Privacy

DOJ and FTC Issue Antitrust Policy Statement on Cybersecurity Information Sharing

April 11, 2014 | Posted by Maki DePalo | Topic(s): Data Security, Cybersecurity, Privacy, Data Protection

On April 10, 2014, the Department of Justice (“DOJ”) and the Federal Trade Commission (“FTC”) (collectively, the “Agencies”) issued a policy statement on the sharing of cybersecurity information. The policy statement indicates that the Agencies share the President’s view that “cyber threat is one of the most serious economic and national security challenges we face as a nation.” In the policy statement, the Agencies explain how their analytical framework for information sharing works with respect to the exchange of cyber threat information and clarify that properly designed sharing of cyber threat information should not raise antitrust concerns.

District Court Denies Wyndham Motion to Dismiss and Supports FTC's Authority in Data Breach Cases

In Federal Trade Commission v. Wyndham Worldwide Corp., et al., No. 13-cv-01887-ES-JAD (D.N.J. Apr. 7, 2014), Judge Esther Salas of the U.S. District Court for the District of New Jersey denied Wyndham’s request to dismiss the FTC’s lawsuit, brought against the hotel resort chain after it was hacked.* Wyndham had challenged the FTC’s power to assert an unfairness claim under Section 5 of the FTC Act. Although the Court’s ruling focused solely on the FTC’s authority to bring the lawsuit, and offered no opinion on the underlying merits of the allegations, the ruling could have broad ramifications for the FTC’s ability to pursue companies for unfair and deceptive trade practices when a data breach occurs.

SIA Announces Revised Privacy Framework

April 7, 2014 | Posted by Maki DePalo | Topic(s): Data Security, Cybersecurity, Privacy, Data Protection

The Security Industry Association (“SIA”) announced the revised SIA Privacy Framework on April 1, 2014. Building on the initial framework released in 2010, the revised SIA Privacy Framework is designed to provide guidance to companies seeking to establish adequate privacy policies to protect personally identifiable information and other sensitive data. This release outlines a core set of principles and best practices for privacy protections in the deployment of security technologies.

OCR and ONC Release New Security Risk Assessment Tool

Late last week, the HHS Office for Civil Rights (OCR) and Office of the National Coordinator for Health Information Technology (ONC) released a security risk assessment (SRA) tool designed to help health care providers conduct risk assessments as required by the HIPAA Security Rule.  Under the Security Rule, health care providers must perform risk assessments to evaluate the security of their electronic protected health information (ePHI), and then implement reasonable and appropriate safeguards that may be necessary to reduce and manage the risk and to protect ePHI.  While the Security Rule does not dictate the frequency of such risk assessments, providers participating in CMS’s Electronic Health Records (EHR) Incentive Program must conduct a risk assessment every year in order to meet Meaningful Use standards.  As we have previously written, participants in the EHR Incentive Program may be penalized for failing to conduct an annual risk assessment.

Alston & Bird and Kroll Hosting Webinar: Global Breach Investigations in a Post Snowden World – New Standards, New Challenges

March 25, 2014 | Posted by Privacy & Data Security team | Topic(s): Events, International, Data Security, Cybersecurity, Privacy, Data Breach, Cybercrime

Jim Harvey, partner and co-chair of the firm’s Privacy & Data Security team and the Security Incident Management and Response Team, will moderate a panel discussion during this April 2 webinar. The featured speakers are Kim Peretti, Partner and co-chair of the firm’s Security Incident Management & Response Team, E.J. Hilbert, Managing Director and Head of Cyber Investigations with Kroll, and Andrew Tannenbaum, Cybersecurity Counsel with IBM.

Cybersecurity incidents increasingly affect servers, employees, customers and business operations throughout the world, impacting both the investigatory process and the legal and regulatory landscape. The evolving global breach notification standards require constant monitoring and skillful navigation through a variety of regulatory schemes. Global investigations also present logistical, technical, and forensic challenges as sophisticated malware compromises systems without regard to geographical boundaries. This webinar brings together a panel of experts to provide an overview of the global legal landscape for data breach notification, highlight legal and technical considerations in conducting a global investigation, and offer practical tips for addressing the logistical complexities inherent in such investigations.

Wednesday, April 2
10:00 a.m. to 11:30 a.m. (ET)

For more information and to register, please click here.

Posted by Privacy and Data Security team | Alston & Bird LLP

Alston & Bird Hosting Privacy, Innovation and Big Data Program Organized by the American Constitution Society

March 21, 2014 | Posted by Privacy & Data Security team | Topic(s): Events, Data Security, Privacy, Regulation, Big Data

On March 25, Alston & Bird partner David Keating will moderate a panel discussion on Big Data organized by the American Constitution Society and Georgia State Bar. Featured speakers are Georgia Tech’s Peter Swire, Acxiom’s Jerry Jones, FTC’s Cindy Liebes, and attorney Gerald Weber.

David Keating, Partner and co-chair of the firm’s Privacy & Security team, will moderate the panel titled “Privacy, Innovation and Big Data: What Does the Future Hold?” Technologies used to collect and analyze vast amounts of data have made quantum leaps forward in recent years. At the same time, the cost of storage of data has continued a dramatic trend downward. The result is Big Data – large datasets compiled by businesses and governmental authorities, which can be used to identify individuals from disparate bits of information and to derive intimate details about individuals’ activities online and in the physical world. This panel discussion will focus on how governments and businesses collect vast amounts of data about people’s lives and how that information, now called Big Data, is analyzed and used. The panelists will discuss issues relating to the balancing of Big Data’s benefits against actual or perceived privacy costs, and whether existing legal frameworks are sufficient to address this new paradigm.

Jim Harvey Speaking at the 2014 IAPP Global Privacy Summit

Jim Harvey, co-chair of the firm’s Privacy & Data Security practice and the Security Incident Management and Response Team, will participate as a presenter at the 2014 IAPP Global Privacy Summit, March 5-7. The IAPP Summit, one of the largest in the world, hosts privacy and security professionals to focus on a range of privacy-related topics.

OCR Issues New Guidance on the HIPAA Privacy Rule and Sharing of Mental Health Information

February 25, 2014 | Posted by Julia Dempewolf and Paula Stannard | Topic(s): Health Privacy, Privacy, Health Insurance Portability and Accountability Act (HIPAA)

Late last week, the HHS Office for Civil Rights (OCR) published guidance designed to help health care providers understand when, consistent with the HIPAA Privacy Rule, they may share information related to a patient’s mental health with others.  As we have previously written, HHS seeks to balance a patient’s privacy rights in mental health records against public safety concerns.  OCR’s latest guidance clarifies the circumstances under which a health care provider may communicate with a patient’s family members, friends or others involved in an adult or minor patient’s care.  The guidance also addresses when and how a mental health care provider may notify a patient’s family members, friends or others involved in the patient’s care (or payment for care) when the patient fails to comply with a treatment or medication regimen, as well as the mental health provider’s ability to listen to concerns raised by the patient’s family members, friends or others involved in the patient’s care about the patient’s health and well-being.  Finally, the guidance addresses situations in which a patient presents a serious and imminent threat of harm to self or others and the role of law enforcement – and the ability of a health care provider to disclose information to law enforcement and others – in such situations.

Complimentary Seminar – Payment Card Breaches: How to Prepare, How to Survive – March 5, 2014

February 18, 2014 | Posted by Privacy & Data Security Team | Topic(s): Data Security, Privacy

Please join Alston & Bird, Dell SecureWorks and AIG for a discussion on how to prepare for and respond to payment card breaches.

NIST releases final Cybersecurity Framework

The National Institute of Standards and Technology (“NIST”) has released the final version of the much-anticipated Framework for Improving Critical Infrastructure Cybersecurity (the “Framework”). The Framework was developed by NIST at the direction of President Obama’s February 12, 2013, Executive Order 13636, “Improving Critical Infrastructure Cybersecurity” (the “Executive Order”).

FTC Settles With Children’s Entertainment Company Over Safe Harbor Lapse

February 11, 2014 – The FTC today announced a proposed settlement with Fantage.com Inc., a children’s online entertainment company that allegedly misrepresented its adherence to the U.S.-European Union Safe Harbor Framework (the “Framework”).

Kim Peretti Quoted in Washington Post Article “Target Security Breach: Eric Holder Vows to Find Hackers”

February 5, 2014 | Posted by Privacy & Data Security Team | Topic(s): Federal Trade Commission (FTC), Security Breach, Privacy, Data Breach

Kim Peretti, co-chair of the firm’s Security Incident Management & Response Team, was quoted in the Washington Post article “Target Security Breach: Eric Holder Vows to Find Hackers.” Attorney General Eric Holder confirmed that his agency is investigating the holiday heist on Target, which exposed weaknesses in the nation’s credit card system. As a result of the breach, the FTC was urged to launch an investigation into Target’s security practices. According to the article, the FTC can “bring an enforcement action against any company that fails to safeguard their customers’ personal information.”

Peretti stated that “most cases result in consent orders that force the company to establish tighter controls and subject it to routine audits.” “It’s been relatively common that companies that disclose consumer data breaches face inquiries by either the FTC or state attorneys general,” she said. “They are very active in that space and have been increasingly active in that space.”

To read the complete article, please click here.

Posted by Privacy and Data Security Team | Alston & Bird LLP

Kim Peretti Presented at the Law Seminars International Cybersecurity Law and Strategies Conference

January 28, 2014 | Posted by Privacy & Data Security Team | Topic(s): Events, Cybersecurity, Privacy, Regulation

Kimberly Peretti, partner in the Privacy & Data Security Team, was a speaker in the seminar discussion “Legal Developments for Cyber Security Law” during the Law Seminars International Cybersecurity Law and Strategies Conference on Monday, January 27.

The following topics were discussed during the program:

• Regulatory requirements and structure (to the extent there is one).
• Who has jurisdiction over what?
• What items do you need on your regulatory compliance checklist?

For more information on the conference, please click here.

Posted by Privacy & Data Security Team | Alston & Bird LLP

Alston & Bird to Host the Financial Marketplaces and Cyber Risk Seminar – February 11

January 28, 2014 | Posted by Privacy & Data Security Team | Topic(s): Events, Data Security, Cybersecurity, Privacy, Regulation

Please join Jim Harvey and Kimberly Peretti, co-chairs of the firm’s Security Incident Management & Response Team, for a first-of-its-kind seminar: “Financial Marketplaces and Cyber Risk.”

The panel discussion will both define cyber risk and its implications for financial marketplaces and address the existing regulatory framework and strategies purporting to improve risk mitigation for the industry as a whole.

Tuesday, February 11
8:30 a.m. to 10:30 a.m. (ET)

Moderator:
Jim Harvey, Partner, Alston & Bird LLP

Panelists:
Mark Clancy, Managing Director of Technology Risk Management, Depository Trust & Clearing Corporation
Russell Fitzgibbons, Executive Vice President and Chief Risk Officer, The Clearing House
Jerry Perullo, Deputy CISO, IntercontinentalExchange, Inc.
Katheryn Rosen, Deputy Assistant Secretary, Office of Financial Institutions Policy, Department of Treasury
Kimberly Peretti, Partner, Alston & Bird LLP

The program is a complimentary seminar in our New York office. Alternatively, the program will also be made available via teleconference. For more information and to register, please click here.

Posted by Privacy & Data Security Team | Alston & Bird LLP

Senator Leahy Reintroduces “Personal Data Privacy and Security Act”: Federal Data Breach Notification Law Includes Criminal Penalties for Failure to Notify

On January 8, 2014, Senator Leahy (D-VT) reintroduced the “Personal Data Privacy and Security Act” (S. 1897) in an effort to both enhance criminal penalties for computer hacking, and create a tough Federal data breach notification statute. The bill was originally cosponsored (at the time of its introduction) by Senators Chuck Schumer (D-NY), Al Franken (D-MN) and Richard Blumenthal (D-CT), and has since been cosponsored by Senator Robert Menendez (D-NJ). The bill has been referred to the Senate Judiciary Committee for consideration, and the committee is expected to hold a hearing on data security breach issues within the coming weeks.
