Privacy & Security Matters

Mintz Levin : Data Compliance & Security, Employee Privacy Lawyer & Attorney

Privacy Monday – March 2, 2015: How is Your Cyber Resilience?

Posted in Cloud Computing, Cybersecurity, Data Compliance & Security, Privacy Monday, Security

Welcome to March (and in the Northeast, the arrival of meteorological spring is welcome indeed…)

We start this month with a question: Have you looked at your cyber resilience?

The Federal Financial Institutions Examination Council (FFIEC) recently described “cyber resilience” as an organization’s ability to recover critical IT systems and resume normal business operations in the event of a cyberattack. On February 6, the FFIEC added a new Appendix J, Strengthening the Resilience of Outsourced Technology Services (the “Guidance”), to its Business Continuity Planning booklet. The Guidance discusses the importance of cyber resilience in light of the increasing sophistication and volume of cyber threats, which can disrupt operations and challenge business continuity preparedness, and provides recommendations for financial institutions and their service providers on addressing and mitigating cyber resilience risks and strengthening business resilience. Published in 2003, the Business Continuity Planning booklet is one of a series of booklets that make up the FFIEC Information Technology (IT) Examination Handbook; it provides guidance to help field examiners from the FFIEC member agencies evaluate the risk management processes of financial institutions and service providers so as to ensure the availability of critical financial services. The FFIEC has also set up a cybersecurity awareness website and in the past year piloted a cybersecurity assessment program at a number of financial institutions across the country. Although these most directly apply to financial institutions and their service providers, the question of cyber resilience is critical to every organization.

So what are cyber resilience risks?


ICYMI: Privacy in the Workplace Webinar

Posted in Employee Privacy, Events and Webinars, Privacy Regulation, Social Media, Uncategorized

Our 2015 monthly Privacy Issues Wednesday webinar series continued this month with Jennifer Rubin and Gauri Punjabi’s Privacy in the Workplace presentation. Jen and Gauri discussed the latest statutory and common law developments concerning employer monitoring of employee email, access to employee social media accounts, social media policies, and bring your own device (“BYOD”) policies. We were pleased to host over 125 participants for this webinar.

For those who missed the webinar, some of the key takeaways for employers include the following:

  • While there is not much federal or state statutory authority on employer monitoring of employee email, employers are advised to give employees prior notice of such monitoring and to obtain their consent to it.
  • Many states now prohibit employers from requesting access to their employees’ or job applicants’ social media accounts. This trend, along with the number of other states that have considered passing similar legislation, suggests that Congress may soon weigh in on this issue.
  • The National Labor Relations Act applies to all employers, regardless of whether the workplace is unionized, and protects employees who use social media to discuss their wages, hours, and other terms and conditions of employment (i.e., concerted activity). Employers cannot prohibit employees from using work email accounts to have such discussions during non-working time. Employees lose the protection of the Act when their actions disparage the employer’s products or services and/or create a risk of harm to the employer or to others.
  • Social media policies should specify the nature of conduct that is permitted and prohibited and should not use broad language that could encompass the right of employees to engage in protected concerted activity. Social media policies should also take into account an employer’s need to protect trade secrets, comply with industry regulations and applicable federal and state employment statutes, and preserve information relevant to litigation.
  • BYOD policies often lower employer costs related to device overhead (purchase/maintenance), improve employee productivity, and increase employee job satisfaction. Before implementation, however, employers should consider how they will monitor compliance with other company policies, keep track of wages owed to non-exempt employees who use their personal devices to work outside of the office, and maintain the security of company information that ends up on an employee’s personal device, including ensuring its removal once the employee leaves the company.

For a recording of the webinar, click here. To download the presentation slides, click here.

The next webinar in the Privacy series — Responding to Insider Theft and Data Disclosure — will take place on Wednesday, March 25, 2015. This webinar will offer practical advice about responding to data theft and disclosures by employees and former employees. We will cover such topics as conducting a proper investigation, using state and local civil court processes to deter, halt, and remediate data thefts, and when and how to engage local and/or federal law enforcement. This webinar will be presented by members of Mintz Levin’s privacy and data security and white collar crime practice groups.

Sign up here to attend.

More than Employees Bargained For: Do Union Employees Have a Right to Bargain Over Company Data Breaches?

Posted in Data Breach, Data Breach Notification

Originally posted to Mintz Levin’s Employment Matters Blog

These days most employers manage a vast amount of electronic information about their employees, including the employees’ personal identifying information. But what obligations do employers have to unionized employees with respect to managing that information and bargaining with them in the event of a breach of their private information?

Target Data Breach Price Tag: $252 Million and Counting

Posted in Class Action Litigation, Cybersecurity, Data Breach, Data Breach Notification, Privacy Litigation

In a recently released Form 8-K filing announcing fourth quarter and year-end financial results, Target Corporation reported that expenses incurred in 2014 relating to its 2013 data breach totaled over $191 million. Those expenses were offset by $46 million in insurance proceeds, resulting in a $145 million charge against Target’s 2014 operating results. The expenses incurred in 2014 were in addition to $61 million in breach-related expenses incurred in 2013 which, after receipt of $44 million in insurance proceeds, yielded $17 million in net breach-related expenses for Target in 2013. In all, Target has incurred $252 million in costs arising from the data breach through the end of 2014 which, after receipt of $90 million in insurance proceeds, has resulted in total net expenses to Target in 2013 and 2014 of about $162 million.

The YouTube Kids app is here! Now what?

Posted in Children

Google made good on the rumors and the company’s subsequent promise last December to create a family-friendly version of its popular YouTube service with its launch on Monday of the YouTube Kids app. Available on both the App Store and Google Play free of cost and only in the United States, the YouTube Kids app is described by Google as an “app designed for curious little minds to dive into a world of discovery, learning, and entertainment…delightfully simple and packed full of age-appropriate videos, channels, and playlists.”

Privacy Monday – February 23, 2015

Posted in Events and Webinars, Privacy Monday

It’s another Privacy Monday!

Privacy in the Workplace Webinar

Our next Wednesday Webinar is coming up on February 25th, with a focus on privacy in the workplace. Our workplace is everywhere these days, which makes employment and privacy compliance even more challenging. Jen Rubin and Gauri Punjabi will discuss developments in the workplace privacy field, including statutory developments, mobile device regulation, social media’s impact on workplace privacy, recruiting and hiring, and some practical advice to keep your workplace policies in compliance with rapid legal developments. Register here!


Are You Attending the IAPP Global Summit in D.C.? Pre-Game with Mintz!

In the wake of the Anthem breach, we’ll be presenting a timely seminar in our Washington, D.C. office on Tuesday, March 3rd: HACKED! What to Do When It Happens to You

This roundtable, featuring national subject matter experts from the United States Secret Service and the Federal Bureau of Investigation, as well as forensic and legal professionals, will provide unique and important insights, tips, and advice on current cyber threats affecting your business and on what to do when the cyber-thief strikes, along with the opportunity for in-person, live discussion with law enforcement officials. Early registration (here) is encouraged, because space is limited.

Two Upcoming Privacy/Cybersecurity Events – Register Now!

Posted in Cybersecurity, Data Breach, Employee Privacy, Events and Webinars, Security

The Mintz Levin Privacy & Data Security Team invites you to register and join us at two upcoming events: our Wednesday Webinar on February 25th, Privacy in the Workplace with Jen Rubin and Gauri Punjabi, and our Tuesday, March 3rd seminar in our Washington, D.C. office, HACKED! What to Do When It Happens to You, featuring experts from the United States Secret Service and the Federal Bureau of Investigation along with forensic and legal professionals. Both events are described in the Privacy Monday post above; early registration for the seminar is encouraged, because space is limited.

Cybersecurity Executive Order: Not Much New

Posted in Cybersecurity, Data Compliance & Security, Uncategorized

President Obama’s February 13 Executive Order, “Promoting Private Sector Cybersecurity Information Sharing” (the “EO”), turns out to be light on new measures to improve cybersecurity, but focused heavily on adjustments to prior Executive Orders implementing the rules for handling classified information. This focus introduces concerns about government agencies picking winners and losers in the cybersecurity business by giving some access to data while keeping others out of the room when information about pending cyber threats and technical responses is being discussed. Privacy concerns received only a passing mention in the EO, which irritated civil liberties groups. Liability limitations for private companies sharing cyber security data received no attention at all, which irritated data industry players.

California May Limit Law Enforcement’s Warrantless Data Collection

Posted in Cybersecurity, Privacy Regulation

Eager to retain its spot among the principal laboratories for domestic privacy legislation, California’s legislature is set to debate Senate Bill 178, legislation restricting state law enforcement agencies from requesting data without a warrant. Five other states have adopted similar legislation in recent months, and California’s proposal largely follows that trend.

Could the Anthem Hack Happen in NY? New Report Highlights Risk for NY Insurers

Posted in Cybersecurity, Data Breach, HIPAA/HITECH, Security

The New York State Department of Financial Services (the “Department”) recently released a “Report on Cyber Security in the Insurance Sector” (the “Report”). The Report was released on February 8, 2015, just four days after Anthem first reported the breach of its database estimated to contain as many as 80 million customer records. While the Report does not directly address the Anthem breach (the Department addressed Anthem’s breach in a separate alert), its findings provide a detailed look at the current cyber security landscape in which the Anthem breach occurred.

The Report analyzes survey data collected from 43 insurance entities that collectively hold a staggering $3.2 trillion of combined assets. Of these 43 entities, 21 are health insurance providers, 12 are property and casualty insurance providers, and 10 are life insurance providers. The Report’s questions address six main topics: (1) the insurer’s information security framework; (2) the use and frequency of penetration testing and results; (3) the budget and costs associated with cyber security; (4) corporate governance around cyber security; (5) the frequency, nature, cost of, and response to cyber security breaches; and (6) the company’s future plans on cyber security. In an effort to obtain a broader understanding of the context of these cyber security programs within the insurers’ overall risk management strategy, the Report also analyzes the statutorily required enterprise risk management (“ERM”) reports that certain insurers filed with the Department.

To read more on the Report, head over to our sister blog, Mintz Levin’s Health Law & Policy Matters.