As our readers know, we maintain a summary of the US state data breach notification laws, which we refer to as the “Mintz Matrix.” We update the Mintz Matrix on a quarterly basis, or more frequently if developments dictate.
We’ve updated the Mintz Levin State Data Breach Notification Matrix to reflect recent changes to Kentucky’s law and Iowa’s law. The Mintz Matrix is available here.
Today is the running of the 118th Boston Marathon.
There has been so much news swirling in the data privacy and security world in the last few days, that it has been difficult to keep up. We’ll give you a roundup here for your Friday and weekend reading.
Heartbleed – Where Are We?
By now, you should know whether your web-facing applications (customer log-in, secure web portals, shopping carts) were affected by the Heartbleed vulnerability, and patches should have been applied. If you have not checked into this yet, you can test your URL at any number of sites, but here is one. Test it now!
- Upgrade any software using OpenSSL to the latest, patched version. (should be done)
- Communicate with any hardware and software vendors to ensure they’ve also upgraded.
- Once that is secured, have everyone within your company change their passwords, or notify customers that passwords should be changed.
- Explain to employees and customers what you are doing and what you have done to take precautions against this bug.
The second bullet was the biggest nut to crack for many this week. Make sure that your network appliances (routers, conferencing, any hardware/software that connects to the Internet) are all checked. SANS (the security institute) has been keeping a running list of Heartbleed vendor patches and communications. Many vendor sites also are posting technical communications with updates and notices regarding the availability of upgrades, patches or hotfixes. Further, many enterprises don’t know how many sites they own, such as external cloud-hosted sites, sites acquired via mergers and acquisitions – and temporary sites that everyone forgot about. All of those should be checked for the Heartbleed vulnerability, because if the door is open, it could allow malicious intruders in. Just ask Canada’s Revenue Agency or the UK’s popular site, Mumsnet.
As a follow-up to our commentary here on the headline-grabbing Heartbleed bug, I had the opportunity to discuss the subject with Colin O’Keefe of LXBN. In the brief interview, I explain how companies should respond to the bug and the uncertainty surrounding the liability they may face.
Written by Jake Romero, CIPP/US
Following a string of high-profile data breaches and new data suggesting that approximately 21.3 million customer accounts have been exposed by data breach incidents over the past two years, the California legislature has introduced legislation aimed at making retailers responsible for certain costs in connection with data breach incidents. If passed in its current form, Assembly Bill 1710, titled the Consumer Data Breach Protection Act, would have a substantial impact on retailers operating in California.
Last week was certainly the “week of the Heartbleed.” Unless you have been on vacation on a remote island (and if so, good for you!), you have heard and read much about the latest mass bug to infect the Internet.
If you do not know whether your servers are affected by Heartbleed, or have decided not to do anything about it, perhaps you should consider the potential for future liability arising out of breaches that could have been avoided by patching OpenSSL, and you may want to read this, and forward it to your C-suite.
If you have already checked your servers and feel relieved, you may want to check with other providers in your technology stack. For example, Cisco and Juniper Networks were scrambling last week to notify customers and issue patches for products and software. Cisco and Juniper said the security flaw affects routers, switches and firewalls often used by businesses. That means hackers might be able to capture usernames, passwords and other sensitive information as they move across corporate networks, home networks and the Internet. Cisco created an Event Response Page and Juniper has an “Out of Cycle Security Bulletin.”
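The first step in the checklist above (upgrade anything using OpenSSL) and the follow-up point about the rest of the technology stack both come down to the same inventory question: which hosts and appliances are still running an affected OpenSSL build? Below is an added example, not code from the blog post or from any vendor, that triages `openssl version` banners collected from an inventory. The affected range it encodes (1.0.1 through 1.0.1f, fixed in 1.0.1g, plus 1.0.2-beta1) is the publicly documented one and is not taken from this page; the host names and banners in the sample inventory are constructed for illustration.

```python
"""Triage OpenSSL version banners for the Heartbleed-affected range.

Added example; not part of the original blog post. The affected range below
is the publicly documented one: OpenSSL 1.0.1 through 1.0.1f (fixed in
1.0.1g) and the 1.0.2-beta1 pre-release.
"""
import re
import subprocess

# Matches banners such as "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 1.0.2-beta1 24 Feb 2014".
VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?", re.IGNORECASE
)


def parse_openssl_version(banner):
    """Return (major, minor, patch, letter, beta) from a version banner, or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    letter = (m.group(4) or "").lower()
    beta = int(m.group(5)) if m.group(5) else None
    return (major, minor, patch, letter, beta)


def is_heartbleed_affected(banner):
    """True if the banner reports an upstream version in the affected range.

    A banner-only check is a first pass: distributions often backport the fix
    without changing the upstream version string, so a host reporting 1.0.1e
    may already be patched. Confirm against the vendor's advisory or the
    package changelog before treating a hit as an open door.
    """
    v = parse_openssl_version(banner)
    if v is None:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, patch, letter, beta = v
    if (major, minor, patch) == (1, 0, 1):
        # Plain 1.0.1 (letter "") through 1.0.1f are affected; 1.0.1g and later are fixed.
        return letter <= "f"
    if (major, minor, patch) == (1, 0, 2):
        # Only the first 1.0.2 beta shipped the flaw; beta2 and later carry the fix.
        return beta == 1
    return False


def triage(inventory):
    """Return the sorted host names whose banner falls in the affected range."""
    return sorted(host for host, banner in inventory.items() if is_heartbleed_affected(banner))


def local_openssl_banner():
    """Run `openssl version` on this machine; None if the binary is missing."""
    try:
        return subprocess.run(
            ["openssl", "version"], capture_output=True, text=True, check=True
        ).stdout.strip()
    except (OSError, subprocess.CalledProcessError):
        return None


# Constructed sample inventory (hypothetical host names and banners).
SAMPLE_INVENTORY = {
    "shop-web-01": "OpenSSL 1.0.1e 11 Feb 2013",
    "portal-web-02": "OpenSSL 1.0.1g 7 Apr 2014",
    "legacy-vpn": "OpenSSL 0.9.8y 5 Feb 2013",
    "staging-forgotten": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "mail-gw": "OpenSSL 1.0.0l 6 Jan 2014",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print("needs patch or vendor confirmation:", host, SAMPLE_INVENTORY[host])
    banner = local_openssl_banner()
    if banner:
        print("local:", banner, "affected" if is_heartbleed_affected(banner) else "not in range")
```

Two caveats belong with any run of this script. First, updating the library on disk is not the same as being fixed: long-running services keep the old library mapped until they are restarted, so the restart (or reboot, for appliances) is part of the first checklist item. Second, a banner outside the affected range only says the upstream version is clean; for the routers, switches and firewalls mentioned above, the vendor's own bulletin is the authority on which builds carry the fix.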
Rather than our usual “bits and bytes” on this Monday, below is a collection of articles on Heartbleed.
And Mashable has a great piece with a matrix of sites and whether you should change your password just yet.
Messaging to customers and site users is important and should be well-coordinated with technical, communications — and legal. Inaccurate, late to the party, or misleading messaging could lead to Heartbleed headaches.
Written by Kevin McGinty
The latest salvo in the Target data breach litigation is a class action brought by credit card issuing banks advancing a creative and somewhat misleading construction of the Minnesota’s Plastic Card Security Act. The banks allege that there was a violation of the statute’s prohibition on retaining PIN, security code and other magnetic swipe data more than 48 hours after a transaction. The problem with that theory is that Target’s system does not retain card holder data, nor was the theft of data directed toward stored data. Instead, the hackers loaded malware onto Target’s point of sale (POS) system which allowed the criminals to capture card holder data as cards were swiped. The hackers then tucked the card data away in a highjacked file location elsewhere on the Target system, before porting that data to locations in Russia and Miami. In other words, Target wasn’t storing the unauthorized data; the criminals were, without Target’s knowledge.
Written by Dianne Bourque and Cynthia Larose
April 8, 2014 marks the end of Microsoft’s support for the Windows XP operating system, which means the end of security updates from Microsoft and the beginning of new vulnerability to hackers and other intruders into systems still utilizing the operating system. But does the end of Windows XP support mean that HIPAA covered entities and their business associates using Windows XP are automatically out of compliance with HIPAA as of April 8th? Not necessarily.
Written by Susan Foster, Solicitor England & Wales/Admitted in California
(LONDON) The Art. 29 Working Party, a key advisory body to the EU Commission, recently proposed draft model clauses to cover the transfer of personal data from EEA data processors to non-EEA sub-processors.
The draft model clauses have the potential to bring greater certainty to the rules applicable to data transfers from a data processor that is located within the EEA to a sub-processor located outside of the EEA. (The EEA, or European Economic Area, comprises the 28 EU members, plus Norway, Liechtenstein and Iceland.) While the Art. 29 Working Party does not have authority to put the model clauses into effect, the European Commission routinely considers its advice, so the model clauses are worth a read.
The model clauses run to over fourteen pages of text. Broadly speaking, the proposed model clauses would create a high level of transparency and accountability across various levels of sub-contracting of data processing. This is particularly relevant to cloud computing arrangements.
Welcome to the first Monday in April.
Our Privacy Monday is a report on the Federal Trade Commission’s latest privacy notice-related settlements with Fandango and Credit Karma. These settlements should be reviewed by any company with (or planning to have) mobile applications, and they reinforce our mantra: Say what you do, and do what you say. And make sure you know what that is.
Stop Phoning it In on Mobile Security: What Your Business Needs to Know About the FTC Settlements with Fandango and Credit Karma