Data Breach Notification Laws: A How-To Guide

Although Congress has attempted to agree on federal data breach notification legislation, there is no national data breach notification law that applies to most companies. Instead, 48 states, plus the District of Columbia, Puerto Rico, Guam, and the Virgin Islands, have each enacted their own statutes addressing an organization’s notification obligations in the wake of a data breach involving personal information. The only states without such laws are Alabama and South Dakota, although their citizens may be covered in some situations by the data breach laws of other states. …

Incident Response Plans: A How-To Guide

The best way to handle any emergency is to be prepared. When it comes to data breaches, incident response plans are the first step organizations take to prepare. Furthermore, many organizations are required to maintain one. For example, any organization that accepts payment cards is most likely contractually required to adopt an incident response plan. …

Wire Transfer Fraud: A How-To Guide

Businesses are increasingly falling victim to wire fraud scams – sometimes referred to as “man-in-the-email” or “business email compromise” scams. Although there are multiple variants, a common situation involves an attacker gaining access to the email system of a company, or the company’s vendor, and monitoring email traffic about an upcoming transaction. When it comes time to submit an invoice or a payment, the attacker impersonates one of the parties and sends wire instructions asking that payment be sent to the attacker’s bank account. …
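The checks below are an added example written for this page, not code from the original alert or its authors. They triage an inbound invoice e-mail for the pattern the alert describes: a sender who looks like the vendor, a reply path steered elsewhere, and a request to redirect payment. The vendor allowlist (KNOWN_VENDORS), the keyword list and the four sample messages are constructed for illustration; a real deployment would read from a mail gateway rather than inline strings.

```python
from __future__ import annotations

import email
from email.message import Message
from email.utils import parseaddr

# Hypothetical allowlist: vendor display name -> domain its invoices really come from.
KNOWN_VENDORS = {"acme supply": "acme-supply.example"}

# Phrases that commonly accompany a request to redirect a payment (constructed list).
WIRE_KEYWORDS = ("wire", "bank account", "routing number", "new account",
                 "updated remittance", "payment details have changed")


def _domain(header_value: str) -> str:
    """Lower-cased domain part of an address header, or '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to recognise look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _body_text(msg: Message) -> str:
    """Concatenate all text/plain parts, lower-cased for keyword matching."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks).lower()


def triage(raw_message: str) -> list[tuple[str, str]]:
    """Return (category, detail) findings; an empty list means nothing fired."""
    msg = email.message_from_string(raw_message)
    findings: list[tuple[str, str]] = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = from_addr.rpartition("@")[2].lower()
    reply_dom = _domain(msg.get("Reply-To", ""))

    # 1. Replies silently steered to a domain other than the sender's.
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply-to-mismatch", f"Reply-To {reply_dom} vs From {from_dom}"))

    # 2. Display name claims a known vendor but the sending domain is not theirs.
    expected = KNOWN_VENDORS.get(display_name.strip().lower())
    if expected and from_dom != expected:
        kind = "lookalike-domain" if _edit_distance(from_dom, expected) <= 2 else "unrelated-domain"
        findings.append((kind, f"{from_dom} impersonates {expected}"))

    # 3. Body asks to change where the money goes.
    body = _body_text(msg)
    hits = [k for k in WIRE_KEYWORDS if k in body]
    if hits:
        findings.append(("payment-redirect", ", ".join(hits)))
    return findings


def recommended_action(findings: list[tuple[str, str]]) -> str:
    """Map findings to an accounts-payable decision: OK, VERIFY or HOLD."""
    categories = {c for c, _ in findings}
    if "payment-redirect" in categories and categories - {"payment-redirect"}:
        return "HOLD"     # header anomaly plus a payment change: treat as fraud until disproved
    if "payment-redirect" in categories:
        return "VERIFY"   # call the vendor on a number already on file, never one from the e-mail
    return "OK"


# Constructed sample messages (not real traffic).
LEGIT = """\
From: Acme Supply <billing@acme-supply.example>
To: ap@buyer.example
Subject: Invoice 4471

Attached is invoice 4471 for last month's order. Terms are net 30 as usual.
"""

LOOKALIKE = """\
From: Acme Supply <billing@acme-supp1y.example>
To: ap@buyer.example
Subject: Invoice 4471 - updated remittance

Our bank account has changed. Please wire payment for invoice 4471 to the new account below.
"""

COMPROMISED_MAILBOX = """\
From: Acme Supply <billing@acme-supply.example>
Reply-To: billing@acme-supply-billing.example
To: ap@buyer.example
Subject: Invoice 4471

Please send the wire to our new account; routing number follows.
"""

# Attacker inside the vendor's real mailbox with no Reply-To trick: only the content check fires.
FULLY_COMPROMISED = """\
From: Acme Supply <billing@acme-supply.example>
To: ap@buyer.example
Subject: Invoice 4471

Our bank account has changed; please wire invoice 4471 to the new account below.
"""

if __name__ == "__main__":
    for name, sample in [("LEGIT", LEGIT), ("LOOKALIKE", LOOKALIKE),
                         ("COMPROMISED_MAILBOX", COMPROMISED_MAILBOX),
                         ("FULLY_COMPROMISED", FULLY_COMPROMISED)]:
        found = triage(sample)
        print(name, recommended_action(found), found)
```

The fourth sample is the caveat: when the attacker sends from the vendor's genuine, compromised mailbox and does not bother with a Reply-To, every header check passes and only the content heuristic fires. That is why the control against this scheme is out-of-band confirmation of any change in payment instructions, using contact details already on file, rather than any mail filter.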

Data Breach Notification in the EU: A Comparison of US and Soon-To-Be EU Law

In the United States Congress has repeatedly attempted, but failed, to agree on federal data breach notification legislation. As a result, there is no single federal statute that imposes a breach notification obligation on most companies. Instead, 47 states, plus the District of Columbia, Puerto Rico, Guam, and the Virgin Islands, have enacted their own statutes addressing an organization’s notification obligations in the wake of a data breach. The only states without such laws are Alabama, New Mexico, and South Dakota, although their citizens may be covered in some situations by the data breach laws of other states. …

Tax Filing Fraud

Tax returns and W-2s are information rich documents that contain the name and Social Security Number of an employee, as well as information concerning their salary and address, and personal behavior and characteristics (e.g., the charities that they support, their sources of income, their investments, and their relationships with financial institutions). Each year cyber-attackers target these documents. If successful, an attacker may attempt to sell sensitive information contained in the file. Other attackers may attempt to use tax-related documents (e.g., an employee’s W-2) to submit a fraudulent income tax return in the hope of obtaining any refund owed to an employee. …

Employer Privacy Policies: A How-To Guide

In 2005 Michigan became the first state to pass a statute requiring employers to create an internal privacy policy that governs their ability to disclose some forms of highly sensitive information about their employees. Michigan’s Social Security Number Privacy Act expressly requires employers to create policies concerning the confidentiality of employees’ social security numbers (“SSN”) and to disseminate those policies to employees. New York adopted a similar statute. Several other states – Connecticut, Massachusetts, and Texas – have statutes mandating the establishment of privacy policies that could also apply in the employer-employee context. …

Cyber Insurance: A How-To Guide

Most organizations know they need insurance to cover risks to the organization’s property like fire or theft, or their risk of liability if someone is injured in the workplace. But, a substantial portion of organizations don’t carry coverage for data breaches despite numerous high profile breaches. While many insurance companies offer cyber insurance, not all policies are created equal. The following provides a snapshot of information concerning cyber insurance. …

Incident Response Plans: A Comparison of US Law, EU Law and Soon-To-Be EU Law

The best way to handle any emergency is to be prepared. When it comes to data breaches, incident response plans are the first step organizations take to prepare. In the United States, incident response plans are commonplace. Since 2005, the federal banking agencies have interpreted the Gramm-Leach-Bliley Act as requiring financial institutions to create procedures for handling data security incidents.1 Although there is no federal statute that requires the majority of other types of organizations to create an incident response plan, state data safeguards and data breach notification statutes provide incentives for many other organizations to craft response plans. …

Social Security Number Privacy Policies: A How-To Guide

Social Security Numbers (“SSN”) were originally established by the Social Security Administration to track earnings and eligibility for Social Security benefits. Because a SSN is a unique personal identifier that rarely changes, federal agencies use SSN for purposes other than Social Security eligibility (e.g., taxes, food stamps, etc.). In 1974, Congress passed legislation requiring federal agencies that collect SSN to provide individuals with notice regarding whether the collection was mandatory and how the agency intended to use the SSN.1 Congress later barred agencies from disclosing SSN to third parties. Federal law does not, however, regulate private-sector use of SSN. …

How to Respond To Third Party (Non-Government) Civil Subpoenas And Document Requests That Ask For Personal Information

Litigants in a civil dispute often use subpoenas, subpoenas duces tecum, and discovery requests to obtain personal information about individuals who may not be present in the litigation. A request for documents and information that include personal information about third parties may conflict with legal obligations imposed upon an organization not to produce information. For example, if an organization promises within its privacy policy that it will never share personal information with a “third party,” and does not include an exception for requests made in civil litigation or through judicial process, a consumer could argue that by producing information pursuant to a subpoena or discovery request an organization has violated its privacy policy and committed an unfair or deceptive practice in violation of federal or state law. …

How to Respond to Government Subpoenas and Document Requests That Ask for Personal Information

Federal and state agencies traditionally obtain information for law enforcement purposes using a variety of methods including:

  • court issued subpoenas,
  • grand jury subpoenas,
  • search warrants,
  • litigation discovery requests, and
  • administrative subpoenas.1

A request by a government agency for personal information about one, or more, consumers may conflict with consumers’ expectations of privacy, and, in some instances, may arguably conflict with legal obligations imposed upon an organization not to produce information. For example, if an organization promises within its privacy policy that it will never share the information that it collects with a “third party” and does not include an exception for requests from law enforcement, or government agencies, a consumer could argue that by producing information pursuant to a government request, an organization has violated its privacy policy and committed an unfair or deceptive practice in violation of federal or state law. …

Cross-Office Team Publishes Article in ‘Journal of Investment Compliance’

August 2016

Boulder Partner David Zetoony, Denver Counsel Elizabeth Kemery Sipes, and DC Associate Joshua James published an article in the Journal of Investment Compliance regarding data security issues that financial services firms currently face and how to overcome them. Financial services firms risk potential financial implications and increasing regulatory ramifications, such as fines, penalties and enforcement actions, for failing to implement tailored cybersecurity programs. The article provides a guide for designing policies and procedures related to cybersecurity programs, including considerations for designing a document retention policy, drafting an incident response plan, and starting or evaluating a bounty program. The article is the result of three previous client alerts written by the authors and published on the Bryan Cave website.

Questions to Consider When Shopping for Cyber Insurance

Most organizations know they need insurance to cover risks to the organization’s property like fire or theft, or their risk of liability if someone is injured in the workplace. But a substantial portion of organizations do not carry coverage for data breaches despite numerous high-profile breaches. While many insurance companies offer cyber insurance, not all policies are created equal….

Understanding How the FTC Tracks Privacy Complaints

The FTC collects complaints about companies that allegedly violate the data privacy, data security, advertising, and marketing laws. The result is a massive database of consumer complaints known as “Consumer Sentinel” that is used by the FTC and other consumer protection regulators to identify and investigate enforcement targets.

Regulators can use Consumer Sentinel to search for complaints on any company. They can also request that the database alert them to new complaints about an organization, or connect them with other law enforcement agencies that might have an interest in investigating the same organization. In addition to these functionalities, the FTC also creates a “Top Violator” report and a “Surge” report that track those organizations that the FTC believes may have a suspicious pattern of consumer complaints.1 The end result is that the vast majority of FTC enforcement actions target companies identified within the FTC’s database….

FCC Proposes Indiscriminate PII Definition in Privacy NPRM

In addition to a bothersome “breach” definition, the Federal Communications Commission (“FCC”), in its April 1, 2016 Notice of Proposed Rulemaking (“NPRM”) concerning ISP privacy regulation, proposes a sweeping definition of personally identifiable information (“PII”). The definition is broad enough to cover virtually every piece of information about an individual. Despite the FCC’s legally necessary finding that ISPs are “common carriers” required to transmit information without undue discrimination, the FCC seems not to have carefully considered an ISP’s unique and limited role in facilitating the exchange of information between and among consenting communicators….

FCC Proposes Bothersome Breach Definition in Privacy NPRM

On April 1, 2016 the Federal Communications Commission (“FCC”) released its Notice of Proposed Rulemaking (“NPRM”) concerning privacy regulation of internet broadband service providers (“ISPs”). The NPRM proposes, among other things, an expansive and vexing definition of “breach.” If not modified, the definition would require notices to customers, the FCC and the FBI of even trivial internal employee access to customer information….

How to Select a Qualified Security Assessor (“QSA”)

Retailers that accept credit cards are typically required by the payment card brands to show that they are in compliance with the Payment Card Industry Data Security Standard or “PCI DSS” at least once a year. How a retailer is permitted to show compliance depends in part on whether the retailer has a history of data security issues (e.g., have they suffered a breach) and the quantity of credit card transactions that the retailer processes each year. Typically retailers that have either had a data security breach, or transact large quantities of credit cards, are required to retain a Qualified Security Assessor or “QSA” to conduct an audit and to provide an independent report showing whether the retailer is in compliance with the PCI DSS. Retailers that have not experienced a data breach and transact relatively few cards are often permitted to self-certify their compliance with the PCI DSS….

Privacy Regulation Regime Change: Bad or Good for ISPs?

The Federal Communications Commission (“FCC”) is on the verge of proposing new federal privacy regulations for internet broadband service providers (“ISPs”). ISPs were previously policed by the Federal Trade Commission (“FTC”). The FCC’s rulemaking is an outgrowth of its determination last year that wireline and wireless ISPs are telecommunications common carriers subject to Title II of the Communications Act, including the privacy provisions in Section 222 thereof. That determination, which is still under attack in court, effectively moved ISPs from FTC to FCC jurisdiction. ISPs will soon be forced to grapple with the details of a proposed FCC privacy regulatory scheme that has already been broadly outlined in a “Fact Sheet” released by the FCC. The FCC will fully unveil its specific proposals in a formal Notice of Proposed Rulemaking (“NPRM”) scheduled for an FCC vote on March 31….

How to Draft an Effective Incident Response Plan (2016)

The best way to handle any emergency is to be prepared. When it comes to data breaches, incident response plans are the first step organizations take to prepare. Furthermore, many organizations are required to maintain one. For example, any organization that accepts payment cards is most likely contractually required to adopt an incident response plan….

Best Practices for Handling Vehicle Event Data Recorders (2016)

Event data recorders, also known as “black boxes” or “sensing diagnostic modules,” capture information such as the speed of a vehicle and the use of a safety belt. In the event of a collision this information can be used to help understand how the vehicle’s systems performed. In December 2012, the National Highway Traffic Safety Administration proposed a rule that would require automakers to install event data recorders in all new light passenger vehicles. . .

Webinar: Monitoring Employee Use of Computers, Phones, Social Media and More: Latest Developments for In-House Corporate and Employment Lawyers

January 26, 2016

Employers have a variety of technological means to monitor employees’ communications and activities, and new technologies provide additional means. Yet employees still have legally protected privacy rights that must be respected. Join Dan Prywes and Josh James as they discuss:

  • basic principles respecting different monitoring tools and areas of legal uncertainty,
  • the development of employer policies and employee-consent forms to best advance employers’ legitimate goals,
  • variations among state laws,
  • union bargaining over monitoring, and
  • emerging issues.

We are presenting this audio web cast through Celesq® Attorneys Ed Center in partnership with West LegalEdcenter.

Vehicle Black Box Event Recorders At A Glance (2015)

Event data recorders, also known as “black boxes” or “sensing diagnostic modules,” capture information such as the speed of a vehicle and the use of a safety belt in the event of a collision to help understand how the vehicle’s systems performed. 15 states have passed statutes that discuss the privacy of the data that these devices collect . . .

2015 Telemarketing Report

We are pleased to announce the 2015 edition of our whitepaper discussing trends in telemarketing (TCPA) litigation. The 2015 report provides the most comprehensive analysis of complaint filings by industry, court, legal theory, and type of issue . . .

2015 Data Privacy Litigation Report

We are pleased to announce the 2015 edition of our whitepaper discussing trends in data privacy class action litigation. The 2015 report provides the most comprehensive analysis of complaint filings by industry, court, legal theory, and type of privacy issue . . .

2015 Data Breach Class Action Report

We are pleased to announce the 5th edition of our whitepaper discussing trends in data breach class action litigation. The 2015 report provides the most comprehensive analysis of trends in complaint filings by industry, court, legal theory, and type of data breach . . .


Webinar: Understanding Data Security Litigation: A guide for In-house counsel

October 6, 2015

This program provides an overview of the types of legal and regulatory claims a company may be faced with in the wake of a data breach. In-house counsel should walk away understanding the potential exposure faced by their companies and strategies for defeating such claims.

Webinar: A Guide for In-House Counsel on How To Draft the Terms of a Cybersecurity “Bounty” Program.

May 19, 2015

Companies are often contacted by individuals claiming to be “white hat” hackers who purport to have identified a security vulnerability and are willing to share it with the company – for a price. The requests are often perceived as extortion or blackmail when they are unsolicited. In order to avoid this scenario companies . . .

The program is sponsored by West Law Legal Ed and Celesq.

Incident Response Plans At a Glance (2015)

The best way to handle any emergency is to be prepared. When it comes to data breaches, incident response plans are the first step organizations take to prepare. Furthermore, many organizations are required to maintain one. For example, any company that accepts payment cards is most likely contractually required to adopt an incident response plan . . .

Bounty Programs At a Glance (2015)

Data security officers keep their eyes open for risks. Usually this means monitoring reports from automated security systems that flag potential security events and listening to employees’ reports of security issues. There is a great deal of debate, however, about the merits of listening to the security concerns of people outside of an organization. On one end of the spectrum companies refuse to discuss any aspect of their security with the public. On the other end of the spectrum companies proactively encourage the public to report security vulnerabilities by paying well-meaning hackers (usually called “white hat” hackers) to report problems . . .

Breach Notification Laws At A Glance (2015)

Although Congress has attempted to agree on federal data breach legislation, there is no national data breach notification law that applies to most companies. Instead, 47 states, plus the District of Columbia, Puerto Rico, Guam, and the Virgin Islands, have each enacted their own statutes addressing an organization’s notification obligations in the wake of a data breach involving certain types of personally identifiable information (“PII”). . .

Cyber Insurance At a Glance (2015)

Most businesses know they need insurance to cover risks to the business’s property like fire or theft, or the risk of liability if someone is injured at the business. But a substantial portion of businesses don’t carry coverage for a rapidly expanding area of risk – data breaches. Despite numerous high profile breaches in the past year, many businesses do not have a cyber insurance policy. . .

WiFi Connected Cars And Privacy Concerns (2015)

Think data privacy is only something for “technology” or “internet” companies? Think again— America’s car companies certainly have. On Wednesday November 12, 2014, two trade groups representing 19 of the largest car companies in the world sent a letter to the Federal Trade Commission (“FTC”) outlining privacy principles the companies have committed to follow. . .

Whitepaper: Data Privacy and Security Class Action Litigation Trends (Sept 2014)

TCPA cases continue to predominate as the single largest category of data privacy or data security breach litigation. In terms of industries, there has been a significant uptick in complaints filed against debt collectors and a corresponding uptick in allegations that the Fair Debt Collection Practices Act has been violated. . .