Cybersecurity News and Notes: June 27, 2016

In Case You Missed It

The FTC settled with mobile advertising company InMobi for $950,000 in civil penalties, along with the implementation of a privacy program, based on the FTC’s charges that InMobi impermissibly tracked the locations of both adult and child consumers for the purpose of geo-targeted advertising. The latter, of course, also implicated allegations of violations of the Children’s Online Privacy Protection Act (COPPA) rule. The FTC alleged in particular that, when installing an application to which InMobi’s advertising was attached, even if a user declined to share location information with the application, InMobi’s software would…

DHS Issues New Rules Governing Sharing of Cyberthreat Data

Last week, the Department of Homeland Security (“DHS”) released its Final Rules for private-sector information-sharing under the Cybersecurity Information Sharing Act of 2015 (“CISA”). CISA permits private companies to share cyber threat information with the U.S. government and shields those companies from liability for doing so. The new CISA Rules outline exactly how this information-sharing will work, namely: how information is submitted; what information gets submitted; and what happens to the information after submission.

HOW IS INFORMATION SUBMITTED?

The preferred method for submitting cyber-threat data to DHS is through “TAXII”, short for “Trusted Automated Exchange of Indicator Information.” TAXII…

New Data Protection Obligations In Europe: Data Protection Officers and Impact Assessment under the New General Data Protection Regulation (GDPR)

The full text of the General Data Protection Regulation (GDPR) was published in the Official Journal of the European Union on 4 May 2016. Although the GDPR will not apply until 25 May 2018, it is worth studying now, given the major changes it makes to the rules of the 1995 Data Protection Directive (95/46/EC).

Application of the GDPR

The GDPR applies to the processing of personal data by companies having an “establishment” in the European Union, regardless of whether the processing takes place in the EU or not. It also applies to companies not established in the EU, where the processing activities are related…

Cybersecurity News & Notes – June 20, 2016

In Case You Missed It: Illinois strengthened its data privacy and security law, with the amendments going into effect in January 2017. The amendments include expanding the definition of “personal information” to include a username or email address of an Illinois resident in conjunction with a password or security question answer that would permit access to an online account. The definition is also expanded to include medical and health insurance information. However, if a company already complies with the data security elements of HIPAA and HITECH, then it will be deemed to comply with the Illinois law. Illinois’ amendments…

Ransomware Update: The FBI Weighs In

The FBI recently released an article discussing the spate of ransomware attacks on a variety of different entities, including hospitals. In the article, the FBI warned that ransomware attacks and the cybercriminals carrying them out are growing increasingly sophisticated. The FBI opposes paying a ransom when hit by a ransomware attack, saying that doing so incentivizes more ransomware attacks, can inadvertently fund other illegal activity, and does not always result in the restoration of access. The FBI recommends that entities focus on prevention efforts like employee training, patching operating systems and software, and restricting access to files, directories, and/or…

OCR Releases Video Guidance on Provision of Medical Records

The summer movie season is now officially in full swing, with the release of three informational videos regarding HIPAA and the right of individuals to access their medical records, published by the Office for Civil Rights (OCR) of the Department of Health and Human Services.

The video trilogy, and accompanying infographic, are the eagerly-awaited sequel to OCR’s guidance “Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524,” issued earlier this year. That guidance is essential reading for companies operating in the medical records space, as it sets forth OCR’s views on such topics…

EU-US Data Transfers: An update on actions taken by European DPAs

After the European Court of Justice invalidated Safe Harbor on October 6, 2015, the Article 29 Working Party announced in an October 16, 2015 statement that US companies that were Safe Harbor certified had until the end of January 2016 to find alternative means to transfer data to the US and, if they failed to do so, EU Data Protection Authorities would pursue enforcement measures. DPAs in France, Germany, and Ireland have all addressed these issues, but in different ways.

France

The chair of the Article 29 Working Party, Isabelle Falque-Pierrotin, also heads the French DPA (the CNIL),…

Cybersecurity News & Notes – June 13, 2016: A Brief Digest of Cybersecurity News You Can Use

In Case You Missed It: The SEC fined Morgan Stanley $1 million for a 2014 data breach. While the FTC had declined to pursue an enforcement action, blaming the breach on technical issues rather than any actions or omissions on the part of Morgan Stanley, the SEC reached a different conclusion. The SEC faulted Morgan Stanley for, among other things, failing to have adequate and up-to-date cybersecurity policies and for failing to correct gaps and flaws in its security systems. This fine is a reminder of two important things: first, that the SEC is going to be an increasingly active player…

Cybersecurity News and Notes – June 6, 2016

In Case You Missed It: US and EU officials signed on to the so-called “Privacy Umbrella” deal last week. The agreement is designed to protect the personal data of EU citizens when it is transferred to the US for law enforcement purposes, a sort of criminal-justice counterpart to the sturdier-sounding Privacy Shield we discussed here last Thursday. And, like the Shield, the Umbrella has drawn its share of critics, who claim that it “effectively undoes” much of the EU’s data protection.

News of Note: Zuckerberg Hacked. Demonstrating that no one is immune from a cybersecurity attack, Facebook founder…

Update on EU-US Transfer of Data and the Proposed Privacy Shield

On 29 February 2016, the European Commission released its draft adequacy decision on the proposed Privacy Shield, which is intended to replace the invalidated EU-US Safe Harbor. While Microsoft stated on 11 April 2016 that it had “pledged to sign up for the Privacy Shield,” the European authorities have so far been much more skeptical.

Article 29 Working Party

On 13 April 2016, the Article 29 Working Party issued an opinion indicating that it had strong concerns with the draft and asked the Commission…