Welcome to Privacy Monday – here are five privacy & security bits and bytes to start your week:
1) California AG’s Data Breach Report: Who Is Handling Your Patients’ Confidential Health Information?
The California Attorney General and Department of Justice released its October 2014 California Data Breach Report (the “California Report”) last Tuesday to great fanfare, summarizing the number and extent of data breaches affecting California residents in 2012 and 2013. Buried within the findings is a serious wake-up call to the health care industry to encrypt patient and other confidential information in transit: In 2012-2013, simply encrypting records at rest, using means as straightforward as whole-disk encryption, would have prevented 70% of the reported health care breaches.
Written by Kevin McGinty
Substantive litigation in the flood of lawsuits concerning the recent Home Depot data breach awaits a determination of where the cases will be heard. Numerous overlapping lawsuits have been filed in courts throughout the United States asserting claims on behalf of consumers and financial institutions arising from the massive theft of credit card data that was confirmed by Home Depot in September.
Law360 has published expert analysis of the Palkon v. Holmes case and what it means for director liability in data breach-related cases, written by Mintz Levin’s David Barres (registration required).
D&O Liability For Data Breaches After Palkon V. Holmes
A federal district court in New Jersey recently dismissed with prejudice a shareholder derivative suit, Palkon v. Holmes, that sought damages from directors and officers of Wyndham Worldwide Corp. for a series of data breaches. The decision illustrates some of the steps that directors can take to reduce their risk of cyber-related liability, says David Barres of Mintz Levin Cohn Ferris Glovsky and Popeo PC.
REMINDER: Protecting Directors from Liability for Cybersecurity Risks Webinar Tomorrow
And David (along with Dom Picca) will be discussing how directors can best protect themselves from this shareholder litigation and other cyber-related risks in an upcoming webinar, Protecting Directors from Liability for Cybersecurity Risks, offered through the West LegalEdcenter. The webinar will be held TOMORROW, November 5, 2014, at 12:00 noon EST. Barres and Picca will provide an overview of cybersecurity litigation, review the governing principles of Delaware fiduciary law, review sample cases (including Palkon), and offer practical advice on how to minimize a board’s potential liability arising out of data breaches.
Welcome to the first Monday in November — don’t forget to vote tomorrow!
Chip-and-Pin Not Likely “Cure-All”
There is good news in the world of retail data breaches: US merchants are finally moving away from magnetic stripe payment cards to inherently more secure chip-and-pin or EMV type cards. But there is also considerable bad news. According to a new report by Javelin Strategy & Research, most smaller merchants won’t be ready for the rollout, and online payment card fraud is rising and will continue to increase.
REMINDER: Protecting Directors from Liability for Cybersecurity Risks Webinar Wednesday, November 5
Mintz Levin attorneys, David Barres and Dom Picca, will discuss how directors can best protect themselves from this shareholder litigation and other cyber-related risks in an upcoming webinar, Protecting Directors from Liability for Cybersecurity Risks, offered through the West LegalEdcenter. The webinar will be held November 5, 2014, at 12:00 noon EST. Barres and Picca will provide an overview of cybersecurity litigation, review the governing principles of Delaware fiduciary law, review sample cases (including Palkon), and offer practical advice on how to minimize a board’s potential liability arising out of data breaches.
Almost 1 in 3 Teenagers Has Online Regrets by Age 16
According to a new study by Internet security firm AVG Technologies, nearly one in three teenagers has online regrets by the age of 16. In the survey, 28% of teenagers said that they regret posting something online, while 32% had to ask someone to remove content posted about them because they either did not like it or thought it was too personal. Only 29% say they “know” all of their Facebook friends. “Everyone assumes that just because today’s teenagers grew up with laptops and smartphones, they somehow have an innate understanding of how to keep themselves safe online and how to behave,” said Tony Anscombe, senior security evangelist at AVG. “The reality is that we have all — teenagers included — embraced technology without much question and the result has been the steady erosion of our online privacy.” See the 2014 Digital Diaries survey results here.
And, while we are reporting on studies and white papers …
Do you think you are doing enough to manage your cyber risk? Read Whatever You’re Doing Isn’t Good Enough: Paradigm Shift in Approach to Cybersecurity Needed to Minimize Exposure, Liability and Loss and then see how well you sleep tonight… Get the report here.
Written by David Barres
A federal district court in New Jersey has dismissed with prejudice a shareholder derivative suit, Palkon v. Holmes, No. 14-CV-01234 (SRC) (D.N.J.), that tried to blame the directors and officers at hospitality company Wyndham Worldwide Corporation (“Wyndham”) for a series of data breaches. The court’s decision is notable because it illustrates some of the steps that directors and officers can take to help shield themselves from liability in cybersecurity litigation.
Written by Joshua T. Foust
In past posts we’ve taken a close look at the Framework for Improving Critical Infrastructure Cybersecurity put forth by the National Institute of Standards and Technology (NIST), exploring its wide-ranging implications for companies across a number of different industries. As we’ve explained elsewhere, cybersecurity is an increasingly hot issue for agencies like the SEC, and the NIST Framework continues to shape how governmental and private actors alike tackle cybersecurity issues.
And this month, the beat goes on: last week, the FDA released its final cybersecurity guidance for medical device manufacturers incorporating the NIST Framework. While not yet mandatory, the FDA strongly recommends that manufacturers follow the guidance in explicitly addressing cybersecurity risks in premarket submissions for medical devices, particularly those that rely heavily on software, access patient data, and connect with electronic networks.
So what, exactly, are the highlights of the FDA’s guidance for medical device manufacturers? And what are the take-away lessons for companies in the industry, whether or not they’re in the process of seeking premarket approval for new devices?
Written by Kristina Eastham
This marks the second week of National Cyber Security Awareness Month, and one focused on the Secure Development of IT Products, so it seems only appropriate to discuss security and The Internet of Things and a recent panel discussion on privacy and IoT.
Last week, privacy and security professionals gathered at CyberTech’s CyberFest 2014 in San Diego, which included a panel on IoT: War on Privacy.
A new month, a new Privacy Monday.
JPMorgan Chase: Baiting the Hook for Phishers
Cybercrime researchers say that the 83 million customer records (76 million consumer and 7 million small business) swiped from JPMC could be the fuel for years of fraud. In its 10-K filing with the Securities and Exchange Commission, JPMC disclosed the nature and scope of the information. See here. Pay attention to the fact that hackers penetrated one of the world’s largest banks and stole nothing of apparent value: they did not steal a single account number, Social Security number or password.
October is National Cyber Security Awareness Month. This is an opportunity to remind employees (and yourselves) about how to keep corporate networks and their own cyber lives secure. All month, we will post articles that might be useful for distribution as “reminders….” along with tips and reminders.