Category Archives: Security Programs & Policies

Check Your Technology at the Door

Recent news of government monitoring of phone calls and emails, both within the U.S. and abroad, has caused some to reexamine their technological companions.  Many are beginning to ask, when highly confidential and sensitive information is being discussed, should our seemingly indispensable technology be checked at the door? This month, the British government began banning the presence of iPads at certain Cabinet meetings over […]

A Few Thoughts from Deputy Undersecretary for Cybersecurity, Mark Weatherford, Department of Homeland Security

On May 16, Deputy Undersecretary for Cybersecurity, Mark Weatherford, spoke to the Advanced Cyber Security Center about DHS’s cyber security priorities: Information Sharing, R&D, and the Advanced Persistent Threat. On Information Sharing:  This is a continuing challenge, in part because of the way the federal government shares information.  At present, the federal government provides cyber […]

Good Advice that Bears Repeating: Toughen Up Your Passwords!

In an article that repeats a common theme in this space, this week’s Economist talks about how researchers are trying to help ordinary people toughen up their passwords.  But despite the efforts of these researchers, the article’s conclusion is a gloomy one: The upshot is that there is probably no right answer. All security is […]

Facebook Settles FTC Charges that It Deceived Consumers, Agrees to 20 Year Consent Order

In a settlement announced today by the Federal Trade Commission and Facebook, the social networking service agreed to settle “charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public,” according to the FTC’s press release. In its complaint, the FTC […]

New England-Israel Data Storage & Security Summit-November 14, 2011

Ensuring strong and efficient data storage and secured systems is the foundation of any successful business in today’s global business environment; the continued migration to cloud computing only amplifies this need.  New England and Israel are global leaders in innovation and entrepreneurship and major players in the global software/IT industry, with the innovations of its […]

Upcoming Seminar: “He Posted What? Dealing with Social Media in the Modern Workplace”

Please join Foley Hoag’s Labor and Employment attorneys on November 15 from 8:30 a.m. to 10:00 a.m. for a discussion of new challenges that employers face with social media. Topics to be reviewed include: Employer monitoring of employee activities on social media sites such as Facebook, Twitter and LinkedIn; Whether employers can discipline employees for […]

Advanced Cyber Security Center Launched

As noted in MassHighTech, the Advanced Cyber Security Center was officially launched on September 20.  The program was opened by Massachusetts Governor Deval Patrick and featured a presentation from Attorney General Martha Coakley.  As described by MassHighTech: Touted as a first of its kind collaborative effort that brings together stakeholders in cyber security from the […]

More Consumer Data Security and Privacy Legislation Introduced

The latest legislator to enter into the federal data security and privacy sweepstakes is Senator Richard Blumenthal (D-CT) who introduced legislation, S. 1535, on September 8.  This bill, if passed, would require companies dealing with consumers to strengthen their data security and privacy policies.  In particular, Senator Blumenthal’s bill, “The Personal Data Protection and Breach Accountability Act,” would required businesses […]

What Can My Company Do To Fight Cybercrime Collaboratively?

Wondering what your company might be able to do at the local level to help fight cybercrime? There are a growing number of public-private collaborations that are trying to get ahead of the bad guys. One is the Advanced Cyber Security Center (to which Foley Hoag serves as legal counsel).  The ACSC is a collaborative, cross-sector research facility […]

“Pressure Point: Online Privacy — Privacy is Potentially a Costly Workplace Issue”

In the April 22, 2011 Boston Business Journal article, entitled, "Pressure Point: Online Privacy – Privacy is Potentially a Costly Workplace Issue," I was interviewed regarding some of the recent developments in privacy and security law for employers:  “Most of the time, data breaches don’t come down to a failure of technology or inadequate technology. […]

Information Security In the Age of WikiLeaks

InformationWeek has published an interesting Analytics Brief on "Information Security in the Age of WikiLeaks."  (Subscription required.)  The brief discusses the following subjects: Could a Major Security Breach Be on the Horizon? The Smartphone Dilemma What Elements Are Currently Covered in Your Organization’s Security Awareness Program? Security Budgets Fare Well Implementing Risk Management Disciplines Do […]

FTC Publishes Copier Data Security Guide

As we noted back in May, digital copiers have caught the eye of government privacy enforcers.  If you have a digital copier at your business, you should review the FTC’s Copier Data Security: A Guide for Businesses.  In that Guide, the FTC suggests that “your information security plans .  . . should cover the digital copiers your company […]

DHS Updates Its “Handbook for Safeguarding Sensitive PII”

The Department of Homeland Security has released its latest update to its internal guide to handling personally identifiable information.  The "Handbook for Safeguarding Sensitive PII at DHS" has been around since 2008; even if you do not have direct dealings with DHS, it provides a useful point of comparison for your own policies and procedures. 

Some Tips for Protecting Your Data when Dealing with Vendors

I recently attended the 10th Annual Legal and Compliance Forum on Privacy & Security of Consumer and Employee Information in Washington, DC. It featured a particularly lively panel on “Oversight of Third-Parties and Vendors: Managing and Controlling Relationships Through Effective Due Diligence and Contract Negotiation.” Below are some  key points the panelists discussed; some may seem obvious, […]

Website Privacy Policies – an extensive primer…..

This is a cross-posting of an interesting November 29 entry in Foley Hoag’s Emerging Enterprise Center blog, by Patrick Connolly and Prithvi Tanwar: If your start-up’s website will collect user information…. and chances are it will, you need to start thinking about your website privacy policy. I have often spoken with founders who think that the website […]

Is the Rejection of Security Advice by Users Really Rational? A Response to Cormac Herley

In the April 11, 2010, Boston Globe, there is an extended discussion of an article by Cormac Herley of Microsoft entitled, "So Long, And No Thanks for the Externalities:  The Rational Rejection of Security Advice by Users."  In his paper, Mr. Herley argues thoughtfully that compliance with even simple security measures, like changing your passwords, […]

Facebook Changes User Privacy Controls

Last month, Facebook announced plans to simplify its users’ ability to control privacy settings. Facebook will standardize privacy settings, remove overlapping settings, and put all settings on the same page. In an effort to give users more control over how their information is shared, Facebook will allow users to decide, on a post-by-post basis, with whom to share […]

Bozeman, Montana Suspends Controversial Requirement That Job Applicants Provide Usernames and Passwords to Facebook Accounts

When, in June, the City of Bozeman, Montana sought to change its job application to require municipal job seekers to disclose usernames and passwords for popular social networking sites, it immediately drew widespread criticism.  Specifically, Bozeman asked applicants to "Please list any and all, current personal or business websites, web pages or memberships on any […]

EFF launches Terms of Service Tracker

On June 4, 2009, the Electronic Frontier Foundation (EFF) launched TOSBack – a site that tracks changes in the terms of service for major websites such as Facebook, Google, Apple, and eBay. If you’re wondering why anyone would be interested in such a thing, you may want to revisit the controversy that accompanied the revisions to the Facebook […]

FTC and Other Agencies Issue Frequently Asked Questions (With Answers) on Red Flags Rules

On June 11, 2009, six federal agencies issued answers to a set of frequently asked questions (FAQ) (.pdf) to “assist financial institutions, creditors, users of consumer reports and card issuers in complying with the final rulemaking” on identity theft.  The agencies behind the FAQ are those that originally promulgated the Red Flags Rules (and issued Guidelines to […]

FTC Releases “Template” Identity Theft Prevention Program for Red Flags Rules Compliance

On Wednesday, May 13, 2009, the FTC released a "template" identity theft prevention program (.pdf) to guide businesses subject to a "low risk" of identity theft through the process of complying with federal Red Flags Rules.  The FTC template was first announced on May 1, 2009 when the agency postponed enforcement of the general purpose Red Flags Rules until August […]

Last Minute Reprieve: FTC Postpones Deadline for Red Flags Compliance Until August 1, 2009 – Will Release “Template” For Compliant Identity Theft Prevention Program

On Thursday, April 30, 2009, the day before federal Red Flags Rules were set to go into effect for a wide range of businesses, the FTC published a notice on its website indicating that it is postponing the deadline (yet again) until August 1, 2009. Importantly, this delay appears to be imposed so that the FTC can provide businesses, many of which are confused about how to comply, a “template” identity theft prevention program. “For entities that have a low risk of identity theft, such as businesses that know their customers personally, the Commission will soon release a template to help them comply with the law.” The FTC indicates that it will make the template available through their website.

OPSEC, Data Security and A-Rod

The saga of Yankee superstar Alex Rodriguez (“A-Rod”) and the revelation of his past steroid use already exemplifies the far-reaching implications of information security practices. But the story is far from over. While the media firestorm over A-Rod appears to be dying down, the fate of the identities of 103 other Major League Baseball players who tested […]

The FTC Strikes Back: (Essentially) Everyone Should Be Complying With Red Flags Rules, Especially The Healthcare Industry

In a recent letter (.pdf) to the healthcare industry, the Federal Trade Commission (“FTC”) has issued its clearest pronouncement yet on which entities must comply with federal “Red Flag Rules” — the identity theft regulations that will go into effect for many businesses on May 1, 2009 (and have been in effect for banks and financial institutions since November 1, 2008). This latest guidance strongly suggests that if you are wondering whether the new federal regulations apply to you — then they probably do. In this post, we will recap the FTC’s recent guidance on who should be complying with the Rules.

Has the Consumer Privacy Legislative Forum Decided to Abandon Efforts to Draft Federal Privacy Legislation?

In early February, I noted that a group called the Consumer Privacy Legislative Forum (“CPLF”), which includes companies such as eBay, Microsoft, Google and Hewlett Packard, had released a statement calling for comprehensive harmonized federal privacy legislation and would be outlining recommendations for such legislation this month. Apparently, the CPLF’s focus has shifted. According to a BNA […]

Lessons Learned from Facebook’s Terms of Service

By Gabriel M. Helmer and Aaron Wright When Facebook changed its official terms of service earlier this month, what ensued was an explosive public outcry over who owns what users post to social networking sites. Tens of thousands of Facebook’s 175+ million users suddenly clicked that often-overlooked link at the bottom of the webpage and poured over the arcane and legalistic language comprising […]

Economy Delivers A Perfect Storm In Information Security: Data Crimes Rising As Economy Stumbles

According to a recently-released report from McAfee, the downturn in the economy is creating a “perfect information security risk storm.” The report, entitled “Unsecured Economies: Protecting Vital Information,” can be found here [Note: MacAfee requires registration to downloade the report]. McAfee bases its findings on a worldwide survey of 1,000 IT decision makers. The McAfee Report makes […]

FTC Issues Guidance to Businesses on How To Handle Social Security Numbers

Anyone mystified by what practices the FTC wants businesses to improve on or abandon in response to federal “Red Flags” regulations received some specific guidance in December, when the FTC released the report Security in Numbers – SSNs and ID Theft. For anyone subject to new federal and state identity theft regulations, the Report helps identify some specific steps they should consider implementing by May 1, 2009, the deadline for businesses to adopt compliant identity theft prevention programs.

ALERT: Massachusetts Gives Businesses Until May 1, 2009 to Adopt Comprehensive Information Security Programs To Comply With Recent State Identity Theft Regulations

On Friday, November 14, 2008, Massachusetts regulators announced that they will give affected businesses until May 1, 2009 to comply with new identity theft regulations. This move parallels the October announcement by the Federal Trade Commission that it is delaying enforcement of federal identity theft regulations until the same day.

ALERT: FTC Gives Businesses Until May 1, 2009 to Adopt Identity Theft Prevention Plans that Comply With Recent FTC “Red Flags” Regulations

On Wednesday, October 22, 2008, the Federal Trade Commission issued an Enforcement Policy Statement that it will delay some elements of enforcement of recent “Red Flags” regulations until May 1, 2009, instead of the original November 1, 2008 date. Citing uncertainty and confusion within many industries over whether they are covered by the new regulations, the FTC indicated that it will not seek to enforce the regulations on November 1, 2008, when all affected businesses were originally required to come into compliance.