Today, only 2 days after consensus was reached on the final text of the new EU Data Protection Regulation, the first step has been taken to officially adopt the law and enter a new era of data protection.  This morning, the Parliament’s Civil Liberties, Justice and Home Affairs Committee (LIBE) formally adopted the text

Last week, Politico published the results of its recent survey “What keeps America’s computer experts up at night?”  Crowell & Moring’s Privacy & Cybersecurity Group Co-Chair Evan Wolff, as well as Senior Counsel Harvey Rishikof, both participated in the survey, which touched on issues ranging from cyber legislation to the potential for cyber attacks on

Wyndham-FTC Settlement Looks to PCI; Target Consumer Appeals Settlement; Leaders Propose Encryption Commission; Ashley Madison MDL in St. Louis; FTC Commissioner Warns of FCC ISP Overreach; Moms Sue Over Doll’s IoT Capability

Wyndham to Implement PCI-Focused Information Security Program in Settlement with FTC

On Wednesday, the FTC and Wyndham settled a long-standing dispute regarding the hospitality company’s alleged “unfair and deceptive” data security practices, a suit that confirmed the FTC’s authority to regulate in the space.  Wyndham agreed to establish a comprehensive information security program designed to protect payment cardholder data and to conduct regular structural audits of its information security systems – taking cues from the Payment Card Industry Data Security Standard.

Target Consumer Appeals $10M Data Breach Settlement

Californian James Sciaroni has appealed the $10 million consumer class action settlement approved in November by Judge Paul Magnuson.  When Sciaroni objected to the settlement in July, he argued that it “does not adequately compensate the class,” totaling only about 9 cents per class member in compensatory damages, in addition to the information security standards Target accepted.

Continue Reading: Privacy-Cybersecurity Weekly News Update, December 6 – 11, 2015

On Monday, the HHS Office of Civil Rights (OCR) released its third resolution and settlement agreement in as many weeks.  The $750,000 settlement with the University of Washington Medicine (“UWM”) is yet another citing the alleged failure to conduct an enterprise-wide risk analysis as required by the HIPAA Security Rule.  As part of the settlement,

EU Data Protection Law Reform: Most of the General Data Protection Regulation (GDPR) text agreed in principle; Schrems’ second hit – Austrian citizen files three new complaints with EU Data Protection authorities to suspend data transfers outside the EU by Facebook; EU Privacy Regulators to Evaluate VTech Breach.

EU Data Protection Law Reform: Most of the General Data Protection Regulation (GDPR) text agreed in principle

Jan Philipp Albrecht, the European Parliament’s lead negotiator on November 30 stated that the European negotiators have agreed “in principle” on most of the text for the new General Data Protection Regulation (GDPR), which is aimed to be finalized by the end of 2015.

According to texts of the Luxembourg Presidency, which also include suggested compromise texts, important areas which still remain under discussion are the provisions on Data Breaches, the criteria for the appointment of a Data Protection Officer (“DPO”) and the amount of the Administrative Fines.

Continue Reading: Key EU Privacy & Cybersecurity Highlights, November 30 – December 6, 2015

Target Settles Data Breach Claims with Banks and Insurers

On Thursday, Target agreed to settle claims with a group of financial institutions arising from its 2013 data breach involving customers’ credit card information.  Target reportedly will pay $39 million to settle the class-action suit in federal court in Minnesota.  This settlement follows a $67 million settlement with Visa in August and a $10 million settlement of a consumer class action in March.

Chinese Government Arrests Suspected OPM Hackers

The Washington Post reported Wednesday that Chinese officials arrested several hackers purportedly connected with the data breach of 22 million OPM personnel records earlier this year.  The arrests occurred shortly before President Xi’s September state visit.  The Post noted that one U.S. official responded that “[w]e don’t know that [sic] if the arrests the Chinese purported to have made are the guilty parties . . . [t]here is a history [in China] of people being arrested for things they didn’t do . . . .”

OMB Director Donovan Announces New Federal Privacy Council

In a speech Wednesday to the Federal Privacy Summit, Office of Management & Budget (OMB) Director Shaun Donovan announced the establishment of the Federal Privacy Council.  The Council will be tasked with interagency integration and sharing of best practices and to “professionalize the privacy profession.”

Continue Reading: Privacy-Cybersecurity Weekly News Update, November 29 – December 4, 2015

EU Ministers of Home Affairs push for Passenger Records Directive; EU Member States Data Protection Authorities: News Regarding Safe Harbor (continuous update).

EU Ministers of Home Affairs push for Passenger Records Directive

In the aftermath of the November 13 attacks in Paris, European Union Ministers of Home Affairs push for the release of a Passenger

Congress has taken another step to emphasize the importance of detecting and deterring cyber crime, as the House recently passed the Strengthening State and Local Cyber Crime Fighting Act.  Please see Trade Secrets Trends for a post by our colleagues John McCarthy and Craig Lytle for more details about the bill’s passage and significance.


Record Fine: Belgium’s Court orders Facebook to stop Data Protection law violation under forfeiture of a penalty of € 250,000 per day; Big Data: Opinion of The European Data Protection Supervisor; Safe Harbor Topic 1: Hamburg DPA actively preparing enforcement actions; Data Protection vs. Terrorism: Belgium to push for Passenger Records Law following Paris attacks; Safe Harbor Topic 2: EU Chief Jourova confident about ongoing Safe Harbor negotiations; Safe Harbor Topic 3: Norwegian DPA requires authorization of US data transfers.

Penalties and Fines: Belgium’s Court orders Facebook to stop violations of Belgium Data Protection Act under forfeiture of a penalty of €250,000 per day

A Belgian Court has fined Facebook €250,000 per day for violations of the Belgian Data Protection Act.

Facebook had collected web data of millions of Belgians who are not members of Facebook’s social network, but were simply visiting websites. The Court in its judgment of 9 November 2015 found that this way of collecting data is a “manifest” violation of Belgian data protection law. According to the court, this applies irrespective of the purposes for which Facebook uses this data after having collected it. Facebook argued that European users of its social network are subject to Irish Data Protection Law (instead of Belgian law). The court disagreed, citing the well-known Google Spain case, which ruled that a Member State’s law applies if the activities of a local establishment are inextricably linked to the activities of the data controller.

The Court ordered Facebook to stop the violations under forfeiture of a penalty of €250,000 per day. The court based this on the consideration that the penalty’s amount needs to be sufficiently deterrent. The Court pointed out that Facebook in 2014 realized a turnover of US$12.4 billion and a profit of US$2.9 billion, so that the amount of €250,000 per day was considered adequate.  Facebook has announced that it will file an appeal against the judgment, which however does suspend the initial judgment.

Continue Reading: Key EU Privacy & Cybersecurity Highlights, November 16 – November 22, 2015

FCC expands data security enforcement; Sprint settles FCRA claims; $12.5M fine for background screening agencies; Congress considers auto cybersecurity study; No FCC “do not track” rules; Safe harbor alternatives; No SCA liability for inadvertent disclosure

FCC takes first enforcement action related to cable operator’s data security

The Federal Communications Commission fined Cox Communications $595,000 for failing to employ proper security and notification practices related to its 2014 data breach.  The Communications Act of 1934 requires cable operators to protect subscribers’ personally identifiable information.  Cox, the third-largest cable provider in the U.S., suffered a data breach when social engineering and phishing efforts resulted in unauthorized access to Cox’s customer database.  Specifically, an unauthorized user pretended to be a Cox representative and convinced a contractor and a tech support representative to enter their access credentials into a fake Cox website.  Cox notified the FBI and later sent notice to most of the affected customers, but never reported the breach to the FCC.  The FCC’s fine comes on the heels of an investigation into whether Cox properly protected customers’ proprietary information and provided prompt notice to affected customers and law enforcement authorities.  In addition to paying the penalty, Cox must comply with requirements designed to improve its data security practices, notify all affected current and former customers of the breach, and provide those affected with free credit monitoring services.  This is the FCC’s third enforcement action this year related to violations of the Communications Act, and its first action against a cable provider.

Companies should review whether their data security procedures account for attacks using social engineering.  This may include multi-factor authentication for all employees, minimizing the number of employees with access to customers’ personal information, and procedures and sanctions governing third-party compliance with security procedures.  Companies should also ensure their notice practices account for all affected individuals and the relevant government agencies.

Continue Reading: Key Privacy & Cybersecurity Highlights, November 2 – November 8, 2015