Privacy & Security Matters

Mintz Levin : Data Compliance & Security, Employee Privacy Lawyer & Attorney

State Data Breach Notification Law Updates

Posted in Cybersecurity, Data Breach Notification, Data Compliance & Security, Privacy Regulation

State legislatures are not waiting for Congressional action on a national data breach notification standard.

Montana — Montana has amended its 10-year-old breach notification law (see Mintz Matrix) to expand the definition of “personal information” and require notice to the state attorney general’s consumer protection office. H.B. 74, signed into law by Governor Bullock, adds medical record information and an “identity protection personal identification number” issued by the Internal Revenue Service to the definition of “personal information.” The amended statute takes effect October 1.

New Jersey — Governor Christie recently signed legislation into law requiring health insurance companies in that state to encrypt personal information of policyholders. All health insurance carriers that compile computer records that contain personal information must protect those records through encryption or “by any other method or technology rendering it unreadable, undecipherable, or otherwise unusable by an unauthorized person.” In November 2013, two laptops with unencrypted information about 840,000 policyholders were stolen from an office at Horizon Blue Cross Blue Shield of New Jersey in Newark. The Barnabas Health Medical Group’s Pediatric branch in Livingston and the Inspira Medical Center in Vineland also had breaches in 2013, according to a NJ Advance Media report in September.

Connecticut — In the aftermath of the massive Anthem data breach, legislation has been introduced in the Connecticut General Assembly requiring a wide swath of insurance businesses to implement data security technology that encrypts personal information of insureds. The covered entities include health insurers, healthcare centers (similar to an HMO under Connecticut’s insurance laws), “other entities licensed to do health insurance business in Connecticut,” pharmacy benefits managers, third-party administrators that administer health benefits, and utilization review companies. The requirement is similar to that of New Jersey’s new law, except that the Connecticut bill also requires covered entities to update their technology as necessary to ensure continued compliance. Anthem is one of Connecticut’s largest health insurers, and that breach reportedly affected more than 1 million people in the state. See “Act Concerning the Security of Consumer Data.”

Washington — Washington’s House of Representatives has unanimously passed a bill (H.B. 1078) that would make the failure to notify consumers of a breach in the security of their personal information, as required by the state’s data breach notification law (again, see the Mintz Matrix), a violation of the state Consumer Protection Act. The measure would require notification to consumers — and the state’s AG — as quickly as possible and no later than 45 days after discovery of a breach of personal information such as a person’s name in combination with a Social Security number, driver’s license number, or payment card number together with the payment card access code or password. Under the bill, the attorney general could bring an action on behalf of the state or consumers living in Washington.

New Mexico — New Mexico is one of only three holdouts from the state data breach notification crazy quilt (again, see the Mintz Matrix), but HB 217, the Data Breach Notification Act, is working its way through the state legislature. The bill applies only to computerized data and uses an “acquisition” trigger for breach notification. “Personal information” under HB 217 is defined as the “usual suspects” and does not include username/password or other login credentials. The bill requires “reasonable security” and includes disposal provisions that apply to paper records as well as electronic ones. Similar legislation failed in the 2014 session of the legislature, so it remains to be seen whether New Mexico will join the Mintz Matrix this year.

 

Privacy Monday – March 2, 2015: How is Your Cyber Resilience?

Posted in Cloud Computing, Cybersecurity, Data Compliance & Security, Privacy Monday, Security

Welcome to March (and in the Northeast, the arrival of meteorological spring is welcome indeed...)

We start this month with a question: Have you looked at your cyber resilience?

The Federal Financial Institutions Examination Council (FFIEC) recently described “cyber resilience” as an organization’s ability to recover critical IT systems and resume normal business operations in the event of a cyberattack. On February 6, the FFIEC added a new Appendix J, titled Strengthening the Resilience of Outsourced Technology Services (the Guidance), to its Business Continuity Planning booklet. The Guidance discusses the importance of cyber resilience in light of the increasing sophistication and volume of cyber threats, their ability to disrupt operations, and the challenge they pose to business continuity preparedness, and it provides recommendations for financial institutions and their service providers on addressing and mitigating cyber resilience risks and strengthening business resilience. Published in 2003, the Business Continuity Planning booklet is one of a series of booklets that comprise the FFIEC Information Technology (IT) Examination Handbook; it provides guidance to assist field examiners from the FFIEC member agencies in evaluating financial institution and service provider risk management processes to ensure the availability of critical financial services. The FFIEC has also set up a cybersecurity awareness website and in the past year piloted a cybersecurity assessment program at a number of financial institutions across the country. Although these most directly apply to financial institutions and their service providers, the question of cyber resilience is critical to every organization.

So what are cyber resilience risks?

ICYMI: Privacy in the Workplace Webinar

Posted in Employee Privacy, Events and Webinars, Privacy Regulation, Social Media, Uncategorized

Our 2015 monthly Privacy Issues Wednesday webinar series continued this month with Jennifer Rubin and Gauri Punjabi’s Privacy in the Workplace presentation. Jen and Gauri discussed the latest statutory and common law developments concerning employer monitoring of employee email, access to employee social media accounts, social media policies, and bring your own device (“BYOD”) policies. We were pleased to host over 125 participants for this webinar.

For those who missed the webinar, some of the key takeaways for employers include the following:

  • While there is not much federal or state statutory authority on employer monitoring of employee email access, employers are advised to provide employees with prior notice of such monitoring and obtain their consent to do so.
  • Many states now prohibit employers from requesting access to their employees’ or job applicants’ social media accounts. This trend, along with the number of other states that have considered passing similar legislation, suggests that Congress may soon weigh in on this issue.
  • The National Labor Relations Act applies to all employers, regardless of whether the workplace is unionized, and protects employees who use social media to discuss their wages, hours, and other terms and conditions of employment (i.e., concerted activity). Employers cannot prohibit employees from using work email accounts to have such discussions during non-working time. Employees will lose the protection of the Act when their actions disparage the employer’s products or services and/or create a risk of harm to the employer or to others.
  • Social media policies should specify the nature of conduct that is permitted and prohibited and should not utilize broad language that could encompass the right of employees to engage in protected concerted activity. Social media policies should also take into account an employer’s need to protect trade secrets, comply with industry regulations and applicable federal and state employment statutes, and preserve information relevant to litigation.
  • BYOD policies often result in lower employer costs related to device overhead (purchase/maintenance), improve employee productivity, and result in greater employee job satisfaction. Prior to implementation, however, employers should consider the process for monitoring compliance with other company policies, keeping track of wages owed to non-exempt employees who use their personal devices to work outside of the office, and maintaining the security of company information that ends up on an employee’s personal device and ensuring its removal once the employee leaves the company.

For a recording of the webinar, click here. To download the presentation slides, click here.

The next webinar in the Privacy series — Responding to Insider Theft and Data Disclosure — will take place on Wednesday, March 25, 2015. This webinar will offer practical advice about responding to data theft and disclosures by employees and former employees. We will cover such topics as conducting a proper investigation, utilizing state and local civil court processes to deter, halt, and remediate data thefts, and when and how to engage local and/or federal law enforcement. This webinar will be presented by members of Mintz Levin’s privacy and data security and white collar crime practice groups.

Sign up here to attend.

More than Employees Bargained For: Do Union Employees Have a Right to Bargain Over Company Data Breaches?

Posted in Data Breach, Data Breach Notification

Originally posted to Mintz Levin’s Employment Matters Blog

These days most employers manage a vast amount of electronic information about their employees, including the employees’ personal identifying information. But, what obligations do employers have to unionized employees with respect to managing that information and bargaining with them in the event of a breach of their private information?

Target Data Breach Price Tag: $252 Million and Counting

Posted in Class Action Litigation, Cybersecurity, Data Breach, Data Breach Notification, Privacy Litigation

In a recently released Form 8-K filing announcing fourth quarter and year-end financial results, Target Corporation reported that expenses incurred in 2014 relating to its 2013 data breach totaled over $191 million. Those expenses were offset by $46 million in insurance proceeds, resulting in a $145 million charge against Target’s 2014 operating results. The expenses incurred in 2014 were in addition to $61 million in breach-related expenses incurred in 2013 which, after receipt of $44 million in insurance proceeds, yielded $17 million in net breach-related expenses for Target in 2013. In all, Target has incurred $252 million in costs arising from the data breach through the end of 2014 which, after receipt of $90 million in insurance proceeds, has resulted in total net expenses to Target in 2013 and 2014 of about $162 million.

The YouTube Kids app is here! Now what?

Posted in Children

Google made good on the rumors and the company’s subsequent promise last December to create a family-friendly version of its popular YouTube service with its launch on Monday of the YouTube Kids app. Available on both the App Store and Google Play free of cost and only in the United States, the YouTube Kids app is described by Google as an “app designed for curious little minds to dive into a world of discovery, learning, and entertainment…delightfully simple and packed full of age-appropriate videos, channels, and playlists.”

Privacy Monday – February 23, 2015

Posted in Events and Webinars, Privacy Monday

It’s another Privacy Monday!

Privacy in the Workplace Webinar

Our next Wednesday Webinar is coming up on February 25th, with a focus on privacy in the workplace. Our workplace is everywhere these days, which makes employment and privacy compliance even more challenging. Jen Rubin and Gauri Punjabi will discuss developments in the workplace privacy field, including statutory developments, mobile device regulation, social media’s impact on workplace privacy, recruiting and hiring, and some practical advice to keep your workplace policies in compliance with rapid legal developments. Register here!

 

Are You Attending the IAPP Global Summit in D.C.? Pre-Game with Mintz!

In the wake of the Anthem breach, we’ll be presenting a timely seminar in our Washington, D.C. office on Tuesday, March 3rd: HACKED! What to Do When It Happens to You

This roundtable, featuring national subject matter experts from the United States Secret Service and the Federal Bureau of Investigation, as well as forensic and legal professionals, will provide unique and important insights, tips, and advice on current cyber threats affecting your business and what to do when the cyber-thief strikes, as well as the opportunity for in-person, live discussion with law enforcement officials. Early registration (here) is encouraged, because space is limited.

Two Upcoming Privacy/Cybersecurity Events – Register Now!

Posted in Cybersecurity, Data Breach, Employee Privacy, Events and Webinars, Security

The Mintz Levin Privacy & Data Security Team invites you to register and join us at two upcoming events: the Privacy in the Workplace webinar on February 25th, and the HACKED! What to Do When It Happens to You seminar in our Washington, D.C. office on Tuesday, March 3rd. Details for both appear in the Privacy Monday post above.

Cybersecurity Executive Order: Not Much New

Posted in Cybersecurity, Data Compliance & Security, Uncategorized

President Obama’s February 13 Executive Order, “Promoting Private Sector Cybersecurity Information Sharing” (the “EO”), turns out to be light on new measures to improve cybersecurity, but focused heavily on adjustments to prior Executive Orders implementing the rules for handling classified information. This focus introduces concerns about government agencies picking winners and losers in the cybersecurity business by giving some access to data while keeping others out of the room when information about pending cyber threats and technical responses is being discussed. Privacy concerns received only a passing mention in the EO, which irritated civil liberties groups. Liability limitations for private companies sharing cybersecurity data received no attention at all, which irritated data industry players.

California May Limit Law Enforcement’s Warrantless Data Collection

Posted in Cybersecurity, Privacy Regulation

Eager to retain its spot among the principal laboratories for domestic privacy legislation, California’s legislature is set to debate Senate Bill 178, legislation restricting state law enforcement agencies from requesting data without a warrant. Five other states have adopted similar legislation in recent months, and California’s proposal largely follows that trend.