Negotiating Payment Processing Agreements: A How-To Guide

Credit cards are the primary form of payment received by most retailers. In order to process a credit card a retailer must enter into an agreement with a bank and a payment processor. Payment processing agreements often have significant impacts on a retailer’s financial liability in the event of a data breach. In many cases, the contractual liabilities that flow from a payment processing agreement surpass all other financial liabilities that arise from a data breach including the cost to investigate an incident, defend litigation, and defend a regulatory investigation. The following provides a snapshot of information concerning payment processing agreements. …

Security Due Diligence In A Merger Or Acquisition: A How-To Guide

The FTC can hold an acquirer responsible for the bad data security practices of a company that it acquires. Evaluating a potential target’s data security practices, however, can be daunting and complicated by the fact that many “data” issues arise months, or years, after a transaction has closed. For example, the FTC has investigated data security breaches and unlawful data collection practices that occurred years before the company was acquired, but were discovered months after a transaction closed. The following provides a snapshot of information concerning hacking. …

Credit Cards and the Payment Card Industry Data Security Standard

For most retailers the primary source of revenue comes from credit card transactions. In order to accept credit cards, a retailer must enter into a contractual agreement with a payment processor and a merchant bank. As discussed in previous sections, those agreements typically require that the retailer represent and warrant its compliance with the Payment Card Industry Data Security Standard (“PCI DSS”). Alternatively, they require a representation and warranty that the retailer complies with the rules of the payment card brands (i.e., American Express, Discover, MasterCard, and Visa), and some of the payment brand rules could be interpreted as requiring that a retailer be compliant with the PCI DSS. …

Fingerprint Identification Technology: A How-To Guide

Fingerprint identification technology uses fingerprints to uniquely identify individuals. The technology has been used by law enforcement agencies for decades, and dozens of statutes regulate when government agencies may collect fingerprints, how they are permitted to use them, and with whom they can be shared. Advances in fingerprint recognition software have led some private entities to begin using the technology to authenticate consumers. For example, some mobile devices have integrated fingerprint recognition technology to replace, or supplement, passwords or pass codes. Some employers are also using fingerprint recognition technology to increase the accuracy and efficiency of employee timekeeping systems. …

Cybersecurity Disclosures: A How-To Guide

In October of 2011, the U.S. Securities and Exchange Commission (“SEC”) issued guidance regarding a public company’s obligations to disclose cybersecurity risks and cyber incidents (the “Cybersecurity Disclosure Guidance”).1 The Cybersecurity Disclosure Guidance applies to all SEC registrants and relates to disclosures under the Securities Act of 1933 and the Securities Exchange Act of 1934. …

Outsourcing your organization’s DPO duties? Consider this

The General Data Protection Regulation will come into effect on May 25, 2018, and will provide a modernized compliance framework for data protection. Because of its extraterritorial reach, entities that operate in the U.S. should take note and consider complying with the regulation. While having a data protection officer, as mandated under the GDPR, is not a new concept and is required for entities operating in countries such as Singapore and Germany, the extraterritorial scope of the GDPR greatly broadens the number of companies that may need to hire one. Article 37(1) of the GDPR requires the designation of a DPO in the following circumstances: where the processing is carried out by a public authority or body; where the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; or where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions or offenses.

Due to the extraterritorial scope of GDPR, many companies will be required to spend money on either an internal DPO or a third-party entity such as a law or IT firm to act as their external DPO. According to one study by the IAPP, more than 28,000 new DPOs need to be hired by 2018, and that’s just in the EU and U.S. Applied globally, the IAPP found that number looks more like 75,000. With the shortage of individuals trained to handle DPO responsibilities, it is likely that many entities will look to hire an external third-party DPO. Before hiring an external DPO, entities should consider the following issues:

Can the DPO be adequately involved with an entity’s data privacy program and do the costs justify hiring an external DPO?

Contrary to common belief, a DPO’s duties do not solely involve responding to breach situations and cooperating with supervisory authorities. The GDPR states that a DPO’s duties are broad and include tasks such as: monitoring an entity’s compliance with the GDPR; providing advice when conducting data protection impact assessments; informing the entity and its employees of their data protection obligations; and cooperating with the various supervisory authorities. The Article 29 Working Party’s guidance on DPOs further clarifies that a DPO should be invited to participate regularly in meetings with senior and middle management and should be easily accessible within the organization.

Traditionally, law firms and IT consulting firms either charge by the hour or have a fixed budget (or semi-fixed budget) to provide their services. It is important to consider that certain responsibilities, such as attending meetings and monitoring an entity’s compliance with GDPR, may be extremely time consuming and expensive on a per-hour basis. Certain service providers have created a fixed-fee arrangement that may provide cost savings, but at the risk of sacrificing quality by putting less qualified and experienced individuals on certain DPO related duties. In a fixed fee or semi-fixed fee arrangement, an entity should consider the included services along with the experience of the individuals that will be performing those services.

Can the service provider act independently in performing its DPO duties?

According to GDPR Article 38(3) and the Article 29 Working Party’s guidance on DPOs, a DPO must perform its duties and tasks in an independent manner. In other words, the DPO must not be instructed on how to deal with a matter and cannot be instructed to take a certain stance on a data privacy issue. For many third-party providers this could be a potential issue, especially if the service provider has many engagements with the entity in question. If an entity has a close prior relationship with the service provider, the line may easily be blurred, leading to instances where the service provider is asked, or feels pressure, to take a particular stance.

Does the DPO have other privacy, data security, or IT related engagements with the entity that could potentially create a conflict of interest?

According to GDPR Article 38(6) and the Article 29 Working Party’s guidance on DPOs, a DPO is allowed to fulfill other tasks and duties, provided that those tasks and duties do not result in a conflict of interest with its DPO duties. For many service providers this can be an issue, especially if the service provider has worked with the entity’s management in designing the entity’s privacy program or has assisted the entity in interpreting privacy rules and regulations. Service providers may be compelled, or feel uncomfortable, to make determinations that are contrary to the advice they provided in a previous engagement. To prevent such independence issues, U.S. publicly traded companies often use a different audit firm for Sarbanes-Oxley internal controls work than for general audit services. Other conflicts to consider include hiring the same firm as both external DPO and Qualified Security Assessor under the Payment Card Industry rules, or hiring the same firm as both external DPO and the entity’s security information and event management (SIEM) provider.

Below is a list of questions and issues to consider prior to hiring an external DPO:

  • Do you envision the external DPO being extremely hands on?
  • What kind of fee engagement is the external DPO offering?
  • If the fee engagement is fixed: Are the included services adequate for your organization? Are the individuals handling DPO duties qualified?
  • If the fee engagement is on a per hour basis: Are the rates reasonable given the experience of the individuals performing DPO duties? Are there available discounts for a prepayment of expenses? What kind of duties do you envision the DPO handling?
  • Does the DPO represent other entities in your sector?
  • Does your entity have a close relationship with the external DPO that may cause independence issues?
  • Has the external DPO engaged in any privacy or data security work for your entity in the past? Could that work cause a conflict of interest?

This article first appeared in The Privacy Advisor.

Are Radio Waves Coming From My Wallet? The Privacy and Security Issues Involved With RFID Technology

Radio Frequency Identification (“RFID”) technology uses electromagnetic fields to transfer data. RFID systems typically operate by attaching tags to objects, devices, or cards. Some tags can be powered by a local power source, such as a battery (“active RFID”). Their local power source permits them to transmit a signal that may be registered hundreds of meters from an RFID reader. Other tags do not have a local power source and are instead powered by electromagnetic induction from the magnetic fields that are produced by a RFID reading device in close proximity (“passive RFID”). …

Wire Transfer Fraud: A How-To Guide

Businesses are increasingly falling victim to wire fraud scams – sometimes referred to as “man-in-the-email” or “business email compromise” scams. Although there are multiple variants, a common situation involves an attacker gaining access to the email system of a company, or the company’s vendor, and monitoring email traffic about an upcoming transaction. When it comes time to submit an invoice or a payment, the attacker impersonates one of the parties and sends wire instructions asking that payment be sent to the attacker’s bank account. …

FDIC Cybersecurity Examinations: A How-To Guide

FDIC bank examinations generally include a focus on the IT systems of banks with a particular focus on information security. The federal banking agencies issued Interagency Guidelines Establishing Information Security Standards (“Interagency Guidelines”) in 2001. In 2005, the FDIC developed the Information Technology—Risk Management Program (IT-RMP), based largely on the Interagency Guidelines, as a risk-based approach for conducting IT examinations at FDIC-supervised banks. The FDIC also uses work programs developed by the Federal Financial Institutions Examination Council (“FFIEC”) to conduct IT examinations of service providers. …

Cyber-Extortion: A How-To Guide

Cyber extortion refers to a situation in which a third party threatens that if an organization does not pay money, or take a certain action, the third party will take an adverse action against the organization. Among other things, threats may include exploiting a security vulnerability identified by the extorter, reporting the organization’s security vulnerability to the press, or reporting the organization’s security vulnerability to regulators. …

Bounty or Bug Programs: A How-To Guide

Data security officers typically look for security risks by monitoring reports from automated security systems, listening to employees’ reports of security issues, and/or auditing IT systems. There is a great deal of debate, however, about the merits of listening to the security concerns of people outside of an organization. On one end of the spectrum, some organizations refuse to discuss any aspect of their security with the public. On the other end of the spectrum, organizations proactively encourage the public to report security vulnerabilities by paying well-meaning hackers (usually called “white hat hackers” or “independent researchers”) to report problems. …

Tax Filing Fraud

Tax returns and W-2s are information rich documents that contain the name and Social Security Number of an employee, as well as information concerning their salary and address, and personal behavior and characteristics (e.g., the charities that they support, their sources of income, their investments, and their relationships with financial institutions). Each year cyber-attackers target these documents. If successful, an attacker may attempt to sell sensitive information contained in the file. Other attackers may attempt to use tax-related documents (e.g., an employee’s W-2) to submit a fraudulent income tax return in the hope of obtaining any refund owed to an employee. …

Cyber Insurance: A How-To Guide

Most organizations know they need insurance to cover risks to the organization’s property like fire or theft, or their risk of liability if someone is injured in the workplace. But, a substantial portion of organizations don’t carry coverage for data breaches despite numerous high profile breaches. While many insurance companies offer cyber insurance, not all policies are created equal. The following provides a snapshot of information concerning cyber insurance. …

Document Retention Periods: A How-To Guide

Data minimization can be a powerful – and seemingly simple – data security measure. The term refers to retaining the least amount of personal information necessary in order for an organization to function. Less information means that there is less that the organization needs to protect, and less opportunity for information to be lost or stolen. …

What Will The Proposed New York Cybersecurity Requirements For Financial Institutions Really Make Companies Do?

In early September 2016, the New York Department of Financial Services (“DFS”) proposed a set of data security regulations (the “Proposal”) that would govern financial institutions, banks, and insurance companies subject to the jurisdiction of the agency (“covered entities”). After receiving public comments, DFS revised and resubmitted the Proposal on December 28, 2016. If the Proposal ultimately goes into effect it would require that covered entities have a written information security policy (“WISP”) and outline specific provisions (substantive and procedural) that must be contained in that document. While the Proposal has garnered a great deal of public attention, the majority of the provisions in the latest version are not unique. …

Guidelines for De-Identification, Anonymization, and Pseudonymization

De-identification of data refers to the process used to prevent personal identifiers from being connected with information. The FTC indicated in its 2012 report Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers that the FTC’s privacy framework only applies to data that is “reasonably linkable” to a consumer.1 The report explains that “data is not ‘reasonably linkable’ to the extent that a company: (1) takes reasonable measures to ensure that the data is de-identified; (2) publicly commits not to try to re-identify the data; and (3) contractually prohibits downstream recipients from trying to re-identify the data.” …

Data Maps and Data Inventories: A Comparison of US Law, EU Law, and Soon-To-Be EU Law

In the United States companies are not required to inventory the type of data that they maintain, or map where that data flows in (and out) of their organization. That said, knowing the type of data that you collect, where it is being held, with whom it is being shared, and how it is being transferred is a central component of most mature data privacy and data security programs. For example, while the law does not require that companies inventory the data that they collect, federal and state law is being interpreted as requiring that companies use, at a minimum, reasonable and appropriate security to protect certain types of “sensitive” information such as Social Security Numbers. It is difficult for many companies to defend their security practices if they lack confidence as to whether they are collecting sensitive information and, if so, where it is being maintained. As a result, while it is not a legal requirement to conduct a data inventory, it is, for many, a de facto step to comply with other legal requirements. …

Guidelines for Written Information Security Policies

Although federal law only requires that financial institutions and health care providers maintain a written information security policy or “WISP,” approximately thirty-four states have enacted legislation that requires organizations in other industries to take steps to keep certain forms of personal information safe. These statutes are broadly referred to as “safeguards” legislation. In some states safeguards legislation requires that organizations adopt certain security-oriented practices such as encrypting highly sensitive personal information or irrevocably destroying sensitive documents. In other states safeguards legislation requires the adoption of a comprehensive written information security policy. …

EU Binding Corporate Rules For Transferring Data: A Comparison of US Law, EU Law, and Soon-To-Be EU Law

In the United States companies are permitted to transfer personal information – including sensitive personal information – as needed between their offices, locations, and corporate affiliates. For example, there are no restrictions that prevent a company from sending personal information collected within the US to a company data center located outside of the US. In the European Union, the EU Data Protection Directive 95/46/EC (the “Directive”) creates a legal framework for the national data protection laws in each EU member state. The Directive states that personal data may only be transferred to countries outside the EU when an adequate level of protection is guaranteed. …

Guidelines for Radio Frequency Identification (“RFID”)

Radio Frequency Identification (“RFID”) technology uses electromagnetic fields to transfer data. RFID systems typically operate by attaching tags to objects, devices, or cards. Some tags can be powered by a local power source, such as a battery (“active RFID”). Their local power source permits them to transmit a signal that may be registered hundreds of meters from an RFID reader. Other tags do not have a local power source and are instead powered by electromagnetic induction from the magnetic fields that are produced by an RFID reading device in close proximity (“passive RFID”). …

How to Prepare for an FDIC Cybersecurity Examination

FDIC bank examinations generally include a focus on the IT systems of banks with a particular focus on information security. The federal banking agencies issued Interagency Guidelines Establishing Information Security Standards (“Interagency Guidelines”) in 2001. In 2005, the FDIC developed the Information Technology—Risk Management Program (IT-RMP), based largely on the Interagency Guidelines, as a risk-based approach for conducting IT examinations at FDIC-supervised banks. The FDIC also uses work programs developed by the Federal Financial Institutions Examination Council (“FFIEC”) to conduct IT examinations of service providers. …

New Insider Threat and Cybersecurity Requirements Pose Significant Costs for Smaller Government Contractors

In a recent article in the National Defense Magazine, Bryan Cave attorneys point out that recent changes to the National Industrial Security Program Operating Manual, or NISPOM, may make it more difficult for companies, particularly those that are unable to spread costs across multiple high-dollar contracts, to compete for government contracts requiring access to classified information. As a result, the efforts by the Department of Defense to increase competition and innovation by turning to smaller companies ultimately may be unsuccessful.

Guidelines for Third-Party Vendor Management Programs

Third-party service providers present difficult and unique privacy and cybersecurity challenges. Vendor management is important throughout the life of your relationship with your vendors. Vendor diligence starts during the vendor selection process, continues through contract negotiation, and ends when the parties terminate their relationship. The goal is to effectively improve the service your vendors provide to your company and allow your customers to realize the benefits of the arrangement, while mitigating the risk inherent in the vendor relationship. …

Guidelines for Cloud Computing

Most companies now use some form of cloud computing whether through software as a service, platform as a service, or infrastructure as a service. Cloud computing’s cost-effective scalability can offer significant advantages to an organization, but it can also raise significant security concerns. Although many cloud providers offer assurances that their systems are secure, many are also unwilling to contractually guarantee the security of data placed in the cloud and are unwilling to fully indemnify a company in the event that the cloud storage is breached. …

Should Hotels, Restaurants, Bars, and Shopping Centers Stop Offering Open WiFi Connections?

The answer in Germany is “yes.” To understand why, you have to understand the principle of “co-liability” or Störerhaftung. Under the principle of co-liability, operators of an open WiFi network can be held liable for the legal infringements of the users of their networks. This means that if someone uses your company’s free WiFi network to illegally download music, your company could be sent a warning (or could be subject to liability) for permitting the use.

The European Court of Justice recently addressed this issue in a case that dealt with the applicability of the E-Privacy Directive to private operators of internet connections. The case was referred to the European Court of Justice by the Regional Court of Munich, and involved a warning letter that had been sent by Sony Music Group to the operator of a business that offered free WiFi in its sales areas. According to Sony, a guest had allegedly used the free WiFi connection to illegally download music. …

How to Respond to National Security Letters That Ask for Personal Information

National Security Letters (“NSLs”) refer to a collection of statutes that authorize certain government agencies to obtain information and simultaneously impose a secrecy obligation upon the recipient of the letter.

Four statutes permit government agencies to issue NSLs: (1) the Electronic Communication Privacy Act,1 (2) the Right to Financial Privacy Act,2 (3) the National Security Act,3 and (4) the Fair Credit Reporting Act.4 Although differences exist between the NSLs issued under each statute, in general, all of the NSLs permit a requesting agency to prevent an organization that receives the NSL from disclosing the fact that it received the request, or the type of information that was requested, if disclosure may result in a danger to national security, interfere with a criminal, counterterrorism, or counterintelligence investigation, interfere with diplomatic relations, or endanger the life or physical safety of a person. If the recipient of an NSL wishes to challenge a non-disclosure request accompanying an NSL, the recipient may file a petition with a U.S. district court in the district where the person does business,5 or the recipient may request that the requesting agency obtain judicial review of the nondisclosure request.6 In both instances, the requesting agency must file an application with the court setting forth the reasons for the nondisclosure request. …

We Really Mean It This Time: Recently Enacted FOIA Improvement Act of 2016 Mandates

On June 13, Congress passed the FOIA Improvement Act of 2016, and President Obama signed the bill into law on June 30, nearly 50 years after the original Freedom of Information Act (“FOIA”) was first enacted. The new law was effective as of June 30.

On July 19, the U.S. Department of Justice Office of Information Policy (“OIP”) issued its first guidelines relating to the Act, prompting agencies to begin carrying out new FOIA mandates in the way they respond to and give notice regarding FOIA requests. OIP said it will continue to issue guidance on the Act “on a rolling basis.” …

Questions to Consider When Shopping for Cyber Insurance

Most organizations know they need insurance to cover risks to the organization’s property like fire or theft, or their risk of liability if someone is injured in the workplace. But a substantial portion of organizations do not carry coverage for data breaches despite numerous high-profile breaches. While many insurance companies offer cyber insurance, not all policies are created equal. …

Analysis of Health Care Data Breach Litigation Trends

Companies that have a breach involving protected health information (“PHI”) worry not only about fines and penalties imposed by the Department of Health and Human Services (“HHS”), but also about class action lawsuits. The risk that a class action lawsuit will lead to financial liability, however, is often misunderstood.

In many, if not most, class action lawsuits that involve the loss of PHI, plaintiffs have been unable to prove that they have standing to seek recovery. Specifically, unless a plaintiff has been the victim of identity theft or has suffered some other type of concrete injury, most courts have refused to let them proceed based solely on the allegation that they are subject to an increased risk of harm as a result of the breach. …

Exploring the Causes of Healthcare Data Breaches

Pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), covered entities (e.g., healthcare providers and health plans) must notify the Department of Health and Human Services (“HHS”) of breaches of unsecured protected health information (“PHI”).1 The information provided to HHS gives organizations a high level of insight into the types of breaches that occur in the healthcare industries.

The data collected by HHS concerning breaches affecting 500 or more individuals in 2014 shows that low-tech breaches remain the most common form of data loss in the health sector – surpassing more publicized hacking events. …

Your Organization is Impacted by Ransomware – Now What?

Some forms of cyber extortion are automated and not targeted at any specific victim. For example, “ransomware” refers to a type of malware that prevents users from accessing their systems unless, and until, a ransom is paid. Although variants of ransomware operate differently, many encrypt the contents of a victim’s hard drive using asymmetric encryption in which the decryption key is stored on the attacker’s server and is available only after payment of the ransom. Victims typically discover the ransomware when they receive an on-screen message instructing them to transfer funds using an electronic currency, such as bitcoin, in order to receive the decryption key and regain access to their files. “CryptoLocker” is the most famous ransomware family and first appeared in 2013. …

How to Respond to a Cyber Extortion Demand

Cyber extortion refers to a situation in which a third party threatens that if an organization does not pay money, or take a certain action, the third party will take an adverse action against the organization. Among other things, threats may include exploiting a security vulnerability identified by the extorter, reporting the organization’s security vulnerability to the press, or reporting the organization’s security vulnerability to regulators. …

Tennessee Breach-Notification Law Indicative of Data-Security Regulators’ Lack of Creativity

Guest Commentary in the Washington Legal Foundation Legal Pulse

David Zetoony authored a blog post on June 6 for the Washington Legal Foundation Legal Pulse on the Tennessee breach notification law, which he says is indicative of data security regulators’ lack of creativity. The Tennessee legislature amended its data breach notification statute so that, beginning July 1, a “breach of security” will no longer carry the qualifier that the data must be “unencrypted.” Despite this change being characterized by the media as making the Tennessee statute “among the nation’s toughest,” Zetoony argues that the change will have very little, if any, impact on businesses.

Data Privacy Considerations for Starting or Evaluating a Bounty Program

Data security officers typically look for security risks by monitoring reports from automated security systems, listening to employees’ reports of security issues, and/or auditing IT systems. There is a great deal of debate, however, about the merits of listening to the security concerns of people outside of an organization. On one end of the spectrum, some organizations refuse to discuss any aspect of their security with the public. On the other end of the spectrum, organizations proactively encourage the public to report security vulnerabilities by paying well-meaning hackers (usually called “white hat hackers” or “independent researchers”) to report problems. While these organizations view “bounty” programs as commonsense crowdsourcing, others view the concept of paying someone who has hacked a company’s system as extortion. As more companies move to establish bounty programs, third parties have begun to offer platforms or frameworks to help organize the programs. Some frameworks provide a forum in which companies can communicate with hackers; a method to facilitate payments to hackers; and guidelines for hackers to follow when identifying vulnerabilities and reporting them to participating companies….

How to Evaluate a Credit Monitoring Service (2016)

Organizations are not, generally, required to offer services to consumers whose information was involved in a breach. Nonetheless, many organizations choose to offer credit reports (i.e., a list of the open credit accounts associated with a consumer), credit monitoring (i.e., monitoring a consumer’s credit report for suspicious activity), identity restoration services (i.e., helping a consumer restore their credit or close fraudulently opened accounts), and/or identity theft insurance (i.e., defending a consumer if a creditor attempts to collect upon a fraudulently opened account and reimbursing the consumer for any lost funds). In addition, if you do offer one of these services, a 2014 California statute and a 2015 Connecticut law prohibit you from charging the consumer for them….

Data Privacy Due Diligence: Questions to Consider in a Merger or Acquisition

The FTC can hold an acquirer responsible for the bad data security and privacy practices of a company that it acquires. Evaluating a potential target’s data privacy and security practices, however, can be daunting and complicated by the fact that many “data” issues arise months, or years, after a transaction has closed. For example, the FTC has investigated data security breaches and unlawful data collection practices that occurred years before the company was acquired, and were discovered months after the transaction closed….

How to Prepare for the General Data Protection Regulation (GDPR)

The EU General Data Protection Regulation (the “GDPR”) was adopted by the European Parliament on April 14, 2016. The GDPR will replace the EU Data Protection Directive (95/46/EC), which was adopted more than 20 years ago. After a two-year transition period to integrate the new obligations, the GDPR will be directly applicable in all EU Member States from May 25, 2018.

The GDPR’s aim is to unify data protection law within the European Union and increase data subjects’ rights (I). This involves strengthened obligations for companies in terms of compliance (II), as well as extended powers of Data Protection Authorities (“DPA”) (III)….

How to Design a Document Retention Policy (2016)

Data minimization can be a powerful – and seemingly simple – data security measure. The term refers to retaining the least amount of personal information necessary in order for an organization to function. Less information means that there is less that the organization needs to protect, and less opportunity for information to be lost or stolen….

How to Avoid or Respond to Wire Transfer Fraud (2016)

Businesses are increasingly falling victim to wire fraud scams – sometimes referred to as “man-in-the-email” or “business email compromise” scams. Although there are multiple variants, a common situation involves an attacker gaining access to the email system of a company, or the company’s vendor, and monitoring email traffic about an upcoming transaction. When it comes time to submit an invoice or a payment, the attacker impersonates one of the parties and sends wire instructions asking that payment be sent to the attacker’s bank account….

How to Avoid Being the Weakest Link in Your Company’s Cybersecurity Efforts

Everyone has been in a movie theatre when one of the actors approaches that door to the basement behind which strange noises are coming. They reach out to turn the knob and in unison the audience is thinking, “Fool, haven’t you ever been to the movies? Don’t you know that the zombies or ghouls or some other equally disgusting creature are waiting for you behind that door? Don’t do it!” They of course open the door, blissfully unaware of the grisly fate waiting for them.

I get the same sort of feeling when I read about cybersecurity lapses at banks. Think about the following:

“Someone dropped a thumb drive, I think I’ll just plug it into my computer at work and see what is on it. Surely nothing bad will happen. If nothing else, I’ll give it to one of my kids, they can use it on the home computer.”

“My good friend, the one who sends me those emails asking me to pass them along to three of my closest friends, just sent me an email with an adorable cat video. I just love cat videos, I’ll open it on my computer at work and see what is on it. Surely nothing bad will happen. Doesn’t the FBI monitor the internet keeping us safe from bad people?”

“Someone from a small European country that I have never heard of has sent me an email telling me that I might be the recipient of an inheritance. I always knew I was destined for better things in life, I’ll just click on the attachment and follow the instructions. Surely nothing bad will happen.”

“My good customer Bob just sent me an email telling me that he is stuck in jail in South America. He needs me to wire money to post his bail. I didn’t know that Bob was traveling, I am pretty sure I just saw him in the bank a couple of days ago. I probably won’t try and call his house or wife or his cell phone to double check, I’m sure his email is legitimate.”

If you were in the movie theatre you’d be yelling out “Don’t do it!” If this were a movie you would see the green glowing blob patiently waiting to silently flow into the office computer. The blob just sits there though, waiting for the bank officer to hit the keystroke that opens the file. Now we see it watching as the person sits down at the computer and logs in, types in a password and initiates a wire transfer. The blob silently memorizes both the login ID and the password. Weeks can go by as the suspense builds. The ominous music begins to swell in the background, we know that something is going to happen when as fast as lightning, the blob springs to life initiating wire transfers for tens of millions of dollars.

This is exactly what occurred in February of 2016 in Bangladesh. Criminals were able to place the blob, in the form of malware, onto the computers of the central bank of Bangladesh. Reports indicate that the malware included a keylogger, which was used to capture passwords and other login credentials for the system created by the Society for Worldwide Interbank Financial Telecommunication (“SWIFT”) that banks use to initiate funds transfers. In the end, $81 million was wired out of the bank’s account at the New York Federal Reserve, apparently to a casino in the Philippines where it was converted into untraceable gambling chips.

It is not yet clear exactly how the criminals inserted the malware into the central bank’s computers, but the situation underscores what we have been telling clients about cybersecurity. You are only as strong as your weakest link, and the weakest link is usually someone who clicks on an attachment or picks up the thumb drive found on the floor. It is human nature to be curious, and it takes constant training and reminders to teach personnel the appropriate responses. Financial institutions are constantly hiring new employees, and each of them brings their own personal history of computer hygiene with them. Each of them must be taught immediately about the importance of not opening suspicious emails or attachments. Spam and malware filters hopefully block most of the incoming criminally engineered emails, but the criminals are resourceful and continue to innovate.

As we have noted previously, federal banking regulators have higher expectations concerning preparedness for cyberattacks. The Cybersecurity Assessment Tool released in 2015 by the FFIEC provides specific standards by which an institution can be judged when undergoing regulatory examinations.

At Bryan Cave, our Data Privacy and Security Team can assist you by conducting a data risk assessment, including reviewing your cyberattack insurance coverage. That analysis, coupled with our Banking Group’s ability to navigate the bank regulatory gauntlet will better prepare you for upcoming IT and cyberattack exams.

No matter how good a company’s security is, data security events are unavoidable. When a security breach does occur, preventing liability often means analyzing facts, identifying legal obligations, and taking steps to prevent or mitigate harm within the first minutes and hours of becoming aware of a breach. That’s why an attorney from our Data Privacy and Security Team is on-call for clients whenever and wherever a breach occurs: 24 hours a day, 7 days a week. For more information, visit our Bryan Cave Data Breach Hotline web page.

Bryan Cave Data Breach Hotline
+1 202 508 6136 (international)
+1 844 8BREACH (844-827-3224 toll free — US only)

How Employers Can Help Prevent W-2’s From Being Breached and Their Employees From Becoming Victims of ID Theft

The Internal Revenue Service issued an alert about an emerging phishing email scheme that purports to be from company executives and requests personal information on employees.

The IRS has learned this scheme – part of the surge in phishing emails seen this year – already has claimed several victims as payroll and human resources offices mistakenly email payroll data, including Forms W-2 that contain Social Security numbers and other personally identifiable information, to cybercriminals posing as company executives….

How to Select a Qualified Security Assessor (“QSA”)

Retailers that accept credit cards are typically required by the payment card brands to show that they are in compliance with the Payment Card Industry Data Security Standard, or “PCI DSS,” at least once a year. How a retailer is permitted to show compliance depends in part on whether the retailer has a history of data security issues (e.g., whether it has suffered a breach) and the volume of card transactions it processes each year. Typically, retailers that have either had a data security breach or process large transaction volumes are required to retain a Qualified Security Assessor, or “QSA,” to conduct an audit and provide an independent report showing whether the retailer is in compliance with the PCI DSS. Retailers that have not experienced a data breach and process relatively few transactions are often permitted to self-certify their compliance with the PCI DSS….

How to Draft an Effective Incident Response Plan (2016)

The best way to handle any emergency is to be prepared. When it comes to data breaches, incident response plans are the first step organizations take to prepare. Furthermore, many organizations are required to maintain one. For example, any organization that accepts payment cards is most likely contractually required to adopt an incident response plan….

How to Conduct a Data Inventory of Your Human Resource Records (2016)

Some of the largest data breaches in recent years involved the loss of employment records. Knowing the type of data that a human resource department collects, where it is being held, with whom it is being shared, and how it is being transferred is a central component of most data security programs. The process of answering these questions is often referred to as a “data inventory,” and can be an instrumental component in preventing a data breach….

What You Need to Know About the New General Data Protection Regulation (GDPR) (2016)

The EU Parliament Committee on Civil Liberties, Justice, and Home Affairs (“LIBE”) finally released the text of the long anticipated new data protection law. While the law has not formally been enacted, its adoption at this point is considered pro forma. Once adopted, its provisions will go into effect in spring of 2018. The hope, and expectation, is that the GDPR will cause the EU to have a much more harmonized approach to data protection.

Here is what companies doing business in the EU need to know about the new General Data Protection Regulation (GDPR or Regulation)….

Best Practices for Sharing Threat Indicators with the Government (2016)

After a security incident is identified organizations often consider whether to share information concerning the incident with government agencies. If the incident involved criminal conduct, federal law enforcement agencies – such as the Federal Bureau of Investigation or the United States Secret Service – may be interested in investigating and attempting to prosecute those responsible. It’s also possible that law enforcement already may be investigating similar incidents and can share information that may help in your investigation. For example, they may be able to identify IP addresses associated with bad actors, security vulnerabilities that are being exploited within other organizations, or evidence that might suggest that criminals successfully obtained information from your organization….
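When law enforcement shares indicators such as the IP addresses mentioned above, the first use of them is to search your own logs for contact with that infrastructure. The following is an added example written for this page, not code from the original post or from the firm: it parses a constructed indicator list of IPv4 addresses and CIDR blocks with Python’s standard `ipaddress` module and reports which constructed log lines contain a matching source address. The indicator-list format, the log formats and the addresses (all from documentation ranges) are assumptions for illustration.

```python
"""Match indicators shared by law enforcement against local log lines.

Added example for this page (not code from the original post). It assumes
indicators arrive as a plain-text list of IPv4 addresses and CIDR blocks,
one per line with '#' comments, and that log lines carry a source address
somewhere in their text. The indicator list and logs below are constructed.
"""
import ipaddress
import re

# Constructed indicator list: one host, one /24, one line that should be skipped.
INDICATORS_TEXT = """\
# shared by investigators; addresses are from documentation ranges
203.0.113.42
198.51.100.0/24   # whole block reported as attacker infrastructure
not-an-ip
"""

# Constructed log lines in two common formats (sshd and nginx access log).
LOG_LINES = [
    "2016-03-02T10:14:07Z sshd[2211]: Accepted password for admin from 203.0.113.42 port 51422",
    "2016-03-02T10:15:33Z sshd[2214]: Failed password for root from 198.51.100.77 port 40020",
    '2016-03-02T10:16:01Z nginx: 192.0.2.8 - - "GET /login HTTP/1.1" 200',
    '2016-03-02T10:17:45Z nginx: 198.51.100.9 - - "POST /export HTTP/1.1" 200',
]

# Dotted-quad candidates; ipaddress does the real validation (e.g. rejects 999.1.1.1).
IPV4_CANDIDATE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def parse_indicators(text):
    """Return the indicator list as ip_network objects, skipping bad lines.

    A malformed line is dropped rather than aborting the whole load, so one
    typo in a shared list does not blind the search.
    """
    networks = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue
    return networks


def find_matches(lines, networks):
    """Return (line_index, address, indicator) for every log line that hits.

    Each address found in a line is tested against every indicator; the first
    matching indicator is reported so a /32 and its enclosing block do not
    produce duplicate hits for the same address.
    """
    hits = []
    for index, line in enumerate(lines):
        for token in IPV4_CANDIDATE.findall(line):
            try:
                address = ipaddress.ip_address(token)
            except ValueError:
                continue
            for network in networks:
                if address in network:
                    hits.append((index, str(address), str(network)))
                    break
    return hits


if __name__ == "__main__":
    for index, address, indicator in find_matches(LOG_LINES, parse_indicators(INDICATORS_TEXT)):
        print(f"line {index}: {address} matches {indicator}: {LOG_LINES[index]}")
```

A hit is a lead, not a conclusion: a successful login from a shared address (the first sample line) is what warrants the forensic follow-up, while a failed one is context. Malformed indicator lines are skipped rather than treated as fatal so that one bad entry in a list received from outside does not silently stop the whole search.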

How to Design or Review an Encryption Policy (2016)

Encryption refers to the process of converting data into a form that is unreadable to anyone who does not hold the corresponding key; the recipient applies the agreed algorithm and key (often itself protected by a password) to convert the information back into readable text. Most statutes, regulations, and agencies that require companies to use encryption to protect data do not mandate that a specific encryption standard be used. Some statutes do require, however, that companies use an encryption key that is at least 128 bits in length . . .

How to Conduct a Data Inventory (2016)

Knowing the type of data that you collect, where it is being held, with whom it is being shared, and how it is being transferred is a central component of most data privacy and data security programs. The process of answering these questions is often referred to as a “data map” or a “data inventory.” Although the questions that a data map tries to solve are relatively straightforward, the process of conducting a data map can be daunting depending upon the size and structure of an organization . . .

Evaluating Data Privacy and Security Issues of Self-Driving Vehicles (2016)

Self-driving cars, or autonomous vehicles, may be the greatest disruptive innovation to travel that we have experienced in a century. A fully-automated, self-driving car is able to perceive its environment, determine the optimal route, and drive unaided by human intervention for the entire journey. Self-driving cars have the potential to drastically reduce accidents, travel time, and the environmental impact of road travel. However, obstacles remain for the full implementation of the technology including the need to reduce public fear, increase reliability, and create adequate regulations . . .

SEC CyberDisclosures At A Glance (2015)

The SEC has made clear that there are a number of disclosure requirements that might impose an obligation on an issuer to disclose cyber-risks and cyber-incidents, and it has discussed certain of those requirements, including disclosures required in risk factors, MD&A, business descriptions, legal proceedings, financial statements, and disclosure controls and procedures. . . .

Understanding The Responsibilities and Liabilities of Business Associates at a Glance (2015)

The Health Information Technology for Economic and Clinical Health (“HITECH”) Act modified the Health Insurance Portability and Accountability Act (“HIPAA”) by expanding the definition of “Business Associates” and their responsibilities and liabilities. Pursuant to HITECH and HIPAA, Business Associates are required to . . .

Due Diligence in Mergers & Acquisitions At A Glance (2015)

The FTC has held acquirers responsible for the bad data security and privacy practices of the companies that they acquire.  Evaluating a potential target’s data privacy and security practices can be daunting and complicated . . .

BYOD At A Glance (2015)

Many companies permit their employees to use personal mobile devices, such as smartphones and tablets, to access company-specific information, such as email. Bring Your Own Device (“BYOD”) policies can be popular with employees who want to use their hand-picked device and with employers who avoid the cost of providing, and maintaining, company-owned devices. Nonetheless, the use of company data on non-company devices implicates both security and privacy considerations . . .

Wire Transfer Fraud At A Glance (2015)

Businesses are increasingly falling victim to wire fraud scams – sometimes referred to as “man-in-the-email” or “business email compromise” scams. Although there are multiple variants, a common situation involves an attacker gaining access to the email system of a company, or the company’s vendor, and monitoring email traffic about an upcoming transaction . . .
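The scheme described in this entry, in the 2016 wire-transfer entry above, and in the W-2 phishing entry (an executive impersonated by email) is caught by checking the message rather than trusting its text. The following is an added example written for this page, not code from the original posts or from the firm: it parses constructed sample messages with Python’s standard `email` module and flags the three signals a payments team can check before acting on new wire instructions. The list of known counterparty domains, the phrase list, the 0.85 similarity threshold and the sample messages are all assumptions for illustration.

```python
"""Triage incoming wire instructions for business e-mail compromise signals.

Added example for this page (not code from the original posts). The three
checks are: a Reply-To pointing away from the visible sender, a sender or
reply domain that imitates a known counterparty, and a request to change
bank details. All domains, phrases and messages below are constructed.
"""
import difflib
import email
from email import policy
from email.utils import parseaddr

# Assumed list of domains the payments team legitimately corresponds with.
KNOWN_DOMAINS = {"acme-supply.com", "example-bank.com", "ourcompany.com"}

# Assumed phrases that signal a request to redirect payment.
BANK_CHANGE_PHRASES = (
    "new account",
    "updated wire instructions",
    "new bank",
    "changed bank details",
    "change our bank",
)

# Assumed threshold: how similar a domain must be to count as a look-alike.
LOOKALIKE_RATIO = 0.85

# Constructed sample messages. The second uses a capital I in place of the
# lower-case l of "supply" and routes replies to an unrelated mailbox.
SAMPLE_LEGIT = """\
From: Dana Lee <ap@acme-supply.com>
To: payments@ourcompany.com
Subject: Invoice 4471

Hi, invoice 4471 is attached, same terms as last quarter.
"""

SAMPLE_FRAUD = """\
From: Dana Lee <ap@acme-suppIy.com>
Reply-To: dana.lee.acme@mail-example.net
To: payments@ourcompany.com
Subject: RE: Invoice 4471

We have changed bank details; please send payment to the new account below.
"""


def _domain(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, address = parseaddr(str(header_value or ""))
    return address.rpartition("@")[2].lower()


def lookalike_domain(domain, known=KNOWN_DOMAINS):
    """Return the known domain that `domain` imitates, or None.

    A domain on the known list is trusted as-is; any other domain is compared
    against each known one with difflib, so a single substituted character
    (acme-suppiy.com vs acme-supply.com) scores above the threshold.
    """
    if not domain or domain in known:
        return None
    for candidate in known:
        ratio = difflib.SequenceMatcher(None, domain, candidate).ratio()
        if ratio >= LOOKALIKE_RATIO:
            return candidate
    return None


def analyze_message(raw):
    """Return the list of reasons a message should be held for verification.

    An empty list means none of the three checks fired; it does not mean the
    message is genuine.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []

    from_domain = _domain(msg["From"])
    reply_domain = _domain(msg["Reply-To"]) if msg["Reply-To"] else from_domain
    if reply_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from sender domain {from_domain}")

    for domain in sorted({from_domain, reply_domain}):
        imitated = lookalike_domain(domain)
        if imitated:
            reasons.append(f"domain {domain} resembles known counterparty {imitated}")

    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg["Subject"] or "") + "\n" + (body.get_content() if body else "")).lower()
    if any(phrase in text for phrase in BANK_CHANGE_PHRASES):
        reasons.append("message asks to change where payment is sent")

    return reasons


if __name__ == "__main__":
    for label, sample in (("legit", SAMPLE_LEGIT), ("fraud", SAMPLE_FRAUD)):
        print(label, analyze_message(sample) or ["no BEC signals"])
```

A flagged message is not proof of fraud; the point is that it is held until the request is confirmed with the counterparty by a phone number already on file, never one taken from the email itself. The Reply-To check catches the common case where an attacker spoofs or closely imitates the sender but needs replies to reach a mailbox they control; the look-alike check catches the registered-domain variant. Neither check fires when the attacker is sending from the counterparty’s real, compromised mailbox, which is why the out-of-band confirmation is the control that matters.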

Asia and Data Protection: At A Glance (2015)

Europe has had data protection laws in place for over a decade. In Asia, many countries have historically relied on constitutional law or sector-based rules to protect personal data and, until recently, only a few countries had any form of consolidated data protection legislation…

Data Maps and Data Inventories At A Glance (2015)

Knowing the type of data that you collect, where it is being held, with whom it is being shared, and how it is being transferred is a central component of many data privacy and data security programs. The process of answering these questions is often referred to as a data map or a data inventory. Although the questions that a data map tries to solve are relatively straightforward, the process of conducting one can be daunting . . .

Document Retention and Collection Policies At A Glance (2015)

Data minimization can be a powerful – and seemingly simple – data security measure.  The term refers to retaining the least amount of personal information that is necessary in order for an organization to function. Less information means that there is less that the organization needs to protect, and less opportunity for information to be lost or stolen . . .

EMV Technology At A Glance (2015)

Over the past several years the credit card industry has been encouraging banks and retailers to migrate to EMV technology, which is sometimes referred to as “chip-and-PIN” or “chip-and-signature.” EMV, which is named after the developers of the technology (Europay, MasterCard, Visa), is a technical standard that includes a microprocessor physically embedded in a plastic credit card. The chip stores card data which, when the card is inserted into a terminal, is read and cryptographically authenticated for each transaction . . .

FDIC Data Security Examinations At A Glance (2015)

FDIC bank examinations generally include a focus on information technology systems with a particular focus on data security. The examination process relies to some extent on bank management attestations regarding the extent to which IT risks . . .

Credit Card Payment Processing Agreements At A Glance (2015)

Credit cards are the primary form of payment for most retailers. In order to process credit cards a retailer must enter into an agreement with a bank and a payment processor. Those agreements can be daunting and often have significant impacts on a retailer’s financial liability in the event of a data breach. Indeed, in many cases the contractual liabilities that flow from the credit card processing agreement surpass all other financial liabilities that arise from a breach, including litigation . . .

Self-Driving Cars At A Glance (2015)

Self-driving cars, or autonomous vehicles, may be the greatest disruptive innovation to travel that we have experienced in a century. A fully-automated, self-driving car is able to perceive its environment, determine the optimal route, and drive unaided by human intervention for the entire journey. Self-driving cars have the potential to drastically reduce accidents, travel time, and the environmental impact of road travel. However, obstacles remain for the full implementation of the technology . . .

Contracting with Cloud Computing Vendors At A Glance (2015)

Most companies use some form of cloud computing. While cloud computing’s scalability offers cost efficiencies, it also raises security concerns, and service providers cannot guarantee 100% security of the underlying data . . .

Written Information Security Policies At A Glance (2015)

Although federal law only requires that financial institutions and health care providers maintain a written information security policy or “WISP,” approximately thirty four states have enacted legislation that requires organizations in other industries to take steps to keep certain forms of personal information safe. . .

Crowdsourcing Security With Bounty Programs At A Glance (2015)

There is a great deal of debate about the merits of listening to the security concerns of people outside of an organization. On one end of the spectrum companies refuse to discuss any aspect of their security with the public. On the other end of the spectrum companies proactively encourage the public to report security vulnerabilities by paying well meaning hackers (usually called “white hat” hackers) to report problems. While these companies view “bounty” programs as . . .

Appointing your company’s DPO in Germany At A Glance (2015)

Under German law most companies are required to assign a data protection official (DPO) within one month of beginning business operations. The assigned DPO must be adequately qualified, and qualifications generally depend on the scope of data processed and the industry in which the business operates . . .

The FTC Top Violators Report At A Glance (2015)

Each month the FTC’s Division of Planning and Information (“DPI”) creates a “Top Violators” report that ranks the fifty companies with the greatest volume of consumer complaints for that month. The report indicates whether each company listed was included in the previous month’s report, whether its rank has changed, and the number of complaints received by the FTC that month. For companies that are new to the report, DPI reviews their complaints and summarizes the issue, or issues, that are being raised . . .

Bounty Programs At a Glance (2015)

Data security officers keep their eyes open for risks. Usually this means monitoring reports from automated security systems that flag potential security events and listening to employees’ reports of security issues. There is a great deal of debate, however, about the merits of listening to the security concerns of people outside of an organization. On one end of the spectrum companies refuse to discuss any aspect of their security with the public. On the other end of the spectrum companies proactively encourage the public to report security vulnerabilities by paying well meaning hackers (usually called “white hat” hackers) to report problems . . .

The FTC Surge Report At a Glance (2015)

The FTC collects complaints about companies alleged data privacy, data security, advertising, and marketing violations.  Each month the FTC’s Division of Planning and Information (“DPI”) creates a “Surge” report that identifies those companies with the greatest increase in consumer complaint volume . . .

FINRA Report on Cybersecurity Practices (2015)

On February 4, 2015, FINRA published its report on cybersecurity practices arising out of its 2014 targeted examination of firms’ cybersecurity preparedness.  The Report reflects FINRA’s risk management-based approach to cybersecurity issues, identifying principles and “effective practices” for member firms to consider, as opposed to decreeing specific requirements, policies or procedures. FINRA characterizes its intent in preparing the Report as an attempt to focus firms on a “risk management-based approach to cybersecurity” that can be tailored to each firm’s particular circumstances. . .

Data Class Action Litigation At A Glance (2015)

According to FBI Director James Comey, “there are two kinds of big companies in the United States. There are those who’ve been hacked…and those who don’t know they’ve been hacked.” It is no wonder that management is increasingly concerned about the risks that flow from a data breach, especially the risk that their company will face a class action lawsuit. . .

SEC Issues Cybersecurity Exam Observations (2015)

On February 3, 2015, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert summarizing its findings following examination of the preparedness of 57 broker-dealers and 49 investment advisory firms to address legal, regulatory and compliance challenges related to cybersecurity. These examinations grew out of the SEC’s Cybersecurity Examination Initiative which began last year . . .

Written Information Security Policies At a Glance (2015)

Although federal law only requires that financial institutions and health care providers maintain a written information security policy or “WISP,” approximately thirty four states have enacted legislation that requires organizations in other industries to take steps to keep certain forms of personal information safe. These statutes are broadly referred to as “safeguards” legislation . . .

Cyber Insurance At a Glance (2015)

Most businesses know they need insurance to cover risks to the business’s property, like fire or theft, or the risk of liability if someone is injured at the business. But a substantial portion of businesses don’t carry coverage for a rapidly expanding area of risk: data breaches. Despite numerous high-profile breaches in the past year, many businesses do not have a cyber insurance policy. . .