NIST Hosts First of Four Planned Cybersecurity Framework Workshops

By Dan Reing

On April 3, 2013, the National Institute of Standards and Technology (“NIST”) hosted the first of its four planned Cybersecurity Framework Workshops at the Department of Commerce. The workshop consisted of five panel discussions among a variety of private and public stakeholders affected by the Executive Order on “Improving Critical Infrastructure Cybersecurity” (“EO”) signed February 12, 2013.  As we previously discussed, the EO set in motion a process to develop and implement a national, voluntary Cybersecurity Framework aimed at protecting the nation’s critical infrastructure and the provision of essential services to the American people.  The EO tasked NIST with drafting the Cybersecurity Framework, and on February 24, 2013, NIST issued a Request For Information (“RFI”) seeking public comment on the issues the Cybersecurity Framework should address.  The RFI comment period closes on April 8, 2013.

Executive Order and Policy Directive Promotes Cybersecurity Cooperation and Intelligence Sharing

By Robert G. Scott, Jr.

On February 12, 2013, President Obama signed an Executive Order as well as a complementary Presidential Policy Directive intended to improve the flow of information and cyber-threat intelligence between government agencies and the private sector, and to improve the security of the nation’s critical infrastructure.  The policies and requirements in these documents outline an ever-increasing role for owners and operators of critical infrastructure in resisting cyber threats.

Fourth Circuit Decision Deepens Split of Authority on Federal Computer Fraud and Abuse Act's Prohibition on Conduct that "Exceeds Authorized Access"

Joins Recent 9th Circuit Decision Narrowly Construing the Law

By Ronnie London

The U.S. Court of Appeals for the 4th Circuit has issued a ruling in WEC Carolina Energy Solutions v. Miller, holding that the federal Computer Fraud and Abuse Act (“CFAA”) prohibition on exceeding “authorized access” to a computer reaches only the scope of access that was permitted and then exceeded, not the subsequent use of any information obtained through that access.  In doing so, the 4th Circuit echoed the recent 9th Circuit en banc decision in U.S. v. Nosal, which adopted a similarly narrow construction of the statute, as described in our post here.  As noted there, the Nosal decision departed from the broader interpretations of “exceeds authorized access” adopted by the 5th, 7th, and 11th Circuits, and the 4th Circuit’s WEC decision now makes that split even riper for possible Supreme Court review.

Plans to Publicize Foreign-Sponsored Hackers and Counter-Measures

By Randy Gainer

A recent story in the Washington Post describes former FBI assistant director Shawn Henry’s plan to “name names” of governments that sponsor hackers to break into U.S. networks.  He also suggests that the private firm he recently joined, CrowdStrike, may take countermeasures against hackers.  Such “hack-back” strategies have been debated in the security community for several years.  That Mr. Henry is talking openly about going on the offensive against hackers may mean that hacker battles are about to get more interesting.

FCC: Google's Collection of Unencrypted Data Does Not Violate Communications Act

By David M. Silverman

In a Notice of Apparent Liability (NAL) released Monday by the Federal Communications Commission (FCC) against Google, the FCC found that Google’s collection of unencrypted data obtained from Wi-Fi networks in its Street View project did not violate the Communications Act provision that prohibits the unauthorized interception and either use or publication of radio communications. However, the FCC has proposed a $25,000 forfeiture penalty for Google’s initial failure to cooperate with the agency’s investigation of this matter.

Oregon Supreme Court Decision Shows How Rapid Response to Data Breach Can Pay Off in Ensuing Litigation

By Ronald G. London

Check out our new advisory, in which Doug Ross and Greg Chaimov explain how taking prompt and effective action to protect patients after a data breach paid big dividends in the Oregon Supreme Court, which affirmed dismissal of a class action against Providence Health & Services-Oregon.  The case is significant because it shows that a prompt and substantial response to data theft can play a vital role in prevailing in ensuing litigation, especially given that, when the theft occurred, Oregon had no law governing how a custodian of records like Providence should respond.  That Providence moved quickly to contact its patients and arrange for credit protection was a key factor in the outcome.  Read more here.

Massachusetts Data Protection Law: Third-Party Provision Effective March 1

By Bruce E. H. Johnson

Effective March 1, 2012, any company, wherever located, that holds the “personal information” of Massachusetts residents must amend its existing vendor contracts to require compliance with the Massachusetts data security regulations. 201 CMR 17.03(2)(f)(2).

Europe Plans Significant Expansion in Data Protection Rights

European Commission Releases Formal Proposal on Data Protection Reform

By Robert Stankey and Adam Shoemaker

On Jan. 25, 2012, the European Commission released the final version of its proposed revisions to the European Union’s data protection framework. The package of changes represents a comprehensive reform of the EU’s 1995 data protection rules.

First Circuit Case Becomes One of First Successful Attempts to Assert Data Breach Class Action Liability

By Erin Nedenia Reid

In a departure from the recent trend of courts refusing to allow data breach claimants to seek mitigation damages, the First Circuit recently held in Anderson v. Hannaford Bros. Co. that credit and debit card payment processors may be held liable for mitigation damages in the wake of targeted card-number theft by a criminal enterprise.  In Hannaford, the appeals court reversed a decision below that had dismissed negligence and implied contract claims arising out of a 2007 breach of grocer Hannaford’s electronic payment processing system, which resulted in the theft of 4.2 million credit and debit card numbers.  The First Circuit’s decision suggests that credit and debit card payment processors may be at higher risk than previously thought of facing viable class action claims in the wake of data breaches.

New Court Decision Upends U.C.C. Rule Typically Applied, Holds Bank Liable for Unrecovered Funds from a Phishing Attack

By Micah Ratner

A U.S. District Court in the Eastern District of Michigan has issued its decision in Experi-Metal, Inc. v. Comerica Bank, holding that a bank, rather than the bank’s customer, was liable for $560,000 in unrecovered funds from a phishing attack. The case is noteworthy because a customer is typically liable for unauthorized transfers under Uniform Commercial Code (“U.C.C.”) Article 4A. Under U.C.C. Section 4A-202, the customer bears the loss from an unauthorized transfer if (1) the bank and customer agreed that the bank would authenticate transfers through a security procedure, (2) that security procedure is commercially reasonable, and (3) the bank accepted the transfer in good faith and in compliance with the procedure.

We're Baaaaaaack.

Those of you who were once frequent visitors to this blog may, by now, be asking one or more of the following questions:

(a) Why haven’t you guys posted anything for so many months?
(b) Why does the site look different?
(c) Who’s going to win the NBA playoffs?
(d) Why did they cancel My Name is Earl?

Well, the first two at least. The truth is that this blog was started in August 2005, and ran steadily (sometimes more steadily than others) for about three years. As blogs go, that’s a fairly distinguished record – there are more abandoned blogs lining the sides of the Information Superhighway than there are hubcaps along the Cross Bronx. Wait, did we actually just use the phrase “Information Superhighway”? Because that is so 2005. As is that phrase we just used.

So anyway, when our firm decided to revamp its website, we took this as an opportunity to think seriously (read: discuss over drinks) about what we wanted to accomplish with this blog, and what we needed to do to keep it fresh and relevant. The process has taken a bit longer than we expected, but here’s where we are:

Rather than a long list of bloggers, you will be getting regular updates from just five of us – and henceforth there will be no more posts in this annoying third-person, royal we, voice. We may have some guest bloggers on occasion, but for the most part you can level any criticisms at the following:

Bruce Johnson, our Burgermeister-Meisterburger, who will be blogging on the topic of Personal Communications (blogging, employee/employer relations, etc.)

Randy Gainer, who will be captivating you with stories about Government Surveillance (ECPA/CFAA, CALEA, REAL ID/travel issues, etc.)

Charlene Brownlee, who is by far the most stylish among us (and who will be blogging on the subject of Data Breaches and identity-theft laws)

Ronald London, who will endeavor to keep an eye on Congress and will be blogging about telemarketing, junk fax, CAN-SPAM, behavioral/advanced advertising, and CPNI (which we’ll call Marketing and Consumer Privacy)

Lance Koonce, who will try not to mangle any stories about Online Threats such as hacking, phishing, pharming, pretexting, malware/spyware, and offline versions such as dumpster diving and the theft/loss of data-containing devices.

We do not purport to be a source for all news that touches on privacy and security – the field has exploded and aggregating such information would be a full-time career. Rather, we hope to tease out interesting aspects of specific issues within our areas of coverage. We hope you’ll take a look, and keep coming back if what you see intrigues you.

Thanks,

The PrivSecBlog Team


And by the way:

The Lakers.
Ratings. And possibly bad karma.