Category Archives: Security Programs & Policies

Every October, in recognition of National Cybersecurity Awareness Month, the federal government and its partners work to educate stakeholders on cybersecurity awareness and how best to protect the privacy and security of confidential data. Within the health care industry, the HIPAA Security Rule applies to covered entities and their business associates (“regulated entities”) and electronic protected health information (ePHI).  Because ePHI identifies individuals and includes information relating to an individual’s health,… More

The Federal Trade Commission has finalized amendments to the Standards for Safeguarding Customer Information (“Safeguards Rule”), specific to defined financial institutions, designed to strengthen security for consumer financial information following a recent uptick in data breaches.

The amendments contain four main modifications to the existing Rule that outline additional protections financial institutions must implement when handling sensitive consumer data.

• First, the amendments provide financial institutions with additional guidance regarding developing and implementing an information security program,…

More

On July 28, 2021, President Biden issued a Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems.  The Memo recognizes that the protection of the nation’s critical infrastructure lies not only with government, i.e., at the federal, state, local, tribal, and territorial levels, but with critical infrastructure owners and operators.  In addition, the Memo states that cybersecurity threats to critical infrastructure, and the systems that control and operate it,… More

By now, you have heard about the SolarWinds Orion hack. But what do you need to know about it?

First, if you want or need the technical details, the Cybersecurity and Infrastructure Security Agency (CISA) has them. In particular, on December 13, 2020, CISA released Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise, ordering federal civilian executive branch departments and agencies to disconnect affected devices.… More

What do businesses need to do to comply with privacy and data security laws?  The first place to look is to relevant statutes.  If you store or process the personal information of Massachusetts residents, then you will at least be subject to the Massachusetts Data Breach Notification Statute and related security regulations.  These are important guides that require certain operational activities, such as maintaining a written information security program,… More

If you are among the many people turning to video-teleconferencing (VTC) to stay connected during the COVID-19 pandemic, you need to protect yourself from “Zoom-bombing” – the entrance of uninvited individuals into your VTC.  The FBI has received multiple reports of conferences being disrupted by offensive images and/or threatening language.

The FBI recommends the following steps to mitigate VTC hijacking threats:

• Do not make meetings or classrooms public:
  • In Zoom,…

More

Companies that have already done the work to become GDPR-compliant are a step ahead, but all companies that collect California users’ personal information or just do business in California should check to see whether they are obligated to comply with the CCPA. Foley Hoag’s Privacy & Data Security practice group has more than a decade of experience and deep knowledge in domestic and international privacy law. Our CCPA team, with lawyers admitted to practice in California,… More

The Boston Bar Journal has published an article of mine on written information security policies, or WISPs, which are required in certain jurisdictions (such as Massachusetts) and are becoming increasingly important privacy and security tools for companies.  You can read the article here. More

A recent report from the Mass Digital Health Council includes a cybersecurity toolkit created by MDHC’s Cybersecurity Group of Experts (CGE). The toolkit will enable faster clinical adoption of new digital health products, software and solutions by enhancing access to security needs and requirements and will address:

• Cybersecurity needs for digital health companies
• Medical device and software solutions
• Best practices
• Available state and national resources and tools

This toolkit should enable healthcare organizations to share experiences and guidance with each other,… More

Shifting how businesses think about privacy.

Let’s stop thinking about privacy policies alone, and let’s start thinking about data governance plans.

For the ordinary business trying to generate revenue and minimize risk, having to think about data privacy can be both a nuisance and a headache.  Generally, it’s easy to want to think about privacy as something that can be dealt with using minimal resources—by updating a template privacy policy and posting it on a website,… More

What do pumpkin spice lattes and National Cybersecurity Awareness Month have in common?  Not much, other than both should be top of mind in October, but that doesn’t mean that it’s wrong to think about them both in August.

Held every October, National Cybersecurity Awareness Month is a collaborative effort between government and industry to ensure every American has the resources they need to stay safe and secure online while increasing the resilience of the Nation against cyber threats.  … More

The EU Commission issued today a “Communication to the European Parliament and the Council” which is entitled “Data protection rules as a trust enabler in the EU and beyond- taking stock”, which outlines the current state of EU data protection, with particular focus on the impact of GDPR.

1. The implementation of GDPR in the EU

The Commission notes that all EU Member States have updated their national data protection laws except for three (Greece,… More

Start-up companies know that, when potential investors kick the tires, they will look carefully at the company’s business model and IP portfolio.  These days, investors are also likely to look at whether the company is in compliance with privacy and data security laws.  Cybersecurity has become increasingly important for business of all sizes.  While identity thieves may focus on the target rich environments of large-scale enterprises,… More

It took three days, but I finally found a panel at BIO 2018 that addressed the current challenges in privacy and security regarding health data.  This panel, Realizing the Potential of Clinical and Consumer Genomics, was focused on all the new genetic tests that are available (with more to come) and all the genetic data those tests are generating.  I was particularly impressed with the approach of Mindstrong Health to privacy and security,… More

Partner Colin Zick was recently invited to speak to the Union College Computer Science Department’s Seminar Series. His presentation addressed the difficulties in implementing encryption in the workplace, the challenges to encryption from law enforcement, and the future of encryption in light of U.S. v. Microsoft and the coming GDPR.

Click here to download the presentation.… More

Editor’s Note:  Martha Coakley, Christopher Hart, and Emily Nash recently published an article in Today’s General Counsel entitled, “The Life Cycle of a Data Breach.”  Here is a snippet:

A data breach can be an existential crisis for an unprepared business, and in the best case it’s likely to be expensive and disruptive. Treat data security as an integral part of the company risk profile,… More

(Part of a continuing series.)

BYOD, or “Bring Your Own Device,” is an umbrella term for policies that employers have concerning your smart phone, tablet, or laptop.  Essentially, the questions that BYOD policies seek to answer are these:  (1) Who owns your device?  (2) Who owns the information on your device?  (3)  What happens if that information (or the device itself) gets lost or stolen?  and (4) What happens to the device and information after you leave the employer?… More

In Case You Missed It:  The EU/US Privacy Shield is set to go into effect this Tuesday, July 13, pending a decision today by the EU’s College of Commissioners.  On Friday, July 8, the Privacy Shield agreement (entered into in February) was adopted by EU member states. EU/US data transfer has been in limbo ever since the erstwhile Safe Harbor was invalided by the European Court of Justice last year. … More

The content of the Privacy Shield was made public yesterday and today.

The new framework dedicated to the EU / US flow of personal data is in fact a combination of several documents issued by the US and the EU.

On the US side, we have a letter sent by the U.S. Secretary of Commerce Penny Pritzker on 23 February 2016 to EU Commissioner Věra Jourová including the “package of EU-US Privacy Shield materials” (of 128 pages) which is made of 6 letters issued by various US officials (see details at the end of this article).… More

In response to the announcement of the EU-U.S. Privacy Shield, the Article 29 Working Party issued its own statement, the key elements of which are as follows:

• The Working Party will not blindly accept the EU-US Privacy Shield.
  It welcomes the conclusion of the negotiations, but also is asking to see all documents pertaining to the new EU-US Privacy Shield by the end of February.…

More

A timely new resource for business executives, technology professionals, and lawyers alike is the newly-published Navigating the Digital Age:  The Definitive Cybersecurity Guide for Directors and Officers from the New York Stock Exchange and Palo Alto Networks.  At 355 pages, the guide provides information from dozens of contributors from around the country and from various backgrounds. The guide explores 46 separate topics, focusing on such issues as prevention,… More

am just back from presenting at the New York Stock Exchange’s program on Cyber Risks and the Boardroom, where I presented on The Role of Cyber Insurance.  My presentation is here:  2015_04_21_The_Role_of_Cyber_Insurance_NYSE_Presentation.  It was evident from this program that the C-suite is very concerned about cyber issues, but management and their boards often lack the expertise to deal with them effectively. With specific regard to cyber insurance,… More

As a follow up to our summary of the key takeaways from the White House’s first Summit on Cybersecurity and Consumer Protection, the centerpiece of which was President Obama’s signing of a new Executive Order, “Promoting Private Sector Cybersecurity Information Sharing,” what follows is an analysis of that Order.

What does the Order actually do?

The Order “promotes…encourages…and…allows” but does not require anything.… More

Our client, CloudLock, recently hosted an interesting webinar, “Moving to the Public Cloud: Whirlpool Case Study.” The webinar features John Bingham, CISO at Whirlpool Corporation, who shared Whirlpool’s story of moving into the public cloud and how their security team found the support for the company’s core business goals. More

The highly publicized hacking of the iCloud accounts of dozens of celebrities was disclosed over Labor Day weekend and has raised larger, more serious concerns regarding the security of personal and corporate data held in the cloud.

Several explanations for how the hack was achieved have been offered, with some initial pointing the finger at potential flaws in Apple’s security system.… More

Recent news of government monitoring of phone calls and emails, both within the U.S. and abroad, has caused some to reexamine their technological companions.  Many are beginning to ask, when highly confidential and sensitive information is being discussed, should our seemingly indispensable technology be checked at the door?

This month, the British government began banning the presence of iPads at certain Cabinet meetings over concerns that the devices could contain viruses that would allow third parties to take control of the microphone and transmit recorded audio. … More

On May 16, Deputy Undersecretary for Cybersecurity, Mark Weatherford, spoke to the Advanced Cyber Security Center about DHS’s cyber security priorities: Information Sharing, R&D, and the Advanced Persistent Threat.

On Information Sharing:  This is a continuing challenge, in part because of the way the federal government shares information.  At present, the federal government provides cyber threat information to private sector organizations,… More

Interesting article from Of Counsel regarding both the substance and the business of data privacy and security law.  Lawyers from several firms (including me) talk about current and pending legislation, the mechanisms of compliance and breach response, and the pipeline for new lawyers in the field of data security and privacy. 

One of the other attorneys discussed the shortage of trained attorneys in this area as follows:

You’d think,… More

In an article that repeats a common theme in this space, this week’s Economist talks about how researchers are trying to help ordinary people toughen up their passwords.  But despite the efforts of these researchers, the article’s conclusion is a gloomy one:

The upshot is that there is probably no right answer. All security is irritating (ask anyone who flies regularly), and there is a constant tension between people’s desire to be safe and their desire for things to be simple.… More

Ponemon “data breach” cost

At most restaurants, when the time comes to pay the check, you hand over your credit card and a waiter you’ve known for only about an hour takes off with your credit card. You trust that the waiter will only charge your meal and won’t make off with your card number.  But if you ever have been to a Legal Sea Foods restaurant, you will notice that the waiter brings a handheld electronic device to your table to swipe your credit card when you are ready to pay the bill. … More

In a settlement announced today by the Federal Trade Commission and Facebook, the social networking service agreed to settle “charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public,” according to the FTC’s press release.

In its complaint, the FTC alleged,… More

Ensuring strong and efficient data storage and secured systems is the foundation of any successful business in today’s global business environment; the continued migration to cloud computing only amplifies this need.  New England and Israel are global leaders in innovation and entrepreneurship and major players in the global software/IT industry, with the innovations of its companies earning international recognition and prestige.

The New England-Israel Data Storage &… More

Please join Foley Hoag’s Labor and Employment attorneys on November 15 from 8:30 a.m. to 10:00 a.m. for a discussion of new challenges that employers face with social media. Topics to be reviewed include:

• Employer monitoring of employee activities on social media sites such as Facebook, Twitter and LinkedIn;
• Whether employers can discipline employees for their posts,…

More

Please join me and my friends at Co3 Systems for a free webinar,”Data Breaches & Compliance:  Understanding The Law and How You Can Prepare” to be held on Thursday, October 20, 2011 1:00 p.m. – 2:00 p.m. EDT. To add this webinar and the call-in information to your Outlook calendar, click here.  I will be presenting with Ted Julian of Co3; Ted brings a wealth of experience from working at Arbor Networks,… More

As noted in MassHighTech, the Advanced Cyber Security Center was officially launched on September 20.  The program was opened by Massachusetts Governor Deval Patrick and featured a presentation from Attorney General Martha Coakley.  As described by MassHighTech:

Touted as a first of its kind collaborative effort that brings together stakeholders in cyber security from the government,… More

The latest legislator to enter into the federal data security and privacy sweepstakes is Senator Richard Blumenthal (D-CT) who introduced legislation, S. 1535, on September 8.  This bill, if passed, would require companies dealing with consumers to strengthen their data security and privacy policies.  In particular, Senator Blumenthal’s bill, “The Personal Data Protection and Breach Accountability Act,” would required businesses that collect the personal information of over 10,000 customers to employ specific privacy and security measures,… More

I just completed a webinar for the Association of Corporate Counsel, with Ed Palmieri of Facebook, discussing "What Every In-House Counsel Needs to Know About Data Security and Privacy."  The program slides can be found at this link. More

Wondering what your company might be able to do at the local level to help fight cybercrime? There are a growing number of public-private collaborations that are trying to get ahead of the bad guys.

One is the Advanced Cyber Security Center (to which Foley Hoag serves as legal counsel).  The ACSC is a collaborative, cross-sector research facility working to address critical and sophisticated cyber security challenges.… More

In the April 22, 2011 Boston Business Journal article, entitled, "Pressure Point: Online Privacy —
Privacy is Potentially a Costly Workplace Issue," I was interviewed regarding some of the recent developments in privacy and security law for employers: 

• “Most of the time, data breaches don’t come down to a failure of technology or inadequate technology. It comes down to someone doing something stupid,”…

More

InformationWeek has published an interesting Analytics Brief on "Information Security in the Age of WikiLeaks."  (Subscription required.)  The brief discusses the following subjects:

• Could a Major Security Breach Be on the Horizon?
• The Smartphone Dilemma
• What Elements Are Currently Covered in Your Organization’s Security Awareness Program?
• Security Budgets Fare Well
• Implementing Risk Management Disciplines
• Do You Really Know Who Your Friends Are?…

More

Earlier today, I delivered a presentation on "Data Security and Privacy for Medical Device, Pharmaceutical and Life Sciences Companies:  How to manage your obligations under HIPAA, the HITECH Act and other federal and state data privacy and security laws" with colleagues Ara Gershengorn and Sarah Altschuller. More

As we noted back in May, digital copiers have caught the eye of government privacy enforcers.  If you have a digital copier at your business, you should review the FTC’s Copier Data Security: A Guide for Businesses.  In that Guide, the FTC suggests that “your information security plans .  . . should cover the digital copiers your company uses. If the data on your copiers gets into the wrong hands,… More

The Department of Homeland Security has released its latest update to its internal guide to handling personally identifiable information.  The "Handbook for Safeguarding Sensitive PII at DHS" has been around since 2008; even if you do not have direct dealings with DHS, it provides a useful point of comparison for your own policies and procedures.  More

I recently attended the 10th Annual Legal and Compliance Forum on Privacy & Security of Consumer and Employee Information in Washington, DC. It featured a particularly lively panel on “Oversight of Third-Parties and Vendors: Managing and Controlling Relationships Through Effective Due Diligence and Contract Negotiation.” Below are some  key points the panelists discussed; some may seem obvious, but they are nevertheless important measures to consider as part of your vendor relationships:

• Be able to terminate the relationship without cause.  …

More

If you got a new smartphone over the holidays, you’ve probably figured out how to use it by now.  The next thing to worry about is security.  The good news is that wireless providers are working to fortify their phones against attacks, as explained in this Wall Street Journal article.

There are some personal actions you should consider as well:

1. Set a password and make it a strong one.…

More

In January, we provided some helpful hints about passwords, in our entry:  Is Your Password Still "123456"? If So, It’s Time for a Change.

It’s been nearly a year, so it’s time to change your password again.  In case you need some help, we liked the guidance provided by the public radio program, Marketplace, in a recent broadcast.  Ironically, these recommendations come from an expert whose company’s password databases had just been hacked.  … More

This is a cross-posting of an interesting November 29 entry in Foley Hoag’s Emerging Enterprise Center blog, by Patrick Connolly and Prithvi Tanwar:

If your start-up’s website will collect user information…. and chances are it will, you need to start thinking about your website privacy policy. I have often spoken with founders who think that the website privacy policy is a “one size fits all,… More

In the April 11, 2010, Boston Globe, there is an extended discussion of an article by Cormac Herley of Microsoft entitled, "So Long, And No Thanks for the Externalities:  The Rational Rejection of Security Advice by Users."  In his paper, Mr. Herley argues thoughtfully that compliance with even simple security measures, like changing your passwords, is so time-consuming that it is not worth the effort for most users.… More

The Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) has filed its final information security regulations and will be making them public this week. The final rules appear to have been tweaked only slightly from the draft regulations issued on August 17, 2009.

Last month, Facebook announced plans to simplify its users’ ability to control privacy settings. Facebook will standardize privacy settings, remove overlapping settings, and put all settings on the same page. In an effort to give users more control over how their information is shared, Facebook will allow users to decide, on a post-by-post basis, with whom to share their content. Users will have the option of sharing their posts with: 1) only specific friends,… More

When, in June, the City of Bozeman, Montana sought to change its job application to require municipal job seekers to disclose usernames and passwords for popular social networking sites, it immediately drew widespread criticism.  Specifically, Bozeman asked applicants to "Please list any and all, current personal or business websites, web pages or memberships on any Internet-based chat rooms, social clubs or forums, to include, but not limited to: Facebook,… More

On June 4, 2009, the Electronic Frontier Foundation (EFF) launched TOSBack – a site that tracks changes in the terms of service for major websites such as Facebook, Google, Apple, and eBay. If you’re wondering why anyone would be interested in such a thing, you may want to revisit the controversy that accompanied the revisions to the Facebook terms of service. 

At TOSBack,… More

On June 11, 2009, six federal agencies issued answers to a set of frequently asked questions (FAQ) (.pdf) to “assist financial institutions, creditors, users of consumer reports and card issuers in complying with the final rulemaking” on identity theft.  The agencies behind the FAQ are those that originally promulgated the Red Flags Rules (and issued Guidelines to assist covered entities in designing compliance programs): the Federal Trade Commission (FTC),… More

On Wednesday, May 13, 2009, the FTC released a "template" identity theft prevention program (.pdf) to guide businesses subject to a "low risk" of identity theft through the process of complying with federal Red Flags Rules.  The FTC template was first announced on May 1, 2009 when the agency postponed enforcement of the general purpose Red Flags Rules until August 1, 2009 (see our posting here or our more detailed client alert here).… More

On Thursday, April 30, 2009, the day before federal Red Flags Rules were set to go into effect for a wide range of businesses, the FTC published a notice on its website indicating that it is postponing the deadline (yet again) until August 1, 2009. Importantly, this delay appears to be imposed so that the FTC can provide businesses, many of which are confused about how to comply, a “template” identity theft prevention program. “For entities that have a low risk of identity theft, such as businesses that know their customers personally, the Commission will soon release a template to help them comply with the law.” The FTC indicates that it will make the template available through their website.

As the May 1, 2009 deadline for compliance with federal Red Flags Rules nears, the FTC’s staff has informally mentioned that helpful guidance would be forthcoming. As of today, the FTC has launched a new website and a series of materials to assist businesses pushing to meet the May 1st deadline.

The saga of Yankee superstar Alex Rodriguez (“A-Rod”) and the revelation of his past steroid use already exemplifies the far-reaching implications of information security practices. But the story is far from over. While the media firestorm over A-Rod appears to be dying down, the fate of the identities of 103 other Major League Baseball players who tested positive for steroid use in 2003 remains undecided. And the outcome of a motion now before the United States Court of Appeals for the Ninth Circuit may affect not only those 103 baseball players,… More

In a recent letter (.pdf) to the healthcare industry, the Federal Trade Commission (“FTC”) has issued its clearest pronouncement yet on which entities must comply with federal “Red Flag Rules” — the identity theft regulations that will go into effect for many businesses on May 1, 2009 (and have been in effect for banks and financial institutions since November 1, 2008). This latest guidance strongly suggests that if you are wondering whether the new federal regulations apply to you — then they probably do. In this post, we will recap the FTC’s recent guidance on who should be complying with the Rules.

In early February, I noted that a group called the Consumer Privacy Legislative Forum (“CPLF”), which includes companies such as eBay, Microsoft, Google and Hewlett Packard, had released a statement calling for comprehensive harmonized federal privacy legislation and would be outlining recommendations for such legislation this month. Apparently, the CPLF’s focus has shifted. According to a BNA Privacy & Security Law Report, 8 PVLR 331, the CPLF “has decided to abandon efforts to develop a set of principles for omnibus U.S.… More

By Gabriel M. Helmer and Aaron Wright

When Facebook changed its official terms of service earlier this month, what ensued was an explosive public outcry over who owns what users post to social networking sites. Tens of thousands of Facebook’s 175+ million users suddenly clicked that often-overlooked link at the bottom of the webpage and poured over the arcane and legalistic language comprising Facebook’s terms of service. … More

According to a recently-released report from McAfee, the downturn in the economy is creating a “perfect information security risk storm.” The report, entitled “Unsecured Economies: Protecting Vital Information,” can be found here [Note: MacAfee requires registration to downloade the report]. McAfee bases its findings on a worldwide survey of 1,000 IT decision makers.

The McAfee Report makes four key findings:

1. Increasingly, important digital information is being moved between companies and across continents and is being lost.…

More

High-profile Massachusetts businesses and industry groups have sent Massachusetts governor Deval Patrick a letter requesting that the governor reissue existing identity theft regulations and give battered businesses two additional years to develop information security programs.

Anyone mystified by what practices the FTC wants businesses to improve on or abandon in response to federal “Red Flags” regulations received some specific guidance in December, when the FTC released the report Security in Numbers – SSNs and ID Theft. For anyone subject to new federal and state identity theft regulations, the Report helps identify some specific steps they should consider implementing by May 1, 2009, the deadline for businesses to adopt compliant identity theft prevention programs.

On Friday, November 14, 2008, Massachusetts regulators announced that they will give affected businesses until May 1, 2009 to comply with new identity theft regulations. This move parallels the October announcement by the Federal Trade Commission that it is delaying enforcement of federal identity theft regulations until the same day.

On Wednesday, October 22, 2008, the Federal Trade Commission issued an Enforcement Policy Statement that it will delay some elements of enforcement of recent “Red Flags” regulations until May 1, 2009, instead of the original November 1, 2008 date. Citing uncertainty and confusion within many industries over whether they are covered by the new regulations, the FTC indicated that it will not seek to enforce the regulations on November 1, 2008, when all affected businesses were originally required to come into compliance.