With all due respect to noted astrophysicist Stephen Hawking, this blog post will attempt to explain the bank privacy universe in a tiny package. Many tend to think “bank privacy” began with the Gramm-Leach-Bliley Act (“GLB” and technically The Financial Services Modernization Act of 1999). But this perspective misstates the origin of bank privacy and understates its breadth and depth.

Rather bank privacy is genetically coded into the customer relationship and has been since the beginning. Perhaps “privacy” is even the wrong word as “confidential” seems more apt. Protecting bank customer confidences has long been recognized on both state and federal levels, at common law and in numerous statutes pre-dating GLB. For perspective, in 1995 I revised my bank’s deposit agreement and made extensive reference to customer confidentiality and the bank’s information sharing practices, embodying almost all the concepts later enshrined in GLB.
Continue Reading A Brief History of Bank Privacy

Posting a terms of use document on your website or mobile application defines the terms that govern your customers’ use of your website or mobile application and greatly reduces your exposure to liability when providing goods or services through a web-based application. A privacy policy describes to your consumers what information you collect, how you collect

Anytime we conduct a training, we can’t help but turn blue in the face repeating over and over again the importance of conducting an accurate and thorough risk analysis of electronic PHI (ePHI). In the event of a breach or an audit, one of the first items the Office of Civil Rights (OCR) will ask for is the risk analysis. The OCR has obviously lost its patience for entities that choose or fail to perform an adequate risk analysis. Earlier this month, Advocate Health Care Center (Advocate Health) agreed to pay a massive $5.55 million to settle multiple violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This settlement is the largest to-date against a single entity.
Continue Reading HIPAA punches a serious blow: Advocate Health enters into $5.5-million settlement for violations

Those in the privacy and data security (or baseball) world should be familiar with the St. Louis Cardinals and Houston Astros hacking incident. Former St. Louis Cardinals’ scouting director, Chris Correa, was recently sentenced to 46 months and ordered to pay restitution after pleading guilty to five counts of unauthorized access of a protected (Astros) computer, bringing an end to the federal criminal investigation. Recapping the hacking highlights, Correa accessed the Astros’ proprietary player information database, Ground Control. Ground Control contained the Astros’ “collective baseball knowledge” drawn from player statistics, impressions and opinions of the team’s scouts, coaches, statisticians and doctors, and other sources. Correa also accessed the email accounts of several members of the Astros front office including “Victim A” (likely former Cardinals executive and present Astros general manager Jeff Luhnow), “Victim B” (likely former Cardinals and present Astros sabermetrician Sig Mejdal), and at least one other person. According to the Astros, Correa accessed Ground Control at least 60 times on 35 different days over a 15-month period; one can only speculate as to breadth and depth of Correa’s access to the Astros’ email system. The intrusions initially appeared to have emanated from a device housed in a condominium in Jupiter, Florida (the Cardinals’ spring training home), but given the lengthy period of time, likely involved other devices in other locations. Correa gained access to the Astros’ systems by having Luhnow’s Cardinals’ passwords which were “similar” to his Astros’ passwords. Correa both reviewed and downloaded Ground Control information.
Continue Reading Houston (Astros), We Have a Problem

States are updating their data security statutes in response to the increasing number of data breaches that are exposing residents’ personal information to unauthorized users. Two states in particular – Illinois and Tennessee – recently made sweeping changes to their respective data security statutes in an attempt to make organizations more responsive in light of this growing data security concern.
Continue Reading Recent changes to states’ data security laws

Technology has changed the way businesses market themselves to consumers. Businesses now have the ability to identify shifting consumer preferences, launch highly targeted advertising campaigns, and communicate instantly with potential customers. One thing this new marketing has in common? Consumer data. As marketing technologies evolve, companies should be aware that the myriad of data security regulations don’t just apply to how companies conduct their business, but how they market it as well.
Continue Reading Marketing in the age of data security

It seems that everyone accepts credit cards nowadays – including the farmer who sells produce at my local farmer’s market (which I appreciate because I never have cash)! Anyone who accepts credit cards or debit cards, even a sole proprietor who processes a small number of transactions, must be in compliance with the Payment Card Industry Data Security Standards (“PCI DSS”). Many small businesses may not have heard of the PCI DSS or assume that the requirements do not apply to them or that compliance is too expensive. To the contrary, all merchants that accept credit cards must comply with the PCI DSS, and the costs of a breach generally outweigh the time and expense to set up a secure and compliant card payment system in the first place.
Continue Reading Even your momma needs to comply with PCI DSS

For the first time in its enforcement history, the Consumer Financial Protection Bureau (“CFPB”) took action against a company for deceiving consumers about the company’s data security practices. The CFPB found that Dwolla, Inc. (“Dwolla”), an online payment system, made numerous false promises about the strength and extent of its data security practices. The CFPB’s action is also notable because the agency acted preemptively — Dwolla had never detected a data breach and no consumer data had been reported stolen.

The CFPB found that Dwolla claimed on its website and in direct communications with consumers that its data security practices “exceed” or “surpass” industry security standards; but, in reality, Dwolla failed to employ reasonable security measures to protect consumer data. In addition, Dwolla claimed that “all information is securely encrypted and stored” and that its mobile applications were safe and secure. However, the CFPB found that Dwolla did not encrypt certain sensitive consumer information and released applications to the public before testing that they were secure. The agency found several other examples of statements Dwolla made that could not be established as true.
Continue Reading There’s a new privacy boss in town

2015 was quite a year for Information Governance, and it’s now time for a year-end post.  I’ve neither the prescience nor patience for making predictions, and after briefly flirting with a Star Wars/Holiday mash-up, I remembered that’s been done before, with tragic results. So, all that’s left is a single question, which may be the only question that matters  – over a tumultuous year for privacy, data security, information management, and e-discovery, what did we learn about governing information?
Continue Reading Information Governance in 2015 – did we learn anything?

Husch Blackwell along with CBIZ and UMB co-sponsored Security, Data Breach & The Bottom Line: A Forecast For Manufacturers on Oct. 29 at Boulevard Brewery in Kansas City. Seventy people attended the manufacturing-focused seminar, which covered various areas of vulnerability specific to manufacturers and included a special keynote by AUSA, John Cowles and FBI Agent