Privacy & Cybersecurity

In the wake of the recent massive data breaches suffered by Target and Neiman Marcus, many banks and retailers have renewed the call for a change in the way that consumers in the United States pay for goods and services.

The release yesterday of the Framework for Improving Critical Infrastructure Cybersecurity by the National Institute of Standards and Technology caps a year-long effort by NIST to find an industry consensus for assessing and improving the cybersecurity of the nation's privately-owned critical infrastructure.

The California Senate has passed a bill restricting the information that certain online retailers can collect in connection with consumer purchases. Senate Bill 383 would amend Sections 1747.02 and 1747.08 of the California Civil Code to address the collection of customer information in connection with credit card purchases in online transactions for downloadable products. 

Data privacy legislation has been introduced regularly, but has yet to pass, could this be the year? The recent breaches at Target and Neiman Marcus have drawn national attention and may be the impetus needed to pass the legislation.

The Department of Defense and the General Services Administration, which together spend more than $500 billion annually on information technology, have released a joint report to the White House recommending steps to upgrade the cybersecurity requirements of acquisitions of information technology and services throughout the federal government. 

In the latest chapter in the Sony PlayStation Network (“PSN”) data breach saga, a decision that issued on January 21, 2014 permanently dismissed all but a handful of the class action claims advanced in a 51 count complaint. 

The US CAN-SPAM Act is old hat for marketers in the US. But it is time to revisit email marketing compliance programs if you send email north of the US border. Canada's anti-spam law (known as "CASL") has been debated for years but is finally coming into effect. 

As anyone with a pulse and a computer, television or carrier pigeon knows, Target Corporation (NYSE: TGT) suffered a major data breach in December – the extent of which is still being uncovered – and pegs the latest number of customers that have had their personal information stolen anywhere from 70 to 110 million. 

FTC Chairwoman Edith Ramirez just announced (press conference) that Apple, Inc. (“Apple”) has agreed to provide consumers full refunds of at least  $32.5 Million Dollars to settle the Commission’s complaint alleging that Apple billed consumers millions of dollars in charges incurred by children in purchasing items that costs money within mobile apps for kids (“children’s in-app charges”), without parental consent.

These are busy times in the data privacy/security world.
If Misery Loves Company, Target Has Friends

The Target data breach story keeps getting worse. The December pre-Christmas disclosure was the theft of up to 40 million Target shoppers' credit and debit card information in what appeared to have been a hack of the Target point-of-sale system that allowed the thieves to swipe magnetic card data as customers checked out.

As we predicted in our prior blog post reviewing the key children’s privacy developments of the past year, 2014 is turning out to be the year of enforcement of children’s privacy regulations! The first two requests for investigation under the Amended COPPA Rule have been filed with the FTC by the Center for Digital Democracy (“CDD”), a consumer rights organization.

At the end of 2013, the Federal Financial Institutions Examination Council (FFIEC) became the latest regulator to weigh in on social media and offered their final social media guidance. The proposed regulation was released last January.

The FTC has announced that it has unanimously approved the knowledge-based authentication method proposed by Imperium, LLC (“Imperium”) as a COPPA-compliant method of obtaining verifiable parental consent (“VPC”). Knowledge-based authentication has been used by entities in the financial services industry to authenticate users for several years.

After a brief hiatus for the holidays and our "12 Days of Privacy" series, we are back.
We have had a series of late year -- and new year -- data breaches in the news.  

The question is not whether a company will be the target of a data breach, but when. Verizon’s most recent Data Breach Investigation Report states that, in 2012, there were over 47,000 reported security incidents, which resulted in 621 confirmed data disclosures and at least 44 million comprised records. 

As we have discussed throughout this series, there is a whole universe of potential privacy and cyber risks not understood at a board level, and company directors must wake up to cyber threats or risk litigation from all sides.

When asked why he robbed banks, the notorious bank robber Willie Sutton apocryphally replied, “Because that’s where the money is.” No matter its provenance, Sutton’s legendary dictum guides computer hackers and class counsel alike. 

As use of social media and other technologies continue to raise serious employment-related privacy issues in the workplace, expect to see a flurry of activity in 2014 from federal and state legislatures, administrative bodies and courthouses throughout the country addressing those issues.

Last December, the FTC gave to us the long awaited (or maybe not so much by covered entities!) final amendments to the 14-year old Children’s Online Privacy Protection Act (COPPA) Rule (the “COPPA Rule,” and as amended, the “Amended COPPA Rule”).