This article is the second in a four-part series describing some of the challenges to conducting breach investigations in response to increasingly sophisticated attacks. In Part 1, entitled Right-Sizing the Data Breach Investigation and published with Law360 on March 26, 2013, we provided an overview of the evolving advanced cyber threat landscape and the three common breach response scenarios (internal investigations to fix technical problems, investigation to assess payment card exposure, and investigations to determine compliance with state data breach notification statutes). This Part II takes a closer look at responses involving payment card breaches—both because of their unique nature and their potentially grave implications.
Please click the following link for a full version of Understanding the Role of the PFI in Payment Card Breaches.
Written by Jim Harvey, Partner, Privacy & Data Security | Alston & Bird LLP
In the age of targeted intrusions, sophisticated criminal and nation-state actors are often compromising hundreds of systems within a single company’s environment. However, companies are often only seeing a small portion of the entire incident, as their response to such invasions can be, and often is, too narrowly shaped by state security breach notification requirements, industry rules governing payment card breaches and the absence of a direct legal obligation requiring a more comprehensive review. If a company has a less-than-complete understanding of the nature and scope of the intrusion, it could be exposed when the criminals revisit the enterprise for further exploitation or when regulators and class-action plaintiffs begin probing into details of the company’s response. Please click the following link for a full version of Cyber Alert: Breach Investigations, Part 1: Right-Sizing the Data Breach Investigation.
Written by Security Incident Management & Response Team | Alston & Bird LLP
A California State Assembly Member has proposed legislation that would require online privacy policies to be no more than 100 words, be written in clear and concise language, be written at no greater than an 8th grade reading level, and include a statement indicating whether personally identifiable information may be sold or shared with others and, if so, how and with whom the information may be shared. California A.B. 242 was introduced by Assemblyman Ed Chau on February 6 and would amend the California Online Privacy Protection Act (Cal. Bus. and Prof. Code § 22575) with the new requirements. The bill has not yet been referred to a committee, but likely will be within the next few weeks. Assemblyman Chau was recently named Chair of the Assembly Select Committee on Privacy.
The amendments would not change the existing provisions of the statute, which requires operators of commercial websites that collect personal information to “conspicuously” post privacy policies detailing the categories of personal information collected.
Written by Bruce Sarkisian, Associate, Technology, Privacy & IP Transactions | Alston & Bird LLP
January 10, 2013 – California Attorney General Kamala Harris today issued “Privacy on The Go: Recommendations For The Mobile Ecosystem,” the goal of which is to provide mobile app developers and other parties with guidance for considering privacy early in the app development process.
Not surprisingly, the guidance recommends minimizing data collected by apps, developing a privacy policy that is clear, accurate, and conspicuous and “minimizing surprise” by drawing users’ attention to data practices that may be unexpected and enabling them to make meaningful choices.
On August 14, 2012, Governor Andrew M. Cuomo signed a series of bills designed to enhance personal privacy protections and combat consumer fraud. A key piece of the legislative package safeguards Social Security Numbers by limiting their collection and dissemination to certain entities that have a public or practical interest in the information, including the state of New York and its political subdivisions, certain federally regulated entities and banking institutions.
In what appears to be a growing trend, Vermont and Connecticut have added a requirement to separately notify the state Attorney General's office of a data breach involving the personal information of Vermont and Connecticut residents. Last year, California amended its data breach notification statute with a similar requirement.
On May 23, Illinois followed in Maryland’s footsteps to become the second state to pass a law prohibiting employers from asking employees or job applicants for their passwords to social networking websites. Although the Illinois governor must still approve the legislation before it goes into effect, approval seems imminent given the Illinois Senate’s unanimous passage of the measure. Many other states including New York, California, Washington, Ohio, and Delaware, and both houses of Congress, are currently debating similar proposals.
The United States Supreme Court Rules that Certain GPS Surveillance Constitutes a Search under the Fourth Amendment
The United States Supreme Court’s decision in U.S. v. Jones, 132 S. Ct. 945 (2012), reveals deep fractures in the Court’s Fourth Amendment jurisprudence. Although all members of the Court upheld the D.C. Circuit’s decision that a Fourth Amendment search occurred under the facts presented, they split in their fundamental reasoning in reaching that conclusion. In sum:
The Illinois breach notification law was amended on August 22 to add specifics for breach notifications to Illinois residents. The notifications now must include contact information for the credit reporting agencies and the Federal Trade Commission as well as a statement that the individual can obtain information from these sources about fraud alerts and security freezes. The amended statute also requires a third party that stores (but does not own or license) personal data to cooperate with the owner or licensee of that data in matters related to the breach. This includes informing the owner or licensee of the breach, the approximate date of the breach and the nature of the breach as well as any steps the third party has taken with regard to the breach. The third party is not required to either disclose any trade secrets or inform anyone affected by the breach. Finally, the statute adds a new provision regarding disposal of media containing personal information. Under the amended statute, such media (either paper or electronic) must be disposed of in a way that renders the information “unreadable, unusable and undecipherable.”
Similarly, on August 31, California also amended its data breach notification law to add notification specifics. The California law requires notifications to be written in plain language, contain specific information about the dates of the breach, and list the types of personal information that were breached. Further, the statute now requires that the notification inform affected individuals of what was done to protect them and provide advice on what the individuals can do to protect themselves. If a breach affects more than 500 California residents, it must be reported to the Attorney General’s office.
Employee privacy rights may soon be bolstered around the nation. Recently, lawmakers in almost half of the states have proposed or approved restrictions on an employer’s use of the credit history of applicants and employees when making employment decisions. Until 2007, employers in every state could lawfully assess an individual’s credit information when making employment decisions. However, in 2007, Washington became the first of several states to enact legislation restricting such activity. The Washington law prohibits an employer from procuring an employee’s or applicant’s credit history unless the information is job related or required by law. Hawaii passed a similar law in 2009, and Illinois and Oregon followed suit in 2010.
October 7, 2008 | Posted by Paul Martino | Topic(s): Advisories, Online Privacy, Legislation, Security Breach, US State Law, Workplace Privacy, Data Security, Mobile Technologies, Privacy, Mobile Privacy
This advisory summarizes selected state legislative and regulatory developments regarding corporate data privacy and security obligations. A series of new laws and regulations enacted in recent months require, among other things: (a) encryption of personal information on laptops, PDAs and portable media, including flash drives; (b) encryption of personal information transmitted over the Internet; (c) development and publication of Social Security Number (SSN) privacy protection policies; and (d) specific measures to protect the confidentiality and security of employee SSNs. These laws and regulations carry significant statutory penalties for violations and, in some states, the possibility of businesses facing private rights of action for noncompliance. This advisory provides a brief update on these developments in the states of Massachusetts, New York, Nevada, Connecticut and Texas.
The advisory is provided in PDF on the Alston & Bird web site: http://www.alston.com/privacy_advisory_aggressive_laws