Data Privacy Monitor

Data Privacy Monitor

Commentary on Data Privacy & Information Security Subjects

Cybersecurity is a Real Risk, So Become “Compromise Ready”

Posted in Cybersecurity

cyber security iStock_000041562536_LargeMany have heard that “it is not a matter of if a company will be attacked, but when.” Statements like this used to be met with skepticism – companies would say we do not have information hackers want, we outsource our security so we have no risk, or the IT department said it will never happen to us. Over the last few years and the litany of high profile incidents, however, there has been a noticeable shift in how companies assess their cybersecurity risks and the steps taken to lessen the likelihood of an incident and to be better prepared to respond if one occurs. There is no room for doubt–cybersecurity is an issue that the executive leadership teams and Boards of Directors must address.

After working with companies to respond to over 750 potential incidents, our advice to companies is to become and stay “compromise ready.” This is easier said than done and involves finding the right mixture of the following elements based on the company’s risk profile and appetite. Companies should also consider how these activities can be conducted so they are subject to the attorney-client privilege and work product protection.

Risk & Security Assessments – If you do not know what sensitive personal information and business data you have, where it resides, and who has access, you cannot implement appropriate safeguards to protect it. When facing a potential security incident, the inability to provide an accurate network diagram and describe the company’s sensitive data flow will complicate the forensic investigation. We often see companies (even large companies with sophisticated IT/IS departments) not able to provide these at the outset of an investigation. Continue Reading

Social Media’s Not For You—It’s About You: Risks for Organizations in a New Age of Sharing

Posted in Copyrights, Data Breaches, Employment, Information Governance, International Privacy Law, Mobile Privacy, Privacy Litigation, Social Media, Workplace Privacy

Group Of Multi-Ethnic People Social NetworkingSocial media and social networking, including websites and applications that allow users to create and share content, have become ubiquitous. Joining the social networking revolution may be very easy for individuals, but establishing best practices for organizations that want or need to be actively engaged with social media is not. Initial considerations tend to focus on the social media platform at issue (e.g., a Facebook post, LinkedIn recommendation, Reddit thread) and how best to manage corporate interactions within those frameworks. But a deeper dive reveals the gulf between how organizations think social media works (or should work) and what their employees are actually doing online – in some cases, as unintentional company representatives. Continue Reading

Obama Administration Recognizes Cyber Threats to U.S. Critical Infrastructure as a National Emergency

Posted in Cybersecurity, Privacy

CityatNight_187456931Many cybersecurity experts have warned that the United States is already engaged in covert cyber warfare against hostile actors around the world. The latest cybersecurity Executive Order reflects formal recognition that, regardless of whether we call it war, cyber threat activity directed at U.S. critical infrastructure has created a national emergency.

Exercising authority granted by the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.), the National Emergencies Act (50 U.S.C. 1601 et seq.) (among other statutes), President Obama issued an order on April 1, 2015, titled “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities”. The Executive Order authorizes the Secretary of the Treasury – in consultation with the Attorney General and the Secretary of State – to impose sanctions on individuals or entities that engage in cyber-enabled activities from outside of the United States that create a “significant threat to the national security, foreign policy or economic health or financial stability of the United States.”

Continue Reading

Privacy and Data Protection Team Partner Craig Hoffman Named as a “Rising Star” by Law360

Posted in News

HOFFMAN_Craig_993Congratulations to Craig Hoffman, a partner and member of our Privacy and Data Protection team, who has been selected by Law360 as a Rising Star in the area of Privacy. Law360 editors reviewed a record 1,200 submissions to determine the 145 lawyers under 40 who were named for this honor. Winners were selected based on their career accomplishments in their respective practice areas.

Craig credits our hands-on approach for our success in resolving data security incidents, telling Law360 that “We go on-site with a client day one, and we stay there and work with them to make sure they get the support, and we act as the quarterback for the incident response.” In addition to leading companies through all aspects of security incidents, Craig serves as the lead attorney on engagements that include training executive leadership teams on cybersecurity, implementing new security solutions, developing emerging payments strategy, and addressing the challenges of data collection and use.

To learn more about Craig, read his full “Rising Star” profile in Law360.

Wyoming Broadens Data Breach Notification Law

Posted in Data Breach Notification Laws

Wyoming iStock_000003505950_FullWyoming recently joined the list of states passing laws that broaden the scope of their data breach notification laws. On March 2, 2015, Wyoming signed into law two bills (S.F. 35 and S.F. 36) that expand the definition of personally identifiable information (PII) and require additional minimum content requirements for notifications to affected individuals. Specifically, S.F. 36 broadens the scope of the definition of PII to include data containing the first name or first initial and last name of a person in combination with one or more of the following new data elements:

  • Bank account number or credit or debit card number in combination with any security code that would allow access to a financial account;
  • Shared secrets or security tokens that are known to be used for data-based authentication;
  • Username or email address in combination with a password or security questions and answer;
  • Birth or marriage certificate;
  • Medical information, defined as a person’s medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional;
  • Health insurance information, defined as a person’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the person or information related to a person’s application, and claims history; and
  • Unique biometric data used for authentication purposes.

Continue Reading

Global Privacy and Regulatory Compliance Attorney Will Daugherty Joins Privacy and Data Protection Team

Posted in News

Will Daugherty has joined BakerHostetler’s Chambers-ranked Privacy and Data Protection team in our Houston office as counsel. Our award-winning practice is known for effectively managing data security incidents, responding to regulatory investigations, providing risk assessments and compliance counseling, and defending class actions. Daugherty comes to us with eight years of experience at Baker & McKenzie LLP, representing companies in complex government investigations and enforcement actions, as well as parallel class actions and derivative suits. Most recently, he served as senior counsel for GameStop Corporation, the world’s largest video game retailer.

Read the Press Release >>

Bring Your Own Device (Everywhere): Legal and Practical Considerations for International BYOD Programs

Posted in Employment, Information Governance, International Privacy Law, Mobile Privacy, Privacy Litigation, Workplace Privacy

The cross-use of mobile devices for personal and professional purposes, commonly referred to as “Bring Your Own Device” or “BYOD”, is a relatively recent phenomenon that has created a host of legal and practical challenges for organizations of all sizes. Implementing a BYOD program is especially complex for companies that have employees who regularly travel internationally, taking their devices (and corporate data) along with them when they cross borders.

In a recent article published by the Richmond Journal of Law & Technology, Wherever You Go, There You Are (With Your Mobile Device): Privacy Risks and Legal Complexities Associated with International “Bring Your Own Device” Programs, we provide in-depth analysis of a number of key BYOD considerations, including:

  • Current BYOD adoption rates and trends around the world;
  • The tension between organizational control of mobile devices and employee privacy;
  • Existing laws, regulatory guidance, and jurisprudence applicable to BYOD programs;
  • Concerns associated with BYOD in the eDiscovery context; and
  • Approaches to BYOD in France, Germany, Spain, and the United Kingdom.

The article also provides a detailed list of questions and issues for organizations to consider when developing or improving a BYOD program.  For example, would the organization be better served by a “corporate-owned, personally enabled (“COPE”)” or a “corporate-owned, business-only (“COBO”) strategy?  How will the organization address employee separation and device disposal procedures?  And if the organization has operations in the European Union, how may the forthcoming revisions to the EU Data Protection Regulation impact the company’s BYOD program?  Thoughtful consideration of these and the many other issues discussed in the article should help organizations avoid implementation and compliance problems down the road.

Download a PDF of the article.

Editor’s Note: This blog post is a joint submission with BakerHostetler’s Discovery Advocate blog.

BakerHostetler Named Finalist for Chambers USA Awards “Team of the Year”

Posted in Privacy

Our Privacy and Data Protection team has been shortlisted by Chambers and Partners for a Chambers USA Award as “Privacy & Data Security Team of the Year” in recognition of our “outstanding work, strategic growth, and client service excellence” over the past year. We are one of only seven privacy and data security teams in the United States to be nominated. Nominees for the award are determined by research and interviews conducted by 150 full-time editors and researchers at Chambers and Partners. The winner of the award will be announced during the Chambers USA Awards 2015 ceremony on May 19 at Cipriani in New York City.

Our award-winning, cross-disciplinary Privacy and Data Protection team is led by Partners Ted Kobus and Jerry Ferguson and consists of more than 40 lawyers who counsel clients in the U.S. and internationally. We have helped organizations respond to more than 750 privacy incidents and that experience has created a high demand for the comprehensive, proactive compliance counseling we provide. Chambers USA ranked us with “considerable praise” in its 2014 edition and identified us as being “Recommended for Client Service” and “Recommended for Commercial Awareness.” Our team is also ranked in Chambers Global for “USA, Privacy & Data Security.” Law360 recognized us as one of the nation’s best practices, selecting the team as a “Practice Group of the Year” for Privacy in 2013 and 2014. Law360 also has named Kobus and Class Action Defense team leader Paul Karlsgodt as Law360 MVPs for Privacy & Consumer Protection. We have experienced exponential growth in 2014 and 2015 with the addition of high-profile laterals, including Randy Gainer in Seattle; Tanya Forsheit, Scott Koller, and Alan Friel in Los Angeles; Eric Packel in Philadelphia; Melinda McLellan in New York; and, most recently, Will Daugherty in Houston.

Read the Press Release >>

Continue to follow the Data Privacy Monitor for the latest developments in data privacy and information security with comprehensive analysis from BakerHostetler’s Privacy and Data Protection team.


“Like It” or Not, Big Data Decisions Affect Business Valuations

Posted in Big Data

Over the past decade, we have witnessed the emergence of data-driven enterprises, with business models built on the acquisition, use and sale of data. Included in that group are some of the most highly valued companies in the world, such as Facebook and Google. We also have seen more traditional businesses become increasing data dependent, with a majority of enterprises recognizing that they need to maximize the value of their data to compete in the global marketplace.

In our post, “Like It” or Not, Big Data Decisions Affect Business Valuations,” we discuss how business valuations in our modern economy are impacted by how companies govern their use of data and the effect those practices have on their reputations and valuation. Read the full article >>

BakerHostetler Recognized in LA Daily Journal’s Top Appellate Reversals of 2014

Posted in Cybersecurity, Data Breaches

A precedent-setting decision in a class action case alleging privacy violations under California’s Confidentiality of Medical Information Act (CMIA), litigated by our BakerHostetler team, was recognized by the LA Daily Journal as one of the “Top Appellate Reversals of 2014.” The lawsuit was filed against Eisenhower Medical Center (EMC) following the theft of a computer containing patient information. The decision eliminated $500 million in potential damages for EMC and narrowed the definition of “medical information” under the CMIA.

The unencrypted computer, stolen from EMC’s waiting room in 2011, contained the names, ages, birth dates, clerical record numbers, and partial Social Security numbers of more than 500,000 patients. Because CMIA violations provide a remedy of $1,000 per record without the need to demonstrate actual harm, the potential half billion dollars in penalties could have been detrimental to the hospital. However, the Fourth District Court of Appeal held that “medical information” under the CMIA must consist of both a patient’s individually identifiable information combined with a patient’s medical history, and ordered the trial court to grant summary judgment to EMC on its class action CMIA claim.

Continue Reading