Data Privacy Monitor

Commentary on Data Privacy & Information Security Subjects

Craig A. Hoffman

PayPal Reaches Settlement With Texas Over Venmo Privacy and Security Disclosures

Posted in Financial Privacy
Venmo is a peer-to-peer mobile payments service that PayPal acquired in 2013. Users can transfer money to another person using a mobile or web application (e.g., send money to a friend to split the cost of dinner). On May 20, 2016, Texas Attorney General Ken Paxton announced that Texas had entered into an Assurance of…

Deeper Dive: Merchant Liability Arising from Stolen Payment Cards

Posted in Incident Response, Payment Card Industry
For merchants, accepting payment cards is not really a choice. Many merchants, however, are unaware of how that “choice” subjects them to significant potential liability in the event payment card data from cards swiped at the point-of-sale is stolen from their payment network. Often casually (but incorrectly) referred to as “PCI fines and penalties,” the…

Five Questions Clients Asked Most Often in 2015 About Incident Response

Posted in Incident Response
We provided incident response and incident response preparedness services to hundreds of companies in 2015. The questions we answered were as unique and varied as the incidents companies faced. Some were challenging, and occasionally they were easy to answer (e.g., Can we create a fake employee to sign the notification letter?), but often they were…

How and Why to Pick a Forensic Firm Before the Inevitable Occurs

Posted in Cybersecurity, Incident Response
A forensic investigation by a security firm often does (and should) drive decision-making in response to an incident. Because the work of a security firm usually drives the critical path of a response, companies can become better prepared to respond quickly and effectively to potential incidents by identifying and onboarding a security firm before an…

2015 BakerHostetler Security Incident Response Report Provides Insight Beyond Technical Incidents

Posted in Cybersecurity, Data Breaches, HIPAA/HITECH, Incident Response, Information Security, Infrastructure, Retail Industry
There is no longer a debate – security incidents are inevitable. Organizations are working to be better prepared to respond when the first sign of an incident is detected (often at 4:30 p.m. on a Friday). So what kind of incidents should they prepare for and how should they prepare? Annual reports from forensic investigation…

2015 BakerHostetler Incident Response Report Deeper Dive—Retailer Liability Arising from Stolen Payment Cards

Posted in Data Breaches, Incident Response, Retail Industry
We released the inaugural BakerHostetler Data Security Incident Response Report, which provides insights generated from the review of more than 200 incidents that our attorneys advised on in 2014. Over the next four weeks, we will post several blogs that will provide a more in-depth look at certain findings. In this post, we cover one…

BakerHostetler’s First Data Security Incident Response Report Shows Human Error is Most Often to Blame

Posted in Incident Response
We are pleased to announce the release of the first BakerHostetler Data Security Incident Response Report, which provides insights generated from the review of more than 200 incidents that our law firm advised on in 2014. It looks at the nature of the threats faced by companies, as well as detection and response trends, and…

Dear Lawmakers, Your New Breach Notice Laws Should Address These Issues

Posted in Breach Notification, Data Breach Notification Laws
The days of companies being so afraid of the reputational impact of a breach that they would look for any way possible to avoid disclosure are gone. The pendulum has swung in the opposite direction. Now companies, often in the name of being “completely transparent” with their customers, want to disclose incidents as soon as…

FCC Plans $10 Million Cybersecurity Fine Against Two Telecoms

Posted in Cybersecurity
On October 24, 2014, the Federal Communication Commission (“FCC”) took a big step into the cybersecurity regulatory space when it announced its intent to assess a $10 million fine against two telecoms, TerraCom and YourTel America (“Companies”), for failing to protect the privacy of personal information the Companies collected from consumers. According to the FCC,…

Why Worry About a Little Skimmer?

Posted in Retail Industry
Merchants—rightfully so—are worried about securing their payment card environments so that their name does not appear in a headline discussing how millions of cards were stolen from them. Faced with the challenge of evaluating the use of P2PE and tokenization, the conversion necessary to prepare for the October 2015 EMV liability shift, reading the tea…

Secret Service Raises Warning About Backoff POS Malware

Posted in Information Security, Online Privacy, Retail Industry
The Secret Service, which investigates financial crimes, issued a security Alert on July 31, 2014, warning of malware named “Backoff” that was being used to steal payment card data from point-of-sale (POS) systems. The Alert notes that the attackers often gain initial network access by stealing or brute-forcing the passwords for remote desktop applications (e.g.,…

New Guidance for Merchants on Ensuring that Service Providers Share Security Responsibility

Posted in Cybersecurity, Information Security
For merchants, long gone are the days of using a card reader with a dial-up connection to their payment processor. Today’s omni-channel retailers rely on multiple third party service providers to complete payment card transactions. These third parties—call center operators, payment gateways, loyalty solution providers, managed security services, data-center hosts, mobile app developers, and fraud…

ICYMI – Recording of Managing Cardholder Data Security Risks in an Evolving Payments Landscape Webinar

Posted in Payment Card Industry
BakerHostetler recently hosted a webinar that provided a look back on significant payment card security events that occurred in 2013 and the security, risk mitigation, and customer relations lessons that can be learned from them. The panelists also discussed what the continuing and emerging threats may be in 2014 and how to integrate security into…

January 15 webinar: Managing Cardholder Data Security Risks in an Evolving Payments Landscape

Posted in Payment Card Industry
Please join us from 2-3:30 pm ET on January 15 for a webinar that will provide a look back on significant payment card security events that occurred in 2013 and the security, risk mitigation, and customer relations lessons that can be learned from them. We will also discuss what the continuing and emerging threats may…

Visa Loses Motion to Dismiss in Genesco Case – Are the Days for PCI Assessments Numbered?

Posted in Financial Privacy
Co-Authored by: Judy Selby In a highly anticipated decision, a federal court in Tennessee let stand a retailer’s claims against Visa for violation of California’s Unfair Competition Law (UCL) and for common law claims for unjust enrichment and restitution arising out of fines and assessments levied by Visa in the wake of a massive data…

Mobile Apps and Websites Face New COPPA Requirements Starting July 1

Posted in Children’s Privacy, Online Privacy
Authored by Benjamin D. Pergament In one month, on July 1, 2013, the Federal Trade Commission’s most recent amendments to its Children’s Online Privacy Protection Act Rule (“COPPA Rule”) will go into effect. These changes include a variety of requirements intended to keep up with advances in technology and how children interact with mobile apps…

Highest Bidder Loses Spoliation Fight in Auction House Data Breach

Posted in Data Breaches
This blog post is a joint submission with BakerHostetler’s Discovery Advocate blog. Authored by: Karin Scholz Jenson and Ganesh Krishna A recent case out of the Northern District of Ohio is an unsung victory for proportionality in that the Court twice declined to sanction a plaintiff’s “failure” to forensically image computers where computer logs showing the…