Data Privacy Monitor

Commentary on Data Privacy & Information Security Subjects

Craig A. Hoffman

How and Why to Pick a Forensic Firm Before the Inevitable Occurs

Posted in Cybersecurity, Incident Response
A forensic investigation by a security firm often does (and should) drive decision-making in response to an incident. Because the work of a security firm usually drives the critical path of a response, companies can become better prepared to respond quickly and effectively to potential incidents by identifying and onboarding a security firm before an…

2015 BakerHostetler Security Incident Response Report Provides Insight Beyond Technical Incidents

Posted in Cybersecurity, Data Breaches, HIPAA/HITECH, Incident Response, Information Security, Infrastructure, Retail Industry
There is no longer a debate: security incidents are inevitable. Organizations are working to be better prepared to respond when the first sign of an incident is detected (often at 4:30 p.m. on a Friday). So what kind of incidents should they prepare for, and how should they prepare? Annual reports from forensic investigation…

2015 BakerHostetler Incident Response Report Deeper Dive—Retailer Liability Arising from Stolen Payment Cards

Posted in Data Breaches, Incident Response, Retail Industry
We released the inaugural BakerHostetler Data Security Incident Response Report, which provides insights generated from the review of more than 200 incidents that our attorneys advised on in 2014. Over the next four weeks, we will post several blogs that will provide a more in-depth look at certain findings. In this post, we cover one…

BakerHostetler’s First Data Security Incident Response Report Shows Human Error is Most Often to Blame

Posted in Incident Response
We are pleased to announce the release of the first BakerHostetler Data Security Incident Response Report, which provides insights generated from the review of more than 200 incidents that our law firm advised on in 2014. It looks at the nature of the threats faced by companies, as well as detection and response trends, and…

Dear Lawmakers, Your New Breach Notice Laws Should Address These Issues

Posted in Breach Notification, Data Breach Notification Laws
The days of companies being so afraid of the reputational impact of a breach that they would look for any way possible to avoid disclosure are gone. The pendulum has swung in the opposite direction. Now companies, often in the name of being “completely transparent” with their customers, want to disclose incidents as soon as…

FCC Plans $10 Million Cybersecurity Fine Against Two Telecoms

Posted in Cybersecurity
On October 24, 2014, the Federal Communications Commission (“FCC”) took a big step into the cybersecurity regulatory space when it announced its intent to assess a $10 million fine against two telecoms, TerraCom and YourTel America (“Companies”), for failing to protect the privacy of personal information the Companies collected from consumers. According to the FCC,…

Why Worry About a Little Skimmer?

Posted in Retail Industry
Merchants, rightfully so, are worried about securing their payment card environments so that their name does not appear in a headline discussing how millions of cards were stolen from them. Faced with the challenge of evaluating the use of P2PE and tokenization, the conversion necessary to prepare for the October 2015 EMV liability shift, reading the tea…

Secret Service Raises Warning About Backoff POS Malware

Posted in Information Security, Online Privacy, Retail Industry
The Secret Service, which investigates financial crimes, issued a security alert on July 31, 2014, warning of malware named “Backoff” that was being used to steal payment card data from point-of-sale (POS) systems. The alert notes that the attackers often gain initial network access by stealing or brute-forcing the passwords for remote desktop applications (e.g.,…
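
The alert's point about stolen or brute-forced remote desktop passwords describes activity that a merchant's own Windows Security logs record. The following Python is an added example, not part of the original post or of the Secret Service alert: it parses a constructed, simplified rendering of Windows events 4625 (failed logon) and 4624 (successful logon), keeps only logon type 10 (RemoteInteractive, i.e. RDP), flags any source address with five or more failures inside ten minutes, and then checks whether a successful logon from the same address followed the burst. The log format, the sample addresses and user names, and the five-in-ten-minutes threshold are all assumptions chosen for the illustration.

```python
"""
Detect the RDP credential brute-force pattern behind many POS intrusions:
many failed remote-interactive logons from one source, then a success.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system). The format is a
# simplified, pipe-delimited rendering of Windows Security events:
#   timestamp | EventID | LogonType | TargetUserName | IpAddress
# 4625 = failed logon, 4624 = successful logon,
# LogonType 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2014-07-30T02:14:01 | 4625 | 10 | administrator | 203.0.113.7
2014-07-30T02:14:03 | 4625 | 10 | administrator | 203.0.113.7
2014-07-30T02:14:05 | 4625 | 10 | admin | 203.0.113.7
2014-07-30T02:14:08 | 4625 | 10 | pos | 203.0.113.7
2014-07-30T02:14:10 | 4625 | 10 | pos1 | 203.0.113.7
2014-07-30T02:14:12 | 4625 | 10 | support | 203.0.113.7
2014-07-30T02:14:15 | 4624 | 10 | pos1 | 203.0.113.7
2014-07-30T08:01:00 | 4625 | 10 | jsmith | 198.51.100.22
2014-07-30T08:01:30 | 4624 | 10 | jsmith | 198.51.100.22
2014-07-30T09:00:00 | 4625 | 2 | svc_backup | 127.0.0.1
"""

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"
RDP_LOGON_TYPE = "10"


def parse_events(text):
    """Parse the pipe-delimited lines into dicts; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 5:
            continue
        ts, event_id, logon_type, user, ip = parts
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "event_id": event_id,
            "logon_type": logon_type,
            "user": user,
            "ip": ip,
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """
    Return {ip: {"failures", "distinct_users", "success_after_burst"}} for every
    source IP with at least `threshold` failed RDP logons inside `window`.
    success_after_burst is True when a successful RDP logon from the same IP
    follows the burst: the "guess, then log in" sequence that precedes
    malware deployment on a POS host. Threshold and window are assumptions.
    """
    rdp = sorted((e for e in events if e["logon_type"] == RDP_LOGON_TYPE),
                 key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in rdp:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["event_id"] == FAILED_LOGON]
        # Sliding window over the sorted failures: the burst ends at the
        # first failure that completes `threshold` failures within `window`.
        burst_end = None
        for i in range(len(failures)):
            j = i + threshold - 1
            if j < len(failures) and failures[j]["ts"] - failures[i]["ts"] <= window:
                burst_end = failures[j]["ts"]
                break
        if burst_end is None:
            continue
        success_after = any(
            e["event_id"] == SUCCESS_LOGON and e["ts"] >= burst_end for e in evs
        )
        findings[ip] = {
            "failures": len(failures),
            "distinct_users": len({e["user"] for e in failures}),
            "success_after_burst": success_after,
        }
    return findings


if __name__ == "__main__":
    for ip, f in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        verdict = "COMPROMISE LIKELY" if f["success_after_burst"] else "brute-force attempt"
        print(f"{ip}: {f['failures']} failed RDP logons across "
              f"{f['distinct_users']} user names, {verdict}")
```

Run as a script it prints one line per flagged source. In the constructed sample, the address that moved from six failed attempts across five user names to a successful logon is the sequence to treat as a likely compromise, and the host it reached is a candidate for forensic imaging rather than a password reset alone. A single failure followed by a success (the second address) and a non-RDP failure (logon type 2) are left alone. In production the events would come from the event log or a SIEM rather than a string, and the threshold should be tuned to the environment.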

New Guidance for Merchants on Ensuring that Service Providers Share Security Responsibility

Posted in Cybersecurity, Information Security
For merchants, long gone are the days of using a card reader with a dial-up connection to their payment processor. Today’s omni-channel retailers rely on multiple third-party service providers to complete payment card transactions. These third parties (call center operators, payment gateways, loyalty solution providers, managed security services, data-center hosts, mobile app developers, and fraud…

ICYMI – Recording of Managing Cardholder Data Security Risks in an Evolving Payments Landscape Webinar

Posted in Payment Card Industry
BakerHostetler recently hosted a webinar that provided a look back on significant payment card security events that occurred in 2013 and the security, risk mitigation, and customer relations lessons that can be learned from them. The panelists also discussed what the continuing and emerging threats may be in 2014 and how to integrate security into…

January 15 webinar: Managing Cardholder Data Security Risks in an Evolving Payments Landscape

Posted in Payment Card Industry
Please join us from 2–3:30 p.m. ET on January 15 for a webinar that will provide a look back on significant payment card security events that occurred in 2013 and the security, risk mitigation, and customer relations lessons that can be learned from them. We will also discuss what the continuing and emerging threats may…

Visa Loses Motion to Dismiss in Genesco Case – Are the Days for PCI Assessments Numbered?

Posted in Financial Privacy
Co-authored by: Judy Selby
In a highly anticipated decision, a federal court in Tennessee let stand a retailer’s claims against Visa for violation of California’s Unfair Competition Law (UCL) and for common law claims for unjust enrichment and restitution arising out of fines and assessments levied by Visa in the wake of a massive data…

Mobile Apps and Websites Face New COPPA Requirements Starting July 1

Posted in Children’s Privacy, Online Privacy
Authored by: Benjamin D. Pergament
In one month, on July 1, 2013, the Federal Trade Commission’s most recent amendments to its Children’s Online Privacy Protection Act Rule (“COPPA Rule”) will go into effect. These changes include a variety of requirements intended to keep up with advances in technology and how children interact with mobile apps…

Highest Bidder Loses Spoliation Fight in Auction House Data Breach

Posted in Data Breaches
This blog post is a joint submission with BakerHostetler’s Discovery Advocate blog.
Authored by: Karin Scholz Jenson and Ganesh Krishna
A recent case out of the Northern District of Ohio is an unsung victory for proportionality in that the Court twice declined to sanction a plaintiff’s “failure” to forensically image computers where computer logs showing the…

New gTLDs Raise Data Security Concerns

Posted in Online Privacy
Authored by: David A. Einhorn and Alan Pate
ICANN is well on its way to the launch of new generic top-level domains (gTLDs), with the first ones being approved as early as April 23rd. The handful of TLDs currently in use, such as “.com”, “.org”, and “.edu”, may soon be joined by over 1,000 gTLDs…

International Compendium of Data Privacy Laws

Posted in Online Privacy
Privacy and data protection issues confront all organizations, whether you handle employee information, credit card data, sensitive financial information or trade secrets. Securing data is a daunting task that is further complicated by cross-border transfer issues and the differences in privacy laws around the world. These laws are complex and can pose myriad and sometimes conflicting…

APT Threat Report Shows Cybersecurity Risks Not Limited to Identity Theft

Posted in Cybersecurity
We often talk to companies who believe they are an unlikely target for hackers because they do not have financial account information, Social Security numbers, or medical information. However, personal information is not the only item hackers are after. Indeed, the chief of the United States Cyber Command and director of the National Security Agency…