On February 27, 2018, the Supreme Court heard arguments in United States v. Microsoft Corp., a case that will decide whether a digital communications provider has to comply with a U.S. search warrant for user data that is stored outside of the U.S. U.S. v. Microsoft could have major consequences for digital privacy and international data sharing, especially for the cloud-computing industry.

Continue Reading <I>U.S. v. Microsoft</I>: Is Your Data and Privacy at Risk?

In 2016, the U.S. Supreme Court in Spokeo, Inc. v. Robins, provided a potentially powerful Article III standing defense under F.R.Civ.P. 12(b)(1) seemingly applicable to a variety of privacy claims, including FCRA, FACTA, TCPA, and FDCPA statutory damage claims. The Court noted for a plaintiff to establish standing to sue in federal court, she must establish an “injury in fact” consisting of an invasion of a legally protected interest, which is both particularized and concrete.

Spokeo dealt with the “concrete” portion. To be concrete, an injury must be real but may also be intangible. Congress’ intent in creating a right is instructive, but not sufficient. Allegations of a bare procedural violation likely would not suffice to maintain standing. Some injuries create harm, others do not. Thanks for that.

Continue Reading More or Less Than the Plaintiff Bargained For: Two Recent Appellate Courts Thwart Privacy Claims Based On The Contract

There was a recent headline-making story involving a Wisconsin employer that announced it was offering its employees the option to be microchipped to replace security badges they use regularly at work. Of the 85 employees, 41 decided to have the small chip implanted in their hand. Husch Blackwell attorneys Laura Ferrari and Erik Eisenmann break-down the seemingly futuristic concept of “chipped” employees and the privacy concerns it brings in a post that originated on Husch Blackwell’s Technology, Manufacturing and Transportation Industry Insider blog.

The advice we always give to clients regarding privacy policies is: “say what you do and do what you say.” It seems simple, but simplicity can be deceiving. Companies want to reassure consumers that their personal data is safe and secure; however, in today’s world, no one can make fail-safe representations of security. Uber’s recent settlement with the FTC illustrates this problem.

Continue Reading Don’t Make “Uber” Promises You Can’t Keep

With the rise of innovations like cloud technology and software-as-a-service, clients are increasingly finding that it makes business sense to outsource computerized services, from payroll processing to the storage of electronic medical records. While doing so often cuts costs, routing (frequently confidential) data through third-party service providers also implicates serious cybersecurity concerns and, in some cases, may increase potential liability. Further, one of the pillars of a commercially reasonable information security program is selecting and retaining service providers capable of maintaining appropriate safeguards. To address these concerns, and to keep data safe, clients should require service providers to furnish them with Service Organization Control (“SOC”) Reports, particularly SOC 2 Reports.

SOC Reports were developed by the American Institute of CPAs (AICPA) to provide information about the robustness and quality of a service provider’s internal controls over certain types of data. There are three types of SOC Reports, each serving separate functions.

Continue Reading SOC It To ‘Em: Securing Your Outsourced Data with SOC 2 Reports

On April 24, 2017, the Office of Civil Rights (“OCR”) announced the first HIPAA settlement based on the impermissible disclosure of unsecured electronic protected health information by a wireless service provider. CardioNet, an ambulatory cardiac monitoring service, provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias, agreed to pay $2.5 million, and to implement a corrective action plan.

As reported by the OCR, in 2012 CardioNet reported to the OCR the theft of a workforce member’s unencrypted laptop containing electronic PHI (“ePHI”) of 1,391 individuals. OCR’s investigation revealed that CardioNet had an insufficient risk analysis and risk management processes in place at the time of the theft.   Additionally, CardioNet’s provided the OCR draft policies and procedures implementing the HIPAA Security standards, and was unable to produce final policies or procedures implementing the security safeguards for ePHI, including mobile devices. Continue Reading Mighty Fine – The High Cost ($2.5 Million) for Unsecured ePHI

I recently decided to reread Dante’s The Inferno. One would not expect guidance on IoT privacy and data security (IotPDS) from a 700 year old text, but The Inferno, particularly Canto III, provides significant direction on consumer IoTPDS issues.  So,

“Abandon All Hope, You Who Enter Here.”

Continue Reading Dante on IoT Security

Ransomware. It is the word every corporate board and IT team fears. Ransomware is a type of malicious software that can quickly shut down an entire network of computers and compromise an enormous amount of critical data. Often, when a ransomware attack occurs, all connected systems are locked down and a message appears on the victim’s screen stating that the victim’s system has been encrypted and that the victim’s data has been compromised. The attacker threatens to publish or delete the stolen data and systems unless the victim pays a ransom, which is typically demanded in the Bitcoin currency.

On May 12, 2017, the now-infamous WannaCry ransomware attack caught worldwide headlines when attackers compromised over 230,000 computers in over 150 countries by exploiting a vulnerability in certain versions of the Microsoft Windows operating system software. Many experts in the cybersecurity industry predict that 2017 will be the year of ransomware.

Unfortunately, most companies are unaware of how to respond to or prevent ransomware and other cyberattacks. This post provides simple, yet key steps that should be taken to prepare for and minimize the risk of a business-disrupting cyber attack:

  1. Invest in cybersecurity. There is no “silver bullet” program that will prevent a cyberattack or ensure the complete security of your system.  However, there are many industry-tested and trusted programs and services available to protect your systems. Research the right security programs for your business and invest wisely. Also, understand that the cyberattack landscape is ever-evolving. Remain current with emerging threats. Cybersecurity is a process, not a single product or program.
  2. Update software regularly. WannaCry exploited a vulnerability in Microsoft Windows software. By installing readily available security patches, companies could have protected themselves from the attack. However, many companies had not installed the updates and patches and found themselves to be the unfortunate victims of theft and extortion. Update or remove outdated software.
  3. Create off-network, secure backups of data and programs regularly. When a ransomware attack occurs, one of the first and most pressing orders of business will be to restore the system and data without having to pay the attacker. This is possible only if you have secure and up-to-date backups readily available. Generally speaking, these backups must be separate from the compromised network or they too will be inaccessible.
  4. Conduct periodic system audits. Even if you have the best security software available, vulnerabilities arise and hackers seek to capitalize upon them.  Invest in IT audits to identify system weaknesses and address them quickly. Conduct penetration testing and track outside attempts to attack your systems.
  5. Address cybersecurity risks in all vendor, software and service-provider contracts. Most companies have a number of different software providers, service providers and other vendors who have access to their IT systems. Yet, they often overlook cybersecurity issues in their contracts. It is critical to ensure your vendors also have industry standard security protocols in place to protect you. You can also include a variety of contractual provisions to ensure you are protected and your own risk is minimized in the event of an attack.
  6. Assemble a response team and plan. Have an experienced legal and forensic team lined up before you need them. When a ransomware attack occurs, you’ll need an internal C-suite team, as well as experienced cybersecurity attorneys and an IT forensic team who can assist you. Ideally, these professionals will have relationships with law enforcement and other professionals who you may need to call upon.
  7. Know what a Bitcoin is and how to obtain them. Do you know how to get 300 Bitcoin if needed?
  8. Create a public relations response plan. You will need to tailor it to your circumstances, but ransomware attacks happen quickly and can rapidly become public. Be ready to respond quickly and appropriately.
  9. Educate your employees. Cyberattacks are often caused by human error.  Educate your employees to help minimize the risk of an attack. Your employees are often your first line of defense and can spot malicious emails and suspicious activity.
  10. Obtain cyberliability insurance. Cyberliability insurance can’t prevent a malicious attack, but it can offset some of the enormous expense that can come with an attack.

Generally, one hears the term “big data” and, in the next breath, about the host of privacy issues implicated by that big data. Indeed, a quick google search confirms that in many of the top links appearing in a google search of “big data” include the word “privacy.”

There is a reason for this, of course: big data often contains a lot of information aggregated from different sources about individuals. Many times, consumer do not know in the first place that different pieces of information about them have been collected (or, if they know it has been collected, they do not know the information has been retained); they do not know that such information has been aggregated; and they do not know the aggregated information has been (and is being) further disseminated. Single pieces of information on their own pose a privacy risk. The aggregation of the information, which is then disseminated, poses a greater and different privacy risk.
Continue Reading Alternate (Data) Universe