In an age when many of us briskly scroll through website terms and conditions and check “I agree” without thinking, how should businesses design their websites to obtain proper authorization to access users’ sensitive information? The recent settlement of a pair of FTC complaints against PaymentsMD, a medical billing services provider, and its former CEO provides some important guidance, at least with regard to health information practices. In that settlement, the Atlanta-based health billing company and its former CEO settled charges that they misled thousands of consumers who signed up for…
Our colleagues have analyzed a significant NLRB decision, Purple Communications Inc., holding that, in most circumstances, employees have a right to use employer email systems for non-business purposes during non-working time. The decision reversed the NLRB’s 2007 ruling in Register Guard, which had found that employers could limit employee use of email systems to “business purposes only” and could “specifically prohibit” certain email system uses by employees:
In reaching this conclusion, the Board adopted a presumption that employees who have been given access to an employer’s email system are entitled to use that system to…
With every swipe of a credit card this holiday season, consumers put their faith in the companies that process and store their information. Yet it is no secret that data breaches are on the rise, hitting companies large and small. Massive breaches recently struck Target and Home Depot, to name just a few, and those two breaches alone affected hundreds of millions of consumers and cost the companies hundreds of millions of dollars. Sony Pictures is still reeling from a data breach this month that…
I’ve looked at clouds from both sides now
From up and down, and still somehow
It’s cloud illusions I recall
I really don’t know clouds at all
Until recently, many cloud users felt like Joni Mitchell in her classic song, “Both Sides Now.” No matter how you looked at clouds, you never really understood them, how they worked, or what happened inside them. Cloud storage and data processing were often (and with some justification) viewed as something of a digital Wild West, with few rules or standards for data protection, not much transparency…
Our client, CloudLock, recently hosted an interesting webinar, “Moving to the Public Cloud: Whirlpool Case Study.” The webinar features John Bingham, CISO at Whirlpool Corporation, who shared the story of Whirlpool’s move into the public cloud and how its security team supported the company’s core business goals along the way.
Our friends at Co3Systems and IOD recently produced a webinar, “Ready or Not, Here They Come: Preparing For Phase 2 HIPAA Compliance Audits” that provides a succinct overview of what is coming down the pike for HIPAA covered entities.
Last week, the HHS Office of Inspector General released a damning report on FDA’s data security: “The objective of this review was to determine whether the FDA’s network and external Web applications were vulnerable to compromise through cyber attacks.” In short, they were vulnerable:
Overall, FDA needed to address cyber vulnerabilities on its computer network. Although we did not obtain unauthorized access to the FDA network, we identified the following issues:
Web page input validation was inadequate, external systems did not enforce account lockout procedures, security assessments were not…
The FTC recently filed a comment on the National Highway Traffic Safety Administration’s advance notice of proposed rulemaking related to vehicle-to-vehicle communications. The comment left no doubt that the FTC wants to regulate the Internet and everything connected to it.
Nonetheless, the FTC’s specific comments about vehicle security were noteworthy:
First, participants expressed concern about the ability of connected car technology to track consumers’ precise geolocation over time. Such information may divulge personal details about an individual. Did Consumer A visit an AIDS clinic last Tuesday? What place of worship does he attend? Was he at a psychiatrist’s office…
If you were not able to join us for our October 17 program with Kroll, Data Breach Prevention and Response: Avoiding Potential Pitfalls and Implementing Best Practices to Protect Your Company, we are happy to provide you with an electronic copy of the presentation materials.
In a first for the agency, the FCC announced on October 24 that it intends to fine two telecom companies $10 million for data security violations:
The FCC intends to fine TerraCom, Inc. and YourTel America, Inc. $10 million for several violations of laws protecting the privacy of phone customers’ personal information. According to an investigation by the Enforcement Bureau, TerraCom and YourTel apparently stored Social Security numbers, names, addresses, driver’s licenses, and other sensitive information belonging to their customers on unprotected Internet servers that anyone in the world could access. The information was gathered to demonstrate eligibility for the Lifeline program, which is…