Global Privacy & Security Compliance Law Blog

Category Archives: Security


Compliance and Enforcement in the Hospitality Industry Webinar Available

An August 2 webcast on Compliance and Enforcement in the Hospitality Industry looked at the FTC proceedings in the Wyndham Hotels matter and identified some key takeaways, while considering how similar issues might play out in the European Union. (For those unable to follow the live webcast, the full presentation is now available online.) Some …

Data Security: Compliance and Enforcement in the Hospitality Industry

August 2 Webcast to Consider Risks and Responses. A recent high-profile enforcement action by the Federal Trade Commission (FTC) provides meaningful context and occasion for examining data security risks in the hospitality industry. In late June, the FTC filed suit against global hospitality company Wyndham Worldwide Corp. and three of its subsidiaries for alleged data security …

CNIL Offers Guidance on Aligning Cloud Services with Data Protection Requirements

The French Data Protection Authority (CNIL) has issued a working document setting out its recommendations to companies contemplating the use of cloud computing services. This is in part the result of a public consultation carried out by the CNIL from October to December 2011. The guidance includes a checklist applicable to both private and public …

Alaska Medicaid Pays $1.7 Million Settlement in HIPAA Security Case

By Jennifer Archie and Suan Ambler-Ebersole. Second Highest HIPAA Settlement Amount to Date and First Paid by a State. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced Tuesday that it had reached a settlement with Alaska’s state Medicaid agency, the Department of Health and Social Services (DHSS), for $1,700,000 …

SEC Guidance on Cybersecurity Disclosures

By Kevin Boyle and Kee-Min Ngiam. The SEC’s Staff of the Division of Corporation Finance recently issued guidance to help clarify public reporting companies’ disclosure obligations in the area of cybersecurity risks and cyber incidents. The guidance, which does not change existing disclosure obligations for public companies, should help company officers responsible for security, privacy, …

Cyber Security: Getting the Board on Board?

By Gail Crawford and Amy Taylor. At the end of 2010, the UK Government raised the national threat level for cyber security risk to Tier One (the same tier as the terrorism threat) and announced it was allocating £650 million (around US $1 billion) to governmental cyber security measures and resilience developments. A recent report …

Kicking Squatters Off Your Domain Name: What’s New Plus the Basics

As online services Groupon and Facebook have recently learned, cybersquatters are more than a mere nuisance. Cybersquatting can disrupt or delay business expansion or operations, or compromise security and user experience. Groupon’s planned expansion to Australia was delayed for months because a clone site in Australia named Scoopon purchased the domain name, took the …

The Expanding Reach of the UK’s Freedom of Information Act

Whilst Tony Blair, the Prime Minister responsible for the Freedom of Information Act 2000 (FOIA), has described the legislation as one of the biggest mistakes of his career, the current UK government’s proposals, to be implemented via the Protection of Freedoms Bill, extend the Act to cover a wide range of bodies which have previously …

Naughty or Nice: A Checklist for 2011 Privacy Policy Compliance and Risk Management

The recently released reports from the U.S. Department of Commerce and the Federal Trade Commission have focused important and much-needed attention on privacy policies and legal compliance. Unfortunately, much of the substance is aspirational rather than immediately operational. So, with the benefit of our collective client experience, we offer the following “Naughty or Nice” Checklist to get …

Budget Season Help: More Evidence That Data Protection Spending Cuts Costs

The Ponemon Institute is out with a new Intel-sponsored study concluding, among other things, that lost laptops cost U.S. organizations in excess of $2 billion a year. Yet two-thirds of companies surveyed still do not take basic security precautions to protect laptops. A look at prior Ponemon work cited in the report suggests failing to …

Five Useful Provisions for Your Web Site Terms of Use

We are often asked to review web site terms of use. Here are five provisions that often seem to be missing in action (in no particular order): No Scraping. With automated screen scraping tools readily available, this data harvesting technique presents issues for websites that allow users to search for data. Even if …

PCI 2.0 Released: Clarifications But No New Requirements

On October 28, 2010, the Payment Card Industry Data Security Standard (PCI DSS) 2.0 was released. There are no new requirements; the PCI Security Standards Council (“Council”) mostly made wording clarifications throughout the 12 existing requirements. These changes go into effect January 1, 2011, but merchants don’t have to be compliant with them until December …

HHS’ Withdrawal of Breach Notification Regulations under the HITECH Act Creates Uncertainty

The Interim Final Rule for Breach Notification for Unsecured Protected Health Information, issued pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, was published in the Federal Register on August 24, 2009, and became effective on September 23, 2009. During the 60-day public comment period on the Interim Final Rule, HHS received approximately 120 comments. HHS reviewed …