Privacy & Cybersecurity

The National Institute of Standards and Technology (NIST), publishers of the Framework for Improving Critical Infrastructure Cybersecurity (the “Framework”) last February, have published a Request for Information in the Federal Register seeking comments on industry experience with the Framework to date. 

According to recent media reports, Google is allegedly designing a Google account for children under 13 which would permit children in this age group to officially create  their own Gmail account and to access a kid-friendly version of YouTube.

Technology, retail, medical, financial services, education ..... and more experience data losses on a daily basis through employee negligence, poor controls, insider attacks, advanced persistent threats from malevolent outsiders or computer viruses.

Wearable devices, including health and activity monitors, video and audio recorders, location trackers, and other interconnected devices in the form of watches, wristbands, glasses, rings, bracelets, belts, gloves, earrings and shoes are being heavily promoted in the next wave of consumer electronics.

Community Health Systems, Inc. (the “Company”), one of the largest hospital organizations in the country, announced via a public filing (Form 8K) made yesterday with the Securities and Exchange Commission (“Report”) that the Company was the target of a cyber attack that compromised the health data of 4.5 million individuals.

The issue of cyberliability risk is finally making its way to the board room. We have written about the importance of board education and board involvement in the assessment of cyber threats and liability risk and the Securities and Exchange Commission is looking carefully at public company disclosures of cybersecurity risks as a factor for the investing public. 

 (LONDON) Could the European Court of Justice’s May 13, 2014 Google Spain decision delay the adoption of the EU Data Protection Regulation?

There is another retail data breach to talk about in this Privacy Monday post – privacy & security bits and bytes to start your week.

We are just two Mondays away from Labor Day, the traditional end of summer in the United States. Here are some privacy tidbits to get your week started. See especially Jake Romero's piece on the new Delaware data destruction law.

Rarely do Microsoft, AT&T, Verizon, Apple, Cisco and the ACLU all agree on a particular subject; rarer still that such an unlikely coalition fails.

The phrase “back off” is an implied threat typically reserved for bumper stickers and mud flaps, but if you are a retailer that permits the use of remote desktop applications in your business, the name Backoff should be considered much more intimidating.

The last Monday in July -- the summer of 2014 is rapidly slipping away! Here are some privacy and security bits and bytes for this last week of July:
US Congress Heads Out on August Recess Soon - Much to Do

The current mechanisms for legitimizing such transfers, including adequacy assessments, Binding Corporate Rules, model contracts, and express consent, are retained. Also, an important “derogation” for infrequent, small transfers has been endorsed.

To recap the legislative process, the EU Commission, Parliament and Council all need to agree on the final wording of the new Regulation. The EU Commission put forth a first draft in 2012 and the Parliament proposed a much more pro-individual draft in March 2014. 

U.S. District Court Judge Ronald M. Whyte has issued an order  granting in part and denying in part Google’s Motion to Dismiss the class action filed against the Company on ­March 7 in the U.S. District Court for the Northern District of California as a result of unauthorized children’s in-app purchases in the Google Play Store.

Some clarification and a bit more flexibility was forthcoming late last week from the Federal Trade Commission to help ease compliance with the "new" COPPA.

We are now officially in the throes of "midsummer" on this Privacy Monday.  And, on occasion in the data privacy world, we agree with Will Shakespeare's words....“Lord, what fools these mortals be!”

The American Bar Association Health Law Section’s July 2014 eSource publication includes an article by Dianne Bourque, Kimberly Gold, and Stephanie Willis that provides examples of how risk assessments under the Breach Notification Rule have changed since the HIPAA Omnibus Rule went into effect in September 2013.

It’s an ancient conundrum; if a tree falls in the forest, and no one is there to hear it, does it make a sound? Privacy litigation may well offer the closest jurisprudential equivalent; if data is stolen, but no one does anything with it, has there been an injury? 

Children, according to Whitney Houston, are our future, but they are also, according to the Federal Trade Commission, willing to spend unlimited amounts of money to purchase virtual items within mobile applications.