Data Privacy Monitor

Commentary on Data Privacy & Information Security Subjects

Craig Hoffman

FCC Plans $10 Million Cybersecurity Fine Against Two Telecoms

Posted in Cybersecurity
On October 24, 2014, the Federal Communications Commission (“FCC”) took a big step into the cybersecurity regulatory space when it announced its intent to assess a $10 million fine against two telecoms, TerraCom and YourTel America (“Companies”), for failing to protect the privacy of personal information the Companies collected from consumers. According to the FCC, … Continue Reading

Why Worry About a Little Skimmer?

Posted in Credit Card, Retail
Merchants—rightfully so—are worried about securing their payment card environments so that their name does not appear in a headline discussing how millions of cards were stolen from them. Faced with the challenge of evaluating the use of P2PE and tokenization, the conversion necessary to prepare for the October 2015 EMV liability shift, reading the tea … Continue Reading

Secret Service Raises Warning About Backoff POS Malware

Posted in Credit Card, Information Security, Online Privacy, Retail
The Secret Service, which investigates financial crimes, issued a security Alert on July 31, 2014, warning of malware named “Backoff” that was being used to steal payment card data from point-of-sale (POS) systems.  The Alert notes that the attackers often gain initial network access by stealing or brute-forcing the passwords for remote desktop applications (e.g., … Continue Reading

New Guidance for Merchants on Ensuring that Service Providers Share Security Responsibility

Posted in Credit Card, Cybersecurity, Information Security
For merchants, long gone are the days of using a card reader with a dial-up connection to their payment processor. Today’s omni-channel retailers rely on multiple third party service providers to complete payment card transactions. These third parties—call center operators, payment gateways, loyalty solution providers, managed security services, data-center hosts, mobile app developers, and fraud … Continue Reading

ICYMI – Recording of Managing Cardholder Data Security Risks in an Evolving Payments Landscape Webinar

Posted in Payment Card Industry
BakerHostetler recently hosted a webinar that provided a look back on significant payment card security events that occurred in 2013 and the security, risk mitigation, and customer relations lessons that can be learned from them.  The panelists also discussed what the continuing and emerging threats may be in 2014 and how to integrate security into … Continue Reading

January 15 webinar: Managing Cardholder Data Security Risks in an Evolving Payments Landscape

Posted in Payment Card Industry
Please join us from 2-3:30 pm ET on January 15 for a webinar that will provide a look back on significant payment card security events that occurred in 2013 and the security, risk mitigation, and customer relations lessons that can be learned from them. We will also discuss what the continuing and emerging threats may … Continue Reading

Visa Loses Motion to Dismiss in Genesco Case – Are the Days for PCI Assessments Numbered?

Posted in Financial Privacy
Co-Authored by: Judy Selby
In a highly anticipated decision, a federal court in Tennessee let stand a retailer’s claims against Visa for violation of California’s Unfair Competition Law (UCL) and for common law claims for unjust enrichment and restitution arising out of fines and assessments levied by Visa in the wake of a massive data … Continue Reading

Mobile Apps and Websites Face New COPPA Requirements Starting July 1

Posted in COPPA, Online Privacy
Authored by Benjamin D. Pergament
In one month, on July 1, 2013, the Federal Trade Commission’s most recent amendments to its Children’s Online Privacy Protection Act Rule (“COPPA Rule”) will go into effect. These changes include a variety of requirements intended to keep up with advances in technology and how children interact with mobile apps … Continue Reading

Highest Bidder Loses Spoliation Fight in Auction House Data Breach

Posted in Data Breaches
This blog post is a joint submission with BakerHostetler’s Discovery Advocate blog.
Authored by: Karin Scholz Jenson and Ganesh Krishna
A recent case out of the Northern District of Ohio is an unsung victory for proportionality in that the Court twice declined to sanction a plaintiff’s “failure” to forensically image computers where computer logs showing the … Continue Reading

New gTLDs Raise Data Security Concerns

Posted in Online Privacy
Authored by: David A. Einhorn and Alan Pate
ICANN is well on its way to the launch of new generic top-level domains (gTLDs) with the first ones being approved as early as April 23rd. The handful of TLDs currently in use, such as “.com”, “.org”, and “.edu”, may soon be joined by over 1000 gTLDs … Continue Reading

International Compendium of Data Privacy Laws

Posted in Miscellaneous, Online Privacy
Privacy and data protection issues confront all organizations—whether you handle employee information, credit card data, sensitive financial information or trade secrets. Securing data is a daunting task that is further complicated by cross-border transfer issues and the differences in privacy laws around the world. These laws are complex and can pose myriad and sometimes conflicting … Continue Reading

APT Threat Report Shows Cybersecurity Risks Not Limited to Identity Theft

Posted in Cybersecurity
We often talk to companies who believe they are an unlikely target for hackers because they do not have financial account information, Social Security numbers, or medical information.  However, personal information is not the only item hackers are after.  Indeed, the chief of the United States Cyber Command and director of the National Security Agency … Continue Reading

Magistrate Recommends Dismissal with Prejudice of Claims Against Global Payments

Posted in Payment Card Industry, Privacy Class Actions
Global Payments, which processes credit card transactions, announced on March 30, 2012 that an unauthorized person gained access to a portion of its processing system.  Global Payments later disclosed that Track 2 data (card number, expiration date, verification code but not cardholder name or address) of 1.5 million cardholders were taken.  Three individuals brought a … Continue Reading

Recorded Webinar: New Cybersecurity Executive Order

Posted in Cybersecurity
President Obama has declared that the “cyber threat is one of the most serious economic and national security challenges we face as a nation” and that “America’s economic prosperity in the 21st century will depend on cybersecurity.” In an increasingly interconnected and interdependent world, the threats posed by … Continue Reading

Do Merchants That Outsource Payment Processing Still Have Risk From a Breach?

Posted in Data Breaches, Payment Card Industry
Last week a small New England bakery announced that its point-of-sale (POS) devices were infected with malware that may have put card data at risk.  The bakery’s letter to its customers stressed that it did not store card data on its computer systems, but the malware allowed an unauthorized person to gather card data as … Continue Reading

Proposed FFIEC Guidance on Financial Institution Social Media Use

Posted in Financial Privacy, Social Media
The Federal Financial Institutions Examination Council (FFIEC) released for comment on January 17 its proposed Social Media: Consumer Compliance Risk Management Guidance.  There is a 60-day comment period.  The purpose of the guidance is to help banks, savings associations, credit unions, and non-bank entities supervised by the Consumer Financial Protection Bureau (CFPB) understand and address … Continue Reading

2012 Payments Systems Year-in-Review

Posted in Payment Card Industry
The interchange fee and the potential of mobile payments were the dominant payment system issues in 2012.  From a landmark antitrust settlement to seemingly daily announcements of a new prepaid or mobile payment product, there was plenty of activity in 2012.  However, following opt-outs and objections to the settlement, the rise-and-fall of new products, and … Continue Reading

Recent Trends in Class Actions for Telephone and Fax Solicitation and Advertising

Posted in Privacy, Privacy Class Actions
Authorship Credit: Justin T. Winquist
Editor’s Note: This post is a joint submission to BakerHostetler’s Class Action Lawsuit Defense blog.
Class actions under the Telephone Consumer Protection Act (TCPA), 47 U.S.C. § 227, continue to be an active trend in consumer and privacy class action litigation. The TCPA, which was historically called the “fax blast” statute, … Continue Reading

Bank Agrees to Reimburse Company for Funds Taken Through Online Bank Account Theft

Posted in Financial Privacy
We reported in July on a First Circuit Court of Appeals decision finding that a bank failed to implement commercially reasonable security methods to prevent unauthorized transfers by a criminal that gained the online banking credentials of a construction company.  The criminal was able to steal $345,000 from the construction company’s account.  It was then reported on … Continue Reading

The NLRB Finds No Protected Activity Involved Where Employee is Fired for a Facebook Posting

Posted in Social Media
Authorship credit: Jay Seegers
Like many people, Robert Becker, a salesperson at Karl Knauz Motors’ BMW dealership in Chicago, had his own Facebook page. When the BMW dealership served hot dogs, chips, and bottled water at an event to introduce a new BMW vehicle, Mr. Becker posted sarcastic comments questioning whether the dealership’s choice of … Continue Reading