Archives: Privacy Monday

The news continues to pour in about the two-part massive hack into the federal government’s Office of Personnel Management (OPM) and the compromise of personal information of millions of present and former federal employees.

Today’s Privacy Monday has 3 things you should know about the incident.

Continue Reading Privacy Monday – June 15, 2015 – OPM Hack

Happy June – the first day of meteorological summer!

In the last month, both a federal and a state court denied coverage for claims relating to an insured’s handling of electronic data. In the first case, a federal court held that there was no coverage under a cyber insurance policy for a claim alleging that the insured had intentionally refused to return electronic financial data. In the second, a state supreme court held that there was no coverage under a general liability policy for a claim alleging that the insured had lost computer tapes storing personal information. Both decisions illustrate the importance of the specific language contained in an insurance policy, since that language determines the scope and breadth of the coverage actually afforded under the policy.

Continue Reading Privacy Monday – June 1, 2015 – Courts Affirm Insurers’ Denial of Coverage for Electronic Data Claims

It’s Monday morning — do you know your privacy/security status?

Here are a few bits and bytes to start your week.

SEC to Registered Investment Advisers and Broker-Dealers:  It’s Your Turn to Pay Attention to Cybersecurity

The Division of Investment Management of the Securities & Exchange Commission (SEC) has weighed in on cybersecurity of registered investment companies (“funds”) and registered investment advisers (“advisers”) as an important issue because both funds and advisers increasingly use technology to conduct their business activities, and need to protect confidential and sensitive information related to these activities from third parties.  That information includes information concerning fund investors and advisory clients.   We’ve summarized key points from the recently-issued Guidance.

The Guidance recommends a number of measures that funds and advisers may wish to consider in addressing cybersecurity risk, including:

  • Conduct a periodic assessment of:
    • the nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses;
    • internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems;
    • security controls and processes currently in place;
    • the impact should the information or technology systems become compromised; and
    • the effectiveness of the governance structure for the management of cybersecurity risk.
  • Create a strategy that is designed to prevent, detect and respond to cybersecurity threats. Such a strategy could include:
    • controlling access to:
      • various systems and data via management of user credentials;
      • authentication and authorization methods;
      • firewalls and/or perimeter defenses;
      • sensitive information and network resources;
      • network segregation;
      • system hardening; and
      • data encryption.
    • protecting against the loss or exfiltration of sensitive data by:
      • restricting the use of removable storage media; and
      • deploying software that monitors technology systems for:
        • unauthorized intrusions;
        • loss or exfiltration of sensitive data; or
        • other unusual events.
    • data backup and retrieval; and
    • the development of an incident response plan.
      • Routine testing of strategies could also enhance the effectiveness of any strategy.
  • Implement the strategy through:
    • written policies and procedures; and
    • training that:
      • provides guidance to officers and employees concerning applicable threats and measures to prevent, detect and respond to such threats; and
      • monitors compliance with cybersecurity policies and procedures.

Most of this should not be a surprise to any business dealing with sensitive financial information these days, but a recent SEC cybersecurity sweep examination by the SEC’s Office of Compliance Inspections and Examinations (OCIE) found that 88 percent of the broker-dealers (BDs) and 74 percent of the registered investment advisers (RIAs) they visited experienced cyber-attacks directly or indirectly through vendors.

Penn State University Confirms Cyberattack Originated in China

If you’re studying at Penn State’s College of Engineering, you will not have access to the Internet for a while.  The University said last week that of two recent cyber attacks at the College, at least one was carried out by a “threat actor” based in China.   Penn State was alerted to a breach by the FBI in November and has been investigating since – during that time, a 2012 breach was also discovered.   The 2012 breach apparently originated in China, and compromised servers containing information on about 18,000 people.

For more:  Cyberattack on Penn State University

Digital Advertising Alliance to Enforce Mobile App Principles

Starting September 1, the Digital Advertising Alliance (DAA) will begin to enforce its Application of Self-Regulatory Principles to the Mobile Environment.   The DAA issued the mobile principles back in July of 2013 (see our post here), but delayed enforcement while the DAA implemented a choice mechanism for the mobile environment.  Mobile tools for consumers were released in February:  App Choices and the Consumer Choice Page for Mobile Web.

The Guidance addresses mobile-specific issues such as privacy notices, enhanced notices and opt-out mechanisms for data collected from a particular device regarding app use over time and cross-app data; privacy notices, enhanced notices and opt-in consent for geolocation data; and transparency and controls — including opt-in consent — for calendar, address books, photo/video data, etc. created by a user that is stored on or accessed through a particular device.

After September 1, any entity that collects and uses any of this type of data will be required to demonstrate compliance with the Guidance or risk being subject to the DAA’s accountability mechanism.

REMINDER — UPCOMING PRIVACY WEDNESDAY WEBINAR

Don’t forget to register for the next in our Privacy Wednesday Webinar series:  The Long Reach of COPPA.   Webinar is eligible for NY and CA CLE credit — register here.

On this Privacy Monday, we have some upcoming events that you might want to add to your calendar.

Wednesday, May 13 – Mintz Employment Law Summit (Boston)

A discussion of hot topics facing employers, including Privacy in the Workplace.  Free event, breakfast and lunch included.   Register here.

Wednesday, May 13 – National Security, Privacy, and Renewing the USA PATRIOT Act, Hudson Institute, NY

Live streaming starts at noon. #PATRIOTAct.  More information here.

Wednesday, May 13 – Ninth Annual Law & Information Society Symposium – Fordham Law School

Trends in the global processing of data, developments in new technologies, privacy enforcement actions and government surveillance put international privacy at the center of the global law and policy agenda. Government regulators, policymakers, legal experts, and industry players need to find solutions to cross-border conflicts and to the issues presented by innovative technologies. This conference seeks to create a robust, but informal dialog that will explore possible solutions to current questions arising from the international legal framework, infrastructure architecture and commercial practices.   Information here.

Thursday, May 14 – IAPP KnowledgeNet (Boston area)

Learn about data privacy issues posed by wearables, wellness tracking apps, company wellness programs and other technologies and services here in the U.S. and abroad.   Register here.

Monday, May 18 – 36th IEEE Symposium on Security & Privacy – Fairmont Hotel (San Jose)

Since 1980, the IEEE Symposium on Security and Privacy has been the premier forum for presenting developments in computer security and electronic privacy, and for bringing together researchers and practitioners in the field. The 2015 Symposium will mark the 36th annual meeting of this flagship conference.  More information here.

Wednesday, May 27 – Mintz Privacy Wednesday Webinar – The Long Reach of COPPA

The fifth in our Wednesday Webinar series will focus on a discussion of COPPA, the long-awaited amendment and issues.   We’ll also discuss the latest Federal Trade Commission settlements and how to avoid being the next target.   Register here.

Some privacy & security bits and bytes to start your week:

FCC to Hold Public Workshop on Broadband Consumer Privacy Tomorrow

Over the last several months, the Federal Communications Commission has taken on a significantly expanded role on consumer privacy protection issues. Between the FCC’s expanded notion of the type of personal information subject to its authority under Section 222 of the Communications Act, which surfaced in the TerraCom and YourTel cases last year, and its recent reclassification of broadband Internet access service as a Title II telecommunications service – accompanied by a determination that the privacy requirements in Section 222 applicable to telephony could be extended to broadband service – the FCC is showing every intention of expanding its reach over privacy issues.

In the order reclassifying broadband service, the FCC recognized that the currently effective privacy rules are not a good match for broadband Internet access service, as those were written with telephone service in mind. For example, those rules include provisions for the use and disclosure of Customer Proprietary Network Information (CPNI) in connection with voice mail and caller I.D. Therefore, while the FCC applied the statutory privacy requirements of Section 222 to broadband service providers, it forbore from applying its rules implementing that statute pending further proceedings.

The FCC kicks off those further proceedings tomorrow with a public workshop on Broadband Consumer Privacy. The workshop will include discussions of what subscriber information is collected by broadband Internet access service providers and how that information is used. There will also be a panel discussion of how Section 222 applies to broadband services. Speakers include FCC Chairman Tom Wheeler and other members of the FCC, as well as representatives from local governments, academia, public interest groups, and broadband service providers. The Commission will also provide audio and video coverage of the discussion on the FCC’s Web page at www.fcc.gov/live

RSA Conference 2015

It is clear that “security” is a big industry:  there were more than 30,000 attendees with more than 9 acres of exhibitor space at last week’s record-breaking RSA Conference 2015 in San Francisco.   BankInfoSecurity has published a “visual journal” here.   I must say, I need to hang out with these guys next year.  They are masters of the swag bag.   CSO Online also has posted an interesting summary of the week here.

From the legal side, Smeeta Ramarathnam, the chief of staff to SEC Commissioner Luis Aguilar, told a Thursday morning panel that the Securities and Exchange Commission (SEC) is about to enter a “time of great change” as it pertains to regulation for disclosing cyber security incidents.

In the discussion, called “Full Disclosure: What Companies Should Tell Investors about Cyber Incidents,” Ramarathnam, along with Jonas Kron, director of shareholder advocacy with Trillium Asset Management, discussed the growing concerns and sense of responsibility boards of directors face in the wake of high-profile breaches, which will indelibly engage investors’ attention.

“Hardly a day goes by without another breach being reported,” Ramarathnam said, explaining that the SEC is tasked with formally overseeing security incidents or issues that would impact the integrity of market systems, customer data protection and disclosure of material information.

While the SEC’s Division of Corporation Finance published guidance in 2011 to make companies aware of the agency’s views on what needs to be reported as far as material information disclosure related to cyber incidents, Ramarathnam noted that the guidance provided context for current SEC rules, but no new regulatory obligations for organizations.  Although she did say she expects “much more to come in way of requirements from the SEC” in reporting and disclosure of cybersecurity risks and incidents, by the end of the panel, she had walked that statement back a bit.

REMINDER – Wednesday Webinar – April 29

Don’t miss the next in our 2015 Privacy Webinar series coming up this Wednesday.   Mintz Levin’s Sue Foster will be discussing Compliance with EU Data Protection for US Companies.   Register here.

Spring has finally arrived on the East Coast, and not a moment too soon.

Here are 3 privacy & security bits and bytes to start your week.

ICYMI – 60 Minutes’ Steve Kroft Story on Why the Sony Hack is Important

Fascinating piece by a reporter who has been looking at cybersecurity/cyberwarfare issues for 15 years.  “You don’t have to be a superpower to inflict damage on US corporations….”  Watch the entire story here.  (Full disclosure – Mintz client Cylance is prominently featured in this story.)

As a Follow-on:  New RSA Breach Readiness Survey Finds Majority Not Prepared

Now that you have seen the 60 Minutes eye-opener, read the latest study released by RSA, The Security Division of EMC, just ahead of next week’s RSA Conference in San Francisco. The opening few lines preview the content of Failures of the Security Industry: Accountability and Action Plan:

The information security industry is losing the cyberwar. Make that cyberwars. Plural. Black hat “hacktivists,” organized crime syndicates, state-sponsored operatives, terrorists, and other threat actors attack computer systems and critical infrastructure on multiple fronts across the globe with seeming impunity…. Cybercrime hurts the global economy.

Download the white paper here.

This is one you have to see – IT Governance, a UK consultancy, has a blog post with pictures — screen shots from live TV broadcasts that leaked passwords, including one from the Super Bowl: a live shot showing the credentials for the stadium’s wireless network. Take a look at the article and pictures here.

Not only is it Privacy Monday – it is OPENING DAY!   After this long, long winter … welcome back baseball!

It’s usually an end-of-season tradition for some baseball writers and announcers, but I like to revisit it in the spring for what is ahead “in a green field, in the sun” — one of the greatest odes to the game ever written:

It breaks your heart. It is designed to break your heart. The game begins in the spring, when everything else begins again, and it blossoms in the summer, filling the afternoons and evenings, and then as soon as the chill rains come, it stops and leaves you to face the fall alone. You count on it, rely on it to buffer the passage of time, to keep the memory of sunshine and high skies alive, and then just when the days are all twilight, when you need it most, it stops.   …  It breaks my heart because it was meant to, because it was meant to foster in me again the illusion that there was something abiding, some pattern and some impulse that could come together to make a reality that would resist the corrosion; and because, after it had fostered again that most hungered-for illusion, the game was meant to stop, and betray precisely what it promised.

Of course, there are those who learn after the first few times. They grow out of sports. And there are others who were born with the wisdom to know that nothing lasts. These are the truly tough among us, the ones who can live without illusion, or without even the hope of illusion. I am not that grown-up or up-to-date. I am a simpler creature, tied to more primitive patterns and cycles. I need to think something lasts forever, and it might as well be that state of being that is a game; it might as well be that, in a green field, in the sun.

Read “The Green Fields of the Mind” by A. Bartlett Giamatti here and hear him read it himself here.   Or, watch the epic James Earl Jones monologue from Field of Dreams here.

Enjoy Opening Day!

Now back to your regularly-scheduled Privacy & Security Matters programming — Opperman v. Path Inc.’s Impact on Privacy Notices

Continue Reading Privacy Monday – April 6, 2015 – Play Ball! (and other privacy-related bytes)

On Friday, the FTC published updates to the COPPA FAQs, the Commission’s compliance guide for businesses and consumers, to address the applicability of COPPA and the Amended COPPA Rule to educational institutions and businesses that provide online services, including mobile apps, to educational institutions. Specifically, nearly a year after the last update to the “COPPA and Schools FAQs”, the Commission revisited its answers to FAQs M.1, M.2, and M.5 and deleted FAQ M.6 in an attempt to streamline the FAQs and provide further clarity on the key topics of notice and consent, best practices for educational institutions, and the interplay between COPPA and other federal and state laws that may apply in the education space. To access our blog post on the prior update to the COPPA and Schools FAQs, please click here.

Continue Reading Privacy Monday – March 23, 2015: COPPA Refresh

Taking another “step” toward developing comprehensive privacy legislation, the White House has released a discussion draft of the Consumer Privacy Bill of Rights Act of 2015. The draft reflects the Fair Information Practice Principles (“FIPPs”) long championed by the Obama Administration, and calls on businesses engaged in the collection of consumer information (“covered entities”) to either abide by a Privacy Bill of Rights or engage in self-regulation. While commentators have suggested the proposal is dead on arrival (read here, here and here), the Privacy Bill of Rights warrants attention because it will serve as a jumping-off point for further legislative and policy discussions on consumer privacy rights.

Continue Reading Privacy Monday – March 16, 2015: Unpacking the Obama Administration’s Consumer Privacy Proposal

Welcome to March (and in the Northeast, the arrival of meteorological spring is welcome indeed……)

We start this month with a question:  Have you looked at your cyber resilience?

The Federal Financial Institutions Examination Council (FFIEC) recently described “cyber resilience” as an organization’s ability to recover critical IT systems and resume normal business operations in the event of a cyberattack. On February 6, the FFIEC added a new Appendix J to its Business Continuity Planning booklet, titled Strengthening the Resilience of Outsourced Technology Services (Guidance). The Guidance discusses the importance of cyber resilience in light of the increasing sophistication and volume of cyber threats and their ability to disrupt operations and challenge business continuity preparedness, and provides recommendations for financial institutions and their service providers on addressing and mitigating cyber resilience risks and strengthening business resilience. Published in 2003, the Business Continuity Planning booklet is one of a series of booklets that comprise the FFIEC Information Technology (IT) Examination Handbook; it provides guidance to assist field examiners from the FFIEC member agencies in evaluating financial institution and service provider risk management processes to ensure the availability of critical financial services. The FFIEC has also set up a cybersecurity awareness website and in the past year piloted a cybersecurity assessment program at a number of financial institutions across the country. Although these most directly apply to financial institutions and their service providers, the question of cyber resilience is critical to every organization.

So what are cyber resilience risks?

Continue Reading Privacy Monday – March 2, 2015: How is Your Cyber Resilience?