The Straits Times reported on 14 August that Singapore’s Personal Data Protection Commission (the “Commission”) is investigating a complaint from a user that Xiaomi has breached the Personal Data Protection Act 2012 (“PDPA”). This is believed to be the first investigation under the main PDPA rules unrelated to the Do Not Call registry which came …
Speakers: Jennifer Archie, Kevin Boyle, Gail Crawford & David Schindler. The legal and business consequences of recent high-profile data breaches are varied and severe. Today, lawyers and executives for large enterprises must assess and advise on complex multi-jurisdictional notification, investigation, litigation and remedial issues that arise following a major data breach incident. How are general …
By Kevin Boyle and Alex Stout. On Monday, the data security firm CrowdStrike released a new report pointing a digital finger at the Chinese Army for cyber espionage against western technology companies. It has long been known that some of the most serious cyber challenges stem from state-sponsored attacks using encryption, customized tools that anti-virus …
By Jennifer Archie, Kevin Boyle & Alex Stout. Yesterday, the Federal Trade Commission announced a settlement with Snapchat, the young mobile messaging company. The complaint alleges misrepresentations about functionality and related security as well as privacy violations, including misrepresenting the amount of data Snapchat collected from users and the use of location data for analytics …
By Kevin Boyle & Alex Stout. Hardly a day passes now without some new report of a security vulnerability and the breaches that inevitably follow, but Monday’s news about the two-year-old vulnerability in OpenSSL is (or should be) catching everyone’s attention. The problem is a coding error in a widely used cryptographic software library for …
By Jeremy M. Alexander, Natalie E. Brown & Susan A. Ebersole. The day all covered entities and business associates have been working toward is here: September 23, 2013, the deadline to comply with the changes in the HIPAA omnibus final rule, published on January 25, 2013. Here is a review of the top three compliance categories …
By Elizabeth Richards and Kevin Boyle. On June 14, 2013, the Food and Drug Administration (“FDA”) issued a draft guidance entitled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” (the “Guidance”). The Guidance was issued in response to growing concerns about IT vulnerabilities due to the increased use of wireless, Internet and network-connected …
By Susan Ambler Ebersole. HHS today published the long-awaited HIPAA/HITECH omnibus final rule. A pre-publication version of the Rule was released on January 17. The Rule is effective March 26, 2013, but covered entities and business associates have until September 23, 2013 to comply. While Latham & Watkins is still engaged in a comprehensive review …
By Jennifer Archie, Kevin Boyle, and Gail Crawford. What are the data breach risks of most concern to the hospitality industry? What is the US Federal Trade Commission’s jurisdictional authority, and what enforcement tools does it have available when it comes to data security? Learn more about these issues and other top …
An August 2 webcast on Compliance and Enforcement in the Hospitality Industry looked at the FTC proceedings in the Wyndham Hotels matter and identified some key takeaways, while considering how similar issues might play out in the European Union. (For those unable to follow the live webcast, the full presentation is now available online.) Some …
On Thursday, the U.S. Senate failed to pass a motion to end debate on the Cybersecurity Act of 2012 by a vote of 52-46. Sponsors were unable to muster the 60 votes required to move forward with the legislation, following heavy lobbying against the bill by the U.S. Chamber of Commerce, the financial industry, and …
August 2 Webcast to Consider Risks and Responses. A recent high-profile enforcement action by the Federal Trade Commission (FTC) provides meaningful context and occasion for examining data security risks in the hospitality industry. In late June, the FTC filed suit against global hospitality company Wyndham Worldwide Corp. and three of its subsidiaries for alleged data security …
By Jennifer Archie and Kevin Boyle. The Cybersecurity Act of 2012 (S. 3414) moved one step closer to possible passage on Thursday when the United States Senate voted 84 to 11 to allow an open amendment process when the bill is taken up for floor debate, as early as next week. The bill still faces …
The French Data Protection Authority (CNIL) has issued a working document setting out its recommendations to companies contemplating the use of cloud computing services. This is in part the result of a public consultation carried out by the CNIL from October to December 2011. The guidance includes a checklist applicable to both private and public …
By Jennifer Archie and Susan Ambler-Ebersole. Second Highest HIPAA Settlement Amount to Date and First Paid by a State. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced Tuesday that it had reached a settlement with Alaska’s state Medicaid agency, the Department of Health and Social Services (DHSS), for $1,700,000 …
By Kevin Boyle and Kee-Min Ngiam. The SEC’s Staff of the Division of Corporation Finance recently issued guidance to help clarify public reporting companies’ disclosure obligations in the area of cybersecurity risks and cyber incidents. The guidance, which does not change existing disclosure obligations for public companies, should help company officers responsible for security, privacy, …
By Gail Crawford and Amy Taylor. At the end of 2010, the UK Government raised the national threat level for cyber security risk to Tier One (the same tier as the terrorism threat) and announced it was allocating £650 million (around US $1 billion) to governmental cyber security measures and resilience developments. A recent report …
The American Institute of Certified Public Accountants (“AICPA”) Statement on Auditing Standards No. 70, or SAS 70 as it is more commonly known, has been with us since April 1992. On 15 June 2011, it will effectively be replaced by two new standards: (i) a reporting standard for service organisations, the “Statement on Standards for …
As online services Groupon and Facebook have recently learned, cybersquatters are more than a mere nuisance. Cybersquatting can disrupt or delay business expansion or operations, or compromise security and user experience. Groupon’s planned expansion to Australia was delayed for months because a clone site in Australia named Scoopon purchased the Groupon.com.au domain name, took the …
Whilst Tony Blair, the Prime Minister responsible for the Freedom of Information Act 2000 (FOIA), has described the legislation as one of the biggest mistakes of his career, the current UK government’s proposals, to be implemented via the Protection of Freedoms Bill, extend the Act to cover a wide range of bodies which have previously …
The recently released reports from the U.S. Department of Commerce and the Federal Trade Commission have focused important and much-needed attention on privacy policies and legal compliance. Unfortunately, much of the substance is aspirational rather than immediately operational. So, with the benefit of our collective client experience, we offer the following “Naughty or Nice” Checklist to get …
The Ponemon Institute is out with a new Intel-sponsored study concluding, among other things, that lost laptops cost U.S. organizations in excess of $2 billion a year. Yet two-thirds of companies surveyed still do not take basic security precautions to protect laptops. A look at prior Ponemon work cited in the report suggests that failing to …
We are often asked to review web site terms of use. Here are five provisions that often seem to be missing in action (in no particular order). No Scraping: With automated screen scraping tools readily available, this data harvesting technique presents issues for websites that allow users to search for data. Even if …
On October 28, 2010, the Payment Card Industry Data Security Standard (PCI DSS) 2.0 was released. There are no new requirements; the PCI Security Standards Council (“Council”) mostly made wording clarifications throughout the 12 existing requirements. These changes go into effect January 1, 2011, but merchants don’t have to be compliant with them until December …