Cynthia Larose is a Member in Mintz Levin’s Corporate Group and leads our Privacy and Security practice. She is a Certified Information Privacy Professional, working with clients in various industries to develop comprehensive information security programs on the front end, and providing timely counsel when it becomes necessary to respond to a data breach.
If you are one of the many businesses licensed by the New York Department of Financial Services (DFS), and cannot avail yourself of the (very) limited exemptions, you must be ready for the first compliance transition date for the stringent DFS cybersecurity regulations – August 28, 2017.
Just in case you’d forgotten, the DFS cybersecurity regulations became effective March 1, 2017 and you can refresh your memory here. Continue Reading Are You Ready for the New York August 28th Compliance Deadline?
Recently, the Electronic Privacy Information Center (“EPIC”) asked the FTC to begin an investigation into a Google program called “Store Sales Management.” The purpose of Store Sales Management is to allow for the matching of goods purchased in physical brick and mortar stores to the clicking of online ads, or as we refer to the practice, “Bricks to Clicks.”
The significance of this is immense. No longer will advertisers have to wonder how much revenue can be tied to a specific campaign; instead, Store Sales Management will give them insight into how actual consumers who viewed advertisements purchased certain products. Continue Reading FTC Asked to Investigate Google’s Matching of “Bricks to Clicks”
If you are a retailer with locations in New Jersey, you will need to review your procedures in anticipation of a new law effective October 1, 2017.
New Jersey Governor Chris Christie has signed the Personal Information Privacy and Protection Act (we can now add #PIPPA to the alphabet soup of privacy acronyms…), which limits the ability of retailers to collect PII scanned from customer driver’s licenses and identification cards and restricts the usage of any PII collected for the purposes identified in the Act.
In recent years, retailers have commonly begun scanning the barcodes on customer ID cards to verify the authenticity of an ID presented, verify identity when credit cards are used, or to prevent and control fraudulent merchandise return practices (or to identify consumers who abuse return policies).
Under PIPPA, retailers will only be permitted to scan ID cards to:
- Verify the card’s authenticity or the person’s identity, if the customer pays for goods or services with a method other than cash; returns an item; or requests a refund or exchange.
- Verify the customer’s age when providing age-restricted goods or services to the customer.
- Prevent fraud or other criminal activity if the person returns an item or requests a refund or an exchange and the retailer uses a fraud prevention company or service.
- Establish or maintain a contractual relationship.
- Record, retain, or transmit information as required by state or federal law.
- Transmit information to a consumer reporting agency, financial institution, or debt collector to be used as permitted by federal laws, including the Fair Credit Reporting Act, Gramm-Leach-Bliley Act, and Fair Debt Collection Practices Act.
- Record, retain, or transmit information by a covered entity under HIPAA and related regulations.
PIPPA prohibits retailers from sharing the information with marketers or other third parties that are unknown to consumers. It is unlikely that an online privacy notice describing sharing of scanned ID information with third parties would comply with PIPPA. In-store notice of any such practices will likely be required.
The big “however” in this legislation is the restrictions on retention of the information when collected for the permitted purposes. Under PIPPA, businesses cannot retain information related to how the customer paid for the goods, whether the customer returned an item or requested a refund, and cannot store ages. Retailers will only be permitted to collect the customer’s name, address, and date of birth; the issuing state; and the ID card number. Any of this information collected from scanned ID cards is required to be “securely stored” and PIPPA makes it clear that any security breach of this information is subject to New Jersey’s data breach notification law and must be reported to any affected individual and the New Jersey State Police.
And there are penalties. PIPPA provides civil penalties of $2,500 for a first offense, and $5,000 for any subsequent offenses. Further, the law allows for “any person aggrieved by a violation” to bring an action in NJ Superior Court to recover damages.
The “business compromise email” is what the FBI calls the “$5 billion scam,” but apparently an insurance company did not agree with an insured company that they had been the victim of a crime.
A federal court recently found that a crime policy afforded coverage for a $4.8 million wire transfer that an insured company was duped into making. See Medidata Solutions, Inc. v. Federal Ins. Co., 15-CV-907 (SDNY July 21, 2017). In this case, the thief took advantage of “real” facts, posing as the insured’s attorney for a corporate transaction. More specifically, the insured was contemplating an acquisition and, as part of that process, the president instructed the finance department to be prepared, on an urgent basis, to assist with the transaction. Continue Reading Court Holds Crime Policy Covers Business Compromise Email Loss
Decisions you make when founding and/or investing in an insurtech venture can dictate your regulatory obligations, tax liability, operational structure and, ultimately, profitability.
Here are five seemingly simple questions to ask when launching an insurtech venture (and do not miss question #3): Continue Reading Five Questions for Investors in Insurtech
Oregon’s legislature recently expanded the scope of statutory consumer protections by passing a bill to amend the state’s Unlawful Trade Practices Act (the “Act”). Recently, Oregon’s Governor Kate Brown signed H.B. 2090 into law after near unanimous passage by state lawmakers. The bill is particularly notable because it squarely targets online commerce and imposes liability on businesses for publishing false or misleading online privacy policies. Continue Reading Oregon Ramps up State Consumer Protections in an Era of Deregulation
It seems as though we have been writing about this case for a lifetime. Target Corporation’s data breach saga came one step closer to a conclusion this week. On Tuesday, Target reached an $18.5 million settlement with 47 states and the District of Columbia to resolve the states’ investigation into the company’s 2013 data breach. Alabama, Wisconsin, and Wyoming were not part of the settlement. Continue Reading Target Reaches $18.5 Million Dollar Settlement in Data Breach with States
The latest edition of the Mintz TCPA Digest has been published and you can read it hot off the presses, here.
This month’s issue features updates on the latest regulatory activities and an article on a potential ruling that could have major implications for pending and future TCPA cases.
Mintz Levin’s TCPA and Consumer Calling Practice team should be on your speed dial.
Amid the flurry following former FBI Director James Comey’s firing last week, President Trump marked his 111th day in office on Thursday, May 11th by signing an executive order targeting national cybersecurity.
The long-awaited order is the first step in fulfilling Trump’s promise to address national cybersecurity concerns and it arrives as threats of international hacking and cyberattacks reach an all-time high. It establishes three overarching cybersecurity priorities for the United States: (1) protecting federal networks, (2) reinforcing critical IT infrastructure, and (3) protecting the American public in the online space. The full text of the executive order can be found here.
While the order includes few actionable items, it sets strict deadlines for government agencies to produce risk reports and recommendations for improving their data security practices, signifying an important call to action from the executive branch that places risk management at the forefront.
Modernizing & consolidating federal networks
Consolidating to the cloud will likely be the first major step toward overhauling the government’s administration-wide cybersecurity protocol. In a press briefing last Thursday, White House Homeland Security Advisor Tom Bossert addressed what he views as fractured, agency-specific IT security practices across the government, noting that “[if] we don’t move to shared services, we have 190 agencies all trying to develop their own defenses against advanced collection efforts.”
The move to modernize is an extension of similar efforts from the Obama administration to bolster cybersecurity, an area in which Bossert says the administration made “a lot of progress … [but] not enough.” In line with advancing these efforts, the executive order requires federal agencies to use the Framework for Improving Critical Infrastructure Cybersecurity developed in 2014 by the National Institute of Standards and Technology (“NIST”) to manage cybersecurity risk. Coincidentally, the Framework may be revised soon as the NIST recently closed a comment period on an updated draft that it circulated in January 2017, and per the executive order any successor document to the Framework will become the operative version to be used by government agencies. Separately, Rep. Will Hurd (R-TX), Chairman of the House Information Technology Subcommittee, recently reintroduced H.R. 2227, the “Modernizing Government Technology Act,” which secures more efficient funding for the modernization of federal IT infrastructure and is expected to hit the floor of the House of Representatives within the next couple of weeks.
Reinforcing critical infrastructure
The second prong of the executive order requires the Secretary of Homeland Security to prepare an audit of potential vulnerabilities across the country’s infrastructure systems – from financial and telecommunications systems to utilities including water and electricity. Improving transparency about the security gaps in these systems is crucial, especially as traditional data breaches are losing ground to more devastating Distributed Denial of Service (DDoS) botnet attacks made possible by the growing Internet of Things, or “IoT” (see our blog post here for a discussion of the House’s efforts to address growing security concerns around the IoT).
Protecting the public online
Finally, President Trump’s executive order urges policies aimed at protecting U.S. citizens from domestic and foreign online threats. In addition to increasing the number of cybersecurity experts working with the White House, Bossert suggested that following through on such policies will require greater partnerships between the federal government and the private sector. Indeed, the government currently relies on technology from large, long-time vendors, many of which may not be prepared to grapple with the significant and evolving risks becoming apparent across the data security landscape. Independent technology startups are proving to be the heart of progress in new cybersecurity measures, and the government will need to cultivate solid relationships with these players if it wants to stay ahead in the cybersecurity arena.
President Trump’s executive order has received some criticism for its breadth, but overall has been commended by cybersecurity experts as a balanced step in the right direction. Time will tell whether the resulting policies will make a meaningful difference in the country’s ability to fend off attackers in the ever-evolving online battleground.