GDPR Compliance: Common Misconceptions

The European Union’s General Data Protection Regulation (GDPR) contains layered provisions that can be difficult to apply for organizations that rely on a consumer’s consent to process their data. In an interview with Marianne Kolbasuk McGee of Bank Info Security, Elizabeth (Liz) Harding, shareholder in Polsinelli’s Technology Transactions and Data Privacy practice, discusses common misconceptions about GDPR compliance and the regulatory changes.

U.K. Information Commissioner’s Office Intends to Impose Fine on Facebook

By: Allison Trimble

The U.K. Information Commissioner’s Office announced that it intends to impose a fine of £500,000 (about $660,000), the maximum available under the U.K. Data Protection Act 1998, for Facebook’s breaches of that Act (see the ICO’s Notice of Intent). The breaches, which include both the failure to safeguard personal information and the failure to be transparent about how others harvested personal information from the platform, are tied to the Cambridge Analytica scandal, in which the personal information of up to 87 million Facebook users was improperly shared with third parties without those users’ consent.

Don’t be a Dummy – FTC Warns against Inadequate Security Controls in “Dummy” (Non-Production) Environments

By: Allison R. Trimble

The FTC recently announced a revised settlement with Uber Technologies, Inc. (“Uber”) in which the ride-sharing company has agreed to expand the proposed settlement it reached with the FTC last year over charges that Uber deceived consumers about its privacy and data security practices. 

Cyber Security Insurance: Nine Questions to Ask to Determine Your Exposure

By Kathryn T. Allen

There is an increased interest in cyber security insurance for businesses amid frequent news of computer hacking, network intrusions, data theft, and high-profile ransomware attacks. Since cyber security insurance is relatively new to the market, many companies lack a basic understanding of what their policy covers and what it may not.

2018: A Cybersecurity Preview

By Reece Clark

As the world rings in 2018, privacy experts collectively brace for a new year of information security challenges. While ransomware, denial of service attacks, and endpoint security vulnerabilities will remain top of mind in 2018, new threats and risk factors will also emerge. Likewise, traditional hacking threats are likely to be more sophisticated in 2018, with new and more powerful hacking tools in the hands of bad actors. Businesses, consumers, and governments must remain vigilant in their information security posture as they face these new and diverse cybersecurity challenges. Polsinelli on Privacy looks at four areas of information security poised to make headlines in 2018.

Guidance from the FTC says “Don’t Worry: It’s Just a Phrase"

By Rachel A. Rice

In a new enforcement policy statement, the Federal Trade Commission (“FTC”) has provided additional guidance on when verifiable parental consent must be obtained before a website operator or online service provider may receive or use voice recordings from children under 13. Under the Children’s Online Privacy Protection Act (“COPPA”), verifiable parental consent must be obtained before collecting personal information from children over the internet, and the definition of “personal information” includes audio files such as voice recordings. 16 C.F.R. § 312.2. In the new statement, however, the FTC says it will not take enforcement action (subject to the limitations described below) against parties that do not obtain parental consent when a voice recording is used “solely as a replacement of written words,” so long as the recording is (a) used only briefly for that purpose and (b) deleted immediately afterward. In doing so, the FTC distinguished voice recordings made for purposes such as verbal searches or verbal instructions to a connected device from voice recordings made for other purposes. According to the FTC, recordings made for verbal searches and verbal instructions reflect a technological evolution in which voice is beginning to replace written words in some scenarios.

Privacy Shield Updates: Positive Joint Annual Review; Mandated Arbitral Fees

By Steven A. Hengeli, Jr.

The EU-U.S. Privacy Shield has passed its first test: the first joint annual review. If your organization has been waiting for a positive review of the Privacy Shield to join, now is a good time to consider moving forward. 

The European Commission and the U.S. Department of Commerce conducted the first joint annual review of the Privacy Shield in September. The joint annual review helps ensure that the Privacy Shield remains “adequate” under EU data protection law over time. The European Commission’s published report following the review generally expresses support for the Privacy Shield—with some noted opportunities for improvement, including increased enforcement activity and efforts to raise awareness among EU residents of their Privacy Shield rights. 

WPA2 KRACK ATTACK

By Aaron M. Levine

Several news reports today sounded the alarm that the WPA2 protocol, currently the most popular method of securing Wi-Fi communications, is vulnerable to the “KRACK” attack. Despite the amusing name, this vulnerability is extremely serious. 

KRACK stands for Key Reinstallation Attack. In essence, the attack tricks a Wi-Fi client into reinstalling an encryption key that is already in use, for example by replaying message 3 of the WPA2 four-way handshake. Reinstalling the key resets the packet number (the per-frame nonce) and the replay counter associated with it, so the device encrypts new traffic with a keystream it has already used. Because WPA2’s ciphers depend on never reusing a nonce under the same key, an attacker who captures the traffic can recover plaintext from the repeated keystream and, depending on the cipher suite and the direction of the traffic, replay or forge packets, which could be used to deliver malware to a target machine.
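
The mechanism described above, as an added example that is not part of the original post and not the KRACK researchers’ code: a toy supplicant model in Python. It substitutes a SHA-256 counter-mode keystream for AES-CCM (an assumption made so the example runs with only the standard library) but keeps the WPA2 property that matters, namely that the same key and packet number always yield the same keystream. It shows that replaying handshake message 3 against a client that resets its packet number on key install lets an attacker who knows one frame’s plaintext decrypt the next frame, and that a client that refuses to reinstall an in-use key is not affected. The class names, the PTK value and the two frames are constructed for the example.

```python
import hashlib


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Counter-mode keystream: block i = SHA-256(key || nonce || i).

    Stand-in for AES-CTR (the confidentiality half of CCMP). It shares the
    property this attack relies on: same key + same nonce = same keystream.
    """
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce.to_bytes(6, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


class VulnerableClient:
    """Supplicant that accepts a retransmitted handshake message 3 and resets
    its packet number whenever it (re)installs the pairwise key."""

    def __init__(self):
        self.ptk = None
        self.pn = 0  # per-key packet number; CCMP uses it as the nonce

    def handle_msg3(self, ptk: bytes):
        self.ptk = ptk
        self.pn = 0  # reinstalling the same PTK rewinds the nonce: the KRACK bug

    def send(self, plaintext: bytes):
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.ptk, self.pn, len(plaintext)))


class PatchedClient(VulnerableClient):
    """Fix: never reinstall a key that is already in use, so the nonce keeps counting."""

    def handle_msg3(self, ptk: bytes):
        if self.ptk == ptk:
            return  # retransmitted message 3: acknowledge it, do not reinstall
        super().handle_msg3(ptk)


# Constructed sample traffic. FRAME1 is something an attacker can predict (a
# plaintext HTTP request); FRAME2 is the secret that the attack recovers.
FRAME1 = b"GET /index.html HTTP/1.1\r\nHost: intranet.example.com\r\n\r\n"
FRAME2 = b"Authorization: Bearer token-0042 (constructed)"
PTK = hashlib.sha256(b"constructed pairwise transient key").digest()[:16]


def key_reinstallation_attack(client_cls):
    """Replay message 3 between two frames. Returns FRAME2's recovered plaintext,
    or None when the nonces differ and no keystream is reused."""
    client = client_cls()
    client.handle_msg3(PTK)             # genuine message 3 from the access point
    n1, c1 = client.send(FRAME1)
    client.handle_msg3(PTK)             # attacker (in the middle) replays message 3
    n2, c2 = client.send(FRAME2)
    if n1 != n2:
        return None                     # no nonce reuse: nothing to exploit
    reused_keystream = xor(c1, FRAME1)  # known plaintext strips the keystream out of c1
    return xor(c2, reused_keystream)    # the same keystream decrypts c2


if __name__ == "__main__":
    print(key_reinstallation_attack(VulnerableClient))  # the secret frame, in the clear
    print(key_reinstallation_attack(PatchedClient))     # None
```

The decrypt-via-known-plaintext step works for any counter-mode cipher, which is why the fix belongs in the client’s key-installation logic rather than in the cipher: the patched class keeps the nonce monotonic, so the second frame is encrypted under a fresh keystream even though message 3 is accepted twice.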

The Potential of “Elastic Sensitivity” to Protect Privacy in Big Data Analytics

By Zuzana S. Ikels

Three University of California, Berkeley researchers have written a paper presenting what they describe as the first “practical approach for differential privacy” over SQL queries. Their method, “Elastic Sensitivity,” estimates an upper bound on how much any single individual’s records can change a query’s result, including for queries that join tables, and uses that bound to calibrate the random noise added to the result, so that an aggregate answer can be released from a large data set without revealing individual information.

Congressional Task Force Issues Report on Cybersecurity in the Health Care Industry

By Zuzana S. Ikels

In June 2017, the Health Care Industry Cybersecurity Task Force issued its Report on Improving Cybersecurity in the Health Care Industry.

The task force was created by Congress as part of the Cybersecurity Act of 2015 and comprises subject matter experts from the public and private sectors who evaluated the cybersecurity threats, the security of IT systems, and the regulations and laws that apply to the health care industry. In the Report, the task force discusses the transition from paper to electronic health records (“EHR”) and tailors its recommendations to encourage efficiencies, research and information sharing while responding to the growing threat of cybersecurity breaches to health care providers’ technical infrastructure.

Privacy Policies Expose Companies to Law Suits: Bose Hit by a Class-Action Law Suit

By Jarno J. Vanto, Amanda J. Katzenstein, and Jean Marie R. Pechette

Bose has been hit with a class-action lawsuit accusing the company of essentially spying on its wireless headphone customers by secretly collecting and transmitting users’ music and other audio selections to third parties without disclosure or user consent.

Swiss-U.S. Privacy Shield Opens for Self-Certifications

By Amanda J. Katzenstein

On April 12, 2017, the Department of Commerce will begin accepting self-certifications to the Swiss-U.S. Privacy Shield. The Swiss-U.S. Privacy Shield was approved to be an adequate legal mechanism for compliance with Swiss requirements to transfer personal data from Switzerland to the United States after the Swiss-U.S. Safe Harbor was declared invalid following the Schrems decision on October 6, 2015. 

Senate Votes to Repeal FCC Privacy Rule Governing ISP Providers

By Zuzana S. Ikels

In a vote of 50 to 48, along party lines, the Senate voted to overturn the privacy rules governing ISPs that the Federal Communications Commission (FCC) issued in October 2016. The FCC Privacy Rules required ISPs and broadband providers to obtain an individual’s consent and authorization, through an “opt-in” mechanism, before the provider could collect, use, share or sell the customer’s information to third-party marketers and companies. The rules also included data security and data breach notification recommendations and requirements, and they prohibited ISPs from offering “take-it-or-leave-it” broadband service conditioned on the customer’s pre-authorization.

New Guidance This Week from FTC on Best Practices Against Phishing

By Zuzana S. Ikels

On March 6, 2017, the Federal Trade Commission (FTC) issued new guidance for businesses on how to deter phishing attacks and reduce their risk. The recommendations should be shared and discussed with your company’s Information Technology (IT) department to confirm that the email servers and systems have the requisite safeguards in place. Compliance with these standards reduces risk and is one way of showing that the company is making a prudent and reasonable effort to protect personal information.

‘Tis The Season…For Dangerous W-2 Phishing Scams

By Daniel L. Farris

For each of the last few years, February and March have seen a sharp increase in the frequency and volume of W-2-related phishing scams. According to a recent IRS Notice, 2017 is no different, except perhaps that the threat is evolving.  

Traditionally, the W-2 scam works like this: 

Cyber criminals use social engineering to identify key Human Resources (HR) and/or accounting personnel within a company. Targeting those employees, the criminals send emails with a “spoofed” sender address. The emails appear to come from the company’s CEO or another executive, and they generally claim that the CEO urgently needs Form W-2s for all employees ahead of a meeting with the IRS. Unsuspecting mid-level HR and accounting personnel forward the W-2s and inadvertently cause a data breach.
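
The email safeguards the FTC guidance refers to and the spoofed-sender pattern described above, as an added example that is not from either original post and not from the FTC: a small mail-gateway check in Python that reads the receiving server’s Authentication-Results header (the SPF, DKIM and DMARC verdicts) together with the From and Reply-To headers, and flags a W-2 request that arrives with a failed-DMARC internal address, an executive’s display name on an outside mailbox, or a redirected Reply-To. The company domain, the executive directory and the three sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the organisation's own mail domain and a
# directory of executives whose names are likely to be impersonated.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> genuine address
W2_TERMS = ("w-2", "w2", "payroll", "wage and tax statement")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts stamped by the receiving MTA,
    e.g. {'spf': 'fail', 'dkim': 'none', 'dmarc': 'fail'}."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for mechanism, verdict in AUTH_RE.findall(header):
            verdicts[mechanism.lower()] = verdict.lower()
    return verdicts


def domain_of(address):
    return address.rpartition("@")[2].lower()


def body_text(msg):
    if msg.is_multipart():
        return " ".join(p.get_payload() for p in msg.walk()
                        if p.get_content_type() == "text/plain")
    return msg.get_payload()


def phishing_indicators(raw_message):
    """Return the list of indicators found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)
    found = []
    # 1. A message claiming our own domain must pass DMARC; a fail (or no
    #    verdict at all) is the classic spoofed-sender W-2 scam.
    if sender_domain == COMPANY_DOMAIN and auth_results(msg).get("dmarc") != "pass":
        found.append("internal sender address without DMARC pass")
    # 2. An executive's display name on an address that is not theirs. Free-mail
    #    lookalikes pass SPF/DKIM/DMARC for the attacker's own domain, so
    #    authentication alone does not catch them.
    genuine = EXECUTIVES.get(display_name.strip().lower())
    if genuine and sender.lower() != genuine:
        found.append("executive display name on a foreign address")
    # 3. Replies silently redirected elsewhere.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_domain:
        found.append("Reply-To domain differs from From domain")
    # 4. The ask itself.
    text = (msg.get("Subject", "") + " " + body_text(msg)).lower()
    if any(term in text for term in W2_TERMS):
        found.append("requests W-2/payroll data")
    return found


def is_w2_phish(raw_message):
    """Flag only when the W-2 ask is paired with at least one identity indicator,
    so a genuine payroll notice is not quarantined on keywords alone."""
    found = phishing_indicators(raw_message)
    return "requests W-2/payroll data" in found and len(found) >= 2


# Constructed sample messages, with headers as a receiving MTA would stamp them.
SPOOFED_CEO = """From: Jane Doe <jane.doe@example.com>
To: payroll@example.com
Subject: Urgent - W-2s for all employees before my IRS meeting
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com

Please send every employee's W-2 as one PDF today. I'm in meetings, don't call.
"""
LOOKALIKE_CEO = """From: Jane Doe <jane.doe.ceo@gmail.com>
Reply-To: jane.doe.ceo@outlook.com
To: payroll@example.com
Subject: Quick request
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass header.d=gmail.com; dmarc=pass header.from=gmail.com

I need the W2 and payroll summary for all staff, reply to this address.
"""
GENUINE_NOTICE = """From: Payroll Vendor <notices@payroll-vendor.invalid>
To: payroll@example.com
Subject: W-2 forms are now available in the portal
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=payroll-vendor.invalid; dkim=pass header.d=payroll-vendor.invalid; dmarc=pass header.from=payroll-vendor.invalid

Employees can download their W-2 from the portal. No action is needed.
"""

if __name__ == "__main__":
    for name, sample in [("spoofed", SPOOFED_CEO), ("lookalike", LOOKALIKE_CEO), ("genuine", GENUINE_NOTICE)]:
        print(name, is_w2_phish(sample), phishing_indicators(sample))
```

The check only trusts the Authentication-Results header because the organisation’s own gateway added it; on a system where upstream relays can inject that header, strip any copy not written by your own MTA first. Publishing SPF and DKIM records and a DMARC policy for the company domain is what makes indicator 1 meaningful, since without a DMARC record the receiving side has nothing to evaluate.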

Big Law, Big Data, Big Problem

By Kathryn T. Allen

The Year of the Breach: 2016 was the year that law firm data breaches landed and stayed squarely in both the national and international headlines. There have been numerous law firm data breaches, ranging from lost or stolen laptops and other portable media to deep intrusions exposing everything on the firm’s network. In March, the FBI warned that a cybercrime insider-trading scheme was targeting international law firms to obtain non-public information for financial gain. In April, perhaps the largest data breach by volume of all time hit the Panamanian law firm Mossack Fonseca: millions of documents and terabytes of leaked data aired the (dirty) laundry of dozens of companies, celebrities and global leaders. Finally, Chicago law firm Johnson & Bell Ltd. was in the news in December when a proposed class action accusing it of failing to protect client data was unsealed.

Yahoo Announces Second Data Breach in Four Months

By Joseph D. McClendon
 
Yahoo, fresh off its September 2016 announcement of a 2014 cyber attack that breached 500 million user accounts, announced on December 14 that there is evidence of a second data breach affecting twice as many user accounts as the 2014 breach.
 
The beleaguered search engine company disclosed that an internal investigation uncovered a second data breach dating back to 2013, in which cyber criminals stole an estimated 1 billion user names, email addresses, telephone numbers, and dates of birth. The criminals also stole hashed passwords as well as security questions and answers, some of which may not have been encrypted. Yahoo has not offered any information on why some account recovery questions and answers were encrypted while others were not. The company does not believe financial data was stolen in the breach.

Recent Studies Show Increasing Need For Employee Training in Data Security

By: Mary Kathryn Curry

Two recent studies show an increasing need for companies to better train their employees in data security to prevent data and monetary loss. On September 7, 2016, Wells Fargo Insurance released a study on cyber security showing some interesting trends in companies with $100 million or more in annual revenue. The second-annual study questioned 100 decision makers on issues of data, hackers, network vulnerabilities, and other cyber security matters. The study showed that companies were nearly twice as concerned with losing private data as they were with being hacked or having some other security breach disrupt their system. 

President Barack Obama Institutes New Policy Responding To Cyber Incidents

By D. Rockwell Bower

President Barack Obama issued a new Presidential Policy Directive on Tuesday, July 26, 2016, outlining the federal government’s response to future cyber attacks in both the public and private sectors. Lisa Monaco, Assistant to the President for Homeland Security and Counterterrorism, announced the new directive, which sets forth “principles governing the Federal Government’s response to any cyber incident, whether involving government or private sector entities.”