Privacy & Cybersecurity

Mark your calendars:  Upcoming events with Mintz Levin privacy attorneys

You might think that if you lock your backup tapes in a safe they are protected from a data breach, but Kmart’s recent data breach proves that’s not the case.  Last month, a person held a Kmart employee in Little Rock, Arkansas at gun point and ordered him to open the store’s safe.

The Securities Exchange Commission (“SEC”) and the Commodity and Futures Trade Commission (“CFTC”) (together, the “Commissions”) have issued final joint rules and guidelines that require certain entities regulated by the Commissions to establish programs to address risks of identity theft.

Volley #1 - Trade Associations to FTC:  Please Delay!
The long-awaited amendments to the Children's Online Privacy Protection Act (COPPA) have been the subject of much discussion and debate.  

(LONDON) The draft of the new Data Protection Regulation, the first EU privacy law with highly serious teeth in the form of fines based on global turnover, continues to wend its way through various committees of the European Parliament (EP).

Last week in Washington, D.C., this author had the opportunity to sit in on a panel discussion by the SEC’s Division of Corporation Finance (“CorpFin”) discussing, among other things, recent developments in cybersecurity disclosure in public company filings.

Earlier this month, we reported on the privacy case against craft giant Michaels Stores (see our blog post here, as well as our client alert here) in which the plaintiff alleged that Michaels illegally collected zip codes during credit card transactions.

Damages issues continue to bedevil would-be data breach class action plaintiffs. A long and growing line of cases holds that consumers cannot maintain claims arising from theft of their personal or financial data without alleging that the theft resulted in financial injury.

After rounds of comments and public workshops, the FTC has finally released an update to its digital advertising disclosure guidelines. The FTC first released guidance on digital advertising in 2000 and last May the FTC requested comments on how the guidelines could be updated.

Yesterday, the Massachusetts Supreme Judicial Court (“SJC”) ruled that zip codes constitute “personal identification information” under G.L. c. 93. The question of law came to the SJC from the U.S. District Court for Massachusetts stemming from Tyler vs. Michaels Store, Inc, which was dismissed in January.

Security and privacy are the most frequently expressed concerns about cloud computing (defined for this article to include software as a service, platform as a service and storage as a service), but for companies that engage in research, design, development, manufacturing and servicing of items that are subject to U.S. export controls, cloud computing poses another risk that must be properly managed to avoid the substantial penalties that flow from unlicensed exports of technical data.

In a case about exposing user data, Apple suffered a setback due to its concealment of information in litigation. Last week, in the multi-district litigation, In Re iPhone Application Litigation, Judge Lucy Koh of the Northern District of California denied Apple’s motion for summary judgment in a putative class action by iPhone and iPad owners who allege that Apple enabled violations of their privacy rights through “apps.”

Security and privacy are the most frequently expressed concerns about cloud computing (defined for this article to include software as a service, platform as a service and storage as a service), but for companies that engage in research, design, development, manufacturing and servicing of items that are subject to U.S. export controls, cloud computing poses another risk that must be properly managed to avoid the substantial penalties that flow from unlicensed exports of technical data.

It seems that some of the nation’s largest public company banks must be avid readers of this blog and have taken to heart our 2013 prediction that the SEC would require greater disclosure related to data security risks and breaches. 

Perhaps we are being cynical, but if we imagine the current conversation between consumers and the makers of mobile payment applications, it would be something along the lines of:

There is much going on at the Federal Trade Commission (FTC)  these days, particularly in the privacy arena. In addition to the settlements discussed below, today the White House confirmed that President Obama will nominate Edith Ramirez as Chair of the FTC, replacing outgoing Chairman Jon Leibowitz.

As we have reported in this blog, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently released final regulations containing modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules (Omnibus Rule).

Our colleagues in our Washington, DC office have prepared a detailed summary of the President's Cybersecurity Executive Order.

If you haven't yet caught up with the new HIPAA Omnibus Rule and its consequences for those businesses who are not themselves healthcare providers, but are service providers to healthcare entities (and even further downstream than that....), you can take a listen to our recent webinar highlighting the most important changes and issues.