Privacy & Cybersecurity

Last week in Washington, D.C., this author had the opportunity to sit in on a panel discussion by the SEC’s Division of Corporation Finance (“CorpFin”) discussing, among other things, recent developments in cybersecurity disclosure in public company filings.

Earlier this month, we reported on the privacy case against craft giant Michaels Stores (see our blog post here, as well as our client alert here) in which the plaintiff alleged that Michaels illegally collected zip codes during credit card transactions.

Damages issues continue to bedevil would-be data breach class action plaintiffs. A long and growing line of cases holds that consumers cannot maintain claims arising from theft of their personal or financial data without alleging that the theft resulted in financial injury.

After rounds of comments and public workshops, the FTC has finally released an update to its digital advertising disclosure guidelines. The FTC first released guidance on digital advertising in 2000 and last May the FTC requested comments on how the guidelines could be updated.

Yesterday, the Massachusetts Supreme Judicial Court (“SJC”) ruled that zip codes constitute “personal identification information” under G.L. c. 93. The question of law came to the SJC from the U.S. District Court for Massachusetts stemming from Tyler vs. Michaels Store, Inc, which was dismissed in January.

Security and privacy are the most frequently expressed concerns about cloud computing (defined for this article to include software as a service, platform as a service and storage as a service), but for companies that engage in research, design, development, manufacturing and servicing of items that are subject to U.S. export controls, cloud computing poses another risk that must be properly managed to avoid the substantial penalties that flow from unlicensed exports of technical data.

In a case about exposing user data, Apple suffered a setback due to its concealment of information in litigation. Last week, in the multi-district litigation, In Re iPhone Application Litigation, Judge Lucy Koh of the Northern District of California denied Apple’s motion for summary judgment in a putative class action by iPhone and iPad owners who allege that Apple enabled violations of their privacy rights through “apps.”

It seems that some of the nation’s largest public company banks must be avid readers of this blog and have taken to heart our 2013 prediction that the SEC would require greater disclosure related to data security risks and breaches. 

Perhaps we are being cynical, but if we imagine the current conversation between consumers and the makers of mobile payment applications, it would be something along the lines of:

There is much going on at the Federal Trade Commission (FTC)  these days, particularly in the privacy arena. In addition to the settlements discussed below, today the White House confirmed that President Obama will nominate Edith Ramirez as Chair of the FTC, replacing outgoing Chairman Jon Leibowitz.

As we have reported in this blog, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently released final regulations containing modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules (Omnibus Rule).

Our colleagues in our Washington, DC office have prepared a detailed summary of the President's Cybersecurity Executive Order.

If you haven't yet caught up with the new HIPAA Omnibus Rule and its consequences for those businesses who are not themselves healthcare providers, but are service providers to healthcare entities (and even further downstream than that....), you can take a listen to our recent webinar highlighting the most important changes and issues.

Mintz is presenting a webinar on January 30, 2013 to discuss the impact of the HIPAA Omnibus Rule - the first, sweeping overhaul of the HIPAA privacy and security rules in a decade.

The Department of Health and Human Services, Office for Civil Rights (OCR) has posted on its website sample business associate agreement provisions to help covered entities and business associates comply with the new business associate agreement requirements under the final HIPAA Omnibus Rule.

Something everyone can do for Data Privacy Day:  make it a point to change at least one password and make it "long and strong."

Time for some tips to keep your company (and your employees) safe online --

US marketers who have been paying attention to anti-spam developments north of the border are concerned about proposed new Canadian regulations. If you have not been paying attention, it's probably time that you did. We have a guest post today discussing the progress of those regulations.

As we pore through the 562-page HITECH Omnibus Rule released by the Department of Health and Services late yesterday afternoon.

We posted this alert back in March, and now California Attorney General Kamala Harris has released a recommended set of privacy best practices for app developers and advertising networks entitled "Privacy on the Go: Recommendations for the Mobile Ecosystem."