Imagine you are the CEO of company sitting across from an interviewer. The interviewer asks you the age old question, “So tell me about your company’s strengths and weaknesses?”  You start thinking about your competitive advantages that distinguish you from competitors.  You decide to talk about how you know your customers better than the competition, including who they are, what they need, and how your products and services fit their needs and desires.  The interviewer, being somewhat cynical, asks “Aren’t you worried about the liabilities involved with collecting all that data?”

In honor of National Cyber Security Awareness Month, we at Mintz Levin wanted to take the chance to remind our readers of data’s value as an asset and the associated liabilities that stem from its collection and use, as well as provide guidelines for maximizing its value and minimizing its liabilities.  Continue Reading 3 Guidelines to Maximize Value of Data


It’s time for a compliance check on those website or mobile app privacy policies, before the California Attorney General comes knocking.

Attorney General Kamala D. Harris has announced the release of a new tool for consumers to report websites, mobile applications, and other online services that may be in violation of the California Online Privacy Protection Act (CalOPPA).  The form is available at  As a reminder, a website owner or app operator may violate CalOPPA by failing to post privacy policies or posting incomplete or inadequate policies that do not meet the requirements of the statute.

As we have previously written on this blog, the potential cost for not meeting the CalOPPA requirements can be substantial.  Violations of CalOPPA may result in penalties of up to $2,500 per violation which, for mobile applications, means up to $2,500 for each copy of the non-compliant application that is downloaded by California consumers.

“In the information age, companies doing business in California must take every step possible to be transparent with consumers and protect their privacy,” said Attorney General Harris. “As the devices we use each day become increasingly connected and more Americans live their lives online, it’s critical that we implement robust safeguards on what information is shared online and how. By harnessing the power of technology and public-private partnerships, California can continue to lead the nation on privacy protections and adapt as innovations emerge.”

Mobile app creators should be aware that the Attorney General’s office will not only be relying on consumers to identify non-compliant apps.  The Office is also partnering with the Usable Privacy Policy Project at Carnegie Mellon University to develop a tool that will identify mobile apps that may be in violation of CalOPPA by looking for discrepancies between disclosures in a given privacy policy and the mobile app’s actual data collection and sharing practices (for example, a company might share personal information with third parties but doesn’t disclose that in its privacy policies).

If you have any questions regarding CalOPPA compliance, please do not hesitate to contact the team at Mintz Levin.



For the next few months, the Mintz Levin Privacy Webinar Series is focusing on the upcoming EU General Data Protection Regulation (GDPR) to help businesses understand the reach and scope of the GDPR and prepare for the potentially game-changing privacy regulation.   The GDPR will affect how US businesses handle and process personal data originating in the EU and may require changes to business process.

Next week, we’ll present a webinar focusing on the data security and accountability requirements of the GDPR, including reviews and documentation of internal policies and procedures and data impact assessments.   We will also take a look at the onerous breach notification requirements and recommend actions that companies can take in advance to mitigate the need for breach notification.

Make sure to join us for this important webinar!

Registration link is here.


The term “cloud computing,”  — a process by which remote computers are used to store, manage and process data — is no longer an unfamiliar term. According to at least one estimate, “approximately 90 percent of businesses using the cloud in some fashion.” American Airlines is assessing major providers of cloud services for an eventual relocation of certain portions of its customer website and other applications to the cloud.

What some may not realize is that there are actually three main types of clouds: public, private and hybrid.  Public clouds are those run by a service provider, over a public network.  For example, Amazon Web Services offers public cloud services, among others.  A private cloud is operated for a single entity, and may be hosted internally or by a third-party service provider.  A hybrid cloud is a composition of two or more clouds, such as a private cloud and a public cloud, such that the benefits of both can be realized where appropriate.  Each of these cloud infrastructure types has different advantages and disadvantages.

For a given company looking to migrate to the cloud, the appropriate option will be motivated in part by business considerations; however, data privacy and security laws, compliance best practices, and contractual obligations will provide mandatory baselines that companies cannot ignore. As such, relevant laws, best practices, and contractual obligations serve as a useful starting point when evaluating the appropriate cloud option.

Most every organization has data flow systems that receive data, and then process and use the data to deliver a service. Below are three initial steps a decision maker should take when evaluating a potential cloud infrastructure choice.


First, consider the statutory implications of the types of data being processed

For example, is the system collecting social security numbers and driver’s license numbers? Pursuant to California Civil Code Section 1798.81.5, businesses that “own or license” personal information concerning a California resident are required to “implement and maintain reasonable security procedures and practices . . . to protect the personal information from unauthorized access, destruction, use modification, or disclosure.”  Of course, many other state and federal laws may also provide additional obligations, such as the HIPAA Security Rule, which applies to certain health information under certain circumstances.

Deciding which relevant laws apply, and then interpreting language such as “reasonable security procedures and practices” is a complicated process. Companies should consult experienced legal counsel regarding these risks, especially in light of potential liability.

Second, consider any relevant contractual obligations

For example, many companies may have contracts that provide for certain service level availability (SLA) obligations for services they provide. It is also possible that these contracts could have their own security requirements in place that must be met.

Third, decide which cloud architecture option makes sense in light of the first two steps as well as business considerations

After senior decision makers, with the benefit of experienced legal counsel, have decided what elements of applicable laws, best practices, and contractual obligations apply, further business considerations may need to be addressed from an operational standpoint.  For example, interoperability with other services may be an issue, or scalability may be an issue.


Through these requirements, in conjunction with appropriate information technology stakeholders, the appropriate cloud architecture can be chosen. Private clouds can offer the strongest security controls, as they are operated by a single entity and can offer security options not present in public clouds.  As such, a private cloud may be appropriate where a very strong security stance is deemed necessary.  Public clouds are often less expensive, but offer a more limited range of security options.  A hybrid cloud may be appropriate where an entity hosts certain high security data flow systems, as well as other systems with less sever security requirements.  For example an entity that has an HR system that contains social security numbers, as well as an employee shift scheduling system might choose to host the HR system on a private cloud, while hosting the customer feedback system on a public cloud system, with limited cross over and interoperability between the two systems.

Once you have chosen which cloud suits your business and data flow, the real work of getting appropriate contract documents in place begins.   We’ll discuss those issues in a future blog post.


In the wake of the Supreme Court’s decision in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016), lower courts have begun to address whether alleged violations of statutes intended to protect privacy suffice, in the absence of any further alleged injury, to establish Article III standing.  In Matera v. Google Inc. No. 15-cv-04062-LHK (Sept. 23 2015) Judge Lucy Koh of the Northern District of California ruled that a complaint alleging violations of the federal Wiretap Act, 18 U.S.C. § 2511(a)(1), and the California Invasion of Privacy Act (“CIPA”), Cal. Penal Code § 631, without more, pleads sufficient injury to satisfy the requirements for Article III standing as set forth in Spokeo.  In so ruling, the court concluded that Spokeo did not overrule prior authority finding Article III standing to sue for Wiretap Act and CIPA violations.

Continue Reading Alleged Wiretap Act and CIPA Violations Held to Satisfy Spokeo Test for Standing in Latest Gmail Privacy Class Action

The New York Department of Financial Services recently announced a new proposed rule, which would require financial institutions and insurers to implement strong policies for responding to cyberattacks and data breaches.  Specifically, the rule would require insurers, banks, and other financial institutions to develop detailed, specific plans for data breaches; to appoint a chief privacy security officer; and to increase monitoring of the handling of customer data by their vendors.

Until now, various regulators have been advancing similar rules on a voluntary basis.  This is reportedly the first time that a state regulatory agency is seeking to implement mandatory rules of this nature.

“New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state-sponsored organizations, global terrorist networks, and other criminal enterprises,” said New York Governor Cuomo. He added that the proposed regulation will ensure that the financial services industry upholds its commitment to protect customers and take more steps to prevent cyber-attacks.

The rule would go into effect in 45 days, subject to notice and public comment period.  Among other detailed requirements, it will mandate a detailed cybersecurity program and a written cybersecurity policy.  While larger financial institutions already likely have such policies in place, the rule puts more pressure on them to fully comply.  It also mandates the hiring of a Chief Privacy Officer at a time when privacy professionals are already in a very high demand.  To attract top talent, the financial institutions will need to allocate appropriate budgets for such hiring.

Additionally, the rules outline detailed requirements for the hiring and oversight of third-party vendors.  Regulated entities who allow their vendors to access nonpublic information will now have to engage in appropriate risk assessment, establish minimum cybersecurity practices for vendors, conduct due diligence processes and periodic assessment (at least once a year) of third-party vendors to verify that their cybersecurity practices are adequate.  More detailed specifications can be found here.  Other requirements include employment and training of cybersecurity personnel, timely destruction of nonpublic information, monitoring of unauthorized users, and encryption of all nonpublic information.  As DFS Superintendent Maria Vullo explained: “Regulated entities will be held accountable and must annually certify compliance with this regulation by assessing their specific risk profiles and designing programs that vigorously address those risks.”

Among other notable requirements, the regulations further mandate that banks notify New York’s Department of Financial Services of any material data breach within 72 hours of the breach.  The regulations come at the time when cybersecurity attacks are on the rise.  The proposed rules also follow on the heels of recent legislative initiatives in 4 other states to bolster their cybersecurity laws, as we previously discussed.

The regulations are sweeping in nature in that they potentially affect not only New-York-based companies but also insurers, banks, and financial institutions who conduct business in New York or have customers who are New York residents.  If you are unsure about your company’s obligations and the impact of the proposed rules on your industry, contact Mintz Levin privacy team for a detailed analysis.

In its recent decision in Galaria v. Nationwide Mut. Ins. Co., no. 15-3386 (6th Cir. Sept. 12, 2016). Co., No. 15-3386 (6th Cir. Sept. 12, 2016), a divided Sixth Circuit panel held that plaintiffs had standing to assert claims arising from hackers’ alleged theft of data containing plaintiffs’ sensitive personal data, including dates of birth and Social Security numbers.  In so ruling, the court became the latest to hold that hackers’ targeted theft of personal identifying information (“PII”), standing alone, creates a substantial risk of harm that is sufficient to satisfy the concrete injury requirement for standing under Article III of the United States Constitution.

The lawsuit concerned a 2012 data breach in which hackers stole data that Nationwide collected for purposes of underwriting life insurance policies.  Plaintiffs were among those who received notice that hackers had stolen data containing the names, dates of birth, marital status, genders, occupations, employers, Social Security numbers and driver’s license numbers for individuals who had applied for insurance from Nationwide.  Criminals are increasingly targeting PII like that stolen here because it can be used to engage in fraudulent borrowing or to file false tax returns to obtain illegal refunds, making such data valuable on the black market.  However, as is true in many cases involving PII data breaches, plaintiffs did not allege that their PII had actually been misused.  Also, Nationwide offered a year of free credit monitoring and identity-theft protection insurance to individuals whose information has been stolen.  Based on those protections and plaintiffs’ failure to allege actual misuse of stolen data, the district court granted Nationwide’s motion to dismiss for lack of standing. Continue Reading Sixth Circuit Rules That Theft of PII from Insurance Company Results in Article III Standing

The FBI warned this summer that the “Business Email Compromise” (“BEC”) scam continues to grow, evolve, and target businesses of all sizes. As reported by the FBI in June, the scam had hit more than 22,000 victims for a combined dollar loss of greater than $3 billion – that’s billion with a B! And the latest evolution is even more threatening, potentially causing breaches of protected data.

What is the BEC scam? Why have so many been taken in? And how can you protect yourself?

The BEC scam is a smart, targeted scheme using emails that appear genuine, usually seeming to originate from within the victim’s company or from its suppliers/contractors.  For example, the company’s CFO may receive an email that seems to come from the CEO, urgently directing funds to be wired to a specified account for a seemingly legitimate purpose. Or the email may appear to come from a supplier or contractor and seek payment on an invoice that appears legitimate. If the company wires funds as directed, the funds are transferred offshore and become unrecoverable.

The scam has been highly effective because BEC emails mimic legitimate requests. The perpetrators research their victim to learn its protocols, its counterparties’ names, its payment methods, etc. They often use social engineering techniques (e.g., phishing emails requesting info) to learn details about the targeted business. The successful perpetrators learn which individuals are necessary to perform wire transfers and what protocols are used. They may learn when the CEO is traveling, so that an email from the CEO directing payment would not be questioned. The perpetrator may have hacked and used a valid email account for this purpose, or may have established an account with a similar domain name. Their level of sophistication has enabled the theft of billions of dollars.

Earlier this year, the FBI started receiving reports that this highly successfully scheme has evolved into a means to obtain confidential information, leading to data breaches. For example, an email request to the human resources department may prompt the disclosure of W-2 forms or other confidential, personally identifiable information (“PII”). The FBI reports that victims have fallen for this new data-theft BEC scenario, even if they were able to successfully identify and avoid the traditional BEC scam.

We all have learned (hopefully) not to click links in suspicious looking emails. But trusted emails receive less scrutiny. What steps can you take to avoid being hit?

  • If an email is directing payment by wire or seeks protected information, it merits special treatment.
  • TRAIN employees and establish clear protocols for wire transfers and data privacy.
  • Beware of sudden changes in business practices. Require secondary sign-off by company personnel when a change in payment method is requested.
  • Always verify requested changes via other channels. Don’t click “reply”. Instead, call the sender to verify; and use a trusted phone number, not a phone number appearing in the email. Or forward the email to the sender after typing a trusted email address, and seek confirmation.
  • Be suspicious of requests for urgent action or secrecy.
  • Create intrusion detection system rules that flag e-mails with extensions that are similar to company e-mail.
  • In addition, diligently maintain data and email security. Educate employees to be alert to social engineering situations, and to delete phishing emails. Establish two-factor authentication for email accounts.

If you have questions about how to train employees and avoid these phishing scams, contact a member of the Mintz Levin Privacy team.

As has become typical in the data security space, there was quite a bit of activity in state legislatures over the previous year concerning data breach notification statutes.  Lawmakers are keenly aware of the high profile data breaches making headlines and the increasing concerns of constituents around identity theft and pervasive cybercrime.  In response, states are beefing up their data security statutes in order to provide greater protection for a broader range of data, to require notification to Attorneys General, and to speed up the timeline companies have to advise residents when their personal information has been compromised, to name a few steps. Please review our updated Mintz Matrix to make sure you understand the latest rules applicable to your business!

According to a recent summary published by the National Conference of State Legislatures, more than 25 states in 2016 have introduced or are currently considering security breach notification bills or resolutions.  While much legislation remains pending in statehouses across the country, statutory amendments passed in four states took effect over this past summer alone.  Here is a brief summary of significant amendments to data breach notification rules in Nebraska, Nevada, Rhode Island and Tennessee. Continue Reading Summer Round-Up: Four States Bolster Data Breach Notification Laws and More Changes on the Way

Last week the clothing retailer Eddie Bauer LLC issued a press release to announce that its point of sale (“POS”) system at retail stores was compromised by malware for more than six months earlier this year.  The communication provided few details but did specify that the malware allowed attackers to access payment card information related to purchases at Eddie Bauer’s more than 350 locations in the United States, Canada and other international markets from January 2 until July 17, 2016.  According to the company, its e-commerce website was not affected.

In an open letter posted online, Eddie Bauer’s CEO Mike Egeck explained that the company had conducted an investigation, involved third party experts and the FBI, and now is in the process of notifying customers and reviewing its IT systems to bolster security.  These are customary and important steps following a security breach to mitigate harm to customers, protect against future threats, and comply with state data breach notification laws.    Read on to find out more ….. Continue Reading Eddie Bauer Latest Victim of POS Malware Attack