Written by Kevin Mc Ginty
Federal District Judge Paul Magnuson has ruled that banks that issued credit and debit cards to customers whose data was stolen in the December 2013 Target data breach could continue to litigate claims against Target for negligence and violation of Minnesota’s Plastic Card Security Act (“MPCSA”), Minn. Stat. § 325E.64. The claims of the issuer banks originated in multiple lawsuits that were among the 71 separate actions filed nationwide that the federal Judicial Panel on Multidistrict Litigation consolidated for pretrial proceedings in the District of Minnesota. The December 2 ruling is significant both for its conclusion that Target owed a duty of care to issuer banks with respect to data security and for its rejection of Target’s argument that the MPCSA should not apply to all Target transactions nationwide, but instead should be limited to transactions that occurred in Minnesota stores. The decision does not, however, eliminate challenges that the issuer banks are likely to face both with respect to proving their allegations and obtaining certification of a plaintiff class.
Welcome to December – we hope you had a restful and enjoyable Thanksgiving holiday.
Here are a few privacy bits and bytes to start your week.
1. ICYMI – 60 Minutes Explains Credit Card Hacking
In preparation for Cyber Monday, 60 Minutes presented a well-researched and interesting story on credit card hacking. For privacy and security professionals, it may be old news, but as a consciousness-raising and mainstream piece of reporting, it is first-rate. Some points:
- From the time of intrusion into a system, the average time to detection of the bad guys is a “whopping 229 days.”
- 80 percent of breaches involve stolen or weak passwords. The most common — “123456” (Hey, it meets the minimum requirement of 6 characters!)
- “Detect it sooner. Respond sooner.”
See the entire script and video here (or play it for your favorite CEO…).
2. Sony Pictures Entertainment Hit by Possible Retribution Attack
that Sony Pictures Entertainment has retained Mandiant, a forensics security firm, to investigate and remediate a cyber attack that knocked out the studio’s network a week ago. The FBI is also reportedly involved in the investigation into the possibility that hackers working on behalf of North Korea may be behind the attack. The timing coincides with the upcoming release of Sony’s “The Interview,” depicting a CIA plot to assassinate North Korean leader Kim Jong-Un. The nation’s state-owned outlets have threatened “merciless retaliation” against the U.S. and other nations if the film is released.
The hack also apparently leaked five unreleased Sony films to file-sharing sites. The studio has confirmed that it is working with law enforcement to track down the leaks.
Read more here
3. The Microsoft Storm – The View from Ireland
Back in August, we wrote about Microsoft’s court battle over production of email data held in its Irish data center. That battle continues on appeal from a New York court’s refusal to grant Microsoft’s request to quash the U.S. government’s warrant seeking that particular data. Karlin Lillington, the technology columnist for the Irish Times, writes about the view of this battle from the data’s country of residence — and its potential to influence the future of cloud computing. Worth a read here
4. Hey GC, When’s the Last Time You Spoke with Your CTO or CISO?
One would expect that corporate Chief Information Officers (CIO), Chief Information Security Officers (CISO) and General Counsels/Chief Legal Officers have a lot to talk about these days including data privacy, breach response, network security assessments, e-discovery, BYOD policies and cloud computing security risks. However, a recent Gartner survey of CLOs found that over half of them have conversations with the CIOs no more than once a month.
Take some time to view a free webinar discussing how CIO/CISOs and CLOs can (and should) collaborate to overcome the obstacles to effective cyber risk management including:
- Risk mitigation options
- Planning for the best, expecting the worst
Written by Susan Foster, Solicitor England & Wales/Admitted in California
(LONDON) The highly influential Article 29 Working Party, composed in part of representatives of the EU’s national data protection offices, has announced that the right to be forgotten applies to .com as well as country-specific search results.
The Google Spain decision (discussed here) held that a search engine with advertising activities in Europe (directly or through a subsidiary) must delete search results that link to personal information that the person in question thinks is no longer “relevant.” Google implemented a removal process for its search domain names with European extensions, such as Google.fr, but not for Google.com search results. The Google Spain case makes Google the arbiter of removal requests in the first instance. If the request is rejected, the individual can appeal to his or her local EU Data Protection authority.
The Art. 29 Working Party has now issued an opinion that EU Data Protection authorities should interpret the Google Spain decision as applying globally. That means that Google would have to delete search results found through a search on Google.com. (It takes a bit of know-how to search Google.com from within Europe without getting automatically redirected back to the country-specific sites, but as of the date of this blog post, it is possible to do it.)
It is fair to assume that the national EU Data Protection authorities will follow the Art. 29 Working Party opinion, since the Working Party is made up largely of representatives of those authorities.
So EU law will affect what we see anywhere around the world when we search for information that involves an EU resident. Google’s reaction to the Google Spain decision has indicated that Google really doesn’t want to be the web’s censor – but it doesn’t seem to have much of a choice now.
Big Data can slice and dice just about anything. Big data analytics company Datawatch has created two fun demos using turkey and Thanksgiving dinner data. Although the page is promoting a download of a 14-day free trial of the company’s software, no download (or registration) is required to see and manipulate the workbooks.
The first tab gives you all the data you would ever want about turkey production and turkey consumption in the U.S., and the second tab … well, let’s just say that manipulating the data in the second tab will drive one to exercise on Friday. Note for you lovers of turkey legs: no caloric data is included.
Often, privacy and security professionals are seen as “paranoid” or “Chicken Little” … statistics are pointing to something that more closely resembles the canary in the coal mine.
A new Internet Security Threat Report provides an overview and analysis of the year’s global internet threat activity. The report is based on data from the Symantec™ Global Intelligence Network, which Symantec’s analysts use to identify, analyze, and provide commentary on emerging trends in the dynamic threat landscape.
- 91% increase in targeted attack campaigns in 2013
- 62% increase in the number of breaches in 2013
- Over 552M identities were exposed via breaches in 2013
- 23 zero-day vulnerabilities discovered
- 38% of mobile users have experienced mobile cybercrime in past 12 months
- Spam volume dropped to 66% of all email traffic
- 1 in 392 emails contains a phishing attack
- Web-based attacks are up 23%
- 1 in 8 legitimate websites has a critical vulnerability
Read the full report here
Here are three privacy stories to start your week -
1. Dear “financial institution”: how is your data security?!
Senator Elizabeth Warren (D-Mass) announced (press release) that on November 18 the Senator together with Rep. Elijah E. Cummings (D-Md) sent letters to sixteen (16) financial services providers requesting detailed information about the providers’ data security programs (including vendor management practices) as well as disclosure of cyber-attacks and data breaches experienced by the entities over the past year. The previous week, Representative Cummings sent similar letters to certain organizations that experienced large data breaches in the recent past, including to the U.S. Postal Service and U.S. Investigations Services. Continue Reading
Sometimes the day just gets away from you…
Here are three privacy & security things you should know for your week:
1. FTC Cites TRUSTe With Misrepresenting Practices – Fines $200,000
Apparently TRUSTe hasn’t been quite so … the fine is part of an agreed settlement with the FTC, under which the Commission has charged the “certification” company with misrepresenting practices to consumers and — contrary to its stated policies — failing to conduct annual re-certifications of companies around 1,000 times between 2006 and 2013. “TRUSTe promised to hold companies accountable for protecting consumer privacy, but it fell short of that pledge,” Edith Ramirez, the F.T.C.’s chairwoman, said in a statement. “Self-regulation plays an important role in helping to protect consumers. But when companies fail to live up to their promises to consumers, the F.T.C. will not hesitate to take action.”
FTC Press Release
PCWorld – TRUSTe Deceived Consumers About Recertification Program, FTC Says
Washington Post – Latest FTC enforcement action shows why it’s so hard to figure out who to trust online
UPDATE (11/19): TRUSTe’s Statement regarding the FTC action. Continue Reading
Corrective action taken by Verizon Communications to fix security issues with its FiOS and DSL routers resulted in the FTC closing its investigation to determine whether Verizon’s distribution of the routers was an unfair or deceptive practice.
According to the FTC, Verizon regularly shipped routers to consumers with the default security set to the outdated WEP standard, which has been known for a decade to have weaknesses that leave users of the routers vulnerable to hackers.
After the FTC initiated its investigation, Verizon took steps to mitigate the risks to its customers. It changed the default security setting on the routers going out to customers from the obsolete WEP standard to the current WPA2 standard, it initiated an outreach campaign to its customers to encourage them to update the security settings on their routers, and it offered customers with older routers incompatible with the WPA2 standard the opportunity to upgrade to a newer, WPA2-compatible device.
The FTC emphasized that closing the investigation did not mean that Verizon might not have violated the FTC Act. It cautioned that “what constitutes reasonable security changes over time as new risks emerge and new tools become available to address them. As most all consumer devices on the market today are compatible with WPA2, it would likely be unreasonable for Internet Service Providers (“ISPs”) or router manufacturers to continue to default consumer routers to WEP encryption. We hope and expect that all companies that provide consumers with these products will ensure reasonable and appropriate default security settings.”
A copy of the FTC’s closing letter is available here.
Written by Stephanie Willis
This week, the HHS Office of Civil Rights (OCR) issued a bulletin (Bulletin) to remind covered entities and business associates that “the protections of the Privacy Rule are not set aside during an emergency.”
The Bulletin’s information on appropriate disclosures and protections under emergency circumstances is especially timely in the wake of the United States’ recent experience with disclosing information about patients diagnosed with and treated for Ebola and enterovirus D68. Because the HIPAA Privacy Rule only provides a very limited waiver of sanctions and penalties against a covered hospital for acts during a public health or other emergency under the Project Bioshield Act and section 1135(b)(7) of the Social Security Act (and only if the U.S. President declares a public health emergency or disaster and the Secretary of HHS declares a public health emergency), covered entities and business associates cannot afford to abandon HIPAA’s privacy and security mandates. Continue Reading
With the 2014 election behind us, Congress returns this week for a Lame Duck session that will round out the 113th Congress. Our government affairs affiliate ML Strategies has published its take on what to expect in the coming weeks on Capitol Hill and from the Administration in the cybersecurity arena. Continue Reading