Cybersecurity

Subscribe to Cybersecurity via RSS

In August 2014, the Federal Trade Commission (FTC) published a staff report that evaluates the consumer disclosures made by a number of popular mobile shopping applications and makes recommendations to the providers and users of those apps.1 The FTC staff did not address or find any fault with app platforms, like Google Play or Apple’s App Store, with respect to the consumer disclosures of those apps. This report follows the FTC staff’s March 2013 mobile payment report that recommended mobile payment providers convey clear policies regarding fraudulent and unauthorized charges, encouraged all stakeholders to raise consumer awareness about mobile payment security, and stressed the applicability of its general privacy recommendations to companies in the mobile payment marketplace.2
Continue Reading FTC Recommends Improved Transparency and Security in Mobile Shopping Apps

Recent large-scale data breaches provide a stark reminder of the risks and challenges associated with today’s data-driven economy. The exploding number of devices connected to the Internet and amount of information collected about people by organizations make it increasingly important for officers, directors, and senior management to fully understand the privacy and data security risks faced by their organizations.

One of the most effective techniques for managing those risks is conducting a comprehensive privacy and data security risk assessment. Organizations use such risk assessments to maintain appropriate risk profiles based on the organization’s contractual, regulatory, and governance obligations. Regulatory schemes in some industries, including health1 and finance,2 may require risk assessments for compliance. Organizations that collect payment information to process payments as merchants or payment processors3 or deal with data collected about individuals residing in specific states4 may also have risk assessment obligations. Organizations commonly tailor risk assessments to meet these types of obligations for their risk tolerance and profile. A comprehensive risk assessment may include considerations of scope, documentation, timing, management, and oversight.5
Continue Reading Privacy and Data Security Risk Assessments: An Overview

Despite reaching settlements with more than 50 organizations on data security issues since the late 1990s, no organization seriously challenged the Federal Trade Commission’s (FTC’s) authority to bring such cases until FTC v. Wyndham Worldwide Corp. made headlines in 20121 The case brought rampant speculation from the privacy and data security community on the likely outcome and potential impact on a number of issues, ranging from the FTC’s enforcement authority to national and state data security laws. Recent rulings rejecting Wyndham’s motions to dismiss may not break new ground for the FTC, but the commission’s ability to overcome the first challenges to its data security enforcement authority are significant and continue the agency’s trajectory as the country’s leading data security enforcer.2
Continue Reading The Wyndham Rulings and the FTC’s Leadership on Data Security Enforcement

In January 2014, President Barack Obama charged his counselor John Podesta with looking at: (a) how the challenges inherent in big data are being confronted in the public and private sectors; (b) whether the United States can forge international norms on how to manage big data; and (c) how the United States can continue to promote the free flow of information in ways that are consistent with both privacy and security. Two reports were published on May 1, 2014, in response to this charge, one focusing on policy and big data (the “Policy Report”)1 and the other complementing and informing the Policy Report with a focus on technology and big data (the “Technology Report”).2

Both reports acknowledge that there is no one definition of “big data.” However, big data is differentiated from data historically collected about individuals (“small data”3) in two ways: big data’s quantity and variety, as well as the scale of analysis that can be applied to big data. And, while both reports view big data as potentially providing great benefits to the economy, society, and individuals, they also identified its potential to cause significant harm.
Continue Reading President’s Counselor Makes Recommendations on Privacy and Other Values in Big Data Age

A proposed California law, the Consumer Data Breach Protection Act (A.B. 1710),1 has the potential to upend the calculus of determining liability after retail data breaches, create additional data security requirements for retailers and other consumer-facing businesses operating in California, and establish new standards for data breach reporting for breaches affecting California residents. The bill, introduced by California State Assemblymen Bob Wieckowski and Roger Dickinson in February 2014 and currently pending before the California Assembly Committee on the Judiciary, may in part represent an effort to respond to the recent data breaches affecting Target Corp. and Neiman Marcus Ltd., and aims to strengthen one of the most prescriptive state statutes already in existence.

The heightened concern over data privacy in recent months might enable the passage of the bill, which is a variation of past bills that were vetoed by former Governor Arnold Schwarzenegger.2 If passed, A.B. 1710 would place California alongside Washington, Minnesota, and Nevada as the states mandating particular data security provisions with respect to payment card data,3 and would increase the data breach reporting requirements and liability associated with breaches for entities doing business in California.
Continue Reading Proposed California Law Would Impose Data Breach Liability on Retailers and Create More Stringent Data Security Requirements for Businesses

Kaiser Foundation Health Plan, Inc. (Kaiser) recently agreed to settle charges brought by California Attorney General Kamala Harris alleging that Kaiser, a component of Kaiser Permanente, the largest health maintenance organization in the U.S., violated California’s unfair competition law by taking too long to notify more than 20,000 current and former employees that their personal information had been compromised.1 The case and its settlement may have significant implications for businesses that suffer data security incidents requiring notification to affected persons.
Continue Reading Kaiser Foundation Health Plan Settles California Attorney General Charges over Delayed Data Breach Notification