FTC: the Data Security Protector Failed.

  • July 22, 2015

LifeLock, the company advertising its ability to protect your financial data, violated its 2010 $12 million settlement with 35 state attorneys general, according to the FTC.

“LifeLock vigorously opposed the FTC’s allegations.” The case is heading to the courts.

The Hill   Forbes (Lifelock value tumbles)

Financial Institutions Hacked by Americans.

  • July 22, 2015

A JPMorgan hack led to the arrest of 4 in Florida. Federal officials are linking the data hack and stock manipulation.

The financial data breach had previously been thought to be the work of Russian gangs.

The Hill  Bloomberg

Retail Data Breach Lawsuit Feeds Shareholder Inquiry into Corporate Records

  • July 16, 2015

Home Depot shareholders are taking action against Home Depot. They have filed suit to request corporate documents, potentially for the purpose of investigating wrongdoing by corporate officers or directors.

Above The Law

Data Breaches Fuel Cyber Security Start Ups

  • July 16, 2015

“In the 2015 first half, venture firms invested $1.2 billion in cybersecurity startups, according to researcher CB Insights.”

Data breaches are taking this nerdy issue, cyber and data security, and turning it into big business, well funded, with a lot of government regulation, oversight, and contracting opportunities.

Wall Street Journal

Representation Opportunity: Insurance in Data Breaches

  • July 16, 2015

For the first time ever, Zurich Surety registers as a lobbyist in Canada amid interest in data security legislation.

Folks, data security insurance is a business that is growing exponentially. The well read will remember that just last week, Information Intelligence brought you news of the first lawsuit concerning insurance coverage in a data breach. 

Rapidly growing industry. Not Yet in Texas. Hello opportunities. 

Canadian Underwriter

Federal Data Breach Sparks Call for Trade Sanctions

  • July 16, 2015

This week, Rep. Mo Brooks (R-Ala.) introduced the “Protect US Act,” which would:

  • Give the president and Congress the power to add foreign powers accused of harboring or conducting hacking to a “State Sponsors of Cyberattacks” list.
  • Grant the president the power to impose a wide range of trade sanctions on those countries.

China/Chinese hackers were allegedly behind the massive federal government data breach.

The Hill

Data Security and Electric Grids

  • July 16, 2015

Sen. Debbie Stabenow (D-Mich.) and Sen. Martin Heinrich (D-N.M.) say the Energy and Water Development funding bill shortchanges the electric grid, leaving it without the funding needed to protect it properly from a cyber attack.

They call for funding the following data security protections:

  • A “virtual forensics platform,” intended to detect malicious actors sitting on the network
  • Replacing the $11M removed from Cybersecurity for Energy Delivery Systems

The Hill

Trend: States Strengthening Health Data Privacy

  • July 9, 2015

Connecticut and Oregon both strengthened laws protecting health care data this year. Specifically, the states strengthened protections of personally identifiable information (“PII”).

  • Connecticut did this:
    • Effective October 1, 2015, S.B. 941:
      • Requires notice of a breach of personal information within 90 days of discovery.
      • If a breach involves Social Security numbers, the business must offer a year of complimentary identity theft prevention and mitigation services, and the notifications must include information on signing up for these services, as well as information on placing a credit freeze.
      • Health insurance companies must implement, maintain, and update annually a “comprehensive information security program” to protect personal information (including protected health information, government-issued ID numbers, biometric data, and financial information).
  • Oregon did this:
    • Senate Bill 601 (SB 601) is effective January 1, 2016, and will:
      • Expand the definition of “personal information” triggering a required notification to include:
        • 1) biometrics;
        • 2) a health insurance policy number or subscriber identification number in combination with any other unique identifier that a health insurer uses to identify the individual; or
        • 3) any information about a consumer’s medical history or mental or physical condition or about a health care professional’s medical diagnosis or treatment of the individual.
      • Require that the Attorney General be notified of breaches of personal information involving 250 or more residents of the state; the Attorney General may bring Deceptive Trade Practices Act violations.
      • Alter the threshold for notification to an “unlikely to suffer harm” standard in place of the previous standard of “no reasonable likelihood of harm,” and require that this determination be made in writing by the affected entity and maintained for at least five years.

The Beat @ CooleyHealth

Secure Data by Collecting More Data. Credit Card Companies Look to Biometrics.

  • July 8, 2015

In an effort to protect data, large financial entities, like credit card companies, are looking to facial recognition software to further protect their and your financial data.

Storing biometric information alongside financial information at one company seems like that company is putting up a neon sign that reads, “Hacker Dreams Come True Here.”

Coin Telegraph: Future of Money

47 Attorneys General Oppose National Data Breach Laws. Support States’ Rights.

  • July 8, 2015

47 Attorneys General signed a letter supporting state authority over data breach enforcement and strongly opposing any attempts at federal preemption.

Attorney General Paxton is notably absent from the list. The signatories from Arkansas, Connecticut, Illinois, Indiana, Maryland, Massachusetts and Nebraska were joined by the following states and territories, according to the news release: Alabama, Alaska, Arizona, California, Delaware, District of Columbia, Florida, Georgia, Hawaii, Idaho, Iowa, Kansas, Kentucky, Louisiana, Maine, Michigan, Minnesota, Mississippi, Missouri, Montana, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Northern Mariana Islands, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Vermont, Virginia, Washington, and West Virginia.

Las Cruces Sun-News   Montana Department of Justice

Data Breach at the Zoo

  • July 8, 2015

A company that controls concession stands at 9 zoos across the country announced a data breach just in time for summer tourism. 

Washington Times

Legal Trend: Stand-Alone Cybersecurity Insurance Coverage Denied for Breach Claim. First Legal Case on the Issue.

  • July 8, 2015

Say you’re a health care provider. You buy a data breach insurance policy to cover any potential hacks or breaches. You think you’re doing the right thing to protect your business.

Then, your data gets hacked. You file a claim with your insurance company. You’re denied. You go to court.

The insurance company says the health care provider failed to provide the required minimum security standards.

It’s a case of first impression. It will make history and shape legislation far and wide, as the claims arise under both state law and federal law (HIPAA).

Crowell Moring Data Law

More Data Centers in Texas. More Data Security.

  • July 7, 2015

Ft. Worth is home to a new $500 million Facebook data center, powered by renewable energy.

The facility broke ground this week and will be up and running by 2016 with 40 full time employees.

TechCrunch   Governor Abbott

No Child Left Un-Mined; 79% of Parents Concerned.

  • July 2, 2015

Learning Curve conducted a poll about technology in education, and student data is in its scope:

  • 71% believe technology has improved their child’s education
  • 79% are concerned about the privacy and security of their child’s data
  • 75% are worried about advertiser access to that data

First Look | The Intercept

National Association of Professional (Insurance) Agents Ramps Up Data Breach Insurance

  • July 2, 2015

NAPA has new data breach compliance and certification. Data breaches are big business, people.  

Data breaches and protecting against data breaches generate:

  • Big legislative pushes
  • New regulations
  • Procurement Opportunities (hello, $21M emergency contract that the federal data breach sparked)

Data breaches impact:

  • bankers, credit unions, financial institutions
  • retailers
  • corporations
  • new lawsuit filings
  • health data
  • student data
  • +more

NAPA

All Data Breaches Lead to Court. 4 Lessons to Learn for Legislation & Corporate Governance.

  • July 2, 2015

Federal employees this week filed suit over the June 4th federal data breach. The breach is said to be the largest in government history, and allegedly the result of Chinese hackers seeking super secret spy information.

The crux of the lawsuit is something all corporations should pay heed to, as it’s the same argument plaintiffs made in the Target and Home Depot breaches too: how much knowledge did the government have about potential breaches, and did the government fail to act? As for the feds, the lawsuit alleges:

  • The federal government was on notice because:
    • there were “10 million confirmed intrusion attempts targeting its network in an average month”
    • the OPM breach potentially affects 18 million federal applicants
    • the OIG found that in many areas OPM’s performance actually got worse; per a 2014 OIG report, the “drastic increase in the number of [software] systems operating without valid authorization is alarming and represents a systemic issue of inadequate planning by the OPM offices to authorize the [software] systems they own.”

Courthouse News Service

The Federal Government Is Here to Help with Data Security. Never mind that massive federal government data breach…

  • July 1, 2015

The Federal Trade Commission has released new guidelines for corporate data security. The FTC has the power to fine companies for data breaches, so take heed.

Recommendations include:

  1. Start with security.
  2. Control access to data sensibly.
  3. Require secure passwords and authentication.
  4. Store sensitive personal information securely and protect it during transmission.
  5. Segment your network and monitor who’s trying to get in and out.
  6. Secure remote access to your network.
  7. Apply sound security practices when developing new products.
  8. Make sure your service providers implement reasonable security measures.
  9. Put procedures in place to keep your security current and address vulnerabilities that may arise.
  10. Secure paper, physical media, and devices.

FTC Start with Security coming to UT law November 5th

FTC Guide for Businesses

67% of Healthcare Companies Had Data Security Issues Last Year

  • July 1, 2015

The Healthcare Management Information Systems Society released a new survey about data security and healthcare. The results:

  • 2/3 of healthcare companies responding experienced a data security issue within the last year
  • 87% say data security is an increasingly higher business concern for healthcare
  • 69% say their concern about data security is motivated by phishing
  • 46% say the highest data security concern is internal negligence
  • 57% have at least one full-time staff person dedicated to data security

MedCity News

Data Breach Cause and Effect: Heads Roll. Not the Hackers.

  • July 1, 2015

An imminent departure by the director of the Office of Personnel Management, Katherine Archuleta, appears likely.

She leads the federal agency at the center of the largest government data breach ever.

What we know: Alleged Chinese hackers. Forthcoming federal agency resignations.

The Hill

EU Data Protection Legislation = Generate Business of €415 billion per year

  • June 25, 2015

Data security, from student data to retail data to contracts to clean up data breaches, is big business. The EU, often seen as taking a stronger approach to data protection, predicts it will be big business to the tune of 415 billion euros a year.

Psst- a Euro is more valuable than a US Dollar.

Computer Weekly

Lege trend: 6 Ways the Home of the Ducks Strengthens Data Breach Law

  • June 25, 2015

  • “Expands the statute’s definition of “personal information” to include a resident’s biometric or medical information;
  • Requires entities or persons that own or license consumer personal information to notify the Oregon Attorney General of a data breach if the entity must notify more than 250 residents;
  • Raises the threshold for notifying Oregon consumers to a more generous “unlikely to suffer harm” standard;
  • Lowers the threshold for reporting to consumer report agencies (CRAs) by requiring notice to CRAs whenever a breach affects more than 1,000 residents;
  • Exempts covered entities under the Health Insurance Portability and Accountability Act (HIPAA) from compliance, so long as a copy of the notice sent to either the entity’s primary functional regulator or to state residents is sent to the Attorney General; and
  • Allows the Attorney General to bring action against entities that violate the data breach statute, pursuant to Oregon’s Unlawful Trade Practices Act (Ore. Rev. Stat. § 646.607).”

JD Supra | Privacy & Security Law

Status Check: National Data Security Bill Likelihood of Passage

  • June 25, 2015

Will Congress pass a national data security bill after the massive federal employee data breach? Odds are not high. There is a higher likelihood that next week there will be a new food trailer opening in Austin.

What does this mean? States will pass stronger data security bills covering everything from retailers to public education contractors to health care data.

Health Data Management

Constitutional Amendment to Protect Citizen Information

  • June 25, 2015

Protecting citizen data from the prying eyes of the government, hackers, and neighbors is the rallying cry of everyone from Rand Paul to the Wyoming Legislature.

Wyoming’s Task Force on Digital Information will recommend whether the Legislature should move forward with its constitutional amendment again in 2016.

In 2015, the constitutional amendment ran into hurdles when legislators realized that protecting privacy might make a mess of open records.

To head this disaster off at the pass, some press types recommended a right to know addition to the constitutional amendment. 

Courthouse News Service

Data Security Veto

  • June 23, 2015

One of Governor Abbott’s line item vetoes struck $5,000,000 in funding for the University of Texas Center for Identity. The Center seeks to limit the impact of data security breaches.

The Governor’s rationale: “If The Center for Identity is a priority, the University may use its appropriation for institutional enhancement, leverage public-private partnerships, or allocate other resources for this purpose.”

Governor Abbott Budget Vetoes   UT Center for Identity

Trend: Model Student Data Legislation

  • June 18, 2015

SOPIPA and Student Privacy Pledge are all the talk among Edtech companies gathered in NYC. 

California’s SOPIPA, passed in 2014, has influenced other state legislation. Student data protection isn’t just for state legislatures. It’s also federal. Hello, FERPA.

And state boards of education have used rule making to address data protection in ways that can hinder or assist edtech companies.

EdSurge

Procurement Trend: Required Monitoring Post Data Breach

  • June 18, 2015

The federal employee data breach this week triggered an emergency contract of $20+ million to provide credit monitoring services.

It’s a common response to offer these services. The Texas Comptroller did the same a few years ago when state employee records were breached/exposed.

The techies say credit monitoring is only part of the solution when a person’s data is breached. Other parts of the solution are:

  • Watching for phishing emails.
    • Employees can be coerced into providing information without realizing they are being coerced.
  • Upgrading personal systems.
  • Investing in firewall protections.

Government Executive

Texas State Agency Experiences Data Breach

  • June 18, 2015

A data breach at Texas Department of Aging and Disability Services made 6,600 Medicaid patients’ information, including Social Security numbers and private health information, available online.

DADS

Fierce Health IT

Legal Trend: The Hard to Dismiss Data Security Lawsuit. Personal Emails & Health Data Exposed.

  • June 18, 2015

A federal judge in Los Angeles on Monday refused to throw out legal claims that Sony was negligent in maintaining adequate data security.

Refresher: the Sony data hack led to the release of:

  • employee salaries
  • worker health data
  • racially tinged e-mail banter and
  • other sensitive information.

Bloomberg

Federal Data Breach a Warning for States. One state had 204 data breaches in 2014.

  • June 18, 2015

4.1 million current and former federal employees had their information exposed in a federal government data hack. California’s Department of Technology regulates data security.

The California Department of Technology reports 204 data breaches in 2014 among state agencies. 

State cybersecurity jobs are notoriously tough to fill. The private sector pays better and state hiring moves at a glacial pace. As a result, data security is often outsourced which opens the data up to another layer of potential data breaches.

Sacramento Bee

Data Security: a 2016 Campaign Issue

  • June 18, 2015

Rand Paul has filibustered against the Patriot Act and has outspoken opinions on NSA data collection.

His opinions are echoed by Ted Cruz and Bernie Sanders. 

Factor in the recent federal government employee data breach and Hillary Clinton’s Department of State email, and data security and data privacy will play a key role in upcoming elections.

Advertising Age

Data Hacks by the Back Office

  • June 18, 2015

The FBI is investigating a data breach allegedly perpetrated by the St. Louis Cardinals back office.

If you see one mouse in the barn, there are likely a lot more mice. Corporate data breaches are likely far more common.

Wall Street Journal   New York Times   Houston Chronicle

3rd Smallest State Passes Data Breach Reform Legislation

  • June 11, 2015

Connecticut passed new data breach laws that will:

  • Require businesses to notify affected persons within 90 days of the breach
  • Require businesses to provide one year of identity-theft protection if an affected person’s Social Security number is compromised

CT SB 949    Consumer Financial Services Law Monitor

Health Care Data Security Legislation from the North. Canada Comes Calling.

  • June 11, 2015

“Sweeping changes to provincial health privacy laws will soon cut down the red tape preventing authorities from prosecuting snoopers and force hospitals to declare all breaches of patient records to the privacy watchdog.” 

  • the six month deadline to lay charges would be wiped out
  • potential fine for snoopers would be doubled from $50,000 to $100,000
  • Hospitals would also be forced to report all breaches to regulatory colleges and the provincial privacy commissioner

Toronto Star

Who wins with a Data Security Breach?

  • June 11, 2015

Cyber security firms and their investors, according to the Wall Street Journal.

In the honorable mention category are the data breach fixing firms; see the quick $21M federal contract to CSID.

Washington Post

Data Collection and TXDOT

  • June 11, 2015

TexasTURF is sounding the alarm on data collection by TXDOT. As we know, data collection is ripe for a data breach. 

Texas TURF says “TxDOT tracks drivers to mine data without their consent” 

Tab on Federal Employee Data Breach: $21 Million and counting…

  • June 11, 2015

The numbers on the Chinese data hack at the IRS:

  • $20.7 M private contract to notify those who had information hacked
  • 3.2 million notifications will be sent by e-mail and snail mail
  • Hacking victims will receive: “…$1 million identity theft insurance policy in case their identity is stolen, 18 months of credit monitoring and other security protections as part of the contract.”
  • 4 million current and former federal employees affected

Washington Post

Police Body Cameras and Data Security, Data Retention Policies

  • June 4, 2015

The Texas Legislature passed body cameras for law enforcement officers, SB 158 by West. It will create a lot of data.

“Seattle Police Department alone produced over 360 terabytes of data from dashboard cameras.” It’s a lot of data that must be stored securely, which can be costly.

Recently updated FBI Criminal Justice Information Services (CJIS) policies offer guidance on safe data storage. 

Federal Times

Telehealth Requires a National Health Care ID. Texas Medical Board at the Root?

  • June 4, 2015

Last week a district court blocked a Texas Medical Board rule that required a face to face video conference or an in person meeting prior to telemedicine. It was a win for telehealth.

“Officials of the College of Healthcare Information Management Executives (CHIME) have sent a letter to two U.S. Representatives – Fred Upton (R-Michigan) and Diana DeGette (D-Colorado) – expressing their concern about the need for better patient identification.”

They point to:

  • “As data exchange increases among providers, patient data matching errors and mismatches will become exponentially more dangerous and costly.”
  • Congress should lift prohibitions against a national patient ID.
  • With increased interoperability comes increased “threats to data integrity.”

GlobalMD

4 Million Federal Employees Hit by Data Breach

  • June 4, 2015

“The U.S. Office of Personnel Management on Thursday said personal information for as many as 4 million current and former employees of the federal government may have been compromised in a recent cyberattack.” Law 360

Imposing Banking Data Security Requirements on Small Business. Overregulation?

  • June 4, 2015

Small businesses are not pleased with a data security proposal by House Financial Institutions and Consumer Credit Subcommittee Chairman Randy Neugebauer (R-Texas) and fellow Financial Services Committee member Rep. John Carney (D-Del.).

National Retail Federation response: “Congress should take concrete steps to make sure the credit card cartel finally does the right thing and makes its cards secure.”

The Hill 

Who Does a Board Hold Accountable for a Data Breach?

  • June 4, 2015

Does the Chief Information Officer take the fall? Nope, it’s the CEO.

SC Magazine for Information Security Professionals

Lege Trend: Data Privacy

  • June 4, 2015

“On a 39-0 vote, senators on Wednesday approved tech industry-backed legislation that would require law enforcement to obtain warrants before accessing emails, text messages and other digitally stored data.”

The Recorder 

IRS Data Breach. IRS Perception Problem Perpetuated.

  • May 28, 2015

Tax returns for 104,000 households were hacked.

The hackers used personal information stolen elsewhere to get back into the IRS’s systems and view past tax returns.

This allows the hackers to build fuller identity profiles and to file tax returns with the fraudulently obtained information.

Wall Street Journal   CNN (credits Russian hackers)

Retailers Block Data Breach Settlement

  • May 28, 2015

Retailers scuttled the $19 million settlement with MasterCard issuers over the Target data breach. This keeps MasterCard in the class action lawsuit.

National Law Review

Data Breach Costs to Companies in 2014: Up 23%

  • May 28, 2015

Data collectors and analyzers, IBM and Ponemon Institute, released the 2015 Cost of Data Breach Study: Global Analysis, which shows the average data breach cost increased 23% over the past two years to $3.79 million.

The report recommends mitigating costs with insurance and technology enhancements.

Security Intelligence  PC World

Legal Trend: FTC Protecting Consumer Data in Corporate Bankruptcy

  • May 28, 2015

RadioShack filed for bankruptcy protection. In that process, it has valuable consumer marketing information that it would like to sell. The FTC is entering the fray, in its newly amped-up role as data protector.

Law 360

Student Data Protection: No Fear; Congress is Here to Save the Day. Education Vendors Beware.

  • May 28, 2015

U.S. Senators Hatch & Markey this month filed a measure to protect student data. Following suit is Senator Vitter. 

Hatch & Markey focus on amending FERPA. Yes, that FERPA at issue in the UT System/Wallace Hall debacle. The Senators’ Protecting Student Privacy Act seeks to:

  • Require that “data security safeguards be put in place to protect sensitive student data that is held by private companies,”
  • Prohibit “the use of students’ personally identifiable information to advertise or market a product or service,”
  • Provide “parents with the right to access the personal information about their children—and amend that information if it is incorrect—that is held by private companies,”
  • Make “transparent the names of all outside parties that have access to student information,”

Hatch-Markey Press Release

Vitter’s covertly named Student Privacy Protection Act will:

  • “Reinstate protections originally outlined under [FERPA] by clarifying who can access student data and what information is accessible,”
  • “Require educational agencies to gain prior consent from students or parents and implement measures to ensure records remain private,”
  • Hold liable through monetary fines “[a]ny educational agency, school, or third party that fails to get consent.” 
  • Extend “FERPA’s protections to ensure records of homeschooled students are treated equally”
  • Prohibit “educational agencies, schools, and the Secretary of Education from including personally identifiable information obtained from federal or state agencies through data matches in student data.” 

Vitter Press Release

Legal Trend: Law Suit Against Email Service For Intercepting Email Without Permission

  • May 28, 2015

A class action lawsuit was certified this week against Yahoo, which has a process to intercept, scan and store incoming, non-Yahoo emails of its users for advertising purposes.

Something to think about when you’re sending confidential or privileged information via email.

The Recorder

Chicago Schools: Oops. 4,000 Student Files Breached

  • May 21, 2015

Chicago Public Schools accidentally released personal information on 4,000 students to 5 potential vendors.

Chicago Public Schools assures the public that Social Security numbers were not released in the inadvertent data breach.

NBC 5 Chicago

Want FTC favor? Self Report Data Breaches.

  • May 21, 2015

Within the last few years, the FTC has increased its data security enforcement, including issuing record-breaking fines against companies from big banks to major telecommunications providers.

An FTC Posting touts the favorable treatment for companies that self report data breaches to the FTC.

The Hill   FTC.GOV

Student Data Breach: Names, Addresses & Social Security Numbers

  • May 21, 2015

A school district in Ohio suffered a data breach that exposed the names, addresses and Social Security numbers of students. The hacker? A student, who shared the information.

Young adult data is very valuable on the black market, because the identity is freely adaptable.

News-Herald Columbus Dispatch

State Attorneys General to Congress: Drop Preemption from Data Security Bill

  • May 21, 2015

California Attorney General Kamala Harris, front runner to succeed U.S. Senator Barbara Boxer, is urging Congress to allow states to have stronger data security bills.

Her concerns about the federal bill are many, including:

  • Allowing breached companies to determine whether harm has occurred
  • Need to protect  medical data and health insurance information
  • Need for a stronger notification timeframe for companies targeted by identity thieves and hackers.

Law360

Lege Trend: Expand Definition of Personal Information to Trigger Notification

  • May 20, 2015

Nevada is the most recent state to expand the definition of personal information that triggers data security laws.

The expanded definition includes:

  • an individual’s medical identification number or health insurance identification number, and
  • a user name, unique identifier or email address with its associated password, access code or security question and answer that would permit access to an online account

This reflects a growing trend to include email address/usernames along with passwords in state data security statutes. 

Assembly Bill 179   

Oregon Data Breach of Employment Background Checks leads to False IRS Tax Refunds

  • May 14, 2015

Thieves acquired names, addresses, Social Security numbers and other personal information from a database owned by CICS Employment Services, which housed employment background check information.

The thieves then took the personal information and filed false IRS forms to obtain tax refunds. The company does not know how the information was taken, but it learned of the theft when the theft ring was busted.

Oregon Live

States Have a Hard Time Hiring Data Security Experts

  • May 14, 2015

The National Association of State Chief Information Officers, an organization for states’ chief information technology officials, found states are plagued by problems with hiring cybersecurity experts.

Why? 

  • “Nearly 92 percent of states said salary and pay grades presented a challenge in attracting and keeping employees.
  • 86 percent of states said they’re having trouble recruiting people to fill vacant slots. Four years ago, only 55 percent of states reported having that problem.
  • 46 percent of states said that it takes three to five months to fill senior positions.”

Governing

The #1 Data Security Issue According to Lawyers?

  • May 14, 2015

Humans. Human error causes more data leaks, breaches, and exposure than hackers. A law firm report says data breaches are caused by:

  • 37% human error
  • 22% theft from outside
  • 16% theft from inside
  • 14% malware
  • 11% phishing

Health IT Security

The difference between data security & data privacy?

  • May 14, 2015

Data security:

  • “knowing where your data is located”
  • “who may access the data.”

Data privacy:

  • “predicated on data security”
  • “requires further understanding how personal data is being collected, processed (and by whom), and transferred,”
  • “and the consistency of these practices with applicable laws, regulations, and the reasonable expectations of the relevant consumers”

National Law Review

Relaxed Data Breach Laws? Corporate Discretion on Notifications

  • May 7, 2015

Some proposals in Congress will allow corporations to determine whether the breach justifies notification.

Wall Street Journal

The 5 Federal Data Breach Bills Circling

  • May 7, 2015

  • Sen. Pat Leahy’s Consumer Privacy Protection Act
  • Reps. Randy Neugebauer and John Carney’s bill
    • Counterpart to the Senate’s Carper-Blunt bill
    • Holds merchants to standards similar to those for financial institutions
    • Not well received by retailers and merchants
  • Sen. Bill Nelson’s bill, filed in January but not moving
  • Senators Kirk and Gillibrand’s bill, filed this week
  • A bill in the works by Sen. Warner

Politico

No Pre-emption in new Federal Data Security Bill

  • May 7, 2015

The first data security bill that moved in Congress this year would pre-empt state laws. Some say it would be more lax than the majority of state data security laws.

A new federal legislative proposal removes preemption. The Consumer Privacy Protection Act introduced by Senator Leahy would require companies to take more affirmative steps to protect consumer data.

Health IT Security

Legal Trend: Retail Data Breach Due to Management Complacency on Security Protocols

  • May 7, 2015

A lawsuit against Home Depot, based on the retailer’s data breach, alleges that the data breach is a result of lax data security measures by Home Depot executives.

Multiple security upgrades were routinely rejected by the retailer.

Atlanta Business Journal

6 Data Security Recommendations from the CFOs

  • May 7, 2015

  • Develop specific policies and procedures regarding the handling of proprietary or sensitive information.
  • Improve information security training.
  • Ensure only the minimum necessary access to the information.
  • Communicate and apply consistent sanctions for information privacy or security violations.
  • Monitor employee activity.
  • Ensure adequate oversight or governance of information security programs.

CFO Magazine

US Supreme Court Wades into Data Breach Lawsuits

  • April 30, 2015

The US Supreme Court has accepted a case to determine standing in data breach cases. We all know data breach lawsuits flow freely after a data breach. The question dividing courts has been whether the injury to the person suing is the fact that the information is out on the black market, or whether some economic damage has to occur before the individual can seek a court remedy.

The case that will shed light on data breach standing is Spokeo, Inc. v. Robins.

Orrick

Lege Trend: Marketing Information is Protected Personal Information

  • April 30, 2015

The Illinois Legislature is moving a data security bill that adds marketing information to protected information, which means that if marketing information about a consumer is breached, notice to the consumer will be required.

Illinois Bill SB1833 was drafted by the Illinois Attorney General and “will require notification in the event of a breach of ‘information related to a consumer’s online browsing history, online search history, or purchasing history.’”

Advertisers and Marketers are displeased.

SC Magazine for IT Security Professionals

Read the Fine Print: Hotel Sends All Guest Info Automatically to Police

  • April 30, 2015

A hotel in Rhode Island is sending all information that it collects about its guests to the local police. Does state law require it? No.

Is the hotel under subpoena? No. The police and hotel reached an agreement. Guests will receive no notice of the information sharing.

Governing

2 States First to Update Data Security Laws for 2015

  • April 29, 2015

Montana and Wyoming, wrangling western individualism, passed new data breach notification laws. Here’s what they did:

Wyoming expanded what information triggers a data breach notification to include:

  • Username or email address with password or security question and answer
  • Birth or marriage certificate
  • Medical, biometric or health insurance information
  • Individual taxpayer identification number.

Wyoming also expanded what should be included in a notification received by a consumer to include:

  • A toll-free number to contact the organization
  • Types of PII affected
  • A general description of the breach
  • Approximate date of the breach
  • General actions taken to protect against further breaches
  • Advice relating to reviewing account statements and monitoring credit reports
  • Whether the notification was delayed due to law enforcement.

Montana also expanded what type of information triggers a notification, to include:

  • Information that relates to an individual’s physical or mental condition
  • Medical history, medical claims history, or medical treatment information obtained from a medical professional or medical care institution, from the individual, or from the individual’s spouse, parent, or legal guardian.
  • A tax ID number

Montana also broadened which entities receive notification to include:

  • A company must “simultaneously” provide a copy of the notice to the Montana Attorney General’s Consumer Protection Office.
  • If the data breach involves insurance information, simultaneous notice must be given to the Montana Insurance Commissioner.

Wilson Elser via JD Supra

Lege Enacted: 3 States, New Laws. Data Security Trends

  • April 29, 2015

3 states have enacted new data security reforms. Most recently, Washington State joined Wyoming and Montana. Washington’s reforms include, according to JD Supra:

  • Expands coverage to hard copy data as well as electronic or “computerized” data;
  • Requires notification of the Washington Attorney General if more than 500 Washington residents are required to be notified;
  • Imposes a 45-day deadline for notification of affected consumers and, when required, of the Washington Attorney General;
  • Empowers the Washington Attorney General to enforce the statute by bringing actions under the state’s consumer protection act;
  • Mandates certain content in the consumer notification, including the name and contact information of the reporting business, a list of the types of PI subject to the breach, and the toll-free telephone numbers and addresses of consumer reporting agencies;
  • Introduces a safe harbor for PI that is “secured” or encrypted in a manner that meets or exceeds the National Institute of Standards and Technology (NIST) standard “or is otherwise modified so that it is rendered unreadable, unusable, or undecipherable by an unauthorized person;” and
  • Adds language that exempts certain covered entities from compliance if they otherwise comply with certain federal laws.

Davis Wright Tremaine LLP

Legal Trend: Small Banks Want to Block Target Settlement with MasterCard

  • April 23, 2015

Small banks and credit unions have filed suit to enjoin the nearly $20 million settlement between Target and Mastercard related to the 2013 data breach.

Small banks and credit unions allege:

  • the agreement between Target and Mastercard was surreptitious
  • “This sweetheart deal for Target was negotiated without involvement of the court or the legal representatives of the impacted financial institutions.”

Target is still in negotiation with Visa over a settlement for reissuing credit and debit cards after the 2013 data breach.

Reuters

New SEC Rules on Cyber and Data Security Forthcoming

  • April 23, 2015

The SEC is mulling over requiring disclosures by publicly traded companies concerning data security and data breaches.

This should come as no surprise: in 2011, the Corporate Finance Division issued guidance on disclosing data security and data breaches in CF Disclosure Guidance: Topic No. 2, Cybersecurity, Oct. 13, 2011.

What is the SEC considering as risk factors that need to be disclosed?

  • Whether the risk of data breaches would make an investment in the business risky or speculative, AND
  • The potential cost of any breach.

The SEC is serious too. It is issuing comment letters based on the current guidance and imposing fines.

The Recorder

States Lose (Again) with Federal Data Breach Law

  • April 22, 2015

The federal data breach bill moving through Congress will preempt all state laws. Most states have stronger data breach laws than the federal bill.

Some say the federal bill is being pushed by the business lobby. It makes sense. Businesses are being sued after data breaches and it is costing millions and millions. Hundreds of millions.

California has stronger data security statutes, and the California Consumer Federation says the federal bill will:

  • Eliminate notification to the California attorney general of any security breach.
  • Allow the state attorney general to file a civil lawsuit but prevent individuals from suing over a data breach.
  • No longer require breached companies to provide free ID theft protection services, such as credit monitoring and fraud alerts.

LA Times 

GAO: IRS Needs Better Data Security

  • April 22, 2015

The GAO found 69 data weaknesses at the IRS, which caught the attention of Sen. Grassley and the Treasury inspector general for tax administration.

The Treasury’s inspector general for tax administration ranks data security as the IRS’s top management problem for 2015. In response, the IRS claims that budget cuts have impacted its ability to find security weaknesses.

The Hill

Top Concern for Credit Unions Rhymes with Lata Becurity

  • April 22, 2015

Data Security is the number one concern for credit unions according to the National Association of Federal Credit Unions.

Their concern is founded in fact. In 2014, 317 million new pieces of malware were created according to Symantec’s 2015 Internet Security Threat Report. Data breaches have been increasing by 20% per year.

This group supports legislation that includes:

  • Payment of Breach Costs by Breached Entities
  • National Standards for Safekeeping Information
  • Data Security Policy Disclosure
  • Notification of the Account Servicer
  • Disclosure of Breached Entity
  • Enforcement of Prohibition on Data Retention
  • Burden of Proof in Data Breach Cases

Business Wire

Liability Protections in Federal Data Breach Legislation

  • April 15, 2015

Buried in the federal data breach legislation, which pre-empts the stronger data protection statutes of 38 states, is liability protection for businesses that share data security threats and intrusions with other businesses and the government.

Law360

Medical Imaging Records: 4 Ways to Protect Health Care Data Privacy

  • April 15, 2015

Cloud medical image exchanges are used to help radiologists be more efficient, but are susceptible to data breaches. The data security standards promoted by the industry are:

  • encryption when the data is static
  • encryption when the data is in transport
  • transport layer security, and
  • transferring data through VPN tunnels

Health IT Security

5 Business Associations Flag the Flaws in Federal Data Breach Bill

  • April 15, 2015

A coalition of business groups, including:

  • National Association of Convenience Stores
  • National Association of Realtors
  • National Grocers Association
  • National Restaurant Association
  • National Retail Federation

are urging federal lawmakers to retain a provision in federal data breach legislation that will require 3rd party vendors to notify consumers when they experience a data breach.

The Hill

Cost of Data Breach: $20 Million for 1 settlement with 1 credit card company

  • April 15, 2015

Target’s holiday 2013 data breach continues to breed lawsuits and settlements. Target recently settled with Mastercard for $20 million.

The $20 million will go to financial institutions to:

  • Cover costs that banks incurred to reissue credit cards and debit cards
  • Cover the cost of fraud that resulted from the exposure of customer information

Fortune

Federal Data Breach Legislation Movement

  • April 15, 2015

Federal data breach legislation that would preempt 38 state laws on data breach was approved by the House Energy and Commerce Committee.

The biggest rift in the committee is whether federal law should preempt stronger state laws.

The Hill

Are Water Maps Private, Protected Information?

  • April 15, 2015

Last week Congressman Lamar Smith held “Reining in the EPA: A Regulation Roundtable”; one of the invitees was Agriculture Commissioner Sid Miller.

When conversation moved to a “secret” EPA map of U.S. waterways, Commissioner Miller indicated that the EPA released personal information about farms and ranches. The information was released to “environmental extremist groups.” It is reported that the Department of Homeland Security called the release of the farm and ranch water maps “a bioterrorist threat.”

Hill Country Community Journal

38 Reasons Privacy Advocates Oppose Federal Data Breach Legislation

  • April 15, 2015

38 states have stronger state laws. The federal legislation would preempt those state laws and the lower, weaker standard would prevail.

Washington Post

Another State Passes Data Security Protections

  • April 9, 2015

Alabama is the 48th state to enact data security laws, and one of a few that have revamped data security statutes post major retail data breaches. The Alabama legislation will trigger notification within 30 days when any of the following information is hacked:

  • Medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional;
  • Health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual;
  • User name or e-mail address, in combination with a password or security question and answer that would permit access to an online account.

It also addresses record retention of data breaches.

National Law Review 

Lobbyists on Edge After Hackers Attack

  • April 9, 2015

Data security and the political world are a sordid affair. We’ve seen data hacking by campaigns leading to arrests, and now The Hill reports on data breaches that have K Street on edge.

The head of the American Bar Association Cybersecurity Legal Task Force offers a serious warning:

“What a lobbyist might call blowing off steam could harm their business if it offends a client. For them, the risk is less about revealing state secrets or bribery than it is about humiliation, about damage to their firm’s reputation.”

The Hill

Data Security and the Health Care Industry : A Collision Course

  • April 9, 2015

Since New Year’s Day, 90 million individual health care records have been exposed by data hackers.

Why is health care data targeted? The data is highly valuable on the black market.

How are hackers gaining access to health care data? Via portals in electronics such as sonogram machines, conference call machines, fax machines… MD Anderson tests all its electronic equipment for security protocols.

Commentary in Houston Chronicle

$25 Million fine for Data Breach

  • April 8, 2015

The Federal Communications Commission this week fined AT&T $25 million for a data breach that exposed the personal information, including social security numbers, of 280,000 AT&T customers.

AT&T will incur more costs as it notifies affected customers and pays for credit monitoring services, per the FCC order.

Engadget

Data Security and the Federalists

  • April 8, 2015

Data security and data privacy are near and dear to libertarian types. Think Rand Paul. Libertarian types look to the Federalist Papers to justify constitutional positions, such as protecting Americans from government intrusion into their personal, private data.

Pointing to Federalist Papers 33 and 44, the argument goes that when a national interest exists, it is necessary and proper for the federal government to act.

Legal Intelligencer

Congress Has New Data Security Bill Moving. 5 Highlights.

  • April 2, 2015

Bipartisanship Lives. Last week a new data security bill was unveiled to create standardized requirements for data breach and security issues.

Co-sponsors of the bill:

  • Representative Marsha Blackburn (R-TN)
  • Representative Peter Welch (D-VT)
  • Both are members of the House Subcommittee on Commerce, Manufacturing, and Trade, and Blackburn also serves as Vice Chairman of the Energy and Commerce Committee.

The Bill is Titled: “Data Security and Breach Notification Act of 2015.”

What the bill does:

  • Companies would be required to use “reasonable security measures” to protect an individual’s personal information.
  • Companies would be required to notify affected individuals “as expeditiously as possible” but no later than 30 days after the company has taken the “necessary measures to determine the scope of the breach and restore reasonable integrity, security, and confidentiality of the data system,” unless the delay is attributed to law enforcement or national security reasons.
  • No individual notice obligation if there was no reasonable risk that the breach of security resulted in, or would result in, identity theft, economic loss or harm, or financial fraud.
  • Effectively preempts the current patchwork of state statutes governing data breach notification and data security.
  • Enforcement:
    • A violation of this legislation would constitute an unfair and deceptive act or practice
    • The Federal Trade Commission or state attorneys general would have authority to enforce
    • Civil penalties for violations of the data security and breach notification requirements

National Law Review

Do Data Security Regulations Harm Productivity? Old Business vs. New Business

  • April 2, 2015

European companies are struggling with the 28 different data security laws that the EU has enacted for each of its member countries. Multinational companies have different compliance standards for each country.

However, an attorney for the technology and innovation sector says data regulations, even those that differ by member state, increase productivity in the fields of innovation and technology. This productivity increase is due to the globalization of data.

Computer Weekly

43% of Companies had a Data Breach in 2014

  • April 2, 2015

The number of companies experiencing a data breach is increasing annually. In 2013 it was 33%. In 2014 it was 43%. A mix of retail and health care data breaches is leading the increase.

More data breaches means more litigation.

SC Magazine for IT Security Professionals   Ponemon Institute

Target Data Breach Settles. Who wins, besides the litigators?

  • April 2, 2015

  • Target will put $10 million into a fund to be used to pay its affected customers
    • Customers with substantiated losses recover first
    • Customers with no substantiated losses receive funds thereafter
  • $6.75 Million will go to the attorneys
  • How many people are eligible? 100,000,000. Yes, 100 million people.

Minneapolis Star Tribune

Financial Institution Sues Retailer Over Data Breach

  • March 25, 2015

An Illinois Credit Union has sued Kmart/Sears over a 2014 data breach because the retailers’ reaction to the data breach harmed financial institutions. Here’s why (note the same thing can happen in Texas):

  • The financial institutions were required:
    • to refund fraudulent charges
    • to respond to a higher volume of customer complaints, and
    • to increase fraud monitoring efforts
  • The financial institutions lost revenue
  • The retailers failed to maintain adequate data security under applicable payment card industry standards
  • The retailer delayed notification to consumers by at least 5 weeks.
  • The causes of action are rooted in:
    • Illinois Personal Information Protection Act,
    • Consumer Fraud and Deceptive Business Act,
    • New York General Business Law,
    • negligence, and negligent misrepresentation and/or omission.

JDSupra InfoBytes Blog

Education Firms Spying on Children?

  • March 25, 2015

Education testing companies are being accused of spying on student Facebook, Twitter, and Instagram accounts. The companies are going so far as to require that information posted by students, such as exam information, be removed.

Education companies insist they do not spy on students, but rather track certain terms.

Washington Post

New Legal Frontier: Can Your Data be Stored Out of State or Country?

  • March 25, 2015

The EU is waging a legal war with Facebook over whether Facebook can store the personal and private data of EU residents on servers located outside the EU.

This legal issue raises the question of whether Texans want their information stored on servers in NY or CA.

WallStreet Journal

Education Apps Make Student Data Security Vulnerable

  • March 24, 2015

What kind of information can hackers get from a student’s education app?

  • first name, middle initial, last name
  • gender
  • date of birth
  • parent email address
  • name and address of school
  • usernames (some with associated passwords)
  • teacher email addresses
  • teacher and class roster affiliations
  • class photos with students labeled by name
  • in-class behavior records
  • reading level and progress assessments, and math skill and progress assessments

An identity could easily be created with this information, which sparked Congress to address the situation with the Student Digital Privacy and Parental Rights Act.

States can address the situation by requiring data security protocols on stored student data and for third party education software and apps.

EdSurge

Attorneys General Push for Data Security Reforms

  • March 24, 2015

An April meeting of attorneys general will focus on data security issues. This comes in the wake of the Connecticut AG forming a data privacy division and the attorneys general in NY, OR and WA recommending legislative changes to address data security.

Reed Smith Global Regulatory Enforcement

Lege Trend: Attorney General Forms Data Security Department

  • March 19, 2015

To handle data breach investigations and litigation, the Connecticut Attorney General created a Privacy and Data Security Department.

The Department emerged from a 2011 task force studying how the state can best address data breaches, and is staffed with a “cross-disciplinary team of experts in health, finance and other disciplines.”

Westfair Communications

$5M Data Hacking Suit Against Automakers in Texas

  • March 19, 2015

A Dallas trial lawyer has filed suit in California against Toyota, Ford and GM because the vehicles’ software is easily hacked.

The suit claims:

  • The automakers failed to ensure the basic electronic security of their vehicles
  • The electronic security can be hacked by anyone
  • The easy hack allows a person, who is not the driver, to take control of the basic functions of the vehicle
  • The vehicles thereby endanger the safety of the driver and others

Case No. 4:15-cv-01104-DMR

Southeast Times Record

Legal Trend: Breach of Fiduciary Duties by Company Executives?

  • March 18, 2015

Do company executives breach their fiduciary duty by how they handle data security or in the methods of handling data breaches?

A law firm is investigating whether executives at Home Depot breached their fiduciary duty by failing to protect against the Home Depot data breach.

Market Watch

Education Data: Teacher Privacy vs. Transparency for Parents

  • March 17, 2015

Data privacy is the new frontier for property rights. People fiercely want to protect their personal data. It gets tricky when the person trying to protect their data is a public school teacher.

A parent in Virginia sued to have teacher evaluations released.

The first court sided with the parent to allow for the release of teacher evaluations. The suit is on appeal. Teacher groups refer to the release of evaluations as an invasion of privacy. It’ll be fought to the Supreme Court and is a fight occurring around the country.

Washington Post

Uber Class Action Lawsuit for Data Breach

  • March 17, 2015

A Portland Uber driver is the named plaintiff in a class action lawsuit against Uber for a 2014 data breach.

The breach disclosed personal information for 50,000 Uber drivers. The lawsuit alleges that Uber took 5 months to disclose the data breach, which violates California law. California statutes require employers to protect the personal information of employees.

Antman v. Uber Technologies Inc, U.S. District Court for the Northern District of California, No. 15-1175.

Insurance Journal  InAutoNews  NYDailyNews  Fortune via Reuters

FTC: Poor Fit to Require Retailers & Banks to Follow Same Rules

  • March 17, 2015

The Federal Trade Commission issued a report saying it’s a bad idea to apply banking rules to retailers. 3 Reasons Why:

  • “burdensome to nonbanks”
  • “Retailers lack the authority over payment cards to maintain certain data security obligations”
  • “The FTC lacks the supervisory examination and resources to provide specific guidance and oversight that would be necessary to cover every nonbank business”

The Hill

Silicon Valley Experts Talk Business Costs of Data Breaches

  • March 12, 2015

According to experts in Silicon Valley, data breach costs break down for business like this:

  • 80% of breaches cost less than $1 million in direct costs and damages
  • 15% of breaches cost between $1 million and $20 million
  • 5% cost more than $20 million to investigate, deal with and pay legal costs
  • Average cost is $7 million
  • Only 8% of businesses are buying cyber insurance coverage

San Francisco Business Journal