Privacy & Security Matters

Mintz Levin : Data Compliance & Security, Employee Privacy Lawyer & Attorney

Privacy Monday – May 19, 2014 – Lessons Learned from Facebook

Posted in Privacy Monday

Promises to Keep: Lessons Learned from Facebook’s Recent Acquisitions of WhatsApp and Moves

Written by Jake Romero, CIPP/US

Mergers are never simple, but the acquisition of consumer products and technology requires the purchasing entity to consider a number of questions and issues beyond the standard concerns related to executive pay, corporate valuations and per share prices.  Will we be able to integrate our corporate cultures?  Will the service’s current users make angry reaction GIFs about us to demonstrate their disapproval?  Is this something we can fix with a rapping monkey video?  Are Beats by Dre headphones ‘extraordinarily bad’?  Following a number of high profile tech acquisitions, Facebook, Inc. has learned that among the questions that must be asked, is “What promises has the target entity made to its users regarding data the target is collecting?” Continue Reading

“Selfie” Assessment – 4 Key Lessons from Snapchat’s Settlement with the FTC

Posted in Data Breach, Federal Trade Commission, Privacy Regulation

Written by Jake Romero, CIPP/US

As a country we are quickly approaching a time in which most adults will be disqualified from being elected to public office because of something they posted on their social media account while growing up.  Against this backdrop of over-sharing, Snapchat, Inc. won over the hearts of its users with the promise that its mobile application would permit the user to send messages that would “disappear” after a designated number of seconds.  As the popularity of the mobile application grew, so too did concerns regarding its data security practices and its ability to deliver on the promises made to its users.  By December 2012, various methods for accessing or keeping photos and video sent through the mobile app (“snaps”) began circulating on the Internet.  Then, in the final days of 2013, a vulnerability in the application allowed hackers to obtain and publish millions of Snapchat usernames and phone numbers. Continue Reading

Privacy Monday – May 12, 2014

Posted in Data Breach, Data Breach Notification, Data Compliance & Security, Privacy Monday, Privacy Regulation

Another busy week in the privacy/security world.  We have some bits and bytes to start your week:

Verizon 2014 Data Breach Investigation Report – Something Old, Something New

Verizon is out with its 2014 edition of the comprehensive Data Breach Investigation Report (DBIR). You can get your copy here for your reading pleasure — or heartburn. Retailers should take particular note of this report. “(2013) may be tagged as the ‘year of the retailer breach,’ but a more comprehensive assessment of the InfoSec risk environment shows it was a year of transition from geopolitical attacks to large-scale attacks on payment card systems,” according to the report. Random-access memory (RAM) scraping – a technique that was thought to be past its sell-by date — appears to have increased with alarming intensity. Retail point-of-sale (POS) systems can be compromised through weak or nonexistent passwords, allowing criminals to insert malware that will sit on a POS and collect card numbers. The bad guys grab the numbers from the RAM and dump them into a file, then return and pick them up at a later date. New PCI DSS rules take effect in July that will shift the liability from banks and card issuers to the retailers. Time to review the security of your systems.

State Legislation Roundup

We recently updated Florida Information Act, will repeal the existing data breach notification law and replace it with a law that expands the definition of personal information (to include medical information, health insurance information, user names and e-mail addresses), reduces the notification period from 45 days to 30 days, requires notification to the Attorney General’s office, and clarifies that if a vendor notifies individuals on a company’s behalf, the company is deemed to have violated the law where the vendor fails to provide proper notice. The Act adds civil penalties for violations not exceeding $500,000: $1,000 for each day up to the first 30 days and $50,000 for each subsequent 30-day period up to 180 days. If the violation continues more than 180 days, the penalty shall not exceed $500,000. In the absence of Congressional action after the 2013 Target, Michaels, Neiman Marcus, et al. breaches — the states are continuing to lead the way.

Canadian Anti-Spam Law (CASL) Compliance Deadline is Approaching

At last week’s IAPP Canada Privacy Symposium, Canadian regulators held a jam-packed session on CASL. The basic message was: this is our last warning, and the compliance onus is on you. Warning to US marketers — CASL applies to any commercial email message sent to a Canadian email address. It need not be “spam.” If you are not preparing your compliance program and sorting your mailing lists, there is a maximum penalty of $10 million waiting.

Cyber Risks for the Boardroom Part 5: Coverage for Privacy Violations

Posted in Cybersecurity, Insurance, Privacy Litigation

The last installment in our series – “Coverage for Privacy Violations”

Written by Heidi Lawson and Danny Harary

Part 5 of 5:  Coverage For Privacy Violations

As we ensuring their cyber preparedness in the event of an attack, which, increasingly, appears to be all but inevitable. In the event that a company does suffer a data breach, it will quickly look to its insurance policy to help defray the costs. In theory, litigation arising out of a data breach should be covered under a D&O policy. However, given the rise in hacking and cyber breaches, cyber liability policies have grown in popularity. As a result, D&O policies are increasingly drafted with a standard exclusion for privacy violations and data breaches, some of which have recently changed. Thus, companies cannot simply assume that their D&O policy will respond to a cyber breach. Also, the board of directors cannot assume a cyber policy will protect them. Cyber policies may provide some protections, but certainly not for derivative suits or shareholder class actions. Continue Reading

Cyber Risks for the Boardroom Part 4: Coverage for Investigations

Posted in Cybersecurity, Insurance

Part 4 in our continuing series:  “Cyber Risks – Director Liability and Potential Gaps in D&O Coverage”:  Coverage For Investigations

Written by Heidi Lawson and Danny Harary

One of the biggest gaps in D&O coverage today is the lack of meaningful coverage for investigations. Although at first glance the policy language may look like it provides sufficient coverage, the reality is that, the way most policies are written, it is almost impossible to trigger coverage in an SEC or Department of Justice investigation simply because the policy language does not match up to the reality of how those investigations are conducted. In the case of a subpoena, one of the costliest components of an investigation, coverage is often only extended for “targets” that are specifically identified on the face of the subpoena. As a matter of course, however, the subpoena target is rarely identified in this manner, rendering coverage illusory, or in everyday parlance, useless. As regulatory oversight has increased generally in the wake of the financial crisis, and the SEC cybersecurity initiative promises even greater scrutiny, broad coverage for regulatory investigations is a necessity. This is especially true for public companies, as the scope, protocols and frequency of cyber investigations by the SEC and other regulatory agencies remain to be seen. Continue Reading

Cyber Risks for the Boardroom Part 3: Top Questions Directors Should be Asking about D&O Coverage

Posted in Cybersecurity, Insurance

Our series “Cyber Risks – Director Liability and Potential Gaps in D&O Coverage” continues –

Part 3 of 5:  Top Questions Directors Should Be Asking About D&O Coverage

Written by Heidi Lawson and Danny Harary

Directors never want to be in the unenviable position of having to seek coverage under their D&O policy. Nevertheless, the D&O policy is an indispensable corporate expense, particularly in the case of public companies, where exposures can be much higher. Especially today, when companies are experiencing a meteoric rise in cyber attacks and unauthorized attempts to access data, directors must ensure that they are covered in the event of a cyber attack, or any other exposure.

The need for a D&O policy is clear: directors and officers potentially face personal liability for lawsuits filed against them, even for alleged acts undertaken on behalf of the company. Although the company may be required or permitted to indemnify the directors depending on the circumstances, in some situations, the company may be prohibited from offering indemnification, or may not have sufficient resources to extend permissive indemnification. Thus, the D&O policy is a director’s last resort before personal assets may be invaded. As such, directors should take the time to carefully consider the scope of coverage offered by their D&O policy. The breadth of coverage and policy wording differs significantly from policy to policy and from carrier to carrier.

So, with apologies to David Letterman, here is our “top 10 list” of the questions directors should be asking about their D&O coverage:

  1. What is typically covered under a D&O Policy?
  2. What are the exclusions that directors should be concerned about?
  3. What kinds of situations should be reported to the insurer to trigger coverage and when?
  4. Who controls the defense of the director in the event of a claim?
  5. Are the policy limits appropriate for the company’s risk profile?
  6. Does the policy exclude data breaches?
  7. Does the policy provide coverage for derivative shareholder claims?
  8. How broad is the coverage afforded for regulatory investigations?
  9. What is the priority of payments under the policy?
  10. What are the potential coverage gaps and how can they be bridged?

If a director really wants to know how the policy will respond in a claim, an independent legal review is always advised.  Often policy terms appear to be favorable, but the practical application of that language in the context of an investigation or derivative lawsuit often yields a different result.

Tomorrow:  Coverage for Investigations

Cyber Risks for the Boardroom Part 2: Why Corporate Directors Should be Concerned About Data Security Breaches

Posted in Cybersecurity, Data Breach, Insurance

All this week, we are featuring a series “Cyber Risks – Director Liability and Potential Gaps in D&O Coverage”

Part 2 of 5:  Why Directors Should Be Concerned

Written by Heidi Lawson and Danny Harary

A data breach is not a unitary or self-contained event.  The fallout from a breach could impact the directors as well. A security breach may lead to an investigation or an enforcement action by the Securities and Exchange Commission (SEC). The SEC may direct its investigation at the directors and subpoena the directors’ documents and records. Compliance with subpoenas may be extremely expensive and, depending upon how the D&O policy defines “claim”, there may not be coverage. Continue Reading

SEC Cybersecurity Initiative: Five Steps ALL Broker-Dealers and Investment Advisers Should be Taking

Posted in Cybersecurity, Privacy Regulation, Security

Originally posted on the Mintz Levin Securities Litigation Matters blog

Written by Bret Leone-Quick, Cynthia Larose, CIPP, Chip Phinney and Joel Rothman

Last week, the U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) released a Risk Alert announcing its Cybersecurity Initiative. What does this mean to broker-dealers and investment advisers and, even if you are not one of the “chosen 50,” what should your firm be doing? Read on…

Continue Reading

Cyber Risks for the Boardroom Part 1: The Recent Increase in Focus on Privacy Issues

Posted in Cybersecurity

Each day this week, we are going to explore some of the issues in the rapidly growing area of cyberliability.  We will examine the recent increase in focus on privacy issues, why directors should be concerned, the top questions directors should ask when it comes to coverage for cyber investigations, and what kind of cover is available for privacy violations.

Written by Heidi Lawson and Danny Harary

Part 1 of 5:  The Recent Increase In Focus on Privacy Issues

Privacy issues have been the focus of many state efforts over the past few years. However, the SEC has increased its focus tremendously over the past few months (see our blog posts on guidance concerning public company cybersecurity disclosures). Otherwise, the SEC had remained relatively quiet. Recently, however, SEC involvement in this area has ratcheted up noticeably. Continue Reading

Privacy Monday: Cinco de Mayo, 2014

Posted in Cybersecurity, Data Breach, Privacy Monday

Happy Cinco de Mayo!

Breaking news this Privacy Monday, in the fallout from the massive Target data breach: the Target board announced that Chief Executive Officer Gregg Steinhafel has resigned effective immediately. The company has appointed Chief Financial Officer John Mulligan as interim president and chief executive. Steinhafel spent 35 years with Target, and both his resignation letter and the board’s statement reference the data breach. Steinhafel: “The last several months have tested Target in unprecedented ways.” The board: “Most recently, Gregg led the response to Target’s 2013 data breach. He held himself personally accountable and pledged that Target would emerge a better company. We are grateful to him for his tireless leadership and will always consider him a member of the Target family.”

Read more: USA Today, Forbes, Time

A commercial interruption from Privacy & Security Matters: Today, we start a new 5-part series – “Cyber Risks – Director Liability and Potential Gaps in D&O Coverage”. Make sure to check back later today and every day this week!

Sally Beauty CEO to Step Down

Steinhafel is not the only CEO hitting the bricks at a company following a data breach.   Sally Beauty CEO Gary Winterhalter will resign effective April 30, 2015.  The company was criticized for its handling of a recent data breach exposing credit and debit card data of customers.

AOL Admits Data Breach and Advises Users to Update Passwords

Details were few, but AOL did finally ’fess up to a data breach that apparently allowed spammers to take control of user accounts and send massive amounts of spam through those accounts. AOL recommended that users change their passwords. No other details were released regarding how long the breach had been ongoing.

And, we’ll leave you with Things you May Not Know About Cinco de Mayo