Precision medicine is an innovative approach to medical treatment that takes into account individual differences in people’s genes, environments, and lifestyles. The promise of precision medicine is delivering the right treatments, at the right time, to the right person. It provides medical professionals the resources they need to target the specific treatments of the illnesses that patients may encounter. Although the term “precision medicine” is relatively new, the concept has been a part of healthcare for many years. For example, a person who needs a blood transfusion is not given blood from a randomly selected donor; instead, the donor’s blood type is matched to the recipient to reduce the risk of complications.

Technology has changed the way businesses market themselves to consumers. Businesses now have the ability to identify shifting consumer preferences, launch highly targeted advertising campaigns, and communicate instantly with potential customers. One thing this new marketing has in common? Consumer data. As marketing technologies evolve, companies should be aware that the myriad of data security regulations don’t just apply to how companies conduct their business, but how they market it as well.

In the Information Age, an increasing amount of data is communicated, stored, and shared electronically, and legal agreements are no exception. Digital agreements are more convenient, environmentally friendly, and are cheaper than their paper counterparts, making them the medium of choice for online businesses and Internet users alike. But, while fewer and fewer agreements are being printed, mailed, and physically signed, their ramifications are no less real. As with any other agreement, properly constructing the terms of a digital agreement is crucial if it is to serve its purpose as a legally-enforceable contract. How then should we design our websites and agreements to leave them enforceable, but without destroying the ease of use that is their biggest advantage?

It seems that everyone accepts credit cards nowadays – including the farmer who sells produce at my local farmer’s market (which I appreciate because I never have cash)! Anyone who accepts credit cards or debit cards, even a sole proprietor who processes a small number of transactions, must be in compliance with the Payment Card Industry Data Security Standards (“PCI DSS”). Many small businesses may not have heard of the PCI DSS or assume that the requirements do not apply to them or that compliance is too expensive. To the contrary, all merchants that accept credit cards must comply with the PCI DSS, and the costs of a breach generally outweigh the time and expense to set up a secure and compliant card payment system in the first place.

Antiquated privacy laws are haunting businesses that base their privacy policies on current statutory language. Most laws intended to protect individuals’ privacy rights were designed with decades-old technology in mind. While this problem has been gaining attention for its impact on individuals’ privacy rights, businesses have also felt the effect of archaic privacy laws. Due to the public’s overwhelmingly favorable views toward privacy rights, businesses are becoming increasingly vulnerable to distorted interpretations of outdated laws.

For the first time in its enforcement history, the Consumer Financial Protection Bureau (“CFPB”) took action against a company for deceiving consumers about the company’s data security practices. The CFPB found that Dwolla, Inc. (“Dwolla”), an online payment system, made numerous false promises about the strength and extent of its data security practices. The CFPB’s action is also notable because the agency acted preemptively — Dwolla had never detected a data breach and no consumer data had been reported stolen.

The CFPB found that Dwolla claimed on its website and in direct communications with consumers that its data security practices “exceed” or “surpass” industry security standards; but, in reality, Dwolla failed to employ reasonable security measures to protect consumer data. In addition, Dwolla claimed that “all information is securely encrypted and stored” and that its mobile applications were safe and secure. However, the CFPB found that Dwolla did not encrypt certain sensitive consumer information and released applications to the public before testing that they were secure. The agency found several other examples of statements Dwolla made that could not be established as true.

Your business is an international company selling products to U.S. consumers. In the last few years, you may have heard a lot about high-profile information privacy and security cases brought by the U.S. government. Should you be concerned? Most definitely.

On Feb. 23, 2016, the FTC announced that Taiwan-based computer hardware maker ASUSTeK Computers, Inc. (“ASUS”) agreed to a 20-year consent order, resolving claims that it engaged in unfair and deceptive practices in connection with routers it sold to U.S. consumers. According to the FTC’s complaint, ASUS failed to take reasonable steps to secure the software for its routers, which it offered to consumers specifically for protecting their local networks and accessing their sensitive personal information. The FTC alleged that ASUS’s router firmware and admin console were susceptible to a number of “well-known and reasonably foreseeable vulnerabilities”; that its cloud applications included multiple vulnerabilities that would allow cyber attackers to gain easy, unauthorized access to consumers’ files and router login credentials; and that the application encouraged consumers to choose weak login credentials. By failing to take reasonable actions to remedy these issues, ASUS subjected its customers to a significant risk that their sensitive personal information and local networks would be subject to unauthorized access.

You may have a top-notch security incident response plan and a crack team for data breach response…but have you checked to be sure that your company’s HR policies are on the same team with you? Personnel Management is one of the most important—yet often overlooked—of the 10 activity channels for effective data breach response. In the crunch of handling an actual data security incident, your company’s HR policies will either pave or block the road to a nimble, successful response.

Of course, various policies are important for prevention of data security breaches, including policies for such matters as authorized computer systems, e-communications, and Internet use; authorized data and system access; strong passwords; use of encryption and encryption keys; mobile device safeguards; precluding or limiting storage of company data on home or other personal devices; and the like. But other policy provisions are essential for effective security breach response:

In this series on defining your company’s information security classifications, we’ve already looked at Protected Information under state PII breach notification statutes, and PHI under HIPAA. What’s next? Customer information that must be safeguarded under the Gramm-Leach-Bliley Act (GLBA), a concern for any “financial institution” under GLBA.

GLBA begins with an elegant, concise statement of congressional policy: “each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.” Sounds straightforward, doesn’t it? Things get complicated, though, for three reasons: (1) the broad scope of what constitutes a “financial institution” subject to GLBA; (2) the byzantine structure of regulators authorized under GLBA to issue rules and security standards and to enforce them; and (3) the amorphous definition of nonpublic customer information.

The Cybersecurity Act of 2015, signed into law on Dec. 18, has four titles that address longstanding concerns about cybersecurity in the United States, such as cybersecurity workforce shortages, infrastructure security, and gaps in business knowledge related to cybersecurity. This post distills the risks and highlights the benefits for private entities that may seek to take advantage of Title I of the Cybersecurity Act of 2015 – the Cybersecurity Information Sharing Act of 2015 (“CISA”).

It’s been clear for many years that greater information-sharing between companies and with the government would help fight cyber threats. The barriers to such sharing have been (1) liability exposure for companies that collect and share such information, which can include personally identifiable information, and (2) institutional and educational impediments to analyzing and sharing information effectively.

CISA is designed to remove both of these information-sharing barriers. First, CISA provides immunity to companies that share “cyber threat indicators and defensive measures” with the federal government in a CISA-authorized manner. Second, CISA authorizes, for a “cybersecurity purpose,” both use and sharing of defensive measures and monitoring of information systems. CISA also mandates that federal agencies establish privacy protections for shared information and publish procedures and guidelines to help companies identify and share cyber threat information. Notably, companies are not required to share information in order to receive information on “threat indicators and defensive measures,” nor are entities required to act upon information received – but this won’t shield companies from ordinary ‘failure to act’ negligence claims.