Houston (Astros), We Have a Problem


Those in the privacy and data security (or baseball) world should be familiar with the St. Louis Cardinals and Houston Astros hacking incident. Former St. Louis Cardinals scouting director Chris Correa was recently sentenced to 46 months and ordered to pay restitution after pleading guilty to five counts of unauthorized access of a protected (Astros) computer, bringing an end to the federal criminal investigation. Recapping the hacking highlights, Correa accessed the Astros’ proprietary player information database, Ground Control. Ground Control contained the Astros’ “collective baseball knowledge” drawn from player statistics, impressions and opinions of the team’s scouts, coaches, statisticians and doctors, and other sources. Correa also accessed the e-mail accounts of several members of the Astros front office, including “Victim A” (likely former Cardinals executive and present Astros general manager Jeff Luhnow), “Victim B” (likely former Cardinals and present Astros sabermetrician Sig Mejdal), and at least one other person. According to the Astros, Correa accessed Ground Control at least 60 times on 35 different days over a 15-month period; one can only speculate as to the breadth and depth of Correa’s access to the Astros’ e-mail system. The intrusions initially appeared to have emanated from a device housed in a condominium in Jupiter, Florida (the Cardinals’ spring training home), but given the lengthy period of time, likely involved other devices in other locations. Correa gained access to the Astros’ systems by using Luhnow’s Cardinals passwords, which were “similar” to his Astros passwords. Correa both reviewed and downloaded Ground Control information.

What Brexit means for privacy and data protection

Now that the shock has worn off and our 401(k)s have (somewhat) stabilized, we can begin to assess the implications that the UK’s historic vote to leave the EU may have on global privacy and data protection rules. While much uncertainty exists, companies should not panic, as there will not be any immediate changes.

Recent changes to states’ data security laws

States are updating their data security statutes in response to the increasing number of data breaches that are exposing residents’ personal information to unauthorized users. Two states in particular – Illinois and Tennessee – recently made sweeping changes to their respective data security statutes in an attempt to make organizations more responsive in light of this growing data security concern.

The Precision Medicine Initiative: White House privacy and security guidelines released

Precision medicine is an innovative approach to medical treatment that takes into account individual differences in people’s genes, environments, and lifestyles. The promise of precision medicine is delivering the right treatments, at the right time, to the right person. It provides medical professionals the resources they need to target the specific treatments of the illnesses that patients may encounter. Although the term “precision medicine” is relatively new, the concept has been a part of healthcare for many years. For example, a person who needs a blood transfusion is not given blood from a randomly selected donor; instead, the donor’s blood type is matched to the recipient to reduce the risk of complications.

Marketing in the age of data security

Technology has changed the way businesses market themselves to consumers. Businesses now have the ability to identify shifting consumer preferences, launch highly targeted advertising campaigns, and communicate instantly with potential customers. One thing this new marketing has in common? Consumer data. As marketing technologies evolve, companies should be aware that the myriad data security regulations don’t just apply to how companies conduct their business, but to how they market it as well.

On My Terms: The key to designing an enforceable digital agreement

In the Information Age, an increasing amount of data is communicated, stored, and shared electronically, and legal agreements are no exception. Digital agreements are more convenient, environmentally friendly, and cheaper than their paper counterparts, making them the medium of choice for online businesses and Internet users alike. But, while fewer and fewer agreements are being printed, mailed, and physically signed, their ramifications are no less real. As with any other agreement, properly constructing the terms of a digital agreement is crucial if it is to serve its purpose as a legally enforceable contract. How then should we design our websites and agreements to leave them enforceable, but without destroying the ease of use that is their biggest advantage?

Even your momma needs to comply with PCI DSS

It seems that everyone accepts credit cards nowadays – including the farmer who sells produce at my local farmer’s market (which I appreciate because I never have cash)! Anyone who accepts credit cards or debit cards, even a sole proprietor who processes a small number of transactions, must be in compliance with the Payment Card Industry Data Security Standards (“PCI DSS”). Many small businesses may not have heard of the PCI DSS, or assume that the requirements do not apply to them or that compliance is too expensive. To the contrary, all merchants that accept credit cards must comply with the PCI DSS, and the costs of a breach generally outweigh the time and expense to set up a secure and compliant card payment system in the first place.

Haunted by the past

Antiquated privacy laws are haunting businesses that base their privacy policies on current statutory language. Most laws intended to protect individuals’ privacy rights were designed with decades-old technology in mind. While this problem has been gaining attention for its impact on individuals’ privacy rights, businesses have also felt the effect of archaic privacy laws. Due to the public’s overwhelmingly favorable views toward privacy rights, businesses are becoming increasingly vulnerable to distorted interpretations of outdated laws.

There’s a new privacy boss in town

For the first time in its enforcement history, the Consumer Financial Protection Bureau (“CFPB”) took action against a company for deceiving consumers about the company’s data security practices. The CFPB found that Dwolla, Inc. (“Dwolla”), an online payment system, made numerous false promises about the strength and extent of its data security practices. The CFPB’s action is also notable because the agency acted preemptively — Dwolla had never detected a data breach and no consumer data had been reported stolen.

The CFPB found that Dwolla claimed on its website and in direct communications with consumers that its data security practices “exceed” or “surpass” industry security standards; but, in reality, Dwolla failed to employ reasonable security measures to protect consumer data. In addition, Dwolla claimed that “all information is securely encrypted and stored” and that its mobile applications were safe and secure. However, the CFPB found that Dwolla did not encrypt certain sensitive consumer information and released applications to the public before testing that they were secure. The agency found several other examples of statements Dwolla made that could not be established as true.

FTC v. ASUS – In the Internet age, being a foreign-based company is no defense

Your business is an international company selling products to U.S. consumers. In the last few years, you may have heard a lot about high-profile information privacy and security cases brought by the U.S. government. Should you be concerned? Most definitely.

On Feb. 23, 2016, the FTC announced that Taiwan-based computer hardware maker ASUSTeK Computers, Inc. (“ASUS”) agreed to a 20-year consent order, resolving claims that it engaged in unfair and deceptive practices in connection with routers it sold to U.S. consumers. According to the FTC’s complaint, ASUS failed to take reasonable steps to secure the software for its routers, which it offered to consumers specifically for protecting their local networks and accessing their sensitive personal information. The FTC alleged that ASUS’s router firmware and admin console were susceptible to a number of “well-known and reasonably foreseeable vulnerabilities”; that its cloud applications included multiple vulnerabilities that would allow cyber attackers to gain easy, unauthorized access to consumers’ files and router login credentials; and that the application encouraged consumers to choose weak login credentials. By failing to take reasonable actions to remedy these issues, ASUS subjected its customers to a significant risk that their sensitive personal information and local networks would be subject to unauthorized access.
