The National Institute of Standards and Technology (NIST), publishers of the Framework for Improving Critical Infrastructure Cybersecurity (the “Framework”) last February, have published a Request for Information in the Federal Register seeking comments on industry experience with the Framework to date. Comments are solicited in three areas: the current awareness of the existence and content of the Framework, industry experiences in using the Framework to evaluate and improve cybersecurity, and where future revisions of the Framework should be focused. The list is not exclusive, and comments on other Framework related matters are welcome as well. Comments are due by October 10, 2014 and may be submitted to email@example.com Comments will be made publicly available at http://www.nist.gov/cyberframework/cybersecurity-framework-rfi.cfm so no confidential information should be submitted.
Written by Cynthia Larose
Some weeks ago, we wrote a piece “What You Need to Know About Backoff Malware: The New Threat Targeting Retailers” . It’s apparently gotten worse. Any business utilizing point-of-sale (POS) terminals for “swiping” credit cards needs to pay attention to this threat and assess vulnerability. Hospitals, physicians’ offices, veterinary clinics, colleges and universities, municipalities — everyone — not just retailers. Read on.
Since our piece was published, it has become known that the Backoff malware or one of its multiple variants has been responsible for over 1,000 breaches of credit card information, including the Target mega-breach and two of the most recent, Supervalu and United Parcel Service. In fact, the fear is that is it so widespread, that the Department of Homeland Security and the US Secret Service issued a warning to retailers — regardless of size — to check their POS systems. Continue Reading
Written by Julia Siripurapu, CIPP/US
According to recent media reports, Google is allegedly designing a Google account for children under 13 which would permit children in this age group to officially create their own Gmail account and to access a kid-friendly version of YouTube. Google currently prohibits children 12 and under from creating a Google account by implementing an age neutral verification mechanism in the account creation process and using cookies to ensure that children cannot bypass the age screen on a subsequent try. As reported by the Wall Street Journal, “now Google is trying to establish a new system that lets parents set up accounts for their kids, control how they use Google services and what information is collected about their offspring… Google wants to make the process easier and compliant with the rules.”
The reported initiative, which has not yet been confirmed by Google, is certainly very interesting and would clearly require the tech giant to comply with the Children’s Online Privacy Protection Act (“COPPA”) and its implementing rule (as amended, the “COPPA Rule”). It will be especially interesting to see how Google handles the advertising component of the service, which is a major piece of its business. In order to comply with COPPA, Google would have to engineer and design the new service based on the requirements of the COPPA Rule. PC Magazine reported in its story that “as part of the move, Google will also introduce a dashboard where parents can oversee their kids’ activities.” This seems like a step in the right direction for Google, but it will be a long journey! As we all know, the COPPA Rule goes far beyond giving parents the right and ability to monitor their children’s online activities and includes, among other requirements, complex, parental notice and verifiable consent requirements. You can link here for a copy of the Mintz Levin Guide to COPPA.
As the first company that would offer an online service specifically targeting children under 13, Google would certainly be in the spotlight and the new service would be closely monitored by the privacy community and the FTC. In fact, privacy advocacy groups, like the Center for Digital Democracy (CDD), have already voiced concern, as reported by the Wall Street Journal, that “Unless Google does this right it will threaten the privacy of millions of children and deny parents the ability to make meaningful decisions about who can collect information on their kids.” CDD’s executive director, Jeff Chester, informed the Wall Street Journal that the CDD shared its concerns with the Federal Trade Commission on Monday and that the organization is in the process of creating an action plan for monitoring how Google rolls out the service to children. The Wall Street journal also reported that the FTC declined to comment on the matter, “saying the agency does not comment on specific companies’ plans.”
- Google Is Planning to Offer Accounts to Kids Under 13, Wall Street Journal
- Google is Planning to Target Kids with Child-Friendly Version of Gmail and YouTube, International Business Times – Australia
- What Google Can Gain From Special Accounts For Children, Newsy – USA
- Google ponders child online accounts, ITWeb
- Google Eyes Kid-Friendly Accounts, PCMag.com
- Google reportedly working to offer Gmail, YouTube accounts to kids under 13, TechSpot – USA
- Google has a clever plan to get your kids hooked on Gmail and YouTube, BGR (Boy Genius Report) – USA
Technology, retail, medical, financial services, education ….. and more experience data losses on a daily basis through employee negligence, poor controls, insider attacks, advanced persistent threats from malevolent outsiders or computer viruses.
Join Mintz Levin Privacy team members and other privacy and security experts in San Francisco on September 30 for a roundtable discussion of best practices for assessing the risk and preparing to respond to data breaches.
Register here by September 25.
Wearable devices, including health and activity monitors, video and audio recorders, location trackers, and other interconnected devices in the form of watches, wristbands, glasses, rings, bracelets, belts, gloves, earrings and shoes are being heavily promoted in the next wave of consumer electronics.
It is estimated that 90 million wearable data devices (“WDD”) will be shipped to customers in 2014. Many of these customers will bring them into the workplace, which will challenge employers to adapt employment and IT policies to these new visitors.
WDDs also are attracting the attention of the FTC and legislators. The FTC is investigating the collection and use of consumer location data transmitted by smartphones and other devices. Earlier this month, U.S. Senator Chuck Schumer (D-N.Y.) sent a letter to the FTC asking that fitness device companies be required to give users an “opt-out” before sending personal health data to third parties.
Corporate human resources and IT policies are not ready for an influx of these devices and employers do not want to be caught up in the potential for liability. Smart employers will put policies in place now to manage the integration of WDDs into the workplace, rather than trying to catch up after the fact. This Advisory outlines the principal issues that any workplace WDD policy should cover.
Community Health Systems, Inc. (the “Company”), one of the largest hospital organizations in the country, announced via a public filing (Form 8K) made yesterday with the Securities and Exchange Commission (“Report”) that the Company was the target of a cyber attack that compromised the health data of 4.5 million individuals. The Company operates 206 general acute care hospitals in 29 states with approximately 31,100 licensed beds.
According to the Report, the Company and its forensic expert, Mandiant, confirmed last month that the Company’s computer network was attacked in April and June, 2014 by an “Advanced Persistent Threat” group that was traced back to China. Using highly sophisticated malware and technology, the attacker bypassed the Company’s security measures and copied and transferred outside the Company protected health information (“PHI”) including names, addresses, birthdates, telephone numbers and social security numbers of individuals referred to or treated at hospitals operated by the Company in the last five years. The Company disclosed in the Report that it is providing the notifications required under state breach notification laws and HIPAA to the individuals affected by the attack and to the applicable regulatory agencies and will offer identity theft protection services to affected individuals. The Company also disclosed that immediately prior to the filing of the Report, it “completed eradication of the malware from its systems and finalized the implementation of other remediation efforts that are designed to protect against future intrusions of this type.”
The Company’s announcement of the breach, posted on its website in accordance with HITECH requirements, (the “Posting”) locates the breach at Community Health Systems Professional Services Corporation (“CHSPSC”), a Tennessee company that provides management, consulting and information technology services to clinics and hospital-based physicians. CHSPSC may be a business associate of the Company, although neither the Report nor the Posting confirmed CHSPSC’s status. The Posting provided additional information regarding breach remediation efforts which also include, audit and surveillance technology to detect unauthorized intrusions, the adoption of advanced encryption technologies, and requiring users to change access passwords. If these security measures were lacking prior to the breach, it will be an important fact in any ensuing enforcement by the Office for Civil Rights in connection with the breach.
This data breach ranks as the 2nd largest breach of medical data in the country to date, when compared to breaches of medical data affecting more than 500 individuals reported by the U.S. Department of Health & Human Services.
Written by Susan Foster, Solicitor England & Wales/Admitted in California
(LONDON) Could the European Court of Justice’s May 13, 2014 Google Spain decision delay the adoption of the EU Data Protection Regulation?
In the Google Spain “Right to be Forgotten” case, the ECJ held that Google must remove links to a newspaper article containing properly published information about a Spanish individual on the basis that the information is no longer relevant. The Google Spain decision has given a much sharper focus to the discussion about the Right to be Forgotten that may soon be adopted as part of the new Data Protection Regulation that is expected to be passed sometime in 2015. With the advent of the Google Spain decision, an issue that was on the sideline for most businesses – and which was expected by some to be quietly dropped from the draft Data Protection Regulation – has become a hot political issue. The Right to be Forgotten as interpreted by the ECJ has garnered international attention, deepened the UK/continental EU divide, and ultimately could delay the adoption of a final form of the Data Protection Regulation.
The Google Spain case has been controversial for various reasons. The decision takes an expansive approach to the long-arm reach of EU data protection law. It holds search engine providers liable to comply with removal requests even when the information in the search results is true, was originally published legally and can continue to be made available by the original website. The decision makes the search engine provider the initial arbiter of whether the individual’s right to have his or her information removed from publically available search results is outweighed by the public’s interest in access to that information. (For a pithy analysis of the “public record” aspects of the case, see John Gapper’s “Google should not erase the web’s memory” published in the Financial Times.)
The issue of cyberliability risk is finally making its way to the board room. We have written about the importance of board education and board involvement in the assessment of cyber threats and liability risk (see our series here) and the Securities and Exchange Commission is looking carefully at public company disclosures of cybersecurity risks as a factor for the investing public. Reputation, cybersecurity and social media are largely intertwined and the associated risk has captured the attention of most boards. However, the executives seem to lack significant understanding, and organizations are missing robust plans to address the identified concerns. The fifth annual board survey conducted by accounting firm EisnerAmper, “Concerns About Risks Confronting Boards,” reveals that concerns over cybersecurity/IT risks among the directors surveyed has increased by nearly 10% and has overtaken regulatory/compliance risk as the second most important concern to all boards. Further, the top concern is reputational risk, which is one of the main issues embedded in cybersecurity risk.
A recent Corporate Counsel article (authored by Mintz Levin colleagues David Barres and Dom Picca) provides an in-depth discussion of “Director Liability for Cybersecurity Risks” outlining specific steps that directors can take to improve board oversight of cybersecurity risks, and the fiduciary duty claims that could result without such oversight.
Reputation, cybeecurity and social media are largely intertwined and the associated risk has captured the attention of most boards. However, the executives seem to lack significant understanding, and organizations are missing robust plans to address the identified concerns.
These articles and studies should be on the agenda for September board meetings. The time is now.
There is another retail data breach to talk about in this Privacy Monday post – privacy & security bits and bytes to start your week.
Supermarket Chain Reports Data Breach
Minnesota-based food retailer Supervalu Inc. has reported breach of its point-of-sale (POS) system, apparently by hackers. A press release on the corporate website describes the incident as a “criminal intrusion” and says that it “may have” resulted in the theft of credit or debit card numbers. According to Supervalu, there is no evidence that data were stolen, and it has not had any reports of misuse of any such data. Affected stores are reported by the company to be operated under the Cub Foods, Farm Fresh, Hornbacher’s Shop ‘n Save and Shoppers Food & Pharmacy banners as well as other stand-alone liquor stores and franchised stores. The complete list is at the company’s Consumer Security Advisory on its website.
We are just two Mondays away from Labor Day, the traditional end of summer in the United States. Here are some privacy tidbits to get your week started. See especially Jake Romero’s piece on the new Delaware data destruction law.
Lack of Information on the Russian Hackers
A company called Hold Security dropped a bombshell last week at the Black Hat security conference in Las Vegas, but has since gone silent on what companies were affected, what websites, or any other specifics, except to sell a $120 corporate security package. I wrote a piece for JD Supra Perspectives last week on the “what now?” question, and on Friday, the Federal Trade Commission’s Business Blog posted a similar question. Read here to see what personal steps to take.
The question that has been most often asked since the Hold Security announcement is “what’s the value of what the hackers grabbed?” One of the best articles written about this question is from the Krebs on Security archives. Read here.
Cute ”Baby Walls” at the OB-GYN = HIPAA Violation!
An article in yesterday’s New York Times outlines one of the more unintended consequences of HIPAA. Read here.
Delaware’s New Data Destruction Law to Set Standard for Disposing of Consumer Data and Authorize Civil Claims (and treble damages) -by Jake Romero
We all have a general sense of what it means to “destroy” something. You know, like how that new Teenage Mutant Ninja Turtles movie just destroyed all of your fond memories of the 1990s cartoon. Well Delaware wants to make sure that when it comes to destroying and disposing of consumer information, everyone is on the same page. Delaware House Bill 295, recently signed into law by Governor Jack Markell, requires commercial entities, in the destruction of personally identifying information collected from consumers, to take reasonable steps to destroy such information to ensure that it is unreadable. Effective, January 1, 2015, the new requirements to be added as sections 50C-101 – 50C-104 of the Delaware Code will apply to a broad swath of entities and could lead to substantial damages in private rights of action. In preparation for the coming change, here are four things to keep in mind: