Avoiding Management Struggles When it Comes to Data Breaches: Part 8

The best way for a company to handle a data breach is to be prepared. As we discuss in our data breach readiness handbook, preparation includes, among other things, drafting an incident response plan, reviewing cyber-insurance, reviewing contractual obligations with business partners, having relationships to help investigate security incidents, and training your incident response teams.

Preparation also requires anticipating decision-points that are likely to arise in a breach. Our clients often ask to look back at the approximately 600 data security incidents and breaches that we have handled over the years and identify the decision-points that are most difficult. …

Avoiding Management Struggles When it Comes to Data Breaches: Part 7

The best way for a company to handle a data breach is to be prepared. As we discuss in our data breach readiness handbook, preparation includes, among other things, drafting an incident response plan, reviewing cyber-insurance, reviewing contractual obligations with business partners, having relationships to help investigate security incidents, and training your incident response teams.

Preparation also requires anticipating decision-points that are likely to arise in a breach. Our clients often ask to look back at the approximately 600 data security incidents and breaches that we have handled over the years and identify the decision-points that are most difficult. …

Avoiding Management Struggles When it Comes to Data Breaches: Part 6

The best way for a company to handle a data breach is to be prepared. As we discuss in our data breach readiness handbook, preparation includes, among other things, drafting an incident response plan, reviewing cyber-insurance, reviewing contractual obligations with business partners, having relationships to help investigate security incidents, and training your incident response teams.

Preparation also requires anticipating decision-points that are likely to arise in a breach. Our clients often ask to look back at the approximately 600 data security incidents and breaches that we have handled over the years and identify the decision-points that are most difficult. …

Avoiding Management Struggles When it Comes to Data Breaches: Part 5

The best way for a company to handle a data breach is to be prepared. As we discuss in our data breach readiness handbook, preparation includes, among other things, drafting an incident response plan, reviewing cyber-insurance, reviewing contractual obligations with business partners, having relationships to help investigate security incidents, and training your incident response teams.

Preparation also requires anticipating decision-points that are likely to arise in a breach. Our clients often ask to look back at the approximately 600 data security incidents and breaches that we have handled over the years and identify the decision-points that are most difficult. …

Avoiding Management Struggles When it Comes to Data Breaches: Part 4

The best way for a company to handle a data breach is to be prepared. As we discuss in our data breach readiness handbook, preparation includes, among other things, drafting an incident response plan, reviewing cyber-insurance, reviewing contractual obligations with business partners, having relationships to help investigate security incidents, and training your incident response teams.

Preparation also requires anticipating decision-points that are likely to arise in a breach. Our clients often ask to look back at the approximately 600 data security incidents and breaches that we have handled over the years and identify the decision-points that are most difficult. …

Avoiding Management Struggles When it Comes to Data Breaches: Part 3

The best way for a company to handle a data breach is to be prepared. As we discuss in our data breach readiness handbook, preparation includes, among other things, drafting an incident response plan, reviewing cyber-insurance, reviewing contractual obligations with business partners, having relationships to help investigate security incidents, and training your incident response teams.

Preparation also requires anticipating decision-points that are likely to arise in a breach. Our clients often ask to look back at the approximately 600 data security incidents and breaches that we have handled over the years and identify the decision-points that are most difficult. …

Avoiding Management Struggles When it Comes to Data Breaches: Part 2

The best way for a company to handle a data breach is to be prepared. As we discuss in our data breach readiness handbook, preparation includes, among other things, drafting an incident response plan, reviewing cyber-insurance, reviewing contractual obligations with business partners, having relationships to help investigate security incidents, and training your incident response teams.

Preparation also requires anticipating decision-points that are likely to arise in a breach. Our clients often ask to look back at the approximately 600 data security incidents and breaches that we have handled over the years and identify the decision-points that are most difficult. …

Responding To National Security Letters That Ask For Personal Information

National Security Letters (“NSLs”) refer to a collection of statutes that authorize certain government agencies to obtain information and simultaneously impose a secrecy obligation upon the recipient of the letter.

Four statutes permit government agencies to issue NSLs: (1) the Electronic Communications Privacy Act, (2) the Right to Financial Privacy Act, (3) the National Security Act, and (4) the Fair Credit Reporting Act. Although differences exist between the NSLs issued under each statute, in general, all of the NSLs permit a requesting agency to prevent an organization that receives the NSL from disclosing the fact that it received the request, or the type of information that was requested, if disclosure may result in a danger to national security, interfere with a criminal, counterterrorism, or counterintelligence investigation, interfere with diplomatic relations, or endanger the life or physical safety of a person. …

Third-Party Vendor Management Programs

Third-party service providers present difficult and unique privacy and cybersecurity challenges. Vendor management is important throughout the life of a relationship with your service provider. Vendor diligence starts during the vendor selection process, continues through contract negotiation, and ends when the parties terminate their relationship. The goal is to effectively improve the service your vendors provide and mitigate the risk inherent in the vendor relationship. …

Healthcare Business Associates

The Health Information Technology for Economic and Clinical Health (“HITECH”) Act modified the Health Insurance Portability and Accountability Act (“HIPAA”) by expanding the definition of Business Associates (“BA”) and their responsibilities and liabilities. …

Organizing Data Privacy Within A Company

Although organizations have dealt with privacy issues for years, only in the past decade have they begun to view the complexities of privacy as requiring formal organizational structure, dedicated employees, and/or dedicated resources. While in some organizations “privacy” falls within the ambit of the legal department, other organizations have created offices that are focused solely on privacy issues and that report to a Chief Privacy Officer (“CPO”). There is little commonality in how these offices are staffed, funded, or organized. For example, while some CPOs report directly to senior management, others report through a General Counsel or a Chief Compliance Officer. …

Companies Perceived By The FTC as Top Violators

As discussed in previous articles, the FTC collects complaints about organizations that allegedly violate the data privacy, data security, advertising, and marketing laws.

Each month the FTC creates a “Top Violators” report that ranks the fifty organizations with the greatest volume of consumer complaints. The report indicates whether each organization listed was included in the previous month’s report, whether its rank has changed, and the number of complaints received by the FTC that month. For organizations that are new to the report, the FTC reviews their complaints and summarizes the issue, or issues, that have been raised by consumers. …

Ten Practical Steps Companies Should Take to Implement GDPR

For those looking to implement GDPR ahead of time, here’s a quick round up of the steps you should be looking to take.

With the regulation only going into force on 25 May 2018, there is still time to implement GDPR. Below are ten practical steps to help your company become compliant. …

Credit Card Breaches: A How-To Guide

For most retailers credit cards are the primary form of the payments that they receive. Accepting credit cards, however, carries significant data security risks and potential legal liability. In addition to the normal repercussions of a data security breach – e.g., reputation damage, the risk of class action litigation, and the risk of a regulatory investigation – if a retailer’s credit card system is compromised the retailer may be contractually liable to its payment processor, its merchant bank, and ultimately the payment card brands (e.g., VISA, MasterCard, Discover, and American Express). In many cases that contractual liability surpasses any other financial obligation that arises from the breach. The following provides a snapshot of information concerning credit card breaches.

Vehicle Event Data Recorders

Event data recorders, also known as “black boxes” or “sensing diagnostic modules,” capture information such as the speed of a vehicle and the use of a safety belt. In the event of a collision this information can be used to help understand how the vehicle’s systems performed. In December of 2012, the National Highway Traffic Administration proposed a rule that would require automakers to install event data recorders in all new light passenger vehicles. Although the proposed rule would have required manufacturers to install the devices beginning in 2014, the rule was never finalized. Nonetheless, some estimates indicate that most passenger cars are already equipped by manufacturers with event data recorders. …

Negotiating Payment Processing Agreements: A How-To Guide

Credit cards are the primary form of payment received by most retailers. In order to process a credit card a retailer must enter into an agreement with a bank and a payment processor. Payment processing agreements often have significant impacts on a retailer’s financial liability in the event of a data breach. In many cases, the contractual liabilities that flow from a payment processing agreement surpass all other financial liabilities that arise from a data breach including the cost to investigate an incident, defend litigation, and defend a regulatory investigation. The following provides a snapshot of information concerning payment processing agreements. …

Security Due Diligence In A Merger Or Acquisition: A How-To Guide

The FTC can hold an acquirer responsible for the bad data security practices of a company that it acquires. Evaluating a potential target’s data security practices, however, can be daunting and complicated by the fact that many “data” issues arise months, or years, after a transaction has closed. For example, the FTC has investigated data security breaches and unlawful data collection practices that occurred years before the company was acquired, but were discovered months after a transaction closed. The following provides a snapshot of information concerning hacking. …

Privacy Due Diligence In A Merger Or Acquisition: A How-To Guide

The FTC can hold an acquirer responsible for the bad data privacy practices of a company that it acquires. Evaluating a target’s data privacy practices, however, can be daunting and complicated by the fact that many “data” issues are first identified months, or years, after a transaction has closed. For example, although it is relatively easy to read a potential target’s privacy policies it is far more difficult to verify that the policy is accurate or complete. The following provides a snapshot of information concerning privacy violation penalties. …

Credit Cards and the Payment Card Industry Data Security Standard

For most retailers the primary source of revenue comes from credit card transactions. In order to accept credit cards, a retailer must enter into a contractual agreement with a payment processor and a merchant bank. As discussed in previous sections, those agreements typically require that the retailer represent and warrant its compliance with the Payment Card Industry Data Security Standard (“PCI DSS”). Alternatively, they require a representation and warranty that the retailer complies with the rules of the payment card brands (i.e., American Express, Discover, MasterCard, and Visa), and some of the payment brand rules could be interpreted as requiring that a retailer be compliant with the PCI DSS. …

Passing Data Between Retailers To Facilitate Transactions: A How-To Guide

Online retailers often learn information about a consumer that may be used by them to help identify other products, services, or companies that may be of interest to the consumer. For example, if a person purchases an airplane ticket to Washington DC, the person may want information about hotels, popular restaurants, or amenities at the airport. …

Class Action Litigation Trends: A How-To Guide

There is a great deal of misunderstanding concerning data security breach-related class actions. In large part the media and the legal media have exaggerated the quantity (and success) of class action litigation. …

Fingerprint Identification Technology: A How-To Guide

Fingerprint identification technology uses fingerprints to uniquely identify individuals. The technology has been used by law enforcement agencies for decades, and dozens of statutes regulate when government agencies may collect fingerprints, how they are permitted to use them, and with whom they can be shared. Advances in fingerprint recognition software have led some private entities to begin using the technology to authenticate consumers. For example, some mobile devices have integrated fingerprint recognition technology to replace, or supplement, passwords or pass codes. Some employers are also using fingerprint recognition technology to increase the accuracy and efficiency of employee timekeeping systems. …

Cybersecurity Disclosures: A How-To Guide

In October of 2011, the U.S. Securities and Exchange Commission (“SEC”) issued guidance regarding a public company’s obligations to disclose cybersecurity risks and cyber incidents (the “Cybersecurity Disclosure Guidance”). The Cybersecurity Disclosure Guidance applies to all SEC registrants and relates to disclosures under the Securities Act of 1933 and the Securities Exchange Act of 1934. …

Facial Recognition Technology: A How-To Guide

Facial recognition technology uses algorithms that map facial features – such as the distance between a person’s eyes, or the width of a person’s nose – and compares those features to a database of known individuals. Organizations may use the technology for security (e.g., cameras that “ID” employees or criminals), marketing to consumers (e.g., cameras that “ID” particular customers), or designing products that quickly categorize digital media (e.g., photograph sorting). …

Data Breach Notification Laws: A How-To Guide

Although Congress has attempted to agree on federal data breach notification legislation, there is no national data breach notification law that applies to most companies. Instead, 48 states, plus the District of Columbia, Puerto Rico, Guam, and the Virgin Islands, have each enacted their own statutes addressing an organization’s notification obligations in the wake of a data breach involving personal information. The only states without such laws are Alabama and South Dakota, although their citizens may be covered in some situations by the data breach laws of other states. …

Collecting Information From Children: A How-To Guide

There are relatively few restrictions on collecting information from children off-line. Efforts to collect information from children over the internet, however, are regulated by the Children’s Online Privacy Protection Act (“COPPA”). Among other things, COPPA requires that a website obtain parental consent prior to collecting information, post a specific form of privacy policy that complies with the statute, safeguard the information that is received from a child, and give parents certain rights, like the ability to review and delete their child’s information. COPPA also prohibits companies from requiring that children provide personal information in order to participate in activities, such as on-line games or sweepstakes. …

Reputation Management: A How-To Guide

The reputational injury following a data breach can be severe. Indeed, reputational injury – including lost customers – often surpasses legal liability. Effective management of the reputational impact of a data security incident requires a proactive and reactive strategy. The proactive strategy assumes that the organization will control when, and what, information will be conveyed to the public, media, and impacted consumers. For many organizations the proactive strategy that they choose is to wait until their investigation of an incident is complete so that they can provide the public with the most accurate and meaningful information. …

Separating Fact from Fiction: Understanding, Providing for, and Mitigating the Actual Liabilities of a Cyber Attack

April 26, 2017 (12:00 noon ET)

There are numerous data privacy and security laws, and considerable disinformation concerning the legal liabilities associated with their non-compliance. One of the most poorly understood areas by attorneys involves the costs that a security/privacy event may have on their clients, or organizations, in terms of legal liabilities, first party expenditures and reputation. This program by David Zetoony and Tim Burke, Director of Cyber Risk at IMA, Inc., will discuss how an attorney can help a client identify and quantify the various legal risks involved with privacy and data security, and how to take steps to mitigate and deal with those liabilities.

For more information or to register, click here.

Credit Monitoring Services: A How-To Guide

Organizations are not, generally, required to offer services to consumers whose information was involved in a breach. Nonetheless, many organizations choose to offer credit reports (i.e., a list of the open credit accounts associated with a consumer), credit monitoring (i.e., monitoring a consumer’s credit report for suspicious activity), identity restoration services (i.e., helping a consumer restore their credit or close fraudulently opened accounts), and/or identity theft insurance (i.e., defending a consumer if a creditor attempts to collect upon a fraudulently opened account and reimbursing a consumer for any lost funds). In addition, if you do offer one of these services, a 2014 California statute and a 2015 Connecticut law prohibit you from charging the consumer for them. …

Are Radio Waves Coming From My Wallet? The Privacy and Security Issues Involved With RFID Technology

Radio Frequency Identification (“RFID”) technology uses electromagnetic fields to transfer data. RFID systems typically operate by attaching tags to objects, devices, or cards. Some tags can be powered by a local power source, such as a battery (“active RFID”). Their local power source permits them to transmit a signal that may be registered hundreds of meters from an RFID reader. Other tags do not have a local power source and are instead powered by electromagnetic induction from the magnetic fields that are produced by a RFID reading device in close proximity (“passive RFID”). …

Selecting a Forensic Investigator: A How-To Guide

Many competent IT departments lack the expertise, hardware, or software to preserve evidence in a forensically sound manner and to thoroughly investigate a security incident. In-house counsel needs to be able to recognize such a deficiency quickly – and before evidence is lost or inadvertently destroyed – and retain external resources to help collect and preserve electronic evidence and investigate the incident. …

Zetoony Quoted in ‘MLex’

Boulder Partner David Zetoony was quoted March 22 in MLex regarding the increase in data breaches for healthcare providers. In the last five years, the percentage of healthcare data breaches due to computer hacking, by both criminal cyber attackers and state-sponsored actors, rose from 1.7 percent to 80.7 percent. In the past few years, more regulators have entered the data security field, though the risks of being hacked are more financial than regulatory. The U.S. Department of Health and Human Services (HHS) collects breach data and issues security guidelines in areas such as risk analysis, remote use, and ransomware. “The larger story is that more regulators have entered the fold,” said Zetoony. “[HHS] didn’t exist in this space six or seven years ago, and now they are here.”

Knowing Where You Are, When You Are: Creepy or competitive? The privacy and security issues involved with geo-location tracking

Smartphones, smartphone apps, websites, and other connected devices (e.g., “wearables”) increasingly request that consumers provide their geo-location information. Geo-location information can refer to general information about a consumer’s location, such as his or her city, state, zip code, or precise information that pinpoints the consumer’s location to within a few feet, such as his or her GPS coordinates. …

Incident Response Plans: A How-To Guide

The best way to handle any emergency is to be prepared. When it comes to data breaches, incident response plans are the first step organizations take to prepare. Furthermore, many organizations are required to maintain one. For example, any organization that accepts payment cards is most likely contractually required to adopt an incident response plan. …

JD Supra Readers’ Choice Awards 2017

David Zetoony has been recognized as a JD Supra Top Author. The annual Readers’ Choice awards recognize authors who achieved the highest visibility and engagement for their written analysis and commentary all year. This year’s results reflect a deep dive into reader data from 2016 in 12 key industries, 13 cross-industry topics and, for the first time, nine emerging topics.

Boulder Partner David Zetoony was recognized as the top author on the emerging topic of EU-US Privacy Shield. Zetoony is the leader of Bryan Cave’s consumer protection practice, which includes corporate data security, data privacy, advertising and marketing practices. As such, he advises companies around the country on pressing consumer protection issues. He is also editor of the Bryan Cave blog BryanCaveDataMatters.com.

In addition to these individual awards, the 2016 Data Breach Litigation Report, written by Zetoony, Chicago Partner Jena Valdetero and Chicago Associate Joy Anderson, was highlighted as one of the top five most read articles in class action defense.

Click here to view the entire JD Supra Readers’ Choice Awards 2017 report.

Video Viewing Information: A How-To Guide

The Video Privacy Protection Act (“VPPA”) was passed in 1988 in reaction to a fear that people other than a consumer and a video rental store could collect information on a consumer’s video rental history. This was not an academic concern at the time. Immediately prior to the passage of the VPPA, Judge Robert Bork, who had been nominated to the Supreme Court, had his video rental history published by a newspaper that was investigating whether he was fit to hold office. …

Wire Transfer Fraud: A How-To Guide

Businesses are increasingly falling victim to wire fraud scams – sometimes referred to as “man-in-the-email” or “business email compromise” scams. Although there are multiple variants, a common situation involves an attacker gaining access to the email system of a company, or the company’s vendor, and monitoring email traffic about an upcoming transaction. When it comes time to submit an invoice or a payment, the attacker impersonates one of the parties and sends wire instructions asking that payment be sent to the attacker’s bank account. …

Online Behavioral Advertising: A How-To Guide

Behavioral advertising refers to the use of information to predict the types of products or services of greatest interest to a particular consumer. Online behavioral advertising takes two forms. “First party” behavioral advertising refers to situations in which a company’s website uses information that it obtains when interacting with a visitor. “Third party” behavioral advertising refers to situations in which a company permits others to place tracking cookies on the computers of people who visit the company’s website, so that those individuals can be monitored across a behavioral advertising network. …

FDIC Cybersecurity Examinations: A How-To Guide

FDIC bank examinations generally include a focus on the IT systems of banks with a particular focus on information security. The federal banking agencies issued Interagency Guidelines Establishing Information Security Standards (“Interagency Guidelines”) in 2001. In 2005, the FDIC developed the Information Technology—Risk Management Program (IT-RMP), based largely on the Interagency Guidelines, as a risk-based approach for conducting IT examinations at FDIC-supervised banks. The FDIC also uses work programs developed by the Federal Financial Institutions Examination Council (“FFIEC”) to conduct IT examinations of service providers. …

Data and Cybersecurity Audit Webinar Cited in Thomson Reuters Legal Executive Institute

February 2017

The Thomson Reuters Legal Executive Institute cited David Zetoony’s webinar, “Conducting Data Security and Cybersecurity Audit of your Organization: What In-House Counsel Should Know,” in their February 27 article on cybersecurity audits. The article discussed the complex issues that companies face in becoming compliant with state, federal and international data security standards, and referenced the questions and solutions raised in the January 31 webinar. To read the full article, click here.

David Zetoony and Joshua James will also be hosting another webinar addressing these issues on March 21, 2017.

For more information or to register for the March 21 webinar, click here.

Ransomware: A How-To Guide

Some forms of cyber extortion are automated and not targeted at any specific victim. For example, “ransomware” refers to a type of malware that prevents users from accessing their systems unless, and until, a ransom is paid. Although variants of ransomware operate differently, many encrypt the contents of a victim’s hard drive using asymmetric encryption in which the decryption key is stored on the attacker’s server and is available only after payment of the ransom. Victims typically discover the ransomware when they receive an on-screen message instructing them to transfer funds using an electronic currency, such as bitcoin, in order to receive the decryption key and access to their files. “CryptoLocker” is the most famous ransomware family and first appeared in 2013. …

Employee Monitoring: A How-To Guide

Federal laws prohibit the interception of another’s electronic communications, but these same laws have multiple exceptions that generally allow employers to monitor employees’ email and internet use on employer-owned equipment or networks. As a result, under federal law, when private-sector employees use an organization’s telephone or computer system, monitoring their communications is broadly permissible, though there may be exceptions once the personal nature of a communication is determined. For example, under the National Labor Relations Act, employers cannot electronically spy on certain types of concerted activity by employees about the terms and conditions of employment. …

Cyber-Extortion: A How-To Guide

Cyber extortion refers to a situation in which a third party threatens that if an organization does not pay money, or take a certain action, the third party will take an adverse action against the organization. Among other things, threats may include exploiting a security vulnerability identified by the extorter, reporting the organization’s security vulnerability to the press, or reporting the organization’s security vulnerability to regulators. …

Data Breach Notification In the EU: A Comparison of US and Soon-To-Be EU Law

In the United States, Congress has repeatedly attempted, but failed, to agree on federal data breach notification legislation. As a result, there is no single federal statute that imposes a breach notification obligation on most companies. Instead, 47 states, plus the District of Columbia, Puerto Rico, Guam, and the Virgin Islands, have enacted their own statutes addressing an organization’s notification obligations in the wake of a data breach. The only states without such laws are Alabama, New Mexico, and South Dakota, although their citizens may be covered in some situations by the data breach laws of other states. …

Bounty or Bug Programs: A How-To Guide

Data security officers typically look for security risks by monitoring reports from automated security systems, listening to employees’ reports of security issues, and/or auditing IT systems. There is a great deal of debate, however, about the merits of listening to the security concerns of people outside of an organization. On one end of the spectrum, some organizations refuse to discuss any aspect of their security with the public. On the other end of the spectrum, organizations proactively encourage the public to report security vulnerabilities by paying well-meaning hackers (usually called “white hat hackers” or “independent researchers”) to report problems. …

Tax Filing Fraud

Tax returns and W-2s are information-rich documents that contain the name and Social Security Number of an employee, as well as information concerning their salary and address, and personal behavior and characteristics (e.g., the charities that they support, their sources of income, their investments, and their relationships with financial institutions). Each year cyber-attackers target these documents. If successful, an attacker may attempt to sell sensitive information contained in the file. Other attackers may attempt to use tax-related documents (e.g., an employee’s W-2) to submit a fraudulent income tax return in the hope of obtaining any refund owed to an employee. …

Employer Privacy Policies: A How-To Guide

In 2005 Michigan became the first state to pass a statute requiring employers to create an internal privacy policy that governs their ability to disclose some forms of highly sensitive information about their employees. Michigan’s Social Security Number Privacy Act expressly requires employers to create policies concerning the confidentiality of employees’ social security numbers (“SSN”) and to disseminate those policies to employees. New York adopted a similar statute. Several other states – Connecticut, Massachusetts, and Texas – have statutes mandating the establishment of privacy policies that could also apply in the employer-employee context. …

Cyber Insurance: A How-To Guide

Most organizations know they need insurance to cover risks to the organization’s property, like fire or theft, or their risk of liability if someone is injured in the workplace. But a substantial portion of organizations don’t carry coverage for data breaches despite numerous high-profile breaches. While many insurance companies offer cyber insurance, not all policies are created equal. The following provides a snapshot of information concerning cyber insurance. …

Incident Response Plans: A Comparison of US Law, EU Law and Soon-To-Be EU Law

The best way to handle any emergency is to be prepared. When it comes to data breaches, incident response plans are the first step organizations take to prepare. In the United States, incident response plans are commonplace. Since 2005, the federal banking agencies have interpreted the Gramm-Leach-Bliley Act as requiring financial institutions to create procedures for handling data security incidents. Although there is no federal statute that requires the majority of other types of organizations to create an incident response plan, state data safeguards and data breach notification statutes provide incentives for many other organizations to craft response plans. …

Privacy Certifications and Trustbrands: A How-To Guide

Privacy certifications, or “trustbrands,” are seals licensed by third parties for organizations to place on their homepage or within their privacy policy. The seals typically state, or imply, that the organization which has displayed the seal has high privacy or security standards, or has had its privacy or security practices reviewed by a third party. Some seals also imply that the organization has agreed to join a self-regulatory program that may provide consumers with additional rights, such as a mechanism for resolving privacy-related disputes. …

Data Privacy and Security: A Practical Guide for In-House Counsel, 2017 Edition

David Zetoony published the 2017 edition of his handbook, Data Privacy and Security: A Practical Guide for In-House Counsel, on Jan. 28 – Data Privacy Day. The guide provides an overview of laws relevant to a variety of data matters topics, statistics that illustrate data privacy and security issues, and a breakdown of these data-related issues. Members of Bryan Cave’s Data Privacy and Security Team contributed to the publication. The 2016 guidebook was downloaded by more than 3,500 in-house attorneys. “We are extremely proud of the fact that it has become a desk reference for in-house attorneys worldwide,” Zetoony wrote. Click here to view the 2017 guide.

Document Retention Periods: A How-To Guide

Data minimization can be a powerful – and seemingly simple – data security measure. The term refers to retaining the least amount of personal information necessary in order for an organization to function. Less information means that there is less that the organization needs to protect, and less opportunity for information to be lost or stolen. …

Webinar (1/31): Conducting a Data Security and Cybersecurity Audit of your Organization: What In-House Counsel Should Know

January 31, 2017 at 12:00 p.m. EST

Security incidents impact all types of businesses. Along with conducting regular data security evaluations, businesses in all industries should make risk management part of their security practices. The NIST Cybersecurity Framework uses risk management processes to help organizations shape their cybersecurity policies.

Please join David Zetoony and Art Ehuan, Managing Director of A&M’s Global Cyber Risk Services practice, in a one-hour webinar on January 31 at 12:00 PM EST as they discuss various methods for auditing an organization’s compliance with data security laws. Additionally, they will discuss the use of the NIST Cybersecurity Framework (CSF) to define the cyber risk profile of a company and how to minimize the identified risk throughout the organization.

Click here for more information or to register.

We are presenting this audio web cast through Celesq® Attorneys Ed Center in partnership with West LegalEdcenter.

Mobile App Privacy Policies: A How-To Guide

Many of the most popular mobile apps collect personally identifiable information. Although most app developers are not required to display a privacy policy under federal law, they are contractually required to do so pursuant to the terms and conditions of the websites that market most major mobile device applications (e.g., the Apple Store, or Google Play). In addition, the California Attorney General has taken the position that applications that collect personal information are required to post a privacy policy pursuant to the CalOPPA discussed in the previous section. …

What Will The Proposed New York Cybersecurity Requirements For Financial Institutions Really Make Companies Do?

In early September 2016, the New York Department of Financial Services (“DFS”) proposed a set of data security regulations (the “Proposal”) that would govern financial institutions, banks, and insurance companies subject to the jurisdiction of the agency (“covered entities”). After receiving public comments, DFS revised and resubmitted the Proposal on December 28, 2016. If the Proposal ultimately goes into effect it would require that covered entities have a written information security policy (“WISP”) and outline specific provisions (substantive and procedural) that must be contained in that document. While the Proposal has garnered a great deal of public attention, the majority of the provisions in the latest version are not unique. …

Collecting Information From Children In The EU: A Comparison of US Law, EU Law, and Soon-To-Be EU Law

In the United States, there are relatively few restrictions on collecting information from children off-line. Efforts to collect information from children over the internet, however, are regulated by the Children’s Online Privacy Protection Act (“COPPA”). Among other things, COPPA requires that a website obtain parental consent prior to collecting information from children under the age of 13, that a website post a specific form of privacy policy that complies with the statute, that a company safeguard the information that is received from a child, and that a company give parents certain rights, like the ability to review and delete their child’s information. COPPA also prohibits companies from requiring that children provide personal information in order to participate in activities, such as on-line games or sweepstakes.

Social Security Number Privacy Policies: A How-To Guide

Social Security Numbers (“SSN”) were originally established by the Social Security Administration to track earnings and eligibility for Social Security benefits. Because a SSN is a unique personal identifier that rarely changes, federal agencies use SSN for purposes other than Social Security eligibility (e.g., taxes, food stamps, etc.). In 1974, Congress passed legislation requiring federal agencies that collect SSN to provide individuals with notice regarding whether the collection was mandatory and how the agency intended to use the SSN. Congress later barred agencies from disclosing SSN to third parties. Federal law does not, however, regulate private-sector use of SSN. …

Privacy Certifications and Trustbrands In the EU: A Comparison of US Law, EU Law, and Soon-To-Be EU Law

In the United States, privacy certifications, or “trustbrands,” are seals licensed to organizations to place on their homepage or within their privacy policy. The seals typically state, or imply, that the organization has high privacy or security standards, or has had its privacy or security practices reviewed by a third party. Some seals also imply that the organization has agreed to join a self-regulatory program that may provide consumers with additional rights, such as a mechanism for resolving privacy-related disputes. Certifications or trustbrands, however, are voluntary in nature; for the most part they are not offered by government agencies, and companies are not required to obtain them. …

Data Privacy Alert Cited in ‘ID Experts’

A January 6 article in ID Experts cited information from a client alert written by Boulder Partner David Zetoony on state data breach notification laws. The alert includes questions for organizations to consider when evaluating various data breach notification laws, as well as the key provisions of state data breach notification laws and areas in which state laws diverge. Click here to read the original alert.

Data Maps and Data Inventories: A Comparison of US Law, EU Law, and Soon-To-Be EU Law

In the United States, companies are not required to inventory the type of data that they maintain, or map where that data flows in (and out) of their organization. That said, knowing the type of data that you collect, where it is being held, with whom it is being shared, and how it is being transferred is a central component of most mature data privacy and data security programs. For example, while the law does not require that companies inventory the data that they collect, federal and state law is being interpreted as requiring that companies use, at a minimum, reasonable and appropriate security to protect certain types of “sensitive” information such as Social Security Numbers. It is difficult for many companies to defend their security practices if they lack confidence as to whether they are collecting sensitive information and, if so, where it is being maintained. As a result, while it is not a legal requirement to conduct a data inventory, it is, for many, a de facto step to comply with other legal requirements. …

Guidelines for Written Information Security Policies

Although federal law only requires that financial institutions and health care providers maintain a written information security policy or “WISP,” approximately thirty-four states have enacted legislation that requires organizations in other industries to take steps to keep certain forms of personal information safe. These statutes are broadly referred to as “safeguards” legislation. In some states safeguards legislation requires that organizations adopt certain security-oriented practices such as encrypting highly sensitive personal information or irrevocably destroying sensitive documents. In other states safeguards legislation requires the adoption of a comprehensive written information security policy. …

EU Binding Corporate Rules For Transferring Data: A Comparison of US Law, EU Law, and Soon-To-Be EU Law

In the United States, companies are permitted to transfer personal information – including sensitive personal information – as needed between their offices, locations, and corporate affiliates. For example, there are no restrictions that prevent a company from sending personal information collected within the US to a company data center located outside of the US. In the European Union, the EU Data Protection Directive 95/46/EC (the “Directive”) creates a legal framework for the national data protection laws in each EU member state. The Directive states that personal data may only be transferred to countries outside the EU when an adequate level of protection is guaranteed. …

Guidelines for Negotiating Payment Processing Agreements

Credit cards are the primary form of payment received by most retailers. In order to process a credit card, a retailer must enter into an agreement with a bank and a payment processor. Payment processing agreements often have significant impacts on a retailer’s financial liability in the event of a data breach. In many cases, the contractual liabilities that flow from a payment processing agreement surpass all other financial liabilities that arise from a data breach, including the cost to investigate an incident, defend litigation, and defend a regulatory investigation. The following provides a snapshot of information concerning payment processing agreements. …

Guidelines for Online Behavioral Advertising

Behavioral advertising refers to the use of information to predict the types of products or services of greatest interest to a particular consumer. Online behavioral advertising takes two forms. “First party” behavioral advertising refers to situations in which a website uses information that it obtains when interacting with a visitor. “Third party” behavioral advertising refers to situations in which a company permits others to place tracking cookies on the computers of people who visit the site, so that those individuals can be monitored across a behavioral advertising network. …

Data Protection Officers: A Comparison of US Law, EU Law, and Soon-to-be-EU Law

Although organizations in the United States have dealt with privacy issues for years, only in the past decade have they begun to view the complexities of privacy as requiring formal organizational structure and, in some cases, one or more dedicated employees. While in some organizations “data privacy” and “data security” fall within the ambit of the legal department, other organizations have created offices that are focused solely on privacy issues. There is little commonality in how these offices are staffed, funded, or organized. For example, while some organizations have “Chief Privacy Officers” or “Chief Information Technology Officers” that report directly to senior management, other organizations have privacy officers that report through a General Counsel or to a Chief Compliance Officer. …

Class Action Litigation Trends

There is a great deal of misunderstanding concerning data security breach-related class actions. In large part the media and the legal media have exaggerated the quantity (and success) of class action litigation. The following provides an overview of the risks associated with lawsuits following data security breaches. …

Guidelines for Radio Frequency Identification (“RFID”)

Radio Frequency Identification (“RFID”) technology uses electromagnetic fields to transfer data. RFID systems typically operate by attaching tags to objects, devices, or cards. Some tags can be powered by a local power source, such as a battery (“active RFID”). Their local power source permits them to transmit a signal that may be registered hundreds of meters from an RFID reader. Other tags do not have a local power source and are instead powered by electromagnetic induction from the magnetic fields that are produced by an RFID reading device in close proximity (“passive RFID”). …

Guidelines for Retaining a Forensic Investigator

Many competent IT departments lack the expertise, hardware, or software to preserve evidence in a forensically sound manner and to thoroughly investigate a security incident. In-house counsel needs to be able to recognize such a deficiency quickly – and before evidence is lost or inadvertently destroyed – and retain external resources to help collect and preserve electronic evidence and investigate the incident. …

How to Prepare for an FDIC Cybersecurity Examination

FDIC bank examinations generally include a focus on the IT systems of banks with a particular focus on information security. The federal banking agencies issued Interagency Guidelines Establishing Information Security Standards (“Interagency Guidelines”) in 2001. In 2005, the FDIC developed the Information Technology—Risk Management Program (IT-RMP), based largely on the Interagency Guidelines, as a risk-based approach for conducting IT examinations at FDIC-supervised banks. The FDIC also uses work programs developed by the Federal Financial Institutions Examination Council (“FFIEC”) to conduct IT examinations of service providers. …

Guidelines for Facial Recognition Technology

Facial recognition technology uses algorithms that map facial features – such as the distance between a person’s eyes, or the width of a person’s nose – and compares those features to a database of known individuals. Organizations may use the technology for security (e.g., cameras that “ID” employees or criminals), marketing to consumers (e.g., cameras that “ID” particular customers), or designing products that quickly categorize digital media (e.g., photograph sorting). …

Data Breach Notification Laws: What to consider

Although Congress has attempted to agree on federal data breach notification legislation, there is no national data breach notification law that applies to most companies. Instead, 47 states, plus the District of Columbia, Puerto Rico, Guam, and the Virgin Islands, have each enacted their own statutes addressing an organization’s notification obligations in the wake of a data breach involving personal information. The only states without such laws are Alabama, New Mexico, and South Dakota, although their citizens may be covered in some situations by the data breach laws of other states. …

Companies Perceived By FTC As Emerging Threats

As discussed in the previous section, the FTC collects complaints about organizations that allegedly violate the data privacy, data security, advertising, and marketing laws. Each month DPI creates a “Surge” report that identifies those organizations with the greatest increase in consumer complaint volume. For each organization listed, the report indicates the quantity of complaints received in the past two months, the jurisdiction in which the organization is based, and a summary of the complaints filed. …

Data Breach Decision Points: Part 8

The best way for a company to handle a data breach is to be prepared. As we discuss in our data breach readiness handbook, preparation includes, among other things, drafting an incident response plan, reviewing cyber-insurance, reviewing contractual obligations with business partners, having relationships to help investigate security incidents, and training your incident response teams.

Preparation also requires anticipating decision-points that are likely to arise in a breach. Our clients often ask us to look back at the approximately 600 data security incidents and breaches that we have handled over the years and identify the decision-points that are most difficult.

This is part 8 of an eight-part guide to handling data breaches. This eight-part series explores these difficult decision points. For each there are no “right” or “wrong” answers. Like all strategic decisions, management must examine the specific facts facing their company and their organization’s culture, their industry, and business realities. Click for Part 1, Part 2, Part 3, Part 4, Part 5, Part 6, and Part 7. …

Bryan Cave Data Security Breach Handbook 2016

Since the first publication of this handbook in 2014, the legal ramifications for mishandling a data security incident have become more severe. In the United States, the number of federal and state laws that claim to regulate data security has mushroomed. The European Union has also enacted a new General Data Protection Regulation which will extend the United States framework for responding to data breaches across the EU, but with significantly enhanced penalties. This handbook provides a basic framework to assist in-house legal departments with handling a security incident. …

Data Breach Decision Points: Part 7

The best way for a company to handle a data breach is to be prepared. As we discuss in our data breach readiness handbook, preparation includes, among other things, drafting an incident response plan, reviewing cyber-insurance, reviewing contractual obligations with business partners, having relationships to help investigate security incidents, and training your incident response teams.

Preparation also requires anticipating decision-points that are likely to arise in a breach. Our clients often ask us to look back at the approximately 600 data security incidents and breaches that we have handled over the years and identify the decision-points that are most difficult.

This is part 7 of an eight-part guide to handling data breaches. This eight-part series explores these difficult decision points. For each there are no “right” or “wrong” answers. Like all strategic decisions, management must examine the specific facts facing their company and their organization’s culture, their industry, and business realities. Click for Part 1, Part 2, Part 3, Part 4, Part 5, and Part 6. …

2017 Data Team Survey

Thank you for subscribing to Bryan Cave’s Data Matters distribution list.

In order to make sure that we continue to provide information on data privacy and security topics that our clients and friends find useful and relevant, we would appreciate it if you would take a few minutes to respond to the following survey.

To access the survey, please click here.

Kind regards,

David Zetoony

Data Breach Handbook for the Restaurant Industry

Although statistics vary, in 2015 there were approximately 3,930 incidents involving data loss and, according to one watchdog group, those incidents impacted over 736 million consumer records. Many of those data security breaches involved nationwide restaurant chains. According to one study, the Food and Beverage industry was the victim of 10% of all security compromises and data breaches in 2015, ranking third behind Retail and Hospitality. This handbook provides a basic framework to assist in-house legal departments with handling a security incident keeping the industry in mind. …

Guidelines for Reputation Management

The reputational injury following a data breach can be severe. Indeed, reputational injury – including lost customers – often surpasses legal liability.

Effective management of the reputational impact of a data security incident requires a proactive and reactive strategy. The proactive strategy assumes that the organization will control when, and what, information will be conveyed to the public, media, and impacted consumers. For many organizations the proactive strategy that they choose is to wait until their investigation of an incident is complete so that they can provide the public with the most accurate and meaningful information. …

Data Breach Decision Points: Part 6

The best way for a company to handle a data breach is to be prepared. As we discuss in our data breach readiness handbook, preparation includes, among other things, drafting an incident response plan, reviewing cyber-insurance, reviewing contractual obligations with business partners, having relationships to help investigate security incidents, and training your incident response teams.

Preparation also requires anticipating decision-points that are likely to arise in a breach. Our clients often ask us to look back at the approximately 600 data security incidents and breaches that we have handled over the years and identify the decision-points that are most difficult.

This is part 6 of an eight-part guide to handling data breaches. This eight-part series explores these difficult decision points. For each there are no “right” or “wrong” answers. Like all strategic decisions, management must examine the specific facts facing their company and their organization’s culture, their industry, and business realities. Click for Part 1, Part 2, Part 3, Part 4, and Part 5. …

Webinar: Drafting Enforceable Class Arbitration Waivers

Many companies have been the victim of consumer class actions that allege data privacy and data security violations. In order to mitigate the risk of receiving a class action, companies often consider drafting arbitration clauses that incorporate “class action waiver” provisions – i.e., requiring that consumers arbitrate a data privacy or security dispute, and prohibiting the consumer from litigating as part of a class action.

My partners Alex Grimsley and Meridyth Andresen will be providing a webinar tomorrow at 12 pm EST discussing how to draft an enforceable class arbitration waiver provision. Information on how to register for the program is below. As CLE is provided by WestLegalEdCenter and Celesq Attorneys Ed Center there is normally a small charge for attending the program. Any firm clients that plan on attending the program, however, can contact Tamara Lakic in order to receive a code that waives the fee.

Click here for more information or to register.

Data Security Breach Handbook for Hotels, Venues, & the Hospitality Industry

Media reports about data security breaches have become an almost daily occurrence. Increased publicity reflects the simple fact that data breaches have grown in frequency and scope. According to one study, the hospitality industry was the victim of 14% of all security compromises and data breaches in 2015, ranking second only to the broader retail industry. This handbook provides a basic framework to assist in-house legal departments with handling a security incident keeping the industry in mind. …

Guidelines for Third-Party Vendor Management Programs

Third-party service providers present difficult and unique privacy and cybersecurity challenges. Vendor management is important throughout the life of your relationship with your vendors. Vendor diligence starts during the vendor selection process, continues through contract negotiation, and ends when the parties terminate their relationship. The goal is to effectively improve the service your vendors provide to your company and allow your customers to realize the benefits of the arrangement, while mitigating the risk inherent in the vendor relationship. …

Data Breach Decision Points: Part 5

The best way for a company to handle a data breach is to be prepared. As we discuss in our data breach readiness handbook, preparation includes, among other things, drafting an incident response plan, reviewing cyber-insurance, reviewing contractual obligations with business partners, having relationships to help investigate security incidents, and training your incident response teams.

Preparation also requires anticipating decision-points that are likely to arise in a breach. Our clients often ask us to look back at the approximately 600 data security incidents and breaches that we have handled over the years and identify the decision-points that are most difficult.

This is part 5 of an eight-part guide to handling data breaches. This eight-part series explores these difficult decision points. For each there are no “right” or “wrong” answers. Like all strategic decisions, management must examine the specific facts facing their company and their organization’s culture, their industry, and business realities. Click for Part 1, Part 2, Part 3, and Part 4. …

Data Breach Decision Points: Part 4

The best way for a company to handle a data breach is to be prepared. As we discuss in our data breach readiness handbook, preparation includes, among other things, drafting an incident response plan, reviewing cyber-insurance, reviewing contractual obligations with business partners, having relationships to help investigate security incidents, and training your incident response teams.

Preparation also requires anticipating decision-points that are likely to arise in a breach. Our clients often ask us to look back at the approximately 600 data security incidents and breaches that we have handled over the years and identify the decision-points that are most difficult. …


Guidelines for Collecting Information From Children: A Comparison of US Law, EU Law, and Soon-To-Be EU Law

In the United States there are relatively few restrictions on collecting information from children off-line. Efforts to collect information from children over the internet, however, are regulated by the Children’s Online Privacy Protection Act (“COPPA”). Among other things, COPPA requires that a website obtain parental consent prior to collecting information from children under the age of 13, that a website post a specific form of privacy policy that complies with the statute, that a company safeguard the information that is received from a child, and that a company give parents certain rights, like the ability to review and delete their child’s information. COPPA also prohibits companies from requiring that children provide personal information in order to participate in activities, such as on-line games or sweepstakes. …

Guidelines for Privacy Certifications and Trustbrands

Privacy certifications, or “trustbrands,” are seals licensed by third parties for organizations to place on their homepage or within their privacy policy. The seals typically state, or imply, that the organization which has displayed the seal has high privacy or security standards, or has had its privacy or security practices reviewed by a third party. Some seals also imply that the organization has agreed to join a self-regulatory program that may provide consumers with additional rights, such as a mechanism for resolving privacy-related disputes. …

Data Breach Decision Points: Part 3

The best way for a company to handle a data breach is to be prepared. As we discuss in our data breach readiness handbook, preparation includes, among other things, drafting an incident response plan, reviewing cyber-insurance, reviewing contractual obligations with business partners, having relationships to help investigate security incidents, and training your incident response teams.

This is part 3 of an eight-part guide to handling data breaches. The series explores these difficult decision points. For each there are no “right” or “wrong” answers. Like all strategic decisions, management must examine the specific facts facing their company, their organization’s culture, their industry, and business realities. Part 1 can be found here, and Part 2 can be found here. …


Guidelines for Data Maps and Data Inventories

Knowing the type of data that you collect, where it is being held, with whom it is being shared, and how it is being transferred is a central component of most data privacy and data security programs. The process of answering these questions is often referred to as a “data map” or a “data inventory.”

Although the questions that a data map tries to answer are relatively straightforward, the process of conducting a data map can be daunting depending upon the size and structure of an organization. In addition, it is important to remember that data constantly changes within an organization. As a result, organizations must consider how often to invest the time to conduct a data map and, once invested, how long the information will remain useful. …


Data Breach Decision Points: Part 2

The best way for a company to handle a data breach is to be prepared. As we discuss in our data breach readiness handbook, preparation includes, among other things, drafting an incident response plan, reviewing cyber-insurance, reviewing contractual obligations with business partners, having relationships to help investigate security incidents, and training your incident response teams.

This is part 2 of an eight-part guide to handling data breaches. The series explores these difficult decision points. For each there are no “right” or “wrong” answers. Like all strategic decisions, management must examine the specific facts facing their company, their organization’s culture, their industry, and business realities. Part 1 can be found here. …

How to Avoid Risk When Renting, Selling or Streaming Video Content

The Video Privacy Protection Act (“VPPA”) was passed in 1988 in reaction to a fear that people other than a consumer and a video rental store could collect information on a consumer’s video rental history. This was not an academic concern at the time. Immediately prior to the passage of the VPPA, Judge Robert Bork, who had been nominated to the Supreme Court, had his video rental history published by a newspaper that was investigating whether he was fit to hold office. …


Companies Perceived By The FTC as Top Violators

As discussed in the previous section, the FTC collects complaints about organizations that allegedly violate the data privacy, data security, advertising, and marketing laws.

Each month the FTC’s Division of Planning and Information (“DPI”) creates a “Top Violators” report that ranks the fifty organizations with the greatest volume of consumer complaints in that month. The report indicates whether each organization listed was included in the previous month’s report, whether its rank has changed, and the number of complaints received by the FTC that month. For organizations that are new to the report, DPI reviews their complaints and summarizes the issue, or issues, that have been raised by consumers. …

Data Breach Decision Points: Part 1

The best way for a company to handle a data breach is to be prepared. As we discuss in our data breach readiness handbook, preparation includes, among other things, drafting an incident response plan, reviewing cyber-insurance, reviewing contractual obligations with business partners, having relationships to help investigate security incidents, and training your incident response teams.

Preparation also requires anticipating decision-points that are likely to arise in a breach. Our clients often ask us to look back at the approximately 600 data security incidents and breaches that we have handled over the years and identify the decision-points that are most difficult. …

Guidelines for Written Information Security Policies

Although federal law only requires that financial institutions and health care providers maintain a written information security policy or “WISP,” approximately thirty-four states have enacted legislation that requires organizations in other industries to take steps to keep certain forms of personal information safe. These statutes are broadly referred to as “safeguards” legislation. In some states, safeguards legislation requires that organizations adopt specific security-oriented practices, such as encrypting highly sensitive personal information or irrevocably destroying sensitive documents. In other states, safeguards legislation requires the adoption of a comprehensive written information security policy. …

Healthcare Business Associates

The Health Information Technology for Economic and Clinical Health (“HITECH”) Act modified the Health Insurance Portability and Accountability Act (“HIPAA”) by expanding the definition of Business Associates (“BA”) and their responsibilities and liabilities. …

Organizing Data Privacy Within A Company

Although organizations have dealt with privacy issues for years, only in the past decade have they begun to view the complexities of privacy as requiring formal organizational structure, dedicated employees, and/or dedicated resources. While in some organizations “privacy” falls within the ambit of the legal department, other organizations have created offices that are focused solely on privacy issues and that report to a Chief Privacy Officer (“CPO”). There is little commonality in how these offices are staffed, funded, or organized. For example, while some CPOs report directly to senior management, others report through a General Counsel or a Chief Compliance Officer. …


Healthcare Data Breach Enforcements and Fines At A Glance

The Department of Health and Human Services’ (“HHS”) Office for Civil Rights (“OCR”) is responsible for enforcing the Privacy and Security Rules of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Enforcement of the Privacy Rule began on April 14, 2003, while enforcement of the Security Rule began on April 20, 2005. Furthermore, covered entities and business associates were required to comply with the HIPAA Breach Notification Rule beginning on September 23, 2009. …


How to Respond To Third Party (Non-Government) Civil Subpoenas And Document Requests That Ask For Personal Information

Litigants in a civil dispute often use subpoenas, subpoenas duces tecum, and discovery requests to obtain personal information about individuals who are not parties to the litigation. A request for documents and information that include personal information about third parties may conflict with legal obligations imposed upon an organization not to produce that information. For example, if an organization promises within its privacy policy that it will never share personal information with a “third party,” and does not include an exception for requests made in civil litigation or through judicial process, a consumer could argue that by producing information pursuant to a subpoena or discovery request the organization has violated its privacy policy and committed an unfair or deceptive practice in violation of federal or state law. …


Causes of Healthcare Data Breaches

Pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), covered entities (e.g., healthcare providers and health plans) must notify the Department of Health and Human Services (“HHS”) of breaches of unsecured protected health information (“PHI”). The information provided to HHS gives companies a high level of insight into the types of breaches that occur in the healthcare industry.

The data collected by HHS concerning breaches affecting 500 or more individuals in 2015 shows that unauthorized access or disclosure, such as misdirected mailings, break-ins of physical premises, and employees accessing PHI that is not necessary for their duties, is the most common form of data breach in the health sector, surpassing theft of hardware, which was the leading cause of health data breaches in 2014. …

Guest Op-ed: Frequently Asked Questions Regarding Cyber Insurance

Our clients have a lot of questions when it comes to cyber insurance. For this week’s op-ed, we asked Tim Burke, director of cyber risk at IMA, Inc., if he could discuss the two main questions that he receives from clients who are investigating cyber insurance as well as his typical response. Please note that the views and opinions expressed are those of the author and do not necessarily reflect the official policy or position of Bryan Cave.

– David Zetoony


Frequently Asked Questions Regarding Cyber Insurance

By Tim Burke, IMA, Inc.

We have now reached a recognition by most commercial entities that cyber insurance is a “need to have” as opposed to a “nice to have.” Having been involved with cyber insurance dating to 1999, I have seen quite a bit of change in the marketing and scope of this coverage. Today, my job often involves presenting on this topic to a wide variety of audiences who pose engaging questions. Therefore, I have addressed within this post some of the most commonly received inquiries pertaining to cyber insurance.

Q: What is the biggest mistake you see in consideration of purchase of this coverage?

A: One consistent issue I see is companies viewing this issue as exclusively related to privacy breaches: “If we do not maintain a significant amount of confidential information (e.g., PII, PHI, PCI), then we have no relevant exposure.” That logic may be accurate to an extent, but the primary intent of the coverage is to address operational risks associated with failures of security and safeguarding confidential information. This can extend to internal operational errors as well as outsourced functions. The scope of coverage is broader than most realize and extends to first-party risks such as business interruption and costs to replace data. A recent example of this is the number of highly publicized ransomware attacks where there was significant operational disruption, including down time and loss of data. Since most traditional property and casualty policies do not address new and emerging perils (malware, denial of service, encryption), cyber insurance policies have been specifically designed to address those gaps in your insurance portfolio. I often pose this guiding question: what is the enterprise value of your intangible property vs. tangible property, and how does your insurance program reflect that?

Q: What suggestions can you provide for an effective procurement of this coverage?

A: The first suggestion is to recognize this is an enterprise risk issue, not an “IT” issue. As part of that consideration, you need to break down the silos within the organization to foster dialogue and awareness. Bring together a cross spectrum of relevant stakeholders (CISO, CIO, Legal, Risk Management, Finance, Marketing) to identify and quantify unique operational risks. Examples of unique “blind spots” we come across are outsourcing, industry-specific regulation, M&A and reputational impact. Build a consensus and then develop a list of coverage priorities. These priorities should then dictate your marketing goals. The cyber market is highly competitive (50+ carriers) with creative underwriters eager to write new business. You should also engage in direct dialogue with a prospective insurer, as underwriters welcome the opportunity to learn more about your operations. It also provides an opportunity for you and your broker to pose questions of them. As part of that discussion, include a representative from the claims department to discuss experience handling your peers’ claims, industry trends and expectations in the event of a claim. Ultimately, a well-thought-out strategy results in you dictating the pace to the marketplace as opposed to vice versa and eliminates any questions you may have on the viability of your coverage.


Tim Burke is the Director of Cyber Risk at IMA, Inc. As the national practice leader, he is in charge of researching emerging issues and creating proprietary solutions. Areas of focus include creation of custom risk transfer programs based on industry segment, loss control solutions and fostering partnerships with service providers. Tim has over 15 years of experience underwriting and selling cyber insurance. He has assisted numerous clients in managing high-profile data breaches. Those experiences allow him a unique perspective on both the design and claims protocol of cyber insurance. He specializes in working with companies in the energy, retail, hospitality, financial and healthcare industries. He is a frequent presenter at industry conferences and a recognized innovator in the rapidly evolving area of cyber risk. Tim can be reached by email at tim.burke@imacorp.com.