Privacy & Security Matters

Mintz Levin : Data Compliance & Security, Employee Privacy Lawyer & Attorney

Privacy Monday – January 26, 2015

Posted in Cybersecurity, Data Breach, HIPAA/HITECH, Legislation, Privacy Monday, Privacy Regulation, Uncategorized

Good Monday – The East Coast prepares for Apocalypse (Sn)ow.

In the meantime, here are three privacy-related tidbits for your day.

Privacy Concerns Cause Scale Back of Release of HealthCare.gov Data

We spend a fair amount of time warning about third party vendors and the risk that such vendors can pose to sensitive data.   Just ask Target.   Last week, the Associated Press revealed that the healthcare insurance exchange, HealthCare.gov, was connecting with third party analytics sites and others and operating much like any commercial website — except that it is not.  The AP reported over the weekend that the Obama Administration has “reversed itself” and scaled back the release of (or access to) consumer data — including anonymized data.     According to the AP’s Saturday follow-up, an analysis of the Federal exchange showed that the number of third party companies with connections embedded in the site, thus giving them access to consumer data, “dropped from 50 to 30.”

Read more:

The Hill – The Centers for Medicare and Medicaid Services will encrypt additional data when customers use the Window Shopping feature on HealthCare.gov.

New York Times — Is the data usage “industry standard” and much ado about SOP?

CNN Money

 

Continue Reading

Cybersecurity and Privacy in State of the Union Address

Posted in Children, Cybersecurity, Data Breach, Data Breach Notification, Data Compliance & Security, Legislation, Privacy Regulation, Security

As expected in his State of the Union address last night, President Obama made it very clear that cybersecurity is on his agenda for 2015.  After stating that:

 “No foreign nation, no hacker should be able to shut down our networks, steal our trade secrets or invade the privacy of American families, especially our kids,”

the President urged Congress to “finally” pass “legislation we need to better meet the evolving threat of cyber attacks, combat identity theft, and protect our children’s information” and cautioned law makers that “if we don’t act, we leave our nation and our economy vulnerable.”

Just days before the State of the Union address, in a speech delivered at the Federal Trade Commission on January 12, the President highlighted the measures he discussed in the State of the Union and unveiled the next steps in his comprehensive approach to better protect American companies, consumers, and infrastructure against cyber threats. These steps include:

  1. Improving consumer security by establishing a national standard for companies to notify employees and customers about security breaches and identifying and preventing identity theft. For more information about the proposed Personal Data Notification & Protection Act, please see our prior blog post. The President announced that in an effort to tackle identity theft and assist consumers in spotting identity theft early on, several large financial companies have committed to offer free credit scores to their customers, joining an existing list of financial companies that already engage in this practice.
  2. Improving consumer confidence online by passing a Consumer Privacy Bill of Rights to establish an enforceable code of conduct for online interactions and protect consumers’ privacy. This proposed legislation will be based on the Obama Administration’s 2012 Consumer Privacy Bill of Rights and is expected to be released within the next month and a half.
  3. Safeguarding student data in the classroom and beyond by passing legislation to promote student privacy, convening the private sector to pledge to help enhance the privacy of students, and offering  new tools via the Department of Education  to help schools and teachers better protect the privacy of students. Sometime in the next two months, the Obama administration will release a proposal to update the Family Educational Rights and Privacy Act (FERPA). The President highlighted that the proposed Student Digital Privacy Act would: (i) limit the use of data collected “in an educational context” to educational purposes; (ii) prohibit companies from selling student data to third parties for unrelated purposes; and (iii) prohibit targeted advertising derived from data collected in school, however, the bill would still permit the use of such data for certain types of research, as well as for improving the effectiveness of learning technology products. The President noted that the bill would be modeled on a recently passed California law covering the collection and use of student data. For more information on the California law, please see our prior blog post.
  4. According to a recent White House press release on the subject, as part of the Obama Administration’s comprehensive plan to better protect the privacy of consumers, on January 12, the Department of Energy and the Federal Smart Grid Task Force released a new Voluntary Code of Conduct (VCC) “for utilities and third parties providing consumer energy use services that will addresses privacy related to data enabled by smart grid technologies.” For more information about this initiative, please click here.

The next item on the law makers’ agenda is a hearing before the House Energy and Commerce subcommittee next Tuesday entitled “What are the Elements of Sound Data Breach Legislation?” According to new subcommittee Chairman Michael Burgess (R-TX), “data security will be the focus of our subcommittee’s first hearing as we drill down on what components should be included in a bill that will give consumers the peace of mind they deserve.”

We will keep you updated on proposed legislation and new initiatives that are part of the Administration’s cyber security plan.

If cybersecurity and data privacy are on the President’s agenda, shouldn’t those issues be on the top of your company’s agenda this year?!

 

Privacy Monday – January 19, 2015: New Additions to Mintz Levin’s Privacy & Security Group

Posted in Privacy Monday

We are pleased to announce important additions to Mintz Levin that clearly strengthen the Privacy & Security Group’s bench.

Mark Robinson, Member (Boston) – Mark is a nationally recognized authority in government investigations and enforcement and cybersecurity defense, and a former deputy chief of the Criminal Division of the US Department of Justice (DOJ).   He serves as Co-chair of the firm’s White Collar Defense Practice.

Mark represents public and private sector clients in connection with internal investigations, regulatory enforcement actions, commercial litigation, and large scale data breaches. He has been called upon by CEOs, directors and officers, audit committees, and senior executives in industries as varied as energy, automotive, media, health care, and financial services. His areas of focus include data breaches and cyber incidents, securities and procurement fraud, bid rigging, pharmaceutical pricing practices, accounting misconduct, false claims, and commercial bribery.  Mark’s already been quoted in last week’s Wall Street Journal article, “The Rise of Cybercrime Extortion” (registration may be required).

Ari Moskowitz, Associate (Washington, DC) - Ari provides guidance to clients on complying with various federal and state privacy laws, including the Children’s Online Privacy Protection Act, cross-border data protection regulation, and data breach notification laws.   With Ari, Mintz Levin’s Privacy & Security Group now boasts five attorneys with Certified Information Privacy Professional (CIPP) credentials.

Peter Day, Associate (San Diego) – Our newest addition (joining today!), Peter advises and defends companies responding to governmental inquiries. He has represented clients facing inquiries from congressional committees, the Department of Justice, the Securities and Exchange Commission, the Federal Trade Commission, numerous state attorneys general, and several foreign regulators.   Peter represents clients in connection with data breaches, breach notification laws, post-data breach remediation, network security, corporate compliance, and the Payment Card Industry Data Security Standard (PCI DSS). He has also represented and advised clients in the financial services, defense, technology, and retail sectors regarding the collection, use, and disclosure of personal information, financial information, and geo-location information.

 

You’re Invited: Tips for Surviving a HIPAA Audit

Posted in HIPAA/HITECH

Celebrate Data Privacy Day!  On Wednesday January 28th, Mintz Levin’s Dianne Bourque, will be presenting a webinar on how to survive a HIPAA audit. 

With the New Year in full swing, the HHS Office of Civil Rights (“OCR”) is resuming its random audit program to assess compliance with HIPAA privacy, security and breach notification rules.  While Phase I of the OCR audit program involved on-site visits, OCR will conduct Phase II audits by performing desk review of documentation.  Findings during a Phase II audit can lead to enforcement and failure to comply can lead to the imposition of civil monetary penalties.

During this webinar, Dianne will discuss lessons learned from Phase I of the audit program and how best to incorporate those lessons into Phase II preparations.  She will also discuss how to identify and eliminate compliance gaps, in case you are chosen for an audit.

Phase II audits can happen to covered entities and business associates alike.

Learn more about how you should be preparing and register for this webinar by clicking here.

White House Proposes National Data Breach Notification Standard

Posted in Cybersecurity, Data Breach, Data Breach Notification, Federal Trade Commission, Legislation, Privacy Regulation

Written by Cynthia Larose, CIPP and Ari Moskowitz, CIPP

This has been a big week for cybersecurity announcements from Washington.   In what the White House has called a series of “SOTU Spoilers,” President Obama announced his intention to follow through on some of the recommendations in his administration’s Big Data report — the culmination of the White House’s 90-day “Big Data” review in 2014.  Specifically, the President proposed following through on the report’s recommendations that the following legislation be passed:  a consumer privacy bill of rights, a national data breach notification law, and a law to promote student privacy. Continue Reading

Privacy Monday – January 12, 2015

Posted in Cybersecurity, Data Breach Notification, Data Compliance & Security, Employee Privacy, Federal Trade Commission, Legislation, Privacy Monday, Privacy Regulation, Security

Three privacy/security stories that you should know as you start your week:

 

President Obama to Offer Cybersecurity/Privacy Previews to State of the Union Proposals

In a series of speeches this week, President Obama will preview important issues to appear in his January 20th State of the Union address.    A White House official said in a statement to reporters over the weekend that the president would “lay out a series of legislative proposals and executive actions that will be in his State of the Union that will tackle identity theft and privacy issues, cybersecurity, and access to the Internet.”   The President will reportedly speak at an event at the Federal Trade Commission today and outline a plan to tackle identity theft and improve consumer and student privacy.    Tuesday, the President will discuss cybersecurity at the National Cybersecurity and Communications Integration Center.    We will keep readers updated on what the White House is calling “SOTU Spoilers.”

Read more here:Privacy and Security Updates Monday

CNBC

CNET

New York Times

 

ICYMI:  The January 2015 Edition of the Mintz Matrix Is Out — and State Changes are in the Works

On Friday, we released the updated version of the Mintz Matrix of state data breach notification laws.   In case you missed it, you can get the updated chart here.

Now that the state legislatures are getting into session, we are expecting more action amending and tightening up state laws.    For example, legislators in Washington state have already filed an amendment to that state’s data breach notification law.

At the end of 2014, several proposals were introduced and we will be following where these bills head in the  2015 session.     New York‘s proposal (Bill A10190) imposes requirements on entities conducting business in New York and which own/license computerized data that includes private information that are nearly identical to those required under Massachusetts 201 CMR 17.   Most importantly (as you will recall), the Massachusetts regulations require that entities develop, implement and maintain a comprehensive written information security program.     A proposed New Jersey amendment would expand the definition of “personal information” to include a combination of user name or email address with any password or security question and answer that would permit access to the online account.  Attorneys general in Indiana and Oregon closed out the year with calls for more robust data breach protection legislation in their states.    Stay tuned.

 

Tax Time is a Good Time For a “Security Check”

Businesses and their employees are all dealing with receipt of documents, filings, etc. during this taxing time of year.  Tax season is also a prime time for personal information scams and can expose lax internal controls.   Here are a few things to remember as you begin preparing for tax season:

Secure your data – Do you prepare your business’ taxes on a company computer? If so, you likely have some very sensitive financial information on your hard drive. Make sure your files are secured with password-protected directories and accounts, and that your entire system is protected from outside threats. Also, if you plan to use a wireless network to electronically file your taxes, be sure to use a secure Internet connection and never use public wireless hotspots.  Do NOT send personal information to employees or service providers via email.   Make sure that you only use secure transmission methods for sending W2 and other forms that contain Social Security or other sensitive information.   If a tax preparer asks you to send documents via unencrypted email — find another tax preparer.

Back up financial data – When was the last time you backed up your company data?  If you don’t already follow a backup schedule, tax season can be a great reminder that you need to regularly back up your data. Regularly backing up your data not only protects you at tax time in the event your data is compromised, it can also help protect you against future events such a natural disaster.  Remember that whether you back up to the cloud or a separate physical device/location, electronic data needs to be kept in a secure environment.

Keep your security software updated – You don’t have the time or resources to keep track of each and every new scam, phishing attack, or threat that comes around – that’s what your security software is supposed to do. But just as you can file your taxes without the most accurate tax information, your security software can’t do its job if it’s not up-to-date. The threat landscape changes daily, so keeping your security software up-to-date helps ensure that it will be able to address the most current threats to your information. After all, your ability to run an effective business depends on making sure your confidential data is safe and secure from outside threats.

Remind employees of phishing threats — Use this time of year as an opportunity to remind employees to protect themselves from tax-related phishing scams.    The IRS will never ask for personal information via email.  Ever.    Some of these reminders from the IRS may be useful to send to your employees as a reminder to protect themselves — and as a result, protect your business.

Have a safe and secure week!

For the New Year – A New Mintz Matrix of State Data Breach Notification Laws

Posted in Data Breach, Data Breach Notification, Legislation, Privacy Regulation, Uncategorized

Make sure to get your January 2015 Mintz Matrix!    

Available here for downloading and always linked through the blog right hand navigation bar.

Things you will not want to miss:

  • California has significantly amended its breach notification requirements
  • Kentucky’s new data breach law (2014) is expanded effective January 1
As always, this chart is for informational purposes only and does not constitute legal advice or opinions regarding any specific facts relating to specific data breach incidents. You should seek the advice of experienced legal counsel (e.g., the Mintz Levin privacy team) when reviewing options and obligations in responding to a particular data security breach.
Credit – Photobucket: bjaco6

Save the Date — HIPAA Audit Preparedness Webinar January 28, 2015

Posted in Data Breach Notification, Data Compliance & Security, HIPAA/HITECH, Privacy Regulation, Security

The First Rule of How to Survive a HIPAA Audit:  Be Prepared

2015 is bringing along with it the start of the HHS Office for Civil Rights random audit program to assess compliance with the HIPAA privacy, security and breach notification rules.   It is anticipated that 300-400 business associates will be the subject of a desk audit and an undisclosed number of lucky business associates and covered entities will be chosen for intensive, on-site audits.  Remember, if your business provides services to a healthcare entity covered by HIPAA, you are likely a business associate.

So, here’s the question:  are you audit-ready?  

In a free webinar, Mintz Levin’s Dianne Bourque will walk you through how to prepare now in the event that you are one of the chosen.

Save the date:   Wednesday, January 28, 2015   1:00 PM ET/10:00 AM PT

Registration information will follow!

 

 

Privacy Monday – January 5, 2015

Posted in Cybersecurity, Data Breach, Data Compliance & Security, Privacy Monday

Welcome to the first Privacy Monday of 2015!

We hope that you enjoyed our 12 Days of Privacy series (and if you missed it, they are all linked in the right column of the blog…).

Three things that you should know for your Privacy Monday:

1. The FTC approved the Snapchat final order on New Year’s Eve

Following a public comment period, the Federal Trade Commission has approved a final order settling charges that Snapchat deceived consumers with promises about the disappearing nature of messages sent through the service.

We dissected the FTC’s complaint on this blog in May (here), and according to the FTC, Snapchat also deceived consumers over the amount of personal data it collected and the security measures taken to protect that data from misuse and unauthorized disclosure.

According to the FTC’s release, “[t]he settlement with Snapchat is part of the FTC’s ongoing effort to ensure that companies market their apps truthfully and keep their privacy promises to consumers,” and prohibits Snapchat from misrepresenting the extent to which it maintains the privacy, security, or confidentiality of users’ information.

2.  Chick-fil-A is latest breach victim

Chick-fil-A, one of America’s most popular fast food restaurants, is the latest corporation to investigate the possible hacking of its customers’ credit card data.

“Chick-fil-A recently received reports of potential unusual activity involving payment cards used at a few of our restaurants,” the company said in a statement last week.

“We are working with leading IT security firms, law enforcement and our payment industry contacts to determine all of the facts.”

The company promised that if a security breach was confirmed, it would assume financial responsibility for fraudulent charges to customers’ accounts, and arrange for free identity protection services — including credit monitoring — for any affected consumer.

With over $5 billion in annual sales Chick-fil-A, based in Atlanta, Georgia, is the biggest fast-food chicken restaurant in the United States.

3.  The Experian 2015 “Crystal Ball” Report is out

Regular readers of this blog will know that we have been saying this for some time, but this appears in the 2015 Experian Data Breach Industry Forecast:  “Board members and the C-suite can no longer ignore the drastic impact a data breach has on company reputation.  Meanwhile, consumers are demanding more communication and remedies from businesses after a data breach occurs.  As a result, the topic is one of the highest priorities facing businesses and regulators in 2015.”

The Experian report predicts that:

  • top data breaches expected in 2015 include the following – payment breaches (with the adoption requirements for EMV “Chip and PIN” technology in the US in October 2015, the window may be closing for hackers to easily profit from point-of-sale attacks, however attackers may look for new ways to compromise these companies given how profitable the payoff can be),
  • hackers will target cloud data (cloud services have become a more attractive target for attackers because consumers rely more on online services such as online banking and mobile payments), and
  • growth in healthcare breaches (it is expected that healthcare breaches will increase, due to increased movement to electronic medical records and the introduction of wearable technologies).

Get the full report here.

Consumer Claims Survive Motion to Dismiss in Target Data Breach Class Action

Posted in Class Action Litigation, Data Breach, Privacy Litigation

Written by Kevin McGinty

A recent ruling by Federal District Judge Paul Magnuson will permit most of the consumer claims in the Target data breach litigation to survive Target’s motion to dismiss.  This most recent ruling follows on the heels of the court’s December 2 decision partially denying Target’s motion to dismiss consolidated complaint of the banks that issued the credit and debit cards that were subject to the breach.  The late 2013 data theft that gave rise to the consumer and issuer bank claims was caused by malware placed by hackers on Target’s point-of-sale (“POS”) terminals.  The malware allowed the hackers to record and steal payment card data as customers’ credit or debit cards were swiped.  In the consolidated consumer complaint, 117 named plaintiffs allege that Target wrongfully failed to prevent or timely disclose the data theft.  Plaintiffs also contend that Target failed to disclose the purported insufficiency of Target’s data security practices.  The consumers assert claims under the laws of 49 states and the District of Columbia for negligence, breach of contract, breach of data notification statutes and violation of state unfair trade practice statutes.  The consumer complaint also purports to assert those claims on behalf of a putative plaintiff class consisting of every Target customer whose credit or debit card information was stolen in the data breach. Continue Reading