Photo of Julia Siripurapu

Julia Siripurapu is a Member in the firm’s Boston office and a Certified Privacy Professional (CIPP). She focuses her practice on commercial transactions involving technology and intellectual property and data privacy and security. Julia regularly advises clients of all sizes, from start-ups to large private and public companies, in the structuring, drafting, and negotiation of complex domestic and cross-border transactions involving technology licensing and development, systems integration and implementation, cloud computing, outsourcing of IT systems and business processes, strategic collaborations, and other business transactions directed to the use, transfer, and development of technology and other intellectual property assets.

 

Last week, Snap Inc. (“Snap” or the “Company”) – the parent company of the wildly popular app Snapchat (“Snapchat” or the “App”) – became a publicly traded company on the New York Stock Exchange in the biggest tech IPO since Alibaba in 2014.  Priced at $17 per share, the Snap stock opened at $24 per share on Thursday morning and closed at $24.48 per share, bringing the Company’s market capitalization to approximately $28 billion. In today’s post, we’re taking a closer look at Snap’s S-1 filing (“Snap S-1”) with the U.S. Securities and Exchange Commission (SEC) with a particular focus on the Company’s disclosures of risk factors associated with cybersecurity and privacy risks.  Continue Reading A Deep Dive into Privacy/Security Disclosures in Snap’s S-1

You may not realize how much personal information your insurance company has about you. Scarier still is that much of this data is sensitive and valuable to hackers – such as your Social Security number, financial information, medical history, even itemized schedules of your most expensive personal property.  As data breaches affecting insurers have piled up in the past couple of years (Anthem, Premera Blue Cross and Blue Shield, Excellus Health Plan, UCLA Health System just to name a few), so too have calls for stronger data security protections applicable to insurance data.  In response, the CyberSecurity Task Force of the National Association of Insurance Commissioners (“NAIC”), the standard-setting organization in the U.S. insurance industry created and governed by the chief insurance regulators from the 50 states, the District of Columbia, and five U.S. territories (“Task Force”) is racing to finish its Insurance Data Security Model Law (“Model Law” or “Law”) by the end of this year so that states can begin the adoption process as early as 2017.  Continue Reading Insurance Regulators Fine Tuning Cybersecurity Guidance

It is easy to see networks all around us. The printers at the office, your child’s videogame, the food ordering app on your phone, the fitness band or smart watch on your wrist, the electricity grid for your city, the self-driving cars being tested on our roads, all rely at least in part on networked solutions.  The ubiquity of networks is already staggering and the pace of research and development in this area is poised to increase for years to come.  As the things in our world get smarter and the network of these smart things grows larger, a little-known agency in the U.S. Department of Commerce, the National Institute of Standards and Technology (“NIST” or “Agency”), decided it was time that stakeholders smartened up about the way they discuss networks, connected “smart” things, and the privacy and security challenges associated with them.  Continue Reading Let’s talk about Networks of Things, baby. Let’s talk about you and me.

Colorado is the latest state to revisit, and expand upon, its laws pertaining to the use and protection of student data. Colorado Governor John Hickenlooper recently signed into law House Bill 16-1423 (the “Bill”) designed to increase the transparency and security of personal information about students enrolled in Colorado’s public education system (K-12).  Described by its sponsors and the media as “nation-leading” with respect to the extremely broad scope of the definition of “student personally identifiable information”, the Bill imposes additional, detailed requirements on the Colorado Department of Education, the Colorado Department of Education, the Colorado Charter School Institute, school districts, public schools, and other local education providers (each, a “Public Education Entity”) and commercial software providers (including education application providers) with respect to the collection, use, and security of student data. In this blog post, we focus only on the duties of commercial software or education application providers. Continue Reading Colorado Student Data Privacy Bill – What EdTech software providers need to know

Last week, the Federal Trade Commission (FTC) announced (press release) that Practice Fusion, the largest cloud-based electronic health company in the United States, has agreed to settle FTC charges over deceptive practices involving the public disclosure of healthcare provider review information collected from consumers that included sensitive personal and medical information. Below is our review of the circumstances of the basis of the FTC complaint, a summary of the terms of the settlement, and a few pointers on how to avoid a similar situation.    There are many lessons to be learned from this FTC complaint for all online providers, not only EHR providers.   Read on ….. Continue Reading Practice Fusion and FTC Settle Complaint Over Deceptive Statements About the Privacy of Consumer-Generated Online Content

Sophisticated phishing scams and muscular hacking efforts continue to compromise personal and sensitive information held by insurers, hospital systems, and businesses large and small. In response, many states have strengthened their data breach notification and have enacted data security laws to enhance data protection obligations imposed on data collectors and to ensure that residents and state regulators receive prompt and adequate notice of security breaches when they do occur.  By mid-summer, a range of new measures will be going into effect in Nebraska, Nevada, Rhode Island and Tennessee. Be sure to review the latest edition of the Mintz Matrix for these new measures.  Continue Reading Illinois Joins the Fray: Strengthens its Laws Around Data Breach Notification and Data Security

The Payment Card Industry Security Standards Council (PCI SSC) has released a new version of its data security standard for the protection of cardholder data, the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers as well as all other entities that store, process, or transmit cardholder data and/or sensitive authentication data. PCI DSS is administered by the PCI SSC, which was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.

The newly published version, PCI DSS version 3.2 (PCI DSS 3.2), contains the following three types of changes:   Continue Reading PCI DSS 3.2: It’s here, what does it mean for you?

Yesterday, we reviewed the staggering numbers in California Attorney General Kamala Harris’ 2016 Data Breach Report.california-flag-graphic

In addition to providing a comprehensive analysis of four years of data breaches, the report provides what is an answer to the vexing question of what her office considers to be “reasonable security.”

Continue Reading California by the Numbers (Part 2): How to Stay out of the 2017 Report

Look for Part 2 tomorrow:  Recommendations on how to stay out of future reportscalifornia-flag-graphic

California Attorney General Kamala Harris has released a report of the data breaches that have been reported to her office from 2012 until 2015. Although the California data breach notification law took effect in 2003, beginning in 2012, businesses and government agencies have been required to notify the Attorney General of data breaches affecting more than 500 California residents.

The number of personal records that were compromised is staggering; 178 breaches were reported during 2015 and 24 million personal records were compromised.

Continue Reading California by the Numbers (Part 1): 24 Million Compromised in 2015

The recent data breach of Hong Kong-based electronic toy manufacturer VTech Holdings Limited (“VTech” or the “Company”) is making headlines around the world for good reason: it exposed sensitive personal information of over 11 million parents and children users of VTech’s Learning Lodge app store, Kid Connect network, and PlanetVTech in 16 countries! VTech’s Learning Lodge website allows customers to download apps, games, e-books and other educational content to their VTech products, the Kid Connect network allows parents using a smartphone app to chat with their children using a VTech tablet, and PlanetVTech is an online gaming site. As of December 3rd, VTech has suspended all its Learning Lodge sites, the KidConnect network and thirteen other websites pending investigation. Continue Reading Happy Holidays: VTech data breach affects over 11 million parents and children worldwide