Privacy & Cybersecurity

The FTC has announced that it has unanimously approved the knowledge-based authentication method proposed by Imperium, LLC (“Imperium”) as a COPPA-compliant method of obtaining verifiable parental consent (“VPC”). Knowledge-based authentication has been used by entities in the financial services industry to authenticate users for several years.

After a brief hiatus for the holidays and our "12 Days of Privacy" series, we are back.
We have had a series of late year -- and new year -- data breaches in the news.  

The question is not whether a company will be the target of a data breach, but when. Verizon’s most recent Data Breach Investigation Report states that, in 2012, there were over 47,000 reported security incidents, which resulted in 621 confirmed data disclosures and at least 44 million comprised records. 

As we have discussed throughout this series, there is a whole universe of potential privacy and cyber risks not understood at a board level, and company directors must wake up to cyber threats or risk litigation from all sides.

When asked why he robbed banks, the notorious bank robber Willie Sutton apocryphally replied, “Because that’s where the money is.” No matter its provenance, Sutton’s legendary dictum guides computer hackers and class counsel alike. 

As use of social media and other technologies continue to raise serious employment-related privacy issues in the workplace, expect to see a flurry of activity in 2014 from federal and state legislatures, administrative bodies and courthouses throughout the country addressing those issues.

Last December, the FTC gave to us the long awaited (or maybe not so much by covered entities!) final amendments to the 14-year old Children’s Online Privacy Protection Act (COPPA) Rule (the “COPPA Rule,” and as amended, the “Amended COPPA Rule”).

As public companies prepare for the New Year and the start of yet another annual reporting season, it is the perfect time to reflect on our 2013 prediction that the SEC would require greater disclosure relating to cybersecurity risks and data breaches. As predicted, the SEC has been quite busy.

Web cameras, burglar alarms, fitness monitors, smartphones, and a host of other internet connected devices all have the potential to invade privacy by collecting and sharing personal information. 

The Department of Defense (DoD) has published its new final rule governing the security measures imposed on DoD unclassified technical information resident on or passing through the unclassified information systems of its contractors and subcontractors.

In 2013 geolocation and biometrics were hot topics. Apple included a fingerprint reader on the new iPhone which was either really cool or an epic fail depending on your viewpoint, and Google and the NSA are tracking our every move.

2013 was a busy year for California. We passed a budget with a surplus, let Kim and Kanye get engaged in one of our stadiums and panicked over possibly losing Sriracha sauce. At the same time, we also passed a number of significant pieces of legislation related to data privacy, the effects of which will be felt throughout the year.

The year 2013 started with a bang for HIPAA-regulated entities, with the passage of the long-awaited HIPAA Omnibus Rule, implementing privacy, security, breach notification, enforcement and other provisions of the HITECH Act. Omnibus Rule momentum carried through much of the year with an industry-wide push to comply with the September 23, 2013 compliance date for significant provisions of the Omnibus Rule.

Haul out the holly, fill up the stockings, even though it's just one week past Thanksgiving day.....
Rather than look back at 2013, next week the Privacy & Security blog will count down The 12 Days of Privacy, looking ahead to what we might expect in 2014.

If you haven't been paying attention to "password hygiene" preached by this blog and others, perhaps it's time. Jose Pagliery from CNNMoney reports of a large-scale hack that has compromised over 2 million passwords at Facebook, Gmail, Twitter, Yahoo and others.

This past weekend if you survived the towel aisle and other Black Friday dangers and made it to the register to purchase your items, it is possible you were asked to provide an email address so that your receipt could be emailed to you.

(LONDON) The European Commission, which has the authority to make changes to the US Safe Harbor program, has published a paper titled “Rebuilding Trust in EU-US Data Flows” that sets out the changes that the Commission would like to see the US adopt. 

Earlier this month, Google, Inc. (“Google” or “Company”) entered into an  agreement with the Attorney Generals of 37 states and the District of Columbia, settling allegations of violation of  the participating states’ consumer protection or applicable computer abuse statutes (the “Settlement Agreement”).

We don't do this very often, but this is an excellent opportunity for a lawyer with privacy experience at a long-time Mintz client.

The month of November is quickly slipping by - this is the time to be looking at the 2014 cybersecurity and data privacy goals and updates and planning ahead.