Beware of March Madness!  Scammers and phishers take advantage of increased web traffic by impersonating popular March Madness websites, including bracket sites and game live streams.  Will your employees take the bait?

Last year, it was reported that traffic from users streaming games and checking brackets for updates increased by 100% during the first round of the NCAA tournament. Monitoring sites observed a corresponding spike in malicious activity in this category: phishing pages, adware downloads, improper handling of user data, and domain-squatting attempts. All of this is likely going on again this year, and it will be on your corporate networks.

  • Have you implemented solutions to limit the impact of nefarious phishing campaigns?
  • Have you trained employees to recognize phishing emails?
  • Do you remind employees about the dangers of falling victim to clickbait in emails?
  • Do you remind employees about simple password hygiene and to not reuse corporate passwords outside the network?

The best advice we can offer is to use only NCAA-sanctioned bracket applications, through your web browser. Many third-party sites prompt users to create login credentials. In 2017, one such application was observed collecting a username and password and then transmitting them in the clear. Plaintext credential transfer leaves the connection open to sniffing by anyone on the same network path. Since users commonly reuse the same login credentials across multiple websites, an attacker who captures them might gain access to the user's email, bank, or tax preparation accounts, or worse, your corporate network.
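To make the sniffing risk concrete, the following added example (not code from the original post or from any bracket site) shows how little work it takes to recover credentials from cleartext HTTP. It parses a few constructed packet payloads, the kind a sniffer on a shared Wi-Fi network would see, and flags any POST over port 80 whose form or JSON body carries a password-like field. The hostnames, paths and credentials in the samples are invented for illustration; the TLS sample is included only to show that the same login over HTTPS yields nothing parseable.

```python
"""Flag credentials sent in cleartext HTTP, as a packet sniffer on a shared
network would see them. All captures below are constructed for this example;
none come from a real bracket application."""
import json
import re
from urllib.parse import parse_qs

# Field names that usually carry a secret, and those that usually carry the account name.
SECRET_FIELD = re.compile(r"pass(word|wd)?|pwd|secret|pin", re.IGNORECASE)
USER_FIELD = re.compile(r"user(name)?|login|email", re.IGNORECASE)


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, headers, body).
    Returns None when the payload is not readable HTTP, e.g. a TLS record."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers, body


def extract_fields(headers, body):
    """Decode a form-encoded or JSON body into a flat {name: value} dict."""
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        return {k: v[0] for k, v in parse_qs(body).items()}
    if ctype.startswith("application/json"):
        try:
            data = json.loads(body)
        except ValueError:
            return {}
        return {k: str(v) for k, v in data.items()} if isinstance(data, dict) else {}
    return {}


def mask(value):
    """Keep the first character so a finding is recognisable without logging the secret."""
    return value[:1] + "*" * (len(value) - 1) if value else ""


def find_cleartext_credentials(captures):
    """captures: iterable of (dst_port, payload_bytes).
    Returns one finding per POST over port 80 whose body carries a secret field."""
    findings = []
    for port, payload in captures:
        if port != 80:  # 443 is TLS: opaque to a sniffer, nothing to parse
            continue
        parsed = parse_http_request(payload)
        if parsed is None:
            continue
        method, path, headers, body = parsed
        if method != "POST":
            continue
        fields = extract_fields(headers, body)
        secret_keys = [k for k in fields if SECRET_FIELD.search(k)]
        if not secret_keys:
            continue
        user_keys = [k for k in fields if USER_FIELD.search(k)]
        findings.append({
            "host": headers.get("host", "?"),
            "path": path,
            "username": fields[user_keys[0]] if user_keys else None,
            "secret_field": secret_keys[0],
            "secret_preview": mask(fields[secret_keys[0]]),
        })
    return findings


# Constructed sample captures (hostnames and credentials are invented).
SAMPLE_CAPTURES = [
    # A third-party bracket site taking a login over plain HTTP.
    (80, b"POST /login HTTP/1.1\r\nHost: brackets.example\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
         b"username=jdoe&password=CorpPassw0rd!"),
    # A JSON API doing the same thing with different field names.
    (80, b"POST /api/session HTTP/1.1\r\nHost: picks.example\r\n"
         b"Content-Type: application/json\r\n\r\n"
         b'{"email": "jdoe@corp.example", "pwd": "hunter2"}'),
    # An ordinary page fetch with no body: nothing to flag.
    (80, b"GET /bracket/123 HTTP/1.1\r\nHost: brackets.example\r\n\r\n"),
    # The same login over TLS: only an opaque record is visible on the wire.
    (443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + bytes(range(32))),
]

if __name__ == "__main__":
    for f in find_cleartext_credentials(SAMPLE_CAPTURES):
        print(f"{f['host']}{f['path']}: {f['username']} / {f['secret_field']}={f['secret_preview']}")
```

The same logic applies to a real capture file: feed it the destination port and TCP payload of each request and anything it returns is a site that should not be trusted with a password, let alone a reused corporate one. Note that the HTTPS sample produces no finding not because the site is safer by design but because TLS removes the passive observer's view of the body.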

Good luck!

A circuit split on whether actual misuse of personal data is required to have standing to assert data breach claims remains unresolved.  Last week the Supreme Court rejected a petition to review that issue in CareFirst v. Attias.  In CareFirst, the D.C. Circuit joined several other circuits in holding that the threat of misuse of data, in and of itself, gives rise to standing. Other circuits require more concrete harm in the form of actual misuse of data. Until the Supreme Court settles the issue, companies will remain susceptible to data breach lawsuits in jurisdictions adhering to the liberal standard endorsed in CareFirst.

Continue Reading Supreme Court Declines to Address Circuit Split on Data Breach Standing Issue

The Supreme Court on Tuesday will hear arguments in United States v. Microsoft Corp., in which the Court will decide whether a US technology service provider, Microsoft, must comply with a search warrant for data stored in a foreign country. "It's going to set the tone for cross-border data demands on a global scale," said Gregory Nojeim, senior counsel and director of the Freedom, Security, and Technology Project at the Center for Democracy & Technology. All briefs and other documents are catalogued at SCOTUSBlog. We'll be watching.

CNNMoney (2/25)

Mintz Levin Benefits attorney Patricia Moran recently authored an article for the Society for Human Resources Management's latest publication describing the cybersecurity risks involved with 401(k) plan sponsorship. The article is a great resource for employers who sponsor 401(k) or other retirement plans, especially those who share employees' sensitive information with third-party administrators. For the full story, click here.

We've discussed privacy compliance with regulations, legal requirements, etc. in this space since this blog's inception. "Privacy by design," while not a new concept, is certainly enjoying a new spot in the sunshine thanks to the European Union's General Data Protection Regulation ("GDPR") (93 days and counting...) and its codification of "privacy by design and default" in Article 25.

Privacy can also be a key differentiator and a competitive advantage.  Read on for some points that can help drive your data privacy/data management program. Continue Reading How to Leverage Privacy as a Key Competitive Advantage

Mintz Levin’s TCPA and Consumer Calling Practice Team has published its latest TCPA Digest.

This month's issue examines an FCC rulemaking proceeding concerning whether providers should be required to establish a challenge mechanism for incorrectly blocked robocalls. In addition, the Digest examines the factors defendants should consider in deciding whether to make an early offer of judgment (a "Rule 68" offer) in a TCPA class action, and relevant case law about early offers.

The TCPA Digest can be read here.

If your company is one of the broad group of businesses licensed by the New York Department of Financial Services (NY DFS), a very important deadline is bearing down on February 15. Continue Reading Deadline Approaching under NY Cybersecurity Regulations

In case you had not heard, the European Union is replacing its current privacy laws with a new, comprehensive General Data Protection Regulation (GDPR), which takes effect May 25, 2018. The essential principles of the EU's privacy laws are unchanged, but the new Regulation imposes many new obligations on many more entities, all backed by fines modeled on European antitrust law. US life sciences companies are likely to find that the GDPR applies to their use of personal information that originated in the EU. This post suggests some pragmatic steps companies can take to assess and begin to meet their GDPR obligations. The next webinar in our GDPR series, targeted particularly at life sciences and biotech companies, will be coming up in March. Watch this space for more information and registration.

Step 1 – Confirm that the GDPR Applies Continue Reading Practical GDPR Steps for US-Headquartered Life Sciences Companies

The U.S. Supreme Court heard oral arguments in what may become one of the defining consumer privacy cases of our generation. The central question in Carpenter v. United States is whether the government violates the Fourth Amendment by accessing an individual's historical cell phone location records without a warrant. The Court's decision, expected by June 2018, could draw a more concrete legal line for what constitutes a "reasonable search and seizure" when government agencies seek to gather potentially incriminating smartphone data from third-party communication providers. The outcome of the case may significantly reshape consumer expectations of electronic privacy, and even alter the disclosures companies across all sectors must make in their privacy policies.

Continue Reading Carpenter v. United States Privacy Case Pushes Supreme Court to Decide Fourth Amendment Protections of Cell Phone Metadata

The European Commission has launched a new data protection website aimed at educating the public and helping businesses and other organizations comply with their new obligations under the General Data Protection Regulation. The Commission's website contains infographics to help readers get to grips with the key points of the GDPR. It also contains Q&A and examples that may be helpful in assessing when the GDPR's various obligations are triggered in different situations.

While the infographic approach to explaining companies' GDPR obligations has the virtue of simplicity, the Commission's explanation of what smaller companies must do is far from exhaustive and might mislead readers into thinking they are in compliance when they are not. For example, the explanation of the record-keeping requirements lists three criteria that trigger the requirements for companies with under 250 employees (SMEs), but omits a critical "or" between the infographic's second criterion (risky processing of any personal data) and third (processing of sensitive data or criminal records). The criteria are alternatives, so meeting any one of them triggers record-keeping; small companies could easily be misled into thinking that only processing meeting all three requires it.

Larger companies that are subject to the GDPR will likely find the Commission's SME-focused infographics useful, but should approach them with a bit of caution. Their data processing activities will require record-keeping regardless, and since larger companies are typically more complex, deeper analysis may be needed to get to grips with their GDPR obligations.

That said, companies looking for a digestible, visually engaging explanation of their responsibilities under the GDPR will find this a useful addition to their GDPR preparation toolkit.