<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Privacy Risk Report &#187; data</title>
	<atom:link href="https://privacyriskreport.com/tag/data/feed/" rel="self" type="application/rss+xml" />
	<link>https://privacyriskreport.com</link>
	<description></description>
	<lastBuildDate>Fri, 03 Feb 2023 16:49:49 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
	<item>
		<title>Industry Cyber Regulations Fill The Gaps Left By Federal And State Law</title>
		<link>https://privacyriskreport.com/industry-cyber-regulations-fill-the-gaps-left-by-federal-and-state-law/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=industry-cyber-regulations-fill-the-gaps-left-by-federal-and-state-law</link>
		<comments>https://privacyriskreport.com/industry-cyber-regulations-fill-the-gaps-left-by-federal-and-state-law/#comments</comments>
		<pubDate>Thu, 11 Apr 2019 16:17:08 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[insurance]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1810</guid>
		<description><![CDATA[<div class="e-mailit_top_toolbox">
<div class="e-mailit_toolbox square size32 " data-emailit-url='https://privacyriskreport.com/industry-cyber-regulations-fill-the-gaps-left-by-federal-and-state-law/' data-emailit-title='Industry Cyber Regulations Fill The Gaps Left By Federal And State Law'>
<div class="e-mailit_btn_Facebook"></div>
<div class="e-mailit_btn_Twitter"></div>
<div class="e-mailit_btn_Send_via_Email"></div>
<div class="e-mailit_btn_Pinterest"></div>
<div class="e-mailit_btn_LinkedIn"></div>
<div class="e-mailit_btn_EMAILiT"></div>
</div>
</div>
<p>While the United States may not have data protections in place that are as extensive as those seen the European Union&#8217;s adoption of GDPR, there is still a comprehensive framework of state and federal regulations in place to protect personal... <a class="more-link" href="https://privacyriskreport.com/industry-cyber-regulations-fill-the-gaps-left-by-federal-and-state-law/">Continue Reading &#8594;</a>
<div class="e-mailit_bottom_toolbox">
<div class="e-mailit_toolbox square size32 " data-emailit-url='https://privacyriskreport.com/industry-cyber-regulations-fill-the-gaps-left-by-federal-and-state-law/' data-emailit-title='Industry Cyber Regulations Fill The Gaps Left By Federal And State Law'>
<div class="e-mailit_btn_Facebook"></div>
<div class="e-mailit_btn_Twitter"></div>
<div class="e-mailit_btn_Send_via_Email"></div>
<div class="e-mailit_btn_Pinterest"></div>
<div class="e-mailit_btn_LinkedIn"></div>
<div class="e-mailit_btn_EMAILiT"></div>
</div>
</div>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/industry-cyber-regulations-fill-the-gaps-left-by-federal-and-state-law/">Industry Cyber Regulations Fill The Gaps Left By Federal And State Law</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<div class="e-mailit_top_toolbox"><div class="e-mailit_toolbox square size32 " data-emailit-url='https://privacyriskreport.com/industry-cyber-regulations-fill-the-gaps-left-by-federal-and-state-law/' data-emailit-title='Industry Cyber Regulations Fill The Gaps Left By Federal And State Law'>
<div class="e-mailit_btn_Facebook"></div>
<div class="e-mailit_btn_Twitter"></div>
<div class="e-mailit_btn_Send_via_Email"></div>
<div class="e-mailit_btn_Pinterest"></div>
<div class="e-mailit_btn_LinkedIn"></div>
<div class="e-mailit_btn_EMAILiT"></div></div>
</div><p>While the United States may not have data protections in place that are as extensive as those seen the <a href="https://privacyriskreport.com/tick-tock-a-gdpr-primer-to-meet-the-deadline-next-week/" target="_blank">European Union&#8217;s adoption of GDPR</a>, there is still a comprehensive framework of state and federal regulations in place to protect personal information. Many industries are building on the foundation set by state and federal guidelines by creating industry-specific cyber standards. For example, various organizations in the insurance industry are taking steps to ensure their members have guidance on cyber security.</p>
<ul>
<li><strong>The Insurance Industry’s Data Protection Standards </strong></li>
</ul>
<p>The National Association of Insurance Commissioners (“NAIC”), an organization that coordinates the efforts of state insurance regulators, provides one of the best examples of an industry taking steps on its own to regulate cyber security for the insurance industry. Early NAIC cyber security initiatives included creating <em><a href="https://privacyriskreport.com/insurance-commissioners-consider-cybersecurity-regulatory-principles-for-cyber-insurers/" target="_blank">Principles for Effective Cybersecurity Insurance Regulatory Guidance</a></em> to “help state insurance departments identify uniform standards, promote accountability and provide access to essential information.” The NAIC’s initiatives are based on the realization that the insurance industry faces its own unique issues in protected sensitive data. In short, the NAIC’s initiatives provide one of the best examples of an industry taking steps to regulate itself rather than wait for state or federal regulations to plug the gaps.</p>
<ul>
<li><strong>The Data Protections Found In The NAIC’s “Model Law.” </strong></li>
</ul>
<p>The NAIC furthered its track record on cyber security measures when it adopted the Insurance Data Security Model Law (“Model Law”) in October 2017 to encourage members of the insurance industry to adopt cyber security programs that would protect consumers’ personal information, create standards that would limit damage caused by a breach and create a protocols to investigate incidents and notify the state insurance commissioner. Specifically, the the Model Law is intended “to establish standards for data security and standards for the investigation of and notification to the Commission of a Cybersecurity Event” that involves an entity regulated under the insurance laws of a given state. (A copy of the <a href="https://www.naic.org/store/free/MDL-668.pdf" target="_blank">Model Law can be found here</a>.)</p>
<p>Insurance entities that operate in a state that has adopted a version of the Model Law may be subject to new regulations spanning the time prior to a cyber incident to points after an incident.  First, under the Model Law, an insurance entity may be required to create an “Information Security Program” and “Incident Response Plan” prior to an incident. The Model Law would also govern the insurance entities’ response to a cyber incident by creating guidelines to investigate and provide notification after an incident. The Model Law is currently being considered in a number of states (Connecticut, Mississippi, Nevada, Rhode Island and New Hampshire) and has been adopted in some form in Michigan and South Carolina.</p>
<ul>
<li><strong>Ohio’s Adoption Of The “Model Law” </strong></li>
</ul>
<p>Ohio is one of the first states to adopt a version of the NAIC’s Model Law through Senate Bill 273. On December 19, 2018, John Kasich, Ohio’s governor, signed Bill 273 into law which requires entities subject to Ohio’s insurance laws to take certain steps to protect private information. While the Ohio legislature adopted a large portion of the Model Law, Senate Bill 273 had some notable changes that include:</p>
<ul>
<li><em>Affirmative Defense</em>: Senate Bill 273 provides insurance entities that are in compliance with the statute with an affirmative defense to liability if they are sued for a cyber security incident;</li>
</ul>
<ul>
<li><em>Other Considerations:</em> The Ohio Department of Insurance can consider other factors related to a breach including the type of business and size of the insurance entity; and</li>
</ul>
<ul>
<li><em>Easy Compliance:</em> A streamlined process allows the insurance entity to file documents to comply with the provisions of this law with other corporate documents filed with the State of Ohio.</li>
</ul>
<p>Ohio’s law is more than an abstract cyber security guideline. Rather, deadlines include all insurance entities must conduct a risk assessment to address the nature and likelihood of any internal threat to private information and implement a security program resulting from the risk assessment by March 19, 2020.  Therefore, Ohio’s insurance entities have work to do over the next year.</p>
<ul>
<li><strong>Industry Standards Provide Guidance</strong></li>
</ul>
<p>While many data collectors struggle to comply with various state and federal privacy laws, industry standards provide a uniform set of regulations. Further, industry standards that are crafted by members of the industry provide guidance on the issues facing that particular industry. And, while there is an argument that more regulations may become burdensome, regulations such as Ohio’s Bill 273 are helpful to the extent they protect sensitive data, provide guidance to data collectors and may limit liability when there is a cyber security incident.</p>
<div class="e-mailit_bottom_toolbox"><div class="e-mailit_toolbox square size32 " data-emailit-url='https://privacyriskreport.com/industry-cyber-regulations-fill-the-gaps-left-by-federal-and-state-law/' data-emailit-title='Industry Cyber Regulations Fill The Gaps Left By Federal And State Law'>
<div class="e-mailit_btn_Facebook"></div>
<div class="e-mailit_btn_Twitter"></div>
<div class="e-mailit_btn_Send_via_Email"></div>
<div class="e-mailit_btn_Pinterest"></div>
<div class="e-mailit_btn_LinkedIn"></div>
<div class="e-mailit_btn_EMAILiT"></div></div>
</div><p>The post <a rel="nofollow" href="https://privacyriskreport.com/industry-cyber-regulations-fill-the-gaps-left-by-federal-and-state-law/">Industry Cyber Regulations Fill The Gaps Left By Federal And State Law</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/industry-cyber-regulations-fill-the-gaps-left-by-federal-and-state-law/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Illinois Class Action Suit Highlights Issues When An Employer Allegedly Breaches Employee Data</title>
		<link>https://privacyriskreport.com/illinois-class-action-suit-highlights-issues-when-an-employer-allegedly-breaches-employee-data/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=illinois-class-action-suit-highlights-issues-when-an-employer-allegedly-breaches-employee-data</link>
		<comments>https://privacyriskreport.com/illinois-class-action-suit-highlights-issues-when-an-employer-allegedly-breaches-employee-data/#comments</comments>
		<pubDate>Tue, 27 Mar 2018 20:39:29 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[Employment]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1466</guid>
		<description><![CDATA[<div class="e-mailit_top_toolbox">
<div class="e-mailit_toolbox square size32 " data-emailit-url='https://privacyriskreport.com/illinois-class-action-suit-highlights-issues-when-an-employer-allegedly-breaches-employee-data/' data-emailit-title='Illinois Class Action Suit Highlights Issues When An Employer Allegedly Breaches Employee Data'>
<div class="e-mailit_btn_Facebook"></div>
<div class="e-mailit_btn_Twitter"></div>
<div class="e-mailit_btn_Send_via_Email"></div>
<div class="e-mailit_btn_Pinterest"></div>
<div class="e-mailit_btn_LinkedIn"></div>
<div class="e-mailit_btn_EMAILiT"></div>
</div>
</div>
<p>A class action entitled Wade v. ABM Indus. Inc., 2018 CH 3855 was initiated last week against ABM Industries (“ABM”) in Illinois based on allegations that ABM recently breached its employee’s Personal Information.  In summary, the class action plaintiff claims... <a class="more-link" href="https://privacyriskreport.com/illinois-class-action-suit-highlights-issues-when-an-employer-allegedly-breaches-employee-data/">Continue Reading &#8594;</a>
<div class="e-mailit_bottom_toolbox">
<div class="e-mailit_toolbox square size32 " data-emailit-url='https://privacyriskreport.com/illinois-class-action-suit-highlights-issues-when-an-employer-allegedly-breaches-employee-data/' data-emailit-title='Illinois Class Action Suit Highlights Issues When An Employer Allegedly Breaches Employee Data'>
<div class="e-mailit_btn_Facebook"></div>
<div class="e-mailit_btn_Twitter"></div>
<div class="e-mailit_btn_Send_via_Email"></div>
<div class="e-mailit_btn_Pinterest"></div>
<div class="e-mailit_btn_LinkedIn"></div>
<div class="e-mailit_btn_EMAILiT"></div>
</div>
</div>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/illinois-class-action-suit-highlights-issues-when-an-employer-allegedly-breaches-employee-data/">Illinois Class Action Suit Highlights Issues When An Employer Allegedly Breaches Employee Data</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<div class="e-mailit_top_toolbox"><div class="e-mailit_toolbox square size32 " data-emailit-url='https://privacyriskreport.com/illinois-class-action-suit-highlights-issues-when-an-employer-allegedly-breaches-employee-data/' data-emailit-title='Illinois Class Action Suit Highlights Issues When An Employer Allegedly Breaches Employee Data'>
<div class="e-mailit_btn_Facebook"></div>
<div class="e-mailit_btn_Twitter"></div>
<div class="e-mailit_btn_Send_via_Email"></div>
<div class="e-mailit_btn_Pinterest"></div>
<div class="e-mailit_btn_LinkedIn"></div>
<div class="e-mailit_btn_EMAILiT"></div></div>
</div><p>A class action entitled <em>Wade v. ABM Indus. Inc.,</em> 2018 CH 3855 was initiated last week against ABM Industries (“ABM”) in Illinois based on allegations that ABM recently breached its employee’s Personal Information.  In summary, the class action plaintiff claims he was damaged by his employer, ABM, “when it &#8216;allowed hackers to obtain access to Plaintiff’s and other employees’ Personal Information.”  In particular, the class action plaintiff claims his Personal Information “should not have been susceptible to unauthorized access through the use of one of the oldest, and least sophisticated types of cyber-attacks &#8211; the ‘phishing email scheme.’”</p>
<p><strong>Allegations Related To The Breach</strong></p>
<p>The class action plaintiff claims his Personal Information, including documents containing medical information, was taken during a breach in August of 2017.  Specifically, the class action plaintiff claims ABM was the target of “cyber attackers” a number of times over the years and, therefore, should have taken better steps to protect its employees’ information prior to the “phishing” attack which led to the subject data breach.</p>
<p>The class action plaintiff claims ABM should have been better prepared for this incident since it had “been targeted by cyber-attacks many times in the last decade.”</p>
<p><strong>Allegations Related To ABM’s Notification</strong></p>
<p>The class action plaintiff further alleges that ABM should not have waited more than seven months to notify its employees of the incident on March 5, 2018.  In addition to failing to be timely, the class action plaintiff claims the notification letter failed to provide sufficient information concerning the incident to allow its employees to protect themselves.</p>
<p><strong>Causes Of Action</strong></p>
<p>The class action plaintiff claims he has had to take steps to protect against identity theft and fraud and has suffered mental anguish when “he experiences anxiety and anguish when he thinks about what would happen if his identity is stolen as a result of the Data Breach.”</p>
<p>In addition to claims for breach of contract, breach of implied contract and a violation of Illinois’ Consumer Fraud and Deceptive Business Practices Act, the class action plaintiff’s complaint also contains the following causes of action:</p>
<ul>
<li><em>Violation Of N.Y. Gen. Bus. Law §349 et. seq</em>.: In his first cause of action, the class action plaintiff claims ABM engaged in “deceptive, unfair and unlawful trade acts or practices.”  Here, the class action plaintiff claims he had to provide his Personal Information as a condition of employment.</li>
</ul>
<ul>
<li><em>Negligence</em>: In his fourth cause of action, the class action plaintiff claims ABM was negligent when it failed to implement reasonable security measures and cybersecurity protocol and failed to timely notify the class action plaintiff of the incident involving his Personal Information.</li>
</ul>
<p>The allegations found in the class action plaintiff’s complaint against ABM highlight the difficult position employers may find themselves in when employees claim their personal information has been compromised.  Of course, the employer-employee relationship requires the parties continue to work together and exchange information even after an employee claims their information has been compromised.  Further, these allegations are part of a growing trend calling into question not only the technical safeguards of a data collector, but also calling into question non-technical safeguards such as security protocols and the reasonableness of a data collector’s notification process.  In the end, liability for a breach involving customer data or employee data will be limited if a data collector can show it took as many reasonable steps as possible to protect that data.</p>
<div class="e-mailit_bottom_toolbox"><div class="e-mailit_toolbox square size32 " data-emailit-url='https://privacyriskreport.com/illinois-class-action-suit-highlights-issues-when-an-employer-allegedly-breaches-employee-data/' data-emailit-title='Illinois Class Action Suit Highlights Issues When An Employer Allegedly Breaches Employee Data'>
<div class="e-mailit_btn_Facebook"></div>
<div class="e-mailit_btn_Twitter"></div>
<div class="e-mailit_btn_Send_via_Email"></div>
<div class="e-mailit_btn_Pinterest"></div>
<div class="e-mailit_btn_LinkedIn"></div>
<div class="e-mailit_btn_EMAILiT"></div></div>
</div><p>The post <a rel="nofollow" href="https://privacyriskreport.com/illinois-class-action-suit-highlights-issues-when-an-employer-allegedly-breaches-employee-data/">Illinois Class Action Suit Highlights Issues When An Employer Allegedly Breaches Employee Data</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/illinois-class-action-suit-highlights-issues-when-an-employer-allegedly-breaches-employee-data/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Court Finds Virtual Currencies Are &#8220;Commodities&#8221; Subject To Existing Laws</title>
		<link>https://privacyriskreport.com/court-finds-virtual-currencies-are-commodities-subject-to-existing-laws/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=court-finds-virtual-currencies-are-commodities-subject-to-existing-laws</link>
		<comments>https://privacyriskreport.com/court-finds-virtual-currencies-are-commodities-subject-to-existing-laws/#comments</comments>
		<pubDate>Thu, 08 Mar 2018 16:51:41 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[bitcoin]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[CFTC]]></category>
		<category><![CDATA[Chicago]]></category>
		<category><![CDATA[commodities]]></category>
		<category><![CDATA[crypto currency]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[virtual currencies]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1457</guid>
		<description><![CDATA[<div class="e-mailit_top_toolbox">
<div class="e-mailit_toolbox square size32 " data-emailit-url='https://privacyriskreport.com/court-finds-virtual-currencies-are-commodities-subject-to-existing-laws/' data-emailit-title='Court Finds Virtual Currencies Are &#8220;Commodities&#8221; Subject To Existing Laws'>
<div class="e-mailit_btn_Facebook"></div>
<div class="e-mailit_btn_Twitter"></div>
<div class="e-mailit_btn_Send_via_Email"></div>
<div class="e-mailit_btn_Pinterest"></div>
<div class="e-mailit_btn_LinkedIn"></div>
<div class="e-mailit_btn_EMAILiT"></div>
</div>
</div>
<p>Unfortunately, the law governing cyber security and privacy issues has not kept pace with the technology giving rise to these issues.   However, a recent decision applying existing law to Bitcoin and other virtual currencies provides insight on how we may... <a class="more-link" href="https://privacyriskreport.com/court-finds-virtual-currencies-are-commodities-subject-to-existing-laws/">Continue Reading &#8594;</a>
<div class="e-mailit_bottom_toolbox">
<div class="e-mailit_toolbox square size32 " data-emailit-url='https://privacyriskreport.com/court-finds-virtual-currencies-are-commodities-subject-to-existing-laws/' data-emailit-title='Court Finds Virtual Currencies Are &#8220;Commodities&#8221; Subject To Existing Laws'>
<div class="e-mailit_btn_Facebook"></div>
<div class="e-mailit_btn_Twitter"></div>
<div class="e-mailit_btn_Send_via_Email"></div>
<div class="e-mailit_btn_Pinterest"></div>
<div class="e-mailit_btn_LinkedIn"></div>
<div class="e-mailit_btn_EMAILiT"></div>
</div>
</div>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/court-finds-virtual-currencies-are-commodities-subject-to-existing-laws/">Court Finds Virtual Currencies Are &#8220;Commodities&#8221; Subject To Existing Laws</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<div class="e-mailit_top_toolbox"><div class="e-mailit_toolbox square size32 " data-emailit-url='https://privacyriskreport.com/court-finds-virtual-currencies-are-commodities-subject-to-existing-laws/' data-emailit-title='Court Finds Virtual Currencies Are &#8220;Commodities&#8221; Subject To Existing Laws'>
<div class="e-mailit_btn_Facebook"></div>
<div class="e-mailit_btn_Twitter"></div>
<div class="e-mailit_btn_Send_via_Email"></div>
<div class="e-mailit_btn_Pinterest"></div>
<div class="e-mailit_btn_LinkedIn"></div>
<div class="e-mailit_btn_EMAILiT"></div></div>
</div><p>Unfortunately, the law governing cyber security and privacy issues has not kept pace with the technology giving rise to these issues.   However, a recent decision applying existing law to Bitcoin and other virtual currencies provides insight on how we may expect the law controlling cyber security and privacy law to develop.</p>
<p>In <em>Commodity Futures Trading Commission v. McDonnell,</em> 2018 WL 1175156 (March 6, 2018), the District Court for the Eastern District of New York held the Commodity Futures Trading Commission (“CFTC”) “has standing to exercise its enforcement power over fraud related to virtual currencies sold in interstate commerce…”  The CFTC is tasked with stopping fraud or manipulation in derivatives markets by enforcing the Commodity Exchange Act (“CEA”).  The CEA requires “any commodity traded as a future” to be “traded on a commodity exchange approved by the CFTC.  Title 7 U.S.C. § 2.  In <em>McDonnell</em>, the threshold question was whether virtual currency may be regulated by the CFTC as a commodity.  And, after a lengthy analysis of virtual currencies, the District Court held the CFTC had authority over these markets and was entitled to enjoin the defendants from continuing to sell virtual currencies to the public.</p>
<p>The facts underpinning the <em>McDonnell </em>decision involve allegations that the Defendant, Patrick McDonnell (“McDonnell”), and his investment companies, “offered fraudulent trading and investment services related to virtual currency.”  Specifically, “[c]ustomers from the United States and abroad paid defendants for ‘membership’ in virtual currency trading groups purported to provide exit prices and profits of up to ‘300%’ per week.”  Unfortunately, the defendants disappeared by deleting company social media accounts and ceasing all communications with investors after receiving the initial payment and subsequent investments from members.</p>
<p>After hearing evidence concerning the defendants’ actions, the District Court granted a preliminary injunction to the CFTC when it found that the defendants committed fraud through false trading advice and “promised future profits.”  The District Court held that an injunction was warranted in light of the reasonable likelihood that the defendants would continue to violate the CEA.</p>
<ul>
<li><strong>Virtual Currencies Are Here To Stay</strong></li>
</ul>
<p>Before arriving at its decision, the <em>McDonnell </em>Court conducts an in-depth analysis of Bitcoin and other virtual currencies.  After addressing the basics related to virtual currencies, the District Court  finds these currencies “serve the same purposes as gold in terms of a currency, but much more efficiently because it does not have any mass and can be sent easily from place to place.”  Further, the District Court acknowledges that virtual currencies may be here to stay because “online exchanges have become more accessible allowing more members of the public to trade and invest in virtual currencies.”  The District Court concludes there is a greater chance for fraud and criminal activity as these currencies grow in popularity.</p>
<ul>
<li><strong>While The Regulations Are Slightly Unclear, There Is No Doubt That Virtual Currencies Are Regulated By<em> Some</em> Governmental Agency. </strong></li>
</ul>
<p>After taking a closer look at how virtual currencies could potentially be regulated by the Department of Justice, the Security and Exchange Commission, the Treasury Department, the IRS, private exchanges or through state regulations, the District Court settles on the CFTC as the administrative body that is “currently exercising partial supervision of virtual currencies.”  The District Court’s analysis of these regulations provides further support for the finding that the CFTC has standing to seek injunctive relief against anyone violating the CEA.</p>
<ul>
<li><strong>Virtual Currencies Are “Commodities” That Can Be Regulated By The CFTC</strong></li>
</ul>
<p>The <em>McDonnell</em> court must also address whether virtual currencies are “Commodities” as defined under the CEA. Therefore, the District Court must analyze whether virtual currencies fall within the definition of Commodities as defined in the CEA which protects agricultural products and all other goods and articles…and all services, rights, and interests…in which contracts for future delivery are presently or in the future dealt in.”  After a lengthy analysis of this issue, the District Court ultimately concludes “[v]irtual currencies can be regulated by CFTC as a commodity.”  In short, the District Court finds “[v]irtual currencies are ‘goods’ exchanged in a market for a uniform quality and value.”</p>
<ul>
<li><strong>The CFTC Is Entitled To An Injunction When The Fraud Is Not Directly Related To The Sale Of Futures Or Derivative Contracts</strong></li>
</ul>
<p>After finding the CFTC has standing to seek an injunction against the defendants, the <em>McDonnell</em> court next determines there is sufficient evidence that the defendants “committed fraud by misappropriation of investors’ funds and misrepresentation of trading advice and future profits promised to customers.”  On this issue, the District Court concluded that a preliminary injunction in favor of the CFTC was warranted in light of the finding that a fraud had been committed.</p>
<ul>
<li><strong>The Scope Of This Decision May Reach Beyond Virtual Currencies</strong></li>
</ul>
<p>First, the McDonnell decision makes clear that it is time for insurers to start considering whether virtual currency presents losses covered under traditional insurance policies or if new products should be developed.  Over the last few months we have seen more people invest in virtual currencies.  The <em>McDonnell</em> court quotes the December 1, 2017 Bloomberg Businessweek which sheds more light on virtual currencies: “The initial price of bitcoin, set in 2010, was less than 1 cent.  Now it’s crossed $16,000.  Once seen as the province of nerds, libertarians and drug dealers, bitcoin today is drawing millions of dollars from hedge funds.”  (While the price in December 2017 was $16,000, the price has since dropped). The <em>McDonnell </em>decision acknowledges that as the pool of investors increase, we can expect to see an increase in the potential for losses, theft and all the other things the defendants in this case are accused of doing.  Consequently, as virtual currencies become more ingrained in our daily lives, it may be time for insurers to start taking a closer look at losses involving virtual currencies.</p>
<p>Additionally, the <em>McDonnell</em> decision discusses a number of issues currently facing cyber and privacy law.  First, while the District Court finds virtual currencies fall into the definition of “commodities,” the Court has to work to get there.  In the end, the District Court finds that the same law can protect agricultural products and virtual currencies at the same time.  We face many of these same issues in cyber security and privacy law as we try to fit these emerging issues into laws and regulations that may have been on the books for decades.</p>
<p>Finally, the section of the <em>McDonnell</em> decision entitled “concurrent oversight from Other Agencies” discusses how a number of governmental agencies could regulate virtual currencies.  Likewise, cyber security and privacy faces a similar situation as a number of state and federal agencies fight to regulate this emerging area of law. Therefore, while the <em>McDonnell</em> decision provides insight into the regulation of virtual currencies, it also provides guidance for cyber security and privacy law.</p>
<p>&nbsp;</p>
<div class="e-mailit_bottom_toolbox"><div class="e-mailit_toolbox square size32 " data-emailit-url='https://privacyriskreport.com/court-finds-virtual-currencies-are-commodities-subject-to-existing-laws/' data-emailit-title='Court Finds Virtual Currencies Are &#8220;Commodities&#8221; Subject To Existing Laws'>
<div class="e-mailit_btn_Facebook"></div>
<div class="e-mailit_btn_Twitter"></div>
<div class="e-mailit_btn_Send_via_Email"></div>
<div class="e-mailit_btn_Pinterest"></div>
<div class="e-mailit_btn_LinkedIn"></div>
<div class="e-mailit_btn_EMAILiT"></div></div>
</div><p>The post <a rel="nofollow" href="https://privacyriskreport.com/court-finds-virtual-currencies-are-commodities-subject-to-existing-laws/">Court Finds Virtual Currencies Are &#8220;Commodities&#8221; Subject To Existing Laws</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/court-finds-virtual-currencies-are-commodities-subject-to-existing-laws/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Ironing Out The Wrinkles In Data Legislation:  A Case Study</title>
		<link>https://privacyriskreport.com/ironing-out-the-wrinkles-in-data-legislation-a-case-study/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=ironing-out-the-wrinkles-in-data-legislation-a-case-study</link>
		<comments>https://privacyriskreport.com/ironing-out-the-wrinkles-in-data-legislation-a-case-study/#comments</comments>
		<pubDate>Fri, 26 Jan 2018 20:06:42 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1426</guid>
		<description><![CDATA[<div class="e-mailit_top_toolbox">
<div class="e-mailit_toolbox square size32 " data-emailit-url='https://privacyriskreport.com/ironing-out-the-wrinkles-in-data-legislation-a-case-study/' data-emailit-title='Ironing Out The Wrinkles In Data Legislation:  A Case Study'>
<div class="e-mailit_btn_Facebook"></div>
<div class="e-mailit_btn_Twitter"></div>
<div class="e-mailit_btn_Send_via_Email"></div>
<div class="e-mailit_btn_Pinterest"></div>
<div class="e-mailit_btn_LinkedIn"></div>
<div class="e-mailit_btn_EMAILiT"></div>
</div>
</div>
<p>There should be little dispute that the current patchwork of foreign, federal, state and industry cybersecurity regulations need to be harmonized in order to protect data. While these varying laws and proposed laws can be dizzying even for large corporations, it is... <a class="more-link" href="https://privacyriskreport.com/ironing-out-the-wrinkles-in-data-legislation-a-case-study/">Continue Reading &#8594;</a>
<div class="e-mailit_bottom_toolbox">
<div class="e-mailit_toolbox square size32 " data-emailit-url='https://privacyriskreport.com/ironing-out-the-wrinkles-in-data-legislation-a-case-study/' data-emailit-title='Ironing Out The Wrinkles In Data Legislation:  A Case Study'>
<div class="e-mailit_btn_Facebook"></div>
<div class="e-mailit_btn_Twitter"></div>
<div class="e-mailit_btn_Send_via_Email"></div>
<div class="e-mailit_btn_Pinterest"></div>
<div class="e-mailit_btn_LinkedIn"></div>
<div class="e-mailit_btn_EMAILiT"></div>
</div>
</div>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/ironing-out-the-wrinkles-in-data-legislation-a-case-study/">Ironing Out The Wrinkles In Data Legislation:  A Case Study</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<div class="e-mailit_top_toolbox"><div class="e-mailit_toolbox square size32 " data-emailit-url='https://privacyriskreport.com/ironing-out-the-wrinkles-in-data-legislation-a-case-study/' data-emailit-title='Ironing Out The Wrinkles In Data Legislation:  A Case Study'>
<div class="e-mailit_btn_Facebook"></div>
<div class="e-mailit_btn_Twitter"></div>
<div class="e-mailit_btn_Send_via_Email"></div>
<div class="e-mailit_btn_Pinterest"></div>
<div class="e-mailit_btn_LinkedIn"></div>
<div class="e-mailit_btn_EMAILiT"></div></div>
</div><p>There should be little dispute that <a href="https://privacyriskreport.com/harmonization-of-federal-and-state-requirements-and-insurance-policy-conditions-may-take-time/">the current patchwork of foreign, federal, state and industry cybersecurity regulations need to be harmonized in order to protect data.</a> While these varying laws and proposed laws can be dizzying even for large corporations, it is virtually impossible for small businesses to feel confident they are meeting their obligations under these various laws.  As it stands today, a data collector, regardless of size, has to balance a number of conflicting sources when considering cyber security.  Suffice it to say, the current framework of competing laws and regulations may overwhelm data collectors causing them to simply give up on trying to meet their obligations.  In the end, data protection laws may become useless if they are too complex to be worth a data collector’s effort.</p>
<ul>
<li><strong>A Case Study:  Mom and Pop’s Cleaners</strong></li>
</ul>
<p>As 2018 <em>unfolds</em>, a hypothetical “mom and pop” dry cleaner in Tucson, Arizona keeps a registry of its customers&#8217; names, addresses, phone numbers and email addresses.  We learn that “Mom and Pop’s Cleaners” has customers that include international citizens visiting the United States and others who work at nearby businesses, as well as Arizona residents and residents from other U.S. states.  In an effort to not s<em>kirt</em> any laws, Mom and Pop have asked the<em> Privacy Risk Report</em> for assistance in understanding the laws and proposed laws that may impact them in 2018.  The following will take a real world approach and <em>spot</em> the issues presented by the laws and regulations that may impact Mom and Pop’s business in 2018.</p>
<ul>
<li><strong>Foreign Regulations Must Be Part Of The </strong><em><strong>Cycle</strong></em><strong>.  </strong></li>
</ul>
<p>Mom and Pop’s Cleaners does a brisk business with international workers at the nearby regional office of French corporation.  Accordingly, Mom and Pop have questions concerning the data they are collecting on these French residents and residents of other EU nations in 2018.</p>
<p><em>European Union General Data Protection Regulation</em></p>
<p>European Union (EU) member states will begin enforcement of the General Data Protection Regulation (“GDPR”) on May 25, 2018.  The GDPR website states this legislation “replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.”  (A guide to the EU GDPR can be found <a href="https://www.eugdpr.org/">here.</a>)</p>
<p>Importantly, GDPR will apply to all data collectors holding the personal data of EU residents regardless of whether the data collector may be located.  The definition of personal data is broadened to the extent it includes any information “that can be used to directly or indirectly identify the person.”  Therefore, under GDPR, this information can include “anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”</p>
<p>GDPR also imposes new obligations on how the data is to handled and stored.  For example, EU residents will have a “right of access” that requires data collectors provide specific details about how information is processed.  GDPR grants EU residents a right to have their personal data deleted or erased by a data collector upon their request.  <a href="http://thehill.com/opinion/cybersecurity/366607-europes-privacy-law-set-to-change-how-personal-data-is-handled-around">Further, under GDPR, data collectors will be required to perform routine assessments to identify risks for private data. </a> Finally, the penalties for non-compliance may total anywhere from 4% of annual global turnover of the breaching data collector or €20 Million (whichever is greater).</p>
<p>Mom and Pop should not dismiss the upcoming enforcement of the GDPR as something that only concerns large, multi-national corporations.  Mom and Pop, as with many data collectors of all sizes, may be surprised to find the amount of data they are storing that belongs to EU residents.  Here, there is no question that Mom and Pop have data belonging to customers that are EU residents and should at least consider whether they have obligations under GDPR and how a breach of this information could become a <em>stain</em> on their business.  Further, the GDPR may give some insight to Mom and Pop as to the direction of U.S. privacy laws in the coming years.</p>
<p>Just as Mom and Pop seem to understand their obligations under GDPR, they wonder if GDPR applies to their British customers in light of Brexit.  The GDPR website offers the following <em>stitch</em> of advice:</p>
<p>“If you process data about individuals in the context of selling goods or services to citizens in other EU countries then you will need to comply with the GDPR, irrespective as to whether or not you the UK retains the GDPR post-Brexit. If your activities are limited to the UK, then the position (after the initial exit period) is much less clear.”</p>
<p>Mom and Pop may not be ready to consider how Brexit impacts their collection of data belonging to their British customers.  They have already made more progress in this area than many of their competitors.</p>
<ul>
<li><strong>Federal Regulations Need To Be More </strong><em><strong>Tailored</strong></em></li>
</ul>
<p>Mom and Pop’s Cleaners also has a number of customers that are tourists from other U.S. states.  Mom and Pop have questions concerning the data they are collecting for these customers in 2018.</p>
<p><em>The Data Breach Prevention and Compensation Act of 2018</em></p>
<p>U.S. lawmakers have taken steps to directly regulate credit reporting agencies in response to the Equifax breach.  In its current form, <a href="https://siliconangle.com/blog/2018/01/10/proposed-law-impose-huge-fines-credit-reporting-agency-data-breaches/">The Data Breach Prevention and Compensation Act of 2018 </a>would create new regulations by expanding the powers of the Federal Trade Commission (FTC).  Specifically, the proposed Act would create an Office of Cybersecurity to monitor large credit reporting agencies.  The Office of Cybersecurity would have the authority to impose fines on any credit reporting agency that breached data or failed to properly report a breach.  Under the current draft of the law, consumers would receive 50% of any fine imposed by the Office of Cybersecurity.</p>
<p>This legislation has been introduced by Senators Elizabeth Warren and Mark Warner after seeing the Equifax breach in 2017.  While this legislation is unlikely to pass, it still makes clear that credit reporting agencies will continue to be under heightened scrutiny in 2018 and beyond.</p>
<p>Of course, even if this legislation passes, Mom and Pop will not need to worry about it since they do not qualify as a credit reporting agency.</p>
<p><em>IoT Cybersecurity Improvement Act of 2017</em></p>
<p><a href="http://internetofthingsagenda.techtarget.com/feature/IoT-Cybersecurity-Improvement-Act-sets-low-bar-for-IoT-device-safety">The IoT Cybersecurity Improvement Act of 2017</a> would provide security practices for any company before it can sell interconnected devices to the federal government.  Importantly, this legislation would not regulate all IoT devices.  Commentators have stated that “’[b]road IoT legislation isn’t practical in the current Congress…which is was why the bill’s authors had narrowed its focus to federal procurement.”  There are further questions as to whether this is a good first step that will lead to broad IoT regulation or if these regulations will lose momentum after devices for the federal government are regulated.</p>
<p>Mom and Pop do not have any immediate concerns with this proposed legislation.  Down the road, their business may be safer if any interconnected device they purchase has the same security as that imposed on devices sold to the U.S. government.  However, this legislation does not appear to be of any concern to Mom and Pop over the next year.</p>
<ul>
<li><strong>State Regulations Create </strong><em><strong>Wrinkles </strong></em><strong>For Smaller Data Collectors.</strong></li>
</ul>
<p>Mom and Pop do not have to worry about any national data breach notification requirements.  All attempts to create breach notification standards at the federal level have lost <em>steam.</em>  In particular, the bill referred to as <a href="https://gizmodo.com/new-senate-bill-includes-jail-time-for-executives-who-c-1820897003">the Data Security and Breach Notification Act </a>appears to have no chance becoming law in 2018.  Unfortunately, as data collectors for Arizona residents, Mom and Pop will face some uncertainty in 2018.</p>
<p><em>Arizona’s Data Breach Notification Law: Changes in 2018</em></p>
<p>At present, the Arizona legislature is considering changes to <a href="https://www.jdsupra.com/legalnews/arizona-legislature-considers-58918/">Arizona’s data protection laws</a>.  The current Arizona law requires data collectors to notify individuals of any breach that compromises their information and may cause “substantial economic loss” to that individual.  The new law under consideration in 2018 for Arizona would remove this “substantial economic loss” requirement, and, therefore, would require notice in many more situations.  Additionally, the current law defines “personal information” as an individual’s name combined with a social security number, driver’s license number, non-operating i.d. or financial account number, credit card or debit card number in combination with a security code, access code or password for that account.  The new legislation would no longer require a security code, access code or password to be compromised in order to trigger a data collector’s notification obligations.</p>
<p>In 2018, Arizona’s notification law may also be changed to require notice to affected individuals within 30 days of the breach.  The law presently only requires notification to take place in the “most expedient manner possible without unreasonable delay.”</p>
<p>Based on these changes, Mom and Pop are going to need to take a close look at the data they are storing on Arizona residents and how that data is being protected.  Further, Mom and Pop may also need to take a closer look at their procedures if a breach occurs.  The time frame for their response and the notification to their customers has been taken from a subjective deadline to an objective, 30-day deadline.  Mom and Pop have a lot of work in order to make sure they are in compliance with this law.</p>
<p><em>Other States Data Breach Notification Laws</em></p>
<p>Even if Mom and Pop happen to figure out their obligations under Arizona law, they still have to consider the laws for other states where their customers may reside.  As data collectors for residents for a number of states, Mom and Pop face even more uncertainty.  As it stands today, each state has its own data breach notification laws.  Consequently, Mom and Pop may have different obligations, including numerous deadlines to provide notification, for a single breach that includes data for residents of different states.</p>
<ul>
<li><strong>Mom And Pop’s Approach For 2018</strong></li>
</ul>
<p>From a practical standpoint, Mom and Pop are not realistically going to put much thought into complying with GDRP.  However, they may make efforts to comply with their state data protection laws.  While Arizona’s new data law may not be in perfect harmony with GDRP, it is an important first step to get Mom and Pop to at least begin to consider Arizona’s law and make an effort to comply.  Maybe if things go right, Mom and Pop may consider buying an endorsement to their insurance policy for cyber protection in 2019.</p>
<p>Additionally, while it is great to see lawmakers begin to tackle these issues, it will be important to not overwhelm data collectors.  2018 promises to be an interesting year for data protection laws.</p>
<div class="e-mailit_bottom_toolbox"><div class="e-mailit_toolbox square size32 " data-emailit-url='https://privacyriskreport.com/ironing-out-the-wrinkles-in-data-legislation-a-case-study/' data-emailit-title='Ironing Out The Wrinkles In Data Legislation:  A Case Study'>
<div class="e-mailit_btn_Facebook"></div>
<div class="e-mailit_btn_Twitter"></div>
<div class="e-mailit_btn_Send_via_Email"></div>
<div class="e-mailit_btn_Pinterest"></div>
<div class="e-mailit_btn_LinkedIn"></div>
<div class="e-mailit_btn_EMAILiT"></div></div>
</div><p>The post <a rel="nofollow" href="https://privacyriskreport.com/ironing-out-the-wrinkles-in-data-legislation-a-case-study/">Ironing Out The Wrinkles In Data Legislation:  A Case Study</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/ironing-out-the-wrinkles-in-data-legislation-a-case-study/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>A Tale Of Two Worlds: 2017 Shows Us That Small Data Collectors May Have Advantages Over Large Data Collectors</title>
		<link>https://privacyriskreport.com/a-tale-of-two-worlds-2017-shows-us-that-small-data-collectors-may-have-advantages-over-large-data-collectors/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=a-tale-of-two-worlds-2017-shows-us-that-small-data-collectors-may-have-advantages-over-large-data-collectors</link>
		<comments>https://privacyriskreport.com/a-tale-of-two-worlds-2017-shows-us-that-small-data-collectors-may-have-advantages-over-large-data-collectors/#comments</comments>
		<pubDate>Wed, 20 Dec 2017 21:15:07 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[Big Data]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[Small Data]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1397</guid>
		<description><![CDATA[<div class="e-mailit_top_toolbox">
<div class="e-mailit_toolbox square size32 " data-emailit-url='https://privacyriskreport.com/a-tale-of-two-worlds-2017-shows-us-that-small-data-collectors-may-have-advantages-over-large-data-collectors/' data-emailit-title='A Tale Of Two Worlds: 2017 Shows Us That Small Data Collectors May Have Advantages Over Large Data Collectors'>
<div class="e-mailit_btn_Facebook"></div>
<div class="e-mailit_btn_Twitter"></div>
<div class="e-mailit_btn_Send_via_Email"></div>
<div class="e-mailit_btn_Pinterest"></div>
<div class="e-mailit_btn_LinkedIn"></div>
<div class="e-mailit_btn_EMAILiT"></div>
</div>
</div>
<p>Barring a major development in the final weeks of this year, we appear to be ready to close the books on privacy/cyber law for 2017.  Of course, with two weeks left in 2017, there is still time for last-minute data... <a class="more-link" href="https://privacyriskreport.com/a-tale-of-two-worlds-2017-shows-us-that-small-data-collectors-may-have-advantages-over-large-data-collectors/">Continue Reading &#8594;</a>
<div class="e-mailit_bottom_toolbox">
<div class="e-mailit_toolbox square size32 " data-emailit-url='https://privacyriskreport.com/a-tale-of-two-worlds-2017-shows-us-that-small-data-collectors-may-have-advantages-over-large-data-collectors/' data-emailit-title='A Tale Of Two Worlds: 2017 Shows Us That Small Data Collectors May Have Advantages Over Large Data Collectors'>
<div class="e-mailit_btn_Facebook"></div>
<div class="e-mailit_btn_Twitter"></div>
<div class="e-mailit_btn_Send_via_Email"></div>
<div class="e-mailit_btn_Pinterest"></div>
<div class="e-mailit_btn_LinkedIn"></div>
<div class="e-mailit_btn_EMAILiT"></div>
</div>
</div>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/a-tale-of-two-worlds-2017-shows-us-that-small-data-collectors-may-have-advantages-over-large-data-collectors/">A Tale Of Two Worlds: 2017 Shows Us That Small Data Collectors May Have Advantages Over Large Data Collectors</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<div class="e-mailit_top_toolbox"><div class="e-mailit_toolbox square size32 " data-emailit-url='https://privacyriskreport.com/a-tale-of-two-worlds-2017-shows-us-that-small-data-collectors-may-have-advantages-over-large-data-collectors/' data-emailit-title='A Tale Of Two Worlds: 2017 Shows Us That Small Data Collectors May Have Advantages Over Large Data Collectors'>
<div class="e-mailit_btn_Facebook"></div>
<div class="e-mailit_btn_Twitter"></div>
<div class="e-mailit_btn_Send_via_Email"></div>
<div class="e-mailit_btn_Pinterest"></div>
<div class="e-mailit_btn_LinkedIn"></div>
<div class="e-mailit_btn_EMAILiT"></div></div>
</div><p>Barring a major development in the final weeks of this year, we appear to be ready to close the books on privacy/cyber law for 2017.  Of course, with two weeks left in 2017, there is still time for last-minute data breaches, cyber incidents or other surprises.  Just this week, we saw major news stories which include the <a href="https://www.cnbc.com/2017/12/18/us-to-blame-north-korea-for-wannacry-cyber-attack.html" target="_blank">US government blaming North Korea for the WannaCry cyberattack earlier this year</a> and <a href="https://www.law360.com/illinois/articles/995800/sonic-drive-in-chain-hit-with-class-action-over-data-breach" target="_blank">Sonic Drive-Ins being sued in a class action for its data breach</a>.  Therefore, while we are hesitant to put together a list with a couple of weeks left in 2017, it is safe to form at least some broad conclusions about 2017.</p>
<p>Cyber has been a moving target for years and 2017 has been no different.  In 2017, we saw privacy laws evolve while legislatures attempted to keep up with the various threats.   While we did not see a pivotal cyber insurance law case, 2017 had a fair share of cases that deserve further analysis. We saw a number of cyber incidents and data breaches that should keep litigants and our courts busy for many years.  Overall, we saw a scenario where smaller data collectors have less personal information to protect and can make adjustments in 2018.  The fact that large-scale data breaches are still occurring may indicate that, despite having better information concerning data protection, large-scale data collectors may not be able to make adjustments within their organizations quickly enough to keep up with changes rules and evolving threats.</p>
<p>The body of information concerning data collectors&#8217; obligations is growing and 2017 provided the following insight for consideration in 2018 and beyond:</p>
<p><em><strong>The Further Development Of State Privacy Laws</strong></em></p>
<p>Without having a significant body of law to rely upon, state privacy laws typically provide the most guidance for data collectors.  These laws regulate the type of information that must be protected, how to protect that information and the consequences if the information is not protected properly.  In 2017, we analyze revisions and modifications to these laws that should be addressed.</p>
<p><strong>What are “Reasonable Measures” For Data Collectors?</strong></p>
<p><a href="https://privacyriskreport.com/a-safe-prediction-for-2017-cyber-security-laws-will-change-on-january-1-2017-2/" target="_blank">One central issue playing out in 2017 has been how “data collectors” adapt to modifications of state privacy laws. </a>For example, Illinois amended its breach notification statute the Personal Information Act <a href="http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702&amp;ChapterID=67">(815 ILCS §530/5)</a> (&#8220;PIPA&#8221;) to include a requirement that any data collector holding “personal information concerning an Illinois resident” must “implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.” Illinois joined a number of other states that have expanded the definition of “personal information” to include an individual’s “user name or email address.” Therefore, an entity may have obligations to notify any individual who has had their user name or email address improperly disclosed. The Illinois legislature further broadened the definition of “personal information” to include medical information, health insurance information or biometric data.</p>
<p>PIPA was also amended in 2017 to require data collectors to take &#8220;reasonable measures&#8221; to protect personal information.  While we really did not get much insight on what the legislature believes may constitute “reasonable measures,”<a href="https://privacyriskreport.com/recent-case-sheds-light-on-what-courts-may-find-makes-security-measures-reasonable/" target="_blank"> by mid-January of 2017 we had already seen courts provide some guidance.</a>  In our January 19, 2017 post, we analyzed the <em>Dittman</em> decision in Pennsylvania to determine obligations for “data collectors” in the absence of controlling law. With scant law, a “data collector” may want to consider the advice in the <em>Dittman</em> concurrence opinion and take steps to encrypt data, establish adequate firewalls and implement an appropriate authentication protocol to protect data. Otherwise, we are still waiting on a court to address what the “Reasonable Measures” standards means.</p>
<p>On August 15, 2017, the Department of Commerce released <a href="http://csrc.nist.gov/publications/drafts/800-53/sp800-53r5-draft.pdf">Draft NIST Publication 800-53, entitled, Security and Privacy Controls for Information Systems and Organizations, </a>which is intended to provide a “catalog of security and privacy controls for federal information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats including hostile attacks, natural disasters, structural failures, human errors, and privacy risks.”</p>
<p><a href="https://privacyriskreport.com/new-nist-standards-allow-courts-and-legislatures-to-learn-the-language-of-data/">The stated objectives of the NIST publication includes: “…to make the information systems we depend on more penetration resistant to attacks; limit the damage from attacks when they occur;</a> and make the systems resilient and survivable.” And, in meeting these objectives, the NIST publication provided the following “key questions that should be answered by organizations when addressing their security and privacy concerns&#8221;:</p>
<ul>
<li><em>What security and privacy controls are needed to satisfy the organization’s security and privacy requirements and to adequately manage risk? </em></li>
<li><em>Have the security and privacy controls been implemented or is there an implementation plan in place? </em></li>
<li><em>What is the desired or required level of assurance (i.e., confidence) that the selected security and privacy controls, as implemented, are effective in their application?”</em></li>
</ul>
<p>At this point, NIST anticipates having a final draft of this publication complete by October 2017 and a final version published by December 29, 2017.  While there may be no requirement to meet the NIST Standards, a data collector has a better chance of showing they took &#8220;reasonable measures&#8221; if they can demonstrate they attempted to address the NIST standards in addition to the vague requirements found in state privacy laws and the general standards of some industries.</p>
<p><strong>States And Courts Take Steps To Protect Biometric Data </strong></p>
<p>While we saw some changes concerning the storage of “personal data” in 2017, <a href="https://privacyriskreport.com/use-of-biometric-data-enters-the-courts/" target="_blank">we also received a glimpse of the importance of protecting biometric data.</a></p>
<p>In late 2016 and 2017, we saw a push by state legislatures to enact new laws that also protect biometric data, such as the Illinois Biometric Information Privacy Act (BIPA). “Biometrics” defines “the field of science relating to the identification of humans based upon unique biological traits, such as fingerprints, DNA, and retinas” and recently “has produced new ways of conducting commercial transactions.” In particular, the protection of biometrics is a growing concern as this technology is turning up in everything from <a href="https://privacyriskreport.com/apple-watch-poses-a-number-of-new-privacy-risks/">watches that may collect health data</a>, finger-scanners at grocery stores and gas stations to retina scanners for financial transactions.</p>
<p>Not only is this technology is here to stay, but it is already involved in litigation across the country.  For example, in <a href="https://privacyriskreport.com/wp-content/uploads/2017/02/Vigil_v_Take_Two.pdf"><em>Vigil v. Take-Two Interactive Software, Inc</em>.</a>, <a href="https://privacyriskreport.com/face-it-we-are-going-to-see-a-lot-of-the-illinois-biometric-information-protection-act-in-courts/" target="_blank">the U.S. District Court for the Southern District of New York found class action plaintiffs lacked standing to bring suit under BIPA for claims related to how their faces were used to create personalized avatars in a video game.</a> Without a doubt, this will not be the last time a court will be called on to interpret BIPA or similar statutes across the country.  In 2018, we can expect to see data collectors find other uses for biometric information and, therefore, more effort will be needed to protect this information.</p>
<p>By March of 2017, we saw another biometric data case when the Eastern District for the Northern District of Illinois analyzed BIPA in <a href="https://privacyriskreport.com/wp-content/uploads/2017/03/Rivera-Memorandum-and-Opinion.pdf"><em>Rivera v. Google Inc</em>.</a>, 16 C 02714 (N.D. Ill 2016), and found allegations that Google created and stored face-scans from pictures taken on Google devices may constitute a violation under BIPA and at least may survive a motion to dismiss.</p>
<p>As we move into 2018, we can expect the protection of biometric data will continue to grow in importance for data collectors.</p>
<p><em><strong>Another Large-Scale Data Breach in 2017: Equifax</strong></em></p>
<p>While it appeared in 2017 that large-scale data breaches may not occur as frequently as we saw a couple of years ago with Target Stores, Home Depot, Best Buy or the federal government, 2017 still had its fair share of large data breaches. The growing consensus that fewer data breaches may indicate large data collectors were taking better precautions with personal information was called into question when it was announced in September that Equifax had a significant breach.  <a href="https://privacyriskreport.com/responses-to-large-scale-breaches-such-as-equifax-may-need-to-be-analyzed-in-phases-by-data-collectors/" target="_blank">Admittedly, we are still learning the full scope of Equifax Inc.’s massive data breach which was announced on September 8, 2017</a>. While different numbers have been discussed, it appears about 143 million people may have been impacted. Suffice it to say, this was a huge data breach.</p>
<p><a href="https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do">The FTC’s website provides the following facts </a>on the Equifax breach:</p>
<p><em>The breach lasted from mid-May through July. The hackers accessed people’s names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. They also stole credit card numbers for about 209,000 people and dispute documents with personal identifying information for about 182,000 people. And they grabbed personal information of people in the UK and Canada too.</em></p>
<p>Equifax’s breach response at this point initially included offering one free year of its credit monitoring service and provides information via <a href="http://www.equifaxsecurity2017.com/">its website created just for this breach</a>.  However, Equifax soon faced a backlash including the following complaints related to its response:</p>
<ul>
<li>News reports indicate that a number of people are struggling to determine if their information was included in Equifax’s breach using a website provided by Equifax. After making a number of attempts to use the website, many commentators found the website “hopelessly broken.” By September 8, 2017, <a href="https://krebsonsecurity.com/2017/09/the-equifax-breach-what-you-should-know/">Equifax had to issue a statement claiming to have fixed the problems with its website</a>.</li>
<li>Equifax’s offer to provide free credit monitoring for a year is being called into question as not providing sufficient time to properly monitor one’s credit and as a marketing ploy to get subscribers after the first year has expired. Leaving some commentators to say <em>“so, yes, your worst suspicions are now confirmed. Equifax may actually make money on this breach.”                                                                            </em></li>
<li>Equifax had to issue a statement to address growing concerns that the terms of service that consumers must accept before enrolling in the free credit monitoring service required them to waive their rights to sue Equifax for a breach. Equifax’s statement attempted to clarify its position that nothing in the terms of service would apply to this breach.</li>
<li>More than 20 proposed class-action lawsuits were filed around the country in less than a week since the breach was announced.</li>
<li>Shares of Equifax closed down 8.2% on September 11, 2017 after falling more that 13% on September 8, 2017.</li>
<li>SEC filings show that three Equifax executives sold nearly $2 million in shares of the company days after the cyberattack was discovered.  Equifax had to issue another statement after its announcement indicating that while the three executives sold a “small percentage” of their shares August 1 and August 2, 2017, they “had no knowledge that an intrusion had occurred at the time they sold their shares.”</li>
</ul>
<p>Unfortunately, Equifax’s various supplemental announcements after the initial announcement placed Equifax’s response under further scrutiny.  After the Equifax breach, it became clear that not all large data collectors, despite seeing breach scenarios play out over and over, may not be prepared for a data breach.</p>
<p><strong>Allegations in Uber Breach Demonstrate Need For Clear Response To Incident</strong></p>
<p>If Equifax made it clear that we are not out of the woods on large-scale data breaches, the allegations against Uber after its breach may have shed more light on how large-scale data collectors are handling breaches.  <a href="https://privacyriskreport.com/claims-against-uber-in-new-lawsuit-show-the-potential-for-liability-beyond-not-protecting-data/" target="_blank">On November 28, 2017 when the City of Chicago and Illinois (“plaintiffs”) filed their Complaint in a case entitled <em>City of Chicago et al. v. Uber Technologies, Inc</em>., Case No. 2017CH15594 (Nov. 28, 2017). </a>The Complaint is based on allegations that “[f]or the past several years, Uber has repeatedly failed to protect the privacy of its customers’ and drivers’ personal information.”  More specifically, the plaintiffs assert Uber took steps to cover up its breach in an effort to avoid negative publicity.  This case, regardless of whether the allegations are proven, should cause “data collectors” to consider what information they are putting (or not putting) out concerning any incidents prior to notification of the incident.</p>
<p>In particular, the plaintiffs contend that, in order to avoid “negative public attention, Uber paid hackers $100,000 to delete the data based on the hackers’ agreement to never speak publicly of the incident.” The plaintiffs claim the alleged cover up came to light because “criminal hackers couldn’t possibly be trusted to protect user data” and they ultimately disclosed the breach. The Complaint states that “Uber went so far as to even track down the criminal hackers and enter into nondisclosure agreements with them as if they were common business partners…”  Further, the plaintiffs claim Uber made this payment so that it appeared to be related to its “bug bounty program” rather than a ransom payment.  The Complaint asserts “[t]his concealment kept riders, drivers, and government agencies in the dark for over a year about Uber’s substandard security practices…”</p>
<p>The alleged cover up continued until November 21, 2017, when Uber’s Board of Directors investigated the practices of Uber’s security team. Uber has still not disclosed this incident to its customers or drivers.</p>
<p><strong>Litigation In 2017 Looked Like Litigation In 2016:  “Standing” To Bring Suit Still Questionable In 2017</strong></p>
<p>As seen in prior years, the <a href="https://privacyriskreport.com/understanding-issues-related-to-standing-in-data-breach-litigation-provides-insight-to-insurers/">threshold question in data breach lawsuits during 2017 is still whether a litigant has “standing” to bring a cause of action </a>against the party that allegedly caused a breach. This hurdle for litigants rises out of Article III of the Constitution that limits the jurisdiction of federal courts to “Cases” and “Controversies” “which are appropriately resolved through the judicial process.” Simply, litigants have not been able to move their cases forward unless they can show a concrete injury and demonstrate that future injuries are more than merely speculative.  Nevertheless, while a number of data breach cases have been lost at the initial pleadings states, some plaintiffs have been able to persuade courts that they suffered concrete injuries and could show the source of their alleged damages to survive a motion to dismiss.</p>
<p>As this body of law has developed over the years, one case in particular, <em>Lewert v. P.F. Chang’s China Bistro, Inc</em>., 14-3700 (7<sup>th</sup> Cir. 2014), in the Seventh Circuit, has provided hope for data breach plaintiffs.  Developments in 2017 in the P.F. Chang’s litigation  should provide more hope for plaintiffs.</p>
<p>The P.F. Chang’s data breach litigation traces its origins back to a 2014 data breach where plaintiffs claim their debit and credit card information had been hacked after they had visited a P.F. Chang’s in Illinois. P.F. Chang’s filed a motion to dismiss asserting first, that “the parties’ express contract precludes both an implied contract and a consumer fraud count.” (“Plaintiffs’ claims are that they purchased a meal at P.F. Chang’s and that, while P.F. Chang’s came through on the main course, it dropped the ball on the side order of data security.”) Additionally, P.F. Chang’s claimed plaintiffs’ case should have been dismissed because plaintiffs lacked standing and had no damage. The District Court dismissed plaintiffs’ data breach action for lack of standing and, therefore, did not have to address P.F. Chang’s other arguments for dismissal.</p>
<p>On April 26, 2017 the District Court filed a minute order which merely stated the “motion to dismiss is denied for the reasons stated in open court.” The District Court further granted plaintiffs’ motion to compel P.F. Chang’s to participate in a Rule 26(f) conference and begin discovery.</p>
<p>While it took a while to get here, we are finally at the point in this case where we will see if plaintiffs can gather sufficient evidence to support their claims. Data breach plaintiffs have struggled to survive the pleadings stage as many courts found their damages were too speculative to survive a motion to dismiss. It will be important to watch this case get through the discovery phases and move toward trial in order to get the full picture regarding liability for cyber security. Further, the P.F. Chang’s litigation is even more important since <a href="https://privacyriskreport.com/neiman-marcus-case-settles-after-years-of-haggling-over-price-of-data-breach-cases/">the Neiman Marcus case recently settled </a>before we could see how that litigation unfolds through discovery and further motion practice.</p>
<p><strong>Take-Away For 2018</strong></p>
<p>Based on the developments in 2017, we can expect smaller data collectors to have a wealth of information to use when determining their obligations for storage of personal information.  Smaller data collectors have state privacy laws, industry regulations and cases to look to for guidance. On the other hand, Equifax may show us that larger data collectors may have trouble in 2018.  Even though all data collectors have the same information available concerning their obligations, large data collectors may have too much information and too much red tape to properly prepare for an incident. Out of all the large-scale data collectors, one would hope Equifax was prepared for a breach and had a response ready to go. We may see a scenario where smaller data collectors, despite fewer resources, have a better chance to protect data.</p>
<div class="e-mailit_bottom_toolbox"><div class="e-mailit_toolbox square size32 " data-emailit-url='https://privacyriskreport.com/a-tale-of-two-worlds-2017-shows-us-that-small-data-collectors-may-have-advantages-over-large-data-collectors/' data-emailit-title='A Tale Of Two Worlds: 2017 Shows Us That Small Data Collectors May Have Advantages Over Large Data Collectors'>
<div class="e-mailit_btn_Facebook"></div>
<div class="e-mailit_btn_Twitter"></div>
<div class="e-mailit_btn_Send_via_Email"></div>
<div class="e-mailit_btn_Pinterest"></div>
<div class="e-mailit_btn_LinkedIn"></div>
<div class="e-mailit_btn_EMAILiT"></div></div>
</div><p>The post <a rel="nofollow" href="https://privacyriskreport.com/a-tale-of-two-worlds-2017-shows-us-that-small-data-collectors-may-have-advantages-over-large-data-collectors/">A Tale Of Two Worlds: 2017 Shows Us That Small Data Collectors May Have Advantages Over Large Data Collectors</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/a-tale-of-two-worlds-2017-shows-us-that-small-data-collectors-may-have-advantages-over-large-data-collectors/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Responses To Large-Scale Breaches, Such As Equifax, May Need To Be Analyzed In &#8220;Phases&#8221; By Data Collectors</title>
		<link>https://privacyriskreport.com/responses-to-large-scale-breaches-such-as-equifax-may-need-to-be-analyzed-in-phases-by-data-collectors/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=responses-to-large-scale-breaches-such-as-equifax-may-need-to-be-analyzed-in-phases-by-data-collectors</link>
		<comments>https://privacyriskreport.com/responses-to-large-scale-breaches-such-as-equifax-may-need-to-be-analyzed-in-phases-by-data-collectors/#comments</comments>
		<pubDate>Thu, 14 Sep 2017 14:58:04 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[data]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1313</guid>
		<description><![CDATA[<div class="e-mailit_top_toolbox">
<div class="e-mailit_toolbox square size32 " data-emailit-url='https://privacyriskreport.com/responses-to-large-scale-breaches-such-as-equifax-may-need-to-be-analyzed-in-phases-by-data-collectors/' data-emailit-title='Responses To Large-Scale Breaches, Such As Equifax, May Need To Be Analyzed In &#8220;Phases&#8221; By Data Collectors'>
<div class="e-mailit_btn_Facebook"></div>
<div class="e-mailit_btn_Twitter"></div>
<div class="e-mailit_btn_Send_via_Email"></div>
<div class="e-mailit_btn_Pinterest"></div>
<div class="e-mailit_btn_LinkedIn"></div>
<div class="e-mailit_btn_EMAILiT"></div>
</div>
</div>
<p>The best strategy for data collectors to prepare a breach response plan may be to look at what others did right and wrong in response to a cyber incident.  After reviewing a number of responses to large-scale data breaches, it... <a class="more-link" href="https://privacyriskreport.com/responses-to-large-scale-breaches-such-as-equifax-may-need-to-be-analyzed-in-phases-by-data-collectors/">Continue Reading &#8594;</a>
<div class="e-mailit_bottom_toolbox">
<div class="e-mailit_toolbox square size32 " data-emailit-url='https://privacyriskreport.com/responses-to-large-scale-breaches-such-as-equifax-may-need-to-be-analyzed-in-phases-by-data-collectors/' data-emailit-title='Responses To Large-Scale Breaches, Such As Equifax, May Need To Be Analyzed In &#8220;Phases&#8221; By Data Collectors'>
<div class="e-mailit_btn_Facebook"></div>
<div class="e-mailit_btn_Twitter"></div>
<div class="e-mailit_btn_Send_via_Email"></div>
<div class="e-mailit_btn_Pinterest"></div>
<div class="e-mailit_btn_LinkedIn"></div>
<div class="e-mailit_btn_EMAILiT"></div>
</div>
</div>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/responses-to-large-scale-breaches-such-as-equifax-may-need-to-be-analyzed-in-phases-by-data-collectors/">Responses To Large-Scale Breaches, Such As Equifax, May Need To Be Analyzed In &#8220;Phases&#8221; By Data Collectors</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<div class="e-mailit_top_toolbox"><div class="e-mailit_toolbox square size32 " data-emailit-url='https://privacyriskreport.com/responses-to-large-scale-breaches-such-as-equifax-may-need-to-be-analyzed-in-phases-by-data-collectors/' data-emailit-title='Responses To Large-Scale Breaches, Such As Equifax, May Need To Be Analyzed In &#8220;Phases&#8221; By Data Collectors'>
<div class="e-mailit_btn_Facebook"></div>
<div class="e-mailit_btn_Twitter"></div>
<div class="e-mailit_btn_Send_via_Email"></div>
<div class="e-mailit_btn_Pinterest"></div>
<div class="e-mailit_btn_LinkedIn"></div>
<div class="e-mailit_btn_EMAILiT"></div></div>
</div><p>The best strategy for data collectors to prepare a breach response plan may be to look at what others did right<em> and</em> wrong in response to a cyber incident.  After reviewing a number of responses to large-scale data breaches, it has become clear that some responses are better than others. It is also clear that all large-scale breaches and the responses have a number of moving parts.  Therefore, in order to analyze all these moving parts to prepare for an incident, the best method for data collectors may be to break their strategy into the following three phases:</p>
<ul>
<li><em>Pre-Breach Preparations</em> should include discussing breach scenarios in the abstract. This timeframe should be dedicated to identifying an internal and external response team and create a general roadmap for a response.</li>
<li><em>Post-Discovery Preparations</em> should include refining the roadmap to address the specific breach facing an entity. By this point, a data collector will have more information on the incident and should be able to prepare for the announcement of the incident.</li>
<li><em>Post-Announcement Response </em>should include re-working any portion of the response plan that is not going as intended and responding according to the roadmap created in the earlier phases.</li>
</ul>
<p>While it is still early in Equifax Inc.&#8217;s response, Equifax&#8217;s recent breach provides the perfect backdrop to take a closer look at these three phases for preparing for and engaging in a successful breach response.  Admittedly, we are just learning the full scope of Equifax Inc.’s massive data breach which was announced on September 8, 2017. While different numbers have been discussed, it appears about 143 million people may be impacted.  Suffice it to say, this was a huge data breach.  <a href="https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do" target="_blank">The FTC’s website provides the following facts</a>:</p>
<p><em>The breach lasted from mid-May through July. The hackers accessed people’s names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. They also stole credit card numbers for about 209,000 people and dispute documents with personal identifying information for about 182,000 people. And they grabbed personal information of people in the UK and Canada too.</em></p>
<p>The analysis of this <a href="https://privacyriskreport.com/home-depot-breach-litigation-goes-down-well-worn-path/" target="_blank">latest breach can be expected to go down the well-worn path of other large-scale breaches </a>seen at Target, Home Depot or Yahoo.  And, over the coming months, we can expect to see more information concerning Equifax&#8217;s breach.  For example,  <a href="https://www.usatoday.com/story/money/2017/09/11/equifax-hit-least-23-class-action-lawsuits-over-massive-cyberbreach/653909001/" target="_blank"><span style="color: #0066cc;">Sens. Orrin Hatch, R-Utah, and Ron Wyden, D-Oregon</span></a>, respectively the chairman and ranking member of the Senate Committee on Finance, sent Equifax detailed questions about the breach seeking “a detailed timeline of the breach, information about the company&#8217;s efforts to identify the number of consumers affected, the breadth of information compromised and the steps Equifax has taken to identify and limit potential consumer harm.”  This information, and being able to analyze this information, will be key for any data collector to review their own breach response plans.</p>
<p><strong><em>Pre-Breach Preparations Allow A Stress-Free Review Of Safeguards And The Response Game Plan</em></strong></p>
<p>During the <em>Pre-Breach Preparations</em>, a data collector will have the opportunity to confirm that it has taken all steps necessary to safeguard information and have a roadmap in place<em> if</em> there is an incident.  Once an incident occurs, it may be too late to thoroughly review the roadmap and the general structure must be created in order to fill in the details as the breach unfolds.</p>
<p>First, Equifax&#8217;s breach, involving a credit reporting agency, is different than a prior breaches which took place at retailers, financial institutions or medical care providers. That is, Equifax is often called on to provide credit monitoring to individuals that may be caught up in a cyber incident at a retailer, financial institution or medical care provider.  For example, the Illinois Personal Information Protection Act states that any breach notification shall include “the toll-free numbers and addresses for consumer reporting agencies.” <a href="http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702&amp;ChapterID=67" target="_blank"><em>See</em>, 815 ILCS 530/10</a>  Therefore, notification letters prepared in accordance with Illinois law would most-likely direct Illinois residents to Equifax.  Equifax and the other credit reporting agencies build their entire business on keeping information safe.  At present, there is no information concerning what Pre-Breach Preparations Equifax had in place but there will undoubtedly be a substantial amount of information disclosed over the coming months.</p>
<p><strong><em>Post-Discovery Preparations Allow A Response To Address The Specific Facts Of The Incident</em></strong></p>
<p><em>Post-Discovery Preparations</em> allow a data collector to address the specific information it has learned from its initial investigation into its response roadmap.  That is, the roadmap can now be revised and supplemented because the investigation will show if this is a case of ransomware, a data breach or some other cyber attack.  The data collector can also determine whether it will notify any individuals and if so, what law governs that notification.  The decision to contact law enforcement should be made during this phase as well.  This phase may be the last time the data collector has full control over the incident.</p>
<p><a href="https://www.cnbc.com/2017/09/07/credit-reporting-firm-equifax-says-cybersecurity-incident-could-potentially-affect-143-million-us-consumers.html" target="_blank">News reports indicate Equifax discovered the breach on July 29, 2017</a>.  Therefore, Equifax had more than a month, post breach, to formulate a response to this particular breach before it was announced to the public.  However, there is still little information concerning Equifax&#8217;s Post-Discovery Preparations at this time.</p>
<p><strong><em>Post-Announcement Response Allows An Entity To Address Issues That May Have Been Missed In The Other Breach Response Phases</em></strong></p>
<p>Hopefully, the response plan will only need to be slightly tweaked by the time a data collector reaches the Post-Announcement Response.</p>
<p>Equifax’s breach response at this point includes offering one free year of its credit monitoring service and providing information via <a href="http://www.equifaxsecurity2017.com" target="_blank">its website created just for this breach</a>.  However, over the last week, Equifax has faced a backlash including the following complaints related to its response:</p>
<ul>
<li>News reports indicate that a number of people are struggling to determine if their information was included in Equifax’s breach using a website provided by Equifax. After making a number of attempts to use the website, many commentators found the website “hopelessly broken.” By September 8, 2017, <a href="https://krebsonsecurity.com/2017/09/the-equifax-breach-what-you-should-know/" target="_blank">Equifax had to issue a statement claiming to have fix problems with its website</a>.</li>
<li>Equifax’s offer to provide free credit monitoring for a year is being called into question as not providing sufficient time to properly monitor one’s credit and as a marketing ploy to get subscribers after the first year has expired. Leaving some commentators to say <em>“so, yes, your worst suspicions are now confirmed. Equifax may actually make money on this breach.”</em></li>
<li>Equifax had to issue a statement to address growing concerns that the terms of service that consumers must accept before enrolling in the free credit monitoring service required them to waive their rights to sue Equifax for a breach. Equifax’s statement attempted to clarify its position that nothing in the terms of service would apply to this breach.</li>
<li>More than 20 proposed class-action lawsuits have been filed around the country in less than a week since the breach was announced.</li>
<li>Shares of Equifax closed down 8.2% on September 11, 2017 after falling more that 13% on September 8, 2017.</li>
<li>SEC filings show that three Equifax executives sold nearly $2 million in shares in the company days after the cyberattack was discovered.   Equifax had to issue another statement after its announcement indicating that while the three executives sold a &#8220;small percentage&#8221; of their shares August 1 and August 2, 2017, they &#8220;had no knowledge that an intrusion had occurred at the time they sold their shares.&#8221;</li>
</ul>
<p>Unfortunately, Equifax’s various supplemental announcements after the initial announcement have placed Equifax’s response under further scrutiny. Equifax is now being called on to respond to a variety of issues since its announcement of this breach.  The Equifax breach makes it clear that the Post-Announcement Response phase can be the most stressful phase and will require a solid roadmap formulated in the earlier breach response phases.</p>
<p>As we learn about the Equifax breach (or any other data breach) it will be key for data collectors to look at all the information related to the breach response to determine if their own brief response roadmap is sufficient.  Analyzing the various phases of a response and how those phases are connected will be necessary to continuously improve their own response plans.</p>
<div class="e-mailit_bottom_toolbox"><div class="e-mailit_toolbox square size32 " data-emailit-url='https://privacyriskreport.com/responses-to-large-scale-breaches-such-as-equifax-may-need-to-be-analyzed-in-phases-by-data-collectors/' data-emailit-title='Responses To Large-Scale Breaches, Such As Equifax, May Need To Be Analyzed In &#8220;Phases&#8221; By Data Collectors'>
<div class="e-mailit_btn_Facebook"></div>
<div class="e-mailit_btn_Twitter"></div>
<div class="e-mailit_btn_Send_via_Email"></div>
<div class="e-mailit_btn_Pinterest"></div>
<div class="e-mailit_btn_LinkedIn"></div>
<div class="e-mailit_btn_EMAILiT"></div></div>
</div><p>The post <a rel="nofollow" href="https://privacyriskreport.com/responses-to-large-scale-breaches-such-as-equifax-may-need-to-be-analyzed-in-phases-by-data-collectors/">Responses To Large-Scale Breaches, Such As Equifax, May Need To Be Analyzed In &#8220;Phases&#8221; By Data Collectors</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/responses-to-large-scale-breaches-such-as-equifax-may-need-to-be-analyzed-in-phases-by-data-collectors/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New NIST Standards Allow Courts And Legislatures To Learn The Language Of Data</title>
		<link>https://privacyriskreport.com/new-nist-standards-allow-courts-and-legislatures-to-learn-the-language-of-data/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=new-nist-standards-allow-courts-and-legislatures-to-learn-the-language-of-data</link>
		<comments>https://privacyriskreport.com/new-nist-standards-allow-courts-and-legislatures-to-learn-the-language-of-data/#comments</comments>
		<pubDate>Wed, 06 Sep 2017 18:30:38 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[personal information]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1300</guid>
		<description><![CDATA[<div class="e-mailit_top_toolbox">
<div class="e-mailit_toolbox square size32 " data-emailit-url='https://privacyriskreport.com/new-nist-standards-allow-courts-and-legislatures-to-learn-the-language-of-data/' data-emailit-title='New NIST Standards Allow Courts And Legislatures To Learn The Language Of Data'>
<div class="e-mailit_btn_Facebook"></div>
<div class="e-mailit_btn_Twitter"></div>
<div class="e-mailit_btn_Send_via_Email"></div>
<div class="e-mailit_btn_Pinterest"></div>
<div class="e-mailit_btn_LinkedIn"></div>
<div class="e-mailit_btn_EMAILiT"></div>
</div>
</div>
<p>As courts and legislatures around the country struggle with issues related to data breaches, cyber, technology and privacy, they are finding a lack of standards to guide them through their struggles. Of course, a court may struggle to determine whether a duty... <a class="more-link" href="https://privacyriskreport.com/new-nist-standards-allow-courts-and-legislatures-to-learn-the-language-of-data/">Continue Reading &#8594;</a>
<div class="e-mailit_bottom_toolbox">
<div class="e-mailit_toolbox square size32 " data-emailit-url='https://privacyriskreport.com/new-nist-standards-allow-courts-and-legislatures-to-learn-the-language-of-data/' data-emailit-title='New NIST Standards Allow Courts And Legislatures To Learn The Language Of Data'>
<div class="e-mailit_btn_Facebook"></div>
<div class="e-mailit_btn_Twitter"></div>
<div class="e-mailit_btn_Send_via_Email"></div>
<div class="e-mailit_btn_Pinterest"></div>
<div class="e-mailit_btn_LinkedIn"></div>
<div class="e-mailit_btn_EMAILiT"></div>
</div>
</div>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/new-nist-standards-allow-courts-and-legislatures-to-learn-the-language-of-data/">New NIST Standards Allow Courts And Legislatures To Learn The Language Of Data</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<div class="e-mailit_top_toolbox"><div class="e-mailit_toolbox square size32 " data-emailit-url='https://privacyriskreport.com/new-nist-standards-allow-courts-and-legislatures-to-learn-the-language-of-data/' data-emailit-title='New NIST Standards Allow Courts And Legislatures To Learn The Language Of Data'>
<div class="e-mailit_btn_Facebook"></div>
<div class="e-mailit_btn_Twitter"></div>
<div class="e-mailit_btn_Send_via_Email"></div>
<div class="e-mailit_btn_Pinterest"></div>
<div class="e-mailit_btn_LinkedIn"></div>
<div class="e-mailit_btn_EMAILiT"></div></div>
</div><p>As courts and legislatures around the country struggle with issues related to data breaches, cyber, technology and privacy, they are finding a lack of standards to guide them through their struggles. Of course, a court may struggle to determine whether a duty was breached in a data breach case if there is no standard to determine what the duty is, what a breach is, or what constitutes data. Likewise, a legislature will not be able to create a statutory framework to protect its citizens if it does not speak the “language” of data protection.  Further, even if a court can understand the fundamentals related to a particular cyber issue, a court may find <a href="https://privacyriskreport.com/harmonization-of-federal-and-state-requirements-and-insurance-policy-conditions-may-take-time/" target="_blank">a patchwork of state and federal law may govern the analysis of that issue</a>.</p>
<p>A recent example was seen when the United States District for the District of Columbia was called upon to address questions related to a search warrant issued for electronically information stored on the “cloud.” Specifically, in <em>In Re Search Of Information Associated With [Redacted]@gmail.com That Is Stored At Premises Controlled By Google, Inc</em>., 2017 WL 3445634 (D.C. Cir. July 31, 2017 D) the D.C. District Court analyzed whether the government was entitled to data held by Google on its cloud. (“The basic legal question confronting us is not a total stranger to this Court. [citation omitted] With the growing interdependence of world trade and the increased mobility of persons and companies, the need arises not infrequently, whether related to civil or criminal proceedings, for the production of evidence located in foreign jurisdictions.”) In <em>Google</em>, the D.C. District Court summed up this issue as follows:</p>
<p><em>As a result, the judiciary and legislature have been challenged to keep up with precipitous advancements in technology and global interconnectedness. Traditional notions of “territoriality” and “jurisdiction” have been muddied, especially when it comes to determining the scope of statutes governing access and disclosure of electronic records and communications. The picture is murkier still with the advent of so-called “cloud” computing, which is “the capacity of Internet-connected devices to display data stored on remote servers rather than on the device itself.”</em></p>
<p>And, while grappling with these new technological concepts, courts are beginning to look to the few common standards available, such as those created by National Institute of Standards and Technology (“NIST”) to form the structure for their decisions. For example, the D.C. District Court relied on a definition of &#8220;cloud computing&#8221; found in the NIST standards.</p>
<p>In its simplest terms, as the NIST standards gain acceptance, we may soon see a court find liability for a cyber incident when a litigant fails to meet the NIST standards to safeguard data. Therefore, it is even more important to keep current on the NIST standards, which are constantly in transition, as these standards continue to be relied upon to determine legal duty and responsibility.</p>
<p>On August 15, 2017, the Department of Commerce released <a href="http://csrc.nist.gov/publications/drafts/800-53/sp800-53r5-draft.pdf" target="_blank">Draft NIST Publication 800-53, entitled, Security and Privacy Controls for Information Systems and Organizations, </a>which is intended to provide a “catalog of security and privacy controls for federal information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats including hostile attacks, natural disasters, structural failures, human errors, and privacy risks.”  The stated objectives of the NIST publication includes: “&#8230;to make the information systems we depend on more penetration resistant to attacks; limit the damage from attacks when they occur; and make the systems resilient and survivable.” And, in meeting these objectives, the NIST publication provides the following “key questions that should be answered by organizations when addressing their security and privacy concerns:</p>
<ul>
<li><em>What security and privacy controls are needed to satisfy the organization’s security and privacy requirements and to adequately manage risk? </em></li>
<li><em>Have the security and privacy controls been implemented or is there an implementation plan in place? </em></li>
<li><em>What is the desired or required level of assurance (i.e., confidence) that the selected security and privacy controls, as implemented, are effective in their application?”</em></li>
</ul>
<p>At this point, NIST is seeking public comment from August 15, 2017 through September 12, 2017. NIST anticipates having a final draft of this publication complete by October 2017 and a final version published by December 29, 2017.</p>
<p>While the NIST Standards are intended to create &#8220;minimum requirements for federal information systems,&#8221; these standards have proven to be the most-comprehensive set of standards for industries that have not adopted their own standards.  Consequently, we can expect to see courts and legislatures continue to borrow terms and concepts from NIST when there are no other standards to rely upon.   Further, insurers may soon require their insureds show they meet NIST standards during the application process as well as through the effective dates of coverage.</p>
<p>&nbsp;</p>
<p>&nbsp;</p>
<p>&nbsp;</p>
<div class="e-mailit_bottom_toolbox"><div class="e-mailit_toolbox square size32 " data-emailit-url='https://privacyriskreport.com/new-nist-standards-allow-courts-and-legislatures-to-learn-the-language-of-data/' data-emailit-title='New NIST Standards Allow Courts And Legislatures To Learn The Language Of Data'>
<div class="e-mailit_btn_Facebook"></div>
<div class="e-mailit_btn_Twitter"></div>
<div class="e-mailit_btn_Send_via_Email"></div>
<div class="e-mailit_btn_Pinterest"></div>
<div class="e-mailit_btn_LinkedIn"></div>
<div class="e-mailit_btn_EMAILiT"></div></div>
</div><p>The post <a rel="nofollow" href="https://privacyriskreport.com/new-nist-standards-allow-courts-and-legislatures-to-learn-the-language-of-data/">New NIST Standards Allow Courts And Legislatures To Learn The Language Of Data</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/new-nist-standards-allow-courts-and-legislatures-to-learn-the-language-of-data/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Law Firm Cyber Attack Is Involved In A &#8220;Series Of Mistaken Assumptions&#8221;</title>
		<link>https://privacyriskreport.com/law-firm-cyber-attack-is-involved-in-a-series-of-mistaken-assumptions/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=law-firm-cyber-attack-is-involved-in-a-series-of-mistaken-assumptions</link>
		<comments>https://privacyriskreport.com/law-firm-cyber-attack-is-involved-in-a-series-of-mistaken-assumptions/#comments</comments>
		<pubDate>Thu, 17 Aug 2017 16:17:26 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Contempt]]></category>
		<category><![CDATA[Court]]></category>
		<category><![CDATA[Cyber Attack]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[DLA Piper]]></category>
		<category><![CDATA[Jurors]]></category>
		<category><![CDATA[Law]]></category>
		<category><![CDATA[Legal]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1282</guid>
		<description><![CDATA[<div class="e-mailit_top_toolbox">
<div class="e-mailit_toolbox square size32 " data-emailit-url='https://privacyriskreport.com/law-firm-cyber-attack-is-involved-in-a-series-of-mistaken-assumptions/' data-emailit-title='Law Firm Cyber Attack Is Involved In A &#8220;Series Of Mistaken Assumptions&#8221;'>
<div class="e-mailit_btn_Facebook"></div>
<div class="e-mailit_btn_Twitter"></div>
<div class="e-mailit_btn_Send_via_Email"></div>
<div class="e-mailit_btn_Pinterest"></div>
<div class="e-mailit_btn_LinkedIn"></div>
<div class="e-mailit_btn_EMAILiT"></div>
</div>
</div>
<p>On June 27, 2017, the law firm DLA Piper (&#8220;law firm&#8221;) found itself to be one of many of targets of a recent global cyber attack. The attack reportedly did not compromise any client data.  Reports indicate that, even though email... <a class="more-link" href="https://privacyriskreport.com/law-firm-cyber-attack-is-involved-in-a-series-of-mistaken-assumptions/">Continue Reading &#8594;</a>
<div class="e-mailit_bottom_toolbox">
<div class="e-mailit_toolbox square size32 " data-emailit-url='https://privacyriskreport.com/law-firm-cyber-attack-is-involved-in-a-series-of-mistaken-assumptions/' data-emailit-title='Law Firm Cyber Attack Is Involved In A &#8220;Series Of Mistaken Assumptions&#8221;'>
<div class="e-mailit_btn_Facebook"></div>
<div class="e-mailit_btn_Twitter"></div>
<div class="e-mailit_btn_Send_via_Email"></div>
<div class="e-mailit_btn_Pinterest"></div>
<div class="e-mailit_btn_LinkedIn"></div>
<div class="e-mailit_btn_EMAILiT"></div>
</div>
</div>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/law-firm-cyber-attack-is-involved-in-a-series-of-mistaken-assumptions/">Law Firm Cyber Attack Is Involved In A &#8220;Series Of Mistaken Assumptions&#8221;</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<div class="e-mailit_top_toolbox"><div class="e-mailit_toolbox square size32 " data-emailit-url='https://privacyriskreport.com/law-firm-cyber-attack-is-involved-in-a-series-of-mistaken-assumptions/' data-emailit-title='Law Firm Cyber Attack Is Involved In A &#8220;Series Of Mistaken Assumptions&#8221;'>
<div class="e-mailit_btn_Facebook"></div>
<div class="e-mailit_btn_Twitter"></div>
<div class="e-mailit_btn_Send_via_Email"></div>
<div class="e-mailit_btn_Pinterest"></div>
<div class="e-mailit_btn_LinkedIn"></div>
<div class="e-mailit_btn_EMAILiT"></div></div>
</div><p><a href="http://fortune.com/2017/06/29/dla-piper-cyber-attack/" target="_blank">On June 27, 2017, the law firm DLA Piper (&#8220;law firm&#8221;) found itself to be one of many of targets of a recent global cyber attack. The attack reportedly did not compromise any client data.</a>  Reports indicate that, even though email service was disrupted by the attack, lawyers were still able to communicate through text messaging and telephone calls. This attack on the law firm, which by all accounts was aptly prepared for a cyber attack, demonstrates that no business is completely safe and incident response preparation will continue to be a key element in cyber security.</p>
<p>This cyber attack was discussed in a recent decision and provides further proof that data breaches should not be the only concern when considering cyber security.  In <em>Cone et. al. v. Hankook Tire Co.,</em> 2017 WL 3446295 (Aug. 10, 2017 W.D. Tenn.), the District Court for the Western District of Tennessee heard arguments during a show cause hearing on questions whether certain attorneys at the law firm, as counsel for the defendant, Hankook Tire (“Hankook”), should be held in contempt after jurors were mistakenly contacted after trial without the District Court&#8217;s permission.  While the attorney at the law firm was not held in contempt of court, the District Court made clear that cyber incident, which limited email communications, did not excuse the improper contact of jurors.</p>
<p>The conduct giving rise to the show cause hearing took place after a verdict was returned in favor of Hankook on June 30, 2017. At some point shortly after the case reached a verdict, the court clerk was informed that a “jury researcher” had contact with some of the jurors.  This contact violated the local rules because the parties did not have permission from the District Court to contact jurors to discuss the case.  On July 20, 2017, the District Court issued an order requiring the parties provide information on the jury researcher.</p>
<p>In response to the order seeking information on the jury researcher, counsel for Hankook filed a statement confirming they hired the jury researcher that followed up with the jurors. However, the response filed by Hankook made clear that one of its attorneys (&#8220;Sender Attorney&#8221;) put into motion a “series of mistaken assumptions” that resulted in the jurors being contacted without the District Court’s permission.  The response indicated the jurors were contacted under the following circumstances:</p>
<ul>
<li>On June 27, 2017, prior to the conclusion of the trial, the law firm suffered a cyber attack, disabling the firm’s email.</li>
<li>On July 3, 2017, Sender Attorney emailed the jury researcher to inform them that a favorable verdict was returned for Hankook. Sender Attorney copied another attorney at his firm (&#8220;Copied Attorney&#8221;) on this email. The jury researcher responded on the same day asking whether they could contact the jurors. Sender Attorney stated that he thought the jury should be contacted unless the Copied Attorney disagreed.</li>
<li>On the day after the trial ended, the Copied Attorney was traveling to South Korea and never saw the emails discussing whether the jury researcher should contact the jurors.  The Copied Attorney&#8217;s email was not restored until some point after Sender Attorney&#8217;s email had been sent.</li>
</ul>
<p>Based on this timeline, Copied Attorney was not aware of Sender Attorney&#8217;s email until some point after the District Court issued the order seeking information on how jurors were contacted after the trial. Copied Attorney further stated that if he would have seen the emails, he would have instructed Sender Attorney to reach out to the other attorneys working on Hankook’s defense to determine if the jurors could be contacted by the jury researcher.  Unfortunately, with Copied Attorney silent on the issue, Sender Attorney and the jury researcher “mistakenly assumed” there was no reason to hold off on contacting the jurors.</p>
<p>The District Court found that Sender Attorney&#8217;s violation of the local rules was the result of “a series of questionable assumptions,” but did not rise to the level of contempt of court. While the holding in <em>Cone</em> may have little or no impact on the overall case, the District Court’s finding that there was a series of mistaken assumptions illustrates the impact that a cyber incident may have on the daily operations of any business.  In short, this cyber attack is further proof that we will likely continue to see cyber incidents causing communication disruptions in a variety of businesses.</p>
<div class="e-mailit_bottom_toolbox"><div class="e-mailit_toolbox square size32 " data-emailit-url='https://privacyriskreport.com/law-firm-cyber-attack-is-involved-in-a-series-of-mistaken-assumptions/' data-emailit-title='Law Firm Cyber Attack Is Involved In A &#8220;Series Of Mistaken Assumptions&#8221;'>
<div class="e-mailit_btn_Facebook"></div>
<div class="e-mailit_btn_Twitter"></div>
<div class="e-mailit_btn_Send_via_Email"></div>
<div class="e-mailit_btn_Pinterest"></div>
<div class="e-mailit_btn_LinkedIn"></div>
<div class="e-mailit_btn_EMAILiT"></div></div>
</div><p>The post <a rel="nofollow" href="https://privacyriskreport.com/law-firm-cyber-attack-is-involved-in-a-series-of-mistaken-assumptions/">Law Firm Cyber Attack Is Involved In A &#8220;Series Of Mistaken Assumptions&#8221;</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/law-firm-cyber-attack-is-involved-in-a-series-of-mistaken-assumptions/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>App Users Throw Transit Provider Under The Bus On Privacy Issues And Use Of Data</title>
		<link>https://privacyriskreport.com/app-users-throw-transit-provider-under-the-bus-on-privacy-issues-and-use-of-data/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=app-users-throw-transit-provider-under-the-bus-on-privacy-issues-and-use-of-data</link>
		<comments>https://privacyriskreport.com/app-users-throw-transit-provider-under-the-bus-on-privacy-issues-and-use-of-data/#comments</comments>
		<pubDate>Thu, 01 Jun 2017 20:27:08 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[Law]]></category>
		<category><![CDATA[Legal]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[Transit]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1210</guid>
		<description><![CDATA[<div class="e-mailit_top_toolbox">
<div class="e-mailit_toolbox square size32 " data-emailit-url='https://privacyriskreport.com/app-users-throw-transit-provider-under-the-bus-on-privacy-issues-and-use-of-data/' data-emailit-title='App Users Throw Transit Provider Under The Bus On Privacy Issues And Use Of Data'>
<div class="e-mailit_btn_Facebook"></div>
<div class="e-mailit_btn_Twitter"></div>
<div class="e-mailit_btn_Send_via_Email"></div>
<div class="e-mailit_btn_Pinterest"></div>
<div class="e-mailit_btn_LinkedIn"></div>
<div class="e-mailit_btn_EMAILiT"></div>
</div>
</div>
<p>A class action complaint was filed against BART, the San Francisco Bay Area Rapid Transit District, on May 22, 2017 in the District Court for the Northern District of California alleging BART created a “clandestine collection of private cell phone... <a class="more-link" href="https://privacyriskreport.com/app-users-throw-transit-provider-under-the-bus-on-privacy-issues-and-use-of-data/">Continue Reading &#8594;</a>
<div class="e-mailit_bottom_toolbox">
<div class="e-mailit_toolbox square size32 " data-emailit-url='https://privacyriskreport.com/app-users-throw-transit-provider-under-the-bus-on-privacy-issues-and-use-of-data/' data-emailit-title='App Users Throw Transit Provider Under The Bus On Privacy Issues And Use Of Data'>
<div class="e-mailit_btn_Facebook"></div>
<div class="e-mailit_btn_Twitter"></div>
<div class="e-mailit_btn_Send_via_Email"></div>
<div class="e-mailit_btn_Pinterest"></div>
<div class="e-mailit_btn_LinkedIn"></div>
<div class="e-mailit_btn_EMAILiT"></div>
</div>
</div>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/app-users-throw-transit-provider-under-the-bus-on-privacy-issues-and-use-of-data/">App Users Throw Transit Provider Under The Bus On Privacy Issues And Use Of Data</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<div class="e-mailit_top_toolbox"><div class="e-mailit_toolbox square size32 " data-emailit-url='https://privacyriskreport.com/app-users-throw-transit-provider-under-the-bus-on-privacy-issues-and-use-of-data/' data-emailit-title='App Users Throw Transit Provider Under The Bus On Privacy Issues And Use Of Data'>
<div class="e-mailit_btn_Facebook"></div>
<div class="e-mailit_btn_Twitter"></div>
<div class="e-mailit_btn_Send_via_Email"></div>
<div class="e-mailit_btn_Pinterest"></div>
<div class="e-mailit_btn_LinkedIn"></div>
<div class="e-mailit_btn_EMAILiT"></div></div>
</div><p>A class action complaint was filed against BART, the San Francisco Bay Area Rapid Transit District, on May 22, 2017 in the District Court for the Northern District of California alleging BART created a “clandestine collection of private cell phone identifiers.” In particular, the plaintiffs claim the “BART Watch APP”—a mobile application that provided users with transit information and the ability to contact the police—collected private data in violation of California’s privacy laws. Elerts Corporation, the software developer, was also named as a defendant for its development of the App.</p>
<p>The Plaintiffs claim that “a detailed review of the BART Watch App reveals that Defendants have been using it to secretly collect Californians’ unique mobile device identification numbers…and periodically track their location.” The Plaintiffs further allege that “by collecting the device identification numbers, locations, and other personal information…Defendants have amassed a trove of data through the App.” And, Plaintiffs claim that these actions by BART and BART Police are prohibited under California law.</p>
<ul>
<li><strong>Privacy concerns over law enforcement tracking and collecting cell phone data </strong></li>
</ul>
<p>Some background is needed on “government surveillance technology” to fully understand the substance of Plaintiffs’ claims. The Complaint addresses news reports in March 2014 about California law enforcement agencies using “Stingray” devices to track and collect cell phone data in a given area. As the reporting on Stingray devices increased, the California legislature took steps to limit the use of Stingrays and similar data collecting technology in California. The Legislature sought to limit “the government’s use of communications interception technologies to ‘collect a variety of data about ‘caught’ cell phones, particularly the phone’s unique numeric identifier and its physical location.”</p>
<ul>
<li><strong>Alleged privacy concerns with BART’s Watch App</strong></li>
</ul>
<p>The Complaint alleges that “[a] forensic review of the App and how it communicates with Defendants’ servers reveals the BART Watch App was programmed to operate just as the communications interception technologies the California Legislature has warned of.” That is, the Plaintiffs assert that the App improperly collects data from users&#8217; cell phones including “the phone’s unique numeric identifier and its physical location.”   The Plaintiffs further assert the App violates users&#8217; privacy when contact information entered by a user is combined with the phones unique numeric identifier. In short, plaintiffs claim the App results in collecting “a host of identifying, tracking, and sensitive data” from users without their permission.</p>
<p>The Third Cause of Action, entitled Violation of Privacy Rights, claims the BART Watch App violates Article I of the California Constitution which “protects citizens against unwanted access to data by electronic and covert means&#8230;” This provisions of the California Constitution provides that “All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy.” The Plaintiff’s theory against BART is that the California Legislature recognized that “governmental agencies’ unchecked power to track a ‘phone’s unique numeric identifier and its physical location’” posed a threat to the public. The Legislature attempted to address this threat by enacting such laws as the Cellular Communications Interception Act.  That is, the Plaintiffs claim that BART has created this App which is “masquerading as a transit app that secretly collects” Californians’ private information in an effort to get around the Legislature&#8217;s attempt to safeguard this data.</p>
<ul>
<li><strong>Impact of this litigation</strong></li>
</ul>
<p>The practical impact of this litigation may, admittedly, be limited in scope.  Plaintiff&#8217;s first cause of action is based on allegations that BART violated the Cellular Communications Interception Act.  This Act required BART to install proper procedures and practices to safeguard user data.  Consequently,  the outcome of this litigation may be limited to data collectors gathering information through cellular communications.  Further, the Plaintiffs&#8217; action is based on the concern over the collection of private data by governmental agencies.</p>
<p>However, while this litigation may offer the most insight for cellular data collection by governmental agencies, private data collectors should not ignore the substance of these allegations.  A number of the allegations in the Complaint call into question whether users were properly informed how their data would be used by BART or other governmental agencies.  That is, the Complaint alleges that privacy disclosures were not easily accessible for users to review before agreeing to download the App.  Regardless of whether the allegations are true against BART, this litigation makes clear that data collectors have a fiduciary responsibility to use data for the exact purpose the data was provided and nothing more.</p>
<div class="e-mailit_bottom_toolbox"><div class="e-mailit_toolbox square size32 " data-emailit-url='https://privacyriskreport.com/app-users-throw-transit-provider-under-the-bus-on-privacy-issues-and-use-of-data/' data-emailit-title='App Users Throw Transit Provider Under The Bus On Privacy Issues And Use Of Data'>
<div class="e-mailit_btn_Facebook"></div>
<div class="e-mailit_btn_Twitter"></div>
<div class="e-mailit_btn_Send_via_Email"></div>
<div class="e-mailit_btn_Pinterest"></div>
<div class="e-mailit_btn_LinkedIn"></div>
<div class="e-mailit_btn_EMAILiT"></div></div>
</div><p>The post <a rel="nofollow" href="https://privacyriskreport.com/app-users-throw-transit-provider-under-the-bus-on-privacy-issues-and-use-of-data/">App Users Throw Transit Provider Under The Bus On Privacy Issues And Use Of Data</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/app-users-throw-transit-provider-under-the-bus-on-privacy-issues-and-use-of-data/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Take This Job And Shove It—Oh, But First Can I Get My Family Pictures and iTunes Off My Work Phone?</title>
		<link>https://privacyriskreport.com/take-this-job-and-shove-it-oh-but-first-can-i-get-my-family-pictures-and-itunes-off-my-work-phone/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=take-this-job-and-shove-it-oh-but-first-can-i-get-my-family-pictures-and-itunes-off-my-work-phone</link>
		<comments>https://privacyriskreport.com/take-this-job-and-shove-it-oh-but-first-can-i-get-my-family-pictures-and-itunes-off-my-work-phone/#comments</comments>
		<pubDate>Thu, 20 Apr 2017 18:24:01 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Cell Phone]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[Law]]></category>
		<category><![CDATA[Legal]]></category>
		<category><![CDATA[Mobile]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1177</guid>
		<description><![CDATA[<div class="e-mailit_top_toolbox">
<div class="e-mailit_toolbox square size32 " data-emailit-url='https://privacyriskreport.com/take-this-job-and-shove-it-oh-but-first-can-i-get-my-family-pictures-and-itunes-off-my-work-phone/' data-emailit-title='Take This Job And Shove It—Oh, But First Can I Get My Family Pictures and iTunes Off My Work Phone?'>
<div class="e-mailit_btn_Facebook"></div>
<div class="e-mailit_btn_Twitter"></div>
<div class="e-mailit_btn_Send_via_Email"></div>
<div class="e-mailit_btn_Pinterest"></div>
<div class="e-mailit_btn_LinkedIn"></div>
<div class="e-mailit_btn_EMAILiT"></div>
</div>
</div>
<p>Technology in the workplace has developed to a point where we now have our personal data and our employer&#8217;s data commingled on the same devices.  We may now see employees using work phones to store personal numbers and family pictures... <a class="more-link" href="https://privacyriskreport.com/take-this-job-and-shove-it-oh-but-first-can-i-get-my-family-pictures-and-itunes-off-my-work-phone/">Continue Reading &#8594;</a>
<div class="e-mailit_bottom_toolbox">
<div class="e-mailit_toolbox square size32 " data-emailit-url='https://privacyriskreport.com/take-this-job-and-shove-it-oh-but-first-can-i-get-my-family-pictures-and-itunes-off-my-work-phone/' data-emailit-title='Take This Job And Shove It—Oh, But First Can I Get My Family Pictures and iTunes Off My Work Phone?'>
<div class="e-mailit_btn_Facebook"></div>
<div class="e-mailit_btn_Twitter"></div>
<div class="e-mailit_btn_Send_via_Email"></div>
<div class="e-mailit_btn_Pinterest"></div>
<div class="e-mailit_btn_LinkedIn"></div>
<div class="e-mailit_btn_EMAILiT"></div>
</div>
</div>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/take-this-job-and-shove-it-oh-but-first-can-i-get-my-family-pictures-and-itunes-off-my-work-phone/">Take This Job And Shove It—Oh, But First Can I Get My Family Pictures and iTunes Off My Work Phone?</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<div class="e-mailit_top_toolbox"><div class="e-mailit_toolbox square size32 " data-emailit-url='https://privacyriskreport.com/take-this-job-and-shove-it-oh-but-first-can-i-get-my-family-pictures-and-itunes-off-my-work-phone/' data-emailit-title='Take This Job And Shove It—Oh, But First Can I Get My Family Pictures and iTunes Off My Work Phone?'>
<div class="e-mailit_btn_Facebook"></div>
<div class="e-mailit_btn_Twitter"></div>
<div class="e-mailit_btn_Send_via_Email"></div>
<div class="e-mailit_btn_Pinterest"></div>
<div class="e-mailit_btn_LinkedIn"></div>
<div class="e-mailit_btn_EMAILiT"></div></div>
</div><p>Technology in the workplace has developed to a point where we now have our personal data and our employer&#8217;s data commingled on the same devices.  We may now see employees using work phones to store personal numbers and family pictures while they store work information on our equipment at home.  This commingling of data and equipment is usually not a problem until an employee leaves their position and the employer must decipher what equipment and data the employee has a right to take with them. It is becoming increasingly clear that employee training, including discussions of acceptable uses of employer equipment and data, are the best way to avoid conflicts when an employee departs.</p>
<p>One case in particular demonstrates the confusion that may arise when an employee commingles work and personal data with work and personal equipment.  On April 12, 2017, the California Court of Appeals in <em>Mendez v. Piper</em>, (unpublished) 2017 WL 1350770, Monterey County Super. Ct. No. M113943 (2017), found an employer failed to prove that an employee violated California law when the employee copied his own personal data from a hard drive owned by the employer after the employee quit his job. This case was originally filed by the employee, John Mendez (“Mendez”) when his former employer, Piper Environmental Group (“PEG”) and Mendez&#8217;s former wife, Jane Piper (“Piper”) (also the CEO of Piper), told Mendez’s prospective employers that he was barred from divulging trade secrets and could not take employment without violating his marital settlement agreement with Piper.</p>
<p>Mendez sought a judicial declaration and an injunction against PEG while PEG filed a cross-complaint based on allegations that Mendez breached a fiduciary duty and that he violated a confidentiality agreement with PEG. Both the trial court and appellate court dedicated a substantial portion of its analysis to the question of whether Mendez’s alleged copying, using and altering of confidential information stored on PEG computer equipment violated the Uniform Trade Secrets Act, <a href="https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?sectionNum=502.&amp;lawCode=PEN">Penal Code section 502.</a></p>
<p>Section 502 provides in relevant part:</p>
<p>CHAPTER 5. Larceny [484 &#8211; 502.9]</p>
<p><em>( Chapter 5 enacted 1872. )</em></p>
<p>(a) It is the intent of the Legislature in enacting this section to expand the degree of protection afforded to individuals, businesses, and governmental agencies from tampering, interference, damage, and unauthorized access to lawfully created computer data and computer systems. The Legislature finds and declares that the proliferation of computer technology has resulted in a concomitant proliferation of computer crime and other forms of unauthorized access to computers, computer systems, and computer data.</p>
<ul>
<li><strong>Mendez’s Employment And Termination</strong></li>
</ul>
<p>Mendez testified that during his employment he would have been considered PEG&#8217;s “computer system administrator.” PEG allowed employees, including Mendez, to store personal and business data on PEG’s computer system. As part of his duties, Mendez testified that he set up an external drive at his residence and backed up PEG data to a company laptop which he brought home and copied the data to the external drive at his residence. Mendez further testified that his backups included all files, including Mendez’s personal and business data.</p>
<p>At some point, PEG hired a chief financial officer and it quickly became clear that Mendez’s service was no longer needed at PEG. The chief financial officer testified at trial that he believed it was his responsibility to find out as much as possible about PEG’s computer system in order to prepare for Mendez’s departure from PEG. After applying “pressure” on Mendez, Mendez ultimately quit his position at PEG.</p>
<ul>
<li><strong>Dispute Over Backup Data </strong></li>
</ul>
<p>While at a hearing concerning Mendez’s unemployment benefits, PEG’s attorney asked Mendez to return the laptop that Mendez used in the backup process. Shortly after his discussion, Mendez purchased a new computer and transferred the files from the laptop to his new computer. Mendez “wiped” his personal information from the hard drive of the laptop and left only the operating system because he originally planned on donating the laptop. However, after PEG was able to prove that it paid for the laptop, Mendez returned the laptop to PEG after it Mendez had removed his information.</p>
<ul>
<li><strong>PEG’S Insufficient Evidentiary Support</strong></li>
</ul>
<p>The trial court found that PEG failed to carry its burden to prove Mendez had violated section 502 by accessing, copying, using or altering PEG’s data without permission. The California Court of Appeals affirmed the trial court’s findings on the following basis:</p>
<p>o   <u>PEG failed to show Mendez copied data belonging to PEG</u></p>
<p>The trial court found PEG failed to meet its burden when it provided no evidence that Mendez knowingly copied files belonging to PEG. Rather, Mendez testified that the only data he copied was data he owned. Further, the court rejected testimony proffered by PEG’s forensic computer expert to the extent this expert was “an expert in identifying which files were present on a computer and when files had been accessed, copied, or deleted, but he was not an expert on which files contained PEG’s data.” The Court of Appeals found evidence to support the trial court’s finding that “Mendez accessed the hard drive in order to retrieve his personal information (which was properly on the computer).”</p>
<p>o   <u>PEG failed to show Mendez acted without permission in retrieving his data. </u></p>
<p>The court also rejected PEG’s assertion that Mendez needed its permission to retrieve personal data of the laptop after his employment was terminated. In support of its findings, the court held that “[f]or the purposes of storing documents and photos, a computer is akin to a filing cabinet or desk.” In support of its decision, the court further noted:</p>
<p>We believe that when an employer expressly or implicitly authorizes an employee to personalize his or her workspace with personal property, the employee has implicit authority to remove such personal property upon separation from employment (within any parameters reasonably needed to protect coworkers and the employer’s property). The employer does not acquire ownership of the employee’s personal property by some kind of adverse possession. We see no reason why the same principle should not apply to an employee’s personal information when it is stored on a work computer system. As the trial court implicitly concluded, Mendez had permission to retrieve his personal data from the external drive. In any event, it was PEG’s burden to prove Mendez acted without permission, not his burden to prove he had permission.</p>
<p>Based on this reasoning, the Court of Appeals affirmed the trial court’s decision that PEG failed to meet its burden of proof and that the data stored by the employee belonged to the employee.</p>
<ul>
<li> <strong>Employee Training Is Key</strong></li>
</ul>
<p>This is not the first time we have seen disputes arise over data when an employee is terminated. For example, <a href="https://privacyriskreport.com/recent-litigation-provides-example-of-password-being-possibly-too-safe/">we have seen disputes involving account passwords </a>where, after being terminated, the sole person that has possession of important workplace passwords demands money to provide the passwords to his former employer.  These situations are avoidable if employees and employers take the time before the stress of employee&#8217;s departure to determine how personal and business data and equipment should be treated.  Further, these issues could be addressed during quarterly meetings employers should have with employees to address data and privacy issues in the workplace. Even though the<em> Mendez</em> court found a computer is similar to a filing cabinet or a desk, the proper use of an employer&#8217;s computer should receive more discussion than the use of a filing cabinet.</p>
<p>The Illinois Personal Information Protection Act requires &#8220;Data Collectors&#8221; to take &#8220;reasonable measures&#8221; to protect data.  Contact <a href="http://www.tresslerllp.com/attorneys/attorney-details/todd-rowe">Todd M. Rowe</a> at Tressler LLP to discuss how employee meetings can be used to further ensure you are protecting data.</p>
<p>&nbsp;</p>
<p>&nbsp;</p>
<p>&nbsp;</p>
<div class="e-mailit_bottom_toolbox"><div class="e-mailit_toolbox square size32 " data-emailit-url='https://privacyriskreport.com/take-this-job-and-shove-it-oh-but-first-can-i-get-my-family-pictures-and-itunes-off-my-work-phone/' data-emailit-title='Take This Job And Shove It—Oh, But First Can I Get My Family Pictures and iTunes Off My Work Phone?'>
<div class="e-mailit_btn_Facebook"></div>
<div class="e-mailit_btn_Twitter"></div>
<div class="e-mailit_btn_Send_via_Email"></div>
<div class="e-mailit_btn_Pinterest"></div>
<div class="e-mailit_btn_LinkedIn"></div>
<div class="e-mailit_btn_EMAILiT"></div></div>
</div><p>The post <a rel="nofollow" href="https://privacyriskreport.com/take-this-job-and-shove-it-oh-but-first-can-i-get-my-family-pictures-and-itunes-off-my-work-phone/">Take This Job And Shove It—Oh, But First Can I Get My Family Pictures and iTunes Off My Work Phone?</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/take-this-job-and-shove-it-oh-but-first-can-i-get-my-family-pictures-and-itunes-off-my-work-phone/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
