The 5 Federal Data Breach Bills Circling

  • May 7, 2015

  • Sen. Pat Leahy’s Consumer Privacy Protection Act
  • Reps. Randy Neugebauer and John Carney’s bill
    • Counterpart to the Senate’s Carper-Blunt bill
    • Holds merchants to standards similar to those for financial institutions
    • Not well received by retailers and merchants
  • Sen. Bill Nelson’s bill, filed in January but not moving
  • A bill filed this week by Senators Kirk and Gillibrand
  • A bill in the works by Sen. Warner

Politico

No Pre-emption in new Federal Data Security Bill

  • May 7, 2015

The first data security bill that moved in Congress this year would pre-empt state laws. Some say it would be more lax than the majority of state data security laws.

A new federal legislative proposal removes preemption. The Consumer Privacy Protection Act introduced by Senator Leahy would require companies to take more affirmative steps to protect consumer data.

Health IT Security

Legal Trend: Retail Data Breach Due to Management Complacency on Security Protocols

  • May 7, 2015

A lawsuit against Home Depot, based on the retailer’s data breach, alleges that the data breach is a result of lax data security measures by Home Depot executives.

Multiple security upgrades were routinely rejected by the retailer.

Atlanta Business Journal

6 Data Security Recommendations from the CFOs

  • May 7, 2015

  • Develop specific policies and procedures regarding the handling of proprietary or sensitive information.
  • Improve information security training.
  • Grant only the minimum necessary access to the information.
  • Communicate and apply consistent sanctions for information privacy or security violations.
  • Monitor employee activity.
  • Ensure adequate oversight or governance of information security programs.

CFO Magazine

US Supreme Court Wades into Data Breach Lawsuits

  • April 30, 2015

The US Supreme Court has accepted a case to determine standing in data breach cases. We all know data breach lawsuits flow freely after a data breach. The question dividing courts has been what counts as injury to the person suing: is it enough that the information is out on the black market, or must some economic damage occur before the individual can seek a court remedy?

The case that will shed light on data breach standing is Spokeo, Inc. v. Robins.

Orrick

Lege Trend: Marketing Information is Protected Personal Information

  • April 30, 2015

The Illinois Legislature is moving a data security bill that adds marketing information to the categories of protected information, which means that if marketing information about a consumer is breached, the consumer must be notified.

The Illinois bill, SB1833, was drafted by the Illinois Attorney General and “will require notification in the event of a breach of ‘information related to a consumer’s online browsing history, online search history, or purchasing history.’”

Advertisers and Marketers are displeased.

SC Magazine for IT Security Professionals

Read the Fine Print: Hotel Sends All Guest Info Automatically to Police

  • April 30, 2015

A hotel in Rhode Island is sending all information that it collects about its guests to the local police. Does state law require it? No.

Is the hotel under subpoena? No. The police and hotel reached an agreement. Guests will receive no notice of the information sharing.

Governing

2 States First to Update Data Security Laws for 2015

  • April 29, 2015

Montana and Wyoming, wrangling western individualism, passed new data breach notification laws. Here’s what they did:

Wyoming expanded what information triggers a data breach notification to include:

  • Username or email address with password or security question and answer
  • Birth or marriage certificate
  • Medical, biometric or health insurance information
  • Individual taxpayer identification number.

Wyoming also expanded what a notification sent to a consumer must include:

  • A toll-free number to contact the organization
  • Types of PII affected
  • A general description of the breach
  • Approximate date of the breach
  • General actions taken to protect against further breaches
  • Advice relating to reviewing account statements and monitoring credit reports
  • Whether the notification was delayed due to law enforcement.

Montana also expanded what type of information triggers a notification, to include:

  • Information that relates to an individual’s physical or mental condition
  • Medical history, medical claims history, or medical treatment information obtained from a medical professional or medical care institution, from the individual, or from the individual’s spouse, parent, or legal guardian
  • A tax ID number

Montana also broadened which entities receive notification to include:

  • A company must “simultaneously” provide a copy of the notice to the Montana Attorney General’s Consumer Protection Office.
  • If the data breach involves insurance information, simultaneous notice must be given to the Montana Insurance Commissioner.

Wilson Elser via JD Supra

Lege Enacted: 3 States, New Laws. Data Security Trends

  • April 29, 2015

3 states have enacted new data security reforms. Most recently, Washington State joined Wyoming and Montana. Washington’s reforms include, according to JD Supra:

  • Expands coverage to hard copy data as well as electronic or “computerized” data;
  • Requires notification of the Washington Attorney General if more than 500 Washington residents are required to be notified;
  • Imposes a 45-day deadline for notification of affected consumers and, when required, of the Washington Attorney General;
  • Empowers the Washington Attorney General to enforce the statute by bringing actions under the state’s consumer protection act;
  • Mandates certain content in the consumer notification, including the name and contact information of the reporting business, a list of the types of PI subject to the breach, and the toll-free telephone numbers and addresses of consumer reporting agencies;
  • Introduces a safe harbor for PI that is “secured” or encrypted in a manner that meets or exceeds the National Institute of Standards and Technology (NIST) standard “or is otherwise modified so that it is rendered unreadable, unusable, or undecipherable by an unauthorized person;” and
  • Adds language that exempts certain covered entities from compliance if they otherwise comply with certain federal laws.

Davis Wright Tremaine LLP

Legal Trend: Small Banks Want to Block Target Settlement with MasterCard

  • April 23, 2015

Small banks and credit unions have filed suit to enjoin the nearly $20 million settlement between Target and Mastercard related to the 2013 data breach.

Small banks and credit unions allege:

  • the agreement between Target and Mastercard was surreptitious
  • “This sweetheart deal for Target was negotiated without involvement of the court or the legal representatives of the impacted financial institutions.”

Target is still in negotiation with Visa over a settlement for reissuing credit and debit cards after the 2013 data breach.

Reuters

New SEC Rules on Cyber and Data Security Forthcoming

  • April 23, 2015

The SEC is mulling over requiring disclosures by publicly traded companies concerning data security and data breaches.

This should come as no surprise: in 2011, the Corporate Finance Division issued guidance on disclosing data security and data breaches in CF Disclosure Guidance: Topic No. 2, Cybersecurity, Oct. 13, 2011.

What risk factors is the SEC considering requiring companies to disclose?

  • Whether the risk of data breaches would make an investment in the business risky or speculative, AND
  • The potential cost of any breach.

The SEC is serious too. It is issuing comment letters based on the current guidance and imposing fines.

The Recorder

States Lose (Again) with Federal Data Breach Law

  • April 22, 2015

The federal data breach bill moving through Congress will preempt all state laws. Most states have stronger data breach laws than the federal bill.

Some say the federal bill is being pushed by the business lobby. It makes sense. Businesses are being sued after data breaches and it is costing millions and millions. Hundreds of millions.

California has stronger data security statutes, and the California Consumer Federation says the federal bill will:

  • Eliminate notification to the California attorney general of any security breach.
  • Allow the state attorney general to file a civil lawsuit but prevent individuals from suing over a data breach.
  • No longer require breached companies to provide free ID theft protection services, such as credit monitoring and fraud alerts.

LA Times

GAO: IRS Needs Better Data Security

  • April 22, 2015

The GAO found 69 data weaknesses at the IRS, which caught the attention of Sen. Grassley and the Treasury inspector general for tax administration.

The Treasury’s inspector general for tax administration ranks data security as the IRS’s top management problem for 2015. In response, the IRS claims that budget cuts have impacted its ability to find security weaknesses.

The Hill

Top Concern for Credit Unions Rhymes with Lata Becurity

  • April 22, 2015

Data security is the number one concern for credit unions according to the National Association of Federal Credit Unions.

Their concern is founded in fact. In 2014, 317 million new pieces of malware were created according to Symantec’s 2015 Internet Security Threat Report. Data breaches have been increasing by 20% per year.

This group supports legislation that includes:

  • Payment of Breach Costs by Breached Entities
  • National Standards for Safekeeping Information
  • Data Security Policy Disclosure
  • Notification of the Account Servicer
  • Disclosure of Breached Entity
  • Enforcement of Prohibition on Data Retention
  • Burden of Proof in Data Breach Cases 

Business Wire

Liability Protections in Federal Data Breach Legislation

  • April 15, 2015

Buried in the federal data breach legislation, which pre-empts the stronger data protection statutes of 38 states, is liability protection for businesses that share data security threats and intrusions with other businesses and the government.

Law360

Medical Imaging Records: 4 Ways to Protect Health Care Data Privacy

  • April 15, 2015

Cloud medical image exchanges are used to help radiologists be more efficient, but are susceptible to data breaches. The data security standards promoted by the industry are:

  • encryption of data at rest
  • encryption of data in transit
  • transport layer security, and
  • transferring data through VPN tunnels

Health IT Security

5 Business Associations Flag the Flaws in Federal Data Breach Bill

  • April 15, 2015

A coalition of business groups, including:

  • National Association of Convenience Stores
  • National Association of Realtors
  • National Grocers Association
  • National Restaurant Association
  • National Retail Federation

are urging federal lawmakers to retain a provision in federal data breach legislation that will require third-party vendors to notify consumers when they experience a data breach.

The Hill

Cost of Data Breach: $20 Million for 1 settlement with 1 credit card company

  • April 15, 2015

Target’s holiday 2013 data breach continues to breed lawsuits and settlements. Target recently settled with Mastercard for $20 million.

The $20 million will go to financial institutions to:

  • Cover the costs that banks incurred to reissue credit cards and debit cards
  • Cover the cost of fraud that resulted from the exposure of customer information

Fortune

Federal Data Breach Legislation Movement

  • April 15, 2015

Federal data breach legislation that would preempt 38 state laws on data breach was approved by the House Energy and Commerce Committee.

The biggest rift in the committee is whether federal law should preempt stronger state laws.

The Hill

Are Water Maps Private, Protected Information?

  • April 15, 2015

Last week Congressman Lamar Smith held “Reining in the EPA: A Regulation Roundtable”; one of the invitees was Agriculture Commissioner Sid Miller.

When conversation moved to a “secret” EPA map of U.S. waterways, Commissioner Miller indicated that the EPA released personal information about farms and ranches. The information was released to “environmental extremist groups.” It is reported that the Homeland Security department called the release of the farm and ranch water maps “a bioterrorist threat.”

Hill Country Community Journal

38 Reasons Privacy Advocates Oppose Federal Data Breach Legislation

  • April 15, 2015

38 states have stronger state laws. The federal legislation would preempt those state laws and the lower, weaker standard would prevail.

Washington Post

Another State Passes Data Security Protections

  • April 9, 2015

Alabama is the 48th state to enact data security laws, and one of a few that have revamped data security statutes after the major retail data breaches. The Alabama legislation will trigger notification within 30 days when any of the following information is hacked:

  • Medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional;
  • Health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual;
  • User name or e-mail address, in combination with a password or security question and answer that would permit access to an online account.

It also addresses record retention of data breaches.

National Law Review 

Lobbyists on Edge After Hackers Attack

  • April 9, 2015

Data security and the political world make for a sordid affair. We’ve seen data hacking by campaigns leading to arrests, and now the Hill reports on data breaches that have K Street on edge.

The head of the American Bar Association Cybersecurity Legal Task Force offers a serious warning:

“What a lobbyist might call blowing off steam could harm their business if it offends a client. For them, the risk is less about revealing state secrets or bribery than it is about humiliation, about damage to their firm’s reputation.”

The Hill

Data Security and the Health Care Industry : A Collision Course

  • April 9, 2015

Since New Year’s Day, 90 million individual health care records have been exposed by data hackers.

Why is health care data targeted? The data is highly valuable on the black market.

How are hackers gaining access to health care data? Via portals in electronics such as sonogram machines, conference call machines, fax machines… MD Anderson tests all its electronic equipment for security protocols.

Commentary in Houston Chronicle 

$25 Million fine for Data Breach

  • April 8, 2015

The Federal Communications Commission this week fined AT&T $25 million for a data breach that exposed the personal information, including Social Security numbers, of 280,000 AT&T customers.

AT&T will incur more costs as it notifies affected customers and pays for credit monitoring services, per the FCC order.

Engadget

Data Security and the Federalists

  • April 8, 2015

Data security and data privacy are near and dear to libertarian types. Think Rand Paul. Libertarian types look to the Federalist Papers to justify constitutional positions, such as protecting Americans from government intrusion into their personal, private data.

Pointing to Federalist Papers 33 and 44: when a national interest exists, it is necessary and proper for the federal government to act.

Legal Intelligencer

Congress Has New Data Security Bill Moving. 5 Highlights.

  • April 2, 2015

Bipartisanship lives. Last week a new data security bill was unveiled to create standardized requirements for data breach and security issues.

Co-sponsors of the bill:

  • Representative Marsha Blackburn (R-TN)
  • Representative Peter Welch (D-VT)
  • Both are members of the House Subcommittee on Commerce, Manufacturing, and Trade, and Blackburn also serves as Vice Chairman of the Energy and Commerce Committee.

The bill is titled “Data Security and Breach Notification Act of 2015.”

What the bill does:

  • Companies would be required to use “reasonable security measures” to protect an individual’s personal information.
  • Companies would be required to notify affected individuals “as expeditiously as possible” but no later than 30 days after the company has taken the “necessary measures to determine the scope of the breach and restore reasonable integrity, security, and confidentiality of the data system,” unless the delay is attributed to law enforcement or national security reasons.
  • No individual notice obligation if there was no reasonable risk that the breach of security resulted in, or would result in, identity theft, economic loss or harm, or financial fraud.
  • Effectively preempts the current patchwork of state statutes governing data breach notification and data security.
  • Enforcement:
    • A violation of this legislation would constitute an unfair and deceptive act or practice
    • The Federal Trade Commission or state attorneys general would have authority to enforce
    • Civil penalties for violations of the data security and breach notification requirements

National Law Review

Do Data Security Regulations Harm Productivity? Old Business vs. New Business

  • April 2, 2015

European companies are struggling with the 28 different data security laws that the EU has enacted, one for each of its member countries. Multinational companies face different compliance standards in each country.

However, an attorney for the technology and innovation sector says data regulations, even those that differ by member state, increase productivity in the fields of innovation and technology. This productivity increase is due to the globalization of data.

Computer Weekly

43% of Companies had a Data Breach in 2014

  • April 2, 2015

The number of companies experiencing a data breach is increasing annually. In 2013 it was 33%. In 2014 it was 43%. It’s a mix of retail and health care data breaches leading the increases.

More data breaches means more litigation.

SC Magazine for IT Security Professionals   Ponemon Institute

Target Data Breach Settles. Who wins, besides the litigators?

  • April 2, 2015

  • Target will put $10 million into a fund to be used to pay its affected customers
    • Customers with substantiated losses recover first
    • Customers with no substantiated losses receive funds thereafter
  • $6.75 million will go to the attorneys
  • How many people are eligible? 100,000,000. Yes, 100 million people.

Minneapolis Star Tribune

Financial Institution Sues Retailer Over Data Breach

  • March 25, 2015

An Illinois credit union has sued Kmart/Sears over a 2014 data breach, alleging that the retailer’s reaction to the breach harmed financial institutions. Here’s why (and note the same thing can happen in Texas):

  • The financial institutions were required:
    • to refund fraudulent charges
    • to respond to a higher volume of customer complaints, and
    • to increase fraud monitoring efforts
  • The financial institutions lost revenue
  • The retailers failed to maintain adequate data security under applicable payment card industry standards
  • The retailer delayed notification to consumers by at least 5 weeks
  • The causes of action are rooted in:
    • Illinois Personal Information Protection Act,
    • Consumer Fraud and Deceptive Business Act,
    • New York General Business Law,
    • negligence, and negligent misrepresentation and/or omission.

JDSupra InfoBytes Blog

Education Firms Spying on Children?

  • March 25, 2015

Education testing companies are being accused of spying on students’ Facebook, Twitter, and Instagram accounts. The companies go so far as to require that information posted by students, such as exam information, be removed.

Education companies insist they do not spy on students, but rather track certain terms.

Washington Post

New Legal Frontier: Can Your Data be Stored Out of State or Country?

  • March 25, 2015

The EU is waging a legal war with Facebook over whether Facebook can store the personal and private data of EU residents on servers located outside the EU.

This legal fight raises the question of whether Texans want their information stored on servers in NY or CA.

Wall Street Journal

Education Apps Make Student Data Security Vulnerable

  • March 24, 2015

What kind of information can hackers get from a student’s education app?

  • first name, middle initial, last name
  • gender
  • date of birth
  • parent email address
  • name and address of school
  • usernames (some with associated passwords)
  • teacher email addresses
  • teacher and class roster affiliations
  • class photos with students labeled by name
  • in-class behavior records
  • reading level and progress assessments, and math skill and progress assessments

An identity could easily be created with this information, which sparked Congress to address the situation with the Student Digital Privacy and Parental Rights Act.

States can address the situation by requiring data security protocols on stored student data and for third-party education software and apps.

EdSurge

Attorneys General Push for Data Security Reforms

  • March 24, 2015

An April meeting of attorneys general will focus on data security issues. This comes in the wake of the Connecticut AG forming a data privacy division and the attorneys general in NY, OR and WA recommending legislative changes to address data security.

Reed Smith Global Regulatory Enforcement

Lege Trend: Attorney General Forms Data Security Department

  • March 19, 2015

To handle data breach investigations and litigation, the Connecticut Attorney General created a Privacy and Data Security Department.

The Department emerged from a 2011 task force studying how the state can best address data breaches, and is staffed with a “cross-disciplinary team of experts in health, finance and other disciplines.”

Westfair Communications

$5M Data Hacking Suit Against Automakers in Texas

  • March 19, 2015

A Dallas trial lawyer has filed suit in California against Toyota, Ford and GM, alleging that the vehicles’ software is easily hacked.

The suit claims:

  • The automakers failed to ensure the basic electronic security of their vehicles
  • The electronic security can be hacked by anyone
  • The easy hack allows a person, who is not the driver, to take control of the basic functions of the vehicle
  • The vehicles thereby endanger the safety of the driver and others

Case No. 4:15-cv-01104-DMR

Southeast Times Record

Legal Trend: Breach of Fiduciary Duties by Company Executives?

  • March 18, 2015

Do company executives breach their fiduciary duty by how they handle data security or in the methods of handling data breaches?

A law firm is investigating whether executives at Home Depot breached their fiduciary duty by failing to protect against the Home Depot data breach.

Market Watch

Education Data: Teacher Privacy vs. Transparency for Parents

  • March 17, 2015

Data privacy is the new frontier for property rights.  People fiercely want to protect their personal data. It gets tricky when the person trying to protect their data is a public school teacher.

A parent in Virginia sued to have teacher evaluations released.

The first court sided with the parent to allow for the release of teacher evaluations. The suit is on appeal. Teacher groups refer to the release of evaluations as an invasion of privacy. It’ll be fought to the Supreme Court and is a fight occurring around the country.

Washington Post

Uber Class Action Lawsuit for Data Breach

  • March 17, 2015

A Portland Uber driver is the named plaintiff in a class action lawsuit against Uber for a 2014 data breach.

The breach disclosed personal information for 50,000 Uber drivers. The lawsuit alleges that Uber took 5 months to disclose the data breach, which violates California law. California statutes require employers to protect the personal information of employees.

Antman v. Uber Technologies Inc, U.S. District Court for the Northern District of California, No. 15-1175.  

Insurance Journal InAutoNews NYDailyNews Fortune via Reuters

FTC: Poor Fit to Require Retailers & Banks to Follow Same Rules

  • March 17, 2015

The Federal Trade Commission issued a report saying it’s a bad idea to apply banking rules to retailers. 3 reasons why:

  • “burdensome to nonbanks”
  • “Retailers lack the authority over payment cards to maintain certain data security obligations”
  • “The FTC lacks the supervisory examination and resources to provide specific guidance and oversight that would be necessary to cover every nonbank business”

The Hill

Silicon Valley Experts Talk Business Costs of Data Breaches

  • March 12, 2015

According to experts in Silicon Valley, data breach costs break down for business like this:

  • 80% of breaches cost less than $1 million in direct costs and damages
  • 15% of breaches cost between $1 million and $20 million
  • 5% cost more than $20 million to investigate, deal with and pay legal costs
  • The average cost is $7 million
  • Only 8% of businesses are buying cyber insurance coverage

San Francisco Business Journal

Health Care Data is Valuable. High Dollar Target of Data Hackers.

  • March 12, 2015

A glut of credit card and financial data on the black market has driven down its price. As a result, hackers are targeting more lucrative health care records.

Health care records are selling for as much as 7 times the value of financial data on the black market.

Legal Intelligencer

3 Trends in Data Breach Policy for 2015

  • March 12, 2015

1. More respect for financial institutions in courts. Data breaches lead to law suits. Law suits lead to multiple law suits. Multiple law suits become class action law suits. High dollar class action lawsuits are facing Target and Home Depot.

2. Push for national data breach legislation by multi-state companies.

3. More health care data breaches.

Legal Intelligencer

Montana Passes Data Security Bill

  • March 10, 2015

Montana empowered its attorney general’s office by requiring that it receive notice of any qualifying data breach. The Montana Attorney General operates a consumer protection division that will seek to help affected Montanans.

Montana Standard

HIPAA and Higher Education Student Data Privacy Collide in Lawsuit

  • March 10, 2015

A student at the University of Oregon, Go Ducks!, alleges she was raped by 3 basketball players. The University found the students at fault and kicked them out of school and off the basketball team.

After the alleged rape, the student sought treatment at the student health center. Her treatment included mental health care.

She eventually sued the school, as the alleged offenders were never tried for a crime. During the lawsuit, her mental health records from her care at the university health clinic were accessed by the University without her permission.

The policy and legal question is: does FERPA (the federal education privacy law) trump HIPAA? The Feds say: “The Department of Education urges higher education institutions to not only comply with FERPA, but also to respect the expectation of confidentiality that all Americans hold when talking to a counselor or therapist.”

Kaiser Health News

4 Student Data Principles. Supported by 32 Education Groups.

  • March 10, 2015

The Data Quality Campaign joined the Consortium for School Networking to set forth principles to guide student data regulation. The goal is to protect student data while doing no harm to schools. 4 points they all agree on:

  • Student data should be used to further and support student learning and success.
  • Students, families, and educators should have timely access to information collected about the student.
  • Students’ personal information should only be shared with service providers for legitimate educational purposes.
  • Everyone who has access to students’ personal information should be trained on how to effectively and ethically use, protect, and secure it.

The Consortium includes:

  1. Alliance for Excellent Education
  2. AASA: The School Superintendents Association
  3. American Association of Colleges for Teacher Education
  4. American Association of School Librarians
  5. Association of School Business Officials International
  6. Consortium for School Networking
  7. Council for the Accreditation of Educator Preparation
  8. Council of Chief State School Officers
  9. Data Quality Campaign
  10. Digital Promise
  11. Education Trust
  12. Educators 4 Excellence
  13. Foundation for Excellence in Education
  14. Institute for Higher Education Policy
  15. International Association for K12 Online Learning
  16. International Society for Technology in Education
  17. National Association of Secondary School Principals
  18. National Association of State Boards of Education
  19. National Association of State Directors of Teacher Education and Certification
  20. National Center for Learning Disabilities
  21. National Council on Teacher Quality
  22. National Education Association
  23. National Parent Teacher Association
  24. National School Boards Association
  25. PDK International
  26. SIF Association
  27. Stand for Children
  28. State Education Technology Directors Association
  29. State Higher Education Executive Officers Association
  30. StriveTogether
  31. StudentsFirst
  32. Thomas B. Fordham Institute

Education Week

Hospital System Sued for $5,000,000 over data breach

  • March 9, 2015

A data breach of medical records at an Ohio hospital system has led to a $5,000,000 class action lawsuit. It took 4 months for the hospital system to notify patients of the data breach.

The legal complaint is based on the claim that the medical records data breach created a “threat of immediate harm [that] has injured her privacy as a result of negligence.”

WFMJ

Bill Filing: Protecting Student Data 8 Ways

  • March 6, 2015

VanDeaver has filed HB 2156, which the author says protects student data in 8 ways:

  • Not sell student information;
  • Not behaviorally target advertising;
  • Use data for authorized education purposes only;
  • Not change privacy policies without notice and choice;
  • Enforce strict limits on data retention;
  • Support parental access to, and correction of errors in, their children’s information;
  • Provide comprehensive security standards; and
  • Be transparent about the collection and use of data.

VanDeaver Press Release

Lege Trend: Re-defining Private Data in the Land of Lincoln

  • March 4, 2015

The Illinois Attorney General is working to expand the definition of what is private information that triggers data breach notifications.

She wants to include the following information:

  • email addresses
  • log-ins
  • passwords
  • Health insurance information
  • biometric information
  • geolocation information

Her proposal doesn’t specify when the consumer and the Attorney General’s office must be notified. Instead, businesses are granted flexibility: they are required to take “reasonable steps” to protect the information they hold.

S.B. 1833

40 Class Action Law Suits From Anthem Inc. Data Breach

  • March 2, 2015

Hailed as a victory for plaintiffs’ lawyers, class actions are proceeding for data breaches at Target and Sony. Since the February breach at Anthem, more than 40 class action lawsuits have been filed.

Legal experts say data breach cases move forward when the plaintiff can allege:

  • “Statutory damages, such as a particular state’s data-breach law, or
  • if there are known sales of stolen identities on the black market”

National Law Journal

Lege Trend: Higher Health Care Data Privacy Standards

  • March 2, 2015

Connecticut’s SB1024 applies higher data privacy standards to health care providers by establishing regulations through the Department of Insurance.

Which health care entities are affected?

  • health insurers
  • HMOs
  • “other entities licensed to do health insurance business in Connecticut,”
  • pharmacy benefits managers
  • third-party administrators that administer health benefits
  • utilization review companies

What are these health care businesses required to do?

  • encrypt the health care data that they maintain

What personal information are health care entities required to encrypt?

  • an individual’s first name or initial and last name in combination with one or more of the following:
    • Social Security number
    • driver’s license number
    • address
    • identifiable health information

The 2015 CT bill follows in the path of the New Jersey health care data privacy bill.  

Day Pitney 

Lege Trend: Access to the GPS Data on your Phone

  • March 2, 2015

California’s SB 576 will require app makers to explain:

  • what location information they’re gathering from your phone
  • why they’re collecting it and
  • whether they’re sharing it with anyone else. 
  • Will require users’ permission to continue to gather GPS information from your phone

The Recorder

Preeminent Data Security Attorney Supports State Regulation over Federal Regulation. 3 Ways Business Needs Flexibility in Data Security Legislation.

  • February 26, 2015

Theodore Kobus III, co-leader of the Privacy and Data Security Practice at Baker Hostetler, favors state regulation over one-size-fits-all federal regulation of data security notification. 

He suggests the right template for data security is HIPAA’s approach. HIPAA has been functioning for more than 10 years and has no uniform standard for security.

Businesses need flexibility to respond to data breaches. The flexibility is necessary based on 3 factors:

  • size of the business
  • budget of the business
  • industry of the business. 

Inside Counsel

TX University to Offer MS in Cyber Security

  • February 26, 2015

Fresh off San Antonio being named the #2 spot for cyber security expertise, St. Mary’s University unveils a new Master of Science degree in cybersecurity. Texas Public Radio

Bill Filing: DNA Data Security

  • February 25, 2015

SB 628 by Van Taylor prohibits a governmental body from:

  • capturing or possessing a biometric identifier without:
    • express statutory authority to capture or possess the biometric identifier AND
    • consent of the individual. 

New Legislative Caucus: TX Innovation & High Tech Caucus

  • February 25, 2015

Today Representative Jim Murphy announced the formation of the Texas Innovation and High Tech Caucus. Members of the legislature are directed to contact Bradly Pepper in Representative Murphy’s office. 

Lege Trend: Student Data Security. Student Data Is the MVP on the Black Data Market.

  • February 23, 2015

Selling student data is a hot topic. Education businesses want to buy student data to tweak their products. Releasing student data is of increasing concern to data privacy advocates, especially since data related to children is far more valuable on the black market. 

Maryland is weighing how to protect student data. Proposals include:

  • prohibiting selling student information for profit, including names, grades and test scores, socioeconomic information, search activity, photos and other student identifiers.
  • prohibiting targeted advertising and profiling of individual students

Cecil Whig via the Capital Daily News Service

New Texas Public Private Partnership for Data Security

  • February 19, 2015

This week, the U.S. Army Reserve selected UTSA as a founding member of a unique public-private partnership program to train cybersecurity professionals. 

Under the Cyber P3 designation, UTSA and other participating schools will help the government fill as many as 40,000 positions nationwide.

San Antonio Business Journal

US Chamber of Commerce: San Antonio #2 in Data Security Professionals

  • February 19, 2015

A US Chamber of Commerce study ranks San Antonio as #2 area for data security professionals. The industry is working to gain traction with local economic development officials.  KSAT

UTSA Cyber Security Program Tops in the Nation

  • February 19, 2015

UTSA established its Institute for CyberSecurity in 2001. The Institute trains not only students, but also those in business to improve their cybersecurity. 

In 2014, the Institute was named the Top cyber security education program in the nation by certified information technology professionals. 

KSAT

TX Data Security Officer Leaves DIR

  • February 19, 2015

Last week, Brian Engle, DIR’s data security go-to guy, left his  state government post. He is now the first employee of a nonprofit, Retail Industry Information Sharing and Analysis Center.

His new role is to support the retail industry in their cybersecurity efforts and their efforts to protect their customer information and information technology.     

Government Technology

Data Security Tops Business Priority Survey

  • February 19, 2015

The National Retail Federation released a survey showing that 97% of surveyed business leaders believe data security is a top priority for 2015. 

National Retailer Association

Cars Retain Your Data, Folks. Feds File Legislation to Protect Your Car Data.

  • February 12, 2015

New federal legislation would establish federal data security standards for car makers. Most cars collect data, without the vehicle owner or driver’s knowledge. The data is then sold to third parties. 

Legislation would require:

  •  car companies and third-party vendors to be competent in:
    • detecting 
    • reporting
    • responding to real-time hacking events
  • drivers would be notified of:
    • data collection,
    • data transmission and
    • how that data is being used.
  • Allow consumers to decline data collection without having navigation disabled.

AutoBlog

Lege Trend: More States Move Fast to Protect Students. Districts Face $50,000 Fines per Breach.

  • February 12, 2015

A panel in rugged, independent Idaho is creating a task force to study:

  • how much student data is sold to third parties
  • how best to protect student data, and
  • how to reduce sharing student data. 

 State and federal agencies collect nearly 566 data points per student. Last year, Idaho passed a law that can fine school districts up to $50,000 for student data security breaches.

Lege Trend: Federal Data Breach Legislation

  • February 11, 2015

Last week Congressmen Barton (R-TX) and Rush (D-IL) filed data breach notification legislation. Feds want to protect personal, private information and the states are quickly passing bills that further protect their citizens. 

What you need to know about the federal bills:

  • Act Name: Data Accountability and Trust Act (DATA Act)
  • Bill Number: HR 580
  • Senators Feinstein, Pryor, Rockefeller, and Nelson filed a similar, but not identical, bill:
    • Data Security and Breach Notification Act 
    • SR 177
  • What do HR 580 & SR 177 seek to accomplish?
    • Nationwide data security standard
    • Backed by FTC enforcement, state attorneys general and civil penalties
      • Penalties up to $5M per violation
    • Require notification to the FTC & to affected individuals in the event of a data breach
    • Define “personal information” to include:
      • an individual’s name in connection with :
        • (1) a Social Security number
        • (2) a driver’s license, passport, or other government-issued identification number, or
        • (3) a financial account or credit or debit card number in combination with a security code or password that would permit access to an individual’s financial account. 
    • Businesses would be required to have information security procedures and policies to safeguard information.  

National Law Review

Data Breaches Lead to Tax Man Problems

  • February 11, 2015

The FBI is investigating whether hacked tax information was used to file fraudulent state and federal tax returns without the original taxpayer’s knowledge.   

The fraudulent state and federal tax filings are impacting businesses and individuals. 

WSJ

Breach Leads to Class Action. Rinse. Repeat.

  • February 11, 2015

Last week Anthem experienced a data security breach that resulted in the exposure of personal information for up to 80 million people.   This week, a class action lawsuit has been filed in Atlanta.  

Here’s what plaintiffs allege:

  • World’s biggest known data breach
  • The FBI has identified health care as particularly weak in data security. 

Courthouse News Service

4 Data Security Policy Trends

  • February 4, 2015

  • Health information protected by HIPAA will put companies at risk.
    • Department of Health and Human Services Office for Civil Rights enforcement actions have led to multiple million dollar settlements against hospitals, clinics, and health systems
  • FTC will take enforcement action. That action will lead to lawsuits challenging the FTC powers of enforcement. 
    • Opportunity for state enforcement abounds.
  • More lawsuits against companies and financial institutions. Big legal costs. Big tort reform opportunity. A sample of the lawsuits:
    • class action suits
    • Claims under specific privacy statutes, like motor vehicle records
    • State medical privacy laws for employee health insurance records
    • Restricted access to bank accounts may satisfy data breach causes of action
  • Insurance Regulation on data breach policies as the industry rapidly expands.

Lege Trend: Another Attorney General Supports Data Breach Notification & Enforcement

  • February 4, 2015

The Oregon Attorney General has a data breach legislation wish list. On her wish list is:

  • Extend data breach enforcement and notification to the Oregon Department of Justice
  • Oregonians should have access to information about:
    • who is collecting their personal information and data
    • how it is being used and protected
    • to whom it is being sold.

Oregon Business Report

Cost of a data breach: $15 Million +

  • February 4, 2015

Sony Pictures spent $15M in Q3 for investigating and remediating its data breach.    Legal costs forthcoming.  Tech Crunch

Data Breach Liability for Retailer? Is there a Financial Cap for a Grocer?

  • February 3, 2015

Retail data breaches lead to class action lawsuits. They’re new. They’re trendy.

How financial liability for a breach is assessed is a developing legal trend. Legal trends turn into legislative trends as states grapple with assigning liability.

Today the retailers & the banks are at odds over this in policy court. To add fuel to this policy fire, a federal court sided with a retailer against financial institutions by limiting a grocer’s liability to:

  • $500,000
  • based on the agreement between the grocer & the financial institutions processing the payments

Retailers want banks to bear the brunt of costs. Banks want retailers to meet the high security standards they have to meet. 

PYMNTS.COM

Public Ed Contractors Want Data. States Stop the Data Flow.

  • February 3, 2015

In 2014, California passed bills to protect student data from contractors. What did the bills do?

  • Require “school districts to maintain control and ownership of any data managed by a private vendor.” Cal AB 1584 (2014)
  • Give education technology companies until 2016 to stop selling student personal identifying information and to stop target marketing to students  CAL SB 1177

At the school district level, these actions are being taken:

  • Teacher training on privacy issues.
  • Use of a vetted list of vendors that comply with data retention and storage restrictions

The Recorder

Mandatory Encryption for Health Care Data. States Imposing Higher Standards than HIPAA.

  • January 26, 2015

The Garden State has mandated that all protected health information be encrypted. This new requirement applies to:

  • health providers
  • hospitals 
  • medical insurance corporations

The NJ legislation, signed by Gov. Christie, exceeds HIPAA requirements and will require encryption of:

  • patient’s name linked with:
    • a Social Security number
    • driver’s license or other state-issued identification
    • address
    • identifiable health information.  

National Law Review

Downsizing Health Care Data Sharing

  • January 26, 2015

Private companies want access to government health care information to build their business, but their access to health care data is shrinking fast. HHS is severely cutting the information it shares with third parties.

The change was sparked after the AP reported that healthcare.gov was sending personal identifying information to third parties for marketing, advertising, and internet data performance purposes. 

Privacy advocates, the Electronic  Frontier  Foundation, Senator Hatch and Senator Grassley want the federal government to do more to stop health care data sharing with private companies. 

AP     National Law Review    The Hill   NYTimes

Survey Says 34% More Spent on Retailer Cyber & Data Protections

  • January 25, 2015

The Target data breach of 2013 changed a lot of things. Cyber insurance is a booming business, and spending on cyber security has increased on average 34%.  The survey also said:

  • 57% of U.S. CEOs extremely concerned about over-regulation 
  • AppRiver says last year it quarantined about 1 billion email messages that contained viruses in attachments, about double the amount it did in 2013.
  • 75% of the British people it asked said they want more transparency in business, and 81% said they want more accountability.
  • A survey by KPMG of the FTSE350 found 58% of respondents said they expect their cybersecurity risk to increase over the next year.     WSJ 

Banks v. Retailers MMA Cage Fight

  • January 25, 2015

Where does the buck stop in data security regulation? Is it at the financial institution or at the retailer who garners the class action lawsuit? 

Retailers have said they should not be treated like banks, which are heavily regulated. Information Intelligence

The Credit Union National Association,  Financial Services Roundtable, the Consumer Bankers Association and four other financial trade associations sent a letter to Congress on Friday asking to have new rules imposed upon retailers that handle customers’ personal data.  This could impose fines of up to $1 Million per day for retailers.   The Hill 

Lege Trend: Techies Want Data Security Supremacy & Tax Relief

  • January 25, 2015

Georgia techies are focused on tax incentives and making Georgia the Supreme Leader in Data Security. The economic incentive proposals:

  • Extend Angel Investor Tax Credit
  • Film Tax Credits
  • “triple the qualifying period on a sales-tax exemption for companies buying more than $15 million in computer equipment, from one year to three”
    • This tax credit has made Georgia a hot spot for data centers
  • Create a committee to make Georgia a leader in data and cyber security
    • Georgia is home to IBM and to the U.S. military’s cyber command, which they believe make Georgia the perfect leader in data and cyber security

Athens Online 

States Ramp Up Data Security Laws. Propelled By Healthcare Data Breaches.

  • January 22, 2015

Add New York to the growing list of states ramping up data security laws. NY will consider legislation similar to OR and IN that would provide a “safe harbor rule for companies that implement specific data security plans and standards that officials say would minimize the chance of a breach.”

New York’s study of data breaches found that health care was the largest source for data breaches.  Healthcare Dive

Data Breach Bill Filings: Biometrics, FingerPrints, Health Care Data.

  • January 22, 2015

Data Protection Policy Trends Emerging….

HB 349 by Kleinschmidt calls for limiting the collection of fingerprints in criminal history checks.

HB 764 by Susan King calls for DSHS to limit the information stored, require notification upon a breach and prohibit the sale of information. 

HB 852 by Sanford calls for a study on the collection and storage of biometric identifiers. 

Data Breach Hearings In Congress: To Pre-empt State Law or Not to Pre-Empt?

  • January 22, 2015

Federal law or state law? Which should have the final say over a data breach at a local business? Or, if a data breach affects a nationwide retailer? The State of the Union included a call for federal data breach laws pre-empting state law. 

Texas Congressman Michael Burgess agrees with federal pre-emption.

He will chair the hearing on Tuesday January 27th, and said, “We need a plan in place that will help prevent data from being stolen in the first place, and will also alleviate consequences for consumers if hackers are successful.”   The Hill 

Health Care Data Breaches- Hackers or Human Errors?

  • January 22, 2015

Since 2009, health care data breach statistics are:

  • 8%  involve hacking
  • 40.9 million individuals’ records have been exposed
    • Of the individual records, 19%, were blamed on hackers
      • This includes a hack, allegedly by Chinese hackers, of the health care data at Community Health Systems in Franklin, TN, resulting in stolen personally identifiable information on 4.5 million individuals.

President Obama’s federal data breach proposal would pre-empt state law, but it EXEMPTS health care and banking, which each have their own data breach standards. Modern Healthcare

3/4 of IT Experts Support Data Breach Notification Laws

  • January 22, 2015

75% of international cyber security experts support breach notification laws. The biggest concerns about complying with the laws:

  • 55% notification would affect corporate reputation
  • 15% said systems not geared for notifications
  • 13% listed increased costs as a concern

PC World

Data Breach Insurance BOOM!

  • January 16, 2015

Insurance sales for data protection are skyrocketing.

With the feds and states scrambling to protect citizen data, and class action lawsuits being filed with every breach, the insurance market is booming.  

Demand For Cyber Insurance Skyrockets | The Hill

2 Experts: Federal Data Security Standards Loosen State Standards. Less Protection for Individuals.

  • January 16, 2015

2 Privacy Experts say Federal Standards Don’t help individuals:

  • Alvaro Bedoya, the executive director of the Center on Privacy & Technology at Georgetown University Law Center, says consumers benefit from state laws which are stronger than national proposals. 
  • Software & Information Industry Association says individuals will not be safer with federal protections.

National Review

States are Passing Data Security Bills. See Where State Laws Stand. Business Interests Beware.

  • January 15, 2015

Baker Hostetler offers an absolutely fantastic chart of what every state is doing on data security.

Data privacy experts say state laws go further to protect your information if it is the subject of a leak, breach or hack. Tort reform types point to data breaches being a new bevy of class action lawsuits.  Baker Hostetler

WA Data Security Legislation

  • January 13, 2015

Hot Topic: How to protect and notify individuals in case of a data breach. Here’s Washington State’s proposal to upgrade its notification laws. Unlike other states, Washington state law currently does not require any centralized reporting to the state when a data breach occurs, resulting in a lack of robust information for law enforcement and consumers.

The proposed legislation strengthens Washington’s data breach notification law by:

• Notification requirements when the breached data was encrypted

• Establish notification timelines.

  • Require consumer notification as immediately as possible and no later than 30 days whenever personal information is likely compromised

• Centralized reporting to the state to improve enforcement actions.

  • Require the Attorney General to be notified within 30 days when a data breach occurs at a business, non-profit or public agency, enabling the Attorney General to compile centralized information about data breaches for law enforcement and consumers

• Require businesses, non-profits and agencies, when reporting a breach, to provide consumers with basic information they can use to help secure or recover their identities.   

Kirkland Report: WA House Bill 1078 & Senate Bill 5047

Data Sharing with Government Leads to Liability Protection

  • January 13, 2015

The Obama Administration, in a grand data security bill, offers liability protection to companies that share cyberthreat indicators with the government.

Privacy Rights advocates are not amused.   Washington Post     The Hill    

White House Wants to Lead in Education Data Protection Legislation

  • January 13, 2015

The White House released proposals to protect data. Student data. Energy data.  Tech data. 75 Companies have said “Aye.” Including the big dogs- Apple and Microsoft. 

Education Data Protection:

  • No sales to third parties for a purpose other than strictly educational.
  • No targeted advertising to kids. 

WSJ: http://blogs.wsj.com/law/2015/01/12/white-house-moves-to-protect-data-privacy/

Data Security Ripe for Tort Reform. Will it help? No Says Washington Post Legal Commentator

  • January 12, 2015

Mandatory data breach notices have triggered lawsuits. Lawsuits have led to class action lawsuits. Think Target and Home Depot, the big retail data breaches. Class Action lawsuits lead to settlements.  

Whether or not one agrees on what the impact of tort reform will be, data security is ripe for tort reform. 

Volokh Conspiracy | Washington Post

AG Enforces HIPAA Data Security Provisions

  • January 12, 2015

Indiana’s AG brought a HIPAA enforcement action against a health care provider that improperly dumped health records.  The health care provider put the records, unshredded, in a dumpster. National Law Review  

A couple of weeks ago, Indiana’s AG offered legislative guidance on data security bills.  Information Intelligence

Data Breach Laws not just for the Feds

  • January 8, 2015

State laws address data breaches. They set up notification procedures and establish liability. A cyber law expert lays out the liability and causes of action in various states.

Looking at the class action suits that have followed major retailer data breaches, it is the legal trend of the year. 

Claims Journal

Data Security Taking Front Stage with New Congress

  • January 8, 2015

Data security and protecting consumers’ education, health and financial data just got a kick start.  

  • Texas Congressman Hurd will chair the IT Subcommittee — a new panel created by incoming Oversight Committee Chairman Jason Chaffetz of Utah.
  • Texas Congressman Ratcliffe will chair the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, a part of the Homeland Security Committee.

Dallas Morning News

In 2014 states began passing data security and data protection legislation. Just look to legislative efforts in CA, FL, NJ, IN, WY, AL. Click the legislative trend category to see a complete list.  

Data Security Sample Bills: Protect Minors, Students, Health Care Data & More

  • January 3, 2015

In 2014 California passed a number of data security bills to protect students, consumers and patients, including:

  • Privacy Rights for California Minors in the Digital World (California’s SB 568)

    •  Prohibits marketing or advertising alcohol, firearms and tobacco to minors

    • Prohibits using, disclosing, or compiling a minor’s personal information (or permitting a third party to do so).

    • Intended to exceed federal protections for minors.

  • Data Breach Notification Amendments (California’s AB 1710):

    •  Business must “implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” 

    • Any identity theft prevention services must be made at no cost to the affected person for not less than 1 year. 

  • Medical Information Breach Notification Period (California’s AB 1755):
    • Expands the time permitted to report breaches or disclosures of patients’ medical information to the state & to the patient.  
    • Permits email notification.
  • Safeguarding Pupil Digital Records ( California’s AB 1584):

    • Provide local educational agencies with control to contract with third parties that provide digital educational software or services, including cloud-based services, for the digital storage, management, and retrieval of pupil records. 

    • Limits the use of the pupil records, ensuring compliance with the federal Family Educational Rights and Privacy Act

  • Pupil Records and Social Media (California’s AB 1442):

    • Restricts a school district, county education office, or charter school that gathers information from an enrolled pupil on social media from using information collected for other purposes.

    • Prohibits selling or sharing of information, and imposes other requirements related to the destruction of information. 

  • Student Online Personal Information Protection Act (California’s SB 1177):

    • “Prohibits operators of websites and online services and applications used primarily for K–12 school purposes, and designed and marketed for those purposes, from pursuing targeted advertising to students and their parents or legal guardians.”

    • “Prohibits using covered information to build a profile of K–12 students, selling a student’s information, and disclosing certain types of information.”  

National Law Review 

$5.6 Billion: The 2015 Cost of Health Care Data Breaches

  • January 3, 2015

$5.6 Billion buys a lot of tongue depressors. It’s also the expected cost of data breaches in the health care industry for 2015, according to the 2015 2nd Annual Data Breach Industry Forecast by Experian. Highlights from the forecast:

  • A Ponemon Institute survey found that 72% of healthcare organizations indicated they are only “somewhat confident” or “not confident” in the security and privacy of patient data. 
  • Increasing data security by health care organizations could limit  the risk of breaches and  limit scrutiny from regulators   Business Solutions 

SAO: State Computer Systems Out of Date

  • January 3, 2015

The State collects mountains of data from motor vehicles to health care agencies. Keeping up with the technology to protect this information lags behind.

The State Auditor found that state data projects are not being completed on time or on budget, and may not receive the proper authorization. 

SAO 15-015  Austin Business Journal 

Indiana AG Proposes Data Security Legislation

  • January 3, 2015

The proposed legislation would require more of businesses, including:

  • More stringent requirements for storing & retaining sensitive data
  • Reduce harm to consumers with better notifications
  • Increase transparency of online privacy policies

What does this mean for business:

  • Require data to be securely stored
    • Delete personal or financial data
    • Retain only what is necessary for business purposes and processes
  • Limit sharing or selling of data only when authorized by law or when consumers are informed in advance
  • Inform consumers by clear and conspicuous notice when personal data must be collected and how long it will be stored
  • Data breach notification changes with quicker notifications to consumers, with more information, applied to more data breaches.

AD LAW ACCESS  National Law Review  Indiana Attorney General Proposal 

Data Security Regulation Needed Post Chick-fil-A Data Breach

  • January 3, 2015

Another day, another retailer with a data breach.

The National Association of Federal Credit Unions took the opportunity to call for clear data breach laws.

Why? Without regulation every business that could possibly be related to a data breach is getting sued. It’s a class action gold mine.  The Hill 

FTC Has Authority to Pursue Data Breach Enforcement

  • January 3, 2015

FTC and FCC are both regulating data breaches. FTC pursued an enforcement action against Wyndham Hotels, which then challenged the FTC’s regulatory authority. 

In a case watched by many corporations, the courts said yes, the FTC has regulatory authority to take enforcement actions related to data breaches.  

In late 2014, the U.S. Court of Appeals for the Third Circuit ordered the parties to mediation to save all parties time and money.    King & Spaulding via JD Supra

Why does this matter? Data security laws on the state level are increasing.  State level enforcement is inevitable. Enforcement will come with hefty fines against businesses that experience data breaches. 

Kerfuffle: Financial Institutions v. 6 Retailer Groups- Which Bears the Financial Burden for a Data Breach?

  • January 3, 2015

The fighters for financial institutions:   Independent Community Bankers of America  

The fighters for retailers: Retail Industry Leaders Association, National Retail Federation, National Grocers Association,  Merchant Advisory Group, National Association of Convenience Stores, Food Marketing Institute, &  National Restaurant Association 

Why did the kerfuffle start: Banks assert that they absorb the heaviest burden “following security breaches of payment card data.”   The Independent Community Bankers of America support:

  • “the costs of data breaches should ultimately be borne by the breached party,
  • all participants in the payments system—including merchants—should be subject to Gramm-Leach-Bliley Act–like data-security standards,
  • a national data-security breach and notification standard should be implemented to replace the current patchwork of state laws,
  • unnecessary barriers to effective threat-information sharing between law enforcement and the financial and retail sectors should be removed, and
  • while community banks and other financial institutions continue to move to chip technology for debit and credit cards, these technologies alone may not have prevented the recent retailer breaches and do not protect against fraud in “card-not-present” transactions, such as online purchases.”     ICBA Press Release

Retort from the Retailers:  

  • “Retailers bear more of the costs of breaches than banks. “
  • “We need increased sharing of information between law enforcement and the business community, as well as between retailers and financial institutions. “
  • ” Ignoring PIN technology leaves us all more vulnerable.  “
  • “The Gramm-Leach-Bliley Act is not a model for data security. ”   Letter from the Retail Groups

The Hill: Data Breach Payment Fight Heats Up