By Jennifer Archie, Kevin Boyle, and Gail Crawford What are the data breach risks that are of the most concern to the hospitality industry? What is the US Federal Trade Commission’s jurisdictional authority and what enforcement tools do they have available when it comes to data security? Learn more about these issues and other top … Continue Reading
An August 2 webcast on Compliance and Enforcement in the Hospitality Industry looked at the FTC proceedings in the Wyndham Hotels matter and identified some key takeaways, while considering how similar issues might play out in the European Union. (For those unable to follow the live webcast, the full presentation is now available online.) Some … Continue Reading
On Thursday, the U.S. Senate failed to pass a motion to end debate on the Cybersecurity Act of 2012 by a vote of 52-46. Sponsors were unable to muster the 60 votes required to move forward with the legislation, following heavy lobbying against the bill by the U.S. Chamber of Commerce, the financial industry, and … Continue Reading
August 2 Webcast to Consider Risks and Responses A recent high-profile enforcement action by the Federal Trade Commission (FTC) provides meaningful context and occasion for examining data security risks in the hospitality industry. In late June, the FTC filed suit against global hospitality company Wyndham Worldwide Corp. and three of its subsidiaries for alleged data security … Continue Reading
By Jennifer Archie and Kevin Boyle The Cybersecurity Act of 2012 (S. 3414) moved one step closer to possible passage on Thursday when the United States Senate voted 84 to 11 to allow an open amendment process when the bill is taken up for floor debate, as early as next week. The bill still faces … Continue Reading
The French Data Protection Authority (CNIL) has issued a working document setting out its recommendations to companies contemplating the use of cloud computing services. This is in part the result of a public consultation carried out by the CNIL from October to December 2011. The guidance includes a checklist applicable to both private and public … Continue Reading
By Jennifer Archie and Suan Ambler-Ebersole Second Highest HIPAA Settlement Amount to Date and First Paid by a State The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced Tuesday that it had reached a settlement with Alaska’s state Medicaid agency, the Department of Health and Social Services (DHSS) for $1,700,000 … Continue Reading
By Kevin Boyle and Kee-Min Ngiam The SEC’s Staff of the Division of Corporation Finance recently issued guidance to help clarify public reporting companies’ disclosure obligations in the area of cybersecurity risks and cyber incidents. The guidance, which does not change existing disclosure obligations for public companies, should help company officers responsible for security, privacy, … Continue Reading
By Gail Crawford and Amy Taylor At the end of 2010, the UK Government raised the national threat level for cyber security risk to Tier One (the same tier as the terrorism threat) and announced it was allocating £650 million (around US $1 billion) to governmental cyber security measures and resilience developments. A recent report … Continue Reading
The American Institute of Certified Public Accountants (“AICPA”) Statement of Auditing Standard No. 70, or SAS 70 as it is more commonly known, has been with us since April 1992. On 15 June 2011, it will effectively be replaced by two new standards: (i) a reporting standard for service organisations, the “Statement on Standards for … Continue Reading
As online services Groupon and Facebook have recently learned, cybersquatters are more than a mere nuisance. Cybersquatting can disrupt or delay business expansion or operations, or compromise security and user experience. Groupon’s planned expansion to Australia was delayed for months because a clone site in Australia named Scoopon purchased the Groupon.com.au domain name, took the … Continue Reading
Whilst Tony Blair, the Prime Minister responsible for the Freedom of Information Act 2000 (FOIA) has described the legislation as one of the biggest mistakes of his career, the current UK government’s proposals, to be implemented via the Protection of Freedoms Bill, extend the Act to cover a wide range of bodies which have previously … Continue Reading
The recently released reports from the U.S. Department of Commerce and the Federal Trade Commission have focused important, and much needed attention, on privacy policies and legal compliance. Unfortunately, much of the substance is aspirational, rather than immediately operational. So, with the benefit of our collective client experience, we offer the following “Naughty or Nice” Checklist to get … Continue Reading
The Ponemon Institute is out with a new Intel-sponsored study concluding, among other things, that lost laptops cost U.S. organizations in excess of $2 billion a year. Yet, two-thirds of companies surveyed still do not take basic security precautions to protect laptops. A look at prior Ponemon work cited in the report suggests failing to … Continue Reading
We are often asked to review web site terms of use. Here are five provisions that often seem to be missing in action (in no particular order): No Scraping With automated screen scraping tools readily available, this data harvesting technique presents issues for websites that allow users to search for data. Even if … Continue Reading
On October 28, 2010, the Payment Card Industry Data Security Standard (PCI DSS) 2.0 was released. There are no new requirements, mostly the PCI Security Standard Council (“Council”) made wording clarifications throughout the 12 existing requirements. These changes go into effect January 1, 2011, but merchants don’t have to be compliant with them until December … Continue Reading
The Interim Final Rule for Breach Notification for Unsecured Protected Health Information, issued pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, was published in the Federal Register on August 24, 2009, and became effective on September 23, 2009. During the 60-day public comment period on the Interim Final Rule, HHS received approximately 120 comments. HHS reviewed … Continue Reading
