Is Your Business Prepared for a Ransomware Attack?

Ransomware attacks are on the rise and expected to reach epidemic proportions. The most publicized attack took place this year at the Hollywood Presbyterian Medical Center when it was forced to declare an “internal emergency” after a ransomware attack locked down its systems. Businesses that are viewed as offering a combination of valuable data and weak security may be seen as attractive to attackers. Some attackers have strictly financial motivations while others may simply be in it for “the data.”

According to Cisco’s Midyear Cybersecurity Report, email and malicious advertising are the primary ways ransomware infiltrates a system. Businesses often pay the ransom, but even when it is paid, files may be lost or altered in ways that could be devastating to the business.

Cisco reports that companies entering into M&A deals often do not conduct enough due diligence on the risk posture of the acquired business and realize their shortcomings after the deal is done, when it is too late to remediate problems or when it’s harder to do so because the networks are intertwined.

What can you do? Robust security is clearly the first step in preventing attacks, and that begins with the creation of a comprehensive privacy and security roadmap that addresses high-risk areas, compliance gaps and specific tactics for incident preparedness. It is important to involve experienced counsel at the outset, not only to advise on the array of federal and state privacy and cybersecurity laws and help develop the policy, but also to direct any security investigation so that consultants report potential vulnerabilities to outside counsel, protecting potentially negative findings from discovery in future litigation.

On September 7th, the Federal Trade Commission will begin its series of seminars on new and emerging technologies with a workshop on ransomware.

Best Practices for Consumer Wearables & Wellness Apps

Last week the Future of Privacy Forum (FPF) issued “Best Practices for Consumer Wearables & Wellness Apps & Devices.” The Best Practices are built on the five core principles of privacy protection, which form the foundation for privacy laws in the U.S.: (1) Notice/Awareness; (2) Choice/Consent; (3) Access/Participation; (4) Integrity/Security; and (5) Enforcement/Redress. They also seek to add protections for data that may not be covered by sector-specific legislation and to add guidance in areas where general privacy statutes are applicable.

While the Best Practices may appear easy to apply, in practice, they require businesses to develop a comprehensive approach to privacy and data security practices with the guidance of experienced counsel to avoid significant risks in this emerging area.

The Best Practices can be viewed at https://fpf.org/wp-content/uploads/2016/08/FPF-Best-Practices-for-Wearables-and-Wellness-Apps-and-Devices-Final.pdf

Is Your Company Registered for the New EU-U.S. Privacy Shield?

Following the July 12, 2016, adoption by the European Commission of the EU-U.S. Privacy Shield (the “Privacy Shield”), companies engaging in trans-Atlantic data sharing can now register for the Privacy Shield. It replaces the prior Safe Harbor Program, which was invalidated by the European Court of Justice on October 6, 2015, when it ruled that the data of European citizens was not safe when stored on U.S. computer servers given the U.S. government’s ability to access information through its intelligence services.

The new Privacy Shield provides transparency in how companies use personal data, robust U.S. government oversight and increased cooperation with EU data protection authorities (the “DPAs”). It includes more rigorous monitoring and enforcement by the U.S. Department of Commerce (the “Department”) and the Federal Trade Commission (“FTC”). Because the Privacy Shield is enforceable as U.S. law against a registered company, it is essential for a company to ensure its compliance before registering.

Key provisions of the Privacy Shield include:

  • Informing Individuals About Data Processing: The Privacy Shield requires heightened notice standards compared with the Safe Harbor, including additional requirements for participants’ privacy policies.
  • Providing Free and Accessible Dispute Resolution: The Privacy Shield outlines several dispute resolution mechanisms and specific timelines for handling disputes.
  • Cooperating with the Department of Commerce: Participants should promptly respond to Department inquiries and requests for information relating to the Privacy Shield.
  • Ensuring Accountability for Data Transferred to Third Parties: Participants must enter into written agreements with third parties to ensure that data is processed for limited and specified purposes consistent with the consent provided by the individual, that the third party will provide the same level of protection and that the third party will provide notification if it can no longer meet its obligation.
  • Transparency Related to Enforcement Actions: The Privacy Shield seeks to create greater transparency for enforcement actions by making public any Privacy Shield-related sections of any compliance or assessment reports submitted to the FTC as a result of an FTC or court order based on non-compliance.
  • Potential Additions in the Future: The Privacy Shield is designed to be updated with time to address evolving issues and accommodate the General Data Protection Regulation (effective in 2018).

To join the Privacy Shield, a U.S.-based company must first develop a Privacy Shield-compliant privacy policy. Thereafter, a company can self-certify and publicly commit to comply with the Privacy Shield’s requirements. Once publicly committed, the provisions of the Privacy Shield are enforceable as U.S. law against the company. If a participant chooses to leave the Privacy Shield, it will be required to annually certify its commitment to apply the principles of the Privacy Shield to, or provide “adequate” protection for, any information it retains that was received while operating under the Privacy Shield.

The requirements of the Privacy Shield differ from those of its predecessor, the Safe Harbor. It may be prudent for companies engaging in the cross-border transfer of data to consult legal counsel experienced with the Privacy Shield to ensure compliance.

Government Surveillance of Internet Traffic

At this point, it may come as no surprise that the U.S. government has some ability to monitor internet traffic. However, the tremendous extent of government surveillance may be somewhat alarming to those who are interested in privacy on the internet.

An article by RT.com reports that the NSA has the ability to read 75 percent of all U.S. internet traffic. The article points out that programs referred to as Stormbrew, Lithium, Oakstar, Fairview, and Blarney all have the ability to monitor the actual text of emails, not just email metadata.

How to Keep Your Personally Identifiable Information Secure Online

It seems like we are constantly hearing about Internet hacks and the theft of personally identifiable information online. At this point, we rely on the Internet for so many positive aspects of our lives. Given that we inevitably are online, what are some steps we can take to keep our private information safe?

Here are just a few simple tips to keep in mind:

First, it is important to protect your credit card information. One way of doing this is to check that the website you are logging into uses a secure connection. One thing to look for is whether the URL begins with HTTPS and not just HTTP, which indicates that your traffic to the site is encrypted in transit. Also, it is important to log out of your customer accounts when you are done with transactions — especially financial transactions.

EPIC Helps Challenge Surveillance by US and British Intelligence Agencies

The Electronic Privacy Information Center (EPIC) has just filed a third-party intervention brief before the European Court of Human Rights (the Court) to help challenge the surveillance activities of intelligence organizations of the United States and the United Kingdom.

The case, according to EPIC’s brief, “impacts the human rights to privacy, data protection and freedom of expression of people around the world …,” and is of “broad international importance because it involves arrangements to transfer personal data between the United States and European countries.” A core purpose of EPIC’s intervention is to show the Court that “current trends in U.S. and European surveillance law … are undermining privacy, data protection, and security.”

Student’s Internship Canceled After Exposing Facebook Privacy Issue

Many college students likely would covet an internship at Facebook. One Harvard University student landed such an internship. However, he says that the internship offer to him was rescinded by Facebook because he reportedly exposed privacy flaws in Facebook’s mobile messenger. Is that correct or not, and what lesson has been learned?

Harvard student Aran Khanna launched a browser application from his dorm room. The app revealed that Facebook Messenger users were able to precisely pinpoint the geographic locations of people with whom they were communicating, as reported by The Guardian.

Where Has All the Privacy Gone?

When it comes to privacy, a lyric from a Joni Mitchell song seems apt: “You don’t know what you’ve got till it’s gone.” Indeed, as technology has moved forward, it seems that practically every semblance of privacy has disappeared.

Let’s recount just a few of the ways that privacy has gone by the wayside.

From the Workplace to Cyberspace

For starters, there is very little privacy in the workplace. Most employers have employees sign policies stating that the business equipment that employees use is company property and that employers can monitor communications using that equipment. Employees are told upfront that they do not have expectations of privacy when using company phones, computers, and other devices.

In addition, practically everyone is living their life, at least to some extent, on the Internet. As a consequence, all sorts of private information is shared in cyberspace. When making online purchases, for example, credit card and home address information is shared. When making such purchases, consumers agree to the providers’ terms of service. At times, those terms of service allow for the further sharing of the information provided, and can also lead to targeted advertising.

Are U.S. Companies Violating European Union Privacy Rules?

Gone are the days when some companies might decide to take lightly the responsibility to safeguard private data. Indeed, many companies have been very earnest in complying with U.S. privacy rules when it comes to sensitive data such as health and financial information.

But how are U.S. companies doing when it comes to protecting European data? Not so well, according to a recent complaint filed with the Federal Trade Commission (FTC).


ABA: Lawyers Can Snoop on Jurors’ Social Media Sites

Jurors are always admonished by judges not to conduct any independent factual research with respect to the cases they are considering. In this way, the rules of evidence are adhered to, and jurors are only permitted to evaluate evidence deemed admissible and relevant by the judge.

But what about lawyers? How much sleuthing can they do with respect to the potential and actual jurors for their cases? Can they, for example, snoop on social media sites to learn more? Read on.


© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.

The opinions expressed on this blog are those of the author and are not to be construed as legal advice.
