Big Data / Artificial Intelligence
US – “Information Fiduciaries” Must Protect Your Data Privacy
Legislators across the country are writing new laws to protect data privacy. One tool in the toolbox could be “information fiduciary” rules. The basic idea is this: When you give your personal information to an online company in order to get a service, that company should have a duty to exercise loyalty and care in how it uses that information. Sounds good, right? We agree, subject to one major caveat: any such requirement should not replace other privacy protections. The law of “fiduciaries“ is hundreds of years old. It arises from economic relationships based on asymmetrical power, such as when ordinary people entrust their personal information to skilled professionals (doctors, lawyers, and accountants particularly). In exchange for this trust, such professionals owe their customers a duty of loyalty, meaning they cannot use their customers’ information against their customers’ interests. They also owe a duty of care, meaning they must act competently and diligently to avoid harm to their customers. These duties are enforced by government licensing boards, and by customer lawsuits against fiduciaries who do wrong. These long-established skilled professions have much in common with new kinds of online businesses that harvest and monetize their customers’ personal data. First, both have a direct contractual relationship with their customers. Second, both collect a great deal of personal information from their customers, which can be used against these customers. Third, both have one-sided power over their customers: online businesses can monitor their customers’ activities, but those customers don’t have reciprocal power. Accordingly, several law professors [e.g., Jack M. Balkin – PDF, Jonathan Zitttrain – here & Neil Richards & Woodrow Hartzog – PDF] have proposed adapting these venerable fiduciary rules to apply to online companies that collect personal data from their customers. New laws would define such companies as “information fiduciaries.” EFF supports legislation to create “information fiduciary” rules. While the devil is in the details, [the remainder of this post examines what] those rules might look like. [DeepLinks Blog (Electronic Frontier Foundation) | Data Protection Bill Series: Obligations on data fiduciaries and compromises made (India)]
Canada
CA – New Data Breach Rules Come Into Effect Nov 1, But Privacy Chief Says They Don’t Go Far Enough
Changes to the Personal Information Protection and Electronic Documents Act (PIPEDA), amendment & new reporting regulations come into force Nov. 1, requiring companies to quickly disclose security data breaches. Companies will be required to keep internal records for all breaches and security safeguards for two years, and in cases where there is a risk of significant harm, companies need to report a breach to the Office of the Privacy Commissioner and to the people affected. [see OPC guidance here & Reporting Form here] But critics, including Canada’s privacy commissioner Daniel Therrien, say that the new measures still don’t go far enough to protect citizens’ privacy. As long as companies report their breaches, there are no financial penalties, which is something that Therrien isn’t thrilled about. “The odd nature of this is that there are very hefty fines for failing to report, but there are no fines for failing to have the security safeguards that would have prevented the breach from occurring There could be actions in the civil courts by individuals whose data was disclosed improperly for any damages incurred, but that of course is very costly for individuals to bring companies to court.” As such, damage to reputation is the main risk for companies that get hacked or suffer other kinds of privacy breaches. In addition, Therrien complains that while he’ll get reports from companies that suffer privacy breaches, his office has yet to be allocated any additional funding to handle those reports. And his office is limited in terms of how it can respond. “What we cannot do is order companies to improve their security posture. So companies are free to accept our recommendations or not,” he said. [Financial Post | Final Breach Reporting Guidance just released by the Office of the Privacy Commissioner of Canada (OPC) | D.O.Eh: Here’s the new privacy law Canada can’t really enforce | New data breach reporting requirements come into force this week | New security breach reporting guidelines come into force on November 1st | New Data Breach Reporting Requirements in Canada | Canada Privacy Office Issues Data Breach Reporting Guidance | Many companies not ready for new data-breach rules, experts say
CA – Privacy Commissioner ‘Surprised’ by Liberal Party Arguments Against Privacy Rules for Parties ‘Harvesting Data On People’
Privacy commissioner Daniel Therrien said he was “surprised” and unpersuaded by the Liberal Party’s arguments against making political parties abide by Canada’s existing privacy rules. At an Access to Information, Privacy and Ethics Committee hearing November 1 [ETHI , hearing 124 notice, watch on ParlVU – Commissioner Therrien’s prepared comments] Liberal Party legal advisor Michael Fenrick [of Paliare Roland] argued that bringing political parties under the jurisdiction of Canada’s privacy laws would create a chilling effect on political involvement, with prospective volunteers fearing harsh punishments in the event of privacy breaches. That argument didn’t hold water for Canada’s privacy commissioner. Therrien said there are a number of jurisdictions, including British Columbia, where parties are regulated on their privacy practices and he sees no chilling effect. In Europe, political parties must abide by the onerous new rules created by the new General Data Protection Regulation that enforces hefty penalties for malfeasance. “So far as we see, I think, democracy continues to thrive in these jurisdictions,” said Therrien. Although the government currently has an election bill making its way through Parliament [Bill C-76 here], the commissioner has said it adds nothing of substance to privacy protection even though parties are “harvesting data on people.” .At the very least, Canadians should have the right to access any data the parties hold about them, said Therrien. That’s a rule that exists in Europe, but not in Canada. “It’s something eminently reasonable and that Canadians would expect,” said Therrien. Parties will also have no independent oversight and no requirement to report any data breaches they suffer, even though revamped privacy rules now require that for Canadian companies Earlier in the committee hearing, chief electoral officer Stéphane Perrault [here] also said he was disappointed that Bill C-76 didn’t provide privacy rules for political parties. “Canadians increasingly want to understand the nature and source of communications that are reaching them. An important part of understanding that is transparency,” said Perrault. [National Post | Gap in privacy law leaves elections open to ‘misuse’ of personal information: privacy commissioner | Liberals say political parties need privacy rules, but have no immediate plans to impose them | Some MPs worry as election looms without ‘any enforceable rules’ for parties on privacy | Politicians are dragging their feet on privacy rules]
CA – Privacy Commissioner Launches Investigation into Statistics Canada
The Office of the Privacy Commissioner of Canada has received complaints related to Statistics Canada and its collection of personal information from private sector organizations and has opened an investigation. The complaints follow media reports that Statistics Canada requested several banks provide the agency with the financial transaction information of hundreds of thousands of Canadians. Privacy Commissioner Daniel Therrien welcomes the Chief Statistician’s invitation for his office to take a “deeper dive” into StatCan’s collection of data from private sector organizations. The Commissioner’s office will be seeking details regarding the information requests the agency has made to various industry sectors. StatsCan had previously consulted with the Privacy Commissioner’s office on the privacy implications related to data collection from private sector organizations, but outside the context of an investigation. A summary of those consultations is included in the Commissioner’s 2017-18 Annual Report to Parliament. The Commissioner’s office has a legal obligation to investigate the complaints fairly and impartially under the law, and the Privacy Act, Canada’s federal public sector privacy law, includes confidentiality provisions. Therefore, no additional details can be provided at this time.[ Office of the Privacy Commissioner of Canada | Privacy Commissioner of Canada launches investigation into StatCan over controversial data project | Privacy commissioner launches investigation into Statscan’s efforts to obtain banking records | Privacy commissioner investigating StatCan’s attempt to get banking info| StatCan scooped up 15 years of personal financial data from Canadian credit bureau | Scheer opposed to StatCan plan to collect personal-banking data | StatsCan has already seized reams of our private financial info | Conservatives blast Trudeau government over StatCan collection of personal financial data | Toronto’s no fan of StatsCan info grab | Trudeau defends Statistics Canada move to collect banking info of 500,000 Canadians | Big Brother Liberal government wants your private banking info | ANALYSIS: StatCan’s push to scoop payment data on 500,000 Canadians deserves scrutiny | EXCLUSIVE: Stats Canada requesting banking information of 500,000 Canadians without their knowledge | Globe editorial: StatsCan needs to own up to its data breaches | NDP joins Conservatives, asks Trudeau Liberals to shut down controversial StatCan projects]
CA – NWT Privacy Report Laments Slow Pace of Change, City’s Issues
Elaine Keenan Bengts, Information and Privacy Commissioner of the Northwest Territories, had harsh words for the Department of Justice in an annual report tabled in the Legislative Assembly [66 pg PDF – the report was submitted in August and covers the period of April 1, 2017 – March 31, 2018]. The report stated the government was moving too slowly to update the Access to Information and Protection of Privacy Act. The commissioner’s office completed 18 review reports over the 2017-18 fiscal year and opened 53 files under the Act (down from 61 in the previous year). Fifteen of this year’s files fell under requests for review regarding access to information, while there were nine review requests relating to privacy issues. Keenan Bengts also drew attention to the many privacy issues plaguing the City of Yellowknife over the past year, from a possible email theft shared with local media to allegations that a senior employee was misusing City cameras to watch women. She said she offered assistance to help the City develop a stronger privacy policy but received no response. “This is not the first time I have offered to work with the City on privacy concerns. The non-response has, however, been consistent,” she charged. Keenan Bengts also took aim at the Health Information Act [here], pointing out that many breaches involved misdirected faxes or unencrypted emails. “I simply cannot understand the apparent reluctance of the health sector to adopt the better technology,” she said. She also noted there has been little progress made to ensure the public has a say in who can access their health information. She explained that while system-wide standards, policies, and procedures were issued in May 2017, they do not appear to be publicly available yet. She called for better public consultation regarding policies that directly affect the public. On October 29, the same day the annual report was presented to the legislature, Bill 29: “An Act to Amend the Access to Information and Protection of Privacy Act” was read for the first time [see debate in Hansard, October 30, 2018 – at PDF pg 62 (text pg 56) of 84 pg PDF here]. CABIN Radio
Consumer
CA – Senate Banking Committee Advises Greater Privacy Watchdog Powers
The Senate Committee on Banking Trade and Commerce released a study of cyber fraud and cyber security titled “Cyber Assault — It Should Keep You Up at Night” [see here and Executive Summary which recommends that Parliament give Canada’s privacy commissioner new authority to make binding orders and impose hefty fines on companies that fail to keep the private data of Canadians secure The importance of the privacy commissioner’s role is growing with the number of massive data breaches, and other cybersecurity threats facing Canadians, the senator suggested. The committee makes 10 sweeping recommendations, including calls for new powers for federal officials, including the privacy commissioner; the creation of national cybersecurity standards and guidelines so businesses know what they are supposed to be doing to protect their customers’ data; as well as co-ordinated sharing within the private sector and with governments of sensitive private information related to cybersecurity and cyberthreats The Senate committee criticized the Trudeau government for its “timid responses” so far to the “real and rising online threats” that have affected millions of Canadians who have been defrauded online, or who have had their personal data stolen and exploited as a result of corporate data breaches — many of which were not publicly revealed until months or years later. In addition to recommending that governments prioritize and fund cybersecurity education, both for businesses and citizens, the senators recommended the creation of:
- a federal cybersecurity task force to propose a national cybersecurity strategy establishing Canada as a global leader on cybersecurity;
- a consistent set of leading cybersecurity standards that are harmonized with the highest international standards and that would apply to all entities participating in 10 critical infrastructure sectors (e.g. health, food, water, communications and government);
- standards to protect consumers, business and governments from threats emanating from the Internet of Things that connects such smart digital devices as phones, TVs, cars and medical implants; and
- tax incentives for investment in cybersecurity (such as accelerated capital cost allowance deductions for businesses). [The Lawyers Daily | Government failing to protect Canadians from cyber threats, says Senate report
US – FTC Issues Paper on Informational Injury Workshop
The FTC recently issued a paper outlining key takeaways from its December 2017 workshop examining injuries consumers may suffer from privacy and data security incidents. The paper indicates that the FTC convened the workshop to better understand consumer injury for the following two purposes: 1) To allow the FTC to effectively weigh the benefits of governmental intervention against its costs when making policy determinations; and 2) To identify acts or practices that “cause or are likely to cause substantial injury” for purposes of bringing an enforcement action under the FTC Act for an “unfair” act or practice The paper discusses the examples of informational injuries given by participants. These examples involve injuries that may result from medical identity theft, doxing (i.e. the deliberate and targeted release of private information about an individual with the intent to harass or injure), exposure of personal information, and erosion of trust (i.e. consumers’ loss of trust in the ability of businesses to protect their data). The paper also reports that “there was some discussion of whether the definition of injury should include risk of injury [from certain practices]” and shares opposing arguments made by participants. The issue of whether informational injuries that may result from alleged statutory violations are sufficient to provide a consumer in a private action with Article III standing under the U.S. Supreme Court’s Spokeo standard continues to be litigated. In Spokeo, the Supreme Court [see 27 pg PDF decision here] indicated that, to satisfy the “injury-in-fact” requirement for Article III standing, a plaintiff must show that he or she suffered “an invasion of a legally protected interest” that is both “concrete” and “particularized.” To be particularized, an injury must affect the plaintiff “in a personal and individual way.” To be concrete, an injury must “actually exist;” it must be “real.” However, the Supreme Court also acknowledged that intangible injuries can satisfy the concrete injury standard and that in some cases an injury-in-fact can exist by virtue of a statutory violation. (The Spokeo standard does not apply to government enforcement actions.) [The National Law Review ]
E-Government
CA – Statscan Must Justify Request for Personal Banking Data: Former Chief
Former Statistics Canada chief statistician Wayne Smith who resigned two years ago said in an interview that banking records are second only to health files in terms of Canadians’ most sensitive personal information and that Statistics Canada needs to clearly explain why it is seeking access to people’s banking records. He said Statistics Canada should be able to say: ‘Okay, here’s the purpose and here’s why it’s important enough to justify this intrusion,’ he said. “If they don’t have an answer, they should stop now.” In 2016 Smith resigned in protest over the agency’s decision to house its computer servers with Shared Services Canada, a move he said could weaken the agency’s ability to protect its data. “By moving the data into the Shared Services Canada data centres, we moved it into a data centre that does have connections to the Internet and therefore it opens up the potential of hacking, however secure they might make it” His comments come as Canada’s statistics agency is at the centre of a political controversy after informing Canada’s banks that they will be required to provide consumer records, such as individual credit- and debit-card purchases, starting in January. The move caught Canada’s banking sector by surprise and bank officials are in discussion over how to respond. Royal Bank of Canada, Bank of Montreal, CIBC, National Bank and Scotiabank all confirmed via e-mail that they have not provided any client information to Statistics Canada, echoing a recent statement by the Canadian Bankers Association. While TD Bank told customers via Twitter that it has not agreed to share client data with Statscan. Senior Statscan officials held an online chat and were asked why banking records are now required. “It is becoming increasingly difficult to capture household expenditures by relying on traditional surveys,” the officials wrote. “People do not want to respond to hour-long surveys or keep a diary of their daily expenditures over a two-week period. Financial transaction data will give us more timely data at a greater level of granularity.” Federal Privacy Commissioner Daniel Therrien announced that his office will launch a formal investigation into Statscan’s plans. He told reporters that his investigation is unlikely to be finished by January. He said Statscan informed him about the agency’s general direction, but did not share specific plans related to banking data. He said he advised the agency to only ask for private data that has been anonymized, meaning no individual names are included. However, he acknowledged it is unclear to him at this stage how such a practice could comply with all relevant laws. For a fourth day in a row, Conservative MPs attacked the Liberal government in the House of Commons over Statscan’s plans. The critics say Statscan should not be receiving data that identifies individual Canadians without their consent. [The Globe and Mail ]
US – ‘Vote with Me’ App Reports Party Affiliation and Vote Record of Contacts
Social media platforms have been harvesting your personal data to fuel hyper-targeted advertising for years, but there hasn’t been a handy way for the average user to check the political gang affiliation in their social circle — until now, for better or worse. An app called “VoteWithMe,” claims to be an effort to get people to the polls. But VoteWithMe has a trick up its sleeve that we’re not used to seeing. It can tell you the party affiliation of everyone in your contacts list, and it can tell you what elections your contacts have voted in historically voter registration information like party affiliation and voting history is technically public information, there is no handy website where a person can ordinarily look this information up, at least until now. Having this information in an app that’s snooping on your phone contacts is not only potentially invasive but potentially incredibly divisive, given how far apart Democrats and Republicans have become. And as you might imagine, the app’s reach doesn’t stop with your social circle. Someone using VoteWithMe can now look up the affiliations and records related to any phone number that was used to register to vote, for free, with a few taps. The potential for voter intimidation reaches new heights, only days before the election. [The Download Blog (CNET) | | A new app called Vote With Me lets you see the voting record and political party of every contact in your phone | Vote With Me is a creepy new app that checks your contacts’ voting historyOr should we say, soon-to-be-ex-contacts | New app reveals your contacts’ voting history
Encryption
US – DHS Urged to Apply Encryption to Web Browsing
Senator Wyden expresses concerns to the Department of Homeland Security (DHS) about web browsing privacy. Metadata revealing specific federal website visits is currently transmitted over the internet without encryption; a U.S. Senator asks that DHS consider requiring federal agencies to use 1 of 2 encryption methods to prevent hackers from learning what particular website a user is visiting. [Letter to DHS Regarding Government Web Browsing – Senator Ron Wyden]
EU Developments
WW – 40th ICDPPC Sets the Way Forward for Ethics, Data Protection and Privacy
As the 40th ICDPPC Annual Meeting in Brussels October 21-26 came an end, the Closed Session, which gathered this year 236 delegates from 76 countries, has released the outcome of its two-day discussions, paving the way for the future of data protection and privacy at global [see 9 pg PDF road map]. The Closed session also adopted a landmark text, the ICDPPC Declaration a Declaration on ethics and data protection in artificial intelligence [6 pg PDF], in order to contribute to the global discussion on this matter. The declaration endorses six guiding principles, as core values to preserve human rights in the development of artificial intelligence. These principles first of all build upon data protection elements, but also expand to ethical considerations which are inextricably linked to the development of artificial intelligence. The Closed session also adopted three other resolutions on e-learning platforms [31 pg PDF], on the Conference Census [2 pg PDF] and on collaboration between Data Protection Authorities and Consumer Protection Authorities [3 pg PDF]. Two new members of the ICDPPC Executive Committee [here] have been elected: the Philippines’ National Privacy Commission (NPC) and the Office of the Australian Information Commissioner (OAIC). With the mandate of Isabelle Falque-Pierrotin [President/Commissioner of the CNIL] coming to an end, the ICDPPC has elected Elizabeth Denham, the UK Information Commissioner (ICO) as new Chair of the Executive Committee. [CNIL News (Commission Nationale de l’Informatique et des Libertés – France)]
UK – ICO Fines Facebook Over Data Privacy Scandal, EU Seeks Audit
The Information Commissioner Office slapped Facebook with a fine of 500,000 pounds ($644,000) [see ICO PR & Penalty Notice & Commissioner’s video statement] — the maximum possible — for failing to protect the privacy of its users in the Cambridge Analytica scandal. The OPC found that between 2007 and 2014, Facebook processed the personal information of users unfairly by giving app developers access to their information without informed consent. The failings meant the data of some 87 million people was used without their knowledge. The fine amounts to a speck on Facebook’s finances. It will take less than seven minutes for Facebook to bring in enough money to pay for the fine. But it’s the maximum penalty allowed under the law at the time the breach occurred [the UK’s Data Protection Act 1998]. Had the scandal taken place after new EU data protection rules [General Data Protection Regulation (GDPR)] went into effect this year, the amount would have been far higher — including maximum fines of 17 million pounds or 4% of global revenue, whichever is higher. Under that standard, Facebook would have been required to pay at least $1.6 billion, which is 4% of its revenue last year. Also, European Union lawmakers demanded an audit of Facebook to better understand how it handles information, reinforcing how regulators in the region are taking a tougher stance on data privacy compared with U.S. authorities. They said Facebook should agree to a full audit by Europe’s cyber security agency and data protection authority “to assess data protection and security of users’ personal data.” The EU lawmakers also call for new electoral safeguards online, a ban on profiling for electoral purposes and moves to make it easier to recognize paid political advertisements and their financial backers. [CTV News ]
EU – Top ENISA-Reported Incidents Involved E-Signature and E-Seal Creation
The EU Agency for Network and Information Security (“ENISA”) has published a report on security incidents reported by trust services providers (“TSPs”), pursuant to article 19 of Regulation 910/2014. Other affected services included certificate revocation lists, verification of e-signatures and seals, and e-signature devices; root causes were third party and system failures, human error and malicious actions (incidents varied in severity from significant (54%), severe (23%) to disastrous (23%)). ENISA – Annual Report Trust Services Security Incidents 2017
Facts & Stats
AU – 245 Breach Notifications to Australian DPA from July to September
Breach notifications received by the Office of the Australian Information Commissioner (“OAIC”) from July 1 – September 30, 2018. Malicious or criminal attacks caused 57% of reported breaches (phishing, credential theft, brute-force, insider threats, social engineering), 37% resulted from human error (PI sent to the wrong recipient, loss of device or paperwork, insecure disposal, failure to redact), and system faults caused 6%; PI compromised included contact, identity and health information, tax file numbers and financial details. [OAIC – Notifiable Data Breaches Quarterly Statistics Report – 1 July – 30 September 2018]
EU – CNIL Publishes Statistical Review of Data Breaches Since GDPR
On October 16, the French Data Protection Authority (the “CNIL”) [here & wiki here] published a statistical review of personal data breaches during the first four months of the EU General Data Protection Regulation’s (“GDPR”) entry into application [in French here & Google English text translation here]. Between May 25 and October 1, 2018, the CNIL received 742 notifications of personal data breaches that affected 33,727,384 individuals located in France or elsewhere. Of those, 695 notifications were related to confidentiality breaches. The accommodation and food services sector is the sector in which the highest number of breaches were observed, with 185 notifications. This is due to a specific case, where a booking service provider was affected by a data breach. More than half of the notified breaches (421 notifications) were due to hacking via malicious software or phishing. 62 notified breaches were related to data sent to the wrong recipients, 47 notified breaches were due to lost or stolen devices, and 41 notified breaches were due to the unintentional publication of information. The CNIL also reported that it will adopt an aggressive approach when the data controller does not comply with its obligation to notify the breach within 72 hours after having become aware of it. Failure to comply with that obligation may lead to a fine of up to €10 million or 2 percent of the total worldwide annual revenues. Conversely, if the CNIL receives the notification in a timely manner, the CNIL will adapt an approach that aims at helping the professionals involved take all the necessary measures to limit the consequences of a breach. When necessary, the CNIL will contact organizations for the purposes of: 1) Verifying that adequate measures have been taken before or after the breach; and 2) Assessing the necessity to notify affected data subjects. [Privacy & Information Security Law Blog (Hunton Andrews Kurth) ]
Finance
CA – Credit Card Purchases for Cannabis May Not Be Private
Federal legislation makes it legal for Canadians to enjoy cannabis in the privacy of their homes. That legislation, however, does not necessarily offer privacy protection for cannabis purchasers. Legal experts have raised concerns that credit card data may not be stored in this country and may be accessible to prying eyes in other countries. Credit card and other purchasing information stored outside of Canada, particularly in the United States, may be accessible by law enforcement there. This issue was recently raised in a new [October 16] guidance document released by the Office of the Information and Privacy Commissioner for British Columbia [see PR & PDF]. According to the guidance document, access to the personal information of cannabis users may be used by some countries to deny entry. It also points out that, in a digital age, the privacy issue is not moot. “Keep in mind,” it notes, “that storing data in the Cloud or in proprietary software means there is likely disclosure of that personal information outside of Canada. It is much more privacy protective to store personal information on a server located in Canada to prevent access by unauthorized third parties.” Mark Hayes, founder of Hayes eLaw LLP, an IP and technology firm in Toronto says “Until questions about the potential risks of using credit cards for cannabis purchases are resolved, purchasers may want to pay cash for cannabis purchases in provinces which allow in-person shopping and consider using only anonymous prepaid credit cards or gift certificates for online purchases.” [Canadian Lawyer | Warning: This Is Why You Should Never Buy Marijuana With A Credit Card In Canada | Cannabis IQ: Everything you need to know about pot and the border | Province pulls electronic ID scanners from cannabis stores | Privacy commissioner investigating personal data collection at cannabis stores | Think about your privacy before you purchase pot: federal watchdog | Can we Implement Random Cannabis Drug Testing? – (5 pg PDF here) | Cannabis Is Legal: Top Tips for Employers | Marijuana in the workplace: What your boss can and can’t do | Understanding Cannabis Rules for Employees who Travel to Canada or the United States for Business – (5 pg PDF here)
Genetics
WW – Treating ‘Genetic Privacy’ Like It’s Just One Thing Keeps Us from Understanding People’s Concerns
“Genetic privacy” is a complicated concept, and a new study published today in the journal PLOS One finds that decoding how people feel about the idea is equally complex. Researchers analyzed 53 studies (covering over 47,000 participants) that looked at how the general public, professionals, and patients viewed genetic privacy. The results paint a complex picture, says study author Ellen Clayton, a professor of law and health policy at Vanderbilt University. If you ask people “are you worried about genetic privacy?” most will say yes. But if you ask a patient whose genetic data was collected for medical testing about a more specific situation, like “are you concerned about sharing data with third parties?” the answers can vary widely. It’s simplistic to claim either that people “are” or “aren’t” concerned about genetic privacy when it’s an multifaceted term that can cover different (and often conflated) concepts like confidentiality, security, and control. “To get insight into how people actually feel, it’s important to ask them what particular outcomes they’re worried about,” says Clayton. For future studies and surveys, she recommends that instead of asking about “genetic privacy,” researchers should break the issue into different parts. That way, we’ll all have a better idea of what people want, so we can better respect their wishes. [The Verge | Genetic Privacy, Data Use by Employers, Insurers, Government Concern Study Participants | You Should Be Worried About Your DNA Privacy | How 23andMe thinks about genetic privacy in the age of forensic genealogy and Facebook’s woes | You don’t have to sequence your DNA to be identifiable by your DNA | New File Type Improves Genomic Data Sharing While Maintaining Participant Privacy | How your third cousin’s ancestry DNA test could jeopardize your privacy]
Health / Medical
US – FDA Issues Draft Guidelines for Medical Device Manufacturers
The US Food and Drug Administration provides draft nonbinding recommendations regarding the security of medical devices. The US FDA recommends devices be designed to protect critical functionality (even when security has been compromised), “deny by default” (i.e., generally reject all unauthorized connections), and detect, log and notify users of a potential cybersecurity breach; risk assessments must include a description of testing conducted on controls, and evidence of security effectiveness. When final, the guidance will supersede recommendations issued in 2014 [FDA – Content of Premarket Submissions for Management of Cybersecurity in Medical Devices – Draft Guidance for Industry and FDA Staff]
US – Risk Assessment: HHS Improves Security Analysis Tool
The US Department of Health and Human Services (HHS) announced changes to its security risk assessment (SRA) tool. Covered entities and business associates can use the tool to meet their obligation to conduct a thorough and accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI; the assessment should cover all lines of business, and facilities and locations of the organization. [HHS – ONC and OCR Bolster the Security Risk Assessment (SRA) Tool with New Features and Improved Functionality]
US – New Guidance on Preparation and Response to Medical Device Cybersecurity Incidents
Recently, the MITRE Corporation, in collaboration with the U.S. Food and Drug Administration (FDA) announced the release of the Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook [38 pg PDF]. The Playbook was designed to provide “tools, references, and resources” for Healthcare Delivery Organizations (HDOs) to better prepare for and respond to medical device cybersecurity incidents. The Playbook provides detailed insight and guidance for HDOs on, among other topics, how to prepare for, detect, analyze, contain, eradicate, and recover from “threats or vulnerabilities that have the potential for large-scale, multi-patient impact and raise patient safety concerns.” It’s not an official FDA rule, regulation, or guidance However, HDOs and medical device companies would do well to familiarize themselves with the Playbook and, wherever feasible, incorporate its recommendations into existing cyber incident response plans [since it is a real possibility that in the future] the agency [may] consider failure to abide by the Playbook an aggravating factor warranting a less favorable administrative outcome. [DBR on Data Blog (DrinkerBiddle)]
Horror Stories
US – ERS Online Coding Error Exposes 1.25M Users to Health Data Breach
Recently reported health data breaches include those from: The Employee Retirement System of Texas, Yale University, North Carolina’s Catawba Valley Medical Center, The Children’s Hospital of Philadelphia and Texas-based FirstCare Health Plans: 1) In a statement on its website, The Employee Retirement System (ERS) of Texas [here] explained that a coding error on its password-protected ERS Online portal allowed certain members who logged in with their username and password to view other members’ information. ERS said that members would have to use a specific function to input search criteria in order to view other members’ information. ERS reported to OCR [here] information on potentially 1.25 million people may have been exposed. Information that might have been exposed included first and last names, Social Security numbers, and ERS member identification numbers; 2) Yale University reported to OCR [here] on Oct. 17 an unauthorized paper disclosure that exposed PHI on 1,102 individuals. No additional information was provided. This comes after Yale admitted in July that a data breach occurred between 2008 and 2009 affecting 119,000 facility, staff, and alumni. In a release, Yale said that attackers gained access to a database stored on a Yale server; 3) North Carolina-based Catawba Valley Medical Center (CVMC) announced Oct. 12 it suffered a phishing attack. CVMC told OCR [here] that 20,000 individuals may have been impacted by the breach between July 4 and Aug. 17. Information that might have been compromised included patient names, dates of birth, health information about services, health insurance information, and, for some, Social Security numbers; 4) The Children’s Hospital of Philadelphia (CHOP) reported to OCR [here] on Oct. 23 an email hacking incident that put PHI on 5,368 at risk. In a press release, the hospital said that it discovered two email breaches that exposed PHI, including patient name, date of birth, and clinic information related to neonatal and/or fetal care provided at CHOP or at the Hospital of the University of Pennsylvania. The first breach, discovered on Aug. 24, occurred when an unauthorized user gained access to a CHOP physician’s email account. A second breach, discovered on Sept. 6, identified unauthorized access to an additional email account on Aug. 29. CHOP sent letters to potential victims on Oct. 23; and 5). Texas-based FirstCare Health Plans reported to OCR on Oct. 12 an email error exposing e-PHI on 8,056 individuals. In a press release, FirstCare said the breach may have compromised member name, identification number, treatment description, procedure costs, authorization number, and treating provider name. [Health IT Security]
US – Yahoo Agrees to $50M Settlement Package for Users Hit by Massive Security Breach
One of the largest consumer internet hacks has bred one of the largest class action settlements after Yahoo agreed to pay $50 million to victims of a security breach that’s said to have affected up to 200 million U.S. consumers and some three billion email accounts worldwide. [see wiki here] In what appears to be the closing move to the two-year-old lawsuit, Yahoo — which is now part of Verizon’s Oath business — has proposed to pay $50 million in compensation to an estimated 200 million users in the U.S. and Israel, according to a court filing [35 pg PDF here]. In addition, the company will cover up to $35 million in lawyer fees related to the case and provide affected users in the U.S. with credit monitoring services for two years via AllClear, a package that would retail for around $350. There are also compensation options for small business and individuals to claim costs for losses associated with the hacks. That could include identity theft, delayed tax refunds and any other issues related to data lost at the hands of the breaches. Finally, those who paid for premium Yahoo email services are eligible for a 25 percent refund. The deal is subject to final approval from U.S. District Judge Lucy Koh [wiki here] of the Northern District of California at a hearing slated for November 29. [TechCrunch | Yahoo Agrees to Pay $85M to Settle Consumer Data Breach Class Actions | Yahoo to pay $50M, other costs for massive security breach | Yahoo agrees to pay $50M in damages over biggest security breach in history | Yahoo must pay $50 million in damages for data breaches]
Internet / WWW
EU – Commission Provides Guidance on New Geo-Blocking Regulation
In the European Commission’s plan to create a unified “Digital Single Market” [see here & HL overview here & wiki here] In late September it updated its detailed guidance [download 45 pg PDF Q&A here] on the Geo-blocking Regulation 2018/302 [goes into effect December 3, 2018 – see here, 15 pg PDF here & overview here]. The underlying aim of the regulation is to ban unjustified geo-blocking [wiki here] and other forms of discrimination based on customers’ nationality, place of residence or place of establishment within the digital internal market. The term geo-block as such relates to the phenomenon that Internet users are either re-directed to another website or provided with differing terms & conditions because of their IP address or other identifiers. Accordingly, the Geo-Blocking Regulation includes provisions addressing online discrimination occurring when one accesses a website (Article 3), buys goods or services online (Article 4), or wants to do shopping abroad using means of payment labelled in Euros (Article 5). The Q&A list provided by the Commission covers a comprehensive range of aspects. It is intended for traders seeking to comply with the new rules, as well as for consumers seeking more information about their new rights, and Member States authorities who will have to apply and enforce the dispositions. The questions cover both the substantive provisions and the enforcement tools put in place to achieve the goal of the Regulation. The guidance also features a section putting the regulation in context by exploring how the new piece of legislation fits in the broader e-commerce framework, including its interaction with the Regulation (EU) 2018/644 on cross-border parcel delivery services, the Consumer Rights Directive 2011/83/EU and specific VAT rules. [Global Media and Communications Watch (Hogan Lovells) | The Geo-blocking Regulation]
Online Privacy
WW – Google Will Now Take You Through Your Privacy Settings Step-by-Step
On October 31, Google introduced a handful of new security measures, starting with a risk assessment feature that requires JavaScript [wiki here – to be activated] to run. It has also leveled up its Security Checkup feature, so that once you’ve signed in, it will ask you to delete any apps it thinks is harmful and to cut off any devices you don’t use anymore and now also let you know whenever you share any of your Google data with third-party apps. Finally, if the tech giant believes that your account has been compromised, it will automatically trigger a process that prompts you to perform a series of verifications. You’ll need to verify your settings and make sure nobody can access your account via a recovery phone number or email address, which means you have to secure your other accounts, as well. Google will then ask you to check your financial activities to make sure nobody made unauthorized charges to your credit card or Google Pay account. Finally, the company will ask you to review your Gmail and Drive data to check if anybody accessed or misused it. The process could save even those who aren’t that tech-savvy from getting their identities stolen. And by putting together a step-by-step process, Google is making it easier for even those who are tech-savvy to ensure that all aspects of their accounts are secure. [engadget ]
WW – Privacy by Proxy? VPN Extensions Aren’t As Secure As Users Think
New research published this week by an ethical hacker named “File Descriptor” [Twitter] examined some of the most popular VPN extensions [difference between VPN & VPN extensions here] available to download, including ZenMate [here], uVPN [here], and DotVPN [here] File Descriptor claims that “After several pentests and personal researches on VPN extensions almost all VPN extensions are vulnerable to different levels of IP leaks and DNS leaks. Ironically, although most of them are results of extensions’ misconfigurations, browsers are also responsible as there are a lot of pitfalls and misleading documentations on proxy configurations.” The researcher also noted that a number of VPN extensions were vulnerable to IP and DNS leaks through issues with misusing helper functions, whitelisting hostnames, unencrypted proxy protocols, and Chrome’s DNS prefetching. Ariel Hochstadt of VPNMentor echoed File Descriptor’s findings, telling The Daily Swig that extensions are “not safe as standalone software. Many times what VPN companies call ‘VPN extension’ is merely a limited proxy, and users should be concerned with that I would say that if you are looking for a quick, one-click solution to change your IP to watch blocked content, for example, you can use an extension. But if it is privacy that you are worried about, it is not suffice.” [The Daily Swig (PortSwigger)]
WW – Study of Google Data Collection Comes amid Increased Scrutiny Over Digital Privacy
According to research by Douglas C. Schmidt, Cornelius Vanderbilt Professor of Engineering at Vanderbilt University, if you use an Android device with the Chrome browser running, Google knows whether you are traveling by foot or car, where you shop, how often you use your Starbucks app and when you’ve made a doctor’s appointment [and a whole lot more]. His study commissioned by Digital Content Next looked at Google’s data collection practices under a “day in the life” scenario of an Android phone user [see overview here & 55 pg PDF here]. It detailed data mining over a 24-hour period from an idle Android phone with Chrome running in the background. In the study’s scenario, a researcher created a new Google account as “Jane” and carried a factory-reset Android mobile phone with a new SIM card throughout a normal day. The smartphone running Google’s Android operating system and Chrome sent data to the company’s servers an average of 14 times an hour, 24 hours a day. “These products are able to collect user data through a variety of techniques that may not be easily graspable by a general user,” Schmidt concluded in the paper “A major part of Google’s data collection occurs while a user is not directly engaged with any of its products.” Schmidt wrote, “Google collected or inferred over two-thirds of the information through passive means. At the end of the day, Google identified user interests with remarkable accuracy.” What qualifies as passive data? With Chrome running and location enabled, an Android phone is “pinged” throughout the day by other wireless networks, hot spots, cell towers and Bluetooth beacons. During a short 15-minute walk around a residential neighborhood, for example, Jane’s phone sent nine location requests to Google. The requests collected 100 unique identifiers from public and private Wi-Fi access points. Schmidt also studied data gathering from all Google platforms and products, such as Android mobile devices, the Chrome browser, YouTube and Google Photos, plus the company’s publishing and advertising services, such as DoubleClick and AdWords. The study also compared data collection from an idle Android phone running Chrome with an idle iPhone running Apple’s operating system and the Safari browser. “I found that an idle Android phone running the Chrome browser sends back to Google nearly 50 times as many data requests per hour as an idle iOS phone running Safari,” Schmidt said. “I also found that idle Android devices communicate with Google nearly 10 times more frequently as Apple devices communicate with Apple servers. These results highlight the fact that Android and Chrome platforms are critical vehicles for Google’s passive data collection.” After the study’s release, Google questioned its credibility. “This report is commissioned by a professional lobbyist group, and written by a witness for Oracle in their ongoing copyright litigation with Google. So, it’s no surprise that it contains wildly misleading information,” the company said in a statement. Schmidt replied: “Google has not been able to identify any specific aspects of my report’s methods or conclusions as erroneous.” [Vanderbilt News (Vanderbilt University)]
Other Jurisdictions
US – The Rise of Digital Authoritarianism: Fake news, data collection and the challenge to democracy
Freedom on the Net 2018: The Rise of Digital Authoritarianism [see overview & interactive map], the latest edition of the annual country-by-country assessment of online freedom, released today by Freedom House. The report assesses internet freedom in 65 countries that account for 87% of internet users worldwide. The report focuses on developments that occurred between June 2017 and May 2018, though some more recent events are included. Online propaganda and disinformation have increasingly poisoned the digital sphere, while the unbridled collection of personal data is breaking down traditional notions of privacy. At the same time, China has become more brazen and adept at controlling the internet at home and exporting its techniques to other countries. These trends led global internet freedom to decline for the eighth consecutive year in 2018. Beijing took steps during the year to remake the world in its techno-dystopian image. Chinese officials have held trainings and seminars on new media or information management with representatives from 36 out of the 65 countries assessed by Freedom on the Net. China also provided telecommunications and surveillance equipment to foreign governments and demanded that international companies abide by its content regulations even when operating abroad. A proliferation of data leaks has underscored a pressing need to improve protections for users’ information and privacy. Both democracies and authoritarian regimes are instituting changes in the name of data security, but some initiatives actually undermine internet freedom and user privacy by mandating data localization and weakening encryption. In India, a massive data breach affecting 1.1 billion citizens [see coverage at ZDNet] reiterated the need for reforms to the country’s data protection framework, beyond an ineffective government proposal to require that data be stored locally. Over the past 12 months, false claims and hateful propaganda helped to incite jarring outbreaks of violence against ethnic and religious minorities in Myanmar, Sri Lanka, India, and Bangladesh. One of the steepest declines in internet freedom occurred in Sri Lanka [see coverage at engadget], where authorities shut down social media platforms after rumors and disinformation sparked vigilante violence that predominantly targeted the Muslim minority. In India, internet users experienced an unprecedented number of shutdowns due in part to the spread of rumors on WhatsApp. In Egypt, a Lebanese tourist was sentenced to eight years in prison for “deliberately broadcasting false rumors” after she posted a Facebook video describing the sexual harassment she experienced while visiting Cairo [see coverage at Reuters]. In Rwanda, blogger Joseph Nkusi was sentenced to 10 years in prison for inciting civil disobedience and spreading rumors, having questioned the state’s narrative of the 1994 genocide and criticized the lack of political freedom in the country [see Human Rights Watch coverage here]. Key findings include:
- Declines outnumber gains for the eighth consecutive year;
- Internet freedom declines in the United States;
- Citing fake news, governments curb online dissent;
- Authorities demand control over personal data;
- More governments manipulate social media content;
- Internet freedom declines coincided with elections;
- Governments disrupted internet services for political and security reasons; and
- Digital activism fuels political, economic, and social change.
[Press Releases (Freedom House) | The global threat of China’s digital authoritarianism | China’s Web Surveillance Model Expands Abroad | Chinese-style ‘digital authoritarianism’ grows globally: study | China’s Internet Censorship Is Influencing Digital Repression Around the World, Report Warns]
Privacy (US)
US – FTC Announces Hearings on Consumer Privacy and Data Security
As part of its Hearings Initiative, the Federal Trade Commission will hold four days of hearings in December and February to examine the FTC’s authority to deter unfair and deceptive conduct in data security and privacy matters. The December hearings will focus on data security and will take place December 11-12 [Notice], 2018. Tthey will include five panel discussions and additional discussion of research related to data breaches and data security threats. The first day’s panel discussions will examine incentives to invest in data security and consumer demand for data security. Discussions on the second day will focus on data security assessments, the U.S. framework related to consumer data security, and the FTC’s data security enforcement program. Staff has already begun developing the agenda for the December data security hearing. The hearings on consumer privacy will take place in the same venue on February 12-13, 2019 [Notice]. They will provide the first comprehensive re-examination of the FTC’s approach to consumer privacy since 2012. The FTC is seeking comments from the public on what the agenda should include. To be included for consideration, the FTC is seeking comment by December 21 on specific questions to be discussed at the February event. In addition, FTC staff welcomes comments on both the data security and privacy hearings until March 13, 2019. [FTC Press Release | FTC Announces PrivacyCon 2019 and Calls for Presentations | Advocates push to beef up privacy regulator | FTC Commissioner Chopra Calls for Greater (and More Expensive) Enforcement
Privacy Enhancing Technologies (PETs)
WW – New Signal Privacy Feature Removes Sender ID from Metadata
Signal app [here] is testing a new technique called “sealed sender” that’s designed to minimize the metadata that’s accessible to its servers. A beta release announced Monday will send messages that remove most of the plain-text sender information from message headers. It’s as if the Signal app was sending a traditional letter through the postal service that still included the “to” address but has left almost all of the “from” address blank. Like most messaging services, Signal has relied on the “from” address in message headers to prevent the spoofing of user identities and to limit spam and other types of abuse on the platform. Sealed sender, which puts most user information inside the encrypted message, uses two new devices to get around this potential privacy risk: 1) Senders periodically retrieve short-lived sender certificates that store the sender’s phone number, public key, and expiration timestamp; and 2) Delivery tokens derived from the sender’s profile key are used to prevent abuse. Users who want to receive sealed-sender messages from non-contacts can choose an optional setting that doesn’t require the sender to present a delivery token. This setting opens a user up to the possibility of increased abuse, but for journalists or others who rely on Signal to communicate with strangers, the risk may be acceptable. Even under the sealed sender, observers said, Signal will continue to map senders’ IP addresses. That information, combined with recipient IDs and message times, means that Signal continues to leave a wake of potentially sensitive metadata. Still, by removing the “from” information from the outside of Signal messages, the service is incrementally raising the bar. [Ars Technica | Signal rolls out a new privacy feature making it tougher to know a sender’s identity | Apple’s 2018 MacBooks come a chip that protects against eavesdropping | Apple’s new T2 security chip will prevent hackers from eavesdropping on your microphone | Apple’s T2 security chip disconnects a MacBook’s microphone when users close the lid | Apple says its T2 chip can prevent hackers from eavesdropping through your MacBook mic
WW – Accelerating the Future of Privacy through SmartData Agents
Imagine a future where you can communicate with your smartphone – or whatever digital extension of you exists at that time – through an evolved smart digital agent that readily understands you, your needs, and exists on your behalf to procure the things and experiences you want. What if it could do all this while protecting and securing your personal information, putting you firmly in control of your data? George Tomko Ph.D, Expert-in-Residence at Privacy, Security and Identity Institute at the University of Toronto [here], Adjunct Professor in Computer Science at Ryerson University, and Neuroscientist, believes the time is ripe to address the privacy and ethical challenges we face today, and to put into place a system that will work for individuals, while delivering effective business performance and minimizing harms to society at large. I had the privilege of meeting George to discuss his brainchild, SmartData: the development of intelligent agents and the solution to data protection. The evolution of Privacy by Design, which shifts control from the organization and places it directly in the hands of the individual (the data subject) [see here] These ideas were published in SmartData: Privacy Meets Evolutionary Robotics, co-authored with Ann Cavoukian, former 3-term Privacy Commissioner in Ontario and inventor of Privacy by Design [wiki here]. This led to his current work, Smart Data Intelligent Agents, the subject of this article. [Forbes]
Security
CA – Gov’t Failing to Protect Canadians from Cyber Threats: Senate Report
The federal government is failing to protect Canadians from increasingly sophisticated cyber attacks that have already victimized millions, according to a scathing Senate Committee on Banking, Trade and Commerce report released October 29 that calls for the creation of a minister of cyber security [see here: Exec Summary & 34 pg report]. In 2017 alone, over 10 million Canadians had their personal information compromised through targeted attacks and — more often — through cyber operations directed against businesses that hold Canadians’ private information, says the executive summary. Among the committee’s recommendations: 1) all levels of government must prioritize cyber security education as part of the national cyber security strategy. there should be a national cyber literacy program, led by the newly-created Canadian Centre for Cyber Security, to educate consumers and businesses about how to protect themselves; 2) Ottawa should create a new national centre of excellence in cyber security and expand two existing centres to promote university-level research and encourage Canadians to pursue careers in cyber security-related fields. The centres of excellence should be the Canadian Institute for Cybersecurity at the University of New Brunswick, the Cybersecurity and Privacy Institute at the University of Waterloo, a third yet to be chosen in Western Canada. They would join the Montreal-based Smart Cybersecurity Network (SERENE-RISC) already receives funding as a centre of excellence; 3) the federal government should modernize PIPEDA, including empowering the Office of the Privacy Commissioner to make orders and impose fines against companies that fail to protect their customers’ information, and to allow information sharing about cyber threats within the private sector and between the private sector, government and relevant international organizations; 4) businesses should be given incentives to invest in cyber security improvements, for example, by making these investments tax deductible; 5) a new federal minister of cyber security should be created to co-ordinate cyber security efforts across all levels of government. The minister would have responsibility for the new Canadian Centre for Cyber Security — now overseen by the Defence department — and the RCMP’s National Cybercrime Co-ordination Unit; 6) Ottawa should create a federal expert task force on cyber security to provide recommendations regarding the national cyber security strategy that would establish Canada as a global leader in cyber security. The government released an update to its national security strategy in June; 7) the federal government develop standards to protect consumers, businesses and governments from threats related to the Internet of Things devices; and 8) it should also develop a consistent set of leading cyber security standards that are harmonized with the highest international standards and would apply to all entities participating in critical infrastructure sectors. “Governments, businesses and individual Canadians each have a role to play in protecting the country from this cyber scourge,” says the report. “It should keep you up at night.” [IT World Canada]
US – Best Practices for Preventing and Responding to Incidents
The US Department of Justice, Cybersecurity Unit updates existing best practices on how to prevent falling victim to a cyber incident. The US DoJ Cybersecurity Unit recommends prior to an incident, organizations educate senior management on risks, identify company assets, and have appropriate authorizations in place; following an incident, organizations should enact their incident response plan, notify stakeholders (internal personnel, regulators and potential victims), and avoid using a compromised system for further communication. [Best Practices for Victim Response and Reporting of Cyber Incidents – Department of Justice, Cybersecurity Unit]
US Legislation
US – Sen. Ron Wyden Proposes Bill That Could Jail Executives Who Mishandle Consumer Data
Sen. Ron Wyden (D-OR) released an early draft of legislation today that would create substantially stiffer guidelines for the misuse of consumers’ data. Among other provisions, the bill suggests creating a penalty of 10 to 20 years imprisonment for senior executives who fail to follow new rules around data use. called the “Consumer Data Protection Act” [see PR, 1 pg PDF hsummary, 2 pg PDF section overview & full 38 pg PDF text] it would give the FTC more authority and resources to police the use of data by adding a total of 175 new staff. Under the proposal, the FTC would also be allowed to fine companies up to 4% of revenue for a first offense. It would create a centralized Do Not Track list meant to let consumers stop companies from sharing their data with third parties, or from using it for targeted advertising. It would allow companies to block users who opt out and offer a paid version of the service in place of the tracking. Consumers could also ask to review and challenge the information collected on them. Companies that make more than $1 billion in revenue and that handle information on more than 1 million people, or smaller companies that handle information on more than 50 million people, would also be required to submit regular reports to the FTC that describe any privacy lapses. Failure to comply with the measure could lead to jail time. Wyden is accepting feedback on the bill at PrivacyBillComments@wyden.senate.gov. [The Verge | Senator Wyden wants to jail execs who don’t protect consumer data | Senator’s data privacy law draft could put CEOs in jail for lying | Sen. Ron Wyden Introduces Bill That Would Send CEOs to Jail for Violating Consumer Privacy | Oregon senator proposes privacy regulations with prison and revenue penalties for data misuse | California Consumer Privacy Act of 2018 – Full Text
Workplace Privacy
UK – Court Confirms Vicarious Liability for Rogue Employee
The UK Court of Appeal considers the liability of Morrisons Supermarket PLC (“Morrisons”) for the actions of an employee. The employee’s actions (stealing employee data and disclosing it to third parties) were within the field of activities assigned by the company (accessing payroll information, copying data to a USB stick), and the company had an obligation to reasonably ensure the reliability of any employee with access to personal data. [WM Morrison Supermarkets PLC and Various Claimants – 2018 EWCA Civ 2339 – England and Wales Court of Appeal]
+++
