Data Security

For those who observe it, the Christmas season (secular version 2.0) is definitely here. As a child, I cherished the thought of a man with a red suit accessing our house through the chimney. For those of us concerned about computer system security, we worry about a person with a black hat accessing our data through phishing, hacking, and malware. I hate to mention, well, you know who, but someone out there loves the thought of taking your Whoville roast beast.

Enjoy the next few days with your family and friends, but remember, it’s also time to consider your data security for 2016. Knowing you, once you’ve opened all the presents, eaten dinner, and just settled down for a moment of quiet sanity, your thoughts will inevitably turn to the new year. So, here are six holiday-themed recommendations for your consideration. If you don’t recognize the quotes below, that means you didn’t spend your childhood binge-watching classic holiday programs. Not a worry – simply unwrap the answer key at the bottom.

Today the FTC announced a $100-million settlement of its most recent data security lawsuit against LifeLock, the ubiquitous B2C provider of credit monitoring and identity theft protection to consumers.  Despite years of litigation with the FTC and 35 states’ attorneys general, LifeLock has continued with a business model that taps into consumers’ visceral fear of identity theft, and also consumers’ persistent belief that such exposure can magically disappear… all for “less than $10/ month.” But while “Nobody can conceive or imagine all the wonders there are unseen and unseeable in the world,” LifeLock’s settlement with the FTC is a reminder that there is no perfect protection against identity theft.

Yesterday the FTC announced it has settled its claims against Wyndham for inadequate data security, with Wyndham signing on to essentially the same consent order used by the FTC in most of its more than 50 concluded data security enforcement matters. The settlement marks the end of a three-year legal battle in which Wyndham attempted, unsuccessfully, to restrict the FTC’s authority to pursue companies for inadequate data security as an ”unfair” business practice under Section 5 of the FTC Act.

The FTC has pursued enforcement actions against more than 50 companies for inadequate data security, and to date only two, Wyndham Hotels and LabMD, have pushed back. On the heels of a Third Circuit victory in its Wyndham litigation, the FTC recently suffered a blow when its administrative complaint against LabMD was dismissed – by an FTC administrative judge, no less.

As the FTC pursues an appeal to its commissioners, are there lessons to be learned? First, reports of the death of the FTC’s Section 5 data security enforcement authority have, once again, been greatly exaggerated – the FTC will remain in the data security enforcer role post-LabMD, as strong as ever. And second, the real lesson of LabMD is what it teaches us about grey hat security firm tactics, and how businesses need to trust their gut and do their homework.

Talk about a “bank holiday” – under a settlement deal filed in court yesterday, Target will pay $39.4 million  to a litigation class of banks and credit unions to settle financial institution claims related to the retailers’ massive 2013 data breach, which compromised at least 40 million credit cards. The preliminary settlement is the first time a retailer has agreed to directly absorb financial institutions’ costs from a data breach, such as fraud losses and the expense of issuing new debit and credit cards.

Under the terms of this settlement, Target will pay up to $20.25 million directly to the settlement class and $19.1 million to fund MasterCard’s Account Data Compromise Program relating to the breach. The settlement will apply to all U.S. financial institutions that issued payment cards identified as having been at risk from the breach and that did not previously release their claims against Target by signing on to separate deals. A final approval hearing on the settlement is set for next year.

Only minutes passed between first learning of the Paris attacks and confirming that our son, studying abroad in France, was safe. But it seemed to last a lifetime. My wife and I were with him in Paris just two weeks earlier, strolling happily a few blocks from where slaughter would soon visit the Bataclan Concert Hall and La Belle Equipe. Then, like a sick, twisted Groundhog Day, it felt like 9/11 all over again.

The Paris terrorism has rekindled an ongoing debate over government surveillance power, personal privacy, and cybersecurity. In this crucial, consequential debate, it behooves us to remember that terrorism’s goal is to trigger emotional, extreme reaction, and that perspective and balance are the antitheses of violent radicalism.

There are at least 1,040 reasons to love Florida. Who isn’t drawn to the sunshine, the pristine beaches, the food… and the tax fraud racket? For decades, South Florida has been the Silicon Valley for scam artists, drawn by the weather and the opportunity to make lots of money without actually doing much work. According to the Federal Trade Commission, Florida holds the highest per capita rate of identity theft complaints, followed by Georgia and California. While Medicare fraud, mortgage fraud, and securities fraud have traditionally been the bread and butter of South Florida scam artists, tax refund scams are definitely the new darling. But as the IRS recently announced, it’s the dawn of a new day for tax fraud prevention.

While data breaches have become a common occurrence, the epic breach of the Office of Personal Management (“OPM”) records stands out for many reasons. The hackers obtained PII on at least 21.5 million people and accessed highly confidential background check and security clearance information, including personal details such as fingerprint data and financial history. But what is most shocking is that the federal government was aware of security flaws within OPM’s computer system for years before the breach, yet never addressed those vulnerabilities.

Husch Blackwell along with CBIZ and UMB co-sponsored Security, Data Breach & The Bottom Line: A Forecast For Manufacturers on Oct. 29 at Boulevard Brewery in Kansas City. Seventy people attended the manufacturing-focused seminar, which covered various areas of vulnerability specific to manufacturers and included a special keynote by AUSA, John Cowles and FBI Agent

While advising the board of directors of a company to pay close attention to data security issues is akin to your dentist telling you to floss, the stakes are too high for a board to ignore. The board of any company must constantly monitor and assess its company’s data security procedures and potential risks. Although there is no strategy to prevent a security breach, each member of a board must exercise its fiduciary duty to consider the risks to a company. To the credit of many companies in the last several years, the assessment of data security risks has achieved a more pronounced position.