Archives: Security

Subscribe to Security

Updated at 8:50 pm GMT on 16 December 2015.

The new General Data Protection Regulation is effectively a “done deal” following the final trilogue meeting on December 15.  One might assume based on UK media coverage that the biggest change in EU privacy law is that kids under 16 will need their parent’s consent to sign up for social media services and apps.  As much consternation as that will cause at the breakfast table, it’s really the least of our worries.

It will take some time to process the new Regulation, and of course we don’t have the complete, official version yet (please read the important caveat at the end of this summary), but here are the key features of the Regulation in bullet point form so we can start mapping out the new legal landscape.  This summary focuses more on what’s new than what has stayed in place; generally speaking, rights of data subjects that existed under the Directive also exist under the Regulation.  On the other hand, the burdens on data controllers and processors have substantially increased. We’ll explore all of this in more detail over the coming weeks. Continue Reading The General Data Protection Regulation in Bullet Points

The years-long saga of the Federal Trade Commission’s suit against Wyndham Hotels over data breaches that occurred at least as early as April 2008 is finally coming to an end with a proposed settlement filed today with the court.  The original complaint, which is summarized in this post from 2012, alleged that Wyndham’s claims to use “standard industry practices” and “commercially reasonable efforts” to protect customers’ personal information were deceptive, and its actual practices unfair, in light of the company’s lax security practices.  Wyndham argued that the FTC lacks the authority to police data security practices, but in August 2015 the Third Circuit found against Wyndham, holding that the FTC’s authority to take action against a company’s unfair practices extends to enforcement of data security practices.

The proposed settlement, which is in effect for 20 years, reached between Wyndham and the FTC provides the first notice to companies of what they should expect from the FTC in the event of a data breach due to a failure to maintain reasonable data security standards.  The various settlement provisions are similar to those imposed in cases brought by the FTC over misrepresentations in privacy policies (as opposed to this case, which involved a suit over the laxity of the company’s actual data security practices).

Those provisions include Wyndham agreeing to undertake the following:

  • • Establishment a comprehensive information security program to protect credit card data, which must include risk assessments, reasonable safeguards, and regular monitoring for the next 20 years;
  • • Annual information security audits and independent assessments of its compliance with the Payment Card Industry Data Security Standard (PCI DSS) over the next 20 years;
  • • Obtain the certification of an independent certified assessor before implementing any “significant change” to its data security practices that the change would not cause it to fall out of compliance;
  • • Provide all assessments to FTC;
  • • Keep records relied on to prepare each annual assessment for three years; and
  • • Submit to compliance monitoring by the FTC.

Notably, and different from the settlements of privacy-related cases, Wyndham will not be required to pay a fine.

To take a step back from our continuing analysis of the situation and developments in Europe,  there are other things going on in the privacy and data security world!   Our October Wednesday Webinar is coming up and we will take a walk on the wild side:  data security litigation.    Registration is open now! Read more – Continue Reading Wednesday Webinar: Tricks, But No Treats – A Halloween Visit to the Frightening World of Data Security Litigation

The SEC has announced a new round of cybersecurity inspections at broker-dealer and registered investment advisory firms.  If that’s not enough to catch your attention, just days after issuing the Risk Alert, the SEC censured and fined a St. Louis-based investment advisor for a failure to adopt written policies and procedures to ensure the confidentiality of personal information as required by law.   According to the SEC, that failure led to a breach of the personal information of 100,000 investors held by R.T. Jones Capital Equities Management and led to a $75,000 fine.

Register now for our upcoming webinar — Wednesday, September 30 at 1 pm ET where the latest Risk Alert and enforcement action, along with other important developments, will be discussed by Mintz Levin’s Steve Ganis and Peter Day.

Another Cop on the Cybersecurity Beat: What to Do Before and After the SEC and FINRA Come Knocking

This webinar, the eighth in our Privacy series, will address regulatory compliance and risk management aspects of cyber attacks and data breaches at financial institutions and their service providers. Cybersecurity is one of the most significant issues facing the financial services industry — and vendors to financial services customers. Consequences of cyber attacks and data breaches are more costly than ever, and now the SEC and FINRA are conducting cybersecurity examinations. Enforcement actions are likely to follow. Meanwhile, the “fintech” revolution is radically and dramatically transforming how securities, banking, and money services firms collect, retain, protect, and monetize financial consumer data. Join us for guidance on crafting effective cybersecurity programs and insights into areas of likely cybersecurity focus uniquely critical for broker-dealers, investment advisers, and investment companies — intermediary and vendor due diligence, risk assessment, identity theft prevention, Gramm-Leach-Bliley safeguarding of customer information, referral and aggregator arrangements, suspicious activity monitoring, material nonpublic information protection, and front running prevention.

 

As always, the webinar is eligible for New York and California CLE credit.

Risks to sensitive data have never been greater. With the rise in cyber attacks and data breaches, outsourcing to third parties can present an exponential threat to corporations. New regulations, technologies, standards, and security threats require organizations to implement robust vendor oversight to meet and stay ahead of the latest risks and challenges from new payment methods and systems, data breaches, and cyber attacks.   Register here for our next Wednesday Webinar on this important topic and read on –   Continue Reading The Third Party Vendor Risk to Your Data – Wednesday Webinar

The first Privacy Monday of the summer!PrivacyMonday_Image1

It’s appropriate that the “boys of summer” feature prominently in today’s post.

Strike three for the St. Louis Cardinals?

On another summer Privacy Monday in 2014, we made note of a reported hack into the Houston Astros’ vaunted “Ground Control” database and GM Jeff Luhnow said he intended to prosecute whoever was responsible.   Last week’s New York Times reported that it was likely Luhnow’s old team, the St. Louis Cardinals.  Reportedly, the Astros contacted the FBI when confidential information stored in the “Ground Control” database was posted online last year. Investigators found information indicating the origin of the hack was the home of a Cardinals’ employee.

The most recent reporting on this story comes from CBS Sports, with an interview with Cardinals’ owner Bill DeWitt and the report of a potential third violation of the Astros’ database, purportedly by Cardinals’ employees.

Recommended reading into the background of why the Cards would have bothered to hack the Astros can be found at ESPN:  Why the Astros’ sophisticated database would be worth hacking Continue Reading Privacy Monday – June 22, 2015

California again has provided a model of privacy legislation for other states to follow.  New Hampshire Governor Maggie Hassan recently signed into law House Bill 520 (the “Bill”), a bipartisan effort to establish guidelines for the protection of student online personal information.

Who is covered by the Bill?

Modeled after California’s Student Online Personal Information Protection Act (SOPIPA), the Bill applies to operators of Internet websites, online services (including cloud computing services), and mobile applications with actual knowledge that their website, service or application is used primarily for K-12 school purposes and was designed and marketed for K-12 school purposes (“Operators”). Like SOPIPA, the Bill imposes certain obligations and restrictions on Operators with respect to the collection, use, storage and destruction of student personal information and becomes effective on January 1, 2016. We discuss SOPIPA in more detail here and provide recommendations for preparing to comply with the SOPIPA requirements.

The Bill does not apply to general audience websites, online services, and mobile applications, even if login credentials created for a covered site, service, or application may be used to access the general audience sites, services, or applications. The Bill also makes it clear that it is not intended to:

  • limit Internet service providers from providing Internet connectivity to schools or students and their families;
  • prohibit operators of websites, online service, or mobile application from marketing educational products directly to parents so long as the marketing did not result from the use of “Covered Information” under the Bill;
  • impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance with the Bill on those applications or software;
  • impose a duty upon a provider of an interactive computer service, as defined in 47 U.S.C. section 230, to review or enforce compliance with the Bill by third-party content providers; or
  • impede the ability of students to download, export, or otherwise save or maintain their own student created data or documents.

What information is covered by the Bill?

The Bill defines “Covered Information” very broadly to include personally identifiable information or materials, in any media or format, created or provided to an Operator by either a student (or his/her parent or guardian) while using the Operator’s site, service, or application or by an employee or agent of the K-12 school, school district, local education agency, or county office of education, as well as information gathered by the Operator that is related to the student, such as information that is “descriptive of a student or otherwise identifies a student, including, but not limited to, information in the student’s educational record or email, first and last name, home address, date of birth, telephone number, unique pupil identifier, social security number, financial or insurance account numbers, email address, other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, other student identifiers, search activity, photos, voice recordings, or geo-location information.”

What do you have to do to comply with the Bill?


 Avoid the following prohibited activities:

  • Using any information (including persistent identifiers) created or collected through your site, service, or application to create a profile about a K-12 student;
  • Engaging in targeted advertising (either on your site, service, or application or any other site, service, or application) when the targeting is based on any information (including covered information and persistent identifiers) that you have acquired as a result of the use of your site, service, or application;
  • Selling, leasing, renting, trading, or otherwise making available a student’s information (including covered information), except in connection with a sale of your business provided that the buyer continues to be bound by this restriction with respect to previously acquired student information; or
  • Disclosing protected information, except where the disclosure is mandated to “respond to or participate in judicial process”.

Implement and maintain the following security and deletion requirements:

  • reasonable security procedures and practices (appropriate to the nature of the Covered Information) to protect Covered Information from unauthorized access, destruction, use, modification, or disclosure, and
  • delete covered information if the school or district requests deletion of data under the control of the school or district.

What can you do with Covered Information?

Although, as discussed above, there are many restrictions on the use of Covered Information, Operators are permitted to:

  • Use de-identified Covered Information within their sites, service, or application (or other sites, services, or applications owned by the Operator) to improve educational products and to demonstrate the effectiveness of their products or services (including in their marketing), and
  • Share aggregated de-identified Covered Information for the development and improvement of educational sites, services, or applications.

Although the effective date is January 1, 2016, if you are an “Operator” under the Bill, this is the time to begin thinking about what kind of changes you may need to make in your processes and procedures and to put in place an implementation plan to be compliant with the Bill by its effective date.

Register now for our June Wednesday Webinar.    This webinar, the sixth in our Privacy series, will address risk assessment best practices and data breach readiness. A risk assessment is the foundational step in the development of a comprehensive privacy and security program for your company. It is also a regulatory requirement under HIPAA and some state laws. Join us for a roundtable discussion with a group of privacy and security professionals, moderated by Mintz Levin’s Cynthia Larose, on risk assessment best practices and data breach readiness.

You can’t manage the risk if you do not know what it is — a risk assessment is the first step towards effective — and proactive — risk management.

Registration is open here.  Hope you will join us!

 

The U.S. Office of Personnel Management (OPM) announced that hackers have stolen the personal information of approximately 4 million current and former federal employees, including names, birthdates and social security numbers.  OPM serves as the human resources department -and holds employee records – for the entire federal government, ranging from security clearances to the identities of covert CIA agents.  Every federal agency is potentially affected by this breach.  Notifications to affected employees will begin going out on Monday, June 8th, via email or US mail.  OPM will provide credit monitoring, identity theft insurance and recovery services for 18 months to affected individuals.

OPM is working with the Department of Homeland Security’s Computer Emergency Readiness Team – CERT – and the FBI to assess the full extent of the breach.  Early reports suggest that the breach originated in China.

Compounding the pain for OPM and the affected individuals is the revelation in OPM’s website  notice that the agency recently implemented an “aggressive effort” to update its network security.  Unfortunately, this effort only revealed the hack, but was not implemented in time to prevent it.

OPM’s breach follows a highly publicized IRS data breach, in which hackers accessed the personal information of 100,000 taxpayers and used it to file false refund requests.  In 2014 alone, the US Postal Service, White House, National Weather Service and US Department of State were all victims of cyber-attacks, some of them suspected of originating in China.

As of now, federal data breach numbers pale in comparison to private sector breaches, but it will be interesting to see if these incidents create a credibility problem for federal regulators, who can’t seem to keep their own systems secure.  According to Mark Robinson, a former federal prosecutor and cyber defense litigator at Mintz Levin:

At a minimum, the government’s own inability to keep it’s cyber security house in order will be used defensively by private companies breach victims as a glowing example of how easily hackers can get in to even the most fortified government controlled computer systems.

It will also be interesting to see if this breach results in private litigation on behalf of affected employees, particularly those whose safety and ability to do their jobs depends on the secrecy of their identities.  According to Kevin McGinty, Mintz Levin privacy class action litigator:

As day follows night, class actions typically follow data breaches.  Here, most OPM employees would have a difficult time alleging any injury sufficient to confer standing to sue.  The most plausible harm that could flow from this data breach, identity theft, is addressed by the services already being offered by OPM.  Unless a would-be litigant could allege some additional and imminent risk of harm that would not be covered by the services that OPM is offering, a private lawsuit would be likely to face dismissal for lack of standing.

We will have more on this story as it evolves.