A data security incident can be daunting for an organization, quickly spurring it into full-blown crisis mode. Once an incident is discovered, IT and security personnel may work around the clock to attempt to identify and fix security vulnerabilities, assess and mitigate any damage from the incident, and report their findings and efforts to senior management. The organization’s attorneys may review the incident from a legal risk perspective and engage experienced outside counsel and forensics firms to better assess how the organization should respond to the incident in light of its legal and contractual obligations. The communications and customer service teams may need to respond to customer inquiries about system performance and strange system behavior, while IT personnel are following emergency protocols to attempt to strengthen system security and investigate the incident. In addition, the communications team may be involved in any required data breach notifications. Finally, senior management will need to analyze technical details and legal advice to make organizational decisions that may significantly affect the organization’s customers, reputation, and bottom line.
Continue Reading Breach Notification: Timing Is Everything
Barnes & Noble Dodges Suit over PIN Pad Data Breach
A trial court in the Seventh Circuit recently dismissed a data breach class action against Barnes & Noble (B&N) because the plaintiffs failed to allege an actual or imminent injury.[1] This is one of the first data breach cases decided after the U.S. Supreme Court's recent decision in Clapper v. Amnesty Int'l USA on the injury a plaintiff must plead to establish standing.[2] The trial court relied on Clapper to dismiss the case rather than follow Seventh Circuit precedent, which might have allowed the case to continue. Clapper appears to give defendants a strong defense in data breach cases.
California Extends Security Breach Notification Requirements to Online Account Credentials
California, which enacted the pioneering security breach notification law in 2002, has again taken the lead in security breach notification legislation. In an effort to protect consumers against unauthorized access to their online accounts, California has extended its security breach notification law to cover individuals' online account credentials (i.e., a user name or email address, in combination with a password or security question and answer, that would permit access to an online account) in amendments that will take effect on January 1, 2014.[1] This article discusses California's existing security breach notification obligations, as well as the changes provided for in these amendments.
European Regulators Opine on “Purpose Limitation” Principle – What Constitutes “Compatible Use” in the Context of Big Data?
On April 2, 2013, the European data protection regulators (the "Article 29 Working Party" or the "WP29") issued a 70-page opinion providing guidance on how to comply with the core EU data protection principle of "purpose limitation."[1] This opinion gives a good indication of how EU regulators would apply their national data protection law to specific processing activities such as email marketing, behavioral advertising, profiling, tracking of user behavior, and big data. It is relevant for companies of all sizes, including non-EU-based companies, offering online services to users in the EU, since the EU regulators tend to take a broad approach regarding the applicability of EU data protection law.[2] This article addresses certain aspects of the opinion.[3]