Hamburger Evron & Co.

  • 24.03.2015, The Challenge - to Protect the Privacy of Information, Haaretz

Data Protection and the Law
 

An unprecedented wave of cyber security regulation is sweeping the US, aimed at fighting cyber events. What can we learn from the Americans, and how is it possible to strike a balance between protecting cyberspace from cybernetic risks and protecting fundamental rights and information privacy?

Adv. Yaron Sobol, Adv. Shany Winder

In the past two years giant companies have experienced cyber disasters. One can count, among others, the well-known attack on the Target chain where hackers broke into the company’s systems and stole tens of millions of digital records of the company’s clients, including credit card details and other personal information. Additionally, the recent attack on Sony “scored” many headlines. This attack included the public distribution of internal-strategic information, including emails and commercial movies. The attack on Sony stood out in particular in light of the post-attack intervention of the highest echelons of the American administration - including President Obama himself - who threatened the State of North Korea, suspected of being behind the cyber-attack.

In the attack on Anthem, the second largest health insurer in the US, data on about 80 million members was breached. This attack apparently did not include leakage of medical records or financial details, but did include Social Security numbers, addresses, income data and other personal information. Yet a cyber-attack on a company that holds medical records, which include the most sensitive personal information, illustrates the inherent danger of holding such records. For example, information of this type has great value in the gray market, and in addition such information is not immediately “subject to cancellation” from the moment of exposure, in contrast, for example, to breached credit card numbers, which are subject to cancellation. These attacks and others best illustrate the vulnerability of every company, wherever it is, to cyber-attacks. In this article we shall focus on the interface points between cyber security and aspects of privacy in the great volume of information accumulated about us in the databases of various organizations - Big Data.

Security Risks

Everyone knows that enormous quantities of digital information are created about us every day. “Big Data” relates to the collection, accumulation, storage, processing and analysis of a wide and complex range of vast volumes of information that exist on an unprecedented scale. This information is derived from a wide range of sources, such as the Internet, social media, mobile applications, public records and information held by state entities. The potential uses of “Big Data” raise challenges and many practical consequences of great importance, including with regard to aspects of privacy protection and other values.

These challenges are in effect gaining greater importance with the rapid development of the “Internet of Things” (IoT). The “Internet of Things” relates to “things” - devices and in fact anything that can be connected to a network - which communicate with one another via the Internet through sensors. These connected devices use the Internet for transmission, processing, analysis and sharing of the information. Prominent examples of this are energy management systems, “smart” cities like Chicago, “smart” homes, and “smart” cars (for illustration purposes - sensors in cars that inform drivers of dangerous road conditions) and even medical devices of patients.

The technology of the “Internet of Things” undoubtedly provides enormous advantages. At the same time, alongside these opportunities, there is no small number of difficulties and new challenges. Firstly, the development of these technologies creates security risks that could cause damage to consumers. The consequences are especially severe when talking about IoT: cyber-attacks on the “Big Data” that collates the data received from these “things” allow exploitation of the personal information and even create risks to personal safety. Among others, hackers could exploit security loopholes to gain unauthorized access and thus put human life at physical risk. This could be done, for example, by taking control of “things” such as cars in the civilian sphere, or factories and national infrastructure facilities in the national-state sphere. Secondly, there is a real worry about creating discriminatory behaviors, misuse of the information, use of it for purposes other than the original objective, and other privacy risks. This could be done by direct collection of personal information - such as geographic location, financial information and even medical information - via “things.”

“Big Data” also allows us to indirectly deduce sensitive personal information about people, such as habits and behavior patterns, personality traits and preferences, and create “profiles.” Various entities, including companies holding “Big Data” information in an ostensibly legal manner, or third parties that received the information - could take decisions about people on whom information has been collected based on that data. For example, banks will make decisions with regard to credit, employers will make decisions on employee matters, or on potential employees, and insurers will make decisions on matters of insurance. We refer here to structural asymmetry between companies and other entities that collect, hold and control the databases, and between those that intentionally or unintentionally provide the information of most consumer details. Certainly, to the extent that third parties have access to such information - for example, following a cyber-attack - the risks generated are intensified.

Cyber Security Regulation

The laws and regulations in Israel regarding cyber security and privacy are also still relatively in their infancy and on many issues a judicial “vacuum” exists. It is therefore appropriate to learn about developments in the field from across the ocean. An unprecedented wave of cyber security regulation has been “sweeping” the US in recent years. Yet American legislation in the field of cyber security is not coherent and up-to-date enough to best fight cyber events in the private sector and on the national front. Therefore, in January 2015, the President of the United States, Barack Obama, initiated a number of important legislative proposals aimed at legislating the areas of cyber security and privacy in a coherent manner. We will review below the most important and interesting among them:

First, information sharing legislation

The goal of this proposed bill is to incentivize the private sector to share indicator-type information on cyber violations with the public sector - the American administration. To this end, the proposal provides immunity from legal liability - civil and criminal - to those entities that voluntarily shared information as mentioned. This is not the first time that a proposed bill on this issue has been submitted to the American legislator. Similar bills in the past failed because of the huge opposition that arose from the fear of violation of privacy and other human rights as a result of disclosure of information to the administration. The proposed bill requires that entities that disclose, or receive, information as stated, must take reasonable measures to minimize the possibility of being able to identify from this information details that are not relevant to the need to deal with the cyber threat.

It should be noted in this matter that the very existence and disclosure of meta-data, namely the data on the data itself, raises concerns about privacy protection. Information sharing legislation also raises legal difficulties, such as the relation between it and American legislation on the freedom of information. Concerns about potential violations of commercial antitrust laws are another stumbling block to fruitful cooperation between competing companies that share information with each other.

Second, proposed federal legislation for notification of data breaches (Personal Data Notification & Protection Act)

Today most US states have legislation requiring breaches of sensitive personally identifiable information (SPII) to be notified to those harmed. Many individuals therefore received notification that their personal information had been breached. Despite the presence of a certain amount of overlap in the legislative requirements at the state level, they are not identical among the states. There is currently no uniform federal legislation requiring notification of information leakage, but legislation applicable to certain sectors only, mainly health, finance and the civilian-federal. The proposed legislation establishes a uniform federal standard that will apply to all states in the US and in so doing create harmonization in the field. The proposed legislation establishes that any entity that uses, accesses, transfers, stores or collects sensitive personal information on more than 10,000 individuals, must notify individuals hit by a data breach of any unauthorized access to their information. The notice to those injured must be given within 30 days of the day of the discovery of the cyber breach. However, the proposed legislation establishes an exception under which there is no requirement to notify where that entity has conducted a risk analysis and reached the conclusion that there is no reasonable risk of the unauthorized access having caused or being likely to cause any damage to those particular individuals. This is so, for example, where information was encrypted in such a manner that it cannot be decrypted. That entity will be required to report the results of its risk analysis and its decision not to notify individuals about the breach to the governing authority (the FTC).

Third, proposed legislation for protecting student privacy (Student Digital Privacy Act)

This proposal aims to ensure that information collected in educational frameworks will serve educational objectives only and also to prevent companies from selling information on students to third parties, or using this information for discriminatory purposes. However the law would allow information about students to be shared for research purposes and for purpose of education improvement. This proposed bill is another one that is sectoral only - i.e., it protects the privacy of a specific sector - the students.

Fourth, proposed legislation for protecting consumer privacy (Consumer Privacy Bill of Rights)

This is an attempt to pass coherent legislation in the field of privacy (in contrast to sectoral legislation), but the chances of the legislation being passed are relatively low. The goal of the proposal is to create a uniform standard for producing and processing information for banks and other companies. The main rights which the proposal aims to protect are the right to decide which types of personal information are collected about consumers, the right to know and control how the personal information is used, and also the right that the information be saved in a safe and secure manner.

Ensuring Checks and Balances

Establishment of a national authority for cyber protection is a welcome step, but it must be ensured that the authority does not have too much power and wide-ranging capability to obtain access to the big-data databases

With the realization that the risks of cyber security are among the key risks threatening private entities and states alike, in February 2015 the government of Israel confirmed the establishment of a national authority for cyber protection - a dedicated authority to protect the national cyber space. This authority is intended to serve as an operative entity that will act alongside the national cyber headquarters, which engages in the formulation of policy and will hold national responsibility, which includes protection of the cyber system. In this framework, the mandate of the national cyber authority will be to manage the protective activities and create a system-wide solution against cyber-attacks, including handling of threats and events in real time. It will also be the responsibility of the new authority to establish and operate an Israeli Cyber Event Readiness Team (CERT) - a center to help in meeting the challenges of cyber threats through testing mechanisms, investigation, updates and handling. The authority is expected to create mechanisms for information sharing in real time with entities that are harmed and assist both public authorities and private organizations in dealing with cyber-attacks.

Indeed, this is a vital and important step. At the same time, the scope of its powers and authorities is still not delineated, nor have exceptions and limitations of use been defined for the authority’s use of the enormous power that it is expected to be given. For example, it should be clarified which “information” is meant for sharing and the type of uses authorities are permitted to make. Additionally, it will be necessary to institutionalize control and supervision mechanisms over its activity, reporting mechanisms and arrangement of activities in relation to entities that in accordance with government decision are meant to be the beneficiaries of its work - the public sector and the private sector. One of the major fears is that in giving this authority approvals that are too wide-ranging, injury will be caused to protected fundamental rights, and in particular to the right to privacy. Thus, for example, without a suitable system of checks and balances, the National Cyber Authority will hold a great deal of power and wide ability to receive access to the big data databases.


As stated above, keeping track of the adventures of the “Big Brother Law” (see inset) in the few years that have passed since its legislation teaches that from the moment investigative bodies were given the authority to collect information, there has been a disturbing landslide in the amount of personal information collected by them, at times simply because of the capability and the authority to collect, and detached from the central idea behind the legislation - an appropriate balance between enforcement needs and the protection of important public interests on the one hand, and a reduction in the possible harm to privacy on the other.

Organizations dedicated to the rights of the individual argue that investigative entities dawdle over providing reports on the scale of their invasion of privacy, that many warrants to provide personal information have been issued for investigations into minor offences of “disturbance of public or social order” and that about half of the requests to receive information have not passed a judicial test. The danger inherent in laws such as the “Big Brother” law is that additional government entities, whose main sphere of activity is not investigations and enforcement, will ask to make use of the tools that such a law provides, if only because of the availability and the possibility.

Preventing Injury to Fundamental Rights

The concern is that the less those who get access to information are experts in investigations and enforcement, the lower their ability to separate the wheat from the chaff, and thus the more sweeping the collection of information will be. For example, the Ministry of Justice recently asked to expand the list of entities approved to receive information as part of the Communication Data Law, and to include in it authorities whose main area of activity is not investigations and enforcement - the Ministry of Environmental Protection, the Antiquities Authority and the Nature and Parks Authority.

In summary, the fears about potential violations of human rights face both the American legislator and regulator and their Israeli counterparts. The lesson learned from the “Big Brother Law” teaches that in the absence of appropriate barriers and limitations that strike a balance between the wish of the state to know and the rights of the individual, the state authorities tend to intrude on the realm of privacy and store information even if there is no significant need for this step. On the face of it, without a suitable system of checks and balances, the National Cyber Authority will hold a lot of power and abilities to interface to big data and to the vast amount of information stored there (see inset).

Legislative regulation is also required with regard to the wording of existing legislation, such as the Freedom of Information Law and Commercial Antitrust Law, so that there will be maximal “harmony” between these laws and the laws to protect cyberspace against cybernetic risks. Therefore, and in order to avoid the dangers embedded in giving too wide a range of powers to the cyber protection authorities, there is a need to create an extensive system of rules of the game that will suitably balance the need to protect cyberspace against protected fundamental rights. This system should be composed of legislation, regulation and advanced gatekeepers in the field, which on the one hand will provide powers and “teeth” to the authorities when needed, and on the other hand will prevent, because of presence and capability, non-proportionate harm to protected fundamental rights.

_____________________________________________________________________

Att. Yaron Sobol is a partner at law firm Hamburger Evron & Co. and head of the technology and cyber department; Att. Shany Winder is an associate in the technology and cyber department at law firm Hamburger Evron & Co.

Nothing in this article is to be construed as a legal opinion. It is only to be regarded as the expression of an opinion by the writers of the article. It is recommended to seek individual legal counsel for each individual case.