data privacy[Update:  After publication of the below post, AB 1035 was amended to remove the below-referenced language. The fact that the California legislature considered defining what constitutes “reasonable security procedures and practices” for purposes of the CCPA’s private right of action but, at least as of now, did not proceed with such legislation leaves businesses subject

It should come as no surprise that educational institutions are among the top targets for hackers and purveyors of personally identifiable information. In 2017, only the financial and healthcare sectors had more data breaches. Yet despite the looming menace of increased cyber-attacks, federal regulation of student data remains woefully inadequate. The Family Educational Rights & Privacy Act (“FERPA”) was enacted back in 1974, when the Internet was still a gleam in ARPANET’s eye and Jeff Bezos was only ten years old, and it has not been amended since 2001. It certainly protects (or tries to protect) student data from unwarranted disclosure or use, but it and the regulations that implement it do not meaningfully protect student data from theft or destruction. More importantly, FERPA fails to address, except in a few narrow situations, what kinds of obligations third-party contractors have vis-à-vis the student data that they collect and use. However, because FERPA has no preemption provisions, its mandates are a floor, not a ceiling; this means that states can step in and enact more stringent rules and regulations.

Continue Reading

Over the past five to ten years, the advancement of technology has produced a flurry of corporate cyber-attacks. Data breaches make the news virtually every day.

Too often, however, companies seek compensation for their data breach losses by making claims on commercial general liability (CGL) or property policies – policies that simply were not written

Blockchain technology is seeing increasingly wide use internationally, but security issues are becoming a major problem.

Blockchain is a public electronic ledger that can be openly shared among users and that creates an unchangeable record of their transactions. Each transaction, or “block”, is time-stamped and linked to the previous one. Each block is then linked to a specific participant. Blockchain can only be updated by consensus between users in the system, and when new data is entered, it can never be erased, edited, adjusted, or changed.


Continue Reading

For over twenty years, my father was a wholesale seafood supplier. One day over dinner (probably lobster, because that’s just how we rolled), my father tells us that he has hired an off-duty US Department of Agriculture inspector to inspect the fish that his company will be sending out to its grocery store clients. When I asked him if this was a legal requirement, he said it was not (the Department of Health and Human Services, via the FDA, apparently regulates fish, not the USDA). When I then asked him why he was doing it, he said, “If you were in the grocery store and you saw one piece of fish labelled ‘USDA Government Inspected’ and one piece of fish without that label, which one would you buy?” An informal “seal” program had been born!

Continue Reading

On March 17, the New York Times covered a new item on the growing list of high-profile data breaches with its article detailing how a British political consulting firm, Cambridge Analytica, obtained personal information from millions of Facebook users by way of a low-profile researcher. The revelation sent shock waves through the online community, and the public outcry was swift and resounding. As more details emerge, Facebook and Cambridge Analytica will continue to face political and legal repercussions from all angles—with one possible legal instrument being the Computer Fraud and Abuse Act (CFAA).

Continue Reading

Semper Fidelis is the U.S. Marines’ motto – “always faithful.” Perhaps an ironic twist of phrase in the context of its recent and preventable data breach. Let’s recap. The Marine Forces Reserve recently announced that personal information of over 21,000 Marines, sailors, and civilians were “compromised.” The PI included social security numbers, bank account and routing numbers, card information, name, address and other contact information. In other words, PI which is a treasure trove for identity thieves. Some of the PI may have been redacted in part. How did this breach occur? The culprit was an e-mail incorrectly sent with an unencrypted attachment. The email was sent out by the Defense Travel System which manages travel itineraries and expense reimbursement. Obviously sensitive location information is also in play. Probably not a big thing for a travelling salesperson, but highly problematic for defense sector travel.

Continue Reading