Privacy & Cybersecurity

Much has been written, in this space and elsewhere, on the concept of "reasonable security" -- what constitutes "reasonable security," how much security is "reasonable," etc.  

How true........

Today's Washington Post includes a front page article that should serve as a warning to any employer about increasingly sophisticated social engineering attacks that exploit one key vulnerability that is essentially immune to technical solutions: their employees. 

This week, Apple shareholders requested that its Board of Directors publish a report explaining how the board oversees privacy and data security risks. The proposal was prompted by concern that recent issues such as the unauthorized access to iPhone users’ address books and the release of one million Unique Device IDs could place the company’s growth opportunities at risk.

As the old saying goes, "no good deed goes unpunished...." The most recent, published Office for Civil Rights (OCR) HIPAA enforcement action serves as an important reminder that self-reported breaches can and do lead to investigations and enforcement.

Senator John D. Rockefeller IV (D., W.Va.) recently sent a letter to the CEOs of all Fortune 500 companies asking the companies for more information about their cybersecurity practices. 

A new rule proposed for federal government contractors will require that all federal contracts over $100,000 (including contracts for commercial items and those to small businesses) will have to include a clause requiring the contractor to implement  basic data security protections for any non-public data provided to the contractor by the federal government or generated by the contractor for the government. 

Mobile app developers have some unique challenges when it comes to preparation and implementation of privacy policies. But, regulators have made it quite clear that the general privacy laws and regulations apply whether the application is online or mobile. 

Wyndham Hotel & Resorts LLC (“Wyndham”) has filed a Motion to Dismiss the Federal Trade Commission’s (the “FTC”) Complaint against it, which alleges that Wyndham committed unfair and deceptive acts related to three data security breaches that Wyndham has suffered since 2008.

Lorene Schaefer, a mediator, arbitrator and workplace investigator, has reported on the One Mediation blog that by a letter of August 3, 2012 the Buffalo, New York office of the EEOC notified an employer that the employer’s written policy warning employees who participate in an investigation not to discuss the matter and providing that employees who do so may be subject to discipline including termination of employment may be a “flagrant violation” of Title VII and itself an adverse employment action.

The FTC has finally released details of their settlement with Google, including the hefty price tag of $22.5 million, the highest fine ever slapped on a violator of an FTC consent order. The Internet giant was charged with breaking the terms of the consent order they entered into last year by misrepresenting how users could opt out of having certain cookies dropped on their browser.

CNN reports that the Cybersecurity Act of 2012 (SB 3414) has failed to pass the US Senate. A cloture vote failed by a vote of 42-46, mostly along party lines.

A recently-filed class action lawsuit asserts claims against the Winn-Dixie supermarket chain and a third-party vendor, Purchasing Power, LLC, in connection with the alleged theft of employee data provided to Purchasing Power in order to administer a discount purchasing program offered to Winn-Dixie employees. 

In a move signaling increased enforcement of the state’s data privacy and security regulations, California’s Attorney General Kamala D. Harris has announced the creation of the Privacy Enforcement and Protection Unit.  

Small business owners have new hope that they may be on the same footing as individuals when it comes to cybertheft from their bank accounts.

The pre-conference workshops at the Data Protection & Privacy Law Compliance Conference have begun! The first workshop covered managing the risk of third party vendors. An important element of ensuring the security and privacy of your vendors is finding out what vendors your vendors are using. 

North American marketers take note: Canada is set to finalize one of the toughest anti-spam laws in the world. Canada had fallen behind when it came to introducing anti-spam legislation, but it is now making up for lost time.

The Federal Trade Commission (FTC) has announced that it has filed suit in U.S. District Court in Phoenix against Wyndham Worldwide Corporation and three of its subsidiaries. The lawsuit cites "alleged data security failures that led to three data breaches at Wyndham hotels in less than two years."  

We have been following proposed legislation to modify the Connecticut data breach notification law as it worked its way (unsuccessfully) through the 2012 General Session of the legislature.

Nearly as predictable as the sun coming up in the morning, the recent theft of 6.5 million LinkedIn user passwords has resulted in the filing of a class action lawsuit in a California federal court.