Data Security

New California Law Expands Data Security Requirements, SSN Protections and Breach Notification Obligations

On September 30, 2014, the Governor of California signed Assembly Bill 1710, which made three small but important changes to the state’s privacy laws.  The bill:  (1) amended California’s breach notification law to require that the notifying entities offer identity theft protection services to affected individuals in certain cases; (2) required California businesses that “maintain” personal information on state residents to adopt reasonable security procedures to protect that personal information (a requirement that previously only applied to businesses that own or license such data); and (3) amended the state’s Social Security Number (“SSN”) protection law to prohibit the sale or advertisement for sale of such numbers, with limited exception.  The bill will become effective January 1, 2015.  Having been the first state to enact a breach notification law, California continues to be at the cutting edge of state efforts to deal with cybersecurity.  

Kim Peretti authors Bloomberg BNA article on Cyber Threat Intelligence and Information Sharing

September 5, 2014 | Posted by Security Incident Management & Response Team | Topic(s): Data Security, Cybersecurity, Privacy

Kim Peretti, co-chair of the firm’s Security Incident Management & Response Team, authored (with contributions from associate Lou Dennig) the Bloomberg BNA article, “Cyber Threat Intelligence: To Share or Not to Share—What Are the Real Concerns?” In the article, Peretti discusses the importance of exchanging cyberthreat information and the concerns relating to information sharing, and provides guidance for companies on mitigating the potential risks of this information sharing.

Posted by Security Incident Management & Response Team | Alston & Bird LLP

Alston & Bird Hosting Event: The Evolving Cyber Insurance Market: Key Issues and Challenges

September 3, 2014 | Posted by Security Incident Management & Response Team | Topic(s): Events, Data Security, Cybersecurity, Privacy, Department of Homeland Security (DHS)

Kim Peretti, partner and co-chair of the firm’s Security Incident Management and Response Team, will moderate a panel discussion during this September 11 event. The featured speakers are Tom Finan, Senior Cybersecurity Strategist and Counsel with the U.S. Department of Homeland Security, and Sean Hyatt, counsel in the firm’s Litigation & Trial Practice Group and a member of the Insurance Litigation & Regulation Team.

Kim Peretti Interviewed by BankInfoSecurity

August 28, 2014 | Posted by Security Incident Management & Response Team | Topic(s): Data Security, Cybersecurity, Privacy, Data Breach, Privacy Policy

Kim Peretti, co-chair of the firm’s Security Incident Management & Response Team, was interviewed by BankInfoSecurity about what boards must know about security issues and how to keep directors risk-aware.

In the interview, titled “Cybersecurity: What Boards Must Know,” Peretti discusses what directors don't know about security, the pre- and post-breach responsibilities of boards, and how to educate the board - and when. "[Boards] have an awareness of the threat out there," Peretti said. "But what they're struggling with - what they don't know - is what is the risk that the [threat] has to any particular organization, how do you mitigate that risk, and how do you respond to it?"

Secret Service Estimates in Follow-Up Advisory that "Backoff" Malware Affected 1,000 U.S. Businesses

August 25, 2014 | Posted by Lou Dennig | Topic(s): Advisories, Security Breach, Data Security, Cybersecurity, Data Breach, Cybercrime

On Friday, August 22, the Department of Homeland Security (“DHS”) and U.S. Secret Service released an advisory warning that a family of malware known as “Backoff” may have infiltrated the Point of Sale (“PoS”) systems of over 1,000 U.S. businesses. The malware was injected into some systems as far back as October 2013, and DHS warns that it “has likely infected many victims who are unaware that they have been compromised.” “Backoff” allows cybercriminals to remotely exfiltrate consumer credit card information by exploiting an organization’s administrator accounts. The advisory strongly encourages businesses to take immediate action and contact their IT personnel, PoS and antivirus vendors, as well as other service providers, to assess whether their systems have been compromised by the malware.

PCI Security Standards Council Publishes Third-Party Security Assurance Guidance

The Payment Card Industry Security Standards Council (PCI-SSC) today released recommendations for meeting the PCI Data Security Standard (PCI-DSS) when sharing cardholder data with third-party service providers. PCI-DSS requires a merchant or other entity entrusted with cardholder data to ensure that cardholder data continues to be protected when it is provided to a third party.

Dominique Shelton Named Most Influential Lawyer in Digital Media and E-Commerce Law by Los Angeles Business Journal

July 31, 2014 | Posted by Privacy & Data Security Team | Topic(s): Data Security, Privacy

Dominique Shelton, partner in the firm’s Litigation & Trial Practice and Privacy & Data Security Groups, was recently included by the Los Angeles Business Journal in its inaugural “Most Influential Lawyers: Digital Media and E-Commerce.”

The list recognizes 30 Los Angeles attorneys who have demonstrated outstanding achievements in digital media and e-commerce law. Shelton is noted as one of the top practitioners in her field, advising clients on “cutting-edge” legal issues and “representing companies in a variety of industries and service sectors, including digital sales and marketing, advertising, wireless/mobile Internet, lead generation, manufacturing and electrical, software, telecommunications and television.”

Posted by Privacy & Data Security Team | Alston & Bird LLP

U.S. Treasury Secretary Lew Emphasizes Cyber-Risks for Financial Institutions

In remarks delivered earlier this month, U.S. Treasury Secretary Jacob Lew highlighted the dangers of “cyber intrusions” to financial institutions. Secretary Lew cited more than 250 cyber attacks against U.S. banks and credit unions since 2011, as well as recent hacks and credit card thefts against major retailers. “Cyber attacks on our financial system represent a real threat to our economic and national security,” said Secretary Lew.

Kim Peretti and Jessica Corley co-author Bloomberg BNA article on Director Liability for Cybersecurity

July 29, 2014 | Posted by Security Incident Management & Response Team | Topic(s): Data Security, Cybersecurity, Privacy, Data Breach, Privacy Policy

Kim Peretti, co-chair of the firm’s Security Incident Management & Response Team, co-authored with Jessica Corley, chair of the firm’s Securities Litigation Group, the Bloomberg BNA article, “Cybersecurity: What Directors Need to Know in an Era of Increased Scrutiny.” In the article, Peretti and Corley discuss the cybersecurity issues that directors and officers face due to the fact that most companies’ assets are stored digitally and, therefore, at risk of cyberattacks. Because of these risks, well-designed policies and procedures to ensure data security are crucial to companies of all sizes, both in the public and private sectors. Directors and officers are under increased scrutiny and expected to be fully aware and engaged in their companies’ cybersecurity measures. Peretti and Corley’s article addresses the risks and impacts of data breaches, as well as practical pre- and post-breach guidance.

Posted by Security Incident Management & Response Team | Alston & Bird LLP

Privacy Partner Dominique Shelton Authors Privacy Advisor Article on Hulu VPPA Case

Dominique Shelton, partner in Alston and Bird’s Privacy & Data Security practice and member of the Litigation and Trial Practice group, authored an article appearing on June 19 in International Association of Privacy Professionals' (IAPP) Privacy Advisor titled, “Court Denies Class-Action in Hulu Case, But There’s More.” In the article, Shelton discusses the Hulu consumer class-action case that has been ongoing since July 2011. Shelton points out that any company that hosts video content on its website or mobile app and includes a “Like” button or other social networking plug-in should be following this case. The issue at hand is whether the technology associated with the “Like” button constitutes a violation of the Video Privacy Protection Act (VPPA) by disclosing users’ viewing habits without their consent. Because this case touches so many companies, it is an important one to follow. The case resurfaced in the news this week because the court denied the plaintiffs’ putative class-action lawsuit, without prejudice.

West Virginia High Court Finds Standing without Harm for Invasion of Privacy Claim in State Data Breach Class Action

June 20, 2014 | Posted by Zach Neal & Alex Brown | Topic(s): Health Privacy, Data Security, Litigation, Class Action

The West Virginia Supreme Court of Appeals recently issued an important – but outlier – decision in a data breach class action. In a per curiam decision, the Court held that the plaintiffs had standing to bring their claims even though discovery revealed that not a single class member – much less the named plaintiffs – had suffered any property damage or economic losses. Tabata v. Charleston Area Med. Ctr., No. 13-0766, --- S.E.2d ---, 2014 WL 2439961 (W. Va. May 28, 2014). Indeed, the court found that, although some of plaintiffs’ personal information had accidentally been made available on a website, there was no evidence anyone had ever viewed that information. Despite this, the Court concluded that the plaintiffs had standing to bring two common law claims.

Hulu: The Northern District of California Denies Class Certification without Prejudice on Grounds Class Not Ascertainable

Data privacy practices and related class action litigation continue to be super-hot topics that require close attention from companies. Brand damage, governance shakeups and congressional inquiries because of data practices should provide sufficient motivation to stay up-to-the-minute in these critical areas. This advisory examines the latest developments in the Hulu litigation involving alleged violations of the Video Privacy Protection Act. While a California federal district court has denied certification of a class of Hulu video service users, it left the door open for future class cases in this emerging area.

The full Cyber Alert is available here

Written by Kim Chemerinsky, Senior Associate, Privacy & Data Security | Alston & Bird LLP

A+B Privacy Team Provides Analysis of California AG Privacy Report: New Best Practices Guidance Applies to all Businesses Collecting Personal Information from California Residents

In follow-up to our previous blog, California AG Kamala Harris Issues Privacy Policy Guidance: Making Your Privacy Practices Public Contains Draft Tips for Website and Online Service Privacy Policies, regarding the release of the AG’s report, please see our recently released client advisory providing a detailed analysis of the new privacy guidance: California Attorney General Kamala Harris Releases Long-Anticipated Guidance Regarding Privacy Policy Notices. As conceived, the Report is designed to apply to all businesses, regardless of the country or state in which they operate, based on the California AG’s position that the California Online Privacy Protection Act (Cal-OPPA) applies to all companies that collect personal information about California residents through their websites, online services or mobile apps, even if the business has no other connection to California.

Written by Dominique Shelton, Partner, Privacy & Data Security and Litigation and Trial Practice and Paul Martino, Partner, Privacy & Data Security and Legislative & Public Policy | Alston & Bird LLP

Eleventh Circuit Paves the Way for the FTC’s Administrative Action to Proceed; FTC denies LabMD’s Motion for Summary Decision

May 27, 2014 | Posted by zach.neal@alston.com | Topic(s): Federal Trade Commission (FTC), Enforcement, Data Security, Litigation

Two decisions from last week have provided clarity – at least regarding which tribunal will first decide whether LabMD violated Section 5 – in the ongoing battle between the FTC and LabMD. In the first decision, the Eleventh Circuit refused to stay, pending appellate review, the FTC’s administrative action against LabMD. This decision came on the heels of the district court refusing to enjoin the FTC’s administrative action due to a lack of jurisdiction to do so. In the second decision, the FTC refused to grant LabMD’s Motion for Summary Decision. The net result of these decisions is twofold. First, the trial of the FTC’s administrative proceeding against LabMD is now in progress. Second, no federal court will likely address the merits of LabMD’s arguments until after the FTC’s administrative action concludes.

California AG Kamala Harris Issues Privacy Policy Guidance: Making Your Privacy Practices Public Contains Draft Tips for Website and Online Service Privacy Policies

Today, California Attorney General Kamala Harris released her long-anticipated guidance on privacy policies for companies collecting information from California residents in a report entitled Making Your Privacy Practices Public (the “Report”). While the Report exceeds existing law in many respects, affected companies should take care to review the Report and become familiar with its contents, as it sets forth a blueprint for how the CA AG’s office views “best practices” in connection with privacy policy drafting in the areas of “Big Data,” behavioral tracking, data security, and the “readability” of privacy disclosures. Further, the CA AG takes the position that California’s Online Privacy Protection Act (Cal-OPPA) applies to all companies that collect information from California residents – and as such applies to companies operating outside of California.
