Health Care Data is Valuable. High Dollar Target of Data Hackers.

  • March 12, 2015

A glut of credit card and financial data on the black market has driven down its price. As a result, hackers are targeting more lucrative health care records.

Health care records are selling for as much as 7 times the value of financial data on the black market. Legal Intelligencer

3 Trends in Data Breach Policy for 2015

  • March 12, 2015

1. More respect for financial institutions in courts. Data breaches lead to lawsuits. Lawsuits lead to multiple lawsuits. Multiple lawsuits become class action lawsuits. High dollar class action lawsuits are facing Target and Home Depot.

2. Push for national data breach legislation by multi-state companies.

3. More health care data breaches. Legal Intelligencer

Montana Passes Data Security Bill

  • March 10, 2015

Montana empowered its attorney general's office by requiring that it receive notice of any qualifying data breach. The Montana Attorney General operates a consumer protection division that will seek to help affected Montanans.

Montana Standard

HIPAA and Higher Education Student Data Privacy Collide in Lawsuit

  • March 10, 2015

A student at the University of Oregon, Go Ducks!, alleges she was raped by 3 basketball players. The University found the students at fault and kicked them out of school and off the basketball team.

After the alleged rape, the student sought treatment at the student health center. Her treatment included mental health care.

She eventually sued the school, as the alleged offenders were never tried for a crime. During the lawsuit, her mental health records from the university health care clinic were accessed without her permission by the University.

The policy & legal question is: does FERPA (the Family Educational Rights and Privacy Act) trump HIPAA? The Feds say: “The Department of Education urges higher education institutions to not only comply with FERPA, but also to respect the expectation of confidentiality that all Americans hold when talking to a counselor or therapist.”

Kaiser Health News

4 Student Data Principles. Supported by 32 Education Groups.

  • March 10, 2015

The Data Quality Campaign joined the Consortium for School Networking to set forth principles to guide student data regulation. The goal is to protect student data while doing no harm to schools. 4 points they all agree on:

  • Student data should be used to further and support student learning and success.
  • Students, families, and educators should have timely access to information collected about the student.
  • Students’ personal information should only be shared with service providers for legitimate educational purposes.
  • Everyone who has access to students’ personal information should be trained on how to effectively and ethically use, protect, and secure it.

The Consortium includes:

  1. Alliance for Excellent Education
  2. AASA: The School Superintendents Association
  3. American Association of Colleges for Teacher Education
  4. American Association of School Librarians
  5. Association of School Business Officials International
  6. Consortium for School Networking
  7. Council for the Accreditation of Educator Preparation
  8. Council of Chief State School Officers
  9. Data Quality Campaign
  10. Digital Promise
  11. Education Trust
  12. Educators 4 Excellence
  13. Foundation for Excellence in Education
  14. Institute for Higher Education Policy
  15. International Association for K12 Online Learning
  16. International Society for Technology in Education
  17. National Association of Secondary School Principals
  18. National Association of State Boards of Education
  19. National Association of State Directors of Teacher Education and Certification
  20. National Center for Learning Disabilities
  21. National Council on Teacher Quality
  22. National Education Association
  23. National Parent Teacher Association
  24. National School Boards Association
  25. PDK International
  26. SIF Association
  27. Stand for Children
  28. State Education Technology Directors Association
  29. State Higher Education Executive Officers Association
  30. StriveTogether
  31. StudentsFirst
  32. Thomas B. Fordham Institute

Education Week

Hospital System Sued for $5,000,000 over data breach

  • March 9, 2015

A data breach of medical records at an Ohio hospital system has led to a $5,000,000 class action lawsuit. It took 4 months for the hospital system to notify patients of the data breach.

The legal complaint is based on the medical records data breach creating a “threat of immediate harm has injured her privacy as a result of negligence.”

WFMJ

Bill Filing: Protecting Student Data 8 Ways

  • March 6, 2015

Van Deaver has filed HB 2156, which its author says protects student data in 8 ways:

  • Not sell student information;
  • Not behaviorally target advertising;
  • Use data for authorized education purposes only;
  • Not change privacy policies without notice and choice;
  • Enforce strict limits on data retention;
  • Support parental access to, and correction of errors in, their children’s information;
  • Provide comprehensive security standards; and,
  • Be transparent about the collection and use of data.

VanDeaver Press Release

Lege Trend: Re-defining Private Data in the Land of Lincoln

  • March 4, 2015

The Illinois Attorney General is working to expand the definition of what is private information that triggers data breach notifications.

She wants to include the following information:

  • email addresses
  • log-ins
  • passwords
  • health insurance information
  • biometric information
  • geolocation information

Her proposal doesn’t specify when the consumer and the Attorney General’s office must be notified. Instead, businesses are granted flexibility: the bill requires that a business take “reasonable steps” to protect the information it holds.

S.B. 1833

40 Class Action Law Suits From Anthem Inc. Data Breach

  • March 2, 2015

Hailed as a victory for plaintiffs’ lawyers, class actions are proceeding for data breaches at Target and Sony. Since the February breach at Anthem, more than 40 class action lawsuits have been filed.

Legal experts say data breach cases move forward when the plaintiff can allege:

  • “Statutory damages, such as a particular state’s data-breach law, or
  • if there are known sales of stolen identities on the black market”

National Law Journal

Lege Trend: Higher Health Care Data Privacy Standards

  • March 2, 2015

Connecticut’s SB1024 applies higher data privacy standards to health care providers by establishing regulations through the department of insurance.

Which health care entities are affected?

  • health insurers
  • HMOs
  • “other entities licensed to do health insurance business in Connecticut,”
  • pharmacy benefits managers
  • third-party administrators that administer health benefits
  • utilization review companies

What are these health care businesses required to do?

  • encrypt the health care data they maintain

What personal information are health care entities required to encrypt?

  • an individual’s first name or initial and last name in combination with one or more of the following:
    • Social Security number
    • driver’s license number
    • address
    • identifiable health information

The 2015 CT bill follows in the path of the New Jersey health care data privacy bill.  

Day Pitney

Lege Trend: Access to the GPS Data on your Phone

  • March 2, 2015

California’s SB 576 will require app makers to explain:

  • what location information they’re gathering from your phone
  • why they’re collecting it and
  • whether they’re sharing it with anyone else. 
  • Will require users’ permission to continue to gather GPS information from your phone

The Recorder

Preeminent Data Security Attorney Supports State Regulation over Federal Regulation. 3 Ways Business Needs Flexibility in Data Security Legislation.

  • February 26, 2015

Theodore Kobus III, co-leader of the Privacy and Data Security Practice at Baker Hostetler, favors state regulation over one-size-fits-all federal regulation of data security notification.

He suggests the right template for data security is HIPAA’s approach. HIPAA has been functioning for more than 10 years and has no uniform standard for security.

Businesses need flexibility to respond to data breaches. The flexibility is necessary based on 3 factors:

  • size of the business
  • budget of the business
  • industry of the business. 

Inside Counsel

TX University to Offer MS in Cyber Security

  • February 26, 2015

Fresh off naming San Antonio the #2 spot for cyber security expertise, St. Mary’s University unveils a new Masters of Science degree in cybersecurity. Texas Public Radio

Bill Filing: DNA Data Security

  • February 25, 2015

SB 628 by Van Taylor prohibits a governmental body from:

  • capturing or possessing a biometric identifier without:
    • express statutory authority to capture or possess the biometric identifier AND
    • consent of the individual.

New Legislative Caucus: TX Innovation & High Tech Caucus

  • February 25, 2015

Today Representative Jim Murphy announced the formation of the Texas Innovation and High Tech Caucus. Members of the legislature are directed to contact Bradly Pepper in Representative Murphy’s Office.

Lege Trend: Student Data Security. Student Data Is the MVP on the Black Data Market.

  • February 23, 2015

Selling student data is a hot topic. Education businesses want to buy student data to tweak their products. Releasing student data is of increasing concern to data privacy advocates, especially since data related to children is far more valuable on the black market. 

Maryland is bouncing around how to protect student data. Proposals include:

  • prohibiting selling student information for profit, including names, grades and test scores, socioeconomic information, search activity, photos and other student identifiers.
  • prohibiting targeted advertising and profiling of individual students

Cecil Whig via the Capital Daily News Service

New Texas Public Private Partnership for Data Security

  • February 19, 2015

This week, the U.S. Army Reserve selected UTSA as a founding member of a unique public-private partnership program to train cybersecurity professionals. 

Under the Cyber P3 designation, UTSA and other participating schools will help the government fill as many as 40,000 positions nationwide.

San Antonio Business Journal

US Chamber of Commerce: San Antonio #2 in Data Security Professionals

  • February 19, 2015

A US Chamber of Commerce study ranks San Antonio as the #2 area for data security professionals. The industry is working to gain traction with local economic development officials. KSAT

UTSA Cyber Security Program Tops in the Nation

  • February 19, 2015

UTSA established its Institute for CyberSecurity in 2001. The Institute trains not only students, but also those in business to improve their cybersecurity. 

In 2014, the Institute was named the Top cyber security education program in the nation by certified information technology professionals. 

KSAT

TX Data Security Officer Leaves DIR

  • February 19, 2015

Last week, Brian Engle, DIR’s data security go-to guy, left his state government post. He is now the first employee of a nonprofit, the Retail Industry Information Sharing and Analysis Center.

His new role is to support the retail industry in their cybersecurity efforts and their efforts to protect their customer information and information technology.

Government Technology

Data Security Tops Business Priority Survey

  • February 19, 2015

National Retailers Federation revealed a survey that shows that 97% of surveyed business leaders believe data security is a top priority for 2015.

National Retailer Association

Cars Retain Your Data, Folks. Feds File Legislation to Protect Your Car Data.

  • February 12, 2015

New federal legislation would establish federal data security standards for car makers. Most cars collect data, without the vehicle owner or driver’s knowledge. The data is then sold to third parties. 

Legislation would require:

  • car companies and third-party vendors to be competent in:
    • detecting 
    • reporting
    • responding to real-time hacking events
  • drivers would be notified of:
    • data collection,
    • data transmission and
    • how that data is being used.
  • Allow consumers to decline data collection without having navigation disabled.

AutoBlog

Lege Trend: More States Move Fast to Protect Students. Districts Face $50,000 Fines per Breach.

  • February 12, 2015

A panel in rugged, independent Idaho is creating a task force to study:

  • how much student data is sold to third parties
  • how best to protect student data, and
  • how to reduce sharing student data. 

State and federal agencies collect nearly 566 data points per student. Last year, Idaho passed a law that can fine school districts up to $50,000 for student data security breaches.

Lege Trend: Federal Data Breach Legislation

  • February 11, 2015

Last week Congressmen Barton (R-TX) and Rush (D-IL) filed data breach notification legislation. Feds want to protect personal, private information and the states are quickly passing bills that further protect their citizens. 

What you need to know about the federal bills:

  • Act Name: Data Accountability and Trust Act (DATA Act)
  • Bill Number: HR 580
  • Senators Feinstein, Pryor, Rockefeller, and Nelson filed a similar, but not identical, bill:
    • Data Security and Breach Notification Act
    • SR 177
  • What do HR 580 & SR 177 seek to accomplish?
    • Nationwide data security standard
    • Backed by FTC enforcement & State Attorneys General and civil penalties
      • Penalties up to $5M per violation
    • Require notification to the FTC & to affected individuals in the event of a data breach
    • Define “personal information” to include:
      • an individual’s name in connection with:
        • (1) a Social Security number
        • (2) a driver’s license, passport, or other government-issued identification number, or
        • (3) a financial account or credit or debit card number in combination with a security code or password that would permit access to an individual’s financial account.
    • Businesses would be required to have information security procedures and policies to safeguard information.

National Law Review

Data Breaches Lead to Tax Man Problems

  • February 11, 2015

The FBI is investigating whether hacked tax information was used to file fraudulent state and federal tax returns without the original taxpayer’s knowledge.

The fraudulent state and federal tax filings are impacting businesses and individuals. 

WSJ

Breach Leads to Class Action. Rinse. Repeat.

  • February 11, 2015

Last week Anthem experienced a data security breach that resulted in the exposure of personal information for up to 80 million people. This week, a class action lawsuit was filed in Atlanta.

Here’s what plaintiffs allege:

  • World’s biggest known data breach
  • The FBI has identified health care as particularly weak in data security. 

Courthouse News Service

4 Data Security Policy Trends

  • February 4, 2015

  • Health Information protected by HIPAA will put companies at risk.
    • Department of Health and Human Services Office for Civil Rights enforcement actions have led to multiple million dollar settlements against hospitals, clinics, and health systems
  • FTC will take enforcement action. That action will lead to lawsuits challenging the FTC powers of enforcement. 
    • Opportunity for state enforcement abounds.
  • More lawsuits against companies and financial institutions. Big legal costs. Big tort reform opportunity. A sample of the lawsuits:
    • class action suits
    • Claims under specific privacy statutes, like motor vehicle records
    • State medical privacy laws for employee health insurance records
    • Restricted access to bank accounts may satisfy data breach causes of action
  • Insurance Regulation on data breach policies as the industry rapidly expands.

Lege Trend: Another Attorney General Supports Data Breach Notification & Enforcement

  • February 4, 2015

The Oregon Attorney General has a data breach legislation wish list. On her wish list is:

  • Extend data breach enforcement and notification to the Oregon Department of Justice
  • Oregonians should have access to information about:
    • who is collecting their personal information and data
    • how it is being used and protected
    • to whom it is being sold.

Oregon Business Report

Cost of a data breach: $15 Million +

  • February 4, 2015

Sony Pictures spent $15M in Q3 investigating and remediating its data breach. Legal costs forthcoming. Tech Crunch

Data Breach Liability for Retailer? Is there a Financial Cap for a Grocer?

  • February 3, 2015

Retail data breaches lead to class action lawsuits. They’re new. They’re trendy.

How financial liability for a breach is assessed is a developing legal trend. Legal trends turn into legislative trends as states grapple with assigning liability.

Today the retailers & the banks are at odds over this in policy court. To add fuel to this policy fire, a federal court sided with a retailer against financial institutions by limiting a grocer’s liability to:

  • $500,000
  • based on the agreement between the grocer & the financial institutions processing the payments

Retailers want banks to bear the brunt of costs. Banks want retailers to meet the high security standards they have to meet. 

PYMNTS.COM

Public Ed Contractors Want Data. States Stop the Data Flow.

  • February 3, 2015

In 2014, California passed bills to protect student data from contractors. What did the bills do?

  • Require “school districts to maintain control and ownership of any data managed by a private vendor.” Cal AB 1584 (2014)
  • Give education technology companies until 2016 to stop selling student personal identifying information and to stop target marketing to students  CAL SB 1177

At the school district level, these actions are being taken:

  • Teacher training on privacy issues.
  • Use of a vetted list of vendors that comply with data retention and storage restrictions

The Recorder

Mandatory Encryption for Health Care Data. States Imposing Higher Standards than HIPAA.

  • January 26, 2015

The Garden State has mandated that all protected health information be encrypted. This new requirement applies to:

  • health providers
  • hospitals 
  • medical insurance corporations

The NJ legislation, signed by Gov. Christie, exceeds HIPAA requirements and will require encryption of:

  • patient’s name linked with:
    • a Social Security number
    • driver’s license or other state-issued identification
    • address
    • identifiable health information.  

National Law Review

Downsizing Health Care Data Sharing

  • January 26, 2015

Private companies want access to government health care information to build their business, but their access to health care data is shrinking fast. HHS is severely cutting the information it is sharing with third parties.

The change was sparked after the AP reported that healthcare.gov was sending personal identifying information to third parties for marketing, advertising, and internet data performance purposes. 

Privacy advocates, the Electronic  Frontier  Foundation, Senator Hatch and Senator Grassley want the federal government to do more to stop health care data sharing with private companies. 

AP | National Law Review | The Hill | NYTimes

Survey Says 34% More Spent on Retailer Cyber & Data Protections

  • January 25, 2015

The Target data breach of 2013 changed a lot of things. Cyber insurance is a booming business, and spending on cyber security has increased on average 34%. The survey also said:

  • 57% of U.S. CEOs are extremely concerned about over-regulation
  • AppRiver says last year it quarantined about 1 billion email messages that contained viruses in attachments, about double the amount it did in 2013.
  • 75% of the British people it asked said they want more transparency in business, and 81% said they want more accountability.
  • A survey by KPMG of the FTSE350 found 58% of respondents said they expect their cybersecurity risk to increase over the next year. WSJ

Banks v. Retailers MMA Cage Fight

  • January 25, 2015

Where does the buck stop in data security regulation? Is it at the financial institution or at the retailer who garners the class action lawsuit? 

Retailers have said they should not be treated like banks, which are heavily regulated. Information Intelligence

The Credit Union National Association, Financial Services Roundtable, the Consumer Bankers Association and four other financial trade associations sent a letter to Congress on Friday asking to have new rules imposed upon retailers that handle customers’ personal data. This could impose fines of up to $1 Million per day for retailers. The Hill

Lege Trend: Techies Want Data Security Supremacy & Tax Relief

  • January 25, 2015

Georgia techies are focused on tax incentives and making Georgia the Supreme Leader in Data Security. The economic incentive proposals:

  • Extend Angel Investor Tax Credit
  • Film Tax Credits
  • “triple the qualifying period on a sales-tax exemption for companies buying more than $15 million in computer equipment, from one year to three”
    • This tax credit has made Georgia a hot spot for data centers
  • Create a committee to make Georgia a leader in data and cyber security
    • Georgia is home to IBM and to U.S. military’s cyber command, which they believe make Georgia the perfect leader in data and cyber security

Athens Online 

States Ramp Up Data Security Laws. Propelled By Healthcare Data Breaches.

  • January 22, 2015

Add New York to the growing list of states ramping up data security laws. NY will consider legislation similar to OR and IN that would provide a “safe harbor rule for companies that implement specific data security plans and standards that officials say would minimize the chance of a breach.”

New York’s study of data breaches found that health care was the largest source for data breaches.  Healthcare Dive

Data Breach Bill Filings: Biometrics, FingerPrints, Health Care Data.

  • January 22, 2015

Data Protection Policy Trends Emerging…

HB 349 by Kleinschmidt calls for limiting collection of fingerprint in criminal history checks.

HB 764 by Susan King calls for DSHS to limit the information stored, require notification upon a breach and prohibit the sale of information.

HB 852 by Sanford calls for a study on the collection and storage of biometric identifiers.

Data Breach Hearings In Congress: To Pre-empt State Law or Not to Pre-Empt?

  • January 22, 2015

Federal law or state law? Which should have the final say over a data breach at a local business? Or, if a data breach affects a nationwide retailer? The State of the Union address included a call for federal data breach laws pre-empting state law.

Texas Congressman Michael Burgess agrees with federal pre-emption.

He will chair the hearing on Tuesday January 27th, and said, “We need a plan in place that will help prevent data from being stolen in the first place, and will also alleviate consequences for consumers if hackers are successful.” The Hill

Health Care Data Breaches- Hackers or Human Errors?

  • January 22, 2015

Since 2009, health care data breach statistics are:

  • 8% involve hacking
  • 40.9 million individuals’ records have been exposed
    • Of the individual records, 19% were blamed on hackers
      • This includes a hack, allegedly by Chinese hackers, of the health care data at Community Health System in Franklin, TN, resulting in stolen personally identifiable information on 4.5 million individuals.

President Obama’s federal data breach proposal would pre-empt state law, but it EXEMPTS health care and banking, which each have their own data breach standards. Modern Healthcare

3/4 of IT Experts Support Data Breach Notification Laws

  • January 22, 2015

75% of international cyber security experts support breach notification laws. The biggest concerns about complying with the laws:

  • 55% notification would affect corporate reputation
  • 15% said systems not geared for notifications
  • 13% listed increased costs as a concern

PC World

Data Breach Insurance BOOM!

  • January 16, 2015

Insurance sales for data protection are skyrocketing.

With the feds and states scrambling to protect citizen data, and class action lawsuits being filed with every breach, the insurance market is booming.  

Demand For Cyber Insurance Skyrockets | The Hill

2 Experts: Federal Data Security Standards Loosen State Standards. Less Protection for Individuals.

  • January 16, 2015

2 Privacy Experts say Federal Standards Don’t help individuals:

  • Alvaro Bedoya, the executive director of the Center on Privacy & Technology at Georgetown University Law Center, says consumers benefit from state laws which are stronger than national proposals. 
  • Software & Information Industry Association says individuals will not be safer with federal protections.

National Review

States are Passing Data Security Bills. See Where State Laws Stand. Business Interests Beware.

  • January 15, 2015

Baker Hostetler offers an absolutely fantastic chart of what every state is doing on data security.

Data privacy experts say state laws go further to protect your information if it’s the subject of a leak, breach or hack. Tort reform types point to data breaches being a new bevy of class action lawsuits. Baker Hostetler

WA Data Security Legislation

  • January 13, 2015

Hot Topic: how to protect and notify individuals in case of a data breach. Here’s Washington State’s proposal to upgrade its notification laws. Unlike other states, Washington state law does not currently require any centralized reporting to the state when a data breach occurs, resulting in a lack of robust information for law enforcement and consumers.

The proposed legislation strengthens Washington’s data breach notification law by:

  • Notification requirements when the breached data is encrypted.
  • Establish notification timelines.
    • Require consumer notification as quickly as possible and no later than 30 days whenever personal information is likely compromised.
  • Centralized reporting to the state to improve enforcement actions.
    • Require the Attorney General to be notified within 30 days when a data breach occurs at a business, non-profit or public agency, enabling the Attorney General to compile centralized information about data breaches for law enforcement and consumers.
  • Require businesses, non-profits and agencies, when reporting a breach, to provide consumers with basic information they can use to help secure or recover their identities.

Kirkland Report: WA House Bill 1078 & Senate Bill 5047

Data Sharing with Government Leads to Liability Protection

  • January 13, 2015

The Obama Administration, in a grand data security bill, offers liability protection to companies that share cyberthreat indicators with the government.

Privacy Rights advocates are not amused. Washington Post | The Hill

White House Wants to Lead in Education Data Protection Legislation

  • January 13, 2015

The White House released proposals to protect data. Student data. Energy data.  Tech data. 75 Companies have said “Aye.” Including the big dogs- Apple and Microsoft. 

Education Data Protection:

  • No sales to third parties for a purpose other than strictly educational.
  • No targeted advertising to kids.

WSJ http://blogs.wsj.com/law/2015/01/12/white-house-moves-to-protect-data-privacy/

Data Security Ripe for Tort Reform. Will it help? No Says Washington Post Legal Commentator

  • January 12, 2015

Mandatory data breach notices have triggered lawsuits. Lawsuits have led to class action lawsuits. Think Target and Home Depot, the big retail data breaches. Class Action lawsuits lead to settlements.  

Whether one agrees or not what the impact of tort reform will be, data security is ripe for tort reform. 

Volokh Conspiracy | Washington Post

AG Enforces HIPAA Data Security Provisions

  • January 12, 2015

Indiana’s AG enforced HIPAA against a health care provider that improperly dumped health records. The health care provider put the records, unshredded, in a dumpster. National Law Review

A couple of weeks ago, Indiana’s AG offered legislative guidance on data security bills. Information Intelligence

Data Breach Laws not just for the Feds

  • January 8, 2015

State laws address data breaches. They set up notification procedures and establish liability. A cyber law expert lays out liability and causes of action in various states.

Looking at the class action suits that have followed major retailer data breaches, it is the legal trend of the year.

Claims Journal

Data Security Taking Front Stage with New Congress

  • January 8, 2015

Data security and protecting consumers’ education, health and financial data just got a kick start.

  • Texas Congressman Hurd will chair the IT Subcommittee — a new panel created by incoming Oversight Committee Chairman Jason Chaffetz of Utah.
  • Texas Congressman Ratcliffe will chair the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, a part of the Homeland Security Committee.

Dallas Morning News

In 2014 states began passing data security and data protection legislation. Just look to legislative efforts in CA, FL, NJ, IN, WY, AL. Click the legislative trend category to see a complete list.

Data Security Sample Bills: Protect Minors, Students, Health Care Data & More

  • January 3, 2015

In 2014 California passed a number of data security bills to protect students, consumers and patients, including:

  • Privacy Rights for California Minors in the Digital World (California’s SB 568):

    • Prohibits marketing or advertising alcohol, firearms and tobacco to minors.

    • Prohibits using, disclosing, or compiling a minor’s personal information (or permitting a third party to do so).

    • Intended to exceed federal protections for minors.

  • Data Breach Notification Amendments (California’s AB 1710):

    • Businesses must “implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”

    • Any identity theft prevention services must be provided at no cost to the affected person for not less than 1 year.

  • Medical Information Breach Notification Period (California’s AB 1755):

    • Expands the time permitted to report breaches or disclosures of patients’ medical information to the state & to the patient.

    • Permits email notification.

  • Safeguarding Pupil Digital Records (California’s AB 1584):

    • Provides local educational agencies with control to contract with third parties that provide digital educational software or services, including cloud-based services, for the digital storage, management, and retrieval of pupil records.

    • Limits the use of the pupil records, ensuring compliance with the federal Family Educational Rights and Privacy Act.

  • Pupil Records and Social Media (California’s AB 1442):

    • Restricts a school district, county education office, or charter school that gathers information from an enrolled pupil on social media from using the information collected for other purposes.

    • Prohibits selling or sharing of the information, and imposes other requirements related to the destruction of the information.

  • Student Online Personal Information Protection Act (California’s SB 1177):

    • “Prohibits operators of websites and online services and applications used primarily for K–12 school purposes, and designed and marketed for those purposes, from pursuing targeted advertising to students and their parents or legal guardians.”

    • “Prohibits using covered information to build a profile of K–12 students, selling a student’s information, and disclosing certain types of information.”

National Law Review 

$5.6 Billion: The 2015 Cost of Health Care Data Breaches

  • January 3, 2015

$5.6 Billion buys a lot of tongue depressors. It’s also the expected cost of data breaches in the health care industry for 2015, according to the 2015 2nd Annual Data Breach Industry Forecast by Experian. Highlights from the forecast:

  • A Ponemon Institute survey found that 72% of healthcare organizations indicated they are only “somewhat confident” or “not confident” in the security and privacy of patient data.
  • Increasing data security by health care organizations could limit the risk of breaches and limit scrutiny from regulators. Business Solutions


SAO: State Computer Systems Out of Date

  • January 3, 2015

The State collects mountains of data from motor vehicles to health care agencies. Keeping up with the technology to protect this information lags behind.

The State Auditor found that state data projects are not being completed on time or on budget, and may not receive the proper authorization.

SAO 15-015 | Austin Business Journal

Indiana AG Proposes Data Security Legislation

  • January 3, 2015

The proposed legislation would require more of businesses, including:

  • More stringent requirements for storing & retaining sensitive data
  • Reduce harm to consumers with better notifications
  • Increase transparency of online privacy policies

What does this mean for business:

  • Require data to be securely stored
    • Delete personal or financial data
    • Retain only what is necessary for business purposes and processes
  • Limit sharing or selling of data only when authorized by law or when consumers are informed in advance
  • Inform consumers by clear and conspicuous notice when personal data must be collected and how long it will be stored
  • Data Breach Notification Changes with quicker notifications to consumers, with more information, applied to more data breaches. AD LAW ACCESS | National Law Review | Indiana Attorney General Proposal

Data Security Regulation Needed Post Chick-fil-A Data Breach

  • January 3, 2015

Another day, another retailer with a data breach.

The National Association of Federal Credit Unions took the opportunity to call for clear data breach laws.

Why? Without regulation every business that could possibly be related to a data breach is getting sued. It’s a class action gold mine. The Hill

FTC Has Authority to Pursue Data Breach Enforcement

  • January 3, 2015

FTC and FCC are both regulating data breaches. FTC pursued an enforcement action against Wyndham Hotels, which then challenged the FTC’s regulatory authority. 

In a case watched by many corporations, the courts said yes, the FTC has regulatory authority to take enforcement actions related to data breaches.

In late 2014, the U.S. Court of Appeals for the Third Circuit ordered the parties to mediation to save all parties time and money. King & Spaulding via JD Supra

Why does this matter? Data security laws on the state level are increasing.  State level enforcement is inevitable. Enforcement will come with hefty fines against businesses that experience data breaches. 


Kerfuffle: Financial Institutions v. 6 Retailer Groups- Which Bears the Financial Burden for a Data Breach?

  • January 3, 2015

The fighters for financial institutions: Independent Community Bankers of America

The fighters for retailers: Retail Industry Leaders Association, National Retail Federation, National Grocers Association, Merchant Advisory Group, National Association of Convenience Stores, Food Marketing Institute, & National Restaurant Association

Why did the kerfuffle start? Banks assert that they absorb the heaviest burden “following security breaches of payment card data.” The Independent Community Bankers support:

  • “the costs of data breaches should ultimately be borne by the breached party,
  • all participants in the payments system—including merchants—should be subject to Gramm-Leach-Bliley Act–like data-security standards,
  • a national data-security breach and notification standard should be implemented to replace the current patchwork of state laws,
  • unnecessary barriers to effective threat-information sharing between law enforcement and the financial and retail sectors should be removed, and
  • while community banks and other financial institutions continue to move to chip technology for debit and credit cards, these technologies alone may not have prevented the recent retailer breaches and do not protect against fraud in “card-not-present” transactions, such as online purchases.” ICBA Press Release

Retort from the Retailers:  

  • “Retailers bear more of the costs of breaches than banks.”
  • “We need increased sharing of information between law enforcement and the business community, as well as between retailers and financial institutions.”
  • “Ignoring PIN technology leaves us all more vulnerable.”
  • “The Gramm-Leach-Bliley Act is not a model for data security.” Letter from the Retail Groups

The Hill: Data Breach Payment Fight Heats Up

Healthcare Data Must Be Addressed When Crafting Data Security Laws

  • January 3, 2015

Federal Health and Human Services has pursued a string of health care data breach claims against health care providers.

Health care data is protected under HIPAA, and data breach issues could also fall under data security laws and regulations.  

For a refresher on the HHS settlement with Anchorage Community Mental Health Services, see Association of Corporate Counsel

Trend: Insurance for Cyber Security

  • January 3, 2015

Forecasting trends related to hacking/data breaches/cyber security is a hot topic. Just look at the plethora of class action lawsuits, and the Sony hack that led to pulling the film, The Interview, and its own set of lawsuits.

In an interview with the Wall Street Journal legal writer Dan Dipietro, a cyber security expert says he expects cyber security insurance to soon be part of the ordinary course of business.

Wall Street Journal


Federal Secure Data Act- Disallow Law Enforcement Surveillance

  • December 18, 2014

Tech companies (makers of computers, phones, tablets, etc… & software companies) are getting protection under a bill by Sen. Wyden.

Think of all the personal privacy bills in Texas during 2013- drones, license plate capturing, photography protections… Texas loves protecting personal privacy from big brother. 

The Wyden bill would prohibit law enforcement from requiring tech companies to make it easy for law enforcement to access data and devices. Eliminating such mandated access would also make it harder for hackers to access data and devices.

Win for data security against hackers. Win for Constitutional protection against unreasonable searches. VPN Creative | The Verge

Lawmakers: 500 Million Financial Records Hacked in 2014. Need Policy Fixes.

  • December 18, 2014

Lawmakers want to know what financial institutions are doing to keep financial data secure. This applies to state and federal lawmakers.

National press focuses on federal lawmakers. So, here we go: Sen. Warren and Rep. Cummings want to know which banks have experienced cyber attacks. They claim 500 million records have been hacked from financial institutions in the last year, and they want solutions to fix it.

We all know this will first get fixed on the state level, like the 11 states that enacted data security bills in 2014.

Above the Law | Letter from Sen. Warren & Rep. Cummings


National Consumers League: California Data Security Legislation is Model Legislation

  • December 18, 2014

California’s sweeping data security legislation should serve as a model for the nation and states according to the National Consumers League (“NCL”).

NCL also commends the 10 states that have enacted data security legislation requiring businesses to implement data security protocols. The Hill | California’s Assembly Bill 1710

Sony Pictures Data Breach Leads to Lawsuits

  • December 16, 2014

Data breaches and law suits go together like PB&J- pear, brie and jambon.

Sony faces a class action lawsuit from former employees, who claim Sony had knowledge of the data security weaknesses & did nothing to correct them or protect confidential information.

The data breach leak included personal & confidential employee information, and their lawsuit is limited to the leaking of the employee information. Deadline Hollywood | Sony Employee Class Action Court Filing

This should be on every employer’s radar as well as the impending legislation to address data security that may add new burdens to businesses. 

New Data Security Rules for Financial Institutions from NY

  • December 11, 2014

New York is home to Wall Street. Naturally the New York Department of Financial Services would include new examination requirements that focus on data security. Examinations will now include:

  • Management of 3rd parties
  • Cyber Security Insurance requirements
  • Monitoring, protection, testing, and detection of cyber security systems [3 page letter from NYDFS] [WSJ]

3 Articles on Banks and Credit Unions Suing Retailers After a Data Security Breach

  • December 9, 2014

Winter 2013 brought a large data breach for Target. Various lawsuits ensued. Financial institutions sued. Individuals sued.

Target had sought to dismiss the suit brought by 5 financial institutions. The judge said, “NO,” in one of the first rulings of its kind allowing financial institutions to sue retailers for data breaches. 

Judge Magnuson also said, “imposing a duty on Target in this case will aid Minnesota’s policy of punishing companies that do not secure consumers’ credit- and debit-card information.”  [Bloomberg] [Law360] [NY Times | BitsBlog]

Health Care Data Security. HHSC Offers 3 Legislative Proposals

  • December 9, 2014

HHSC gave the House Committee on Public Health and the Senate Health and Human Services Committee a holiday gift- a report on data security.

The report lays out plans for rulemaking and legislative recommendations, including new requirements for providers: 

  • Amend the Texas Medical Records Privacy Act (the “Act”), Chapter 181, Health and Safety Code, to include reference to electronic PHI security requirements similar to those included as part of 26 required or addressable security considerations in the HIPAA security regulations 

  • Require entities not covered by HIPAA, but that are covered by the TX Medical Records Privacy Act to comply with electronic PHI security requirements.

  • Establish breach response and notification requirements. 

  • Require adequate investigation, mitigation, and corrective action following a breach of PHI and a duty to promptly notify individuals of a breach of PHI in any form, electronic, oral, or paper  [HHSC]

Driver License Phone App- Can it be Secure?

  • December 9, 2014

Iowa Department of Motor Vehicles is releasing an app that will function as your driver’s license. No more getting ticketed for not having your driver’s license with you, unless your phone battery is drained. 

State officials assure that the app and driver’s license will be secure from data security breaches. [Des Moines Register]

Data Security Legislation Predictions for Financial Institutions

  • December 4, 2014

Legislation predictions from Bankers: 

  • Banks required to appoint chief information security officers
  • Banks to undergo quarterly tests for information system vulnerabilities
  • Required review of third-party contracts and relationships
  • Standard set of protocols that banks must follow
  • Tort issues like: 
    • assign legal duties and responsibility
    • illuminate investor or shareholder disclosure obligations

[American Banker]

Student Data Privacy- Private Companies Want the Data. States Move to Protect Student Data.

  • December 3, 2014

How do policy makers balance the need for educational systems to adapt and improve while also protecting student data?

It’s a state issue. It’s a federal issue. It’s a local school district policy issue. Politico calls it an issue that “Parents, activists and a select group of lawmakers are clamoring for a fix.”

Federal, bipartisan bills are languishing. In 2014 Colorado, Oklahoma and California passed their own bills to protect student data. Industry wants to self regulate, with some online education providers signing a letter that states they will not sell student data. [Politico]

Retailer has breach. 5 Banks sue. Litigation continues to Protect Public Policy. Tort Reform on Horizon.

  • December 3, 2014

Winter 2013 brought a large data breach for Target. Various lawsuits ensued. Financial institutions sued. Individuals sued.

Target had sought to dismiss the suit brought by 5 financial institutions. The judge said no.

Judge Magnuson also said, “imposing a duty on Target in this case will aid Minnesota’s policy of punishing companies that do not secure consumers’ credit- and debit-card information.”  [Bloomberg] [Law360]


Data Security Getting More Media Attention

  • December 2, 2014

President Obama’s pick to lead the Pentagon, Ashton Carter, is a strong proponent of increasing data security. He’s been involved with the reorganization of US Cyber Command.

Expect more legislative & media attention for data security. [Washington Post]


Pawlenty: Businesses Should Be Held to A Higher Standard on Data Protection

  • November 17, 2014

Retailers support uniform notification requirements. Pawlenty, head of the Financial Services Roundtable, wants them to go a step further.

He wants businesses to meet the high standards that financial institutions have to meet.  [The Hill]

39 Lawsuits from HomeDepot Data Breach

  • November 17, 2014

Multidistrict litigation found its new bread and butter in data breach lawsuits. The Credit Union National Association determined that the Home Depot data breach cost credit unions $60 million. The $60 million hit includes the cost to reissue cards, deal with fraud and cover other costs. [Atlanta Business Journal]

FTC Data Security Enforcement Powers

  • November 13, 2014

FTC’s data security enforcement powers are rooted in FTC Act. The Third Circuit Court of Appeals is considering an appeal of a ruling that affirmed the FTC’s data security enforcement powers. The Center for Democracy and Technology supports the FTC’s enforcement powers. [CDT]

WY: Data Security Legislation

  • November 13, 2014

Protecting the personal privacy of citizens is trending. Wyoming is considering legislation that will:

  • Limit the amount of information the state can collect
  • Prohibit the sale of information to third parties [Wyoming Public Media]

40 Merchant Groups Urge Action on Data Security

  • November 10, 2014

Data Security is a concern for businesses large and small. These associations are urging fair reform that doesn’t overburden businesses, large or small: 

Alabama Grocers Association
American Hotel and Lodging Association
California Retailers Association
Conexxus
Florida Petroleum Marketers and Convenience Store Association
Food Marketing Institute
Georgia Association of Convenience Stores
Illinois Retail Merchants Association
Independent Oil Marketers Association of New England
Indiana Retail Council
Louisiana Retailers Association
Minnesota Grocers Association
Minnesota Retailers Association
National Association of Chain Drug Stores
National Association of College Stores
National Association of Convenience Stores
National Association of Truck Stop Owners
National Grocers Association
National Restaurant Association
National Retail Federation
Nebraska Retail Federation
New Hampshire Retail Association
New Jersey Food Council
New Jersey Retail Merchants Association
New York Association of Convenience Stores
North Dakota Petroleum Marketers Association
North Dakota Retail Association
Ohio Grocers Association
Pennsylvania Food Merchants Association
Pennsylvania Retailers’ Association
Petroleum Marketers Association of America
Petroleum Marketers & Convenience Stores of Iowa
PMCI Trust
Retail Association of Maine
Retailers Association of Massachusetts
Retail Solutions Providers Association
RINAlliance, Inc.
Society of Independent Gasoline Marketers of America
Utah Food Industry Association
Utah Retail Merchants Association
Vermont Retail & Grocers Association
Virginia Petroleum Convenience and Grocery Association
Washington Food Industry Association Education Foundation
West Virginia Oil Marketers and Grocers Association

[NACS] [The Hill]


Refreshing Recollection: Abbott Data Privacy Plan

  • November 10, 2014

Back in 2013, gubernatorial candidate Greg Abbott released his “We the People Plan” focusing on privacy. He’s concerned about data security, specifically:

  • The sale or resale of Texans’ data by state agencies
  • Extending the prohibitions against re-identification of de-identified data to non-medical data [Greg Abbott’s We the People Plan]

Cost to Financial Institutions for Data Breaches

  • November 9, 2014

Data breaches don’t only affect retail establishments and customers; banks and credit unions are also affected. Each data breach requires new credit and debit cards to be printed and mailed, and fraudulent charges to be covered. This comes at a hefty cost to financial institutions.

The “Credit Union National Association says September’s data security breach at Home Depot cost its members nearly $60 million to reissue cards and cover fraudulent charges.” That’s double the estimate to cover the Target data breach. [Washington Business Journal]

Data Security Litigation: Tort Reform

  • November 9, 2014

The 2014 Home Depot data breach litigation has raised the very tort issues that data breach legislation addresses- venue and consolidation. Whenever there are a lot of injured parties spread out throughout a state or country, these issues arise.

Data security breaches are the new pharmaceutical class action. [National Law Review]

State Student Data Protection Laws and Regulations in 2014

  • November 7, 2014

36 states considered 110 bills related to student data protection and privacy in 2014. The usual and obvious bills to ban collecting and/or storing student data were filed. More nuanced bills were also filed, such as those which granted State Boards of Education privacy powers to protect student data.

Need some pictures to show what was considered throughout the country? Check out the Data Quality Campaign. [Data Quality Campaign]

Data Security Quagmire: Public School Student Data

  • November 7, 2014

Schools have been tracking students to make them safer and more efficient. The more data that is collected, the more information there is that can be fruitful to nefarious hackers.

This year Florida became the first state to ban the collection of biometric identifiers from students. In 2014, 36 states considered 110 bills on protecting the data security of students.

What type of student data protections are we seeing?

  • FL bans collecting student biometric identifiers
  • KS requires parental consent for collection of biometric identifiers from students
  • NH, CO, & NC ban the collection and retention of student biometric identifiers
  • NH & MO said no to radio frequency student identification cards [Pew Trusts]

California Expanded New Data Security Law: Credit Monitoring Required?

  • November 6, 2014

The phrase “if any” is giving lawyers fodder with California’s new data security law. The issue is whether “if any” means credit monitoring must be offered or may be offered.

As always, drafting matters. Read carefully. Consider prepositions, conjunctions, and the placement of commas. It matters. [National Law Review]

Texas Lost its Data Information Officer, So Did 3 Other States

  • November 6, 2014

There’s a national talent deficit in cybersecurity personnel. It’s also hard to hire the necessary talent when the talent can fiscally fare far better in the private sector. [The Fiscal Times]

Data Security Regulation Raises Investor Confidence

  • November 6, 2014

Strong economies rely on investor confidence. According to a poll by the Center for Audit Quality, increased data security regulation leads to improved investor confidence.

Investor confidence in the U.S. economy stands at 70%.  [Journal of Accountancy]

Houston ICE Office License Plate Database Access Violates ICE Policy

  • October 30, 2014

Early this year privacy advocates had a win when ICE retracted its planned policy to allow access to a national law enforcement license-plate tracking system.

Local ICE offices didn’t like this. So, they started buying access to a private company’s vehicle registration database. The Houston ICE office is noted as buying the private company’s vehicle database.

Ongoing criminal investigations, where constitutional protections apply, are one thing, but open access to a private company’s vehicle registration database is concerning to privacy rights advocates and civil libertarians. [Washington Post]

NJ Data Security Bill Cruising Along. Cost of Business Going Up.

  • October 30, 2014

A New Jersey data security bill is called best practices for businesses and government, but also increases the costs of government and of doing business.

The bill would require notification for more data breaches. Like most states, New Jersey required notification only for traditional identity fraud issues- like when a name and social security number are released.

The new legislation requires disclosure of a breach if usernames and email addresses, in combination with a password or security question-and-answer, are released or captured. [Philadelphia Business Journal]


Anonymized Ride Share Data, where does it go?

  • October 30, 2014

Washington Post points out that local regulations on ride share continuously forego obtaining access to anonymized ride share data. It’s the same data local governments collect from taxicab drivers.

The data serves two purposes.

(1) It strengthens transportation systems and gives tools to transportation planners, and

(2) It provides an understanding of how many jobs ride share is creating. [Washington Post]

State Data Breach Reporting- Example California

  • October 30, 2014

Lots of noble bills become studies and reports when the opposition is vocal. In recent years, the Attorney General of California has released data breach reports.

In 2013, there were 167 breaches reported to the California Attorney General, exposing data of 18.5 Million Californians.

The California Attorney General also makes the following recommendations:  

For the health care industry:

– Use strong encryption to protect medical information on laptops and on other portable devices, and consider encryption for desktop computers.

For the Legislature:

– Consider legislation to amend the breach notice law in order to strengthen the substitute notice procedure; clarify the roles and responsibilities of data owners and data maintainers; and require a final breach report to the Attorney General.
– Consider legislation to provide funding to support system upgrades for small California retailers.

Data Breach Legislation History from California:
“In 2003, California was the first state to pass a law (AB 700, Simitian) mandating data breach notifications. This law requires businesses and state agencies to notify Californians when their personal information is compromised in a security breach.

In 2012, companies and state agencies subject to the law were also required, for the first time, to report any breach that involved more than 500 Californians to the Attorney General’s Office. (SB 24, Simitian).” [Lake County News]

AZ Pension Participants Data Breach

  • October 30, 2014

Does this sound familiar? A state entity sends unencrypted names and social security numbers? Yes, much like the Texas Comptroller incident, a pension system in Arizona sent unencrypted files by regular mail to a third party provider.

The third party provider never received the unencrypted disks. Now, the state is spending $300,000 to provide identity protection for the affected retirees. [News 4 Tucson]

Imposing Fines on Businesses that Fail to Notify Consumers of Data Breaches

  • October 29, 2014

Canada is considering imposing $100,000 fines on businesses that fail to notify customers of data breaches. Currently Canada utilizes a regional patchwork of data security legislation; a national fine for businesses would be a first for Canada. [Info Security Magazine]


Refreshing Recollection: The FCC can and does impose fines on businesses, like it did on two telecom companies late last week. 

Does data security legislation make consumers complacent to protect their own data?

  • October 29, 2014

RollCall argues that the downside of heightened data security legislation is that it makes consumers complacent. Consumers aren’t encouraged or empowered to protect their own personal data. Are more regulations on business the answer to data security? [Roll Call]

NJ Data Security Bill Advancing

  • October 27, 2014

The New Jersey Legislature is moving a bill that would place new burdens on business and government in the Garden State.

Businesses & government would be required to maintain databases that allow quick contact with customers/clients/citizens in case of a data breach.

The bill also expands the type of breaches that have to be disclosed to include usernames and passwords. [NJ A3146] 

AL Bill: Require Companies to Notify Customers of Data Breaches

  • October 27, 2014

Florida passed a data security bill earlier this year. A Republican in a neighboring state, Alabama, is filing legislation to require companies and financial institutions to disclose to customers when their personal information is exposed.

The Alabama Governor also initiated a push to upgrade all state software to better protect personal privacy. [Decatur Daily]

Democratic Party Mailer Includes Social Security Number of Republican Candidate

  • October 27, 2014

A contentious state house race in Kentucky has reached new dramatic heights when the Democratic Party sent out the arrest record of the Republican candidate, including his Social Security Number. A botched recovery for breaching data privacy by the Democratic Party isn’t helping this situation. The Republican called on the state Attorney General to investigate. 

This campaign oops moment has led to more talk of better data security laws. [Good Morning America]

Tech Company Political Giving To Support Data Privacy Legislation

  • October 27, 2014

Tech companies have been contributing exponentially more to campaigns and causes that are not favored by the perceived liberal core of Silicon Valley.

Some argue the tech company liberal core isn’t liberal but rather libertarian. Just look to the hearty response Rand Paul received recently in Silicon Valley.  

Tech companies want changes to data privacy laws. Tech companies generally support increased protection for your data privacy, and they are putting their money where their mouths are. [Politico]

Privacy Commissioner: Legislatively Established, Legislatively Revoked

  • October 27, 2014

Personal data protection is a concern worldwide. Australia created a Privacy Commissioner to monitor the protection of personal data privacy. Some argue that the Privacy Commissioner’s enforcement powers exclude state and local governments and thus the office isn’t effective. A legislative proposal seeks to revoke the Privacy Commissioner. [The Guardian]

FCC Levies $10M Fine Against Telecoms

  • October 25, 2014

FCC wades into data security enforcement by fining two telecom companies $10M for failing to properly secure their customer data. Does the PUC have this power? [WSJ]

Data Security Experts: Longterm Political & Legislative Reform

  • October 24, 2014

Data breaches. There’s a new one every week. Cybersecurity experts say the only way to address the issue is long term legislative and political reform. Bruce Schneier, a fellow at the Berkman Center for Internet & Society at Harvard, says there should be more regulation on business to secure our personal information. What do those regulations look like?

  • Causes of Action for consumers against the business.
  • Government imposed penalties against businesses. 
  • Timely and comprehensive disclosures of breaches by businesses.

That’s a lot of business regulation. [Sacramento Business Journal]

Data Breach: Staples

  • October 22, 2014

News reports allege that Staples had a data breach. There’s a long list of retailers that have endured a data breach. 

Forbes discusses the role personal responsibility has in data breach corrections. Legislating personal responsibility is challenging. The modus operandi of the Legislature is putting into place new regulations on retailers and banks and/or creating new civil or criminal penalties. [Forbes]