Privacy & Security Matters

Mintz Levin : Data Compliance & Security, Employee Privacy Lawyer & Attorney

Court Dismisses Shareholder Derivative Action Targeting Directors and Officers for Data Breaches

Posted in Cybersecurity, Data Breach, Privacy Litigation

Written by David Barres

A federal district court in New Jersey has dismissed with prejudice a shareholder derivative suit, Palkon v. Holmes, No. 14-CV-01234 (SRC) (D.N.J.), that tried to blame the directors and officers at hospitality company Wyndham Worldwide Corporation (“Wyndham”) for a series of data breaches. The court’s decision is notable because it illustrates some of the steps that directors and officers can take to help shield themselves from liability in cybersecurity litigation. Continue Reading

A Different Kind of “Virus”: FDA Follows NIST Framework in Cybersecurity Guidance for Medical Devices

Posted in Cybersecurity, Data Compliance & Security, Security

Written by Joshua T.  Foust

In past posts  we’ve taken a close look at the Framework for Improving Critical Infrastructure Cybersecurity put forth by the National Institute of Standards and Technology (NIST), exploring its wide-ranging implications for companies across a number of different industries.  As we’ve explained elsewhere, cybersecurity is an increasingly hot issue for agencies like the SEC, and the NIST Framework continues to shape how governmental and private actors alike tackle cybersecurity issues.

And this month, the beat goes on: last week, the FDA released its final cybersecurity guidance for medical device manufacturers incorporating the NIST Framework.  While not yet mandatory, the FDA strongly recommends that manufacturers follow the guidance in explicitly addressing cybersecurity risks in premarket submissions for medical devices, particularly those that rely heavily on software, access patient data, and connect with electronic networks.

So what, exactly, are the highlights of the FDA’s guidance for medical device manufacturers?  And what are the take-away lessons for companies in the industry, whether or not they’re in the process of seeking premarket approval for new devices?

Continue Reading

It’s 11:30 PM, do you know where your data is? Privacy & Connected Devices

Posted in Cybersecurity, Security

Written by Kristina Eastham

This marks the second week of National Cyber Security Awareness Month, and one focused on the Secure Development of IT Products, so it seems only appropriate to discuss security and The Internet of Things and a recent panel discussion on privacy and IoT.

Last week, privacy and security professionals gathered at CyberTech’s CyberFest 2014 in San Diego, which included a panel on IoT: War on Privacy. Continue Reading

Privacy Monday – October 6, 2014

Posted in Cybersecurity, Data Breach, Privacy Monday, Security

A new month, a new Privacy Monday.

JPMorgan Chase:  Baiting the Hook for Phishers 

Cybercrime researchers say that the 83 million customer records (76 million consumer and 7 million small business) swiped from JPMC could be the fuel for years of fraud.  In its 10-K filing with the Securities and Exchange Commission, JPMC disclosed the nature and scope of the information.   See herePay attention to the fact that hackers penetrated one of the world’s largest banks and stole nothing of apparent value:  they did not steal a single account number, Social Security number or password.  Continue Reading

Nude Photos and National Cyber Security Awareness Month

Posted in Cloud Computing, Cybersecurity

October is National Cyber Security Awareness Month.    This is an opportunity to remind employees (and yourselves) about how to keep corporate networks and their own cyber lives secure.   All month, we will post articles that might be useful for distribution as “reminders….” along with tips and reminders.

Continue Reading

Notes from the Joint OCR/NIST HIPAA Security Conference

Posted in Cybersecurity, HIPAA/HITECH, Privacy Regulation, Security

Written by:  Dianne BourqueKimberly GoldKate Stewart, and Stephanie D. Willis 

(original post in Mintz Levin’s Health Law & Policy Matters blog)

As a service to our readers, we have distilled last week’s joint HHS Office of Civil Rights (OCR) andNational Institute of Standards in Technology (NIST) conference, “Safeguarding Health Information: Building Assurance through HIPAA Security” into three phrases:  (i) risk assessment, (ii) workforce training, and (iii) adequate encryption.  For those of you willing to read on, we elaborate on them below and provide our view on the important takeaways from the conference.

Continue Reading

Cyber Liability Insurance: Where’s the Beef?

Posted in Cybersecurity, Insurance, Privacy Litigation

Written by Heidi Lawson, CPCU and Danny Harary 

“Cyber liability insurance” is often used to describe a range of insurance policies, in the same way that the word cyber is used to describe a broad range of information security related tools, processes and services. Everyone is talking about the need for “stand alone” cyber liability insurance policies.  These stand-alone cyber liability insurance policies basically cover expenses related to the management of a breach, e.g, the investigation, remediation, notification and credit checking. However, cyber liability coverage is also found in some existing insurance policies, including kidnap and ransom and professional liability coverage.  There may also be some limited coverage through a crime policy if electronic theft is added to that policy.

Continue Reading

Time to Step Up Your COPPA Compliance

Posted in Children, Federal Trade Commission, Privacy Regulation

As we promised in our post on the Yelp and TinyCo Federal Trade Commission COPPA enforcement actions, the Mintz Privacy Team has prepared an extensive review and analysis of both actions, and a helpful guide to avoiding COPPA violations.

Client Advisory is available here. Continue Reading

Ninth Circuit Rules Marketing Consultant Can Be Held Vicariously Liable for Text Messages under TCPA

Posted in Class Action Litigation, Privacy Litigation

Written by Ernie Cooper 

In a ruling issued late last week, the Ninth Circuit held that a marketing consultant that hired a firm to send text messages for a third party could also be held vicariously liable for violations of the Telephone Consumer Protection Act (TCPA).  The marketing consultant acknowledged that Federal Communications Commission orders have established that a telemarketer can be held liable under the TCPA for calls made by agents they have hired to make the calls, but argued that vicarious liability should not extend to a marketing consultant that serves a middle-man role.  The Ninth Circuit disagreed, holding that it should apply “ordinary tort-related vicarious liability rules,” and saying that “[i]t makes little sense to hold the merchant vicariously liable for a campaign he entrusts to an advertising professional, unless that professional is equally accountable for any resulting TCPA violation.”

The Campbell-Ewald Company had been hired by the United States Navy to distribute text messages to targeted individuals as part of a multimedia recruiting campaign.  The plaintiff alleged that one of the text messages had been sent to him despite the fact that he had not consented to receive the message and despite the Navy’s testimony that messages were intended to be sent to only persons who had consented to receive them.  The TCPA prohibits use of autodialing equipment to send calls to wireless phones without the prior express consent of the called party.  Both the FCC and the courts have held that text messages are the equivalent of calls for purposes of the TCPA.

The court also rejected Campbell-Ewald’s argument that it should be granted some form of immunity because the calls were made on behalf of the Navy.

The Ninth Circuit’s ruling overturns a summary judgment order issued by the district court in favor of Campbell-Ewald and remanded the case to the district court for further proceedings.

Gomez v. Campbell-Ewald Co., No. 13-55486 (9th Cir. Sept. 19, 2014).

Privacy Monday – September 22, 2014

Posted in Cybersecurity, Data Breach, HIPAA/HITECH, Privacy Monday

Happy autumnal equinox —

Home Depot Breach – By the Numbers

56 million cards at risk (compare to Target = 40 million)

$62 million in estimated costs (compare to Target  =$146 million and counting)

$27 million insurance coverage (compare to Target = $100 million in cover)

Lawsuits filed – at least 1 in US and 1 in Canada

Filed 8-K with Securities and Exchange Commission on September 8 (Took Target 2 months to file)

Continue Reading