Data Privacy + Security Insider

Leveraging Knowledge to Manage Your Data Risks

The Securities and Exchange Commission (SEC) this week issued an investigative report that outlined cyber incidents that nine public companies had experienced, causing fraudulent losses totaling more than $100 million. The conclusion of the report is that public companies “should consider cyber threats when implementing internal controls.” The investigations focused on business email compromises where intruders posed as company executives or vendors and used emails (usually through phishing and spear phishing campaigns) to trick employees…
The Department of Health and Human Services Office for Civil Rights (OCR) announced this week that it has settled the largest health care data breach for the largest enforcement fine in history. OCR settled the massive data breach Anthem suffered in 2015 for $16 million—a substantially larger fine than any others assessed by OCR for HIPAA violations. The data breach included the names, birth dates, and Social Security numbers of nearly 80 million individuals. The…
Many companies are migrating their email systems to Microsoft Office 365 (O365). The majority of security incidents in which we have been engaged over the past six months involve a hacker successfully phishing an employee of the company (most of the time someone who is an executive in the company) and then spoofing the Office 365 credentials box, so the victim puts his or her user name and password into the hacker’s spoofed O365…
On October 12, 2018, Pennsylvania approved a new law that imposes criminal penalties on individuals who use a drone to spy on others. The law takes effect in 60 days. Under this law, the state may impose a fine of up to $300 on any individual who uses a drone to invade another person’s privacy or puts another person in fear of being physically harmed by the drone. The law also imposes a more serious penalty…
The Federal Trade Commission (FTC) announced yesterday that it will release its aggregated report of all consumer complaints lodged by individuals on a quarterly basis instead of annually. The goal is to provide more up-to-date information about what consumers are experiencing so others can learn from them and protect themselves from becoming a victim. The FTC also launched its Consumer Protection Data Spotlight, which it says will “take a deep dive into the…
As we previously noted, Facebook originally announced a breach late last month, in which hackers took advantage of a code vulnerability in the website’s “View As” feature to access users’ data. However, on October 12, 2018, Facebook revised the number of affected accounts down from 50 million to roughly 30 million, and it acknowledged that hackers were able to view varying levels of information for different accounts. …
Many consumers are unaware that retailers use facial recognition technology in retail stores to monitor shoppers and prevent shoplifting. Consumers see cameras in retail stores and assume they are there to monitor for shoplifting and theft, but many are unaware that facial recognition technology is used so their actual identity can be determined while they are shopping in the store. The Brookings Institution recently released a survey of 2,000 adults asking about their feelings relating to…
One of our clients told us this week that he loves to read the blog and Insider, but that he would really appreciate it if we would point out some hot compliance tips so when he scans the Insider he can see hot button topics that he should be aware of that he might not otherwise know about in the privacy and security world. We thought it was a great idea, so here is the…
I often hear people say that they have no control of their data, that their data is being monetized by big companies, that they don’t know what those companies are doing with their data, that they are frustrated when they receive notification that their data has been compromised, and they didn’t even know that company had their data in the first place. Unfortunately, many people throw up their hands and give up trying to control…
In the wake of the determination by the European Commission that the EU-US Safe Harbor Framework was insufficient to protect EU citizens’ personal information, the Privacy Shield Framework was implemented by the Department of Commerce. Companies that apply for Privacy Shield certification are required to file an application, which requires the companies to attest to certain things that they are doing to protect the personal data of individuals before personal information of EU citizens is transferred…