On March 6, 2017, the Federal Trade Commission (FTC) issued new guidelines for businesses as to how to deter and reduce the risk of phishing attacks. The recommendations should be shared and discussed with your company’s Information Technology (IT) department to make sure that the email servers and systems have the requisite safeguards. Compliance with these standards will reduce risk and is one way of showing that the company is making a prudent and reasonable effort to protect personal information.
Polsinelli on Privacy | Privacy and Data Security Blog
In an increasingly competitive environment, effectively leveraging technology can be the difference between success and failure for companies in all sectors of the economy. Protecting your data and securing employee/end user privacy – this is the goal of Polsinelli’s Privacy and Data Security practice and it’s what keeps us up at night. We offer compliance and security counseling, transactional support, data breach rapid response, and breach litigation and counseling. 19 offices; 800+ attorneys.
For each of the last few years, February and March have seen a sharp increase in the frequency and volume of W-2-related phishing scams. According to a recent IRS Notice, 2017 is no different, except perhaps that the threat is evolving.
Traditionally, the W-2 scam works like this:
Cyber criminals use social engineering to identify certain key Human Resources (HR) and/or accounting personnel within a company. Targeting those HR and/or accounting employees, the cyber criminals send emails with a “spoofed” sender address. The emails appear to come from the company’s CEO or other executive, and they generally claim that the CEO has an urgent need for Form W-2s for all employees in advance of a meeting the CEO has with the IRS. Unsuspecting mid-level HR and accounting personnel send the W-2s, and inadvertently cause a data breach.
A leadership change at the Federal Trade Commission (FTC) may spell relief for U.S. businesses grappling with the agency’s enforcement measures amidst an increasingly dangerous cybersecurity landscape. On January 25, 2017, President Donald Trump named Maureen Ohlhausen (currently a commissioner of the FTC) as acting chairman of the FTC. Ohlhausen has served at the agency in various capacities for more than a decade, and is now the lone Republican remaining on what will soon be a two-member commission, after former Chair Edith Ramirez’s announced resignation. When Ramirez leaves the agency on February 10th, only Ohlhausen and Commissioner Terrell McSweeney (Democrat) will remain at the helm, with three vacant commissioner seats for President Trump to fill.
President Trump signed an Executive Order last week that potentially puts the six-month-old Privacy Shield in jeopardy. While mostly aimed at immigration and border patrol, the Executive Order entitled “Enhancing Public Safety in the Interior of the United States” also includes a provision aimed at eliminating privacy protection for foreigners. Section 14 of the Executive Order reads:
"Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information."
By specifically excluding non-U.S. citizens or residents from the protections of the Privacy Act, the U.S. safeguards provided by the Privacy Shield regarding the adequacy of protection of the personally identifiable information of EU citizens could be destroyed, leading to the invalidation of the Privacy Shield Agreement outright.
Few issues keep executives awake at night more than Privacy and Data Security. New regulations and threats alike are plentiful, varied, and evolving. The rate of change for cybersecurity and information governance continues to increase, while corporate budgets to address them remain stretched.
As your organization prepares for 2017, data security, privacy compliance, and new technological threats are sure to be on your list of priorities. This guide highlights some key Privacy and Data Security trends and expectations for the new year. Organizations that are well prepared to address the issues highlighted in this guide will be better positioned to mitigate risk and strengthen compliance efforts.
As the May 2018 effective date of the General Data Protection Regulation (GDPR) looms, U.S. companies have had to expand their investment in implementing measures to ensure compliance with the GDPR. According to a recent PwC Pulse Survey, 92% of respondents considered GDPR a “top priority” in 2017, with 77% of companies planning to allocate more than $1 million, and 68% saying their budget falls between $1 million and $10 million.
The United States and Switzerland finalized a new “Privacy Shield” Agreement on Wednesday that mirrors the existing U.S.-E.U. Privacy Shield framework. The new deal will allow multinationals to continue to transfer data between the U.S. and Switzerland while complying with Swiss data protection requirements.
The new deal replaces the existing U.S.-Swiss Safe Harbor Agreement, the validity of which has been in question since the Schrems decision was issued in October of 2015. Companies that have maintained their Swiss Safe Harbor certification may begin certifying under the new U.S.-Swiss Privacy Shield framework on April 12th. The 90-day delay is intended to provide companies with time to review the new Swiss principles and the commitments they entail.
The Year of the Breach: 2016 was the year that law firm data breaches landed and stayed squarely in both the national and international headlines. There have been numerous law firm data breaches involving incidents ranging from lost or stolen laptops and other portable media to deep intrusions exposing everything in the law firm’s network. In March, the FBI issued a warning that a cybercrime insider-trading scheme was targeting international law firms to gain non-public information to be used for financial gain. In April, perhaps the largest-volume data breach of all time involved law firm Mossack Fonseca in Panama. Millions of documents and terabytes of leaked data aired the (dirty) laundry of dozens of companies, celebrities and global leaders. Finally, Chicago law firm Johnson & Bell Ltd. was in the news in December when a proposed class action accusing it of failing to protect client data was unsealed.
By Joseph D. McClendon
Yahoo, fresh off its September 2016 announcement of a 2014 cyber attack that breached 500 million user accounts, announced on December 14 that there is evidence of a second data breach, which affects twice as many user accounts as the initial 2014 breach.
The beleaguered search engine company disclosed that an internal investigation has uncovered a second data breach dating back to 2013, where cyber criminals were able to steal an estimated 1 billion end user names, email addresses, telephone numbers, and dates of birth. The cyber criminals also stole hashed passwords as well as security questions and answers, some of which may have not been encrypted. Yahoo has not offered any information on why some account recovery questions and answers were encrypted, while others were not. The company does not believe financial data was stolen in the breach.
The Federal Trade Commission (FTC) and U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) issued new guidance last month for organizations that handle consumer health information (Joint Guidance). This is one of several joint-agency guidance documents issued this year in a collaboration effort by HHS and FTC, including best practices for mobile health app developers and a mobile health apps interactive tool.
On October 21, 2016, hackers carried out a massive Denial of Service cyberattack that rendered some of the most popular websites in the country inaccessible to much of the East Coast. Unlike past DoS attacks, this latest attack was undertaken by infecting millions of internet-connected devices with malware, causing new concerns about the ever-growing Internet of Things.
In the past year, the Department of Health and Human Services, Office for Civil Rights (OCR) has issued a number of guidance documents* to clarify its interpretation of key requirements set forth in the HIPAA Privacy and Security Rules (45 C.F.R. Part 160, 162, and 164) (collectively, the HIPAA Rules). Its latest guidance clarifies OCR’s position on cloud service providers (CSPs) as business associates (the Cloud Guidance), and the related requirements under the HIPAA Rules through a series of FAQs. Importantly, the Cloud Guidance applies to all CSPs equally, regardless of the level of functionality or services provided (e.g., the provision of an electronic medical record system on the cloud, versus limited application hosting).
OCR kicked off the Cloud Guidance by clarifying its position on an issue that Covered Entities and CSPs have continued to debate for quite some time: whether a CSP is a business associate if the Protected Health Information (PHI) that is stored in its cloud is encrypted and the CSP does not possess the encryption key.
More than 700 companies have self-certified to comply with the Privacy Shield in the two months since the Department of Commerce began accepting submissions. The number of applications is expected to rise as the September 30, 2016 deadline for a special grace period looms, and the pace is expected to slow after October 1, 2016 because the compliance obligations increase after the deadline.
Yahoo, the American technology company most famous for its use of a web portal to organize categories of websites and its contributions to early Internet search engine technology, announced today that at least 500 million user accounts were breached in a 2014 cyber attack. Data stolen by what Yahoo believes are state-sponsored actors includes names, email addresses, telephone numbers, dates of birth, and hashed passwords. Breached data may also include account security questions and answers; whether or not that data was encrypted appears to vary on an account-by-account basis. Yahoo was quick to note that its investigation into the data breach has not shown that the stolen data includes unhashed passwords or credit card or bank account information. This breach may be the largest data breach publicly disclosed, and it comes on the heels of the $4.8 billion Verizon acquisition of Yahoo. Yahoo shares fell after the announcement, but analysts have noted that the acquisition is unlikely to be affected by the news.
Two recent studies show an increasing need for companies to better train their employees in data security to prevent data and monetary loss. On September 7, 2016, Wells Fargo Insurance released a study on cyber security showing some interesting trends in companies with $100 million or more in annual revenue. The second-annual study questioned 100 decision makers on issues of data, hackers, network vulnerabilities, and other cyber security matters. The study showed that companies were nearly twice as concerned with losing private data as they were with being hacked or having some other security breach disrupt their system.
The rise in popularity of apps and services that use location data (technology that pinpoints a consumer’s location automatically), like the smash-hit Pokémon Go, has EU privacy regulators calling on companies to ‘mind the gap.’ The much-anticipated General Data Protection Regulation (the “GDPR”), as well as other EU privacy laws, aims to tighten up the rules for obtaining consent from consumers about what data they are sharing and to restrict how companies can use the data they are mining from consumers. There has been much speculation about how these new regulations, not directives, coupled with a much higher potential for fines, will impact U.S. companies that operate or plan to operate in the EU. Those using location data in apps and for passive tracking should pay close attention to EU regulators as GDPR implementation draws near.
President Barack Obama established a new Presidential Policy Directive on Tuesday, July 26, 2016 outlining the federal government’s response to future cyber attacks in both the public and private sector. Lisa Monaco, Homeland Security Advisor to President Obama for Homeland Security and Counter Terrorism, announced the new directive setting forth “principles governing the Federal Government’s response to any cyber incident, whether involving government or private sector entities.”
For thousands of U.S. companies left in limbo after the invalidation of Safe Harbor last year, relief has finally arrived. The European Commission (“EC”) formally approved and adopted the new trans-Atlantic Privacy Shield data transfer pact on Tuesday, opening the door for new certification and EU-US data transfers.
Despite the fact that Business Associates have been directly subject to and liable under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (HIPAA) since February 18, 2010 (the effective date of the relevant provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act), the Department of Health & Human Services, Office for Civil Rights (OCR), announced last Thursday, June 30, 2016, that it has entered into its first resolution agreement with a HIPAA Business Associate.
As markets tumble and many business leaders try to predict what the Brexit may mean for their organizations, privacy officers should remember the neo-classic British refrain: Keep Calm and Carry On.
There may be turmoil, confusion, new regulations, and new compliance regimes ahead, but it will likely take years for the UK to untangle itself from the European Union, and even then the UK may well remain within the European Economic Area. For US companies with transatlantic operations, the best course is to continue a measured but deliberate approach towards eventual GDPR compliance.