Privacy & Cybersecurity

Welcome to Privacy Monday - here are five privacy & security bits and bytes to start your week:
1)  California AG's Data Breach Report: Who Is Handling Your Patients' Confidential Health Information?

Substantive litigation in the flood of lawsuits concerning the recent Home Depot data breach awaits a determination of where the cases will be heard.  Numerous overlapping lawsuits have been filed in courts throughout the United States asserting claims on behalf of consumers and financial institutions arising from the massive theft of credit card data that was confirmed by Home Depot in September.

A federal district court in New Jersey has dismissed with prejudice a shareholder derivative suit, Palkon v. Holmes, No. 14-CV-01234 (SRC) (D.N.J.), that tried to blame the directors and officers at hospitality company Wyndham Worldwide Corporation (“Wyndham”) for a series of data breaches.

In past posts we’ve taken a close look at the Framework for Improving Critical Infrastructure Cybersecurity put forth by the National Institute of Standards and Technology (NIST), exploring its wide-ranging implications for companies across a number of different industries.

October is National Cyber Security Awareness Month. This is an opportunity to remind employees (and yourselves) about how to keep corporate networks and their own cyber lives secure.

As a service to our readers, we have distilled last week’s joint HHS Office of Civil Rights (OCR) and National Institute of Standards in Technology (NIST) conference, “Safeguarding Health Information: Building Assurance through HIPAA Security” into three phrases:  (i) risk assessment, (ii) workforce training, and (iii) adequate encryption. 

As we promised in our post on the Yelp and TinyCo Federal Trade Commission COPPA enforcement actions, the Mintz Privacy Team has prepared an extensive review and analysis of both actions, and a helpful guide to avoiding COPPA violations.

Happy autumnal equinox
Home Depot Breach - By the Numbers

As we predicted in prior blog posts (here and here), the Federal Trade Commission has begun its vigorous enforcement of the Amended COPPA Rule.  And one of the players is not a child-related site, so read on. 

As the world recovers from the excitement leading up to Tuesday’s Apple Live Event announcement of the new iPhone 6 and Apple Watch, mobile app developers are chomping at the bit to create software that leverages the new operating system and Apple’s widely-anticipated “HealthKit,” a purportedly secure platform that allows mHealth apps to share user’s health and fitness data with the new Health app and with each other. 

When one thinks of the use of technology in school, often the first image that comes to mind is of students sending ill-advised Snapchats and making in-app purchases that line the pockets of the Kardashian family, rather than paying attention in geometry. 

It appears that the data breach victim of the week (perhaps of the year) is The Home Depot. Brian Krebs has reported that it appears that two large dumps of purloined credit card numbers have made an appearance on the black market and that those numbers may have originated at Home Depot locations. 

Some weeks ago, we wrote a piece "What You Need to Know About Backoff Malware: The New Threat Targeting Retailers". It's apparently gotten worse. Any business utilizing point-of-sale (POS) terminals for "swiping" credit cards needs to pay attention to this threat and assess vulnerability.

The National Institute of Standards and Technology (NIST), publishers of the Framework for Improving Critical Infrastructure Cybersecurity (the “Framework”) last February, have published a Request for Information in the Federal Register seeking comments on industry experience with the Framework to date. 

According to recent media reports, Google is allegedly designing a Google account for children under 13 which would permit children in this age group to officially create  their own Gmail account and to access a kid-friendly version of YouTube.

Technology, retail, medical, financial services, education ..... and more experience data losses on a daily basis through employee negligence, poor controls, insider attacks, advanced persistent threats from malevolent outsiders or computer viruses.

Wearable devices, including health and activity monitors, video and audio recorders, location trackers, and other interconnected devices in the form of watches, wristbands, glasses, rings, bracelets, belts, gloves, earrings and shoes are being heavily promoted in the next wave of consumer electronics.

Community Health Systems, Inc. (the “Company”), one of the largest hospital organizations in the country, announced via a public filing (Form 8K) made yesterday with the Securities and Exchange Commission (“Report”) that the Company was the target of a cyber attack that compromised the health data of 4.5 million individuals.

The issue of cyberliability risk is finally making its way to the board room. We have written about the importance of board education and board involvement in the assessment of cyber threats and liability risk and the Securities and Exchange Commission is looking carefully at public company disclosures of cybersecurity risks as a factor for the investing public. 

 (LONDON) Could the European Court of Justice’s May 13, 2014 Google Spain decision delay the adoption of the EU Data Protection Regulation?