Part III: Has Congress Spoken and Does It Really Matter? The Wyndham Worldwide Case and the Expanding Power of the FTC to Police Data Security

In the first and second parts of this series, we provided a summary of the District Court of New Jersey’s recent decision in FTC v. Wyndham Worldwide Corp. and then focused on whether the FTC has given “fair notice” to companies of the data security standards to which they will be held accountable. Today, we take a slightly different view of the FTC’s Section 5 history and revisit whether Brown v. Williamson actually supports the position that Congress has granted the Commission the authority to regulate data security under Section 5. But in the end, such analysis may not matter—the FTC is not the sole source of data security responsibilities for “unregulated” industries and one way or another, data security accountability is coming….

Part II: Fair Notice or No Notice? The Wyndham Worldwide Case and the Expanding Power of the FTC to Police Data Security

In our first blog in this series, we provided a summary of the District Court of New Jersey’s recent decision in FTC v. Wyndham Worldwide Corp., in which Judge Salas confirmed the FTC’s authority to bring enforcement actions to redress deficient corporate data security practices, even in the absence of formal rules or regulations setting forth what practices are unreasonable. Today we begin to explore the ramifications of that ruling, focusing on whether the FTC has given “fair notice” to companies of the data security standards to which they will be held accountable.

EU High Court Overturns Telecom Data Retention Requirements

The Court of Justice of the European Union, the highest court in the EU, declared the EU’s 2006 Data Retention Directive invalid in a judgment issued on April 8, 2014. The directive, which has been implemented via national legislation by most EU member states, requires telecommunications and Internet providers to collect and retain traffic and location data regarding users’ calls and Internet activity for up to two years in order to assist law enforcement in the prevention of “serious crime” (such as organized crime and terrorism). The Court of Justice, however, determined that the directive interferes with European citizens’ fundamental rights to privacy.

Part I: The Elephant Emerges From the Mousehole: The Wyndham Worldwide Case and the Expanding Power of the FTC to Police Data Security

In support of its motion to dismiss the FTC’s complaint alleging data security deficiencies in violation of Section 5 of the FTC Act, Wyndham Worldwide Corporation cited the Supreme Court’s opinion in Whitman v. American Trucking Ass’ns, which cautioned against agencies utilizing vague statutory provisions to alter “fundamental details of a regulatory scheme” and colorfully stated that “[Congress] does not, one might say, hide elephants in mouseholes.” See 531 U.S. 457, 468 (2001).

No Harm, Still Foul? Florida Court Approves Data-Breach Class Action Settlement

Data-breach class action suits may have just gained significant traction. On Feb. 28, 2014, the U.S. District Court for the Southern District of Florida approved a first of its kind class action data breach settlement that will pay plaintiffs regardless of whether they were damaged by the breach.

California Bill Would Create Cyber Security Commission

By Christin McMeley and Jane Whang

In recognition of the increasing threat that cyber-attacks pose to the state's infrastructure and the considerable costs that government and private sectors are estimated to spend on cyber security (more than $70 billion estimated to be spent in 2014 nationally), Assembly Speaker John Perez has introduced a bill to establish a "Cyber Security Commission."

The bill (AB 2200), if passed, would authorize the proposed commission to develop public-private partnerships to share cyber security and cyber threat information and to improve cyber security and cyber response strategies. The commission is required to meet monthly and submit quarterly reports to the Governor's Office and Legislature on the status and progress of cyber security efforts.

California AG Weighs in on Cybersecurity

By Paul Glist and Leslie Moylan

Just as NIST completes its version 1.0 national Framework for Improving Critical Infrastructure Cybersecurity, California Attorney General Kamala Harris has made clear she intends a leadership role for California. With a guide called “Cybersecurity in the Golden State: How California Businesses Can Protect Against and Respond to Malware, Data Breaches and Other Cyberincidents,” the AG offers a simplified, brief, and plain English version of cybersecurity protections directed toward small and medium size California businesses that likely lack the resources to hire full-time cybersecurity personnel. The Guide’s “Practical Steps to Minimize Cyber Vulnerabilities” are based on acknowledged deficiencies in the devices, websites, and apps at the network’s edge, and on the need for users and businesses to discipline their behavior and increase their vigilance against threats. The best practices outlined in the Guide are not unique to small or medium size businesses and overlap to a large extent NIST’s perspective on threats and cyber recommendations from many sources. The NIST Framework provides greater detail and is more explicit in the latitude it provides for business judgments about the proportionality of precautions with respect to the specific risks. Both the California Guide and NIST Framework seek to prod organizations to analyze risks, determine needs, and outline plans to protect, detect, respond and recover.

New Advisory Posted on NIST Cybersecurity Framework 1.0 and Growing Federal Concern Over Data Security and Cyber Crime

By Bob Scott

Check out our recent advisory analyzing the National Institute of Standards and Technologies’ newly-finished Cybersecurity Framework, which is intended to reduce cyber risks to critical infrastructure – including to banks, communications companies, utilities, and healthcare providers.  The Framework adds to the growing prominence of data security issues:  increased incidents of electronic data theft; extensive media coverage; rising class-action litigation.  The Federal Trade Commission has assumed enforcement authority for data security and breach incidents under Section 5 of the FTC Act, while Congress and state legislatures consider legislative options.  The Framework remains voluntary for the companies it addresses, but offers insight into evolving government expectations for data security, privacy and civil liberties.  Access the advisory here.

FTC's 50th Data Security Settlement Sends a Message: Be Careful with Overseas Contractors

By Adam H. Greene, Rebecca L. Williams, and Sarah S. Fallows

The Federal Trade Commission (FTC) sent a message about the importance of imposing appropriate security measures on—and monitoring—vendors with access to confidential consumer information. The FTC issued a 20-year consent order with GMR Transcription Services (GMR) over its overseas contractor’s data security breach. The decision marks the FTC’s 50th information security settlement and fifth health information complaint (four of which have settled). For health care providers and business associates, the GMR settlement suggests that the FTC has higher expectations than HHS regarding management and oversight of vendors and other downstream subcontractors, especially when these vendors are outside of U.S. jurisdiction. The GMR settlement did not involve security failures by GMR itself, but by a subcontractor, Fedtrans.

"A" for Effort? Senator Markey Announces Latest Privacy Legislation Aimed at Protecting Student Data

By Leslie Gallagher Moylan

On January 14, 2014, Senator Edward Markey (D-Mass) announced that he plans to introduce legislation in the coming weeks to ensure that safeguards are in place for student data shared with third parties.  Citing concerns raised by recent changes to the Family Educational Rights and Privacy Act (FERPA) that have allowed for the increased sharing and use of student data in the private sector, Markey stated that the legislation will include the following components:

Google Street View Class Action Survives: Ninth Circuit Holds Wi-Fi is Not "Radio" Under Wiretap Act

By Bob Scott and John Seiver

In the latest development in the Google Street View case, the Ninth Circuit once again upheld the lower court’s decision that Google’s collection of unencrypted Wi-Fi does not fit within an exception to the Wiretap Act that allows the interception and use of “radio transmissions” that are “readily accessible to the public,” although it narrowed the reasoning of its earlier opinion.

After initially upholding the district court order denying Google’s motion to dismiss the case because of the Wiretap Act exception, the court asked for briefing on Google’s petition for panel and en banc rehearing.  Technically, the panel granted part of Google’s motion for rehearing and modified its opinion, but it did not change its decision that unencrypted Wi-Fi transmissions are protected from interception by the Wiretap Act.  Google now could ask the U.S. Supreme Court to review the case, pursue further litigation in the district court, or settle.

Are You a Target?

By Daniel P. Reing

As has been widely reported, the popular retail giant Target announced yesterday that it suffered a data breach impacting approximately 40 million credit and debit card accounts used in Target stores across the country between November 27th and December 15th. It appears that the breach involved the theft of “track data” from the magnetic stripe on the back of credit and debit cards used in Target stores. Thieves use this stolen information to create counterfeit cards.

PCI DSS 3.0: Business as Usual?

By Randy Gainer, Attorney, CISSP, and Christin McMeley, CIPP-US 

In the past, critics of the Payment Card Industry (PCI) Data Security Standard (DSS) have alleged that the DSS requirements either (1) provide little more than a minimal baseline for security with a “check-the-box” compliance approach; or (2) are written vaguely so that the Council can retroactively allege non-compliance and impose fees on merchants who claim to have been PCI DSS “compliant” at the time of the breach (see our recent Genesco post). On November 7, 2013, the PCI Security Standards Council (SSC) released version 3.0, which may address these criticisms by:
  • Focusing on “security, not compliance;”
  • Making PCI DSS a “business as usual practice;”
  • Providing “added flexibility on ways to meet the requirements;” and
  • Clarifying “the level of validation the assessor is expected to perform.”

A House Divided: Federal Judges Take Conflicting Positions on Wiretap Act Claims Against Google in California's Northern District

When is the “course of business” considered “ordinary?”

By Bob Scott

Last week, the U.S. District Court for the Northern District of California dismissed a class action claim that Google’s modifications to its customer privacy policies and subsequent sharing of customer data across Google products violate the Wiretap Act and other laws.  The decision by Magistrate Judge Grewal in Google, Inc. Privacy Policy Litigation underscores the gap between his broad application of an exception to the Wiretap Act’s prohibitions and the far narrower view of that same exception taken by Judge Koh of the same court in allowing the Google, Inc. Gmail Litigation to proceed, which we discussed here and here.

Both cases challenge, among other things, Google’s practice of sharing data collected from its customers with advertising partners.  In both cases, Google asked the court to dismiss claims that this sharing violates the Wiretap Act, on the basis of the Act’s exception that allows a provider of electronic communications services to intercept customer data “in the ordinary course of business.”  Yet the cases reach opposite decisions on the applicability of that exception to very similar claims.

It's Not Just the NSA: Your Keyboard Knows Who You Are, Too

By Lance Koonce

In 1891, Arthur Conan Doyle wrote a Sherlock Holmes short story entitled “A Case of Identity”. In it, Holmes solves a mystery in part by determining that several different letters were all typed on the same typewriter:

"It is a curious thing," remarked Holmes, "that a typewriter has really quite as much individuality as a man's handwriting. Unless they are quite new no two of them write exactly alike. Some letters get more worn than others, and some wear only on one side. Now, you remark in this note of yours, Mr. Windibank, that in every case there is some little slurring over the e, and a slight defect in the tail of the r. There are fourteen other characteristics, but those are the more obvious."

Federal Lawmakers Revive Do Not Track Kids Legislation

By Christin S. McMeley, Paul Glist, and Leslie Gallagher Moylan

A bipartisan, bicameral effort is again underway to extend current law and impose new restraints on the online tracking of children and teens under the age of 16. As promised, on Thursday, Nov. 14, 2013, Senator Edward Markey (D-Mass) and Rep. Joe Barton (R-Texas) introduced their respective versions (S. 1700 and H.R. 3481) of the “Do Not Track Kids Act of 2013.” Specifically, the Do Not Track Kids Act would:

  • Extend many of the privacy protections already afforded to children ages 12 and under in the Children's Online Privacy Protection Act (COPPA) to teens through age 15;
  • Formally include online and mobile applications (the FTC already did this through enforcement actions and then by rule in its recent COPPA amendments);
  • Expand the definition of “personal information” to include device identifiers;
  • Extend COPPA protections to geolocation information;
  • Prohibit targeted marketing to children and minors without verifiable parental consent for children or the consent of a “minor” (13-15 year old);
  • Require the operators of a website, online service, or online or mobile application “directed to minors” to adopt and comply with a “Digital Marketing Bill of Rights for Teens” that is consistent with the Fair Information Practices Principles; and
  • Attempt to arm parents and their children with an “eraser button” to eliminate publicly available personal information online.

Using momentum gained from the ineffective attempts to establish broader, voluntary Do Not Track standards and mechanisms, California’s recent “Do Not Track” and “Eraser” laws, and increased interest by lawmakers in online tracking and privacy issues generally, Senator Markey and Congressman Barton have focused their efforts “to protect children and teens”—which may be the only way to advance the broader Do Not Track concept in a stymied Congress.

Data Protection Regulation Proposal Approved by the European Parliament

By Robert Stankey

The European Parliament has finalized its version of the proposed Data Protection Regulation, which would substantially change personal data protection rules in the 31-country European Economic Area. The Parliament’s LIBE committee voted October 21 on a final package of amendments to the European Commission’s draft regulation in January 2012. After formal approval by the full Parliament, negotiations will begin with national governments (through the Council of the European Union) on a final version of the legislation.
Key features of the amendments are:

  • Higher penalties – Violations could be punished through the imposition of fines of up to the greater of €100 million ($137 million) or 5% of annual worldwide revenue (compared with €1 million or 2% proposed by the Commission).
  • Breach notification – Regulators and, in certain circumstances, affected individuals still must be notified of data breaches, but the 24-hour notification deadline that had been proposed by the Commission has been eliminated.
  • Consent – Affirmative action (such as through a writing or an online acceptance) is required to show consent.  Implied consent through use of a service is not sufficient. 
  • Right of erasure – Existing rights to request the deletion of personal data have been strengthened as a replacement for the Commission’s controversial and ill-defined proposal for a “right to be forgotten”.
  • Disclosure to foreign governments – New provisions would make it a violation to disclose information that is processed in the EU to a foreign government without the approval of a data protection authority.
  • Standardized information disclosures – Standard information disclosures have been specified, including an icon-based compliance scorecard.
  • Pseudonymous data – A new category of personal data that cannot be attributed to a specific individual will be subject to a different set of privacy rules.
  • Profiling – Use of personal data for analytic or predictive purposes would require an individual’s consent and provide a mechanism to object to profiling.
  • Extraterritorial application – Parliament has somewhat strengthened provisions that would make data protection rules applicable to all non-European companies that offer goods or services to Europeans or that monitor Europeans.  Data processing within Europe would no longer be required for EU privacy rules to apply.
  • Home regulator – Data controllers would be subject to enforcement by the regulator where they have their main establishment in Europe. 

The text approved by European Parliament can be found here and here.  The Parliament also finalized its changes to the Commission’s proposal for a directive protecting personal data held by European governments and public bodies.

NIST Releases Preliminary Cybersecurity Framework: Comments Next and Final Due In February 2014

By Robert G. Scott, Jr. and Daniel P. Reing

On October 22, 2013, the National Institute of Standards and Technologies (NIST) released its “Preliminary Cybersecurity Framework,” with comments due 45 days after publication in the Federal Register. NIST expects the window for comments to open expeditiously so that it may comply with the deadlines established in President Obama’s Executive Order 13636 (the “EO”). Under the EO, NIST must evaluate comments, revise the Preliminary Framework, and issue a final version by February 12, 2014 (see our earlier posts found here and here). The Administration seeks to encourage private sector adoption of the Framework through potential incentives, and given the increasing volume of and risk from hacking and data loss, private entities should be reviewing their cybersecurity and data protection practices as a matter of ongoing operations.

Update: Google Not Going Down Without a Fight

By John D. Seiver and Christin McMeley

Google is seeking further review in two cases we wrote about last week on alleged Wiretap Act violations.  In the Gmail case, where Google was charged with improperly reviewing subscribers’ emails,  Google asked Judge Koh to certify her decision for interlocutory appeal to the Ninth Circuit.  But even if Judge Koh grants Google’s motion, the Ninth Circuit still has to agree to take the appeal.  And given the Ninth Circuit’s Decision in Google’s Street View case, where Google was found to have improperly “intercepted” unencrypted Wi-Fi signals, it is not clear that Google will succeed in gaining interlocutory review, except that….

Google may feel encouraged because the Ninth Circuit on Wednesday ordered the plaintiffs to respond to Google’s petition for panel and en banc rehearing in the Street View case, a precondition to any grant of rehearing. We will update on plaintiffs’ filing and the court’s action on Google’s petition.

While federal courts in California seem more inclined to let plaintiffs move forward with Wiretap Act claims, a U.S. District Court Judge in Delaware dismissed claims that Google violated computer users’ rights by placing “cookies” into users’ Web browsers to facilitate the placement of advertising, disregarding Apple’s Safari browser’s default blocker. The court held that a URL is merely “a location identifier” and therefore the cookies do not intercept “contents” as required for a Wiretap Act violation, nor does their placement “demonstrate that Google intercepted any ‘contents or meaning’” under California’s Invasion of Privacy Act. The court also dismissed claims that the placement of such cookies violated the Stored Communications Act, stating that “[d]espite the temptation, the court declines to try to fit a square peg (modern technology) into the proverbial round hole (the intent of Congress as reflected in the statutory language of the SCA).” Even though the court found that, “while plaintiffs have offered some evidence that the online personal information at issue has some modicum of identifiable value to an individual plaintiff, plaintiffs have not sufficiently alleged that the ability to monetize their PII has been diminished or lost by virtue of Google's previous collection of it,” it went on to resolve and dismiss the substantive issues because, when plaintiffs allege statutory violations with the possibility of collecting statutory damages, “the absence of any actual injury, may in some circumstances create standing.”

It is reasonable to expect that unless and until there are definitive appellate or SCOTUS rulings on standing or that the “round hole” of ECPA cannot easily accommodate the “square peg” of modern technology, we will continue to see the class action privacy bar testing the waters.

9th Circuit Joffe v. Google "Street View" Decision Raises Questions About Wiretap Act's "Radio Transmissions" Exception

By John Seiver

Last week, the Ninth Circuit held that the Wiretap Act prohibits the kind of “interception” and collection of transmissions from unencrypted Wi-Fi networks that Google reportedly followed in compiling Street View data. Technically, the court affirmed a district judge’s order denying Google’s motion to dismiss, but the importance of the ruling was in extending Wiretap Act protections to unencrypted Wi-Fi traffic. 

Latest FTC Enforcement Action Reflects Agency's Intent to Focus on Emerging Market Involving the "Internet of Things"

By K.C. Halm

In its first enforcement action against a company operating in the emerging market known as the “Internet of Things”, the FTC has secured a settlement agreement with a company that markets Internet-connected video cameras designed to allow consumers to remotely monitor their homes.

The increasing connectivity of consumer devices, such as cars, appliances, and medical devices, and the capability for these devices to communicate with other such devices, is commonly referred to as the Internet of Things. Many of the devices connected through the Internet of Things have the capability to communicate with consumers, transmit data back to companies, and compile data for third parties such as researchers, health care providers, or even other consumers, who can measure how their product usage compares with that of their neighbors.

But the benefits of such connectivity also present potential privacy and security risks, as the FTC’s latest action illustrates.

NIST Releases Draft Cybersecurity Framework

By Robert G. Scott, Jr.

The National Institute of Standards and Technologies (NIST) has released the first draft of the Cybersecurity Framework required by President Obama’s Executive Order 13636 and Presidential Policy Directive 21, as detailed in our earlier posts (found here, here and here). The draft outlines the tentative format of the final Framework, which would include four major sections:

  • A guide for senior executives and others on how to use the Framework to evaluate and manage their organizations’ cyber risk preparedness;
  • A user’s guide for more detailed implementation of the Framework;
  • The “core structure” of the Framework; and
  • A compendium of references such as existing cybersecurity standards, guidelines and practices.

Federal Data Breach Legislation Introduced, But Will It Go Anywhere?

By Christin S. McMeley

Last week Senator Pat Toomey (R-PA), along with one Independent and six other Republican Senators, introduced the “Data Security and Breach Notification Act of 2013.”  The bill would provide businesses and consumers with a single set of rules for notifications in the event certain electronic records are compromised, preempting state data breach notification requirements and several federal laws that contain security requirements.

Federal Cybersecurity Initiatives Demand Vigilance of Communication and Energy Infrastructure Owners and Operators

By Robert G. Scott, Jr.

Cybersecurity initiatives are moving rapidly within the federal government and require owners and operators of critical infrastructure – including in particular Communication and Energy Systems, and those who supply and service them – to remain vigilant in managing cybersecurity risks. The National Institute of Standards and Technologies (NIST) is moving quickly to develop the Cybersecurity Framework required by President Obama’s Executive Order 13636 (EO-13636) and Presidential Policy Directive 21 (PPD-21), as detailed in our earlier posts here and here. At the same time, Congress continues to develop cybersecurity legislation to address concerns over the current state of cybersecurity and cyber-threat information-sharing in various sectors of the economy. Chief among these sectors are energy and communications, which are deemed “uniquely critical” in PPD-21 given their role in supporting all other critical infrastructure.

NIST Hosts First of Four Planned Cybersecurity Framework Workshops

By Dan Reing

On April 3, 2013, the National Institute for Standards and Technology (“NIST”) hosted the first of four planned Cybersecurity Framework Workshops at the Department of Commerce, consisting of five panel discussions among a variety of private and public stakeholders affected by the Executive Order on “Improving Critical Infrastructure Cybersecurity” (“EO”) issued February 13, 2013. As we previously discussed, the EO set in motion a process to develop and implement a national, voluntary Cybersecurity Standards Framework aimed at protecting the nation’s critical infrastructure and the provision of essential services to the American people. The EO tasked NIST with drafting the Cybersecurity Framework, and on February 24, 2013, it issued a Request For Information (“RFI”) seeking public comment on issues the Cybersecurity Framework should address. The RFI comment period closes on April 8, 2013.

Executive Order and Policy Directive Promote Cybersecurity Cooperation and Intelligence Sharing

By Robert G. Scott, Jr.

On February 12, 2012, President Obama signed an Executive Order as well as a complementary Presidential Policy Directive intended to improve the flow of information and cyber-threat intelligence between government agencies and the private sector, and to improve the security of the nation’s critical infrastructure.  The policies and requirements in these documents outline an ever-increasing role for owners and operators of critical infrastructure in resisting cyber threats.

Fourth Circuit Decision Deepens Split of Authority on Federal Computer Fraud and Abuse Act's Prohibition on Conduct that "Exceeds Authorized Access"

Joins Recent 9th Circuit Decision Narrowly Construing the Law

By Ronnie London

The U.S. Court of Appeals for the 4th Circuit has issued a ruling in WEC Carolina Energy Solutions v. Miller, holding that the federal Computer Fraud and Abuse Act (“CFAA”) prohibition on exceeding “authorized access” to a computer covers only the scope of access allowed and exceeded, not subsequent use of any information obtained by way of such access.  In doing so, the 4th Circuit echoed the recent 9th Circuit en banc decision in U.S. v. Nosal adopting a similarly narrow construction of the statute, as described in our post here.  As noted, the Nosal decision departed from broader interpretations of “exceeds authorized access” adopted by the 5th, 7th, and 11th Circuits, and the 4th Circuit’s WEC decision now makes that split even more attractive for possible Supreme Court review.

Plans to Publicize Foreign-Sponsored Hackers and Counter-Measures

By Randy Gainer

A recent story in the Washington Post describes former FBI assistant director Shawn Henry’s plan to “name names” of governments that sponsor hackers to break into U.S. networks. He also suggests that the private firm he recently joined, CrowdStrike, may take countermeasures against hackers. Such “hack-back” strategies have been debated in the security community for several years. That Mr. Henry is talking openly about going on the offensive against hackers may mean that hacker battles are about to get more interesting.

FCC: Google's Collection of Unencrypted Data Does Not Violate Communications Act

By David M. Silverman

In a Notice of Apparent Liability (NAL) released Monday by the Federal Communications Commission (FCC) against Google, the FCC found that Google’s collection of unencrypted data obtained from Wi-Fi networks in its Street View project did not violate the Communications Act provision that prohibits the unauthorized interception and either use or publication of radio communications. However, the FCC has proposed a $25,000 forfeiture penalty for Google’s initial failure to cooperate with the agency’s investigation of this matter.

Oregon Supreme Court Decision Shows How Rapid Response to Data Breach Can Pay Off in Ensuing Litigation

By Ronald G. London

Check out our new advisory, in which Doug Ross and Greg Chaimov explain how taking prompt and effective action to protect patients after a data breach paid big dividends in the Oregon Supreme Court, which affirmed dismissal of a class action against Providence Health & Services-Oregon.  The case is significant in that it shows a prompt and substantial response to such data theft can play a vital role in prevailing in ensuing litigation, especially given that, when the data theft occurred, Oregon had no law governing how a custodian of records like Providence should respond.  That Providence responded quickly to contact its patients and arrange for credit protection was a key factor in the outcome.  Read more here.

Massachusetts Data Protection Law: Third-Party Provision Effective March 1

By Bruce E. H. Johnson

Effective March 1, 2012, any company, wherever located, that is holding the “personal information” of Massachusetts residents must amend its existing vendor contracts to require compliance with Massachusetts data security regulations. 201 CMR 17.03 (f)(2).

Europe Plans Significant Expansion in Data Protection Rights

European Commission Releases Formal Proposal on Data Protection Reform

By Robert Stankey and Adam Shoemaker

On Jan. 25, 2012, the European Commission released the final version of its proposed revisions to the European Union’s data protection framework. The package of changes represents a comprehensive reform of the EU’s 1995 data protection rules.

First Circuit Case Becomes One of First Successful Attempts to Assert Data Breach Class Action Liability

By Erin Nedenia Reid

In a departure from the recent trend of courts refusing to allow data breach claimants to seek mitigation damages, the First Circuit recently held in  Anderson v. Hannaford Bros. Co. that credit and debit card payment processors may be held liable for mitigation damages in the wake of targeted card-number theft by a criminal enterprise.   In Hannaford, the appeals court reversed a decision below that dismissed negligence and implied contract claims arising out of a 2007 breach of grocer Hannaford’s electronic payment processing system, which resulted in the theft of 4.2 million credit and debit card numbers.   The First Circuit’s decision suggests credit and debit card payment processors may be at a higher risk than previously thought of facing viable class action claims in the wake of data breaches.

Continue Reading...

New Court Decision Upends U.C.C. Rule Typically Applied, Holds Bank Liable for Unrecovered Funds from a Phishing Attack

By: Micah Ratner

A U.S. District Court in the Eastern District of Michigan has issued its decision in Experi-Metal, Inc. v. Comerica Bank, holding that a bank—instead of the bank’s customer—was liable for $560,000 in unrecovered funds from a phishing attack. The case is noteworthy because a customer is typically liable for unauthorized transfers under Uniform Commercial Code (“U.C.C.”) Article 4A. Under U.C.C. Section 4A-202, the customer bears the loss from an unauthorized transfer if (1) the bank and customer agreed that the bank would authenticate transfers through a security procedure, (2) the security procedure is commercially reasonable, and (3) the bank accepted the transfer in good faith and in compliance with that security procedure.

Continue Reading...

We're Baaaaaaack.

Those of you who were once frequent visitors to this blog may, by now, be asking one or more of the following questions:

(a) Why haven’t you guys posted anything for so many months?
(b) Why does the site look different?
(c) Who’s going to win the NBA playoffs?
(d) Why did they cancel My Name is Earl?

Well, the first two at least. The truth is that this blog was started in August 2005, and ran steadily (sometimes more steadily than others) for about three years. As blogs go, that’s a fairly distinguished record – there are more abandoned blogs lining the sides of the Information Superhighway than there are hubcaps along the Cross Bronx. Wait, did we actually just use the phrase “Information Superhighway”? Because that is so 2005. As is that phrase we just used.

So anyway, when our firm decided to revamp its website, we took this as an opportunity to think seriously (read: discuss over drinks) what we wanted to accomplish with this blog, and what we needed to do to keep it fresh and relevant. The process has taken a bit longer than we expected, but here’s where we are:

Rather than a long list of bloggers, you will be getting regular updates from just five of us – and henceforth there will be no more posts in this annoying third-person, royal we, voice. We may have some guest bloggers on occasion, but for the most part you can level any criticisms at the following:

Bruce Johnson, our Burgermeister-Meisterburger, who will be blogging on the topic of Personal Communications (blogging, employee/employer relations, etc.)

Randy Gainer, who will be captivating you with stories about Government Surveillance (ECPA/CFAA, CALEA, REAL ID/travel issues, etc.)

Charlene Brownlee, who is by far the most stylish among us (and who will be blogging on the subject of Data Breaches and identity-theft laws)

Ronald London, who will endeavor to keep an eye on Congress and will be blogging about telemarketing, junk fax, CAN-SPAM, behavioral/advanced advertising, and CPNI (which we’ll call Marketing and Consumer Privacy)

Lance Koonce, who will try not to mangle any stories about Online Threats such as hacking, phishing, pharming, pretexting, malware/spyware, and offline versions such as dumpster diving and the theft/loss of data-containing devices.

We do not purport to be a source for all news that touches on privacy and security – the field has exploded and aggregating such information would be a full-time career. Rather, we hope to tease out interesting aspects of specific issues within our areas of coverage. We hope you’ll take a look, and keep coming back if what you see intrigues you.
The PrivSecBlog Team

And by the way:

The Lakers.
Ratings. And possibly bad karma.