Sam Castic

Senior Associate

Seattle


Read full biography at www.orrick.com
Sam Castic helps clients to successfully collect and use personal information while minimizing the risk of a regulatory investigation or class action lawsuit. Sam is part of the firm's Cybersecurity and Data Privacy team.
Sam is recognized as a Certified Information Privacy Professional (CIPP) U.S. by the International Association of Privacy Professionals, and he works with clients on a variety of privacy, data protection, and cybersecurity matters, such as the following:
  • Behavioral Advertising. Sam helps clients with online behavioral advertising, including compliance with privacy law and industry codes, vendor and service provider agreements, and data collection and use.
  • Marketing Campaigns and Compliance. Sam advises clients on telemarketing, outbound calls and text messaging, email, and direct marketing law.
  • Contract Negotiations. Sam negotiates vendor contracts, service agreements, and business transactions that involve the collection, purchase, hosting, and,  use of personal information and Big Data.
  • Privacy By Design.  Sam counsels technology companies and service providers on Privacy By Design principles when developing and bringing innovative new products and services to market.
  • Online and Mobile Privacy. Sam has extensive experience with mobile and online privacy issues, including drafting privacy policies.
  • Cybersecurity Incident Response.  Sam has handled numerous multi-jurisdictional and national data breach responses, including in the investigation, remediation, strategy development, notification, and regulator inquiry phases. He also helps clients prepare incident response plans.
  • International Transfers. Sam assists companies in international privacy and data protection issues, including regarding cross-border transfers or accessing of personal information.
  • Investigations and Disputes. Sam has assisted clients in responding to governmental inquiries and investigations with respect to consumer protection issues and privacy and data protection practices, and he has experience defending against privacy class actions.

Posts by: Sam Castic

First Privacy Shield Guidelines for Companies published by German DPA

First EU-U.S. Privacy Shield Guidelines by German DPA

On September 12, 2016, the Data Protection Authority of the German Federal State of North Rhine-Westphalia (“DPA NRW”) became one of the first EU data protection authorities to issue guidance on the implementation of the Privacy Shield. Although the guidance is primarily directed at German companies that engage U.S. providers (any third party service providers), U.S. providers should understand the guidance to better understand what German and EU customers may ask of them in addition to EU/U.S. Privacy Shield certification.

Background

 Since August 1, 2016, U.S. companies have been able to certify for the EU-U.S. Privacy Shield (“Privacy Shield”) for personal data transfers from the EU to the U.S.  Companies electing to certify under the Privacy Shield with the U.S. Department of Commerce will be recognized by the EU as providing an adequate level of protection for personal data transferred from the EU to the U.S. The Privacy Shield, which was adopted on July 12, 2016 by the European Commission, replaces the EU-U.S. Safe Harbor Framework, which was invalidated by the Court of Justice of the European Union (“CJEU”) on October 6, 2015.  Certifying under the Privacy Shield requires U.S. entities to undertake certain steps and assessments to verify that they can comply with the Privacy Shield principles for the data that they transfer from the EU, such as having a Privacy Shield-compliant privacy policy, giving people choice about how their data will be used, implementing data protection controls, selecting a third party to adjudicate individual privacy complaints, and verifying that vendors and service providers they allow to access the data also follow equivalent principles.  Failure to comply with the principles can subject the companies to investigations and liability from the FTC (or Department of Transportation for entities regulated by that agency).

The DPA NRW raised the following issues that U.S. companies should consider:

1. Privacy Shield Alone May Not Be Sufficient For Transfers of Personal Data

Pursuant to the guidance, European companies considering transfers of personal data abroad must make a two-step assessment of data privacy compliance.

First, there must be a statutory basis for the transfer that is consistent with the local law of the concerned EU Member State, and as of May 2018, also with the EU General Data Protection Regulation. Second, the personal data held by EU companies should only be transferred to countries with an adequately high level of data protection comparable to the protection in the EU.

Privacy Shield, however, only addresses the latter. More specifically, the EU Commission’s adequacy decision of July 12, 2016 held that U.S. companies certified under the Privacy Shield provide an adequate level of protection.

Practically, what does this mean? In addition to the Privacy Shield certification, U.S. companies may need to enter into a data processing agreement with their EU partner that satisfies the relevant EU Member State statutory provisions that apply to data processing agreements. One example of such statutory provisions is Section 11 of the German Federal Data Protection Act, which contains fairly detailed requirements on the content of data processing agreements. In particular, it requires both parties to agree on rather specific technical and organizational measures that the processor has implemented to protect the security of the data to be processed.

2. Data Controllers Transferring Personal Data under the Privacy Shield Have Additional Duties

Under the guidance, even if a U.S. company is Privacy Shield certified, data controllers are still responsible for independently verifying that data privacy protections are upheld. That means that before transferring personal data to a Privacy Shield certified U.S. company the data controllers must confirm that:

  • the Privacy Shield certification actually exists;
  • the Privacy Shield certification is up to date (the certification has to be renewed annually); and
  • the personal data the data controller intends to transfer is covered by the certification.

Thus, U.S. companies should expect that data controllers will ask the U.S. company questions regarding these points, and likely require the U.S. company to attest that it complies with its privacy obligations with respect to the concerned data subjects. For verification of the status of a Privacy Shield certification, the U.S. Department of Commerce keeps and updates a list of certified companies https://www.privacyshield.gov/list.

For U.S. companies that are using the nine month grace period for compliance with the onward transfer principle of the Privacy Shield, the guidance indicates that the EU data controller should have the U.S. company confirm when it has completed compliance with the onward transfer principle. For U.S. companies, this will underscore the importance of reviewing, and where necessary updating, vendor and service provider contracts to ensure compliance with the Privacy Shield’s onward transfer principle by, among other things, contractually restricting the vendor or service provider’s data processing activities and requiring protection consistent with the Privacy Shield Principles.

3. Employee Data is Special

The Privacy Shield contains special provisions regarding transfers of employee data. If the Privacy Shield certification covers employee data, the company must agree to cooperate and comply with the EU DPAs with respect to such data. This means that the use of such data will still remain subject to EU law, and complaints from data subjects about the use of the data will be adjudicated by the EU DPAs.  In addition, the following principles must also be followed by the EU companies transferring employee data to the United States:

  • The Privacy Shield Principle of choice may be impacted by generally applicable regulations from EU Member States that do not allow for the continued processing of employee data for purposes other than the purpose for which they were collected. EU data controllers (e.g. in general, the employing entities) may further restrict U.S. companies from such uses and require contractual restrictions.
  • U.S. companies and/or the data transferring EU entity (employer) need to respect an employee’s exercise of his/her right of choice against processing their personal data and must not disadvantage the employee in any way.
  • If specific protection for employee data is needed, appropriate measures have to be taken, e.g. pseudonymization or anonymization of data should be considered.

4. Privacy Shield May Not Be a Long Term Solution.

Despite raising various concerns about the EU/U.S. Privacy Shield, the DPA NRW agreed to give the program one year to address those concerns. After this initial year, the Article 29 Working Party plans to review whether its concerns have been addressed, and if the Privacy Shield is effective and functioning. Depending on the outcome of this annual assessment, the DPA NRW reserves the right to reevaluate and potentially stop data transfers under the Privacy Shield. Accordingly, U.S. companies relying on the Privacy Shield should carefully weigh the uncertainty it offers as a long term solution.

At the same time, the DPA NRW guidance points out that the outcome of this assessment will also have an impact on other methods of transatlantic data flows such as binding corporate rules and EU model contractual clauses which are currently likewise under scrutiny.

For more details on the Privacy Shield, or for help exploring whether it is appropriate for your company, please contact any member of Orrick’s Cybersecurity and Privacy team.

Financial Institutions Going First? New York Proposes Mandatory Minimum Cybersecurity Compliance Standards

Cybersecurity Standards Financial Services Institutions

Just as it promised a year ago, New York State proposed new proscriptive, minimum cybersecurity requirements for regulated financial services institutions.  The regulations go final after a 45-day notice and public comment period.  At that point, entities regulated by the NYDFS will be subject to the nation’s first proscriptive set of cybersecurity requirements in contrast to the usual risk-based cybersecurity programs mandated by other financial regulators to date.  Thus, unlike previous guidance and reports issued by financial regulators such as FINRA and the SEC, New York’s rules are specific requirements that all regulated financial institutions must adopt..  In this Part I, we review the proposed requirements, and offer some specific steps that regulated financial services institutions should begin to consider for compliance readiness.

READ MORE

EU-U.S. Privacy Shield: Companies Can Now Certify

Privacy Shield

As of, August 1st, 2016, U.S. companies can now join the Safe Harbor successor EU-U.S. Privacy Shield (the “Privacy Shield”) for personal data transfers from the EU to the U.S.

This post gives a high level summary of what companies should consider with the Privacy Shield.

Background:

On July 12, 2016, the European Commission (the “Commission”) formally adopted the adequacy decision necessary to implement the Privacy Shield. This means that transfers of personal data from the EU to the U.S. that are made pursuant to the Privacy Shield’s requirements are lawful under EU law.  The Privacy Shield replaces the EU-U.S. Safe Harbor Framework, which was invalidated by the Court of Justice of the European Union (“CJEU”) on October 6, 2015.

READ MORE

Is Ransomware a Notifiable Data Breach Event?

There is no doubt that companies face unprecedented volume and variation in both disruptive and intrusive cyberattacks on their networks.  Among the different attack methodologies today, ransomware is quickly becoming a major concern for CISOs and security professionals.  According to Interagency Guidance from the U.S. Government, there are currently over 4,000 daily ransomware attacks – up over 300% from the 1,000 daily ransomware attacks experienced in 2015.

Ransomware can potentially hold hostage critical corporate, customer and employee data, but in-house legal and communications teams are also concerned about whether these attacks trigger notification rules.  The Department of Health and Human Services Office of Civil Rights (“HHS OCR”), which enforces the HIPAA Security and Breach Notification Rules, stated in recently issued guidance that ransomware incidents may be considered a breach that require notification.  The guidance is a poignant reminder to all companies, whether regulated by HIPAA or not, to carefully consider how evolving attack methodologies can directly implicate incident response strategies and compliance obligations.

READ MORE

EU-U.S. Privacy Shield Approved by EU Member States

safe harbor

Today the EU-U.S. Privacy Shield was approved by the EU Member States, which sets the stage for the European Commission to grant final approval to the Privacy Shield as a basis for EU-U.S. transfers of personal data.

This development follows criticisms of the Privacy Shield this past April from the Article 29 Working Party, an advisory group comprised of the EU privacy regulators. We summarized the primary criticisms in a prior blog post.  The Working Party was responding to the draft adequacy decision that was released by the European Commission on February 29, 2016, which we summarized here. The revisions to the Privacy Shield are intended to address the criticisms of the Working Party but it is not yet clear if the criticisms have been fully reflected.

READ MORE

FCC Privacy Regulations: The Next Litigation Trend?

Last month the Federal Communications Commission (“FCC”) closed the comment period for its proposed privacy regulations, which we previously wrote about here.  The million dollar question on everyone’s minds is whether the final regulations will be broader or narrower in scope than the initial proposal, which included not only a significant expansion of the definition of personal information, but also sweeping new obligations and raised serious questions in areas where the obligations could become even stricter still.[1]  Accordingly, companies subject to the new regulations are bracing for tighter FCC Enforcement Bureau scrutiny of broad data collection and handling practices.

READ MORE

Germany Issues Privacy Guidelines for Employer Access to Employee Email and Internet Use

employee email

Can employers look at the company email accounts of employees, such as when they do not show up to work? Can employers monitor employee Internet use during working hours? Can employers read employee emails if they use the company email account for personal purposes?

Companies face these and many more questions about employer-provided email accounts and Internet access every day. To give employers guidance on this, the German Data Protection Authorities (“DPAs”) published “privacy guidelines” about using email and the Internet at the workplace. These guidelines provide essential information, practical tips and helpful advice on this topic.

READ MORE

IP Addresses as Personal Data – Website Providers To Come Under Even More Scrutiny With EU Data Privacy Law

IP address

Website providers that collect dynamic Internet Protocol addresses (“IP address”) from website visitors may soon be subject to even more scrutiny from data protection authorities in the EU.

Last week, Europe’s Advocate General Manuel Campos Sánchez-Bordona (one of the advisors to the European Court of Justice, “ECJ”) released an opinion which, if followed by the ECJ would end a long debated question whether IP addresses are personal data subject to EU data privacy law. The Advocate General takes the view that dynamic IP addresses are personal data when being in the hands of a website provider when a third party (e.g. the internet access provider) has access to additional information that would enable identification of the Internet user.

READ MORE

Data transfers in limbo – U.S. companies face fines by German data protection authorities

international data transfers

While EU regulators determine whether to adopt a new agreement for transfers of personal data from Europe to the United States to replace the invalid EU-U.S. Safe Harbor Framework, German data protection authorities have not been idly twiddling their thumbs.

Hamburg’s data protection commissioner, the head of one of 16 Federal German data protection authorities (“DPA”), announced in February that his agency is investigating Hamburg-based subsidiaries of large U.S. companies engaging in transfers of personal data of EU citizens to the U.S.

READ MORE

2016 IAPP Global Privacy Summit: Key Themes and Takeaways

global privacy

Last month, privacy and security professionals from around the world gathered in Washington, D.C. for the International Association of Privacy Professionals’ Global Privacy Summit 2016.  The conference focused on the new perspectives in privacy that welcome (back) the human element, the increasing role of governmental regulators in establishing and enforcing security and privacy practices, and new EU-centered developments in privacy that will likely have long lasting impacts through the industry.

We were there to take it all in, and offer these five key areas of emphasis and takeaways.

READ MORE