
Security Breach

Cyber Alert: Breach Investigations, Part 2 – Understanding the Role of the PFI in Payment Card Breaches - Law360 Article by Kim Peretti

This article is the second in a four-part series describing some of the challenges of conducting breach investigations in response to increasingly sophisticated attacks. In Part 1, entitled Right-Sizing the Data Breach Investigation and published with Law360 on March 26, 2013, we provided an overview of the evolving advanced cyber threat landscape and the three common breach response scenarios (internal investigations to fix technical problems, investigations to assess payment card exposure, and investigations to determine compliance with state data breach notification statutes). This Part 2 takes a closer look at responses involving payment card breaches, both because of their unique nature and because of their potentially grave implications.


Written by Jim Harvey, Partner, Privacy & Data Security | Alston & Bird LLP

Cyber Alert: Breach Investigations, Part 1: Right-Sizing the Data Breach Investigation – Law360 Article by Kim Peretti

April 1, 2013 | Posted by Security Incident Management & Response Team | Topic(s): Security Breach, US State Law, Data Security, Cybersecurity, Data Breach, Cybercrime

In the age of targeted intrusions, sophisticated criminal and nation-state actors often compromise hundreds of systems within a single company's environment. However, companies often see only a small portion of the entire incident, because their response to such intrusions can be, and often is, shaped too narrowly by state security breach notification requirements, by industry rules governing payment card breaches, and by the absence of any direct legal obligation requiring a more comprehensive review. A company with a less-than-complete understanding of the nature and scope of an intrusion is exposed when the criminals revisit the enterprise for further exploitation, or when regulators and class-action plaintiffs begin probing the details of the company's response.

Written by Security Incident Management & Response Team | Alston & Bird LLP

Kim Peretti Interviewed by BankInfoSecurity About her Discussion at the 2013 RSA Conference

February 28, 2013 | Posted by Security Incident Management & Response Team | Topic(s): Security Breach, Data Security, Data Breach, Cybercrime, Data Protection

On February 27, Alston & Bird's Kim Peretti spoke at the 2013 RSA Conference. Afterwards, Kim was interviewed by BankInfoSecurity about her presentation. In the video interview, entitled "Tips and Tools for Breach Investigations," Peretti discusses:

  • Areas most frequently overlooked;
  • Lessons learned from recent investigations;
  • Technology tools to aid investigators.


Written by Security Incident Management & Response Team | Alston & Bird LLP

Singapore Amends Computer Misuse Act to Counter Cybersecurity Threat

On January 14, 2013, Singapore passed an amendment to the Computer Misuse Act (now renamed the Computer Misuse and Cybersecurity Act), which gives the government additional authority to prevent, detect and counter cyber attacks on critical infrastructure. A key aspect of the law is the government's ability to direct a person or organization to take specific steps, including exercising certain powers under the Criminal Procedure Code, to prevent, detect or counter a cyber threat where the threat relates to certain types of critical infrastructure. Such broad authority could encompass directing companies to conduct "pre-emptive" strikes or take other measures before the onset of an imminent cyber attack. Importantly, the law confers immunity from civil or criminal liability for acts done in fulfilling an obligation under the law, but it also provides criminal penalties for failing to comply.


Fourth Circuit Keeps Government Investigation Into WikiLeaks Sealed

Last week the United States Court of Appeals for the Fourth Circuit halted an attempt by three individuals involved in the ongoing WikiLeaks investigation to make information about the investigation public. Specifically, the three users sought to unseal the prosecution's request for a court order requiring Twitter to disclose certain account information, including the three users' personal identifying information and account details, as well as all messages they sent and received using the service. The prosecution's request would have set out its reasoning for suspecting the three users' involvement, and may have revealed how the investigation has been conducted. The users also moved to unseal any other orders issued to other companies demanding that similar information be turned over to the government.


The Omnibus HIPAA Rule: An Alston & Bird LLP Checklist For Getting Started

Alston & Bird has developed a checklist tool to assist Covered Entities, Business Associates and Subcontractor Business Associates in planning their implementation of the January 25, 2013 Omnibus HIPAA Rule. The Omnibus HIPAA Rule significantly amended the HIPAA/HITECH Act Privacy, Security, Breach Notification and Enforcement Rules, as summarized in an Alston & Bird HIPAA Advisory issued on January 25, 2013.


Alston & Bird Health Care Advisory: HIPAA/HITECH Act Omnibus Final Rule

Last week, we blogged about the U.S. Department of Health & Human Services putting on display at the Office of Federal Register the long-awaited “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules” (the “Omnibus Rule”). Today, the Omnibus Rule was published in the Federal Register – and Alston & Bird has issued a Health Care ADVISORY on the Omnibus Rule. The Health Care ADVISORY can be found on our website at: www.alston.com/advisories/healthcare-HIPAA/HITECH-Act-Omnibus-FinalRule

Written by Paula Stannard, Counsel, Privacy & Data Security | Alston & Bird LLP

Cyber Alert: Legal Issues with Emerging Active Defense Security Technologies

January 22, 2013 | Posted by Maki DePalo | Topic(s): Advisories, International, Security Breach, Data Security, Cybersecurity

There is an adage that "the best defense is a good offense." Many companies are taking this to heart as they become increasingly frustrated with the limitations of today's commonly deployed passive countermeasures and other defensive technologies. Emerging offensive technologies, generally called "active defense technologies," offer considerable promise in identifying and taking meaningful action against sophisticated assailants. There are, however, serious questions about the legality of these solutions that, in certain instances, could leave users of these technologies criminally liable. Active defense technologies that employ "hack backs," in which the defender accesses systems it does not own or control, are of particular concern.


U.S. Secret Service and Texas Bankers Electronic Crimes Task Force Release Best Practices for Reducing the Risks of Corporate Account Takeovers

Since it was first identified in 2006, the financial services sector has been battling a form of cybercrime known as "corporate account takeover," in which cyber criminals target employees of businesses and induce them to run malicious software ("malware") that steals their online banking credentials. Armed with these credentials, the criminal is able to compromise the target's financial account and electronically steal money from business accounts, often via unauthorized wire transfers and ACH payments.


The HIPAA/HITECH Act Privacy Rule Is Here!

The long wait for the HIPAA/HITECH Act Omnibus Final Rule is finally over. It went on display at the Office of the Federal Register late on Thursday, January 17, 2013, and will be published in the January 25, 2013 edition of the Federal Register.

As anticipated, the Omnibus Final Rule contains modifications to:


The Personal Data Protection Act 2012 Comes Into Effect in Singapore

On October 15, 2012, the Singapore Parliament passed the Bill for the Personal Data Protection Act 2012. The enactment of this Act is a fundamental shift in Singapore's approach to data protection, away from the previous sectoral approach and toward a more European-style general data protection regime. The Act aims to establish a framework for personal data protection built on recognized data protection concepts such as consent, withdrawal of consent, notification of purpose, and access to and correction of personal data.


OCC Issues an Alert on DDoS Attacks

The Office of the Comptroller of the Currency (OCC), an independent bureau of the U.S. Department of the Treasury, recently released an alert to CEOs of all national banks, federal branches and agencies, and associated interested parties, calling for a heightened sense of awareness and offering risk mitigation information in response to a series of sophisticated DDoS attacks.


FTC Files Complaint Against Wyndham Worldwide Corp. for Data Breach

June 29, 2012 | Posted by gilly.segal@alston.com | Topic(s): Online Privacy, Federal Trade Commission (FTC), Security Breach, Data Security, Financial Privacy, Data Breach

On June 26, 2012, the Federal Trade Commission ("FTC") filed a complaint in federal district court in Arizona against Wyndham Worldwide Corporation and three subsidiaries ("Wyndham") alleging that the company's failure to adequately safeguard customers' personal information led to millions of dollars in fraud losses.


Vermont and Connecticut Add Attorney General Notification to Data Breach Notice Statutes

June 12, 2012 | Posted by Bruce Sarkisian | Topic(s): Security Breach, US State Law, Data Breach

In what appears to be a growing trend, Vermont and Connecticut have added a requirement to separately notify the state Attorney General's office of a data breach involving the personal information of Vermont and Connecticut residents, respectively. Last year, California amended its data breach notification statute with a similar requirement.


House Committee on Intelligence Overwhelmingly Passes Cybersecurity Legislation

Yesterday, the House Intelligence Committee passed H.R. 3523, the Cyber Intelligence Sharing and Protection Act of 2011, by a nearly unanimous vote of 17-1. The legislation, which was introduced Wednesday by Committee Chairman Mike Rogers (R-MI) with the support and cosponsorship of a bipartisan group of 28 House members, would provide for the sharing of certain classified cyber threat intelligence and information between the U.S. Government's intelligence community and approved private sector companies and organizations. During the Committee's markup of the bill, two amendments were approved by voice vote. The first, introduced by Chairman Rogers and Ranking Member Dutch Ruppersberger (D-MD), enhances the privacy protections in the bill by restricting the government's use of information provided to it by private parties. The second, introduced by Mike Thompson (D-CA), would require an annual report to Congress from the Inspector General of the Intelligence Community on information voluntarily provided by the private sector to the government, to confirm that it was shared for cybersecurity purposes. These reports would aid the Intelligence Committee in exercising proper Congressional oversight of the program going forward.


House Republican Cybersecurity Task Force Releases Recommendations

This afternoon the House Republican Cybersecurity Task Force announced a report containing its recommendations on federal cybersecurity legislation pursuant to a request by the House Republican leadership to examine four critical areas: critical infrastructure and incentives, information sharing and public-private partnerships, existing cybersecurity laws, and legal authorities.


Illinois and California Breach Notification Laws Add Specifics

September 8, 2011 | Posted by Bruce Sarkisian | Topic(s): Legislation, Security Breach, US State Law, Data Breach

The Illinois breach notification law was amended on August 22 to add specifics for breach notifications to Illinois residents. Notifications must now include contact information for the credit reporting agencies and the Federal Trade Commission, as well as a statement that the individual can obtain information from these sources about fraud alerts and security freezes. The amended statute also requires a third party that stores (but does not own or license) personal data to cooperate with the owner or licensee of that data in matters related to the breach. This includes informing the owner or licensee of the breach, its approximate date and its nature, as well as any steps the third party has taken in response. The third party is not required to disclose any trade secrets or to notify the individuals affected by the breach. Finally, the statute adds a new provision on the disposal of media containing personal information. Under the amended statute, such media (whether paper or electronic) must be disposed of in a way that renders the information "unreadable, unusable and undecipherable."

Similarly, on August 31, California amended its data breach notification law to add notification specifics. The California law now requires notifications to be written in plain language and to state the dates of the breach and the types of personal information that were exposed. Further, the notification must inform affected individuals of what was done to protect them and provide advice on what they can do to protect themselves. If a breach affects more than 500 California residents, it must also be reported to the Attorney General's office.

Department of Commerce Issues "Cybersecurity, Innovation and the Internet Economy" Green Paper

June 14, 2011 | Posted by Gilly.Segal@alston.com | Topic(s): Security Breach, Department of Commerce (DOC), Data Security, Cybersecurity, Data Breach

The Department of Commerce’s Internet Policy Task Force issued a green paper entitled “Cybersecurity, Innovation and the Internet Economy." The green paper recommends a new framework for addressing internet security issues for companies other than those that are considered part of the critical infrastructure. The term critical infrastructure refers generally to the defense, energy and financial sectors, transportation networks, and the like, as set forth in the Cybersecurity Legislative Proposal delivered by the Obama administration to Congress in May.


2010 Post-Election Advisory: Outlook for the 112th Congress

The preeminent privacy issue facing the House Energy and Commerce Committee, Senate Commerce Committee, Federal Trade Commission (“FTC”) and Department of Commerce during the 112th Congress will be defining the proper role of the federal government in setting and regulating consumer privacy standards for all businesses operating in the United States. At the forefront of this issue is whether Congress and Obama Administration departments and agencies can agree upon a general framework and legislative language to regulate the collection, use and disclosure of consumer data by businesses, whether they are operating exclusively online, exclusively offline or in both environments. “Every business that sells to consumers likely collects some data on them that they use to enhance their future product and service offerings in order to grow their revenue and expand their customer base. Over the past two years, Congress has been considering legislation that would establish new rules to regulate this important customer relationship, making consumer privacy legislation in the next Congress one of the key issues with broad applicability to businesses, and one issue to which executives will want to pay close attention,” observed former Senate Majority Leader Bob Dole.


States Adopting Aggressive New Privacy and Data Security Laws and Regulations

This advisory summarizes selected state legislative and regulatory developments regarding corporate data privacy and security obligations. A series of new laws and regulations enacted in recent months require, among other things: (a) encryption of personal information on laptops, PDAs and portable media, including flash drives; (b) encryption of personal information transmitted over the Internet; (c) development and publication of Social Security Number (SSN) privacy protection policies; and (d) specific measures to protect the confidentiality and security of employee SSNs. These laws and regulations carry significant statutory penalties for violations and, in some states, the possibility of businesses facing private rights of action for noncompliance. This advisory provides a brief update on these developments in the states of Massachusetts, New York, Nevada, Connecticut and Texas.

The advisory is provided in PDF on the Alston & Bird web site: http://www.alston.com/privacy_advisory_aggressive_laws