Data Privacy Monitor

Commentary on Data Privacy & Information Security Subjects

Category Archives: Information Security

As FCC Flexes New Consumer Protection and Privacy Regulatory Enforcement Muscles Against ISPs, Some Call for Expanded Authority Over Online Services

Posted in Big Data, Information Security, Mobile Privacy
The Federal Communications Commission (FCC) has imposed a record $100M forfeiture against a global telecommunications company for allegedly deceptive promotion of its data plans. The fine comes on the heels of revisions to the FCC's 2010 Open Internet rules that extended its enforcement authority over "telecommunications service" providers to broadband Internet service providers (ISPs). Under…

A Deeper Dive: Regulatory Investigations Following a Reported Breach

Posted in Breach Notification, Incident Response, Information Security
In our inaugural Data Security Incident Response Report (the Report), we found that regulators inquired about a company's breach 31% of the time, and that multistate Attorneys General investigations were launched less than 5% of the time. A post-breach investigation is therefore not a given. Certainly, in large, highly public incidents, companies can expect at least an…

To Err Is Human; to Indemnify, Divine?: Human Foibles in the Cloud

Posted in Data Breaches, Incident Response, Information Security
BakerHostetler’s inaugural Data Security Incident Response Report (the “Report”) concluded that employee negligence and theft were two of the top five causes of data security incidents for the more than 200 incidents that we handled in 2014. Needless to say, this raises some important and concerning questions when it comes to the cloud. We note…

SEC Adopts Rules to Improve Systems Compliance and Integrity

Posted in Information Security
On November 19, 2014, the Securities and Exchange Commission (SEC) unanimously voted to adopt Regulation Systems Compliance and Integrity (Reg SCI), which will govern the technology infrastructure of the U.S.’s securities exchanges and certain other trading platforms and market participants. Reg SCI will replace the SEC’s current Automation Review Policy (ARP). The new…

#Ubergate Makes Plain That Privacy Cannot Be a Passing Thought for Start-Ups

Posted in Information Security, Online Privacy
The long-brewing behind-the-scenes tensions of privacy, big data, and mobile finally came to a head last week in the public relations disaster known as #Ubergate. Uber’s meteoric rise to the pinnacle of the rideshare start-up economy has been fueled in part by its collection and usage of sensitive consumer geolocation information. An Uber executive’s recent…

Indecent Exposure: FTC Obtains Injunctions Against Debt Brokers for Improperly Published Consumer Information

Posted in Information Security
On November 12, 2014, the Federal Trade Commission announced that the District Court for the District of Columbia had entered preliminary injunctions against two debt sellers that, together, had improperly posted the personal information of over 70,000 consumers online. The FTC filed complaints seeking permanent injunctions and other equitable relief against Cornerstone and Co., LLC, and…

Secret Service Raises Warning About Backoff POS Malware

Posted in Information Security, Online Privacy, Retail Industry
The Secret Service, which investigates financial crimes, issued a security alert on July 31, 2014, warning of malware named “Backoff” that was being used to steal payment card data from point-of-sale (POS) systems. The alert notes that the attackers often gain initial network access by stealing or brute-forcing the passwords for remote desktop applications (e.g.,…
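The initial-access technique the alert describes, password brute-forcing against remote desktop services, leaves a recognisable trail in Windows Security logs: a burst of failed logons (event 4625) from one source, sometimes followed by a success (event 4624) from the same source. The detector below is an added example written for this page; it is not code from the original post or from the Secret Service alert. The event lines are constructed for the example, and their simplified key=value layout, the `threshold` and `window` parameters, and the function names are assumptions rather than any vendor's format.

```python
"""Detect RDP password brute-forcing in Windows Security log events.

Added example, not part of the original post or the Secret Service alert.
The event lines below are constructed; the key=value rendering of events
4625 (failed logon) and 4624 (successful logon) is an assumption, not any
product's exact export format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: six failures then a success from one source within
# seconds, plus a benign user who mistypes once and then logs on.
SAMPLE_EVENTS = """\
2014-07-30T02:10:01 EventID=4625 LogonType=10 User=administrator Src=203.0.113.7
2014-07-30T02:10:02 EventID=4625 LogonType=10 User=administrator Src=203.0.113.7
2014-07-30T02:10:03 EventID=4625 LogonType=10 User=admin Src=203.0.113.7
2014-07-30T02:10:04 EventID=4625 LogonType=10 User=pos Src=203.0.113.7
2014-07-30T02:10:05 EventID=4625 LogonType=10 User=pos1 Src=203.0.113.7
2014-07-30T02:10:06 EventID=4625 LogonType=10 User=pos Src=203.0.113.7
2014-07-30T02:10:09 EventID=4624 LogonType=10 User=pos Src=203.0.113.7
2014-07-30T09:00:00 EventID=4625 LogonType=10 User=jsmith Src=192.0.2.25
2014-07-30T09:00:20 EventID=4624 LogonType=10 User=jsmith Src=192.0.2.25
"""

FAILED_LOGON, SUCCESSFUL_LOGON = "4625", "4624"
# Logon type 10 is RemoteInteractive (RDP); type 3 (network) is what RDP
# with Network Level Authentication records for the credential check.
RDP_LOGON_TYPES = {"10", "3"}


def parse_event(line):
    """Turn one constructed 'timestamp key=value ...' line into a dict."""
    ts, *fields = line.split()
    event = {k: v for k, v in (f.split("=", 1) for f in fields)}
    event["ts"] = datetime.fromisoformat(ts)
    return event


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return alerts for RDP brute forcing.

    One 'bruteforce' alert is raised the first time a source accumulates
    `threshold` failed RDP logons inside a sliding `window`; a further
    'bruteforce_success' alert is raised if that source later logs on.
    """
    recent_failures = defaultdict(deque)  # src -> timestamps of failures in window
    flagged_sources = set()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        if event.get("LogonType") not in RDP_LOGON_TYPES:
            continue
        src, ts = event["Src"], event["ts"]
        failures = recent_failures[src]
        if event["EventID"] == FAILED_LOGON:
            failures.append(ts)
            # Drop failures that have aged out of the sliding window.
            while failures and ts - failures[0] > window:
                failures.popleft()
            if len(failures) >= threshold and src not in flagged_sources:
                flagged_sources.add(src)
                alerts.append({"type": "bruteforce", "src": src,
                               "failures": len(failures), "at": ts})
        elif event["EventID"] == SUCCESSFUL_LOGON and src in flagged_sources:
            # A success after a flagged burst is the case that matters most:
            # the password was guessed and the attacker now has a foothold.
            alerts.append({"type": "bruteforce_success", "src": src,
                           "user": event["User"], "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The single failure from 192.0.2.25 never reaches the threshold, so only the 203.0.113.7 burst and its subsequent success are reported. In production the threshold and window should be tuned to the environment, and the source field should be taken from the event's network information rather than from a constructed line as here.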

New Guidance for Merchants on Ensuring that Service Providers Share Security Responsibility

Posted in Cybersecurity, Information Security
For merchants, long gone are the days of using a card reader with a dial-up connection to their payment processor. Today’s omni-channel retailers rely on multiple third-party service providers to complete payment card transactions. These third parties—call center operators, payment gateways, loyalty solution providers, managed security services, data-center hosts, mobile app developers, and fraud…

What Companies Can Do to Protect Themselves in the Face of Yet Another Massive Data Breach

Posted in Cybersecurity, Data Breaches, Information Security, Online Privacy
Last week it was reported that a small group of Russian computer hackers illegally obtained an unprecedented quantity of internet credentials, including 1.2 billion username and password combinations, and over 500 million unique email addresses. The compromised companies have not yet been identified, but it is believed that the information came from over 420,000 websites.…

Major Transformation in Cyber-Liability Insurance is Underway

Posted in Cybersecurity, Information Security
Editor’s Note: the following blog post was authored by Ben Beeson from Lockton Companies LLC.

In the beginning

The emergence of the Internet as a business platform at the end of the nineties also announced the arrival of new risks to organizations. In those early days, there was a widely held belief that the primary concern was operational,…

Florida Gives Breach Notification Statute More Teeth

Posted in Breach Notification, Data Breach Notification Laws, Data Breaches, Identity Theft, Information Security
On June 20, 2014, Florida Governor Rick Scott signed the Florida Information Protection Act of 2014 (“FIPA”), which repeals Florida’s current breach notification statute at Fla. Stat. § 817.5681 and replaces it with a new statute at Fla. Stat. § 501.171 effective July 1, 2014. On the same day, Governor Scott also signed SB…

HHS Attorney: Major HIPAA Fines and Enforcement Coming

Posted in Data Breaches, Enforcement, HIPAA/HITECH, Information Security, Medical Privacy
As regularly covered on the Data Privacy Monitor, the past 12 months have seen record-breaking HIPAA enforcement activity by HHS OCR. But according to recent remarks by a high-ranking HHS attorney, if you thought these past 12 months were significant, just wait for the next 12 months. According to Law360, Jerome B. Meites, Chief…

Iowa Breach Notification Law Now Requires AG Notification, Applies to Paper Records

Posted in Breach Notification, Data Breach Notification Laws, Data Breaches, Identity Theft, Information Security
Iowa recently joined the increasing number of states that require notification of state regulatory authorities following a breach, as well as the handful of states in which paper records can trigger notification obligations. On April 3, 2014, Iowa Governor Terry Branstad signed S.F. 2259 into law, amending Iowa’s Personal Information Security Breach Protection statute (Iowa…

Kentucky Enacts Data Breach Notification Statute

Posted in Breach Notification, Data Breach Notification Laws, Data Breaches, Information Security
On April 10, 2014, Kentucky Governor Steve Beshear signed H.B. 232 into law, making Kentucky the 47th state to enact data breach notification legislation. Prior to H.B. 232, Kentucky was one of only four states—together with Alabama, New Mexico, and South Dakota—that had not adopted data breach notification legislation. H.B. 232 also includes a separate section…

With OpenSSL Compromised by Heartbleed, an Opportunity for Companies to Diversify Cyber Security Efforts

Posted in Data Breaches, Information Security
The recent discovery of the “Heartbleed” bug in the widely used OpenSSL cryptographic library has sent shockwaves through the internet, causing companies and individuals alike to question very basic assumptions about cyber security. The bug had existed for roughly two years, since the release of OpenSSL 1.0.1 in March 2012, and was found only recently, independently by Google security researcher Neel Mehta and by the security firm Codenomicon. Heartbleed renders useless OpenSSL (Open Secure Sockets Layer)…

Privacy Law in a Nutshell

Posted in Cybersecurity, Federal Legislation, Information Security, International Privacy Law, Marketing
BakerHostetler Privacy and Data Protection Partner Erica Gann Kitaev is a co-author of the recently published Privacy Law in a Nutshell, Second Edition, from West Academic Publishing. Legal issues related to privacy are exploding in the U.S., and virtually all businesses face privacy considerations, particularly as technology and the law evolve. The Privacy Nutshell is…

License to Hack? DOJ Seeks Expanded Authority to Use Hacking Techniques

Posted in Cybersecurity, Information Security
As part of its increased focus on combating cybercrime, the U.S. Department of Justice is pushing to loosen the requirements for obtaining search warrants so that its agents have greater freedom to hack into the computers of criminal suspects. Late last year, DOJ submitted a request to modify Federal Rule of Criminal Procedure 41, which governs…

BakerHostetler adds Privacy and Security Pro Randy Gainer to Privacy and Data Protection Team

Posted in Information Security
BakerHostetler is proud to announce that Randy Gainer has joined the firm as partner, resident in the Seattle office and practicing in the Intellectual Property Group, and as a key member of the Privacy and Data Protection team. Gainer’s practice focuses on data breach response, compliance counsel and risk assessment, and computer-related litigation involving intellectual…

Moving Towards a Global Harmonized Approach to Cross-Border Data Transfers?

Posted in Information Governance, Information Security, International Privacy Law, Online Privacy
Today, data can be transferred around the world instantaneously, making the global marketplace seem almost borderless. As any multinational company knows, however, compliance with each country’s data transfer and privacy laws can be onerous. As the U.S. contemplates data protection legislation, the FTC last week announced a joint initiative with agency officials from the European…

Governing Big Data

Posted in Cybersecurity, HIPAA/HITECH, Information Governance, Information Security, Medical Privacy
Sources and volumes of data are growing exponentially. Website clicks, social media, sensors, and card swipes are generating massive amounts of data every second. More and more enterprises are beginning to collect and utilize this Big Data for all kinds of purposes, including improved business intelligence, targeted marketing and fraud detection. With so much attention…

Information Governance – The importance of putting your data house in order

Posted in Information Security
This blog post is a joint submission with BakerHostetler’s Discovery Advocate blog. Information is the lifeblood of businesses today. As the volume of data continues to grow exponentially, intelligent governance of information is essential for enterprises to survive and thrive. Data security concerns, privacy, compliance requirements and the costs of ediscovery all militate toward implementation…

Second Circuit Rejects Strict Liability But Imposes Reasonable Care Standard on Disclosure of Personal Motor Vehicle Information

Posted in Information Security
In a lengthy opinion that closely examined the legislative history of the Driver’s Privacy Protection Act (DPPA), the Second Circuit refused to impose strict liability on data brokers and resellers of personal information sourced from motor vehicle records. Eric Gordon v. Softech, et al., No. 12-661-cv (2d Cir. July 31, 2013). The court did hold, however,…

HHS Office for Civil Rights Hosts Webinar on Final Rule

Posted in HIPAA/HITECH, Information Security, Medical Privacy, Mobile Privacy, Online Privacy
Today, the Department of Health and Human Services, Office for Civil Rights (OCR), joined with the Workgroup for Electronic Data Interchange to host an online seminar discussing the HITECH requirements in the new Final Rule. The presentations covered many points about the Final Rule previously outlined on this blog (see here, here, and here). Rachel Seeger,…