FTC Warns Organizations of P2P-Related Data Security Breaches

On February 22, 2010, the Federal Trade Commission issued a news release indicating that it had notified almost 100 organizations that personal data about their customers, students or employees had been shared from their computer networks on peer-to-peer (“P2P”) file sharing sites, thereby exposing the data of affected individuals to possible identity theft and fraud.  In its letters, the FTC urged recipient entities to review their internal security procedures and the security procedures of their third party service providers.  The letters also recommended that the companies identify affected individuals and consider whether to notify them of the possible risks to their personal information pursuant to applicable state and federal data security breach notification laws.  Samples of the FTC’s letters were published with the news release and are available on the FTC’s website.

In addition, to help companies manage security risks related to P2P networks, the FTC published a Guide for Businesses on Peer-to-Peer file sharing and provided a link to a P2P Security Guide for consumers. 

Hunton & Williams partner Lisa J. Sotto discussed the FTC’s release in USA Today's Technology Live Blog.

Privacy and Data Security Risks in Cloud Computing

Cloud computing raises complex legal issues related to privacy and information security.  As legislators and regulators around the world grapple with the privacy and data security implications of cloud computing, companies seeking to implement cloud-based solutions should closely monitor this rapidly evolving legal landscape for developments.  In an article published on February 3, 2010, Lisa Sotto, Bridget Treacy and Melinda McLellan explore U.S. and EU legal requirements applicable to data stored by cloud providers, and highlight some of the risks associated with the use of cloud computing.

Class Action Lawsuit Against Heartland Dismissed

The court in In re Heartland Payment Systems, Inc. Securities Litigation, Civ. No. 09-1043 (D. N.J. Dec. 12, 2009) recently dismissed a class action lawsuit brought by investors in Heartland, a processor of payment card transactions whose stock value dropped significantly after it suffered a data security breach in which hackers allegedly stole 130 million payment card numbers.  The plaintiffs argued that Heartland’s statements to the effect that it had adequate security systems and that it took the issue of computer network security very seriously were fraudulent because Heartland knew it had poor data security and failed to remedy critical problems soon enough to prevent the theft.

According to the complaint, in December 2007, a group of hackers now under criminal indictment launched an attack on Heartland’s network, injecting malicious code into Heartland’s computers.  Heartland allegedly discovered this injection of malicious code and took remedial steps that failed to fully eradicate the threat.  Later, in 2008, the hackers used the injected code to steal millions of payment card numbers.  Heartland did not discover the theft until January 2009. 

The plaintiffs argued that Heartland had made various representations to investors that it maintained sufficient security to prevent such hacking.  For example, Heartland’s 2007 Annual Report discussed the company’s network security situation stating that Heartland “place[d] significant emphasis on maintaining a high level of security” and maintained a network configuration that “provides multiple layers of security to isolate our databases from unauthorized access.”

The court disagreed with the plaintiffs’ claim that these statements were untruthful, holding that “there is nothing inconsistent between Defendants’ statements and the fact that Heartland had suffered an … attack.”  The court explained that “[t]he fact that a company has suffered a security breach does not demonstrate that the company did not ‘place significant emphasis on maintaining a high level of security,’” because “[i]t is equally plausible that Heartland did place a high emphasis on security but that the Company’s security systems were nonetheless overcome.” 

With respect to a former Heartland IT employee’s statement that Heartland should have taken various additional steps to secure its network following the 2007 attack, the court found that “one former employee’s opinion that Heartland did not do everything it could have done to address the security breach does not render the statement ‘We place significant emphasis on maintaining a high level of security’ false.” 

In the end, the court dismissed the complaint against Heartland with prejudice, finding that, because the company “did not make any statements to the effect that the company’s network was immune from security breaches or that no security breach had ever occurred, …the statements in the 10-K were not false or misleading.”

Director of United States National Cybersecurity Center Resigns, Citing Obstacles

Former Silicon Valley entrepreneur Rod Beckstrom has tendered his resignation from the post of Director of United States National Cybersecurity Center, effective March 13, 2009.  In his resignation letter to Secretary of Homeland Security Janet Napolitano, Mr. Beckstrom complained of inadequate funding and criticized the National Security Agency’s dominant role in “most national cyber efforts.”  He characterized this arrangement as “bad strategy” because “intelligence culture is very different than a network operations or security culture,” and he argued that the centralization within one organization of all top-level government network security and monitoring constituted a significant threat to the democratic process.  Mr. Beckstrom’s resignation letter is available here.

Satyam Crisis Highlights Data Security and Corporate Issues for Outsourcing Customers

Scarcely a month after the world media was flooded with news of the catastrophic terrorist attacks in Mumbai, headlines are once again rife with articles on the global impact of events in India. This time, the news has focused on Satyam Computer Services (“Satyam”), previously one of India’s largest and most prestigious outsourcing providers, and a series of missteps that began in October 2008, when alarming allegations of possible involvement in a customer security breach surfaced in the media. After that news, there were allegations of misdeeds with customers, a failed takeover attempt, and now the chairman’s confession of massive accounting irregularities.

To read more on the Satyam crisis, please click here.  Hunton & Williams has organized a cross-disciplinary team of lawyers to respond to the Satyam situation, including leading outsourcing, data security and insolvency practitioners, as well as local counsel in India. We have also released a second client alert on how Satyam customers should consider dealing with their agreements; please click here to read this alert.

Compliance Deadline Extended for Massachusetts Data Security Regulations

Massachusetts recently announced that it is extending the deadline for compliance with new state data security regulations. In consideration of the current economic climate, Massachusetts has extended its original compliance deadline of January 1, 2009. The new compliance deadline will be phased in. By May 1, 2009, companies that are subject to the regulations must generally comply with the new standards and must contractually ensure the compliance of their third-party service providers. In addition, by May 1, 2009, covered businesses must encrypt laptops containing personal information. By January 1, 2010, companies are required to have a written certification of compliance from their third-party service providers and must encrypt other company portable devices, such as memory sticks and PDAs.

Massachusetts’ new May 1, 2009, compliance deadline coincides with the updated implementation deadline for the Federal Trade Commission’s Red Flags Rule. The Red Flags Rule contains provisions requiring certain financial institutions and creditors to put in place security measures aimed at detecting and preventing identity theft. Entities that are subject to both the Red Flags Rule and Massachusetts’ new regulations may be able to address the implementation requirements of both during the same program development process.

For details regarding the scope and requirements of the Massachusetts regulations, please click here.

For details regarding the updated Red Flags Rule compliance deadline, please click here.