
Privacy & Security Matters

Mintz Levin : Data Compliance & Security, Employee Privacy Lawyer & Attorney

Privacy Monday – May 4, 2015: Shaping Up — Update on the EU’s Draft General Data Protection Regulation

Posted in Data Breach, Data Breach Notification, EU Data Protection Regulation, European Union, Events and Webinars, Uncategorized

On this Privacy Monday, we can definitely say that the long winter of our discontent (at least for some of our readers) is over. Happy spring!

In case you missed it, last Wednesday we presented the fourth in our Wednesday Webinar series on the progress of the EU draft Data Protection Regulation and what we might expect.

The EU’s draft General Data Protection Regulation is moving towards its final form now that the Council of the European Union has provided its views on most of its provisions.  Although the Council, Parliament and Commission need to negotiate the final form of the Regulation through the “trilogue” process, the overall outline of the Regulation is fairly clear.  Subject to the trilogue process, here’s a re-cap of what we expect to see:

The new Regulation will have a broader definition of personal data and will apply directly to data processors as well as data controllers.  Organizations based outside the EU will be covered if:

  • the data processing relates to an offer of goods or services to people in the EU (including free goods or services) OR
  • the data processing is aimed at monitoring people in the EU.

The Regulation will most likely include the following features:

  • Risk of very high fines based on a multiple of group global turnover
  • Mandatory appointment of Data Protection Officers in some or most circumstances
  • Privacy Impact Assessments
  • Data Breach Notification (stringency under negotiation)
  • New super-regulator: European Data Protection Board
  • One-Stop Shop (potentially with significant modification per the Council draft)
  • Non-EEA “adequacy” determinations can be sector-specific
  • COPPA-like parental consent for kids
  • Privacy Seals/Certifications promoted as a way to help companies show compliance with the law
  • Right to Erasure/Right to be Forgotten
  • Data portability
  • No more registration with national data protection authorities

To access the webinar recording, please click here.


Next up: The Long Reach of COPPA.  Don’t forget to mark your calendars for the next presentation in our year-long series – Wednesday, May 27, 2015 from 1-2 pm EDT.  Remember, CA and NY CLE credit is available.

This webinar, the fifth in our Privacy series, will explain the Children’s Online Privacy Protection Act and how it is enforced by federal and state governments. We will discuss how to determine whether an online service is subject to COPPA and if so, the various compliance options. We will also focus on lessons learned from the Federal Trade Commission’s most recent settlements over alleged COPPA violations. The webinar will be presented by Julia Siripurapu and Ari Moskowitz of Mintz Levin’s Privacy & Security practice group.

Registration is open – please click here.


NAIC Adopts Cybersecurity Regulatory Principles – What’s Important to the Regulators

Posted in Cybersecurity, Privacy Regulation, Security

File this under: A View Into What the Regulators Deem Important.  The National Association of Insurance Commissioners (NAIC), the standard-setting organization in the U.S. insurance industry created and governed by the chief insurance regulators from the 50 states, the District of Columbia, and five U.S. territories, recently published its “Principles for Effective Cybersecurity: Insurance Regulatory Guidance” (the “NAIC Guidance”).


Target and Card Issuers Dispute Use of MasterCard Settlement to Resolve Data Breach Claims

Posted in Class Action Litigation, Cybersecurity, Data Breach, Privacy Litigation

In the wake of Target’s April 15 announcement of a private $19 million settlement of the data breach claims of MasterCard-issuing banks, counsel representing the putative card issuer class in the consolidated Target data breach litigation moved to enjoin the proposed settlement, arguing that it is an improper end-run around the Minnesota federal court’s adjudication of card issuer claims.  Target has responded that the settlement appropriately uses dispute resolution processes in MasterCard’s operating agreements to address breach-related losses, and employs a process that has been endorsed by other federal courts in prior data breach cases.  The motion awaits action by Judge Magnuson, who is presiding over the consolidated cases pending against Target.

Privacy Monday – April 27, 2015

Posted in Cybersecurity, Events and Webinars, Privacy Monday, Privacy Regulation

Some privacy & security bits and bytes to start your week:

FCC to Hold Public Workshop on Broadband Consumer Privacy Tomorrow

Over the last several months, the Federal Communications Commission has taken on a significantly expanded role on consumer privacy protection issues.  Two developments point the same way: the FCC’s expanded notion of the type of personal information subject to its authority under Section 222 of the Communications Act, which surfaced in the TerraCom and YourTel cases last year, and its recent reclassification of broadband Internet access service as a Title II telecommunications service, which was accompanied by a determination that the privacy requirements in Section 222 applicable to telephony could be extended to broadband service.  Taken together, the FCC is showing every intention of expanding its reach over privacy issues.

In the order reclassifying broadband service, the FCC recognized that the currently effective privacy rules are not a good match for broadband Internet access service, as those were written with telephone service in mind. For example, those rules include provisions for the use and disclosure of Customer Proprietary Network Information (CPNI) in connection with voice mail and caller I.D. Therefore, while the FCC applied the statutory privacy requirements of Section 222 to broadband service providers, it forbore from applying its rules implementing that statute pending further proceedings.

The FCC kicks off those further proceedings tomorrow with a public workshop on Broadband Consumer Privacy.  The workshop will include discussions of what subscriber information is collected by broadband Internet access service providers and how that information is used.  There will also be a panel discussion of how Section 222 applies to broadband services.  Speakers include FCC Chairman Tom Wheeler and other members of the FCC, as well as representatives from local governments, academia, public interest groups, and broadband service providers.  The Commission will also provide audio and video coverage of the discussion on the FCC’s Web page at www.fcc.gov/live.

RSA Conference 2015

It is clear that “security” is a big industry: there were more than 30,000 attendees with more than 9 acres of exhibitor space at last week’s record-breaking RSA Conference 2015 in San Francisco.  BankInfoSecurity has published a “visual journal” here.  I must say, I need to hang out with these guys next year.  They are masters of the swag bag.  CSO Online also has posted an interesting summary of the week here.

From the legal side, Smeeta Ramarathnam, the chief of staff to SEC Commissioner Luis Aguilar, told a Thursday morning panel that the Securities and Exchange Commission (SEC) is about to enter a “time of great change” as it pertains to regulation for disclosing cyber security incidents.

In the discussion, called “Full Disclosure: What Companies Should Tell Investors about Cyber Incidents,” Ramarathnam, along with Jonas Kron, director of shareholder advocacy with Trillium Asset Management, discussed the growing concerns and sense of responsibility boards of directors face in the wake of high-profile breaches, which will indelibly engage investors’ attention.

“Hardly a day goes by without another breach being reported,” Ramarathnam said, explaining that the SEC is tasked with formally overseeing security incidents or issues that would impact the integrity of market systems, customer data protection and disclosure of material information.

The SEC’s Division of Corporation Finance published guidance in 2011 to make companies aware of the agency’s views on what needs to be reported as material information related to cyber incidents.  Ramarathnam noted that the guidance provided context for existing SEC rules but imposed no new regulatory obligations on organizations.  Although she did say she expects “much more to come in way of requirements from the SEC” in reporting and disclosure of cybersecurity risks and incidents, by the end of the panel she had walked that statement back a bit.

REMINDER – Wednesday Webinar – April 29

Don’t miss the next in our 2015 Privacy Webinar series coming up this Wednesday.  Mintz Levin’s Sue Foster will be discussing Compliance with EU Data Protection for US Companies.  Register here.


FCC Chairman Tom Wheeler Speaks about Cybersecurity at RSA Conference

Posted in Cybersecurity, Legislation, Privacy Regulation, Security

As cyber week continues in Washington, Federal Communications Commission Chairman Tom Wheeler traveled to the west coast to speak about cybersecurity at the RSA Conference in San Francisco.  Wheeler noted that the FCC has several charges to protect against cyber-attacks and similar threats, including the agency’s responsibility to protect the safety of communications networks generally, as well as its responsibility to protect the privacy of consumer data collected by communications providers.

Wheeler centered his remarks on information sharing and accountability by the private sector.  He suggested that the communications industry’s approach to 911 calls – a combination of industry best practices and rules requiring that network outages be reported to the government – could serve as a model for cybersecurity information sharing, and that cyber-attacks should be subject to similar reporting requirements.

He praised the work of the National Institute of Standards and Technology for its Critical Infrastructure Framework, and the FCC’s cybersecurity advisory committee, the Communications Security, Reliability and Interoperability Council (“CSRIC”) for its recommendations, released last month, to assist and encourage communications providers with implementing NIST’s voluntary framework.  He focused specifically on one of CSRIC’s accountability proposals – that members of the communications sector periodically meet with the FCC to discuss their companies’ cyber-risk management efforts.  He acknowledged that the FCC’s goal is not to micromanage implementation of the NIST framework by communications companies, but instead to learn whether the framework and companies’ efforts are actually working to mitigate risk.  He stated that the meetings will not be framed as depositions and sensitive information shared would be protected from public disclosure, but that many of the details regarding the meetings still need to be worked out.  The FCC is seeking comment on this and the other CSRIC recommendations until June 26, 2015.

And, back in Washington, the House of Representatives passed the Protecting Cyber Networks Act on a 307-116 vote over the concerns of civil liberties groups.  Read more:

Wired 

PC World

New York Times

It’s Cyber Week in Washington, DC — and RSA Conference Week in San Francisco

Posted in Cybersecurity, Legislation, Privacy Regulation

Security is on the agenda from coast to coast this week.

Cybersecurity information sharing legislation will hit the House floor this week.  H.R. 1731, the National Cybersecurity Protection Advancement Act was reported out of the House Committee on Homeland Security on April 17, and H.R. 1560, the Protecting Cyber Networks Act was moved by the House Permanent Select Committee on Intelligence on April 13.  The two bills will likely be merged before coming to a vote.  Similar to the Cybersecurity Information Sharing Act moving through the Senate – the most recent version of which, S. 754, was reported out of the Senate Select Committee on Intelligence in March – both House bills authorize and provide liability protections for companies to, for cybersecurity purposes, monitor their networks and share information on cybersecurity threats with both the government and other private companies.  The bills also authorize the use of defensive measures to protect networks from malicious threats, though they contain limits designed to restrict so-called “hack back” techniques.

Both bills include privacy protections designed to safeguard personal information and restrict companies from sharing it with either the government or other private entities, but some privacy advocates are still concerned about the adequacy of these safeguards.  Privacy has remained a hot-button issue surrounding cyber information sharing legislation since Edward Snowden’s exposure of the National Security Agency’s bulk collection of telephone metadata and PRISM surveillance program.

And, the RSA Conference — “where the world talks security” — opens today in San Francisco.  The conference kicks off this morning with a keynote by RSA President Amit Yoran and another later in the day by Department of Homeland Security Secretary Jeh Johnson, but yesterday things were already getting rolling as the Cloud Security Alliance held its CSA Summit, focusing on enterprise cloud adoption and security lessons learned.  Trusted Computing Group had its panel discussion combining mobile computing, Internet of Things, and cloud security.  Follow the RSA Conference blog for summaries and updates.


Thanks to Mary Lovejoy for the Washington update.

WEBINAR: Compliance with EU Data Protection Laws for US Companies

Posted in EU Data Protection Regulation, Events and Webinars, Privacy Regulation

Register now for the fourth installment in our monthly 2015 Privacy Wednesday webinar series, coming up next Wednesday, April 29th at 1:00 pm ET.

Susan Foster, a CIPP/E in Mintz’s London office, will consider issues faced by US companies who do business in Europe or simply interact with European customers.  We will look at how to determine whether EU data protection laws apply to you, and what you need to do to comply.  We will also provide an overview of the upcoming major overhaul of EU data protection laws in the form of the draft Data Protection Regulation, which is likely to be finalized in late 2015 or 2016.

A link to our registration page is here.


UPDATE: Target Confirms It Has Negotiated A $19 Million Data Breach Settlement With MasterCard

Posted in Class Action Litigation, Data Breach, Privacy Litigation

Target confirmed a report in the Wednesday edition of The Wall Street Journal of a settlement with MasterCard concerning claims of card issuers arising from Target’s 2013 data breach.  The data breach, which occurred during the post-Thanksgiving holiday shopping season, compromised over 40 million credit and debit cards used to make purchases at Target stores.  The settlement has not been presented to the court for approval but was described in a press release issued by Target after the close of business on Wednesday.  The settlement proposes payment of up to $19 million (previous reports had indicated a fund of $20 million) to reimburse issuers of MasterCard-branded payment cards for costs arising from reissuance of cards compromised by the data breach.  Target’s obligation to proceed with the settlement is conditioned on acceptance by issuers of at least 90% of the eligible payment card accounts.  Target indicates in its press release that it intends to “defend itself vigorously against any assessments made by MasterCard on behalf of MasterCard issuers that do not accept their offers.”  In order to accept Target’s offer, settling issuers must agree to release all claims that they may have against Target arising from the data breach.  The press release also states that the potential $19 million cost of the MasterCard settlement is included in the total cost of the data breach disclosed in Target’s public securities filings (reported at 2014 year end to be $252 million before insurance offsets).

According to Target’s Wednesday press release, issuers that accept the MasterCard settlement are expected to be paid “by the end of the second quarter of 2015.”  Based on the description of the settlement and the expected timing, it appears that the MasterCard settlement will take place entirely outside of the card issuer class action that is still pending in federal court in Minnesota, although any releases given in connection with the MasterCard settlement would finally resolve claims of settling issuers as to MasterCard payment cards compromised by the breach.  The proposed settlement would not affect outstanding claims on behalf of issuers of other types of payment cards (including Visa, Discover and American Express cards).

Report: Target Close To $20M Data Breach Settlement With MasterCard

Posted in Class Action Litigation, Data Breach, Privacy Litigation

According to a report published today in The Wall Street Journal, Target and MasterCard are close to reaching a settlement of the claims of MasterCard-issuing institutions in connection with Target’s 2013 data breach.  The settlement would reimburse the cost of reissuing debit and credit cards compromised by the breach, as well as a portion of the resulting fraudulent charges made using stolen payment card numbers.  A $20 million settlement would be comparable to the amount paid by TJX Cos. to MasterCard in connection with the 2008 TJX data breach.  News of a potential card issuer settlement comes less than one month after Target and class counsel filed papers seeking court approval of a proposed class settlement of consumer claims arising from that same data breach.  Sources informed the Wall Street Journal that a definitive MasterCard settlement could be announced as soon as this week.

Privacy Monday – April 13, 2015

Posted in Privacy Monday

Spring has finally arrived on the East Coast, and not a moment too soon.

Here are 3 privacy & security bits and bytes to start your week.

ICYMI – 60 Minutes’ Steve Kroft Story on Why the Sony Hack is Important

Fascinating piece by a reporter who has been looking at cybersecurity/cyberwarfare issues for 15 years.  “You don’t have to be a superpower to inflict damage on US corporations….”  Watch the entire story here.  (Full disclosure – Mintz client Cylance is prominently featured in this story.)


As a Follow-on:  New RSA Breach Readiness Survey Finds Majority Not Prepared

Now that you have seen the 60 Minutes eye-opener, read the latest study released by RSA, The Security Division of EMC, just ahead of next week’s RSA Conference in San Francisco.  The opening few lines preview the content of Failures of the Security Industry: Accountability and Action Plan:

The information security industry is losing the cyberwar.  Make that cyberwars.  Plural.  Black hat “hacktivists,” organized crime syndicates, state-sponsored operatives, terrorists, and other threat actors attack computer systems and critical infrastructure on multiple fronts across the globe with seeming impunity….Cybercrime hurts the global economy.

Download the white paper here.

This is one you have to see – IT Governance, a UK consultancy, has a blog post with pictures: screen shots from live TV broadcasts that leaked passwords.  One is from the Super Bowl: a live shot showing the credentials for the stadium’s wireless network.  A password written on a whiteboard or a sticky note is only as secret as the next camera pointed at it, and any credential exposed this way should be treated as compromised and rotated.  Take a look at the article and pictures here.
