Once again, we realize that we have little control over how information we share on social media is ultimately used. The recent revelation that a data analytic firm retained by Trump’s presidential campaign used the Facebook data of more than 50 million people to target them with political ads is both shocking and unsurprising at

Europe’s data protection rules will undergo their biggest change in two decades when the new General Data Protection Regulation (“GDPR”) goes into effect on May 25, 2018. The GDPR replaces the current Data Protection Directive and imposes uniform data security requirements on all EU members. While the GDPR is “an evolution, not a revolution” for data protection, there are several significant changes for which companies should be prepared.
Continue Reading Ready or Not, It’s Coming: Preparing for the GDPR

The advice we always give to clients regarding privacy policies is: “say what you do and do what you say.” It seems simple, but simplicity can be deceiving. Companies want to reassure consumers that their personal data is safe and secure; however, in today’s world, no one can make fail-safe representations of security. Uber’s recent settlement with the FTC illustrates this problem.
Continue Reading Don’t Make “Uber” Promises You Can’t Keep

Internet search giant Yahoo!Inc. (“Yahoo”) revealed last year that it was the victim of two massive data breaches back in 2013 and 2014 that potentially affected more than 1.5 billion users. Investigations into the incidents continue to reveal potentially damning information regarding what the company knew and when, how the company responded to the breaches, and the status of Yahoo’s information security at the time of the breaches. The details that have emerged paint the picture of a company that failed to adhere to basic data security requirements. Unfortunately, the technology company will likely become a case-study in what happens when an organization fails to follow security best practices.
Continue Reading Yahoo Data Breaches: A Lesson in What Not to Do

Image copyright Catherine Lane 2015The beginning of a new year offers the perfect opportunity for companies to review their privacy and data security practices and make any needed adjustments. Since it is a matter of “when,” not “if,” your company will be the target of a data breach, your organization should proactively ensure that you are prepared for the inevitable. We suggest all companies resolve to do the following in 2017 to set themselves on the right course for the year:
Continue Reading New Year’s ‘resolutions’ for privacy and data security

White House, U.S._166211048As the shock of Trump’s surprise election win gives way to processing the consequences of a Trump presidency, one issue that has not gotten as much attention is privacy and data security.

Trump did not say much on this topic on the campaign trail and his “vision” for cybersecurity on his campaign website is relatively thin. But we can glean some information from his public comments. As always with Trump, unpredictability is his trademark, so it is anyone’s guess whether his actions going forward will be consistent with his past statements.
Continue Reading What a Trump presidency may mean for privacy and data security

risksigniStock_000016809464_LargeNew York proposed first-of-its-kind cybersecurity regulations on Sept. 13, 2016. The proposed rules would apply only to banks, insurers, and other financial services companies regulated by the New York Department of Financial Services (“DFS”). However, the sweeping nature of the regulations and New York’s role as a banking center are likely to make the rules a model for other states.
Continue Reading New York proposes first cybersecurity rules

London_80706089Now that the shock has worn off and our 401(k)s have (somewhat) stabilized, we can begin to assess the implications that the UK’s historic vote to leave the EU may have on global privacy and data protection rules. While much uncertainty exists, companies should not panic as there will not be any immediate changes.
Continue Reading What Brexit means for privacy and data protection

army-sargentHiResIt seems that everyone accepts credit cards nowadays – including the farmer who sells produce at my local farmer’s market (which I appreciate because I never have cash)! Anyone who accepts credit cards or debit cards, even a sole proprietor who processes a small number of transactions, must be in compliance with the Payment Card Industry Data Security Standards (“PCI DSS”). Many small businesses may not have heard of the PCI DSS or assume that the requirements do not apply to them or that compliance is too expensive. To the contrary, all merchants that accept credit cards must comply with the PCI DSS, and the costs of a breach generally outweigh the time and expense to set up a secure and compliant card payment system in the first place.
Continue Reading Even your momma needs to comply with PCI DSS

sherrifiStock_000005376033_LargeFor the first time in its enforcement history, the Consumer Financial Protection Bureau (“CFPB”) took action against a company for deceiving consumers about the company’s data security practices. The CFPB found that Dwolla, Inc. (“Dwolla”), an online payment system, made numerous false promises about the strength and extent of its data security practices. The CFPB’s action is also notable because the agency acted preemptively — Dwolla had never detected a data breach and no consumer data had been reported stolen.

The CFPB found that Dwolla claimed on its website and in direct communications with consumers that its data security practices “exceed” or “surpass” industry security standards; but, in reality, Dwolla failed to employ reasonable security measures to protect consumer data. In addition, Dwolla claimed that “all information is securely encrypted and stored” and that its mobile applications were safe and secure. However, the CFPB found that Dwolla did not encrypt certain sensitive consumer information and released applications to the public before testing that they were secure. The agency found several other examples of statements Dwolla made that could not be established as true.
Continue Reading There’s a new privacy boss in town