In the age of digitization, personal information your business holds about your customers (or your customers’ customers) has become a strategic enterprise asset and should be treated as such.

Privacy considerations should be incorporated into your go-to-market strategies.

Gartner offers some tips:

  • Customer-facing policies and communications should clearly explain what information is collected and why, as well as any applicable customer rights.
  • Policies should be readily accessible and understandable for customers — and reinforced internally.
  • Managers and senior leaders should echo the standards in small team discussions, all-company meetings and other forms of messaging.
  • There should be a coherent approach to working with third parties. Codify what third parties can and can’t do with user data, and define consequences for failure to comply. Make sure to follow through and monitor compliance.
  • Compare your customers’ privacy appetite to your organization’s overall risk appetite — and be prepared to manage any gaps between the two.

Details from the International Association of Privacy Professionals.

Shata Stucky writes:

The United States National Institute of Standards and Technology (NIST) has issued new guidelines for creating secure passwords. NIST guidelines, which are directed to “federal government systems,” often become best practice recommendations across the security industry.

The new guidelines are a significant break from previous rules.  Security experts previously recommended frequent password changes and using a mixture of upper case letters, symbols, and numbers.  The NIST guidelines acknowledge that users often work around these types of restrictions in a way that is counterproductive.  The most effective passwords are those that are easy for the user to remember so that it is less likely they will be written down or stored electronically in an unsafe manner.

Accordingly, NIST recommends dropping complexity requirements and requirements for frequent password changes. Instead, organizations should emphasize password length: passwords should be at least 8 characters in length, and users should be allowed a maximum length of at least 64 characters.

Additional recommendations can be found in the NIST guidelines, accessible on NIST’s website.
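To make the shift concrete, here is an added example (not from the post or from NIST) that puts the older composition rules beside a length-only check built on the post’s numbers. The acceptance of spaces and non-ASCII characters, NFKC normalisation, and counting length in code points rather than bytes are drawn from NIST SP 800-63B rather than from the post.

```python
import unicodedata

# Length bounds taken from the post: at least 8 characters, and a
# maximum of at least 64 characters must be allowed.
MIN_LEN = 8
MAX_LEN = 64


def legacy_problems(password: str) -> list[str]:
    """Composition rules of the older style that the post says NIST now drops."""
    problems = []
    if not any(c.isupper() for c in password):
        problems.append("missing upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("missing digit")
    if not any(not c.isalnum() and not c.isspace() for c in password):
        problems.append("missing symbol")
    return problems


def nist_problems(password: str) -> list[str]:
    """Length-only rule set; everything printable, including spaces and
    non-ASCII text, is accepted (SP 800-63B, not stated in the post)."""
    # NFKC normalisation so the same passphrase typed on different keyboards
    # compares equal at the next login (also from SP 800-63B).
    pw = unicodedata.normalize("NFKC", password)
    n = len(pw)  # code points, not UTF-8 bytes: 8 CJK characters count as 8
    problems = []
    if n < MIN_LEN:
        problems.append(f"too short: {n} < {MIN_LEN}")
    if n > MAX_LEN:
        # Reject explicitly: silently truncating would store a weaker
        # secret than the one the user thinks they set.
        problems.append(f"too long: {n} > {MAX_LEN}")
    return problems


def accepted(password: str, policy=nist_problems) -> bool:
    """True when the given policy reports no problems."""
    return not policy(password)


if __name__ == "__main__":
    for pw in ["correct horse battery staple", "Tr0ub4dor&3", "密码密码密码密码"]:
        print(repr(pw), "legacy:", accepted(pw, legacy_problems), "nist:", accepted(pw))
```

The passphrase with spaces fails every legacy rule yet is 28 characters long, while the 8-ideograph password is 24 bytes in UTF-8 but only 8 code points, so a byte-based length check would mis-handle it.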


Shata L. Stucky is an associate in the firm’s Privacy & Data Security practice, resident in its Seattle office.

Businesses that relied previously on the EU’s Safe Harbor exception to transfer data from Israel to the United States have had that authorization revoked by the Israeli Law, Information and Technology Authority (ILITA).

It’s part of the ongoing ripple effect caused by the invalidation of Safe Harbor.

Now that Safe Harbor is off the table, businesses must rely on standard contractual clauses, binding corporate rules or other legal strategies to transfer data out of the EU, and now Israel.

Israel is not an official member of the so-called “Euro Data Zone,” but it was granted an exception in 2011 under the EU Data Protection Directive, allowing data to be transferred out of the EU to Israel without requiring companies to use standard contractual clauses or binding corporate rules.

Israel’s 2001 Privacy Protection Regulations permitted moving data from Israel to a database outside the country if the transferee country had laws regulating data protection that were at least as strict as Israeli law. It included an exception for companies located in countries with inadequate legal protections by allowing data transfers to nations to which the EU allows data transfers.

In effect, that allowed Safe Harbor compliant U.S.-based companies to transfer data out of Israel.

After a Cyberattack

This blog post is the sixth and final entry of a six-part series discussing the best practices relating to cyber security.  The previous post discussed the individuals and organizations that should be notified once a cyberattack occurs.  This post will focus on what a business should not do after a cyberattack.  Key points include (1) not using the network, (2) not sharing information with unconfirmed parties, and (3) not attempting to retaliate against a different network.

Do Not Search Through the Network

Once a cyberattack has been identified, most individuals may feel compelled to immediately examine their network and search through all of their system’s files.  This sudden reaction can cause further damage and may result in a total system failure.  Some hackers rely on the natural inclination to examine a network in order to cause more destruction.  They may install dormant malware that is triggered after an authorized user accesses the network to survey the damage.  If the hackers are monitoring the network after the attack, they may also be able to steal additional information such as passwords and usernames if individuals attempt to log on.

The better option is to immediately suspend all use of the network and commence the action plan.  By limiting network activity, a business may be able to contain the attack and safeguard unaffected systems.  Furthermore, suspending the network will help preserve evidence of the attack for law enforcement officials.  As a last resort, a business should be prepared to shut its entire system down in order to contain the attack if it is still active.

Do Not Release Information to Unconfirmed Parties

After a cyberattack, a business should be very careful to only communicate information to credible sources.  Some hackers will pose as law enforcement officials and send inquiring messages to the business after the attack.  These messages are sent in an attempt to gain information from the business.  The hackers may use this information to launch a second cyberattack on the already damaged network.  All communication should be via the telephone or in person if possible.  It is important that a business designate one individual to communicate on behalf of the business.  This individual should not share information with anyone until he or she has confirmed the identity of the other party.

Do Not Attempt to Retaliate Against Other Networks

If a business is able to determine the source of the cyberattack, it may be tempted to retaliate with cyber warfare against the source.  Not only is this tactic illegal under U.S. and foreign cybersecurity laws, but it may also cause further damage to a business’ system or provoke a second attack.  Additionally, many cyberattacks originate from innocent networks that have previously been hacked.  Retaliation against these networks would only hurt a previous victim and would not impact the hackers.  Remaining calm and following the action plan is always the best course of action after a business has been impacted by a cyberattack.

Executing a Response Plan

This blog post is the third installment of a six-part series discussing the best practices relating to cyber security.  The first two blog posts discussed the best practices for preparing a business in case of a cyberattack.  This post will discuss the initial steps that a business should take after a cyberattack occurs.

Once an employee discovers a cyber incident, the business should immediately assess the nature and range of the situation.  It is important to determine whether the disruption is a purposeful cyberattack or a system accident.  This determination will assist a business in executing the appropriate Response Plan.  If the incident is a malicious cyberattack, the business may need to disengage its entire system and shut down its technological operations.  If the incident is a product of faulty software, the business may be able to take less extreme measures.

Gathering the correct information as quickly as possible will not only help defend the system from additional attacks, but also provide law enforcement with information to begin its investigation.  The system administrator should survey the network to determine which computer systems were impacted, where the incident originated, and what malware may have been installed on the network.  Additional information concerning which users were logged onto the network and which programs were running on the network is also useful in determining the source of the attack.

During the initial assessment it is important to determine if data was exported from the system.  The data trail may illustrate the possible motive behind the attack and where it could strike next.  If a business can identify other networks that are impacted by the attack it should alert those networks’ administrators.  This may help to weaken the attack and increase the chance of retrieving stolen data.

After the initial assessment is complete, the business may need to employ preventative measures in order to stop the loss of data.  Common approaches to prevent additional attacks include (1) redirecting network traffic, (2) segregating all or part of a network, or (3) filtering all messages and communications on the network.  If a specific user or network terminal is identified as being the root of the attack, it should be blocked and disabled immediately.  In more extreme cases, an entire network may need to be shut down if an attack persists.  A business should store backup copies of critical data if its Response Plan calls for the network to be shut down.  This allows the business to continue some operations from a remote network while its main network is disabled.

It is important that all steps taken to gather information and diminish damages are recorded accurately.  This information will be useful in law enforcement’s efforts to bring criminal charges and for a business’ insurance claims.
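The post asks that every assessment and containment step be recorded accurately for law enforcement and insurers. As an added example (not from the post or the firm), this keeps those steps in a hash-chained, append-only log so that a later edit or deletion is detectable; the incident id, hosts, user, process and the 203.0.113.7 address are constructed sample data.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # "previous digest" value used by the first entry


class IncidentLog:
    """Append-only record whose entries are chained by SHA-256, so a later
    edit or deletion of any step is detectable when the log is produced."""

    def __init__(self, incident_id: str):
        self.incident_id = incident_id
        self.entries: list[dict] = []

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "digest"}
        data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(data).hexdigest()

    def record(self, step: str, detail: dict, when: datetime) -> dict:
        entry = {
            "incident": self.incident_id,
            "seq": len(self.entries),
            "time": when.astimezone(timezone.utc).isoformat(),
            "step": step,
            "detail": detail,
            "prev": self.entries[-1]["digest"] if self.entries else GENESIS,
        }
        entry["digest"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        # Recompute every digest and check sequence numbers and back-links.
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or self._digest(e) != e["digest"]:
                return False
            prev = e["digest"]
        return True


def build_sample_log() -> IncidentLog:
    """Constructed walk-through of the post's initial steps; all values are sample data."""
    t = datetime(2015, 3, 2, 9, 15, tzinfo=timezone.utc)
    log = IncidentLog("INC-SAMPLE-001")
    log.record("assess", {"classification": "malicious", "basis": "unexpected outbound transfers"}, t)
    log.record("scope", {"affected_hosts": ["ws-12", "file-srv-1"], "users_logged_on": ["jdoe"],
                         "running_programs": ["unknown.exe"]}, t + timedelta(minutes=20))
    log.record("exfiltration", {"data_left_system": True, "destination": "203.0.113.7"}, t + timedelta(minutes=45))
    log.record("contain", {"actions": ["disabled account jdoe", "isolated VLAN 20",
                                       "filtered egress to 203.0.113.7"]}, t + timedelta(hours=1))
    log.record("backup", {"restored_from": "offsite copy 2015-03-01"}, t + timedelta(hours=2))
    return log
```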

The following blog post will discuss the next steps for a business to take once these initial steps are complete.

In response to a data breach in 2014, employees of University of Pittsburgh Medical Center filed a two-count class action complaint against UPMC for (1) negligence and (2) breach of an implied contract for failing to protect their personal data. The employee plaintiffs alleged that their Social Security numbers, names, addresses, birthdates, W2 information and salaries were stolen and used to file fraudulent tax returns and open fraudulent bank accounts.

In dismissing the class action, Judge R. Stanton Wettick Jr. ruled that Pennsylvania law does not recognize a private right of action to recover actual damages as a result of a data breach. Judge Wettick stated that creating such a cause of action in the context of a data breach would overwhelm the state courts and require businesses – who are also victims in criminal activity – to spend substantial resources to respond to these claims. Judge Wettick noted that, to date, the only obligation imposed upon businesses by the Pennsylvania General Assembly is to provide notification of a data breach. Judge Wettick refused to interfere with the legislature’s direction in this area of the law.

This decision confirms that, under Pennsylvania law, plaintiffs will continue to have difficulty bringing claims against businesses who suffer data breaches.

The case is Dittman et al. v. The University of Pittsburgh Medical Center, Case No. GD-14-003285 in the Court of Common Pleas of Allegheny County, Pennsylvania.

The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) recently released an initial summary of its findings from its 2014 OCIE Cybersecurity Initiative. The OCIE examined 57 registered broker-dealers and 49 registered investment advisers to better understand how broker-dealers and advisers address the legal, regulatory, and compliance issues associated with cybersecurity.

The OCIE Summary made the following observations:

  • the majority of examined broker-dealers and advisers have adopted written information security policies;
  • the majority of examined firms conduct periodic risk assessments to identify cybersecurity threats and vulnerabilities;
  • most of the examined firms reported that they have experienced cyber-attacks directly or through one or more of their vendors; and
  • almost all of the examined firms make use of encryption in some form.

The OCIE also identified key differences in practices between broker-dealers and advisers, including that broker-dealers were more likely to:  (1) incorporate cybersecurity risk policies into contracts with vendors; (2) explicitly designate a Chief Information Security Officer; and (3) maintain insurance for cybersecurity incidents.

FINRA also recently released a Report on Cybersecurity Practices, which presents firms with an approach to cybersecurity grounded in risk management.  FINRA’s Report recommends:

  • a sound governance framework with leadership engagement on cybersecurity issues;
  • risk assessments;
  • technical controls and strategy that fit the firm’s individual situation;
  • testing response plans, which should include containment, mitigation, recovery, investigation, notification and making consumers whole;
  • exercising due diligence when contracting with and using a vendor;
  • training staff to prevent unintentional downloading of malware; and
  • engaging in collaborative self-defense with other firms by sharing intelligence.

For more information and resources related to the SEC and FINRA’s examination of cybersecurity, check out Christopher Varano’s post on Fox Rothschild’s Securities Compliance blog.

Officials from both the Federal Trade Commission (FTC) and European Union (EU) recently called for enhancements to the Obama administration’s proposed Consumer Privacy Bill of Rights.

The White House’s proposed Consumer Privacy Bill of Rights seeks to provide “a baseline of clear protections for consumers and greater certainty for companies.”  The guiding principles of the draft bill are:  individual control, transparency, respect for context, security, access and accuracy, focused collection and accountability.

But the proposed legislation also seeks to afford companies discretion and flexibility to promote innovation, which some officials argue has led to a lack of clarity.

FTC Chairwoman Edith Ramirez had hoped for a “stronger” proposal and had “concerns about the lack of clarity in the requirements that are set forth.”  However, Chairwoman Ramirez acknowledged the significance of a privacy bill backed by the White House.  FTC Commissioner Julie Brill also expressed concern over weaknesses in the draft, calling for more boundaries.

Likewise, European Data Protection Supervisor Giovanni Buttarelli felt that the proposal lacked clarity and that, as written, “a large majority of personal data would not be subject to any provisions or safeguards.”

To review the administration’s proposed bill, click here.


New Jersey Governor Chris Christie signed a bill (S.562) into law on January 9, 2015 that will impose a standard more stringent than HIPAA on health insurance carriers authorized (i.e., licensed) to issue health benefits plans in New Jersey.  Effective August 1, 2015, such carriers will be required to secure computerized records that include certain personal information by encryption (or by any other method or technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person).  “Personal information” requiring encryption includes an individual’s first name or first initial and last name when linked with any one or more of the following data elements:

* Social security number
* Driver’s license number or State identification card number
* Address

OR

* Individually identifiable health information as defined under HIPAA

Notably, the encryption requirement applies only to “end user computer systems” and “computerized records transmitted across public networks”, as those terms are defined in the law. “End user computer systems” are defined as computer systems “designed to allow end users to access computerized information, computer software, computer programs, or computer networks” and include “desktop computers, laptop computers, tablets or other mobile devices, or removable media.”

The law is more stringent than HIPAA not only because it requires encryption, but because it applies to personal data that is more rudimentary than the type of data that constitutes protected health information (PHI) under HIPAA.  For example, under the new law, if a health insurance carrier compiles or maintains a computerized record that contains an individual’s first initial, last name, and address (and this information is not publicly available in a directory listing to which the individual has consented, which effectively excludes the information from the law’s definition of a “record”), the encryption requirement would apply even if the individual is not covered (insured) by the carrier.  A health insurance carrier subject to this new law that is building a mailing list of prospective customers or otherwise collecting information about individuals who are not plan members or insureds will need to make sure its encryption capabilities encompass not only existing or future members’ PHI, but any and all “personal information” that is compiled or maintained.

On December 31, 2014, the Federal Trade Commission announced that it approved a final order settling charges against Snapchat.

In its complaint, the FTC charged Snapchat with deceiving consumers over the amount of personal data that it collected and the security measures in place to protect the data from disclosure and misuse.

The settlement order prohibits Snapchat from misrepresenting the extent to which a message is deleted after being viewed by the recipient and the extent to which Snapchat is capable of detecting or notifying the sender when a recipient has captured a screenshot or otherwise saved the message.  Snapchat is also prohibited from misrepresenting the steps taken to protect against misuse or unauthorized disclosure of information.

Finally, the company will be required to implement a “comprehensive privacy program” and obtain assessments of that program every two years from an independent privacy professional for the next 20 years.

In its press release, the FTC noted that its settlement with Snapchat is “part of the FTC’s ongoing effort to ensure that companies market their apps truthfully and keep their privacy promises to consumers.”  For more information from the FTC on marketing apps, click here.