Data Privacy Monitor

Commentary on Data Privacy & Information Security Subjects

Category Archives: Cybersecurity

Illinois Enacts Sweeping Changes to the Illinois Personal Information Protection Act

Posted in Cybersecurity
On May 6, 2016, Illinois joined a growing number of states that have strengthened their data breach notification requirements and expanded the definition of protected personal information. Effective January 1, 2017, HB1260 amends the Illinois Personal Information Protection Act (PIPA) to broaden the definition of protected personal information, which will now include an individual’s first…

What Companies Need to Know About Cyber Threat Information Sharing Under CISA

Posted in Cybersecurity
Cyber threat information sharing has the potential to provide numerous benefits for organizations (both public and private) faced with cyberattacks, which are increasing in frequency and sophistication. Cyber threat information sharing can enable organizations to enhance their cyber preparedness and defenses by leveraging the knowledge and experience of a broader community and improve their awareness…

Deeper Dive: Plan for Regulatory Scrutiny in Financial Services Data Security Incidents

Posted in Cybersecurity, Financial Privacy
Financial services industry companies were involved in 18% of the over 300 data security incidents we helped manage in 2015, and reported in our 2016 BakerHostetler Data Security Incident Response Report (the “Report”). After healthcare, the financial services industry was the second most affected industry according to the data we reported. It is not surprising…

Mobile Apps That Appeal to Children Face Increased Regulatory Scrutiny

Posted in Children’s Privacy, Cybersecurity
In September 2015, the Online Interest-based Advertising Accountability Program (Accountability Program) of the Advertising Self-regulatory Council (ASRC) began enforcing the Digital Advertising Alliance (DAA) Guidelines for Mobile Advertising (Mobile Guidance) and now the inevitable has happened: the Accountability Program has issued three compliance decisions with mobile app publishers whose apps allegedly failed to comply with…

New Cop on the Block – FCC’s Proposed Data Privacy and Security Rulemaking for Broadband Internet Access Providers

Posted in Cybersecurity
In 2015, the Federal Communications Commission (FCC or the Commission) issued its Open Internet Order, applying Section 222 of the federal Communications Act to broadband Internet access services (BIAS), and in doing so took jurisdiction over privacy and data security matters for Internet Service Providers (ISPs). At the same time, it declined requests by some advocacy…

Internet Service Providers Face New Regulatory Environment in the FCC’s Privacy and Security Proposal

Posted in Cybersecurity
On March 31, 2016, the Federal Communications Commission (FCC) issued a Notice of Proposed Rulemaking (NPRM) of privacy and security regulations for Internet service providers (ISPs). The NPRM, In The Matter of Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, available here, is intended to apply privacy requirements of the federal Communications…

Deeper Dive: Human Error Is to Blame for Most Breaches

Posted in Cybersecurity, Incident Response, Online Privacy
Each year, as companies implement the latest security technologies, attackers develop and launch new tactics, techniques, and procedures to circumvent those technologies. While investment in security defense and detection technologies is an essential component to building an effective defense-in-depth strategy, the reality is that most breaches can be traced back to human error. In our…

New Take on Old Phishing Scam Wreaking Havoc on HR Departments

Posted in Cybersecurity
From would-be Nigerian princes to foreign lottery officials, cybercriminals have been known to assume all sorts of false identities to carry out email phishing scams that trick unsuspecting consumers into clicking on fraudulent links or divulging personal information to strangers. We often see a spike in this type of activity around tax season, when fraudsters…

Legal Developments in Connected Car Arena Provide Glimpse of Privacy and Data Security Regulation in Internet of Things

Posted in Cybersecurity, Online Privacy
With the holiday season in the rear view, automobiles equipped with the newest technology connecting carmakers with their vehicles, vehicles with the world around them, and drivers with the consumer marketplace – Connected Cars – have moved from the lots to driveways. Automakers are remaking their fleets to offer unprecedented choice and convenience to drivers…

Encryption: The Battle Between Privacy and Counterterrorism

Posted in Cybersecurity
For privacy advocates, it is universally accepted that encryption is a very good thing. After all, encrypted data is deemed a safe harbor under HIPAA and state breach-notification laws, providing an “out” from potential fines and penalties when an encrypted device is lost that contains sensitive health or other personal information. In addition to encouraging…

The CFTC’s Proposed Standards Identify Cybersecurity Best Practices

Posted in Cybersecurity
The Commodity Futures Trading Commission (CFTC) offered several reasons for proposing five new cybersecurity testing requirements for the commodity trading platforms it regulates in its December 23, 2015, Notice of Proposed Rulemaking: More than half of the securities exchanges surveyed in 2013 reported that they had been the victim of cyberattacks. 80 Fed Reg. at…

Incident Response Tip: Five Ways to Improve Information Security and Reduce the Impact of a Data Breach

Posted in Cybersecurity, Incident Response
The new year will arrive in a few short days and when the bell tolls, it will mark the end of another extremely active year of data breaches. High-profile breaches such as Anthem, Ashley Madison, and the Office of Personnel Management serve as a reminder that it is a matter of when, not if, your…

EU’s Network and Information Security Directive: Regulating “operators of essential services” and “digital service providers”

Posted in Cybersecurity
The European Union continues to move forward with a proposed unified framework to strengthen network and information security systems across its member countries. On December 18, 2015, the Permanent Representatives Committee (Coreper) approved a provisional agreement reached on December 7, 2015, by the European Parliament and European Council on the Network and Information Security Directive…

Disregard CISA Chicken Littles: CISA Boosts U.S. Cyber Defense While Protecting Privacy

Posted in Cybersecurity
Yes: the Cyber Information Sharing Act of 2015 (CISA) was slipped into the must-pass Omnibus Spending Bill last week by House negotiators and became law on Friday. No: despite protestations from some quarters, the sky has not fallen on our personal privacy. Although critics decry CISA for providing the National Security Agency (NSA) with a…

What the FTC’s Settlement With Wyndham Means for Your Company

Posted in Cybersecurity, Data Breaches
The recent settlement entered into between the Federal Trade Commission (FTC) and Wyndham Hotels and Resorts and related companies (Wyndham) provides an important roadmap for companies seeking to avoid running afoul of the FTC’s regulation of data security. In particular, this settlement, as embodied in a Consent Order entered by the Court, provides Wyndham Hotels and…

New York Department of Financial Services Sets Forth Extensive Cybersecurity Regulatory Framework Proposal

Posted in Cybersecurity, Information Security
On November 9, 2015, the New York State Department of Financial Services (NYDFS) issued a letter to the members of the Financial and Banking Information Infrastructure Committee (FBIIC) detailing a new cybersecurity framework proposal for “covered entities,” or financial institutions regulated by NYDFS. The framework builds on data from NYDFS reports surveying cybersecurity programs from…

Threat Intelligence Tools Help Defend Networks

Posted in Cybersecurity
Threat intelligence services provide information about the identities, motivations, characteristics, and methods of attackers. See Rob McMillan, Khushbu Pratap, “Market Guide for Security Threat Intelligence Services,” 3, Gartner (October 14, 2014). “Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets to…

How and Why to Pick a Forensic Firm Before the Inevitable Occurs

Posted in Cybersecurity, Incident Response
A forensic investigation by a security firm often does (and should) drive decision-making in response to an incident. Because the work of a security firm usually drives the critical path of a response, companies can become better prepared to respond quickly and effectively to potential incidents by identifying and onboarding a security firm before an…

Challenging FTC Regulation of Cyber-security After FTC v. Wyndham

Posted in Cybersecurity
The Third Circuit interlocutory decision in Federal Trade Commission v. Wyndham Worldwide Corporation was widely reported as a big win for the Federal Trade Commission (“FTC”). But on closer examination, it was a split decision in which Wyndham Worldwide Corporation (“Wyndham”) can claim an important victory. While affirming the FTC’s authority to regulate cyber-security practices…

NAIC Adopts Cybersecurity Bill of Rights

Posted in Cybersecurity
The National Association of Insurance Commissioners (“NAIC”) continued its efforts to advance cybersecurity in the insurance industry when it recently adopted the Cybersecurity Bill of Rights. The Cybersecurity Bill of Rights provides a set of directives for insurance companies to follow that are aimed at protecting the data of consumers. The Cybersecurity Bill of Rights…

Colleges and Universities Are Prime Cyberattack Targets: What’s Behind the Threat?

Posted in Cybersecurity, Incident Response
When it comes to cyberattack targets, many think of retailers and associated credit card transactions or customer information, or perhaps healthcare providers with their ever-increasing storage and transmission of electronic information related to patients. But colleges and universities are increasingly under siege from hackers. In fact, the education sector, according to recent reports, comes in…

CA AG Requires Chief Privacy Officer and Privacy Compliance Program

Posted in Cybersecurity, Enforcement
California’s Attorney General, Kamala Harris, has required Houzz, a home décor information and e-commerce website and mobile app publisher, to hire a chief privacy officer (CPO), conduct a company-wide privacy assessment, and maintain a privacy compliance program to settle a lawsuit that alleged Houzz failed to follow California law that requires disclosure of the recording…

The SEC OCIE Announces Increased Scrutiny of Broker-Dealers’ and Investment Advisers’ Cybersecurity Programs

Posted in Cybersecurity
On September 15, 2015, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) issued a National Exam Program Risk Alert (2015 Risk Alert) to provide broker-dealers and investment advisers with information on the focus areas of its upcoming round of cybersecurity examinations. OCIE is building on its previous cybersecurity examinations to increase…