One More New Year’s Resolution: Change Your Passwords Before Groundhog Day

The SplashData list of worst passwords of 2014 was just published, and it looks very similar to the list in 2013, 2012, 2011, etc.:

Rank  Password    Change from 2013
1     123456      No Change
2     password    No Change
3     12345       Up 17
4     12345678    Down 1
5     qwerty      Down 1
6     123456789   No Change
7     1234        Up 9
8     baseball    New
9     dragon      New
10    football    New
11    1234567     Down 4
12    monkey      Up 5
13    letmein     Up 1
14    abc123      Down 9
15    111111      Down 8
16    mustang     New
17    access      New
18    shadow      Unchanged
19    master      New
20    …

The Outlook for 2015

Data privacy and security have never been more top of mind for business than they are right now. As I noted in this article in Law360:

“The outlook in 2015 is that we’ll have more breaches, but I think we’ll also continue to have more conversations as people get used to breaches as a way of life about what we expect to be kept private, and how we want to confront that…. Because the attacks are becoming increasingly difficult to prevent, how fast a company is able to respond and shut down an attack is key, because that means…

Medical Billing Provider and its Former CEO Settle FTC Charges That They Misled Consumers About Collection of Personal Health Data

In an age when many of us briskly scroll through website terms and conditions and check “I agree” without thinking, how should businesses design their websites to obtain proper authorization to access users’ sensitive information? A pair of recent FTC complaints against PaymentsMD, a medical billing services provider, and its former CEO, and the resulting settlement, provide some important guidance, at least with regard to health information practices. In that settlement, the Atlanta-based health billing company and its former CEO settled charges that they misled thousands of consumers who signed up for…

NLRB Disregards Security Concerns in Ruling That Employees Have a Right to Use Employers’ Email Systems for Non-Business Purposes

Our colleagues have analyzed a significant NLRB decision in Purple Communications Inc. holding that, in most circumstances, employees have a right to use employer email systems for non-business purposes during non-working time. This decision reversed the NLRB’s 2007 decision in Register Guard, in which it found that employers could limit employee use of email systems to “business purposes only” and that employers could “specifically prohibit” certain email system uses by employees:

In reaching this conclusion, the Board adopted a presumption that employees who have been given access to an employer’s email system are entitled to use that system to…

Five Tips to Help Companies Protect Themselves from Data Breaches

With every swipe of a credit card this holiday season, consumers put their faith in the companies that process and store their information. Yet it is no secret that data breaches are on the rise, hitting companies large and small. Massive data breaches recently struck Target and Home Depot, to name just a few, and these two breaches alone affected hundreds of millions of consumers and cost the companies hundreds of millions of dollars. Sony Pictures is still reeling from a data breach this month that…

Both Sides Now: Cloud Security and Privacy Enter the Modern Era with ISO 27018

I’ve looked at clouds from both sides now
From up and down, and still somehow
It’s cloud illusions I recall
I really don’t know clouds at all

Joni Mitchell, “Both Sides Now”

Until recently, many cloud users felt like Joni Mitchell in her classic song, “Both Sides Now.” No matter how you looked at clouds, you never really understood them, how they worked, or what happened inside them. Cloud storage and data processing were often (and with some justification) viewed as something of a digital Wild West, with few rules or standards for data protection, not much transparency…

CloudLock Webinar, “Moving to the Public Cloud: Whirlpool Case Study.”

Our client, CloudLock, recently hosted an interesting webinar, “Moving to the Public Cloud: Whirlpool Case Study.” The webinar features John Bingham, CISO at Whirlpool Corporation, who shared Whirlpool’s story of moving into the public cloud and how their security team found the support for the company’s core business goals.

Ready or Not, Here They Come: Preparing For Phase 2 HIPAA Compliance Audits

Our friends at Co3Systems and IOD recently produced a webinar, “Ready or Not, Here They Come: Preparing For Phase 2 HIPAA Compliance Audits” that provides a succinct overview of what is coming down the pike for HIPAA covered entities.

You can access the slides from the presentation here and view the webinar recording here.

FDA Flunks Data Security Exam

Last week, the HHS Office of Inspector General released a damning report on FDA’s data security: “The objective of this review was to determine whether the FDA’s network and external Web applications were vulnerable to compromise through cyber attacks.” In short, they were vulnerable:

Overall, FDA needed to address cyber vulnerabilities on its computer network. Although we did not obtain unauthorized access to the FDA network, we identified the following issues:

Web page input validation was inadequate, external systems did not enforce account lockout procedures, security assessments were not…

The FTC Wants to Regulate the Internet of Things, Including Your Car

The FTC recently filed a comment on the National Highway Traffic Safety Administration’s advance notice of proposed rulemaking related to vehicle-to-vehicle communications. The comment left no doubt that the FTC wants to regulate the Internet and everything connected to it.

Nonetheless, the FTC’s specific comments about vehicle security were noteworthy:

First, participants expressed concern about the ability of connected car technology to track consumers’ precise geolocation over time. Such information may divulge personal details about an individual. Did Consumer A visit an AIDS clinic last Tuesday? What place of worship does he attend? Was he at a psychiatrist’s office…