Archives: Information Security


OCR Guidance on Use of Tracking Technologies Warrants Review of Website Tech

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) issued guidance regarding covered entities’ and business associates’ use of tracking technologies (the Guidance). As discussed in greater detail below, the Guidance reveals OCR’s position that an IP address is not just an identifier but is itself individually identifiable health information (IIHI) …

The Impact of Data Security Incident Trends on Commercial Transactions: Part II – Development Agreements

The 2021 edition of BakerHostetler’s annual Data Security Incident Response Report – a report based on the firm’s experience with data security incident response and litigation over the past year – features a number of important insights previously covered in this blog, including trends in global breach notification, healthcare industry risks and ransomware. The report is …

CPRA Rulemaking Begins with an Invitation by the New California Privacy Protection Agency

By Justin Yedor, Stanton Burke, and Jeewon K. Serrato. For businesses awaiting guidance on how to comply with the California Privacy Rights Act (the “CPRA”), the new California Privacy Protection Agency (“CPPA”) began the rulemaking process on September 22, 2021 with an Invitation for Preliminary Comments on Proposed Rulemaking (the “Invitation for Comment”). In the …

SEC Cybersecurity Actions Against Registered Firms for Business Email Compromises Emphasize Importance of MFA

On August 30, 2021, the Securities and Exchange Commission (“SEC”) announced three settled orders against several investment advisers, broker-dealers, and dual registrants for violations of Regulation S-P allegedly resulting from business email compromises that each exposed or potentially exposed the personal information of thousands of customers.[1] These enforcement actions underscore the following lessons for broker-dealers and …

Everything Data!

Thank you to our clients and relationships, as well as to the BakerHostetler team who made the creation of the new Digital Assets and Data Management (DADM) Practice Group possible. In a world dependent on data, this group takes a 360-degree approach to the delivery of services and counsel to clients on how they manage …

The Video Privacy Protection Act: Watching the Courts Through Crossed Eyes

The Video Privacy Protection Act (VPPA), passed by Congress in 1988, is intended to prevent a “video tape service provider” from “knowingly” disclosing an individual’s “personally identifiable information” (PII) to third parties where that individual “requested or obtained … video materials,” such as “prerecorded video cassette tapes or similar audio visual materials.” At the time …

California Facebook Decision At Odds With Illinois Courts

On February 26, 2018, the United States District Court for the Northern District of California denied Facebook, Inc.’s motion to dismiss the plaintiffs’ consolidated class action complaint for failure to allege a concrete injury in fact under Federal Rule of Civil Procedure 12(b)(1). Plaintiffs alleged Facebook’s “Tag Suggestions” violated the Illinois Biometric Information Privacy Act …

Colorado Proposes Cybersecurity Requirements for Investment Advisers and Broker-Dealers

On March 27, 2017, the Colorado Department of Regulatory Agencies proposed changes to the Colorado Securities Act that would impose new cybersecurity requirements on investment advisers and broker-dealers (the “Proposed Rule”). Among other obligations, the Proposed Rule would require these entities to include cybersecurity as part of their risk assessments, and establish and maintain written …

FTC’s $2.2m Smart TV Settlement Signals Continued IoT Enforcement Focus

On February 6, 2017, the Federal Trade Commission announced that it had settled charges against VIZIO, Inc., a consumer electronics manufacturer of Internet-connected televisions. The FTC alleged that VIZIO unfairly tracked sensitive TV viewing data of millions of American consumers, and deceptively failed to disclose how the collected data was being used. This action was …

Finalized New York Department of Financial Services Cybersecurity Regulation to Take Effect March 1

On February 16, 2017, the New York Department of Financial Services (NYDFS) announced the release of its finalized Cybersecurity Requirements for Financial Services Companies (“Cybersecurity Regulation”), which will take effect on March 1, 2017. This final iteration, issued following an additional 30-day comment period, is in large part the same as the revised version dated …

New York Department of Financial Services Sets Forth Extensive Cybersecurity Regulatory Framework Proposal

On November 9, 2015, the New York State Department of Financial Services (NYDFS) issued a letter to the members of the Financial and Banking Information Infrastructure Committee (FBIIC) detailing a new cybersecurity framework proposal for “covered entities,” or financial institutions regulated by NYDFS. The framework builds on data from NYDFS reports surveying cybersecurity programs from …

2015 BakerHostetler Security Incident Response Report Provides Insight Beyond Technical Incidents

There is no longer a debate – security incidents are inevitable. Organizations are working to be better prepared to respond when the first sign of an incident is detected (often at 4:30 p.m. on a Friday). So what kind of incidents should they prepare for and how should they prepare? Annual reports from forensic investigation …

Does the Government Have Carte Blanche to Retain Seized Data Indefinitely? In Amicus Brief to the Second Circuit, Policy Groups Argue No

On July 29, 2015, BakerHostetler filed an amicus brief with the Second Circuit on behalf of the Center for Democracy and Technology, joined by five prominent nonprofit public interest groups, for the en banc rehearing of United States v. Ganias, Case No. 12-240. In Ganias, the Court will grapple with arguments centering on whether the …

As FCC Flexes New Consumer Protection and Privacy Regulatory Enforcement Muscles Against ISPs, Some Call for Expanded Authority Over Online Services

The Federal Communications Commission (FCC) has imposed a record $100M forfeiture fine against a global telecommunications company for alleged deceptive data plan promotions. The FCC’s fine comes on the heels of revisions to its 2010 Open Internet rules that expanded its enforcement authority over “telecommunications service” providers to cover broadband Internet service providers (ISPs). Under …

A Deeper Dive: Regulatory Investigations Following a Reported Breach

In our inaugural Data Security Incident Response Report (the Report), we found that regulators inquired about a company’s breach 31% of the time and multistate Attorneys General investigations were launched less than 5% of the time. A post-breach investigation is not guaranteed. Certainly, in large, highly public incidents, companies can expect at least an …

To Err Is Human; to Indemnify, Divine?: Human Foibles in the Cloud

BakerHostetler’s inaugural Data Security Incident Response Report (the “Report”) concluded that employee negligence and theft were two of the top five causes of data security incidents for the more than 200 incidents that we handled in 2014. Needless to say, this raises some important and concerning questions when it comes to the cloud. We note …

SEC Adopts Rules to Improve Systems Compliance and Integrity

On November 19, 2014, the Securities and Exchange Commission (SEC) unanimously voted to adopt Regulation Systems Compliance and Integrity (Reg SCI), which will govern the technology infrastructure of the U.S.’s securities exchanges and certain other trading platforms and market participants.[1] Reg SCI will supersede and replace the SEC’s current Automation Review Policy (ARP). The new …

#Ubergate Makes Plain That Privacy Cannot Be a Passing Thought for Start-Ups

The long-brewing behind-the-scenes tensions of privacy, big data, and mobile finally came to a head last week in the public relations disaster known as #Ubergate. Uber’s meteoric rise to the pinnacle of the rideshare start-up economy has been fueled in part by its collection and usage of sensitive consumer geolocation information. An Uber executive’s recent …

Indecent Exposure: FTC Obtains Injunctions Against Debt Brokers for Improperly Published Consumer Information

On November 12, 2014, the Federal Trade Commission announced that the District Court for the District of Columbia had entered preliminary injunctions against two debt sellers which, together, had improperly posted personal information of over 70,000 consumers online. The FTC filed complaints seeking permanent injunctions and other equitable relief against Cornerstone and Co., LLC, and …

Secret Service Raises Warning About Backoff POS Malware

The Secret Service, which investigates financial crimes, issued a security Alert on July 31, 2014, warning of malware named “Backoff” that was being used to steal payment card data from point-of-sale (POS) systems. The Alert notes that the attackers often gain initial network access by stealing or brute-forcing the passwords for remote desktop applications (e.g., …

New Guidance for Merchants on Ensuring that Service Providers Share Security Responsibility

For merchants, long gone are the days of using a card reader with a dial-up connection to their payment processor. Today’s omni-channel retailers rely on multiple third-party service providers to complete payment card transactions. These third parties—call center operators, payment gateways, loyalty solution providers, managed security services, data-center hosts, mobile app developers, and fraud …

What Companies Can Do to Protect Themselves in the Face of Yet Another Massive Data Breach

Last week it was reported that a small group of Russian computer hackers illegally obtained an unprecedented quantity of internet credentials, including 1.2 billion username and password combinations, and over 500 million unique email addresses. The compromised companies have not yet been identified, but it is believed that the information came from over 420,000 websites. …

Major Transformation in Cyber-Liability Insurance is Underway

Editor’s Note: The following blog post was authored by Ben Beeson of Lockton Companies LLC. In the beginning: The emergence of the Internet as a business platform at the end of the nineties also announced the arrival of new risks to organizations. In those early days, there was a widely held belief that the primary concern was operational, …

Florida Gives Breach Notification Statute More Teeth

On June 20, 2014, Florida Governor Rick Scott signed the Florida Information Protection Act of 2014 (“FIPA”), which will repeal Florida’s current breach notification statute at Fla. Stat. § 817.5681 and replace it with a new statute at Fla. Stat. § 501.171 effective July 1, 2014. On the same day, Governor Scott also signed SB …