Ireland’s Data Protection Commission has published guidance on data security.

Key Takeaways

  • The most effective means of mitigating the risk of lost or stolen personal data is not to hold the data in the first place.
  • A data controller should always know what personal data they hold, where it is held and how it flows through the organization.
  • Data processors are subject to the same security obligations as data controllers.

Access Controls

  • A data controller has a duty to limit access to personal data on a “need to know” basis and regularly review access controls.
  • Multiple independent levels of authentication may be appropriate where administrators have advanced or extra access to personal data or where they have access or control of other’s account or security data.
  • There should be strict controls on the ability to download personal data from an organization’s systems.


Continue Reading

“Company executives would face possible jail time for lying to the Federal Trade Commission about privacy and data security matters, under a new bill by U.S. Sen. Ron Wyden, a Democrat representing Oregon,” reports Daniel R. Stoller, Esq. for Bloomberg Law.

“The Mind Your Own Business Act would give the FTC new authorities and resources

In the age of digitization, personal information your business holds about your customers (or your customers’ customers) has become a strategic enterprise asset and should be treated as such.

Privacy considerations should be incorporated into your go-to-market strategies.

Gartner with some tips:

  • Customer-facing policies and communications should clearly explain what information is collected and why,

Shata Stucky writes:

Username and password login fields, online securityThe United States National Institute for Standards and Technology (NIST) has issued new guidelines for creating secure passwords.  NIST guidelines, which are directed to “federal government systems,” often become best practice recommendations across the security industry.

The new guidelines are a significant break from previous rules.  Security experts previously recommended frequent password

Businesses that relied previously on the EU’s Safe Harbor exception to transfer data from Israel to the United States have had that authorization revoked by the Israeli Law, Information and Technology Authority (ILITA).

It’s part of the ongoing ripple effect caused by the invalidation of Safe Harbor.

Now that Safe Harbor is off the table,

This blog post is the sixth and final entry of a six-part series discussing the best practices relating to cyber security. The previous post discussed the individuals and organizations that should be notified once a cyberattack occurs. This post will focus on what a business should not do after a cyberattack. Key points include (1) not using the network, (2) not sharing information with unconfirmed parties, and (3) not attempting to retaliate against a different network.
Continue Reading

This blog post is the third installment of a seven-part series discussing the best practices relating to cyber security. The first two blog posts discussed the best practices for preparing a business in case of a cyberattack. This post will discuss the initial steps that a business should take after a cyberattack occurs.
Continue Reading

In response to a data breach in 2014, employees of University of Pittsburgh Medical Center filed a two-count class action complaint against UPMC for (1) negligence and (2) breach of an implied contract for failing to protect their personal data. The employee plaintiffs alleged that their Social Security numbers, names, addresses, birthdates, W2 information and

The Security and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) recently released an initial summary of its findings from its 2014 OCIE Cybersecurity Initiative.  The OCIE examined 57 registered broker-dealers and 49 registered investment advisers to better understand how broker-dealers and advisers address the legal, regulatory, and compliance issues associated with cybersecurity.

Officials from both the Federal Trade Commission (FTC) and European Union (EU) recently called for enhancements to the Obama administration’s proposed Consumer Privacy Bill of Rights.

The White House’s proposed Consumer Privacy Bill of Rights seeks to provide “a baseline of clear protections for consumers and greater certainty for companies.”  The guiding principles of