Do you and your firm have adequate cybersecurity to prevent yourself (and your confidential client data) from getting hacked?
On Wednesday, December 7, at 11:00 a.m. Pacific, Richard Lutkus, a partner in Seyfarth Shaw’s eDiscovery and Information Governance Practice; and Joseph Martinez, Chief Technology Officer and Vice President of Forensics, eDiscovery & Information Security
Cross Posted from Employment Law Lookout
Your employees may be on a quest to catch ‘em all. Over 15 million people have downloaded the Pokémon GO game since its release two weeks ago. In this augmented reality game, players use their mobile devices to catch Pokémon characters in real-life locations captured by the camera in a user’s cellular phone. Though the game is very popular with Pokémon GO players, employers may not like the game quite so much.
Data And Security Concerns
There are data security concerns that arise from use of the Pokémon GO app.
First, users that want to play Pokémon Go must sign in to the app. There are two ways to do so—through an existing Google account, or through an existing Pokémon Trainer Club Account. Up until very recently, the Pokémon website did not allow users to sign up for Pokémon Trainer Club Accounts due to overwhelming demand. Thus, for most people, the only way to play Pokémon GO was by signing in to the app with their Google accounts. Even though the option to create a Trainer Club Account is now available, doing so requires more time and effort than signing in through an existing Google account.
Continue Reading Pokémon NO: New App Creates Risks For Employers
Cross Posted from California Peculiarities Employment Law Blog
Hernandez v. Sprouts Farmers Market, Inc., a case stemming from a phishing scam, emphasizes the need for California employers to implement comprehensive data protection and data breach notification policies and practices for personal employee information under the CDPA.
A story of a company suffering a data breach tops newspaper headlines almost daily. So how can you stay out of the “fuego,” and stay compliant with California laws about your employees’ and customers’ data?
California’s Data Protection Act—“Army Of One”
In 2003 California passed the nation’s first data breach notification statute: the CDPA. Since then, over 30 states have enacted similar statutes, but California remains the national leader in privacy and data security standards.
The CDPA mandates that any business that “owns or licenses personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” And it requires a company to notify affected individuals of a data breach “in the most expedient time possible and without unreasonable delay.”
Continue Reading Phishing: Data Breach Is “Chalkdust Torture”
In his “Data Is a Toxic Asset” blog post, Bruce Schneier argues that data is a toxic asset and that the lesson all the recent data breaches are teaching us is that storing this asset is “dangerous,” because it makes companies vulnerable to hackers, the government, and employee error. Schneier suggests addressing data breaches through stronger regulation at every stage of the data lifecycle and through personal liability of corporate executives. “Data is a toxic asset,” concludes Schneier, “We need to start thinking about it as such, and treat it as we would any other source of toxicity. To do anything else is to risk our security and privacy.”
Calling data a “toxic asset” sensationalizes the data-security conversation into alarmist territory. The term “toxic asset” has a certain meaning in financial circles and typically refers to assets that become illiquid when they no longer can be sold on a secondary market. This hardly applies to data, which is more of a lifeblood for corporations than toxic asset.
Continue Reading Is Data Really a “Toxic” Asset?
The U.S. Financial Crimes Enforcement Network (FinCEN) and the China Anti-Money Laundering Monitoring and Analysis Center (CAMLMAC) recently signed a Memorandum of Understanding (MOU) to create a “framework to facilitate expanded U.S.-China collaboration, communication, and cooperation” between each agency’s financial intelligence units (FIUs). News Release (December 11, 2015).
In announcing the MOU, FinCEN Director Jennifer
In an interim final rule published on October 2, another layer has been added to the compliance landscape for defense contractors. In addition to complying with breach notification requirements in as many as 47 different states in the event of a breach involving personally identifiable information, Department of Defense contractors now have to comply with the rapid notification rules issues by DOD in the even of a cyber incident involving covered defense information. These rules are noteworthy in that they require DOD contractors to report cyber incidents within 72 hours of discovering the incident. Most state breach notification statutes do not require that individuals be notified of a breach within a specific number of days and the few state statutes that do have such a requirement contain a much more lenient timeframe of 45 to 90 days.
Continue Reading Defense Contractors – Under the DOD’s Interim Rule, It Is Time Once Again To Update Your Data Breach Response Plans
With the recent uptick in the U.S. of lawsuits filed as a result of a data breaches, state legislators in the U.S. have been busy updating the many different state laws that dictate how a company must respond if they have been hacked and personal information has been compromised. With no comprehensive federal law that sets forth a uniform compliance standard, companies operating in the U.S. must comply with a patchwork of 47 different states laws that set forth a company’s obligations in the event of a data breach.
Additionally, the trend is to have more than just notice requirements. Now companies have to develop proactive steps they must take to avoid a data breach in the first place. We first saw this with the Massachusetts law, and the model is expanding.Continue Reading Information Security Policies and Data Breach Response Plans – If You Updated Yours In June, It’s Already Obsolete
In any case involving a data breach of customer or employee information, the first line of defense for the defendant is to assert that the plaintiff(s) lack standing to bring suit. In Remijas v. Neiman Marcus Group, the Seventh Circuit became the first United States Court of Appeals to tackle the issue of standing in the context of data breach litigation since the Supreme Court’s pronouncement on standing in Clapper.
Continue Reading 7th Circuit – Alleged Injuries Can Confer Standing In Data Breach Suit
Over the past few years, users have become increasingly aware of the inherent dangers of connecting to unsecured Wi-Fi networks. Unfortunately, existing security vulnerabilities in the underlying network hardware may still open a user’s computer to security issues.
Recently, Wired reported that security firm Cylance discovered a vulnerability in a specific brand of network routers deployed throughout many hotel chains throughout the world that could allow someone to install malware on guest’ computers, analyze and record data transferred over the network, and possibly access the hotel’s reservation and keycard systems. Researchers were able to locate 277 vulnerable routers in 29 different countries across and over 100 of them were located within the United States.
Continue Reading Travel Wi-Fi and Security. You May Not Know Who’s Watching.
With the FTC’s 2015 report “Internet of Things: Privacy & Security in a Connected World” (“Report”) the idea that more than just computers and phones are able to connect to the Internet. In fact, the Report states that the “IoT explosion is already around us.” This is true, and the Report goes on to describe some of the more interesting things that can be connected to the Internet which most of us don’t think about (e.g. smart health trackers, smoke detectors, and light bulbs). However, how vast is the actual IoT? And what does that mean to businesses?
Continue Reading How Far Does the “Internet of Things” Reach?