Security Measures : Privacy and Security Law Blog

Posted on August 1, 2011 by Davis Wright Tremaine

House Subcommittee Approves Data Security Bill

On July 20, 2011, the House Commerce, Manufacturing and Trade subcommittee approved the Secure and Fortify Electronic (SAFE) Data Act (“SAFE Data Act” or “Act”) in a voice vote. The text of the bill is available here. The measure will now move to the full Energy and Commerce Committee for consideration. The bill would establish a national standard for when companies are required to notify consumers that their unencrypted personal information has been accessed or acquired and for notifying the Federal Trade Commission (“FTC”) and law enforcement of a security breach.

The bill applies to all persons and companies subject to the jurisdiction of the FTC and any tax-exempt organizations under Section 501(c) of the Internal Revenue Code; however, entities subject to HIPAA and Gramm-Leach Bliley will be exempt from the Act in certain circumstances. Under the current version, only data containing personal information related to commercial activity is protected. Personal information is defined as the consumer’s name, or address or phone number combined with one or more of the following pieces of information: social security number, government identification number (e.g., driver’s license number), or financial account identification number (if the codes or passwords needed to gain access to the financial account are included).

Tags: SAFE Data Act, Secure and Fortify Electronic Data Act, Security Measures, privacy legislation

Posted on January 25, 2008 by Ronald London

FTC Data Security Consent Decree Suggests Minimum Steps Companies Must Take

Posted by Ronald London

The FTC recently announced a consent decree with online retailer Life is good (www.lifeisgood.com) that offers insight into what that agency may believe are the bare minimum steps companies must take when making the kind of generic we-protect-the-information-you-give-us statements found in most privacy policies. The FTC claimed Life is good offered such reassurances but failed to have in place sufficient measures (from the FTC's view) to back them up, based on the ability of a hacker to use SQL injection attacks on Life is good’s website to access consumers' credit card numbers, expiration dates, and security codes. To resolve allegations in a draft complaint the FTC had prepared alleging unfair trade practices, Life is good settled the claims by entering a consent decree requiring it to adopt a comprehensive information-security program and obtain biennial audits by an independent third-party security professional … for the next 20 years.

Tags: Federal Regulation, Financial Institutions, Identity Theft, Internet, Personal Privacy, Security Breaches, Security Measures

Posted on November 10, 2006 by Ronald London

Confidential Information Should Be Encrypted or Not Stored on Laptops

Posted by Randy Gainer

81% of U.S. businesses surveyed this year reported that, in the previous 12 months, at least one of their laptops or other portable electronic devices had been lost or stolen. U.S. Survey: Confidential Data at Risk, 5 Privacy & Security Law Report 1162 (2006). When a laptop is lost or stolen, unencrypted data on the computer can easily be accessed. Even if a user name and password are needed to sign on to the laptop, the hard drive can be removed in a few seconds and all data on the hard drive can be copied to another computer or to a storage device in minutes.