Interest-based advertising (IBA), also known as behavioral advertising, creates profiles of consumers based on their online activities over time and across services, and uses them to send consumers relevant, targeted ads. To try to prevent the kind of opt-in legal requirements imposed in other countries on this kind of Internet user tracking and targeting, the U.S. advertising industry’s leading trade organizations came together, through the Digital Advertising Alliance (DAA), to develop self-regulatory requirements that include transparent notice to consumers when IBA is occurring (both for data collection and ad targeting) and choice through an opt-out option. The ad networks and exchanges that serve IBA have been actively policed by the DAA for years through its enforcement vehicle, the Online Interest-Based Advertising Accountability Program (OIBAAP). The OIBAAP has recently issued decisions in four cases that it initiated against web sites, and regarding nine consumer-generated complaints. This brings the number of actions concluded regarding web site publisher compliance since the OIBAAP’s 2013 compliance warning to approximately 30. In that warning, the OIBAAP announced that beginning in 2014 it would start a campaign to educate web site publishers on their obligation to give certain enhanced notice on every page of a web site that (1) serves IBA ads; (2) collects information for IBA (e.g., through third-party cookies associated with the site); and/or (3) enables retargeting of the user after the user leaves the publisher’s service (e.g., dropping a cookie that other publishers, or their ad servers, will recognize when the user goes to another site, for the purposes of serving the user an ad related to something they may have looked at on the original site).
BakerHostetler’s inaugural Data Security Incident Response Report (the “Report”) concluded that employee negligence and theft were two of the top five causes of data security incidents for the more than 200 incidents that we handled in 2014. Needless to say, this raises some important and concerning questions when it comes to the cloud. We note in the Report that companies cannot eradicate security risk solely through the use of better technology. This bumps up against the common claim of cloud service providers that they are better suited to provide technological security controls than many organizations, even large Fortune 500 companies. This may be true, but it cannot avoid the human element. Human beings ultimately operate those technological controls, and human beings are imperfect. And while an enterprise may not have the best security, it does have the internal ability to vet its employees – but transparency is lacking with respect to the employees of cloud service providers.
The EMV liability shift is coming. Sounds ominous, but what does it really mean? And how can retailers and merchants determine the potential impact of the shift on their business? Like many issues in the payment card industry, there is confusion and misunderstanding. Through an FAQ format, we cover the basics and address some of the common misperceptions.
Editor’s Note: The author is the most recent attorney to join our Privacy and Data Security Team. Paul represents clients in responding to potential data security incidents, counsels on incident response preparedness, and works with clients to develop appropriate policies to ensure compliance with applicable law, industry standards, or self-regulatory guidelines. He also counsels clients on the permissible collection of data and usage in online advertising. Paul received his undergraduate degree from Allegheny College and his law degree from Washington and Lee University School of Law.
Organizations face threats to their data from all fronts, from sophisticated external attacks by hackers to employee error (as the 2015 BakerHostetler Incident Response Report showed). Recognizing the prevalence of these incidents, the Department of Justice (DOJ) recently issued a guidance document intended to help organizations prepare for a data security incident. The document, titled “Best Practices for Victim Response and Reporting of Cyber Incidents,” is derived from the DOJ’s experiences investigating and prosecuting cybercriminals. The Guidelines focus primarily on the proactive and reactive measures a company may take in connection with a data breach. First, the Guidelines provide detailed suggested best practices for data breach incident preparation, which are summarized as follows:
We released the inaugural BakerHostetler Data Security Incident Response Report, which provides insights generated from the review of more than 200 incidents that our attorneys advised on in 2014. Over the next four weeks, we will post several blogs that will provide a more in-depth look at certain findings.
In this post, we cover one of the largest potential financial consequences retailers face after a payment card data security incident involving magnetic stripe data from cards swiped in stores—assessments of non-compliance fines, fees, and liability to reimburse affected issuing banks by the card networks (i.e., Visa and American Express). In the Report, we identified two liability ranges: (1) PCI DSS non-compliance fines of $5,000 – $50,000; and (2) liability to reimburse affected issuers of $3 – $25 per at-risk card. Below we discuss when this liability is triggered, how it is calculated, and steps companies are taking to avoid this liability.
When payment card data may be at risk, the card networks may require a retailer to hire a Payment Card Industry Forensic Investigator (PFI) to conduct a forensic examination. The PFI is required to submit a final PFI report containing its investigative findings to the card networks using a report template issued by the PCI Security Standards Council (SSC). Appendix A of the template requires the PFI to identify whether the retailer was compliant with all sub-requirements of PCI DSS at the time of the incident and, if the retailer was not, identify whether the noncompliance caused or contributed to the breach.
We are pleased to announce the release of the first BakerHostetler Data Security Incident Response Report, which provides insights generated from the review of more than 200 incidents that our law firm advised on in 2014. It looks at the nature of the threats faced by companies, as well as detection and response trends, and the consequences that follow. The report shows that human error was the number one cause of data security incidents we worked on last year, with employee negligence responsible for incidents 36% of the time. Other leading causes were theft by outsiders (22%), theft by insiders (16%), malware (16%) and phishing attacks (14%). The full report can be found here.
The report also makes clear that no industry is immune from threats to its sensitive information. Industries represented in the report include education, financial services, retail, insurance, technology, entertainment, hospitality and, in particular, healthcare sectors. While healthcare topped the chart of industries affected, that is due in part to strict data breach notification laws that all healthcare providers must follow.
It is important for companies to understand that data security is not just an issue for retailers, financial firms and hospitals. Incidents do not only occur at businesses that have payment card data or protected health information. Privacy and data security issues are firmly entrenched as a significant public and regulatory concern and a risk that executive leadership and boards of directors must confront.
Rapid Response is Critical
Our report shows that incidents were self-detected 64% of the time. Of the incidents reported by a third party, 27% were due to theft. A quick response to an incident is important for several reasons, including creating the opportunity to stop an attack in its early stages before sensitive data is accessed, preserving available forensic data to enable a precise determination of what occurred, and generating affirmative evidence to help the company respond in a way that protects affected individuals and minimizes potential financial and reputational consequences.
Detection Times Must Be Shortened
Co-authored by: Hannah Bloink
Dynamic pricing is the practice of offering different prices to consumers based on various factors designed to maximize sales and profits, which may include the retailer’s perception of the willingness of a particular consumer to pay at a given price point, often in connection with other factors such as a given point in time. Airlines use dynamic pricing based on complex data analyses involving a myriad of factors including time of day and week, fare class and availability. The ride share service Uber’s surge pricing dynamically bases fares on supply and demand at a given moment. Making projections of whether consumers will pay more or less under different circumstances is an evolving art that can be aided by data analytics, including, now that the data is increasingly available, consumer profiling based on historical consumer behavior and even A/B testing – the practice of testing for different reactions by the same subject based on variables. This can be the basis for personalized pricing, also known as first-degree or primary price differentiation, the “holy grail” of which is to develop a methodology for “perfect price discrimination” that maximizes the amount each individual consumer is willing to pay. Perfect price discrimination is only theoretically possible, since the seller must know each buyer’s reservation price (the maximum they will pay) and individualize an offer to them at that price, thus not leaving any potential revenues uncaptured. Beyond the difficulty in ascertaining that information, the market prevents perfect price discrimination through competition, and data enables real-time competitive offers. However, since less price-conscious consumers may be less inclined to shop the competition and more cost-conscious consumers are more inclined to look for lower equivalent offers, retailers have an incentive to try to identify which consumers are which when they are in front of them and offer them personalized pricing based on their price sensitivity.
Many have heard that “it is not a matter of if a company will be attacked, but when.” Statements like this used to be met with skepticism – companies would say we do not have information hackers want, we outsource our security so we have no risk, or the IT department said it will never happen to us. Over the last few years, with the litany of high-profile incidents, however, there has been a noticeable shift in how companies assess their cybersecurity risks and the steps taken to lessen the likelihood of an incident and to be better prepared to respond if one occurs. There is no room for doubt: cybersecurity is an issue that executive leadership teams and Boards of Directors must address.
After working with companies to respond to over 750 potential incidents, our advice to companies is to become and stay “compromise ready.” This is easier said than done and involves finding the right mixture of the following elements based on the company’s risk profile and appetite. Companies should also consider how these activities can be conducted so they are subject to the attorney-client privilege and work product protection.
Risk & Security Assessments – If you do not know what sensitive personal information and business data you have, where it resides, and who has access, you cannot implement appropriate safeguards to protect it. When facing a potential security incident, the inability to provide an accurate network diagram and describe the company’s sensitive data flow will complicate the forensic investigation. We often see companies (even large companies with sophisticated IT/IS departments) not able to provide these at the outset of an investigation.
Social media and social networking, including websites and applications that allow users to create and share content, have become ubiquitous. Joining the social networking revolution may be very easy for individuals, but establishing best practices for organizations that want or need to be actively engaged with social media is not. Initial considerations tend to focus on the social media platform at issue (e.g., a Facebook post, LinkedIn recommendation, Reddit thread) and how best to manage corporate interactions within those frameworks. But a deeper dive reveals the gulf between how organizations think social media works (or should work) and what their employees are actually doing online – in some cases, as unintentional company representatives.
Many cybersecurity experts have warned that the United States is already engaged in covert cyber warfare against hostile actors around the world. The latest cybersecurity Executive Order reflects formal recognition that, regardless of whether we call it war, cyber threat activity directed at U.S. critical infrastructure has created a national emergency.
Exercising authority granted by the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.), the National Emergencies Act (50 U.S.C. 1601 et seq.) (among other statutes), President Obama issued an order on April 1, 2015, titled “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities”. The Executive Order authorizes the Secretary of the Treasury – in consultation with the Attorney General and the Secretary of State – to impose sanctions on individuals or entities that engage in cyber-enabled activities from outside of the United States that create a “significant threat to the national security, foreign policy or economic health or financial stability of the United States.”