Tag Archives: data security

Privacy and Product Counseling: 2020 in Review

By Kyle R. Fath, Gerald J. Ferguson and Nichole Sterling on December 17, 2020 Posted in Privacy

Summary Advising our clients on compliance with laws and regulations is, hands down, the most important aspect of our role as attorneys. In addition to seeking counsel on their obligations under laws and regulations, however – motivated by industry trends, utilization of and dependence on third-party services and platforms, and, this year, the COVID-19 pandemic … Continue Reading

New FTC Provides Insights Into Its Plan for a Balanced Approach to Data Privacy and Security

By Alan L. Friel, John Busch and Carolina Alonso on December 19, 2018 Posted in Federal Legislation, GDPR, Online Privacy

This year brought unprecedented focus on consumer privacy – the rollout of the European Union General Data Protection Regulation (GDPR), the Cambridge Analytica controversy and Congressional hearings, a GDPR-light law coming out of California, more and bigger security incidents, and multiple proposals for an omnibus federal data protection law. The Federal Trade Commission (FTC or … Continue Reading

11th Circuit Issues Opinion Vacating Order That Required LabMD to Overhaul Its Data Security Program

By Kathryn Carey and Aaron Lancaster on June 8, 2018 Posted in Cybersecurity, Medical Privacy

On June 6, the 11th Circuit issued its long-awaited decision on LabMD Inc. v. Federal Trade Commission, vacating as unenforceable the Federal Trade Commission’s (FTC’s) cease and desist order that required LabMD to create and implement a variety of protective measures with respect to data security. Notably, however, the decision did not address the most … Continue Reading

Deeper Dive: Using Response Time Metrics to Drive Incident Response Preparedness & Response Improvement

By Craig A. Hoffman on May 1, 2018 Posted in Data Security Incident Response

One of the most important metrics in our report is the incident response (IR) timeline, which tracks the average time it takes companies to detect, contain, fully investigate, and provide notification of the incident to individuals. The metric is valuable because it helps entities identify areas where they can improve before an incident occurs and … Continue Reading

FTC Blog Post Series Makes Common Sense Of Data Security

By Julie Hein on August 21, 2017 Posted in Cybersecurity, Data Breaches

Recently, data security experts and regulators have said that “businesses should use a common sense approach” when addressing data security. However, rarely do I hear clients or other business professionals speak in those terms. Many organizations find data security to be daunting. It does not have to be. In fact, it can be a matter … Continue Reading

Ways to Prevent & Prepare for Ransomware Attacks

By BakerHostetler on June 30, 2017 Posted in Ransomware

Ransomware was involved in 10 percent of the 450 breaches handled by our Privacy and Data Protection team in 2016. This week’s news about a global ransomware attack is another example that this trend is on the rise. Companies, governments and organizations around the world are grappling with what steps they should take to minimize … Continue Reading

Deeper Dive: Ransomware – WannaCry and the Future of Ransomware-as-a-Service

By Melinda L. McLellan and James A. Sherer on May 22, 2017 Posted in Cybersecurity, Data Breaches, Incident Response, Ransomware

In our 2017 BakerHostetler Data Security Incident Response Report, we addressed the increasingly ubiquitous scourge of ransomware, one of the fastest-growing types of malware causing data security incidents. We noted that ransomware attacks have been steadily expanding in both frequency and severity, and that those trends seemed set to continue for the foreseeable future. Less than a … Continue Reading

Babies and Baby-making, or Not… Privacy and Security Lessons for the Internet of Things

By Alan L. Friel on May 2, 2017 Posted in Internet of Things

What do babies, sex toys and wireless head phones have in common? Apparently, the privacy concerns of the Federal Trade Commission (FTC), state AGs and legislatures, class action plaintiffs, and consumer advocacy groups, at least when it comes to the Internet of Things (IoT). The IoT refers to consumer devices that are connected, directly or … Continue Reading

Latest Data Breach Settlement Illustrates Need for Companies to Prioritize Cybersecurity

By David M. Brown on August 24, 2016 Posted in Cybersecurity, Data Breaches, Enforcement, Online Privacy, Retail Industry

On Aug. 5, 2016, the New York attorney general, Eric Schneiderman, announced a $100,000 settlement with an e-retailer following an investigation of a data breach that resulted in the potential exposure of more than 25,000 credit card numbers and other personal information. According to the investigation, on Aug. 7, 2014, in an all-too-common scenario, an … Continue Reading

Unanimous FTC Finds LabMD’s Data Security Practices Violated Section 5 of the FTC Act

By Will R. Daugherty and David M. Brown on August 18, 2016 Posted in Cybersecurity, Enforcement, Medical Privacy, Online Privacy

On July 29, 2016, a unanimous Federal Trade Commission (“FTC” or “Commission”) issued its Opinion and Final Order reversing the decision of an administrative law judge (“ALJ”) and holding that LabMD engaged in “unfair” practices in violation of Section 5 of the FTC Act because it failed to provide reasonable and appropriate security for personal … Continue Reading

BakerHostetler Data Security Incident Response Report Reveals Being “Compromise Ready” Better Positions Companies to Respond to Incidents

By Theodore J. Kobus III on March 30, 2016 Posted in Incident Response, News, Online Privacy

On March 30, 2016, we released our second annual Data Security Incident Response Report. Key findings show that phishing/hacking/malware was the cause of 31% of data security incidents during 2015, revealing a shift from 2014 when human error was the leading cause. The report also continues the inaugural-year theme that no industry is immune to … Continue Reading

LabMD and Wyndham Decisions Curtail FTC’s Data Privacy and Security Reach

By Alan L. Friel and Gerald J. Ferguson on January 5, 2016 Posted in Children’s Privacy, HIPAA/HITECH, Online Privacy

Both the administrative law judge’s decision in LabMD and the Third Circuit’s recent decision in Wyndham, which we previously blogged about, put the FTC on notice that it cannot assume that in the wake of a security breach, allegedly inadequate data security will necessarily constitute an unfair practice under Section 5 of the FTC Act. Further, … Continue Reading

Incident Response Tip: Five Ways to Improve Information Security and Reduce the Impact of a Data Breach

By M. Scott Koller on December 30, 2015 Posted in Cybersecurity, Incident Response

The new year will arrive in a few short days and when the bell tolls, it will mark the end of another extremely active year of data breaches. High-profile breaches such as Anthem, Ashley Madison, and the Office of Personnel Management serve as a reminder that it is a matter of when, not if, your … Continue Reading

FCC’s Growing Privacy and Data Security Enforcement

By Patrick H. Haggerty and F. Paul Pittman on December 8, 2015 Posted in Data Breaches, Enforcement

The Federal Communications Commission (FCC) has had a busy 2015, and its presence in the data security regulatory enforcement space will likely continue to grow. Last year, the FCC named Travis LeBlanc as chief of the Enforcement Bureau. Since then, the FCC has brought three separate enforcement actions against companies for allegedly not safeguarding consumers’ … Continue Reading

A Deeper Dive: Data Security Incident? Don’t Panic

By Gerald J. Ferguson on August 17, 2015 Posted in Cybersecurity, Data Breaches, Incident Response

It’s 6 p.m. on a Friday and you get a call from your IT department. They have detected that an intruder has gained access to your company’s network. At this point, the headlines from the major data breaches of recent years may be flashing before you. You may be assuming the worst: regulatory investigations … … Continue Reading

Does the Government Have Carte Blanche to Retain Seized Data Indefinitely? In Amicus Brief to the Second Circuit, Policy Groups Argue No

By William W. Hellmuth on August 3, 2015 Posted in Information Security

On July 29, 2015, BakerHostetler filed an amicus brief with the Second Circuit on behalf of the Center for Democracy and Technology, joined by five prominent nonprofit public interest groups, for the en banc rehearing of United States v. Ganias, Case No. 12-240. In Ganias, the Court will grapple with arguments centering on whether the … Continue Reading

A Deeper Dive: Regulatory Investigations Following a Reported Breach

By Theodore J. Kobus III on June 2, 2015 Posted in Breach Notification, Incident Response, Information Security

In our inaugural Data Security Incident Response Report (the Report), we found that regulators inquired about a company’s breach 31% of the time and multi-state state Attorneys General investigations were launched less than 5% of the time. A post-breach investigation is not guaranteed. Certainly, in large, highly public incidents, companies can expect at least an … Continue Reading

To Err Is Human; to Indemnify, Divine?: Human Foibles in the Cloud

By Tanya Forsheit on May 19, 2015 Posted in Data Breaches, Incident Response, Information Security

BakerHostetler’s inaugural Data Security Incident Response Report (the “Report”) concluded that employee negligence and theft were two of the top five causes of data security incidents for the more than 200 incidents that we handled in 2014. Needless to say, this raises some important and concerning questions when it comes to the cloud. We note … Continue Reading

The DOJ Sets Out to Establish Standard for Data Security Incident Response and Preparation

By F. Paul Pittman on May 14, 2015 Posted in Data Breaches, Incident Response

Editor’s Note: The author is the most recent attorney to join our Privacy and Data Security Team. Paul represents clients in responding to potential data security incidents, counsels on incident response preparedness, and works with clients to develop appropriate policies to ensure compliance with applicable law, industry standards, or self-regulatory guidelines. He also counsels clients … Continue Reading

BakerHostetler’s First Data Security Incident Response Report Shows Human Error is Most Often to Blame

By Theodore J. Kobus III, Gerald J. Ferguson and Craig A. Hoffman on May 7, 2015 Posted in Incident Response

We are pleased to announce the release of the first BakerHostetler Data Security Incident Response Report, which provides insights generated from the review of more than 200 incidents that our law firm advised on in 2014. It looks at the nature of the threats faced by companies, as well as detection and response trends, and … Continue Reading

Secret Service Raises Warning About Backoff POS Malware

By Craig A. Hoffman on August 25, 2014 Posted in Information Security, Online Privacy, Retail Industry

The Secret Service, which investigates financial crimes, issued a security Alert on July 31, 2014, warning of malware named “Backoff” that was being used to steal payment card data from point-of-sale (POS) systems. The Alert notes that the attackers often gain initial network access by stealing or brute-forcing the passwords for remote desktop applications (e.g., … Continue Reading

Something Wicked This Way Comes – Dark and Dusty Data and the Risk Your Organization Already Owns

By BakerHostetler on December 16, 2013 Posted in Data Breaches

This blog post is a joint submission with BakerHostetler’s Discovery Advocate blog. Authored by: James Sherer During the final panel of Thomson Reuters’ 17th Annual eDiscovery & Information Governance in Practice Forum, Thomas Barnett, Ignatius Grande, and Sandra Rampersaud led a lively discussion on Managing Big Data, Dark Data, and Risk. And while the exchange … Continue Reading

Court Denies Motion for Class Certification in Hannaford

By Erica Gann Kitaev on April 4, 2013 Posted in Data Breaches

Editor’s note: This is a cross-blog post with BakerHostetler’s Class Action Lawsuit Defense blog. For the latest class action defense updates, visit www.ClassActionLawsuitDefense.com. In an order surely to reverberate with both the plaintiffs’ and defense bar, on March 20, 2013, Judge D. Brock Hornby of the United States District Court for the District of Maine … Continue Reading

Be Prepared: Redline Version of the HIPAA/HITECH Final Rule

By Theodore J. Kobus III on January 22, 2013 Posted in HIPAA/HITECH, Medical Privacy

The final rule is significant for any organization that is considered to be a HIPAA covered entity (“CE”) (health systems, health care providers, health plans, etc.) or the more broadly defined business associate (“BA”). During our initial analysis of the final rule, we note significant changes to the way a breach is defined and we … Continue Reading