The Weekly Privacy Rewind

Data Breaches

Portable Oxygen Device Maker Inogen Announces Data Breach

• Inogen Inc., which makes portable oxygen devices, reported to the U.S. Securities and Exchange Commission that it experienced a data breach that involved approximately 30,000 current and former customers.

• According to the company’s Form 8-K, sometime between Jan. 2 and March 14, unauthorized individuals gained access to an employee’s email account, which contained personal information belonging to Inogen oxygen rental customers.

• Inogen “is notifying approximately 30,000 current and former customers of this incident and will provide resources, including credit monitoring and an insurance reimbursement policy, to assist them.”

Continue Reading

U.S. Senate Duo and California Ballot Initiative Propose to Radically Alter U.S. Consumer Internet Privacy and Upend Digital Advertising

Amid growing concerns over the improper use of user information and data breaches, and in the same week as the Senate examines the Cambridge Analytica controversy, a duo of U.S. senators who have long advocated for federal consumer privacy legislation seized the moment to propose a bill that would give the Federal Trade Commission (FTC or Commission), for the first time, the authority to promulgate regulations to govern internet publishers’ and service providers’ privacy practices regarding adults and proposes seemingly European Union (EU)-inspired privacy protections, including opt-in consent to broad categories of data use and sharing. If passed, the law, and the FTC regulations to be promulgated under it, could radically alter the internet economy by making it significantly harder for publishers to monetize data to provide more relevant advertising to users, so-called interest-based advertising (IBA), which is the economic underpinning of the business model of the publishers and services that provide their content and services to users for free on an advertiser-supported basis. The proposal actually goes further in some ways than EU law, in that it would prohibit limiting services to users who consent to data use and sharing necessary for IBA, and would give the FTC the authority to determine whether pricing based on “discounts or other incentives in exchange for express affirmative consent” is “reasonable.” Although scores of prior attempts by Congress to pass broad federal consumer privacy legislation have gone nowhere, the circumstances of the moment may have created a tipping point. And even if a federal consumer privacy law fails to get through Congress, a California advocacy group is attempting to qualify a ballot initiative for EU-style privacy laws for the November general election that could also threaten ad-supported digital media.

Continue Reading

The Weekly Privacy Rewind

Class Actions

Uber Data Breach Suits Consolidated in California

• The U.S. Judicial Panel on Multidistrict Litigation has settled on the U.S. District Court for the Central District of California in which to centralize the class actions arising from the data breach that Uber announced in November 2017, involving the personal information of approximately 57 million drivers and riders.

• According to the panel’s transfer order, “California has a significant connection to [the] litigation, as Uber … has its headquarters in [the] state, where much of the common evidence, including witnesses, will be located.” Continue Reading

Deeper Dive: Take Action to Close the Largest Cause of Data Security Incidents – Your Employees

If you work at a typical company, employee actions and inadvertent disclosures present the greatest threat to the security of your data. Therefore, providing proper training and technical safeguards is one of the most important means to enhance your company’s security profile.

In BakerHostetler’s newly-released 2018 Data Security Incident Response Report, we assisted our clients with over 560 incidents, more than a third of which stemmed from phishing incidents in which an employee was tricked by an email message into providing access credentials to an unauthorized party, visiting a phony website, downloading an infected document or clicking on a link that installed malware. Other sizeable incident types also involved employee errors: 17 percent of incidents were inadvertent disclosures and 11 percent were due to stolen or lost devices.

Because people are fallible, training is not enough. Technological safety nets are needed. Companies should consider implementing the following data security measures, which can make it more difficult for criminals to succeed with attacks that prey upon employee vulnerabilities:

Continue Reading

The Weekly Privacy Rewind

Canada

Data Breach Notification Provisions of PIPEDA Act Go Into Effect Nov. 1, 2018

• Pursuant to a March 26, 2018 Order in Council, the mandatory breach notification provisions of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) will become effective on November 1, 2018.

• Under the provisions, organizations must notify affected individuals and Canada’s Office of the Federal Privacy Commissioner about a data breach when the breach creates a “real risk of significant harm to the individual,” which includes, among other things, humiliation, damage to reputation and identity theft.

• Notification must be given as soon as possible after the breach has occurred.

Continue Reading

Deeper Dive: Key findings From Baker Hostetler’s 2018 Data Security Incident Report

In our 2018 Data Security Incident Report, “Building Cyber Resilience: Compromise Response Intelligence in Action,” we identify and analyze the most important trends and takeaways from the more than 560 incidents we handled last year. These incidents affected nearly every industry and impacted anywhere from a single individual to millions of people. Our report distills the lessons learned from those incidents into eight key takeaways for boards, senior management, auditors, IT leaders and general counsel. In this post, we dive a little deeper into the Report’s key findings.

Continue Reading

Connecting the Dots Between Security Practices and Legal Obligations: California’s Connected Devices Bill

Turning on the lights, hearing the weather forecast, learning fun facts, and playing your favorite song in the kitchen are simple when one can give short voice commands to a personal assistant device that is connected to the internet and to other devices in your home. Connected devices are increasingly being used in the home, not just for everyday tasks, but for babysitting children, securing the home, tracking fitness, and acting as marital aids. There are even connected devices marketed for use in the office or while traveling. It’s almost unavoidable to encounter a device that cannot connect to the internet, a smartphone, or other devices. However, as we have reported previously, these devices can present serious privacy and security issues.

In light of these privacy and security issues, U.S. and international regulators alike have published guidance with the goal of standardizing internet of things (“IoT”) device privacy and security. Mandatory regulations, however, are lacking, leaving companies to rely on best practices to minimize privacy and security risks.

Continue Reading

Deeper Dive: Minimizing Risk

For organizations of any size, making sense of the constantly evolving cyber risk landscape can seem daunting. With new threats materializing on a constant basis, it can be difficult for organizations to efficiently allocate resources and respond to security incidents.

In BakerHostetler’s newly-released 2018 Data Security Incident Response Report, we use our experience from more than 560 security incidents to offer some suggestions on how to minimize your cyber risk footprint, including reduced liability following a security breach, lower costs investigating incidents, and a reduced likelihood for lawsuits and regulatory actions in the aftermath. While new threats to systems and data continue to emerge, the means to secure these critical assets and minimize the risk to your organization often comes down to basic hygiene practices that many organizations fail to utilize.

Continue Reading

The Weekly Privacy Rewind

EU/GDPR

GDPR a ‘Learning Curve’ According to CNIL Head Falque-Pierrotin

• Speaking at the Global Privacy Summit of the International Association of Privacy Professionals (IAPP), Commission Nationale de l’Informatique et des Libertés (CNIL) president Isabelle Falque-Pierrotin described GDPR compliance as a “learning curve” for everyone involved, including the regulators.

• Stating that the role of the GDPR regulators was to be “pragmatic and proportionate, Falque-Pierrotin indicated that it’s important to have begun preparing for GDPR and that the regulators would recognize that not everyone will have all of their GDPR compliance programs complete by the GDPR’s go-live date.

• In an added wrinkle, another panel at IAPP focused on managing so-called GDPR derogations, or areas in which GDPR explicitly permits member states to pass laws supplementing GDPR, making compliance exponentially more difficult for companies with operations across the E.U.

Continue Reading

Fourth Annual Data Security Incident Response Report Released – Building Cyber Resilience

On Monday we published our fourth annual Data Security Incident Response Report, which provides an analysis of the more than 560 cyber incidents handled by the team in 2017. Reflecting on the increasingly sophisticated nature of attacks, the aggressiveness by regulators in researching breaches and the expectations of highly developed responses, the report offers intelligence to help entities reduce their risk profile, build resilience, and be better prepared to respond when incidents occur.

While all incidents cannot be prevented, there are measures entities can take to minimize their attack surface and reduce the frequency and severity of incidents. Equally important, given the increase in attacks intended to disrupt operations, is a focus on building cyber resilience for an agile response. It can be hard to know where to begin, especially in an environment of constant change – but taking steps to proactively address these issues is what we call being Compromise Ready.

Continue Reading

LexBlog