information, but the Data Privacy Act will apply to processing that takes place within the Philippines.
  • The IRR requires that sharing of personal data in the private sector proceeds according to a data sharing agreement which is subject to the review of the Commission.
  • The IRR imposes some potentially elaborate and time-consuming rules on internal organizational operations and structure, such as the requirements to (1) appoint a privacy officer, (2) implement capacity-building, orientation and training programs in relation to privacy and security, and (3) carry out system monitoring.
  • The IRR gives the data subject an additional right to object or withhold consent to further processing. This appears to be a new right that did not appear in the original requirements.
  • The IRR requires notification of a data breach within 24 hours under normal circumstances, though notification may be delayed in some circumstances.
  • The IRR materially expands the circumstances under which a breach notification must be made. In effect, the IRR now requires notification for any security breach that involves personal, sensitive or privileged information.
  • The IRR now requires registration of data processing operations and data processing systems, and requires that the Commission be notified of any wholly or partly automatic processing operations.
  • In relation to the accountability principle, the IRR expressly establishes the potential for joint liability, along with the personal information controller, on the part of personal information processors, privacy officers, employees and agents. It also establishes the possibility of criminal liability.

Comments on the IRR should be sent by July 15, 2016, to the Commission at

Complete Our GDPR Readiness Survey

With the EU General Data Protection Regulation (“GDPR”) enacted and due to come into force in May 2018, the Centre for Information Policy Leadership at Hunton & Williams and AvePoint have launched a global survey to enable organizations to benchmark their readiness for the GDPR. The survey focuses on the key areas of impact and change for organizations under the GDPR, such as consent, legitimate interest, data portability, profiling, privacy impact assessments, DPOs, data transfers and privacy management program.

Please participate in this survey designed to help organizations:

  • assess their current state of readiness for the GDPR;
  • benchmark and evaluate their readiness in relation to industry peers on an ongoing basis;
  • understand key changes and compliance obligations under the GDPR; and
  • determine a best implementation path forward and make appropriate resources and budgetary requests to meet their goals.

The anonymous results will be aggregated, analyzed and used to publish an annual benchmark report that will provide your organization with an overview of the current state of preparedness for the GDPR and recommendations of identified best practices among the survey respondents. This will help Chief Privacy and Data Protection Officers who are looking to ramp up their privacy programs, as well as Chief Information Officers, Chief Information Security Officers, business leaders and the entire executive leadership within organizations as they are considering companywide change-management programs for the implementation of the GDPR.

By completing the survey, you will receive a report that outlines what organizations from different industries and regions are doing to prepare for the GDPR. The first report is expected to be ready in September 2016, and we plan to repeat the survey annually to track progress.

Take the survey.

*We ask that one representative from your organization complete the survey and encourage you to work with the appropriate individuals in your organization to fill out the survey. Please complete the survey by July 8, 2016.

Great List of Hack Sites

The SANS Pen Test group has a poster they hand out at SANS conferences and put in mailings that has an awesome mind map of hacking challenge/skills sites.

Won't be going to a conference soon or not on the mailing list? No worries, the poster can be downloaded here and all of the SANS posters are located here, including DFIR, Threat Intelligence, CIS and some general information posters.

If you're not familiar with SANS posters, they're not just marketing tools (but of course they advertise an event, too) but are full of good, useful information. Like the hack sites mind map.


Ad Network to Pay Nearly $1 Million in Civil Penalties to Settle FTC Charges That It Geo-Tracked Consumers Without Permission

On June 22, 2016, the Federal Trade Commission announced a settlement with Singapore-based mobile advertising network, InMobi, resolving charges that the company deceptively tracked hundreds of millions of consumers’ locations, including children, without their knowledge or consent. Among other requirements, the settlement orders the company to pay $950,000 in civil penalties.

InMobi provides a platform for app developers to sell advertising space on their apps. The company offers geo-targeting products that allow advertisers to target consumers based on their physical location. According to the FTC’s complaint, InMobi represented that it tracks consumers’ locations in a manner consistent with device privacy settings, and only if the consumer provides opt-in consent. Nevertheless, the FTC alleged that the company tracked consumers’ locations and served geo-targeted ads, regardless of the users’ location settings. The complaint also states that even if a consumer had restricted an app’s access to location information, InMobi was able to track the consumer’s location by collecting information about the wifi networks that were connected to, or in-range of, the consumer’s device.

The FTC’s complaint includes charges that InMobi violated the Children’s Online Privacy Protection Act (“COPPA”) by knowingly collecting personal information from thousands of child-directed apps in order to track children’s locations and serve them with interest-based advertising. According to the complaint, this tracking was done despite InMobi’s promise not to do so without notifying parents or receiving their consent.

The FTC’s consent order imposes a $4 million civil penalty, to be suspended upon InMobi’s payment of $950,000 due to the company’s current financial situation. The settlement also requires InMobi to (1) comply with COPPA, (2) delete all personal information collected from children and all location information collected from other users, (3) obtain express affirmative consent prior to collecting location information that is not overridden by a consumer’s permissions or settings, and (4) implement a comprehensive privacy program and obtain independent assessments of the program biennially for the next 20 years.

UK Votes to Leave the EU: Data Protection Standards Unlikely to Be Affected

On June 23, 2016, the UK held a referendum to decide upon its continued membership in the European Union. The outcome has resulted in the decision for the UK to withdraw its membership from the European Union. Despite the result, data protection standards are unlikely to be affected.

The full details of how and when the UK will negotiate its exit from the EU are still unclear. The process for withdrawal will be a long one, and unless there is an agreement to the contrary, it will take a minimum of 2 years. The next step is for the UK to serve notice of its intention to exit the EU using the formal legal procedure set out in Article 50 of the Treaty on European Union. As yet, no notice has been served, and none is likely to be served until a new UK prime minister is in place, widely expected to be in October 2016.

From a data protection perspective, any change will not be immediate. Regardless of the referendum result, the incoming EU General Data Protection Regulation (“GDPR”) will become law on May 25, 2018, meaning that the UK will almost certainly experience life under the GDPR. Businesses will therefore need to continue to prepare for, and start to comply with, the GDPR despite the UK’s withdrawal from the EU. Other EU Member States must also comply with GDPR beginning May 25, 2018.

Given that businesses will want to trade in the EU, once the UK formally leaves the EU, it is highly likely that the UK would seek to put in place a legal framework that reflects the GDPR. In particular, it appears that the UK would seek recognition as an “adequate” jurisdiction in order to allow the free flow of data from the EU to the UK. This has been confirmed by the UK’s Information Commissioner’s Office (“ICO”) in its statement issued on June 24, 2016. The ICO highlighted that “the Data Protection Act remains the law of the land irrespective of the referendum result.” “If the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK. But if the UK wants to trade with the Single Market on equal terms we would have to prove ‘adequacy’ – in other words UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018.”

The GDPR (or a UK equivalent) will be the prevailing data protection standard in the UK, and companies should continue their GDPR preparation as before. In due course, and subject to the outcome of the UK’s exit negotiations, companies will need to review and make adjustments to their compliance programs, including relevant data transfer mechanisms, to reflect the fact that the UK will have a separate (albeit similar) data protection law to the EU.

The Bavarian DPA Issues Paper on Certifications Under the GDPR

On June 22, 2016, the Bavarian Data Protection Authority (“DPA”) issued a short paper on certifications under Article 42 of the General Data Protection Regulation (“GDPR”). The GDPR will become effective on May 25, 2018.

This paper is part of a series of papers that the Bavarian DPA will be issuing periodically on specific topics of the GDPR to inform the public about what topics are being discussed within the DPA. The DPA emphasizes that these papers are non-binding.

The GDPR allows DPAs to issue data protection certifications to companies. According to the Bavarian DPA, such certifications would allow companies to demonstrate that their data processing activities comply with the requirements of the GDPR; however, certified companies must still comply with the law and can be subject to supervision by DPAs. Nevertheless, the Bavarian DPA states that certification can still be beneficial for companies in the event of a DPA investigation. According to the DPA, it is important that companies applying for certification have a thorough knowledge of their data processing activities and have documented them in a transparent manner. Furthermore, the DPA stated that companies that already have data processing inventories and good data protection management will be able to fulfill the essential requirements for certification.

The DPA emphasized the requirements of the GDPR that a certification should be issued for a maximum period of three years and that certifications can be withdrawn if companies no longer meet the requirements for such certification.

The Bavarian DPA believes that certification under the GDPR has great potential and can provide clarity as to whether data processing operations comply with legal requirements under data protection law. In particular, the DPA thinks that certification could be beneficial for cloud-providers as it would allow customers and individuals to get a better understanding of the level of compliance in relation to specific products. However, this requires that new practical certification processes be developed and existing certification processes be updated accordingly.

Security is Not, and Should not be Treated as, a Special Flower

My normal Wednesday lunch yesterday was rudely interrupted by my adequate friend and reasonable security advocate Javvad calling me to ask my opinion on something. This in itself was surprising enough, but the fact that I immediately gave a strong and impassioned response told me this might be something I needed to explore further… The UK …

Enterprise Security Weekly #7 – Web Application Scanning

This week on Enterprise Security Weekly, Tenable makes a strategic partnership to ease authenticated vulnerability scanning, Avast announces a much faster antivirus engine, RiskSense unveils cyber risk scoring that allows some other kind of scoring that you might be familiar with, and Alert Logic goes into the cloud. All that and more, so stay tuned!

NTIA Releases Facial Recognition Technology Best Practices

On June 15, 2016, the U.S. Department of Commerce’s National Telecommunications and Information Administration (“NTIA”) announced that its multistakeholder process to develop a code of conduct regarding the commercial use of facial recognition technology had concluded with the group reaching a consensus on a best practices document. As we previously reported, the NTIA announced the multistakeholder process in December 2013 in response to the White House’s February 2012 privacy framework, which directed the NTIA to oversee the development of codes of conduct that specify how the Consumer Privacy Bill of Rights applies in specific business contexts.

The best practices, which are voluntary, encourage “Covered Entities” (defined as any person, including corporate affiliates, that collects, stores or processes facial template data, but excluding government and law enforcement agencies) to take certain measures including:

  • Make available to consumers, in a reasonable manner and location, policies or disclosures describing Covered Entities’ practices regarding collecting, storing and using personal data;
  • Consider various factors when developing facial template data management practices, including the types of non-facial recognition sensitive data being captured and stored, how that data will be stored and used and reasonable consumer expectations with respect to the use of data;
  • Provide individuals the opportunity to control the sharing of their facial template data with unaffiliated third parties;
  • Take measures to protect covered data by implementing a program that contains reasonable administrative, technical and physical safeguards appropriate to the Covered Entity’s size and complexity, the nature and scope of its activities and the sensitivity of the facial template data;
  • Take reasonable steps to maintain the integrity of the facial template data they collect; and
  • Provide a process consumers can follow to contact the Covered Entity regarding its use of facial template data.

The document also notes that “the best practices are intended to provide a flexible and evolving approach to the use of facial recognition technology, designed to keep pace with the dynamic marketplace surrounding these technologies.”

Hack Naked TV – June 21, 2016

This week on Hack Naked TV, Beau Bullock talks about Bad Tunnel, GoToMyPC, and how Ransomware is all JavaScript. Watch for full stories, here on Hack Naked TV!

Beau teaching SANS SEC504 in Marina del Rey, CA August 15, 2016:

The New Wave of Consumer Class Actions Targeting Retailers: What is the TCCWNA?

TCCWNA. The very acronym evokes head scratches and sighs of angst and frustration among many lawyers in the retail industry. You have probably heard about it. You may have even been warned about it. And you may currently be trying to figure out how best to minimize your risk and exposure this very moment. But what is it and why has virtually every retailer been hit with a TCCWNA class action demand letter or lawsuit in the past few months? And why are most retailers scrambling to update the terms and conditions of their websites?


As reported on the Hunton Retail Law Resource blog, the New Jersey Truth-in-Consumer Contract Warranty and Notice Act (“TCCWNA”) was passed in 1981 to protect consumers from allegedly deceptive practices in consumer contracts, warranties, notices and signs. In an often-quoted passage, the New Jersey legislature explained its rationale for the TCCWNA as follows:

Far too many consumer contracts, warranties, notices and signs contain provisions which clearly violate the rights of consumers. Even though these provisions are legally invalid or unenforceable, their very inclusion in a contract, warranty, notice or sign deceives a consumer into thinking that they are enforceable and for this reason the consumer often fails to enforce his rights.

To that end, Section 15 generally prohibits retailers from offering or displaying any provision that violates a clearly established right to any actual or prospective consumer in a consumer contract, warranty, notice or sign. Section 16 generally prohibits retailers from including language stating that any such provision is or may be void, unenforceable or inapplicable in “some jurisdictions” without specifically stating whether it is in New Jersey or not.

For nearly thirty years, TCCWNA was used sparingly by plaintiffs, who often brought TCCWNA claims only as a tack-on to claims brought under New Jersey’s notorious Consumer Fraud Act (“CFA”). But, in the past five or six years, things have changed. Indeed, as the following graphic by the New Jersey Civil Justice Institute (“NJCJI”) illustrates, the frequency of TCCWNA cases spiked sharply in 2009 and has been on the rise ever since:

[Graphic: NJCJI chart of TCCWNA case frequency]

While many attorneys have spent a great deal of time trying to figure out why TCCWNA cases have increased exponentially in recent years, the primary causes appear to be the following:

  • a series of judicial decisions that have led the plaintiffs’ bar to believe that TCCWNA claims are now even more plaintiff-friendly and more susceptible to class certification than CFA claims;
  • the TCCWNA’s potential applicability to “prospective” customers, not just actual customers, thereby potentially expanding the pool of interested plaintiffs and the scope of potential liability to customers who did not make a purchase and with no discernible injury; and
  • the availability of statutory damages of $100 per customer as well as attorney’s fees and costs under the TCCWNA, which could expose companies to enormous liability.

The original wave of TCCWNA cases focused on the terms and conditions in a variety of alleged consumer contracts, warranties, notices and signs, including restaurant menus, advertising materials, gift cards and all manner of contracts and written materials.

In the past six months, however, the NJCJI has noted that an “unprecedented” number of TCCWNA cases have targeted the terms and conditions of retailers’ websites, largely because the plaintiffs’ bar now views this type of class action as “a quick ticket to jackpot justice.” As a result, a wide variety of terms and conditions commonly found on many retailers’ websites, including exculpatory, indemnification, choice of law, severability, savings, privacy and limitation of liability provisions, have been coming under increasing scrutiny. Indeed, most of the major retailers – at least two dozen – have already been targeted with such lawsuits, and many more have received pre-lawsuit demand letters. Since most retail websites use the same or similar language in their website terms and conditions, there is an almost endless pool of potential targets for enterprising plaintiffs’ attorneys. In other words, if you are a retailer who has so far avoided being targeted with a TCCWNA demand letter or lawsuit, it may just be a matter of time.

For retailers grappling with such TCCWNA issues, there is currently a considerable amount of uncertainty. The courts have not yet had the opportunity to provide clear guidance, making it difficult to assess the potential viability of plaintiffs’ claims, and the potential liability is significant. As a result, retailers have reacted in different ways to the recent wave of TCCWNA demand letters and class action lawsuits targeting their websites. Some have settled out early on an individual basis. Others have moved to compel arbitration or to strike class allegations, and others have filed motions to dismiss that have raised a variety of arguments, including the applicability of the U.S. Supreme Court’s recent Spokeo decision and arguments that the TCCWNA does not apply to commercial websites by its terms or to the provisions contained therein for a variety of reasons.

We expect that some initial clarity will be forthcoming in the next six months as the initial wave of motions to dismiss in the commercial website cases are ruled upon. But, ultimately, this will likely be an issue that will need to be resolved by appellate courts down the road. In the interim, plaintiffs’ attorneys will continue to file more “copycat” TCCWNA class action lawsuits in the belief that the best way to achieve jackpot justice is to collect as many lottery tickets as possible.

In the meantime, what is a retailer to do to minimize its risk and exposure?

What Should I Do?

  • Compliance Review – Every retailer should undertake a thorough review of its website terms and conditions, as well as any other terms contained in written materials displayed to consumers as soon as possible. From a cost-benefit perspective, the effort and cost associated with ensuring that your website and other written materials comply with TCCWNA is relatively minimal compared to the potential cost associated with facing a TCCWNA class action lawsuit where every customer could potentially be entitled to $100 in statutory damages. For example, a simple review and slight modification of website terms and conditions, if necessary, may allow retailers to avoid becoming the next target and save them from a lot of headaches down the road.
  • Support Lobbying Efforts – A lobbying effort has also recently been launched to help address the recent TCCWNA abuses. The Retail Industry Leaders Association and the NJCJI have led efforts to highlight these abuses and to help support efforts to lobby the New Jersey legislature to address the underlying issues.
  • Take TCCWNA Demand Letters and Class Action Lawsuits Seriously – Some retailers may not initially take TCCWNA demand letters and class action lawsuits as seriously as they should, but the stakes are significant if a company is determined to be in violation. A few seemingly innocuous words or provisions on a commercial website, for example, could potentially translate into hundreds of millions of dollars in liability. Accordingly, retailers should treat a TCCWNA demand letter or class action lawsuit as seriously as any other major class action lawsuit presenting novel, complex issues with potentially significant liability, including hiring experienced, competent counsel and exploring insurance coverage issues early on.

CNIL Launches Public Consultation on EU General Data Protection Regulation

On June 16, 2016, the French Data Protection Authority (“CNIL”) launched a public consultation on the four priority topics identified by the Article 29 Working Party (“Working Party”) in its February 2016 action plan for the implementation of the EU General Data Protection Regulation (“GDPR”).

One of these priorities is to issue guidance to help data controllers and data processors prepare for the GDPR. Four topics have been selected:

  • the new right to data portability;
  • data protection impact assessments;
  • certification; and
  • the data protection officer.

The CNIL’s purpose in launching the consultation is to collect concrete questions, potential difficulties in interpreting the GDPR and examples of best practices in regards to interpreting the GDPR. The responses will inform the discussion of the Working Party, which will issue guidelines or develop processes on these topics. The CNIL also encourages all relevant stakeholders to propose other topics on which the Working Party could provide guidance. Stakeholders may respond to the consultation through the CNIL’s website. The consultation will be open through July 15, 2016. The CNIL will publish a summary of the contributions, and will launch another consultation on new topics in a few months.

Belgian Privacy Commission Releases 2015 Annual Activity Report

On June 9, 2016, the Belgian Privacy Commission (the “Belgian DPA”) published its Annual Activity Report for 2015 (the “Annual Report”) highlighting its main accomplishments.

During the year 2015, the Belgian DPA focused on the following topics:

  • Cookies. The Belgian DPA issued a series of recommendations on the communication of information and direct marketing practices.
  • Drones. The Belgian DPA gave a favorable opinion on the Royal Decree draft on the use of drones.
  • Anti-terrorism. The Belgian DPA also was asked to provide an opinion on the Belgian government’s proposed anti-terrorism laws, in particular the processing of passenger data, the creation of a database for foreign terrorist fighters and on the end of anonymity for users of prepaid mobile telephone cards.
  • Privacy in the workplace. In light of an increasing number of questions regarding privacy in the workplace, the Belgian DPA released a new report on the use of personal data in the workplace, including recommendations on geo-location through company cars, the use of whistleblowing hotline, BYOD, CCTV surveillance of employees and email and internet monitoring.

In regards to the underlying figures of the year 2015, the Annual Report indicates that:

  • In 2015, the Belgian DPA processed 4,192 requests or complaints, including requests for information, mediation and control. Most requests for information were related to the use of CCTV, privacy in the workplace, the right of publicity, direct marketing and privacy on the Internet.
  • The number of registrations increased to 9,799 registrations in 2015, including 6,240 registrations for the use of a CCTV system.

Read the Annual Activity Report for 2015 (in French and Dutch) and the press release (in French and Dutch). View the brochure (in French and Dutch).

European Commission Could Approve Privacy Shield in Early July

According to Bloomberg BNA, the EU-U.S. Privacy Shield framework could be approved by the European Commission in early July. The Privacy Shield is a successor framework to the Safe Harbor, which was invalidated by the European Court of Justice in October 2015. Certain provisions of the Privacy Shield documents, previously released by the European Commission on February 29, 2016, have been subjected to criticism by the Article 29 Working Party, the European Parliament and the European Data Protection Supervisor. According to Bloomberg BNA, the previously released draft adequacy decision, one of the Privacy Shield documents released on February 29, 2016, is expected to be modified.

Once approved by the European Commission, the Article 31 Committee also must approve the Privacy Shield before it comes into force.

DHS and DOJ Issue Final Guidance on the Cybersecurity Information Sharing Act of 2015

On June 15, 2016, the U.S. Department of Homeland Security (“DHS”) and U.S. Department of Justice (“DOJ”) jointly issued final guidance on the Cybersecurity Information Sharing Act of 2015 (“CISA”). Enacted in December 2015, CISA includes a variety of measures designed to strengthen private and public sector cybersecurity. In particular, CISA provides protections from civil liability, regulatory action and disclosure under the Freedom of Information Act (“FOIA”) and other open government laws for “cyber threat indicators” (“CTI”) and “defensive measures” (“DM”) that are shared: (1) among businesses or (2) between businesses and the government through a DHS web portal. Congress passed CISA in order to increase the sharing of cybersecurity information among businesses and between businesses and the government, and to improve the quality and quantity of timely, actionable cybersecurity intelligence in the hands of the private sector and government information security professionals.

The document issued yesterday included final guidelines on privacy and civil liberties and on the receipt of CTI and DM by the government:

  • Privacy and Civil Liberties Final Guidelines: Cybersecurity Information Sharing Act of 2015. This document was developed by DHS and DOJ pursuant to Section 105(b) of CISA. It establishes privacy and civil liberties guidelines governing the receipt, retention, use and dissemination of CTI and DM by a federal entity under CISA.
  • Final Procedures Related to the Receipt of Cyber Threat Indicators and Defensive Measures by the Federal Government. Developed by DHS and DOJ as directed in Section 105(a)(1)&(3) of CISA, this document establishes procedures on how the federal government receives CTI and DM. It also interprets statutory requirements for the processes by which federal entities receive and handle CTI and DM, and disseminate it to other appropriate federal entities.

Yesterday’s guidance builds on the four implementation guidance documents that the federal government issued in February of this year. Those documents included:

  • Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities under the Cybersecurity Information Sharing Act of 2015. Developed by DHS and DOJ as directed in Section 105(a)(4) of CISA, this document provides information on how non-federal entities can share CTI and DM with the federal government under CISA, and describes the protections that non-federal entities can receive, including liability protection and other statutory protections.
  • Sharing of Cyber Threat Indicators and Defensive Measures by the Federal Government under the Cybersecurity Information Sharing Act of 2015. This document covers federal cybersecurity information sharing within the federal government and with non-federal entities. It was developed by DHS, DOJ, Director of National Intelligence and Department of Defense as directed by Section 103 of CISA. Much of the document outlines current programs through which federal entities share CTI and DM with non-federal entities. The document provides limited guidance on the roles of entities involved in cybersecurity information sharing.
  • Interim Procedures Related to the Receipt of Cyber Threat Indicators and Defensive Measures by the Federal Government. The final version of these guidelines was issued on June 15, 2016, as required by CISA.
  • Privacy and Civil Liberties Interim Guidelines: Cybersecurity Information Sharing Act of 2015. The final version of these guidelines was issued on June 15, 2016, as required by CISA.

Lisa Sotto Interviewed: What Do You Do with a Hacked Law Firm? (Part 2)

In a recent video segment, “What Do You Do with a Hacked Law Firm?”, from Mimesis Law’s Cy-Pher Executive Roundtable held in May, Lisa Sotto, chair of the firm’s Global Privacy and Cybersecurity practice, and other privacy professionals discussed the Federal Trade Commission’s jurisdiction in bringing enforcement actions against law firms in a breach event. “There’s no reason why law firms are exempt from [those actions],” says Sotto. However, if the information lost is financial information or trade secrets rather than personal information, “it’s not as simple.” She also discusses how law firms can manage their reputational risk and harm. Sotto says, “If somebody wants to get into your system, they will get in. The trick is being more secure than the next guy.”

View the video.

FTC Settles Charges of Misleading Consumers with Electronic Health Records Company

On June 8, 2016, the Federal Trade Commission announced that Practice Fusion, an electronic health records company, agreed to settle FTC charges that the company misled consumers about the privacy of doctor reviews submitted to the company.

According to the FTC’s complaint, Practice Fusion operated a website, Patient Fusion, which enabled patients to view and download their health records and transmit them to health care providers. In 2013, Practice Fusion created a public-facing directory on the website of health care providers. The directory would enable patients to search for providers and read patient reviews of those providers. To build the directory, Practice Fusion emailed surveys to patients asking for these reviews. The survey contained a free text box that advised patients to “Please leave a review for your provider,” which was accompanied by an admonition to “not include any personal information” in the review. A box stating “Keep this review anonymous” at the bottom of the survey was pre-checked, although that did not anonymize the information in the review, but rather only posted the review on the website as coming from “Anonymous.” Finally, patients were required to check a box agreeing to a Patient Authorization, but were not required to view the authorization, which stated that reviews would be posted publicly.

The Patient Fusion website published the patient reviews, which in some cases included patient names and phone numbers, as well as information regarding patients’ medical conditions and medications they were taking. Importantly, these reviews included those taken from patients before April 2013, when Practice Fusion updated its privacy policy to indicate, for the first time, that the patients’ doctor reviews would be “presumed public.” Taken together, the FTC alleged that Practice Fusion “failed to disclose adequately” that it would “publish the responses on its public healthcare provider review website.” Because this information would be “material to consumers in deciding whether or how to respond to the survey,” Practice Fusion’s failure to disclose it constitutes a deceptive act or practice.

The proposed Agreement Containing Consent Order will obligate Practice Fusion to:

  • not misrepresent the extent to which Practice Fusion uses, maintains and protects the privacy and confidentiality of any covered information, including the extent to which personal information shall be made publicly available, including by posting on the Internet;
  • prior to making any patients’ covered information publicly available:
    • clearly and conspicuously disclose to the consumer, separate and apart from “privacy policy,” “terms of use” page, or similar document, that such information is being made publicly available, including by posting on the Internet; and
    • obtain the consumer’s affirmative express consent;
  • not publicly display any healthcare provider review information, and not maintain any healthcare provider review information, except for review and retrieval by its healthcare provider customers;
  • deliver the order to relevant company officers, employees and others;
  • submit compliance reports and notices to the FTC; and
  • retain certain specified records for five years, including any records necessary to demonstrate full compliance with the Consent Order.

In the press release announcing the settlement, Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, stated that “[c]ompanies that collect personal health information must be clear about how they will use it – especially before posting such information publicly on the Internet.”

This is the second important FTC enforcement action in the healthcare space in 2016. In January, we reported on the FTC’s settlement with Henry Schein Practice Solutions, Inc., a dental office management software provider.

Bad analogy, bad. No biscuit.

If you use the “If I leave my door unlocked you don’t have the right to walk in…” analogy when discussing web disclosures, you really need to stop. Bad analogies are bad.

You know the cases, folks find things on the Internet that people didn’t mean to make public, and a storm ensues and all kinds of people say all kinds of naïve stuff, including people who should know better.

Your website is not a house, and not just because of the physical vs. virtual difference.  If we have to use this analogy, let’s at least get it more accurate.

You live on a road, it may be public, or it may be private, but either way it is open to the public- in fact public use is encouraged.  That’s why you put your house there, because of good access in and out to the rest of the world.  You put sensitive data on signs in your yard, visible from the road.  There might even be a sign that says “only read your own data”, but it is all visible.  Someone drives by and reads someone else’s sign from the road.  Maybe they take pictures of the signs.

Still imperfect, but much more accurate.  And so convoluted it doesn’t help make any point.  These issues are not simple and misrepresenting them and oversimplifying things does not help.

Note that I have not made any judgements about who exposed what where, and who drove by and looked at it.  If it is your house and you post my data in an irresponsible manner, you are being irresponsible.  If someone feels the need to copy everything to prove a point, that causes problems, even when their intentions are good.

Without picking any specific cases, most of the ones that make the news are a combination of errors on both sides.  You should act like sensitive data is, I don’t know, sensitive.  And when you stumble across things like that (and you will if you use the Internet and pay attention), you should think about how folks will react, and keep the CFAA in mind.  Right or wrong, that’s the world we live in.  I think the CFAA is horrible and horribly out of date, as is the DMCA- but while they are the law and enforced, ignore them at your peril.  It is worth considering that when people find stuff that shouldn’t be posted publicly, it generally doesn’t require downloading the entire dataset to report the problem, in fact that is likely to create problems for everyone.

And yes, that’s a gross oversimplification from me in a post where I decry gross oversimplification.  Literary license or something.

And because I actually care about this mess we’re in, I’ll make an offer I hope I don’t regret: if you stumble across things which are exposed and you really don’t know how to handle it please pause and reach out to me. I’ll ask friends in law enforcement for guidance for you if you wish to remain anonymous, or I’ll try to help you find the right folks to work with. If you are outside of the US, I’m unlikely to be of much help, but I’ll still make inquiries.

Note that if you are on any side of one of these situations and act like a dumbass, I reserve the right to call you a dumbass.  I’ll still try to help, but I’m calling you a dumbass if you deserve it.  That’s as close to idealistic as you’ll get from me.



U.S. Government Seeks to Join Schrems Case

On June 13, 2016, the U.S. government expressed its wish to join the legal proceedings brought by Max Schrems concerning the validity of international data transfers under EU Standard Contractual Clauses.

Along with the U.S. government, the Irish Business and Employers Confederation and the Business Software Alliance, an industry trade group, also informed Ireland’s High Court of their desire to be added to the case as amici curiae, or “friends of the court.”

Each party will now have two weeks to file a motion seeking permission to be heard as an amicus curiae. If granted, the party will be allowed to file a written brief, which the High Court can take into account.

Security Weekly #468 – Chris Poulin, X-Force

This week on Security Weekly, Larry serves as our interim host alongside co-host Russell Beauchemin, who will be in studio with our guest Chris Poulin. Larry will talk with Russell about his new HoloLens! They talk about typosquatting package managers, 20 years of red teaming, spear phishing, how InfoSec is a sham, and GPS DoS.

Is it the End of Angler?

Everyone looking at the drive-by landscape is seeing the same thing: just as Nuclear disappeared around April 30th, Angler EK totally vanished on June 7th. At first we thought of a vacation, as in January 2016, or maybe an infrastructure move. But something else is going on.

On the weekend of June 4-5, I noticed that the ongoing malvertising from SadClowns was redirecting to the Neutrino Exploit Kit (dropping Cerber).

EngageBDR malvertising redirecting to SadClowns infra pushing traffic to Neutrino to Drop Cerber Ransomware
On the 6th I noticed several groups migrating to RIG, Neutrino or even Sundown.
But I was left speechless when I noticed that GooNky had switched to Neutrino to spread their CryptXXX U000001 and U000006.
They had been sticking exclusively to Angler EK for years, and their vacation was synchronized with Angler's in January.

Checking all the infection paths known to me, I could hardly find any Angler... the last ones were behind the EITest infection chain on the night of the 6th to the 7th of June.

Last Angler pass I captured on 2016-06-07
EITest into Angler dropping CryptXXX 3.200 U000017
On June 7th, around 5:30 AM GMT, my tracker recorded its last Angler hit:

Last Hit in my Angler tracker.

After that... RIG and Neutrino instead of Angler almost everywhere. [Side note: Magnitude is still around, but as mentioned earlier it has been a one-actor operation for some time.]
Aside from SadClowns and GooNky, here are two other big (in terms of traffic volume) groups whose transition has not already been covered:

"WordsJS" (named NTL/NTLR by RiskIQ) into Neutrino > CryptXXX U000010
"ScriptJS" (named DoublePar by RiskIQ and AfraidGate by PaloAlto) into Neutrino > CryptXXX U000011
This gang was historically dropping Necurs, then Locky Affid13, before going to CryptXXX.
Illustrating with a picture of words and some arrows:

MISP : select documented EK pass with associated tags.
1 arrow where you would have found Angler several days before.
(+ SadClowns + GooNky not featured in that selection)

With the recent 50 arrests tied to Lurk in mind, and knowing the infection vector for Lurk was the "Indexm" variant of Angler between 2012 and the beginning of 2016... we might think there is a connection and that some actors are stepping back.

Another hint that this is probably not "only" a vacation for Angler is that Neutrino changed its conditions on June 9th. From 880$ per week on a shared server and 3.5k$ per month on a dedicated one, Neutrino doubled the price to 7k$ on dedicated only (no more per-week option). Such a move was seen in reaction to the arrest of Blackhole's coder (Paunch) in October 2013.

So is this the End of Angler? The pages to be written will tell us.

“If a book is well written, I always find it too short.” 
― Jane Austen, Sense and Sensibility

Post publication notes:

RIG: mentioned they were still alive and would not change their price.
Maybe unrelated to the RIG mention, Neutrino updated its thread as previously announced on the underground, but the conditions are revised:
------Google translate:-----
Tarif week on a shared server:
Rent: $ 1500
Limit: 100k hosts per day
One-time daily discharge limits: $ 200

Rate per month on a dedicated server:
Rent: $ 4000
Limits: 500k hosts per day, and more - on an individual basis.
One-time daily discharge limits: $ 200
So now only the price per week is doubled, and the month rate is up ~20%.


Thanks to Will Metcalf (Emerging Threats/Proofpoint) who made the replay of SadClowns' malvertising possible. Thanks to EKWatcher and Malc0de for their help on several points.

Read More :
XXX is Angler EK - 2015-12-21
Russian hacker gang arrested over $25m theft - 2016-06-02 - BBC News
Neutrino EK and CryptXXX - 2016-06-08 - ISCSans
Lurk Banker Trojan: Exclusively for Russia - 2016-06-10 - Securelist - Kaspersky

How we helped to catch one of the most dangerous gangs of financial cybercriminals - 2016-08-30 - SecureList


There's a good article on Google Dorking on DarkReading here. If you're not sure what Google Dorking is, in essence, it's using Google (you can do the same with other search engines) with advanced operators to find information on the Internet that shouldn't be exposed. You can find files, passwords, user accounts, open webcams and all sorts of other data. The concept was made popular by Johnny Long, who now resides in Uganda with his family helping educate needy kids (Hackers For Charity is his organization and a worthy place to donate funds, equipment or time).

Lisa Sotto Interviewed: Are Law Firms Soft Targets for Hackers?

In a recent video published by Mimesis Law, Lisa Sotto, chair of the firm’s Global Privacy and Cybersecurity practice, was interviewed during Mimesis Law’s Cy-Pher Executive Roundtable in New York. Sotto, along with several other privacy professionals, discussed the risks that law firms face in protecting their clients’ confidential information, as well as their own data. “[Law firms] are seeing multiple restrictions from clients imposing safeguards on [firms] with respect to their data,” explains Sotto. “Companies that work with law firms need to understand that, while their environments could be fortress-like, their bridge is down to vendors that have authorized access to their systems or their data. Law firms, like all vendors, are potentially vulnerable.”

View the video.

A Close Look at TeslaCrypt 3.0 Ransomware

TeslaCrypt is yet another ransomware taking the cyber world by storm. It is mostly distributed via spear phishing email and through the Angler exploit kit. Angler exploits a vulnerability in Adobe Flash and, upon success, downloads a variant of the ransomware.

TeslaCrypt 3.0 possesses various updates, one of which renders encrypted files irrecoverable via normal means.

Infection Indicator/s
Machines infected by TeslaCrypt will usually have the following files present in almost every directory:

  • +REcovER+[Random]+.html
  • +REcovER+[Random]+.txt
  • +REcovER+[Random]+.png

The recovery instructions for the encrypted files can be found inside these files.
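A triage sweep for the ransom-note indicator listed above, as an added example that is not part of the original analysis. It assumes the `[Random]` token is any non-empty run of characters without `+`, treats names case-insensitively, and uses a hypothetical 50% directory threshold to stand in for "almost every directory"; all function names are illustrative.

```python
import os
import re
import tempfile
from collections import defaultdict

# File-name pattern from the article: +REcovER+[Random]+.html / .txt / .png
# Assumption: [Random] is a non-empty token containing no '+'.
# Matching is case-insensitive because Windows file names are.
NOTE_RE = re.compile(r"^\+recover\+([^+]+)\+\.(html|txt|png)$", re.IGNORECASE)
NOTE_EXTS = frozenset({"html", "txt", "png"})


def scan_tree(root):
    """Return ({directory: {token: {extensions}}}, number of directories walked)."""
    hits = defaultdict(lambda: defaultdict(set))
    total_dirs = 0
    for dirpath, _dirs, files in os.walk(root):
        total_dirs += 1
        for name in files:
            m = NOTE_RE.match(name)
            if m:
                hits[dirpath][m.group(1)].add(m.group(2).lower())
    return hits, total_dirs


def assess(root, min_fraction=0.5):
    """Classify a directory tree by how widely the ransom notes are spread.

    A directory counts as a "full set" when one token appears with all three
    extensions. min_fraction is an assumed threshold, not a value from the
    article.
    """
    hits, total_dirs = scan_tree(root)
    full, partial, tokens = [], [], set()
    for dirpath, by_token in hits.items():
        tokens.update(by_token)
        if any(exts == NOTE_EXTS for exts in by_token.values()):
            full.append(dirpath)
        else:
            partial.append(dirpath)
    fraction = len(full) / total_dirs if total_dirs else 0.0
    if full and fraction >= min_fraction:
        verdict = "likely-infected"
    elif hits:
        verdict = "suspicious"  # stray or incomplete notes: investigate manually
    else:
        verdict = "clean"
    return {
        "verdict": verdict,
        "total_dirs": total_dirs,
        "full_sets": sorted(full),
        "partial": sorted(partial),
        "tokens": sorted(tokens),
        "fraction": fraction,
    }


def build_sample_tree(base):
    """Create a constructed sample tree (empty files only) for the demo."""
    notes = ["+REcovER+abcde+.html", "+REcovER+abcde+.txt", "+REcovER+abcde+.png"]
    layout = {
        "": ["recovery_plan.txt"],             # benign lookalike, must not match
        "Documents": notes + ["report.docx"],
        os.path.join("Documents", "work"): notes,
        "Pictures": notes,
        "Music": ["+REcovER+abcde+.txt"],      # incomplete set
    }
    for rel, names in layout.items():
        directory = os.path.join(base, rel)
        os.makedirs(directory, exist_ok=True)
        for name in names:
            open(os.path.join(directory, name), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        result = assess(tmp)
        print(result["verdict"], f"{result['fraction']:.0%} of directories")
        for d in result["full_sets"]:
            print("  notes in:", os.path.relpath(d, tmp))
```

Grouping by token matters on shared storage: more than one token under the same share suggests more than one infected host wrote to it.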

TeslaCrypt ransom note

Technical Details
Note: The file used for this analysis has an MD5 value of 1028929105f1e6118e06f8b7df0b3381.

The malware starts by ensuring it’s in its intended directory. For this sample, it checks if it is located in the Documents directory. If it’s not, it copies itself to that directory and executes its copy from there. It deletes itself after executing the copy.

The ransomware creates multiple threads that do the following:

  • Monitors processes and terminates those that contain the following strings:
    • taskmg
    • regedi
    • procex
    • msconfi
    • cmd
  • Contacts the C&C server and sends certain information like system information and the unique system ID.
  • File encryption routine

TeslaCrypt is not immune to recycling code from older malware families. The initial code is an encryption of the compressed binary. Upon decryption, the malware will call the RtlDecompressBuffer API and finally write the decompressed data into its own memory.

Call to RtlDecompressBuffer

The malware also uses a technique to obscure API calls by using the hash of the API name and passing it to a function that retrieves the API address.

The malware passes an API hash to a function that returns the procedure address of the API.

The same code but labeled properly in a disassembler.

File Encryption
TeslaCrypt uses AES encryption and sends one part of the key to its C&C server, which renders the files irrecoverable from the infected system alone.

It will start by checking if the system already has its own recovery key. If not, it will begin generating the necessary encryption keys. These keys will be used for the encryption routine.

Figure 5

Checks if the recovery key already exists and generates it if it doesn’t.

TeslaCrypt will traverse all fixed, remote and removable drives for files with the following extensions:


The exception, however, is if the file contains the string “recove” or if it is found in the following directories:

  • %WINDIR% (C:\Windows)
  • %PROGRAMFILES% (C:\Program Files)
  • %COMMONAPPDATA% (C:\Documents and Settings\All Users\Application Data for Windows XP and C:\ProgramData for Windows Vista and above)
  • %LOCALAPPDATA%\Temporary Internet Files (C:\Documents and Settings\[USERNAME]\Local Settings for Windows XP and C:\Users\[USERNAME]\AppData\Local for Windows 7 and above)
Figure 6

Checking for fixed, removable and remote drives

Once a file passes the extension check, the malware will proceed with the encryption. The ransomware variant first checks for its encryption header. If the file is not yet encrypted, it will proceed with the encryption.

Encrypted files’ headers contain data that includes – but isn’t limited to – the global recovery key, the global public key, the original file size and the encrypted data itself.

Sample of an encrypted file

C&C Servers
The malware tries to connect to one of the following domains:

  • hxxp://
  • hxxp://
  • hxxp://
  • hxxp://
  • hxxp://
  • hxxp://

If it manages to connect to a server, it then sends a POST request using encoded data. The data it will send includes the following:

  • The shared key for the encryption
  • Bitcoin address
  • OS version
  • TeslaCrypt version
  • Unique ID for the infected system
HttpSendRequest with the encrypted data

Other Details
To ensure the malware only has one instance running, it creates a mutex named “8_8_8_8.”

Figure 9

CreateMutex function

It creates an autostart registry entry to ensure execution at every startup.

Autostart registry

It also adds a policy in the registry to remove permission restrictions on network drives, essentially allowing any user to access these network drives.

EnableLinkedConnections registry value

Interestingly enough, though, it appears the gang behind TeslaCrypt has had a change of heart and has publicly shared their master decrypt key. Before they shut down, the now-defunct payment site required a minimum of $500 in the form of bitcoin.

TeslaCrypt payment page

Advanced threat defense products like those used in this analysis help avoid ransomware infection. The advanced solutions catch the emerging threat before it can do any damage.  You’ve got two great lines of defense: The first is via email and the next is your network.

Advanced email defense solutions like ThreatSecure Email are designed to catch malware that evades traditional defenses. It’s a great tool to help stop attacks by detecting phishing links and exploits that deliver ransomware. That can stop TeslaCrypt from encrypting and taking the data from you.

The next stop is bolstering your network. Adding an advanced defense solution that identifies and correlates discovered threats with anomalous network activity is an invaluable tool to guard your data. ThreatTrack’s ThreatSecure Network, for instance, provides end-to-end network visibility and real-time detection to catch traffic hitting known malicious IPs associated with ransomware distribution and C&C.


The post A Close Look at TeslaCrypt 3.0 Ransomware appeared first on ThreatTrack Security Labs Blog.

Webinar on How to Discuss Cybersecurity with Your C-Suite and Board of Directors

On May 19, 2016, Hunton & Williams LLP and The Advisory Board Company hosted a webinar on How to Discuss Cybersecurity with Your C-Suite and Board of Directors. Hunton partner Matthew Jenkins moderated the session, and speakers included partner Paul Tiao, member of the firm’s Global Technology and Privacy practice, and The Advisory Board Company’s Chief Information Security Officer and Senior Research Director. Together, they provided insight and advice on how to have a productive conversation about security and risk with the most senior leaders in a health care organization.

View a recording of the webinar now.

Enterprise Security Weekly #6 – IDS/IPS

This week is, well, rough, ServiceNow buys threat intelligence company, memory scanning in the hypervisor, and next-generation network segmentation and NAC, and John and I discuss the evolution of IDS and IPS!


EU and U.S. Sign Umbrella Agreement

On June 2, 2016, the European Union and the U.S. signed an Umbrella Agreement, which will implement a comprehensive data protection framework for criminal law enforcement cooperation. The agreement is not yet in effect and additional procedural steps are needed to finalize the agreement. The European Council will adopt a decision on the Umbrella Agreement after obtaining consent from the European Parliament.

The Umbrella Agreement covers all personal data (e.g., names, addresses, criminal records, etc.) exchanged between police and criminal justice authorities of the EU Member States and the U.S. federal authorities for preventing, investigating, detecting and prosecuting criminal offenses, including terrorism.

The Umbrella Agreement will provide safeguards and guarantees of lawfulness for data transfers, including provisions on clear limitations on data use, the obligation to seek prior consent before any onward transfer of data, the obligation to define appropriate retention periods, and the right to access and rectification.

In addition, the Umbrella Agreement will grant to EU citizens equal treatment with U.S. citizens with respect to judicial redress rights before U.S. courts in case U.S. authorities deny access or rectification, or unlawfully disclose personal data. In this regard, the signature of the U.S. Judicial Redress Act, granting judicial redress rights to EU citizens, by President Obama in February 2016 paved the way for the signature of the Umbrella Agreement.

The Umbrella Agreement will complement existing EU-U.S. and Member State–U.S. agreements between law enforcement authorities.

Read the European Council’s press release.

New Do-Not-Call List Launched in France

On June 1, 2016, a new do-not-call list (the “BLOCTEL list”) was implemented in France. French residents who do not wish to receive marketing phone calls may register their landline or mobile phone number online at

The BLOCTEL list was created by French Consumer Law No. 2014-344 of March 17, 2014. This law prohibits companies from (1) making marketing calls to a consumer registered on the BLOCTEL list, except if the consumer is an existing customer of that company, and (2) selling or renting files containing the contact information of consumers registered on that list. According to the French Consumer Code, companies that do not comply with these requirements may face a fine of €15,000 to €75,000.

The French data protection authority (“CNIL”) stated that companies must inform consumers of the existence of the BLOCTEL list and ensure that the telephone numbers they call are not on the list before conducting any telephone marketing campaigns. In practice, companies will not have direct access to the BLOCTEL list, but they will have to regularly request access to the list (at least once a month) to ensure their telephone marketing activities comply with French law.

FTC to Host Consumer Disclosure Workshop in September

The Federal Trade Commission announced that it will host a workshop on September 15, 2016, “Putting Disclosures to the Test,” on the efficacy and costs of consumer disclosures in advertising and privacy policies. Planned discussion topics include examining disclosures meant to avoid deception in advertising, disclosures designed to inform consumers of data tracking, and industry-specific disclosures for jewelry, environmental and fuel-saving claims. The workshop is open to the public and will take place at the FTC’s Constitution Center offices in Washington, D.C. The FTC currently is soliciting presentation proposals for the workshop; submissions may be sent to

Security Weekly #466 – “8-Inch Floppy”

This week on Security Weekly, we interview Wade Baker, Vice President of ThreatConnect! Paul, Jack, Jeff, and Larry address listener feedback and questions. Paul discusses Jeremiah Grossman, Apple hiring crypto-wizard Jon Callas to beef up security, Google killing passwords on Android, and lots more in Security News.

Belgian Court of Cassation Rules on Right to Be Forgotten

In a recently published decision, the Belgian Court of Cassation confirmed the broad interpretation given to the “right to be forgotten” by a Belgian Court of Appeal (i.e., Cour d’Appel de Liège, 2013/RG/393, September 25, 2014).

The judgment was rendered in a case initiated by an individual against a Belgian newspaper for not complying with a request to remove from its online archives an article from 1994 regarding a car accident causing the death of two persons in which the individual was involved.

In the contested judgment, the Court of Appeal decided that providing the name of the claimant in the article was not in the public interest and that instead, it was seriously damaging the reputation of the concerned individual. Therefore, it ordered the newspaper to anonymize the online version of the article. In the motivation of its decision, the Court of Appeal referred to the “right to be forgotten” developed by the Court of Justice of the European Union (the “CJEU”) in Google Spain S.L. and Google Inc. v Agencia Española de Protección de Datos and Mario Costeja González (Case C-131/12). The newspaper contested the Court of Appeal’s judgment and brought the case before the Belgian Court of Cassation.

In its decision, the Court of Cassation confirmed that the publication of articles in newspapers’ online archives could be considered as a new disclosure of facts of an individual’s judicial past, which could potentially infringe the individual’s right to be forgotten.

Striking a balance between the right to privacy and the freedom of expression, the Court of Cassation confirmed that the online publication of the non-anonymized article years after the accident had occurred was likely to cause damages to the individual, which are disproportionate to the interests related to the strict application of the newspaper’s freedom of expression. Therefore, the Court of Cassation held that in the present case, the right to privacy of the concerned individual could justify an interference with the newspaper’s right to freedom of expression. Hence, the Court of Cassation confirmed that the newspaper must remove all references to the individual from the article in its online archives.

Read the Belgian Court of Cassation’s decision (in French).

EDPS Releases Opinion on the EU-U.S. Privacy Shield

On May 30, 2016, the European Data Protection Supervisor (“EDPS”) released its Opinion (the “Opinion”) on the EU-U.S. Privacy Shield (the “Privacy Shield”) draft adequacy decision. The Privacy Shield was created to replace the previous Safe Harbor framework invalidated by the Court of Justice of the European Union (“CJEU”) in the Schrems decision.

Similar to the conclusion drawn from the Article 29 Working Party’s Opinion and the Resolution of the European Parliament, the Opinion recognizes the value of the Privacy Shield but calls for robust improvements in order to achieve a solid and stable legal framework for commercial transfers of data between the EU and the U.S. According to the EDPS, the draft adequacy decision, as currently formulated, does not adequately include all appropriate safeguards to protect the European rights of individuals to privacy and data protection.

In this respect, the Opinion provides three main recommendations:

  • Integrating all main data protection principles. According to the EDPS, the current adequacy decision omits substantive details of some of the main data protection principles. Therefore, efforts should be made to clarify these principles, in particular, the data retention, automated processing and purpose limitation principles. Further, provisions related to onward transfers, the right of access and the right to object should be clarified.
  • Limiting derogations. According to the draft adequacy decision and its annexes, the Privacy Shield principles can be limited, where necessary, to meet national security, law enforcement or public interest requirements, or in case of conflict with a statute, regulation or case law. In its Opinion, the EDPS recommends more detail regarding the exceptions to the Privacy Shield.
  • Improving redress and oversight mechanisms. The EDPS recommends further developing the role of the Ombudsperson to ensure that he or she is able to act independently from the intelligence community and any other authority. The EDPS also calls for more specific commitments that the request for information and cooperation, decisions and recommendations of the Ombudsperson will be effectively respected and implemented by all competent agencies and bodies. In addition, efforts should be made to increase cooperation between the different oversight layers.

The Opinion also provides additional recommendations on different aspects of the EU-U.S. Privacy Shield, including:

  • Provisions on transfers of data for commercial purposes. The EDPS recommends (1) integrating the data minimization and data retention principles in the draft adequacy decision, (2) adding safeguards for the legitimate interests of individuals where they are subject to a decision based solely on automated processing, (3) clarifying the purpose limitation principle, in particular, with respect to the use of personal data for marketing purposes, (4) limiting exceptions to the Privacy Shield principles, and (5) improving redress and oversight mechanisms.
  • Recommendations regarding access by U.S. authorities. According to the EDPS, additional safeguards should be implemented for independent supervision and redress, in particular where personal data is collected or accessed for law enforcement and other public interest purposes.
  • Assessing the impact of other relevant statutes and rules. According to the EDPS, the rules set forth by the draft adequacy decision should be assessed in light of the exceptions from the application of the Privacy Shield principles and other rules that may interfere with these principles.
  • A meaningful review. The EDPS recommends that the review of the application of the Privacy Shield include on-the-spot verifications and cover access by U.S. authorities to the data transferred under the Privacy Shield.
  • Interaction with the GDPR. The EDPS notes that the draft adequacy decision is based on the current EU data protection legal framework, rather than the General Data Protection Regulation (“GDPR”), which will be implemented as of May 2018. Therefore, the EDPS urges the legislators to find an adequate and long-term solution, taking into account new elements of the GDPR, such as the principles of privacy by design and data portability.

Read the EDPS’s press release.