Privacy & Security Matters

Mintz Levin : Data Compliance & Security, Employee Privacy Lawyer & Attorney

Privacy Monday – March 31, 2014 OPENING DAY!

Posted in Cybersecurity, Data Breach, Data Breach Notification, Employee Privacy, Uncategorized

Last Monday in March (Opening Day for you baseball fans) - some privacy/security bits and bytes to close out the month.

Microsoft:  “We won’t access private e-mail accounts …  Promise.”

Microsoft has committed to no longer accessing the private e-mail accounts of its users after criticism that the company looked at the e-mail of a former employee during an internal investigation. The company said it will turn such matters over to law enforcement. Microsoft has “advocated that governments should rely on formal legal processes and the rule of law for surveillance activities,” so “it seems apparent that we should apply a similar principle and rely on formal legal processes for our own investigations,” Microsoft’s General Counsel Brad Smith wrote in a blog post.

Read More:  The Hill’s Hillicon Valley Blog

Reuters


Law360: Microsoft Steps in Privacy Quagmire with Email Snooping

Posted in Employee Privacy

Mintz Levin employment lawyer Don Schroeder was recently quoted in this Law360 Article entitled Microsoft Steps in Privacy Quagmire With Email Snooping. The article focuses on the controversial choice by Microsoft Corp. to search a blogger’s e-mail account for evidence of leaked trade secrets by its former employee.  The article also explores whether or not the company will face charges and how it will fare against public opinion.


Online Protection for Children: Delaware following California?

Posted in Children

Written by Julia Siripurapu, CIPP/US

Delaware state representative Darryl Scott recently introduced the Child Online Protection Act (House Bill 261 or the “Bill”) to the state’s House of Representatives. If passed, the Bill would: (1) prohibit the online marketing and advertising of certain products and services to children under the age of 18 (“Minors”), as well as the use of a Minor’s personally identifiable information (“any information about a person that permits the physical or online identifying or contacting of a person,” such as a home or other physical address, e-mail address, telephone number, social security number (or other government issued ID), geolocation data, DNA or other genetic material) to market or advertise certain products or services to the Minor; (2) permit individuals to delete or request the deletion of content they posted online (either via a website or mobile application) as Minors, except in certain prescribed circumstances; and (3) require online operators to establish an age verification system “that can be reasonably expected to identify the age of the child who is a prospective or registered user.”

REMINDER – Cybersecurity event at Mintz Levin Boston tomorrow

Posted in Cybersecurity

Mintz Levin is presenting a roundtable discussion tomorrow titled:  NIST Framework:  How to Best Mitigate Cyber Risk for Your Organization

With the threats facing even the largest companies highlighted by recent disclosures by Target, Neiman Marcus, and others that the security of millions of customer credit and debit cards has been compromised, companies of all types are taking a closer look at what they can do to mitigate their risks and protect their customers and suppliers. In addition, agencies including the SEC, FTC, Defense Department, and GSA are paying increased attention to companies’ cyber vulnerabilities.

In this informative discussion, we’ll look at the Cybersecurity Framework’s recommendations and how you can use them to assess and improve your organization’s security practices. Our speakers have been actively involved in the development of the NIST framework and private sector cybersecurity policy. You won’t want to miss their insights into the framework’s key elements and the most effective approaches for developing a program that best suits your individual organization’s risks and circumstances.

To join us, register here.


Privacy Monday – March 24, 2014

Posted in Cybersecurity, Data Breach, Data Compliance & Security, Privacy Monday

Welcome to March Madness — although if your brackets look anything like mine do this morning, it is not particularly “welcome.” Let’s just say that there is no danger of my winning Warren Buffett’s $1 billion.

Privacy and cybersecurity continue to be hot topics and the breaches roll on.   Here are some privacy and security bits and bytes for this Monday morning.

Wall Street Journal Article Jeopardizes Security of Grid?

Last week, the Wall Street Journal published an article detailing how the U.S. “could suffer a coast-to-coast blackout” if someone took out just nine specific substations. The article doesn’t name the nine substations, and most of the latter half of the article is actually devoted to a rehashing of the Pacific Gas & Electric Metcalf substation attack from last year. But it was certainly enough to raise the hackles of regulators and utility executives.

Acting FERC Chairman Cheryl A. LaFleur said: “[The] publication by The Wall Street Journal of sensitive information about the grid undermines the careful work done by professionals who dedicate their careers to providing the American people with a reliable and secure grid. The Wall Street Journal has appropriately declined to identify by name particularly critical substations throughout the country. Nonetheless, the publication of other sensitive information is highly irresponsible. While there may be value in a general discussion of the steps we take to keep the grid safe, the publication of sensitive material about the grid crosses the line from transparency to irresponsibility, and gives those who would do us harm a roadmap to achieve malicious designs. The American people deserve better.”

Read more:

Intelligent Utility article

NERC Critical Asset Report

University of Maryland Reports Second Data Breach in Four Weeks

University of Maryland Chief Information Officer Ann Wylie must feel like a woman under siege.   Last Thursday, she reported to administrators and department chairs that the university network had been hacked — again — and personal information had been stolen — again.  Wylie says that this latest incident is not related to the February data breach we wrote about here.

For more reading about data breaches in higher education (one of the very hottest of hot spots), see this article from The Chronicle of Higher Education.

California Department of Motor Vehicles Investigating Potential “Large Scale Breach”

Security blogger Brian Krebs — who broke the Target breach story — is out in front of another potential large breach.   The California DMV confirmed over the weekend that it is investigating a potential security breach, but that it had no immediate evidence that its computer system had been hacked.   The important part of this statement is that Krebs is reporting that the breach is likely to have been at the DMV’s credit card processor, which would make this a much bigger story.

Stay tuned.  Read more:

Krebs on Security

Mashable


Unauthorized Children’s In-App Purchases Round Two: Google Faces Class Action

Posted in Children, Class Action Litigation

Written by Julia Siripurapu, CIPP/US

Just two months after Apple’s settlement with the FTC over lax parental controls over children’s in-app purchases (see our prior blog post), Google takes the spotlight with claims of unauthorized children’s in-app purchases in the Google Play Store! This time, it’s not an FTC action, but a class action. The suit was filed on March 7 in the U.S. District Court for the Northern District of California. The suit was brought by a New York mother (“Plaintiff”) on behalf of herself and other parents whose minor children downloaded free or relatively inexpensive child-directed games from the Google Play store and then incurred charges for purchasing items that cost money within the app without parental consent or authorization. For example, the Plaintiff’s five-year-old son spent over $65 on virtual Crystals while playing the game “Marvel Run Jump Smash!” on an Android device.

According to the complaint, the apps directed to children that are offered for sale in the Google Play store are “designed to induce purchases of what Google refers to as ‘In-App Purchases’ or ‘In-App Content,’ i.e. virtual supplies, ammunition, fruits and vegetables, cash, and other fake ‘currency,’ etc. within the game in order to play the game as it was designed to be played (‘Game Currency’)”. As noted in the complaint, while Google required users to enter a password to authenticate their account before purchasing and downloading an app or Game Currency, once the account was authenticated, the user, including a child, could purchase “several hundreds of dollars” in Game Currency during a 30-minute window without having to re-enter a password. This billing practice allowed Google to automatically charge the account holder’s credit or debit card or PayPal account without notifying the account holder or obtaining further consent from the account holder.

Over 20 Million Customer Accounts Affected by Data Breaches in California; Attorney General Harris Promises Increased Enforcement

Posted in Cybersecurity, Data Breach, Privacy Regulation

Written by Jake Romero, CIPP/US

When you think of catastrophic events that take place online and have a devastating effect on millions of people, you probably think of HBO Go crashing during the True Detective finale. However, California Attorney General Kamala Harris wants to remind you that you should be thinking about data breaches. New data and statements released by the office of Attorney General Harris disclose that more than 20 million customer accounts have been affected over the past two years by the ever-increasing number of data breaches, and also provide insight into the central role the Attorney General’s office hopes to play in remedying the problem.

Privacy Monday – March 10, 2014

Posted in Cybersecurity, Privacy Monday, Privacy Regulation

We hope that you remembered to “spring forward” over the weekend —

Today’s Privacy Monday is a bit longer than usual – but an important read, particularly if you are a mobile app developer.

California Public Utilities Commission Declines to Develop New Regulations and Standards for Wireless Carriers and Mobile App Providers  . . . for Now, at Least

Written by Jake Romero

Certain things in life are a certainty; death and taxes, for example, or Jennifer Lawrence falling down at the Oscars.  Until recently, a good argument could have been made that California agreeing to implement new data privacy regulations was one of those certainties.  At its January 16, 2014 meeting, however, the California Public Utilities Commission (“CPUC”) declined a request to develop privacy standards for wireless carriers and mobile applications.  The denial comes in response to a Petition for Rulemaking filed by a collection of consumer groups (the “Petition”) such as the Consumer Federation of California, the Privacy Rights Clearinghouse and the Utility Reform Network.  The CPUC Decision (which can be read in its entirety here) concludes that “[g]iven the lack of documented examples of actual breaches of customer privacy by telecommunications corporations, as well as the existence of a variety of laws and regulations governing the treatment of potentially sensitive customer information by businesses in general and telecommunications providers in particular, it is not clear that a review of the company privacy practices in California is needed at this time.”

The Petition, which was originally filed on November 8, 2012, requested that the CPUC (1) initiate a new rulemaking to review the customer information that telephone corporations collect or have access to, along with those companies’ practices in handling and using that information; (2) develop standards for the collection, handling, and sharing of customer information to ensure that customers are aware of what information may be collected and how that information may be used; and (3) extend the applicability of its privacy rules to third parties under contract with telecommunications providers, as well as other third parties that use the phone as a platform, such as mobile applications.  Had the CPUC agreed with the petitioners, the additional rules would have added to an already crowded regulatory mix in California.  However, the petitioners argued that additional rules are necessary because of the rapid development of communication technologies, and that any additional rules promulgated by the CPUC could help to update and modernize current regulations.

Opposition comments to the Petition were filed by CTIA, AT&T and its affiliated companies and MetroPCS California.  The opposing party comments made two primary arguments in favor of denying the Petition; one procedural and one substantive.  On procedural grounds, the opposing parties argued that the Petition attempts to reach non-regulated services and providers, over which the CPUC has limited authority, without clear justification.  Substantively, the opposition argued that additional rulemaking is unnecessary because existing laws and policies already protect the privacy of customer information available to telecommunications carriers, and carriers already have internal privacy policies in place to comply with California state law.

In denying the Petition, the CPUC agreed with the opposing parties that federal and state laws governing the protection and use of, among other things, information that relates to the use of telecommunications services already address privacy issues related to customer data, and that such laws had been updated and revised on an ongoing basis in response to further technological development. The CPUC noted that the Petition was specifically focused on third-party applications, but found that the Petition was unable to identify types of information collected or accessible by these parties that would not already be covered by federal or state privacy laws. Moreover, the federal and state laws applicable to mobile application providers are primarily enforced by entities other than the CPUC, such as the Federal Trade Commission or States’ Attorneys General. In the absence of “clearer documentation of gaps in existing privacy laws and regulations, as well as examples of actual harm from such privacy violations,” the CPUC denied the Petition.

There are a few key takeaways from the CPUC decision. First, notwithstanding its conclusions, the CPUC left the door open for the petitioners to return with further information and developments in the future. The CPUC noted that because of rapid changes in communications technology, it is possible that concerns may develop that would need to be addressed. Second, the Petition’s focus on mobile applications is yet another indication that concerns about mobile privacy are continuing to grow. Following months of front-page news stories about data breaches and Apple’s own high-profile security update, it is unlikely that these concerns will diminish any time soon. On the other hand, online service providers just recently dealt with a barrage of new California regulations. The CPUC’s decision not to add to the regulatory web at this point will likely be welcome news for online service providers.

Boston Discussion – NIST Framework – March 25

Posted in Cybersecurity

NIST Framework:  How to Best Mitigate Cyber Risk for Your Organization

The National Institute of Standards and Technology (NIST) last month released its final Cybersecurity Framework. Developed under an executive order from President Obama with extensive input and feedback from industry security professionals, the new NIST framework is designed to help companies in the financial services, communications, energy, transportation, healthcare, and other critical infrastructure sectors identify their cybersecurity risks and develop effective programs to prevent and respond to attacks.

With the threats facing even the largest companies highlighted by recent disclosures by Target, Neiman Marcus, and others that the security of millions of customer credit and debit cards has been compromised, companies of all types are taking a closer look at what they can do to mitigate their risks and protect their customers and suppliers. In addition, agencies including the SEC, FTC, Defense Department, and GSA are paying increased attention to companies’ cyber vulnerabilities.

On March 25, we will be hosting a panel discussion in our Boston office, and we’ll look at the Cybersecurity Framework’s recommendations and how you can use them to assess and improve your organization’s security practices. Our speakers have been actively involved in the development of the NIST framework and private sector cybersecurity policy. You won’t want to miss their insights into the framework’s key elements and the most effective approaches for developing a program that best suits your individual organization’s risks and circumstances.

Topics will include:

  • An update on cybersecurity legislative policies
  • The NIST Cybersecurity Framework and federal regulatory initiatives affecting government and private sector suppliers
  • Recent developments in the SEC’s approach to disclosure of cybersecurity threats for public companies
  • The current state of the market for cybersecurity insurance and considerations for potential insureds

Click here for more information and registration details.