In the Information Age, an increasing amount of data is communicated, stored, and shared electronically, and legal agreements are no exception. Digital agreements are more convenient, environmentally friendly, and are cheaper than their paper counterparts, making them the medium of choice for online businesses and Internet users alike. But, while fewer and fewer agreements are being printed, mailed, and physically signed, their ramifications are no less real. As with any other agreement, properly constructing the terms of a digital agreement is crucial if it is to serve its purpose as a legally-enforceable contract. How then should we design our websites and agreements to leave them enforceable, but without destroying the ease of use that is their biggest advantage? Continue Reading
It seems that everyone accepts credit cards nowadays – including the farmer who sells produce at my local farmer’s market (which I appreciate because I never have cash)! Anyone who accepts credit cards or debit cards, even a sole proprietor who processes a small number of transactions, must be in compliance with the Payment Card Industry Data Security Standards (“PCI DSS”). Many small businesses may not have heard of the PCI DSS or assume that the requirements do not apply to them or that compliance is too expensive. To the contrary, all merchants that accept credit cards must comply with the PCI DSS, and the costs of a breach generally outweigh the time and expense to set up a secure and compliant card payment system in the first place. Continue Reading
Antiquated privacy laws are haunting businesses that base their privacy policies on current statutory language. Most laws intended to protect individuals’ privacy rights were designed with decades-old technology in mind. While this problem has been gaining attention for its impact on individuals’ privacy rights, businesses have also felt the effect of archaic privacy laws. Due to the public’s overwhelmingly favorable views toward privacy rights, businesses are becoming increasingly vulnerable to distorted interpretations of outdated laws. Continue Reading
For the first time in its enforcement history, the Consumer Financial Protection Bureau (“CFPB”) took action against a company for deceiving consumers about the company’s data security practices. The CFPB found that Dwolla, Inc. (“Dwolla”), an online payment system, made numerous false promises about the strength and extent of its data security practices. The CFPB’s action is also notable because the agency acted preemptively — Dwolla had never detected a data breach and no consumer data had been reported stolen.
The CFPB found that Dwolla claimed on its website and in direct communications with consumers that its data security practices “exceed” or “surpass” industry security standards; but, in reality, Dwolla failed to employ reasonable security measures to protect consumer data. In addition, Dwolla claimed that “all information is securely encrypted and stored” and that its mobile applications were safe and secure. However, the CFPB found that Dwolla did not encrypt certain sensitive consumer information and released applications to the public before testing that they were secure. The agency found several other examples of statements Dwolla made that could not be established as true. Continue Reading
Your business is an international company selling products to U.S. consumers. In the last few years, you may have heard a lot about high-profile information privacy and security cases brought by the U.S. government. Should you be concerned? Most definitely.
On Feb. 23, 2016, the FTC announced that Taiwan-based computer hardware maker ASUSTeK Computers, Inc. (“ASUS”) agreed to a 20-year consent order, resolving claims that it engaged in unfair and deceptive practices in connection with routers it sold to U.S. consumers. According to the FTC’s complaint, ASUS failed to take reasonable steps to secure the software for its routers, which it offered to consumers specifically for protecting their local networks and accessing their sensitive personal information. The FTC alleged that ASUS’s router firmware and admin console were susceptible to a number of “well-known and reasonably foreseeable vulnerabilities”; that its cloud applications included multiple vulnerabilities that would allow cyber attackers to gain easy, unauthorized access to consumers’ files and router login credentials; and that the application encouraged consumers to choose weak login credentials. By failing to take reasonable actions to remedy these issues, ASUS subjected its customers to a significant risk that their sensitive personal information and local networks would be subject to unauthorized access. Continue Reading
You may have a top-notch security incident response plan and a crack team for data breach response…but have you checked to be sure that your company’s HR policies are on the same team with you? Personnel Management is one of the most important—yet often overlooked—of the 10 activity channels for effective data breach response. In the crunch of handling an actual data security incident, your company’s HR policies will either pave or block the road to a nimble, successful response.
Of course, various policies are important for prevention of data security breaches, including policies for such matters as authorized computer systems, e-communications, and Internet use; authorized data and system access; strong passwords; use of encryption and encryption keys; mobile device safeguards; precluding or limiting storage of company data on home or other personal devices; and the like. But other policy provisions are essential for effective security breach response: Continue Reading
In this series on defining your company’s information security classifications, we’ve already looked at Protected Information under state PII breach notification statutes, and PHI under HIPAA. What’s next? Customer information that must be safeguarded under the Gramm-Leach-Bliley Act (GLBA), a concern for any “financial institution” under GLBA.
GLBA begins with an elegant, concise statement of congressional policy: “each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.” Sounds straightforward, doesn’t it? Things get complicated, though, for three reasons: (1) the broad scope of what constitutes a “financial institution” subject to GLBA; (2) the byzantine structure of regulators authorized under GLBA to issue rules and security standards and to enforce them; and (3) the amorphous definition of nonpublic customer information. Continue Reading
The Cybersecurity Act of 2015, signed into law on Dec. 18, has four titles that address longstanding concerns about cybersecurity in the United States, such as cybersecurity workforce shortages, infrastructure security, and gaps in business knowledge related to cybersecurity. This post distills the risks and highlights the benefits for private entities that may seek to take advantage of Title I of the Cybersecurity Act of 2015 – the Cybersecurity Information Sharing Act of 2015 (“CISA”).
It’s been clear for many years that greater information-sharing between companies and with the government would help fight cyber threats. The barriers to such sharing have been (1) liability exposure for companies that collect and share such information, which can include personally identifiable information, and (2) institutional and educational impediments to analyzing and sharing information effectively.
CISA is designed to remove both of these information-sharing barriers. First, CISA provides immunity to companies that share “cyber threat indicators and defensive measures” with the federal government in a CISA-authorized manner. Second, CISA authorizes, for a “cybersecurity purpose,” both use and sharing of defensive measures and monitoring of information systems. CISA also mandates that federal agencies establish privacy protections for shared information and publish procedures and guidelines to help companies identify and share cyber threat information. Notably, companies are not required to share information in order to receive information on “threat indicators and defensive measures,” nor are entities required to act upon information received – but this won’t shield companies from ordinary ‘failure to act’ negligence claims. Continue Reading
Marvel fans know that Captain America’s shield is extraordinary, but exactly what it’s made of remains unknown – Vibranium? Adamantium? Unobtanium (oops, wrong movie)? For the time being, similar mystery shrouds the specifics of the new EU-U.S. Privacy Shield. Four months ago we posted on the European Court of Justice’s ruling that the U.S.-EU Safe Harbor was invalid. This Tuesday the European Commissioner announced negotiations with the U.S. had successfully yielded a new vehicle for compliant cross-border transfers of EU residents’ personal data, dubbed the EU-U.S. Privacy Shield. But until details of the new vehicle are disclosed, the specific features of the Privacy Shield remain murky. Continue Reading
All encryption tools are not created equal. Just ask the folks at Microsoft, who have recently demonstrated that encrypted Electronic Medical Record databases can leak information. Turns out that CryptDB, a SQL database add-on developed at MIT that allows searching of encrypted data, allows search queries to be combined with information in the public domain to hack the database. More on this in a minute. In the meantime, let’s consider the assumption that encryption is inviolate/ infrangible/ impervious to hacks. As I mentioned in an earlier post, encryption algorithms are too complex for most laypersons to understand, but we should at least wrap our heads around the concept that encryption is not a “set it and forget it” technology, nor is it foolproof. Continue Reading