FTC Settles Privacy Shield Misrepresentation Claims

By: Jarno Vanto and Allison Trimble

What’s Happening?

The Federal Trade Commission recently entered into settlement agreements with four companies regarding claims that the companies misrepresented their compliance with the EU-U.S. Privacy Shield Framework.  Each company indicated on its website that it actively participated in the EU-U.S. Privacy Shield. 

U.K. Information Commissioner’s Office Intends to Impose Fine on Facebook

By: Allison Trimble

The U.K. Information Commissioner’s Office announced it will impose the maximum fine of $660,000 for Facebook’s breach of the U.K. Data Protection Act (see Notice of Intent).  The breach, which includes both the failure to safeguard personal information and the failure to provide transparency as to how personal information was harvested by others, is tied to the Cambridge Analytica scandal in which the personal information of 87 million Facebook users was improperly shared with third parties without such users’ consent. 

2018: A Cybersecurity Preview

By Reece Clark

As the world rings in 2018, privacy experts collectively brace for a new year of information security challenges. While ransomware, denial of service attacks, and endpoint security vulnerabilities will remain top of mind in 2018, new threats and risk factors will also emerge. Likewise, traditional hacking threats are likely to be more sophisticated in 2018, with new and more powerful hacking tools in the hands of bad actors. Businesses, consumers, and governments must remain vigilant in their information security posture as they face these new and diverse cybersecurity challenges. Polsinelli on Privacy looks at four areas of information security poised to make headlines in 2018.

Congressional Task Force Issues Report on Cybersecurity in the Health Care Industry

By Zuzaka S. Ikels

In June 2017, the Health Care Industry Cybersecurity Task Force issued its Report on Improving Cybersecurity in the Health Care Industry. To view the report, click here.

The task force was created by Congress as part of the Cybersecurity Act of 2015 and is composed of subject-matter experts from the public and private sectors who evaluated the cybersecurity threats, the security of IT systems, and the regulations and laws that relate to the health care industry. In the Report, the task force discusses the evolution and transition from paper to electronic health records (“EHR”), and tailors its recommendations to encourage opportunities for efficiencies, research, and sharing of information, while responding to the increasing threat of cybersecurity breaches to health care providers’ technical infrastructure.

Largest Electoral Data Breach Exposes Personal Data of Nearly 200 Million U.S. Citizens

By: Amanda J. Katzenstein

In what is being described as the largest breach of U.S. electoral data, personal data relating to almost 200 million U.S. citizens was accidentally exposed by a Republican National Committee vendor. According to BBC, the 1.1 terabytes of data exposed “includes birthdates, home addresses, telephone numbers and political views of nearly 62% of the entire US population.” 

Massive Global Ransomware Attack

By JJ Bollozos

A cybersecurity attack of global proportions...

As of this afternoon, cybersecurity company Avast reported a ransomware attack, known as WanaCrypt0r 2.0, has been detected over 57,000 times across 99 countries. Of note, the attack has allegedly infected a large telecommunications company in Spain, hospitals across England, and a shipping company based in the U.S., as well as other companies throughout the world. According to the New York Times, the ransomware was included in a compressed file sent via email that would infect a victim’s device once it was opened. 

1 Million Google Users Hit with Fake Google Docs Phishing Attack

By Joseph D. McClendon

A new phishing attack is making the rounds through email, this time using a fake Google Docs app to trick you into granting permissions to your real Google account. The attack starts by sending you an invitation to view a document in what appears to be Google Docs. Clicking on the link takes you to a fake Google login screen, which logs you into a third party web app that’s been named “Google Docs.” Next, you are instructed to give permissions to the web app to access your email and contacts list. Once the malicious web app has access to your account, the attack spreads by sending more phishing emails from “you” to your contact list. 

$2.5M HIPAA Settlement against CardioNet is the First Involving a Wireless Health Services Provider

By Jean Marie R. Pechette

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced on April 24, 2017, a $2.5 Million settlement under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), with CardioNet, Inc., based on its alleged impermissible disclosure of unsecured electronic protected health information (ePHI). CardioNet provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias.  

Privacy Policies Expose Companies to Law Suits: Bose Hit by a Class-Action Law Suit

By Jarno J. Vanto, Amanda J. Katzenstein, and Jean Marie R. Pechette

Bose has been slapped with a class-action lawsuit accusing the company of essentially spying on its wireless headphone customers by secretly collecting and transmitting users’ private music and other audio selections to third parties without disclosure or user consent.

‘Tis The Season…For Dangerous W-2 Phishing Scams

By Daniel L. Farris

For each of the last few years, February and March have seen a sharp increase in the frequency and volume of W-2-related phishing scams. According to a recent IRS Notice, 2017 is no different, except perhaps that the threat is evolving.  

Traditionally, the W-2 scam works like this: 

Cyber criminals use social engineering to identify certain key Human Resources (HR) and/or accounting personnel within a company. Targeting those HR and/or accounting employees, the cyber criminals send emails with a “spoofed” sender address. The emails appear to come from the company’s CEO or other executive, and they generally claim that the CEO has an urgent need for Form W-2s for all employees in advance of a meeting the CEO has with the IRS.  Unsuspecting mid-level HR and accounting personnel send on the W-2s, and inadvertently cause a data breach. 

Yahoo Announces Second Data Breach in Four Months

By Joseph D. McClendon
 
Yahoo, fresh off its September 2016 announcement of a 2014 cyber attack that breached 500 million user accounts, announced on December 14 that there is evidence of a second data breach, one that affects twice as many user accounts as the initial 2014 breach.
 
The beleaguered search engine company disclosed that an internal investigation has uncovered a second data breach dating back to 2013, in which cyber criminals were able to steal an estimated 1 billion end-user names, email addresses, telephone numbers, and dates of birth. The cyber criminals also stole hashed passwords as well as security questions and answers, some of which may not have been encrypted. Yahoo has not offered any information on why some account recovery questions and answers were encrypted while others were not. The company does not believe financial data was stolen in the breach.

Recent Attack Demonstrates IoT Risks in Household Items

By Amanda J. Katzenstein

On October 21, 2016, hackers carried out a massive Denial of Service cyber attack that rendered some of the most popular websites in the country inaccessible to much of the East Coast. Unlike past DoS attacks, this latest attack was undertaken by infecting millions of internet-connected devices with malware, causing new concerns about the ever-growing Internet of Things.

Yahoo Discloses Massive Data Breach

By Joseph D. McClendon

Yahoo, the American technology company most famous for its use of a web portal to organize categories of websites and its contributions to early Internet search engine technology, announced today that at least 500 million user accounts were breached in a 2014 cyber attack. Data stolen by what Yahoo believes are state-sponsored actors include names, email addresses, telephone numbers, dates of birth, and hashed passwords. Breached data may also include account security questions and answers; however, whether or not that data was encrypted appears to vary on an account-by-account basis. Yahoo was quick to note that its investigation into the data breach has not shown that the stolen data includes unhashed passwords or credit card or bank account information. This may be the largest data breach publicly disclosed, and it comes on the heels of the $4.8 billion Verizon acquisition of Yahoo. Yahoo shares fell after the announcement, but analysts have noted that the acquisition is unlikely to be affected by the news.

President Barack Obama Institutes New Policy Responding To Cyber Incidents

By D. Rockwell Bower

President Barack Obama established a new Presidential Policy Directive on Tuesday, July 26, 2016 outlining the federal government’s response to future cyber attacks in both the public and private sector. Lisa Monaco, Homeland Security Advisor to President Obama for Homeland Security and Counter Terrorism, announced the new directive setting forth “principles governing the Federal Government’s response to any cyber incident, whether involving government or private sector entities.”

UK Parliamentary Committee Recommends Penalizing CEOs for Cyber Breach

By Daniel L. Farris

The effects of last year’s data breach at UK telecom TalkTalk may reach further than the one million customers whose data was compromised. The UK Parliament's Culture, Media and Sport Committee – which opened an inquiry into the circumstances surrounding the breach last November – made recommendations Monday to significantly enhance penalties for both companies and chief executives who fail to prepare for, timely report, or learn from data breaches, including tying CEO compensation to the effectiveness of their companies’ cybersecurity programs.

Giving Customers Control: FCC Confronts Internet Service Providers with Privacy Rules

By Nicole A. Poulos

The Federal Communications Commission (“FCC”) voted yesterday to propose new privacy rules for broadband Internet Service Providers (“ISPs”) a mere three weeks after Chairman Tom Wheeler proposed them.  The proposed privacy rules, which are intended to give customers more control over their personal data, will now be released for public comment.  Currently, no enforceable privacy rules exist for broadband networks.

Adoption of the Proposed Rulemaking did not go without a fight, as the final vote was a 3-2 split.  Opponents to the rules argued that the regulations only target ISPs, and fail to reach social networks and other online services.  Proponents of the proposed rules argued that ISPs can collect and piece together a wealth of information on customers, including private information.

The Rising Threat of Ransomware

By Maggie M. Arcaro

Targeted cyber “hold ups” are on the rise. Last week, Hollywood Presbyterian Medical Center in Los Angeles made headlines after choosing to make a ransom payment to end a ten-day lockdown of their computer system, including their electronic medical records system. A group of cyber attackers used ransomware, a type of malware that takes a computer system hostage by blocking access to the system until a ransom demand is paid, to force Hollywood Presbyterian to make the ransom payment. Some forms of ransomware also display an official-looking legal warning across your screen, claiming you’ve committed a crime and demanding you make a certain payment to avoid legal prosecution or jail.   

Tax Benefit for Early Cybersecurity Protections

By Mary Kathryn Curry

In August 2015, the Internal Revenue Service announced (IRS Announcement 2015-22) that credit monitoring and other identity protection services provided by employers to employees following a data breach are not taxable.  In response to comments, the IRS has now expanded that decision to include identity protection services offered before a breach occurs.

Potential Changes to Disclosure Requirements for Publicly Traded Companies

By Christopher L.E. Hines

The U.S. Senate recently proposed a bill that would require publicly owned companies to be more forthcoming with respect to data breaches and cybersecurity vulnerabilities.  For example, publicly owned companies would have to disclose, through U.S. Securities and Exchange Commission investor filings, whether any member of the company's board of directors is a cybersecurity expert.

Target to Pay Nearly $40 Million to Settle with Banks over Data Breach; Total Costs Reach $290 Million

By Daniel L. Farris

A settlement filed Wednesday provides that Target Corp. will pay $39.4 million to the banks and credit unions who brought class action claims against the retailer for alleged losses the financial institutions suffered as a result of Target’s 2013 data breach. The breach, which impacted as many as 110 million individuals, compromised as many as 40 million credit cards. 
