Archives: Privacy Monday

Welcome to March (and in the Northeast, the arrival of meteorological spring is welcome indeed…)

We start this month with a question:  Have you looked at your cyber resilience?

The Federal Financial Institutions Examination Council (FFIEC) recently described “cyber resilience” as an organization’s ability to recover critical IT systems and resume normal business operations in the event of a cyberattack. On February 6, the FFIEC added a new Appendix J to its Business Continuity Planning booklet, titled Strengthening the Resilience of Outsourced Technology Services (Guidance). The Guidance discusses the importance of cyber resilience in light of the increasing sophistication and volume of cyber threats, their ability to disrupt operations, and the challenge they pose to business continuity preparedness, and it provides recommendations for financial institutions and their service providers on addressing and mitigating cyber resilience risks and strengthening business resilience. Published in 2003, the Business Continuity Planning booklet is one of a series of booklets that comprise the FFIEC Information Technology (IT) Examination Handbook; it provides guidance to assist field examiners from the FFIEC member agencies in evaluating financial institution and service provider risk management processes to ensure the availability of critical financial services. The FFIEC has also set up a cybersecurity awareness website and in the past year piloted a cybersecurity assessment program at a number of financial institutions across the country. Although these most directly apply to financial institutions and their service providers, the question of cyber resilience is critical to every organization.

So what are cyber resilience risks?

Continue Reading Privacy Monday – March 2, 2015: How is Your Cyber Resilience?

It’s another Privacy Monday!

Privacy in the Workplace Webinar

Our next Wednesday Webinar is coming up on February 25th, with a focus on privacy in the workplace. Our workplace is everywhere these days, which makes employment and privacy compliance even more challenging. Jen Rubin and Gauri Punjabi will discuss developments in the workplace privacy field, including statutory developments, mobile device regulation, social media’s impact on workplace privacy, recruiting and hiring, and some practical advice to keep your workplace policies in compliance with rapid legal developments. Register here!

Are You Attending the IAPP Global Summit in D.C.?  Pre-Game with Mintz!

In the wake of the Anthem breach, we’ll be presenting a timely seminar in our Washington, D.C. office on Tuesday, March 3rd:  HACKED!  What to Do When It Happens to You

This roundtable, featuring national subject matter experts from the United States Secret Service and the Federal Bureau of Investigation, as well as forensic and legal professionals, will provide unique and important insights, tips, and advice on current cyber threats affecting your business and what to do when the cyber-thief strikes and the opportunity for in-person, live discussion with law enforcement officials.  Early registration (here) is encouraged, because space is limited.

Happy Groundhog Day!   While we were recovering from last night’s heart-attack Super Bowl 2015,  Punxsutawney Phil saw his shadow this morning …. predicting 6 more weeks of winter, for an already winter-weary US. #sixmoreweeksofwinter

Three things you should know on this Privacy Monday:

Over 110,000 Facebook Users Hit With Malware
Cybercriminals are targeting Facebook users with malware embedded in videos that are pushed to their timelines and in which their friends are tagged. Security researchers from Bitdefender say victims are taken to a video, which redirects them to a site that analyzes their operating system for weaknesses and eventually installs malicious software that gives hackers access to their machines. The malware is described in a post to the Full Disclosure mailing list. Read more about the malware at CSO Online.
Continue Reading Privacy Monday – February 2, 2015

Good Monday – The East Coast prepares for Apocalypse (Sn)ow.

In the meantime, here are three privacy-related tidbits for your day.

Privacy Concerns Cause Scale Back of Release of HealthCare.gov Data

We spend a fair amount of time warning about third party vendors and the risk that such vendors can pose to sensitive data.   Just ask Target.   Last week, the Associated Press revealed that the healthcare insurance exchange, HealthCare.gov, was connecting with third party analytics sites and others and operating much like any commercial website — except that it is not.  The AP reported over the weekend that the Obama Administration has “reversed itself” and scaled back the release of (or access to) consumer data — including anonymized data.     According to the AP’s Saturday follow-up, an analysis of the Federal exchange showed that the number of third party companies with connections embedded in the site, thus giving them access to consumer data, “dropped from 50 to 30.”

Read more:

The Hill — The Centers for Medicare and Medicaid Services will encrypt additional data when customers use the Window Shopping feature on HealthCare.gov.

New York Times — Is the data usage “industry standard” and much ado about SOP?

CNN Money

Continue Reading Privacy Monday – January 26, 2015

We are pleased to announce important additions to Mintz Levin that clearly strengthen the Privacy & Security Group’s bench.

Mark Robinson, Member (Boston) – Mark is a nationally recognized authority in government investigations and enforcement and cybersecurity defense, and a former deputy chief of the Criminal Division of the US Department of Justice (DOJ).   He serves as Co-chair of the firm’s White Collar Defense Practice.

Mark represents public and private sector clients in connection with internal investigations, regulatory enforcement actions, commercial litigation, and large scale data breaches. He has been called upon by CEOs, directors and officers, audit committees, and senior executives in industries as varied as energy, automotive, media, health care, and financial services. His areas of focus include data breaches and cyber incidents, securities and procurement fraud, bid rigging, pharmaceutical pricing practices, accounting misconduct, false claims, and commercial bribery.  Mark’s already been quoted in last week’s Wall Street Journal article, “The Rise of Cybercrime Extortion” (registration may be required).

Ari Moskowitz, Associate (Washington, DC) – Ari provides guidance to clients on complying with various federal and state privacy laws, including the Children’s Online Privacy Protection Act, cross-border data protection regulation, and data breach notification laws.   With Ari, Mintz Levin’s Privacy & Security Group now boasts five attorneys with Certified Information Privacy Professional (CIPP) credentials.

Peter Day, Associate (San Diego) – Our newest addition (joining today!), Peter advises and defends companies responding to governmental inquiries. He has represented clients facing inquiries from congressional committees, the Department of Justice, the Securities and Exchange Commission, the Federal Trade Commission, numerous state attorneys general, and several foreign regulators. Peter represents clients in connection with data breaches, breach notification laws, post-data breach remediation, network security, corporate compliance, and the Payment Card Industry Data Security Standard (PCI DSS). He has also represented and advised clients in the financial services, defense, technology, and retail sectors regarding the collection, use, and disclosure of personal information, financial information, and geo-location information.

Three privacy/security stories that you should know as you start your week:

President Obama to Offer Cybersecurity/Privacy Previews to State of the Union Proposals

In a series of speeches this week, President Obama will preview important issues to appear in his January 20th State of the Union address.    A White House official said in a statement to reporters over the weekend that the president would “lay out a series of legislative proposals and executive actions that will be in his State of the Union that will tackle identity theft and privacy issues, cybersecurity, and access to the Internet.”   The President will reportedly speak at an event at the Federal Trade Commission today and outline a plan to tackle identity theft and improve consumer and student privacy.    Tuesday, the President will discuss cybersecurity at the National Cybersecurity and Communications Integration Center.    We will keep readers updated on what the White House is calling “SOTU Spoilers.”

Read more here:

CNBC

CNET

New York Times

ICYMI:  The January 2015 Edition of the Mintz Matrix Is Out — and State Changes are in the Works

On Friday, we released the updated version of the Mintz Matrix of state data breach notification laws.   In case you missed it, you can get the updated chart here.

Now that the state legislatures are getting into session, we are expecting more action amending and tightening up state laws.    For example, legislators in Washington state have already filed an amendment to that state’s data breach notification law.

At the end of 2014, several proposals were introduced, and we will be following where these bills head in the 2015 session. New York’s proposal (Bill A10190) imposes requirements on entities conducting business in New York that own or license computerized data including private information; those requirements are nearly identical to those required under Massachusetts 201 CMR 17. Most importantly (as you will recall), the Massachusetts regulations require that entities develop, implement and maintain a comprehensive written information security program. A proposed New Jersey amendment would expand the definition of “personal information” to include a combination of user name or email address with any password or security question and answer that would permit access to the online account. Attorneys general in Indiana and Oregon closed out the year with calls for more robust data breach protection legislation in their states. Stay tuned.

Tax Time is a Good Time For a “Security Check”

Businesses and their employees are all dealing with receipt of documents, filings, etc. during this taxing time of year.  Tax season is also a prime time for personal information scams and can expose lax internal controls.   Here are a few things to remember as you begin preparing for tax season:

Secure your data – Do you prepare your business’ taxes on a company computer? If so, you likely have some very sensitive financial information on your hard drive. Make sure your files are secured with password-protected directories and accounts, and that your entire system is protected from outside threats. Also, if you plan to use a wireless network to electronically file your taxes, be sure to use a secure Internet connection and never use public wireless hotspots.  Do NOT send personal information to employees or service providers via email.   Make sure that you only use secure transmission methods for sending W2 and other forms that contain Social Security or other sensitive information.   If a tax preparer asks you to send documents via unencrypted email — find another tax preparer.

Back up financial data – When was the last time you backed up your company data? If you don’t already follow a backup schedule, tax season can be a great reminder that you need to regularly back up your data. Regularly backing up your data not only protects you at tax time in the event your data is compromised, it can also help protect you against future events such as a natural disaster. Remember that whether you back up to the cloud or a separate physical device/location, electronic data needs to be kept in a secure environment.

Keep your security software updated – You don’t have the time or resources to keep track of each and every new scam, phishing attack, or threat that comes around – that’s what your security software is supposed to do. But just as you can’t file your taxes without accurate tax information, your security software can’t do its job if it’s not up-to-date. The threat landscape changes daily, so keeping your security software up-to-date helps ensure that it will be able to address the most current threats to your information. After all, your ability to run an effective business depends on making sure your confidential data is safe and secure from outside threats.

Remind employees of phishing threats — Use this time of year as an opportunity to remind employees to protect themselves from tax-related phishing scams.    The IRS will never ask for personal information via email.  Ever.    Some of these reminders from the IRS may be useful to send to your employees as a reminder to protect themselves — and as a result, protect your business.

Have a safe and secure week!

Welcome to the first Privacy Monday of 2015!

We hope that you enjoyed our 12 Days of Privacy series (and if you missed it, they are all linked in the right column of the blog…).

Three things that you should know for your Privacy Monday:

1. The FTC approved the Snapchat final order on New Year’s Eve

Following a public comment period, the Federal Trade Commission has approved a final order settling charges that Snapchat deceived consumers with promises about the disappearing nature of messages sent through the service.

We dissected the FTC’s complaint on this blog in May (here), and according to the FTC, Snapchat also deceived consumers over the amount of personal data it collected and the security measures taken to protect that data from misuse and unauthorized disclosure.

According to the FTC’s release, “[t]he settlement with Snapchat is part of the FTC’s ongoing effort to ensure that companies market their apps truthfully and keep their privacy promises to consumers,” and prohibits Snapchat from misrepresenting the extent to which it maintains the privacy, security, or confidentiality of users’ information.

2.  Chick-fil-A is latest breach victim

Chick-fil-A, one of America’s most popular fast food restaurants, is the latest corporation to investigate the possible hacking of its customers’ credit card data.

“Chick-fil-A recently received reports of potential unusual activity involving payment cards used at a few of our restaurants,” the company said in a statement last week.

“We are working with leading IT security firms, law enforcement and our payment industry contacts to determine all of the facts.”

The company promised that if a security breach was confirmed, it would assume financial responsibility for fraudulent charges to customers’ accounts, and arrange for free identity protection services — including credit monitoring — for any affected consumer.

With over $5 billion in annual sales Chick-fil-A, based in Atlanta, Georgia, is the biggest fast-food chicken restaurant in the United States.

3.  The Experian 2015 “Crystal Ball” Report is out

Regular readers of this blog will know that we have been saying this for some time, but this appears in the 2015 Experian Data Breach Industry Forecast:  “Board members and the C-suite can no longer ignore the drastic impact a data breach has on company reputation.  Meanwhile, consumers are demanding more communication and remedies from businesses after a data breach occurs.  As a result, the topic is one of the highest priorities facing businesses and regulators in 2015.”

The Experian report predicts that:

  • top data breaches expected in 2015 include the following – payment breaches (with the adoption requirements for EMV “Chip and PIN” technology in the US in October 2015, the window may be closing for hackers to easily profit from point-of-sale attacks, however attackers may look for new ways to compromise these companies given how profitable the payoff can be),
  • hackers will target cloud data (cloud services have become a more attractive target for attackers because consumers rely more on online services such as online banking and mobile payments), and
  • growth in healthcare breaches (it is expected that healthcare breaches will increase, due to increased movement to electronic medical records and the introduction of wearable technologies).

Get the full report here.

Our series last year was a reader favorite, so we decided to put our prognosticator hats on again and present:

Rather than look back at 2014, starting tomorrow, the Privacy & Security blog will count down The 12 Days of Privacy, looking ahead to what we might expect in 2015 and what we might be talking about in the year to come.

Don’t miss a day starting tomorrow!

Day One – 12/9 – Does Santa Claus Have to Comply with EU Data Protection Laws: 2015 Compliance Considerations for Non-EU Companies

Day Two – 12/10 – Through the Looking Glass: Privacy Litigation

Day Three – 12/11 – What the 2015 Proxy Season Might Bring…

Day Four – 12/12 – Cyberliability Policies: What to Expect in 2015

Day Five – 12/15 – California Dreaming… New Legislation Effective January 1

Day Six – 12/16 – Hacks and the State Actor: What Sony Portends…

Day Seven – 12/17 – Questions of Authority: Who is “the cop” on the Privacy and Data Security Beat?

Day Eight – 12/18 – Health Data Sharing – How much is too much?

Day Nine – 12/19 – OCR Corrective Action Planning in 2015: The Gift That Keeps on Giving

Day Ten – 12/22 – Wearables: What will that new gadget be spilling about you?

Day Eleven – 12/23 – ISO and the Courts: How Your Coverage is Likely to Narrow in 2015 (and why…)

Day Twelve – 12/24 – On the Twelfth Day…

Join us each day as we celebrate the 12 Days of Privacy, v.2014!

Welcome to December –  we hope you had a restful and enjoyable Thanksgiving holiday.

Here are a few privacy bits and bytes to start your week.

1. ICYMI – 60 Minutes Explains Credit Card Hacking

In preparation for Cyber Monday, 60 Minutes presented a well-researched and interesting story on credit card hacking. For privacy and security professionals, it may be old news, but as a consciousness-raising and mainstream piece of reporting, it is first-rate. Some points:

  • From the time of intrusion into a system, the average time to detection of the bad guys is a “whopping 229 days.”
  • 80 percent of breaches involve stolen or weak passwords.   The most common — “123456” (Hey, it meets the minimum requirements of 6 characters!)
  • “Detect it sooner.  Respond sooner.”
See the entire script and video here (or play it for your favorite CEO….).
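As an added illustration of the “123456” quip above (this is example code, not part of the original post or the 60 Minutes segment): a minimum-length rule alone accepts the most common password in the world, so a sensible policy check also consults a blocklist of known-common passwords, and normalizes the candidate first so that dressed-up variants of a dictionary word are caught too. The blocklist, the leet-substitution map and the sample passwords below are constructed for this example.

```python
"""
Added example, not from the original post: a password-policy check that
contrasts the bare "at least 6 characters" rule with a check that also
consults a blocklist of common passwords. The blocklist below is a small,
constructed sample; a real deployment would load a much larger list.
"""

# Constructed sample of frequently breached passwords (illustrative only).
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123", "111111", "letmein",
}

LEGACY_MIN_LENGTH = 6        # the rule that "123456" satisfies
RECOMMENDED_MIN_LENGTH = 12

# Undo the substitutions people use to dress up a dictionary word.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def meets_length_only(password: str) -> bool:
    """The length-only rule: accepts anything of 6+ characters, '123456' included."""
    return len(password) >= LEGACY_MIN_LENGTH


def normalize(password: str) -> str:
    """Lower-case, drop trailing digits/punctuation, then undo leet substitutions,
    so that 'P@ssw0rd123!' is compared against the blocklist as 'password'."""
    stripped = password.lower().rstrip("0123456789!.?")
    return stripped.translate(LEET)


def check_password(password: str, min_length: int = RECOMMENDED_MIN_LENGTH) -> list[str]:
    """Return the reasons a password is rejected; an empty list means it passes."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    # Check both the raw (lower-cased) value and its normalized form.
    if password.lower() in COMMON_PASSWORDS or normalize(password) in COMMON_PASSWORDS:
        reasons.append("appears on the common-password blocklist")
    if len(set(password)) <= 2:
        reasons.append("uses two or fewer distinct characters")
    if password.isdigit():
        reasons.append("all digits")
    return reasons


if __name__ == "__main__":
    # Constructed candidates: the blocklisted classic, a leet-dressed dictionary
    # word, a long repeated character, and a long passphrase.
    for candidate in ("123456", "P@ssw0rd123!", "aaaaaaaaaaaa",
                      "correct horse battery staple"):
        print(f"{candidate!r}: length-only rule passes={meets_length_only(candidate)}, "
              f"policy rejects for={check_password(candidate) or 'nothing'}")
```

The point of the normalization step is that a blocklist match on the raw string alone is easy to sidestep with a trailing digit or a capital letter; stripping those before the lookup makes the blocklist do the work the length rule cannot.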

2. Sony Pictures Entertainment Hit by Possible Retribution Attack

Reuters reports that Sony Pictures Entertainment has retained Mandiant, a forensics security firm, to investigate and remediate a cyber attack that knocked out the studio’s network a week ago. The FBI is also reportedly involved in the investigation into the possibility that hackers working on behalf of North Korea may be behind the attack. The timing coincides with the upcoming release of Sony’s “The Interview,” depicting a CIA plot to assassinate North Korean leader Kim Jong-Un. The nation’s state-owned outlets have threatened “merciless retaliation” against the U.S. and other nations if the film is released.

The hack also apparently leaked five unreleased Sony films to file-sharing sites. The studio has confirmed that it is working with law enforcement to track down the leaks.

Read more here at re/code.

3. The Microsoft Storm – The View from Ireland

Back in August, we wrote about Microsoft’s court battle over production of email data held in its Irish data center. That battle continues on appeal from a New York court’s refusal to grant Microsoft’s request to quash the U.S. government’s warrant seeking that particular data. Karlin Lillington, the technology columnist for the Irish Times, writes about the view of this battle from the data’s country of residence — and its potential to influence the future of cloud computing. Worth a read here.

4.  Hey GC, When’s the Last Time You Spoke with Your CTO or CISO?

One would expect that corporate Chief Information Officers (CIO), Chief Information Security Officers (CISO) and General Counsels/Chief Legal Officers have a lot to talk about these days including data privacy, breach response, network security assessments, e-discovery, BYOD policies and cloud computing security risks. However, a recent Gartner survey of CLOs found that over half of them have conversations with the CIOs no more than once a month.

Take some time to view a free webinar discussing how CIO/CISOs and CLOs can (and should) collaborate to overcome the obstacles to effective cyber risk management including:

  • Risk mitigation options
  • Planning for the best, expecting the worst
See the webinar here.

Here are three privacy stories to start your week –

1. Dear “financial institution”: how is your data security?!

Senator Elizabeth Warren (D-Mass) announced (press release) that on November 18 the Senator together with Rep. Elijah E. Cummings (D-Md) sent letters to sixteen (16) financial services providers requesting detailed information about the providers’ data security programs (including vendor management practices) as well as disclosure of cyber-attacks  and data breaches experienced by the entities over the past year. The previous week, Representative Cummings sent similar letters to certain organizations that experienced large data breaches in the recent past, including to the U.S. Postal Service and U.S. Investigations Services.  Continue Reading Privacy Monday – November 24, 2014