General Privacy & Data Security News & Developments

The American Bar Association is holding its upcoming 2018 Business Law Section Annual Meeting at the Austin Convention Center in Austin, TX, from September 13 to 15.

Fox partner Matt Kittay will moderate a panel entitled “Lawyer Ethical Issues in M&A Technology,” featuring Haley Altman of Doxly, Steve Obenski of Kira Systems, and James Walker of Richards Kibbe & Orbe. The group will discuss ethical issues facing lawyers who use both emerging and globally accepted technology platforms to execute M&A and private equity transactions. The panel will take place on Friday, September 14 from 3:30 PM to 5:00 PM at the Technology in M&A Subcommittee Meeting of the Mergers & Acquisitions Committee. The Fairmont Hotel connected to the Convention Center will host the panel.

For more information and to register to attend the section’s Annual Meeting, please visit the ABA website.

Office copiers retain data on the files they process – securing that data is a must.

Digital copiers pose many of the same cybersecurity risks associated with computers. This is so because they're also computers. Data thieves know that office copiers run on “smart” technology with hard drives that store information about printed, copied and scanned documents – a potential trove of sensitive data.

What steps should businesses take to protect the data across a copier’s lifecycle?

The Federal Trade Commission provides guidance online in Digital Copier Data Security: A Guide for Businesses. The guide walks through the device’s lifecycle, from integrating a copier into your company’s information security policies, to best practices for printing, to securing the hard drive after the device has run its course.

Manufacturers can also tell you about the security features of their copiers, which may include:

  • Encryption software that scrambles hard drive data, making it difficult to extract
  • Overwriting functionality that digitally changes data values so files can’t be reconstructed
  • Locking a hard drive via passcode

The FTC’s point is clear: businesses of all kinds are legally responsible for the information stored on digital copiers. In fact, institutions handling personal financial or health care information are required to have security plans for the information processed on digital copiers.

Facebook has failed to prevent its feud with an Austrian privacy activist over the legality of two widely used mechanisms for transferring data between the European Union and the U.S. from reaching the EU Court of Justice.

In a May 2nd ruling, the Irish High Court sided with activist Max Schrems and the Irish Data Protection Commissioner, rejecting Facebook’s request to stay the court’s October 2017 referral of the case to the EU Court of Justice to give the company time to appeal the referral to the Irish Supreme Court.

The decision carries with it potential consequences for thousands of international companies that use model contracts and Privacy Shield for transatlantic data transfers.

Schrems filed a grievance over Facebook’s use of model contracts with the Irish Data Commissioner in 2015 saying that Facebook failed to protect EU citizens’ data from the prying eyes of U.S. law enforcement and intelligence agencies.

The Data Commissioner referred the case to the Irish High Court in May 2016 after determining the complaint was “well founded.” The Irish High Court expanded the scope to include Privacy Shield in its 2017 decision to refer the matter to the EU Court of Justice.

In 2015, the EU Court of Justice invalidated the Safe Harbor accord, then a widely used mechanism for transferring data between the EU and U.S., ruling it failed to adequately protect the privacy of EU citizens. Privacy Shield was created to replace Safe Harbor. Details via Reuters, Fortune and Bloomberg.

In a daylong Privacy Summit at Citizens Bank Park in Philadelphia, the co-chairs of Fox Rothschild’s Privacy & Data Security practice group led a series of panel discussions with leading cybersecurity professionals and government officials.

Elizabeth Litten moderating “Looking Inward: Risk Management Part I”

Fox partner Elizabeth Litten, who serves as Fox Rothschild’s HIPAA Privacy & Security Officer, and partner Mark McCreary, the firm’s Chief Privacy Officer, moderated a two-part panel series examining cyber risk management for protecting company data. The first segment, “Looking Inward: Risk Management Part I,” focused on the best internal company practices, policies and training to combat cyber threats and protect valuable data. “Beyond Company Walls: Risk Management Part II” examined the ways businesses should approach vendor management and cyber insurance to further secure and safeguard their data assets.

Mark McCreary moderating “Beyond Company Walls: Risk Management Part II”

Litigation partner Scott Vernick moderated the panel “Current State of Affairs in Regulation & Enforcement.” Discussion highlighted the domestic and international data privacy and security obligations relevant to U.S. businesses.

The summit closed with a thought-provoking keynote address from Eric O’Neill, a former FBI counterintelligence operative who helped apprehend Robert Phillip Hanssen, one of the most notorious spies in U.S. history. O’Neill provided memorable insights about corporate diligence and defense.



Many company leaders appear to understand and recognize cyber threats, but far too few have implemented vital defenses.

In the fourth quarter of 2017, we spearheaded a sweeping, cross-industry survey of chief executives to gauge corporate cybersecurity preparedness. The results revealed important organizational issues.

The survey showed C-suite corporate leaders know their companies’ data is at risk but are not taking adequate measures to protect that data.

  • Awareness: More than half of C-level officers recognized their companies were at high or very high risk of a data breach. Three quarters said they had been hit recently by phishing attacks.
  • Inaction: Despite that, 53 percent of executives admitted their cybersecurity and data privacy budgets are insufficient to respond to a breach. Nearly a third don’t train all their employees on data breach prevention, a basic component of cybersecurity.

“Cyberattacks are growing in frequency and severity,” said Mark McCreary, Fox’s Chief Privacy Officer and co-chair of its Privacy and Data Security Practice. “Companies should take steps to manage that risk and prevent breaches, but it requires a clear-eyed, systematic approach.”

Survey findings offer big-picture takeaways to bolster a company’s approach to cyber threats and their prevention. The report examines five key areas of cybersecurity readiness:

  • Breach response plans
  • Budget priorities
  • Cyber liability policies
  • Determining risk severity
  • Training effectiveness

How does your organization compare? Read the full report.


Recent news that Facebook has suspended research firm Cambridge Analytica for improperly collecting users’ personal data without their knowledge may not constitute a classic “data breach,” but it poses real risks for the popular social media platform.

Fox Rothschild Partner Scott Vernick, founder of the firm’s Privacy & Data Security Practice, discussed the implications for Facebook, and the next steps the company should take, in an interview with the TD Ameritrade Network.

“Consumers do select companies and want to do business with companies that have control over their data and that can secure their data,” Scott said. “In turn, if you lose consumer confidence, you lose advertiser confidence, so that is the challenge for Facebook.”

View the full interview here.

The cost of cybercrime continues to rise, driven by increasingly sophisticated cybercriminals and a growing pool of new and often unsophisticated internet users, according to a new report from internet security firm McAfee and the Center for Strategic and International Studies.

“Cybercrime is relentless, undiminished, and unlikely to stop. It is just too easy and too rewarding, and the chances of being caught and punished are perceived as being too low,” the report states.

The report, “Economic Impact of Cybercrime—No Slowing Down,” estimates cybercrime costs the global economy $600 billion a year, or 0.8 percent of global GDP, up from $500 billion in 2014.

It lists five trends that are most responsible for the increase:

  • Cybercriminals adopting new technologies.
  • Growth in new internet users, often from countries with weak cybersecurity.
  • The rise and growth of Cybercrime-as-a-Service.
  • Growth in cybercrime “centers” such as Brazil, India, North Korea, and Vietnam.
  • Improved black markets and digital currencies facilitating monetization of stolen data.

Security magazine also published a summary of the report.

Usernames and passwords were exposed in a number of reported data breaches.

According to the monthly report from the Identity Theft Resource Center, the health care industry suffered more data breaches in January than government, educational and financial sectors combined.

Medical and health care-related data breaches accounted for 26.7 percent of the verified 116 data breaches in early 2018. The report defines a breach as a cybersecurity incident in which personal information, such as emails, medical records, Social Security numbers or driver’s license information, is exposed and made vulnerable to risk.

While the report identifies “Business” as the sector most affected by data breaches, the category broadly encompasses many types of major service providers in retail, hospitality, trade, transportation and other industries.

For more detailed statistics of data breaches by industry, download the ITRC report.

The Federal Trade Commission (FTC) has offered businesses an updated anti-phishing toolbox. It’s contained in new guidelines the agency has issued for preventing cyberattacks. Share the recommendations with your IT department to provide your email servers and networks with the latest defenses. Doing so sends a message that your company takes the threat to personal information seriously and is taking prudent and reasonable steps to protect it.

Here are the email authentication technologies the FTC recommends:

  • Sender Policy Framework (SPF) – requires a business to designate the IP addresses it uses to send emails
  • DomainKeys Identified Mail (DKIM) – authenticates the source and integrity of messages
  • Domain-based Message Authentication, Reporting and Conformance (DMARC) – reports on and excludes unauthenticated email sources

The FTC has additional recommendations. Chief among them? Make sure your software is at the strongest security setting. It should block delivery of unauthenticated messages and scan attachments for sensitive personally identifiable information (PII).
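The following is an added example, not code from the FTC guide or from this post, showing how an IT team can check whether a domain has the three controls above in place. It parses SPF, DKIM and DMARC TXT records and flags a domain whose SPF record does not end in “-all” or whose DMARC policy is “p=none” (which reports on, but does not exclude, unauthenticated mail). The domains (example.com, weak.example, _spf.provider.example), the SAMPLE_TXT dictionary standing in for DNS queries, and the function names are all assumptions made for this example; the SPF evaluation is simplified (the a, mx, exists and redirect terms are omitted) and the DKIM check only confirms that a public key is published at the selector, it does not verify signatures.

```python
# Added example (not from the FTC guide or the original post). Parses constructed SPF,
# DKIM and DMARC TXT records for hypothetical domains and reports which of the three
# FTC-recommended controls a domain is missing. A real deployment would query DNS
# instead of the SAMPLE_TXT dictionary; nothing here touches the network.
import ipaddress

# Constructed sample TXT records for hypothetical domains (not real DNS data).
SAMPLE_TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:_spf.provider.example -all"],
    "_spf.provider.example": ["v=spf1 ip4:198.51.100.10 ~all"],
    "selector1._domainkey.example.com": ["v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"],
    "weak.example": ["v=spf1 ip4:203.0.113.0/24 ?all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name, records=SAMPLE_TXT):
    """Stand-in for a DNS TXT query: returns the records for `name` or an empty list."""
    return records.get(name, [])


def parse_spf(txt):
    """Split an SPF record into (qualifier, mechanism) pairs, e.g. ('-', 'all')."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms = []
    for term in terms[1:]:
        qualifier = "+"                     # an unprefixed mechanism means "pass"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mechanisms.append((qualifier, term))
    return mechanisms


def check_spf(domain, ip, records=SAMPLE_TXT, depth=0):
    """Evaluate whether `ip` is designated to send for `domain` (simplified RFC 7208)."""
    if depth > 10:                          # RFC 7208 caps DNS-querying terms per check
        return "permerror"
    spf = [r for r in lookup_txt(domain, records) if r.lower().startswith("v=spf1")]
    if not spf:
        return "none"
    addr = ipaddress.ip_address(ip)
    for qualifier, mech in parse_spf(spf[0]):
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # include: matches only when the referenced record yields "pass"
            matched = check_spf(arg, ip, records, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            matched = False                 # a/mx/exists/redirect omitted from this example
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"


def parse_tags(txt):
    """Parse the 'k=v; k=v' tag lists used by DKIM and DMARC records into a dict."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(domain, dkim_selector="selector1", records=SAMPLE_TXT):
    """Return a list of gaps against the FTC's three controls; empty means all present."""
    findings = []
    spf = [r for r in lookup_txt(domain, records) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record")
    else:
        qualifier, mech = parse_spf(spf[0])[-1]
        if mech.lower() != "all" or qualifier != "-":
            findings.append(f"SPF ends with '{qualifier}{mech}' instead of '-all'")
    dkim_recs = lookup_txt(f"{dkim_selector}._domainkey.{domain}", records)
    if not dkim_recs or not parse_tags(dkim_recs[0]).get("p"):   # empty p= means revoked key
        findings.append(f"no usable DKIM key at selector '{dkim_selector}'")
    dmarc_recs = [r for r in lookup_txt(f"_dmarc.{domain}", records)
                  if r.upper().startswith("V=DMARC1")]
    if not dmarc_recs:
        findings.append("no DMARC record")
    else:
        policy = parse_tags(dmarc_recs[0]).get("p", "none")
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC p={policy} does not exclude unauthenticated mail")
    return findings


if __name__ == "__main__":
    for name in ("example.com", "weak.example"):
        print(name, check_spf(name, "198.51.100.10"), assess_domain(name) or "all controls present")
```

Running the block prints that example.com passes every check while weak.example is flagged on all three controls: its SPF record ends in a neutral “?all”, it publishes no DKIM key, and its DMARC policy is “p=none”. The same assess_domain function can be pointed at live DNS by replacing lookup_txt with a resolver call.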

A growing number of apps are using location data that is expected to be subject to tighter regulation under new European Union privacy laws, particularly the much anticipated General Data Protection Regulation, or GDPR.

The new rules are expected to toughen requirements for obtaining consent from consumers to access this data and place restrictions on how companies operating in Europe can use data consumers agree to provide. Despite widespread speculation, the extent of the changes is unclear. With a potential for higher noncompliance fines, U.S. companies that use location data in apps for passive tracking are urged to closely monitor GDPR developments.

Location, Location

EU regulators are particularly concerned about location data because it can reveal private, sometimes intimate details about consumers’ lives. It can expose where people travel, what stores and restaurants they visit and even details of their everyday routines. Location data involving medical facilities and places of worship triggers even more stringent protections.

The new EU regulations will require more than the blanket consent provided in the U.S. when a consumer clicks a box to acknowledge an app’s or service’s privacy policies. They are expected to require informed notice and consent for each individual use of the data. Many mapping apps collect location data to provide traffic information, but also to target ads, for example. EU regulators are particularly concerned about such “secondary uses” of data.

To give citizens more control over their personal data, the EU expects companies to provide customers with detailed notice of when and how their data is being used. Personal data can only be gathered for legitimate purposes, just what is needed to support a company’s business model. If a company wants to repurpose or analyze the data it has collected, it would have to go back to the consumer for consent on each occasion. That means companies must proactively monitor how their partners are using data, and ensure they obtain consent for each occasion and use.

EU Data Collection Compliance Checklist

  • Inform consumers clearly and in detail about what location data is being gathered and the primary and secondary ways it is being used, such as to target ads.
  • Give consumers the ability to refuse to allow their data to be collected, or to opt out of any of the ways in which it will be used.
  • Put a mechanism in place to notify consumers of changes in company data collection policy, for example if you plan to repackage data and provide it to an aggregator in the future.
  • Sign agreements with partners to ensure they are complying with the data collection permission your company has obtained.

For a review of your company’s privacy policies and guidance on how these new regulations may impact your organization, contact the author or another member of the Fox Rothschild Privacy & Data Security team.