We are anxiously waiting to learn the fate of the data breach notification statute recently passed by state lawmakers in New Mexico. The bill remains on the desk of the governor who has until the end of the week to sign the legislation into law. If she does, New Mexico will join 47 other states (along with the District of Columbia, Puerto Rico, and the Virgin Islands) to impose at least some obligations on persons or entities holding personal information in the wake of a security incident. We may need to update the Mintz Matrix soon. Continue Reading Better Late Than Never: New Mexico on the Cusp of Enacting Data Breach Notification Statute
Privacy
A New FBI Warning for Healthcare Providers
The FBI has issued new guidance specifically applicable to medical and dental facilities regarding the cybersecurity risk of File Transfer Protocol (“FTP”) servers operating in “anonymous” mode. FTPs are routinely used to transfer information between network hosts. As further described in the guidance, when an FTP server can be configured to permit anonymous users (through the use of a common user name like “anonymous” and without the use of a password) to gain access to the information stored on the server, which might include sensitive information about patients. In addition to potentially directly compromising the security of the stored information, a hacker could use the FTP server in anonymous mode to launch a cyber attack on the entity.
The FBI provides the following specific guidance, which Covered Entities and Business Associates should heed:
The FBI recommends medical and dental healthcare entities request their respective IT services personnel to check networks for FTP servers running in anonymous mode. If businesses have a legitimate use for operating a FTP server in anonymous mode, administrators should ensure sensitive PHI [Protected Health Information] or PII [Personally Identifiable Information] is not stored on the server.
Coupled with recent advice from FBI Director James B. Comey on ransomware, which we blogged about here, this latest guidance from the FBI demonstrates the seriousness the potential cybersecurity threats facing healthcare entities.
March Fadness: Wearable Tech in the Workplace and Privacy
Wearable technology continues to do a full court press on the marketplace and in the process, the step counters of the world and health apps tied to devices capable of tracking real-time biostatistics, are revolutionizing the way companies think about wellness. Wearables are the latest in workplace fads and they’ve got the numbers to back it up: sales are likely to hit $4 billion in 2017 and 125 million units are likely to be shipped by 2019. Wearable technology has transformed the workplace just as more and more employers are utilizing wellness programs to improve employee motivation and health. As the popularity of these technologies soars, so too will concerns around the associated privacy and data security risks. In this blog post, we discuss just a few of the legal implications for employers who run wellness programs embracing this new fad. Continue Reading March Fadness: Wearable Tech in the Workplace and Privacy
EU General Data Protection Regulation Webinar Series
Since September, the Mintz Levin Privacy Webinar Series has focused on the upcoming EU General Data Protection Regulation (GDPR) to help businesses understand the reach and scope of the GDPR and prepare for the potentially game-changing privacy regulation. The GDPR will affect how US businesses handle and process personal data originating in the EU and may require changes to business process.
Access, Correction and Erasure: How to Minimize the Burden (2/16/2017)
This webinar, the sixth and final in our EU General Data Protection Regulation Series, considers companies’ obligations to give individuals access to their data and to correct or erase it. We explore the new data portability requirements. The webinar concludes with some suggestions on how to make these requirements less burdensome.
Transferring Data from the EU (1/12/2017)
This webinar, the fifth in our EU General Data Protection Regulation Series, explores the ways in which the Regulation creates new avenues for data transfers, and narrows others. In particular, we consider sector-specific Commission decisions, privacy seals/certifications, the exception for non-repetitive, limited transfers, and the outlook for BCRs and Model Clauses.
Data Protection Officers: Do You Need One? (12/15/2016)
This webinar, the fourth in our EU General Data Protection Regulation Series, examines the criteria that dictate whether or not your organization needs to appoint a Data Protection Officer. We discuss the role of the DPO, the significance of the “independence” requirement, and the qualifications required to hold the position.
Good-bye to the Cure-all: The New Rules on Consent (11/10/2016)
This webinar, the third in our EU General Data Protection Regulation Series, reviews the new restrictions on relying on user consent to data processing and data transfers. In addition to the general “imbalance of power” problem, we consider the implications of the Directive on unfair terms in consumer contracts and changes that may need to be made to terms of use and privacy policies when dealing with consumers.
Accountability, Data Security, Data Impact Assessments and Breach Notification Requirements (10/13/2016)
This webinar, the second in our EU General Data Protection Regulation Series, focuses on the data security and accountability requirements of the Regulation, including reviews and documentation of internal policies and procedures and data impact assessments. We also explore the breach notification requirements and actions that companies can take in advance to mitigate the need for breach notification.
One-Stop Shopping Mall? The New Regulatory Structure (9/14/2016)
This webinar, the first in our EU General Data Protection Regulation Series, explains the powers and role of the new European Data Protection Board, how a “lead supervisory authority” will be designated for each controller, and how the lead supervisory authority will interact with other interested supervisory authorities. We also look at the complaint process from the point of view of the individual who is claiming a violation, and explore the likely role that will be played by public interest organizations bringing group complaints.
More Broken Privacy Promises from Upromise: Key Takeaways From Upromise’s Latest Settlement with the FTC
“Don’t make promises that you don’t intend to keep” is an admonishment received by every child and delivered by every parent. This pithy maxim is equally applicable to consent orders entered into with regulatory authorities. Indeed, Upromise’s failure to abide by it is costing the company $500,000 in the form of a civil penalty from the Federal Trade Commission (FTC). Continue Reading More Broken Privacy Promises from Upromise: Key Takeaways From Upromise’s Latest Settlement with the FTC
Avoiding Employee Data Breaches Has Nothing to Do With Luck …..
We are well into March Madness … and Happy St. Patrick’s Day!
You may have already had your bracket busted by now…..but you should have Mintz Levin’s Third Annual Employment Law Summit on your schedule and the panel on Cybersecurity and Employee Data Breaches may help you avoid a security incident/personal data buster.
Teamwork is a key to advancing in the Big Dance and HR and IT could make a powerful team in fighting cybersecurity risks in your company. Just because cybersecurity threats affect cyberspace does not take the human element out of the prevention/mitigation loop. And the Luck of the Irish has nothing to do with it……
Even though IT plays the role of the center in managing the game flow with respect to the company’s data security, the HR department should not sit on the bench. HR has the point guard skills necessary to mitigate important insider threats and properly train the rest of the team to play it safe.
Businesses are a treasure trove of information about people – customers, employees, business contacts. Loss or theft of any of these can cost a company both in cold cash and in reputation. We’ll take a look at the crazy-quilt of laws and discuss how HR managers and counsel can make the important connections between HR professionals and security professionals and keep your company in the game.
We hope you will join us in New York on April 6th as our panel ventures into cyberspace. Please remember to register here, as you won’t want to miss this important event.
Cloudbleed: Three Risk Management Lessons Learned
Recently, a Google researcher discovered a serious flaw with the content delivery network (CDN) provided by CloudFlare. This vulnerability has now become known as Cloudbleed, in a nod to the earlier Heartbleed SSL vulnerability. The Cloudfare CDN allows users of the service to have their content stored at Cloudflare Network Points of Presence (PoPs) rather than a single origin server. This reduces the amount of time it takes to serve websites in disparate geographical locations. The service is popular, with Cloudflare having over five million customers, including Uber, OkCupid, and FitBit.
The Cloudbleed vulnerability involved a situation where sensitive data was inadvertently displayed or “leaked” when visiting a website that used certain Cloudflare functionality. Cloudflare has estimated that the leak was executed 1,242,071 times between September 22nd and February 18th. Search engines such as Bing, Yahoo, Baidu and Google also cached the leaked data. The researcher who discovered the leak found all sorts of sensitive data being leaked, including private messages from major dating sites, full messages from a well-known chat service, online password manager data and hotel bookings, passwords and keys.
The Clouldbleed vulnerability is a reminder that companies that leverage external vendors to receive, process, store, or transfer sensitive data must find ways to reduce the risk created by the relationship to an acceptable level. We have three steps that companies should consider taking to accomplish this.
First, companies should understand how external vendors will interact with their data flows. Companies that leverage Cloudflare services have given it access to sensitive data, including private messages, passwords, and keys. The risks of providing this data to external vendors cannot be understood if the company itself does not understand at a senior organizational level what is being transferred. Ask questions about the proposed procurement of vendor-provided services to understand what interaction the service/vendor has with your data.
Second, companies should make sure that they have permission to transfer user data to third parties, based on its existing terms of use and privacy policy documents that the relevant data subjects have agreed to. Generally speaking, in most cases, the company collecting the data from the data subject will remain responsible for any issues that occur downstream, including loss or breach of the data through a third party vendor relationship.
Third, companies should carefully negotiate their vendor contracts in light of their own risk tolerance. The contract should contemplate the data at issue, including by type and category, such as private messages and passwords, and should to the extent feasible transfer all risk of a breach on the vendor side to the vendor. In many cases, it will be appropriate to require that the vendor carry insurance to satisfy its obligations under the agreement, including data breach remediation should it become an issue.
Companies with any questions regarding this process should not hesitate to contact the Privacy and Security team at Mintz Levin.
A Deep Dive into Privacy/Security Disclosures in Snap’s S-1
Last week, Snap Inc. (“Snap” or the “Company”) – the parent company of the wildly popular app Snapchat (“Snapchat” or the “App”) – became a publicly traded company on the New York Stock Exchange in the biggest tech IPO since Alibaba in 2014. Priced at $17 per share, the Snap stock opened at $24 per share on Thursday morning and closed at $24.48 per share, bringing the Company’s market capitalization to approximately $28 billion. In today’s post, we’re taking a closer look at Snap’s S-1 filing (“Snap S-1”) with the U.S. Securities and Exchange Commission (SEC) with a particular focus on the Company’s disclosures of risk factors associated with cybersecurity and privacy risks. Continue Reading A Deep Dive into Privacy/Security Disclosures in Snap’s S-1
It’s March 1: The Cybersecurity Goal Post Has Been Moved
In an effort to combat the growing prevalence of large-scale corporate cyberattacks, the New York Department of Financial Services (“NYDFS”) is rolling out a revamped cybersecurity regulation for financial services companies to take effect TODAY (March 1, 2017). This ambitious regulation is broadly drafted and carries a heavy compliance burden intended to protect consumers and ensure the safety and soundness of New York State’s financial services industry. Even if you are not directly in banking or insurance, read on to see how these regulations may affect your company. Continue Reading It’s March 1: The Cybersecurity Goal Post Has Been Moved
Data Breaches Will Cost Yahoo and Verizon Long After Sale
Five Things You (and Your M&A Diligence Team) Should Know
Recently it was announced that Verizon would pay $350 million less than it had been prepared to pay previously for Yahoo as a result of data breaches that affected over 1.5 billion users, pending Yahoo shareholder approval. Verizon Chief Executive Lowell McAdam led the negotiations for the price reduction. Yahoo took two years, until September of 2016, to disclose a 2014 data breach that Yahoo has said affected at least 500 million users, while Verizon Communications was in the process of acquiring Yahoo. In December of 2016, Yahoo further disclosed that it had recently discovered a breach of around 1 billion Yahoo user accounts that likely took place in 2013.
While some may be thinking that the $350 million price reduction has effectively settled the matter, unfortunately, this is far from the case. These data breaches will likely continue to cost both Verizon and Yahoo for years to come. Merger and acquisition events that are complicated by pre-existing data breaches will likely face at least four categories of on-going liabilities. The cost of each of these events will be difficult to estimate during the deal process, even if the breach event is disclosed during initial diligence.
Continue Reading Data Breaches Will Cost Yahoo and Verizon Long After Sale