Cybersecurity & Tech

• “Expands the statute’s definition of “personal information” to include a resident’s biometric or medial information;
• Requires entities or persons that own or license consumer personal information to notify the Oregon Attorney General of a data breach if the entity must notify more than 250 residents;
• Raises the threshold for notifying Oregon consumers to a more generous “unlikely to suffer harm” standard;
• Lowers the threshold for reporting to consumer report agencies (CRAs) by requiring notice to CRAs whenever a breach affects more than 1,000 residents;
• Exempts covered entities under the Health Insurance Portability and Accountability Act (HIPAA) from compliance, so long as a copy of the notice sent to either the entity’s primary functional regulator or to state residents is sent to the Attorney General; and
• Allows the Attorney General to bring action against entities that violate the data breach statute, pursuant to Oregon’s Unlawful Trade Practices Act (Ore. Rev. Stat. § 646.607).”

JD Supra | Privacy & Security Law

Will Congress pass a national data security bill after the massive federal employee data breach. Odds are not high. There is a higher liklihood that next week there will be a new food trailer opening in Austin. 

What does this mean? States will pass stronger data security bills from everything from retailers to public education contractors to health care data.

Health Data Management

Protecting citizen data from the prying eyes of the government, hackers, and neighbors is the rally cry of everyone from Rand Paul to the Wyoming Legislature.

 Wyoming’s Task Force on Digital Information will recommend whether the Legislature should move forward with its constitutional amendment again in 2016.

In 2015, the constitutional amendment ran into hurdles when legislators realized that protecting privacy might make a mess of open records.

To head this disaster off at the pass, some press types recommended a right to know addition to the constitutional amendment. 

Courthouse News Service

One of Governor Abbott’s line item vetoes struck $5,000,000 in funding for University of Texas Center for Identity.  The Center seeks to limit impact of data security breaches.

The Governor’s rational: “If The Center þr ldentíty is a príority, the University may use íts appropriationfor ínstitutional enhancement, leverage public-private partnerships, or allocate other resources þr this purpose. “

Governor Abbott Budget Vetoes   UT Center for Identity

SOPIPA and Student Privacy Pledge are all the talk among Edtech companies gathered in NYC. 

California’s SOPIPA passed in 2014 has influenced other state legislation.  Student data protection isn’t just for state legislatures. Its also federal- Hello, FERPA.

And, state boards of education have used rule making to address data protection that can can hinder or assist edtech companies. 

EdSurge

The federal employee data breach this week, triggered an emergency contract of $20+million to provide credit monitoring services.

It’s a common response to offer these services. The Texas Comptroller did the same a few years ago when state employee records were breached/exposed.

The techies say credit monitoring is only part of the solution when a person’s data is breached. Other parts to the solution are:

• Watching for phishing emails.
  • Employees can be coerced into providing information without realizing they are being coerced
• upgrade their personal systems
•  invest in firewall protections

Government Executive

A data breach at Texas Department of Aging and Disability Services made 6,600 Medicaid patients’ information, including Social Security numbers and private health information, available online.

DADS

Fierce Health IT

A federal judge in Los Angeles Monday refused to throw out legal claims that Sony was negligent in maintaining adequate data security.

Refresher: the Sony data hack led to the release of:

• employee salaries
• worker health data
• racially tinged e-mail banter and
• other sensitive information.

Bloomberg

4.1 million current and former federal employees had their information exposed in a federal government data hack. California’s Department of Technology regulates data security.

The California Department of Technology reports 204 data breaches in 2014 among state agencies. 

State cybersecurity jobs are notoriously tough to fill. The private sector pays better and state hiring moves at a glacial pace. As a result, data security is often outsourced which opens the data up to another layer of potential data breaches.

Sacramento Bee

Rand Paul has filabuster against the Patriot Act and has outspoken opinions on NSA data collection.

His opinions are echoed by Ted Cruz and Bernie Sanders. 

Factor in the recent federal government employee data breach and Hillary Clinton’s Department of State email, and data security and data privacy will play a key role in upcoming elections.

Advertising Age

FBI is investigating a data breach allegedly pertetrated by the St. Louis Cardinals back office.  

If you see one mouse in the barn, there are likely a lot more mice.  Corporate data breaches are likley far more common.

Wallstreet Journal   NewYork Times  Houston Chronicle 

Connecticut passed new data breach laws that will:

• require businesses to notify affected person within 90 days of the breach
• Require businesses to provide 1 year of identity-theft protection if their Social Security number is compromised

CT SB 949    Consumer Financial Services Law Monitor

“Sweeping changes to provincial health privacy laws will soon cut down the red tape preventing authorities from prosecuting snoopers and force hospitals to declare all breaches of patient records to the privacy watchdog.” 

• the six month deadline to lay charges would be wiped out
• potential fine for snoopers would be doubled from $50,000 to $100,000
• Hospitals would also be forced to report all breaches to regulatory colleges and the provincial privacy commissioner

Toronto Star

Cyber Security Firms & their Investors according to the WallStreet Journal.  

In the honorable mention category- are the data breach fixing firms, like the quick $21M federal contract to CSID. WashingtonPost

TexasTURF is sounding the alarm on data collection by TXDOT. As we know, data collection is ripe for a data breach. 

Texas TURF says “TxDOT tracks drivers to mine data without their consent” 

The numbers on the Chinese data hack at the IRS:

• $20.7 M private contract to notify those who had information hacked
• 3.2 million notifications will be sent by e-mail and snail mail
• Hacking victims will receive: “…$1 million identity theft insurance policy in case their identity is stolen, 18 months of credit monitoring and other security protections as part of the contract.”
• 4 million current and former federal employees affected

Washington Post

TexasLegislature passed body cameras for law enforcement officers, SB 158 by West. It’ll create a lot of data.

“Seattle Police Department alone produced over 360 terabytes of data from dashboard cameras.” its a lot of data, that must be stored securely, whcih can be costly. 

Recently updated FBI Criminal Justice Information Services (CJIS) policies offer guidance on safe data storage. 

Federal Times

last week a district court blocked a Texas Medical Board rule that required a face to face video conference or an in person meeting prior to telemedicine. It was a win for telehealth. 

“Officials of the College of Healthcare Information Management Executives (CHIME) have sent a letter to two U.S. Representatives – Fred Upton (R-Michigan) and Diana DeGette (D-Colorado) – expressing their concern about the need for better patient identification. ”  

They point to:

• “As data exchange increases among providers, patient data matching errors and mismatches will become exponentially more dangerous and costly.” 
•  Congress should lift prohibitions against a national patient ID.
• Increased interoperability comes increased “threats to data integrity.” 

GlobalMD

“The U.S. Office of Personnel Management on Thursday said personal information for as many as 4 million current and former employees of the federal government may have been compromised in a recent cyberattack.” Law 360

Small businesses are not pleased with a data security proposal by House Financial Institutions and Consumer Credit Subcommittee Chairman Randy Neugebauer(R-Texas) and fellow Financial Services Committee member Rep. John Carney (D-Del.).

National Retailers Federation response: “Congress should take concrete steps to make sure the credit card cartel finally does the right thing and makes its cards secure.”

The Hill 

Does the Chief Information Officer take the fall? Nope, it’s the CEO.

SC Magazine for Information Security Professionals

“On a 39-0 vote, senators on Wednesday approved tech industry-backed legislation that would require law enforcement to obtain warrants before accessing emails, text messages and other digitally stored data.”

The Recorder 

Tax returns for 104,000 households were hacked.

The hackers used hacked personal information to re-hack into the IRS to view past tax returns.

This allows the hackers to build fuller identiy profiles and to file tax returns with the fradululently obtained information. 

WallStreetJournal CNN Credits Russian Hackers

Retailers scuttled the $19 million settlement with mastercard issuers over the Target data breach. This keeps Mastercard in the class action lawsuit. 

National Law Review

Data collectors and analyzers, IBM and Ponemon Institute, released the 2015 Cost of Data Breach Study: Global Analysis, which shows the average data breach cost increased 23% over the past two years to $3.79 million.

The report recommends mitigating costs with insurance and technology enhancements.

Security Intelligence  PC World

Radion Shack filed for bankruptcy protections. In that process, it has valuable consumer marketing information that it would like to sell. The FTC is entering the fray, in its newly amped role as data protector. 

Law 360

U.S. Senators Hatch & Markey this month filed a measure to protect student data. Following suit is Senator Vitter. 

Hatch & Markey focus on amending FERPA. Yes, that FERPA at issue in the UT System/Wallace Hall debacle. The Senators’ Protecting Student Privacy Act seeks to:

• Require that “data security safeguards be put in place to protect sensitive student data that is held by private companies,”
• Prohibit “the use of students’ personally identifiable information to advertise or market a product or service,”
• Provide “parents with the right to access the personal information about their children—and amend that information if it is incorrect—that is held by private companies,”
•  Make “transparent the names of all outside parties that have access to student information,”

Hatch-Markey Press Release

Vitter’s covertly named Student Privacy Protection Act will:

• ” Reinstate protections originally outlined under [FERPA] by clarifying who can access student data and what information is accessible,”
• “Require educational agencies to gain prior consent from students or parents and implement measures to ensure records remain private,”
• Hold liable through monetary fines “[a]ny educational agency, school, or third party that fails to get consent.” 
• Extend “FERPA’s protections to ensure records of homeschooled students are treated equally”
• Prohibit “educational agencies, schools, and the Secretary of Education from including personally identifiable information obtained from federal or state agencies through data matches in student data.” 

Vitter Press Release

A class action lawsuit was certified this week against yahoo, which has a process to intercept, scan and store incomiong, non-yahoo emails of its users for advertising purposes.

Something to think about when you’re sending confidential or privileged information via email.

The Recorder

Chicago Public Schools accidentally released personal information on 4,000 students to 5 potential vendors.

Chicago Public Schools assures the public that social security numbers were not released by the inadvertant data breach. 

NBC 5 Chicago

Within the last few years, the FTC has increased its data security enforcement. Including issuing record breaking fines against companies from big banks to major telecommunications providers.

An FTC Posting touts the favorable treatment for companies that self report data breaches to the FTC.

The Hill   FTC.GOV

A school district in Ohio suffered a data breach that exposed the names, addresses and social security numbers of students. The hacker? a student, who shared the information.

Young adult data is very valuable on the black market, because the identity is freely adaptable.

News-Herald Columbus Dispatch

California Attorney General Kamala Harris, front runner to succeed U.S. Senator Barbara Boxer, is urging Congress to allow states to have stonger data security bills.  

Her concerns about the federal bill are many, including:

• Allowing breached companies to determine whether harm has occurred
• Need to protect  medical data and health insurance information
• Need for a stronger notification timeframe for companies targeted by identity thieves and hackers.

Law360

Nevada is the most recent state to expand the definition of personal information that trigger data security laws. 

The expanded definition includes:

• individual’s medical identification number or health insurance identification number and
• a user name, unique identifier or email address with its associated password, access code or security question and answer that would permit access to an online account

This reflects a growing trend to include email address/usernames along with passwords in state data security statutes. 

Assembly Bill 179   

Thieves aquired names, addresses, social security numbers and other personal information from a database owned by CICS employment services., whiched housed employment background check information.

The thieves then took the personal information and filed false IRS forms to obtain tax refunds. The company does not know how the informaiton was taken, but they know it was when the theft ring was busted.

Oregon Live

The National Association of State Chief Information Officers, an organization for states’ chief information technology officials, found states are plagued by problems with hiring cybersecurity experts.

Why? 

• “Nearly 92 percent of states said salary and pay grades presented a challenge in attracting and keeping employees.
• 86 percent of states said they’re having trouble recruiting people to fill vacant slots. Four years ago, only 55 percent of states reported having that problem.
• 46 percent of states said that it takes three to five months to fill senior positions.”

Governing

Humans. Human error causes more data leaks, breaches, and exposure than hackers. A law firm report says data breaches are caused by:

• 37% human error
• 22% theft from outside
• 16% theft from inside
• 14% malware
• 11% phishing

Health IT Security

Data security:

• “knowing where your data is located”
•  ” who may access the data. “

Data privacy:

• “predicated on data security”
• “requires further understanding how personal data is being collected, processed (and by whom), and transferred,”
• “and the consistency of these practices with applicable laws, regulations, and the reasonable expectations of the relevant consumers”

National Law Review

Some proposals in Congress will allow corporations to determine whether the breach justifies notification.   WallStreet Journal 

• Sen. Pat Leahy of his Consumer Privacy Protection Act
• Reps. Randy Neugebauer and John Carney Bill
  • Counterpart to the Seante’s Carper-Blunt bill
  • holding merchants to similar standards to financial institutions.
  • Not well received by retailers and merchants 
• Sen. Bill Nelson bill filed in January, but not moving
• Senators Kirk and Gillibrand filed this week
• A bill in the works by Sen. Warner

Politico

The first data security bill that moved in Congress this year would pre-empt state laws. Some say it would be more lax than the majority of state data security laws.

A new federal legislative proposal removes preemption. The Consumer Privacy Protection Act introduced by Senator Leahy would require companies to take more affirmative steps to protect consumer data.

Health IT Security

A lawsuit against Home Depot, based on the retailer’s data breach, alleges that the data breach is a result of lax data security measures by Home Depot executives.

 Multiple security upgrades were routinely rejected  by the retailer.

Atlanta Business Journal

• “Develop specific policies and procedures regarding the handling of proprietary or sensitive information.
• Improve information security training.
• Ensure only the minimum necessary access to the information.
• Communicate and apply consistent sanctions for information privacy or security violations.
• Monitor employee activity.
• Ensure adequate oversight or governance of information security programs.” 

CFO Magazine

The US Supreme COurt has accepted a case to determine standing in data breach cases. We all know data breach law suits flow freely after a data breach. The question among courts has been is the injury to the person suing- that the information is out in the black market for information or does some economic damage have to occur before the individual can seek a court remedy.

The case that will shed light on data breach standing is Spokeo, Inc. v. Robins.

Orrick

Illinois Legislature is moving a data security bill that adds marketing information to protected information. Which means, if marketing information about a consumer is breached, notice will be required to the consumer.

Illinois Bill, SB1833,  was drafted by the Illinois Attorney General and “will require notification in the event of a breach of “information related to a consumer’s online browsing history, online search history, or purchasing history.”” 

Advertisers and Marketers are displeased.

SC Magazine for IT Security Professionals

A hotel in Rhode Island is sending all information that it collects about its guests to the local police. Does state law require it? No. 

Is the hotel under subpoena? No. The police and hotel reached an agreement. Guests will receive no notice of the information sharing.

Governing

Montana and Wyoming, wrangling western individualism, passed new data breach notification laws. Here’s what they did:

Wyoming expanded what information triggers a data breach notification to include:

• Username or email address with password or security question and answer
• Birth or marriage certificate
• Medical, biometric or health insurance information
• Individual taxpayer identification number.

Wyoming also expanded what should be included in a notification received by a consumer to include:

• A toll-free number to contact the organization
• Types of PII affected
• A general description of the breach
• Approximate date of the breach
• General actions taken to protect against further breaches
• Advice relating to reviewing account statements and monitoring credit reports-
• Whether the notification was delayed due to law enforcement.

Montana also expanded what type of information triggers a notification, to include:

• Information that relates to an individual’s physical or mental condition
• Medical history, medical claims history, or medical treatment information obtained from a medical professional or medical care institution, from the individual, or from the individual’s spouse, parent, or legal guardian.
• a tax ID number

Montana also broadened which entities receive notification to include:

• A company must “simultaneously” provide a copy of the notice to the Montana Attorney General’s Consumer Protection Office. 
• If the data breach involves insurance information,  simultaneous notice must be given to the Montana Insurance Commissioner.

Wilson Elser via JD Supra

3 states have enacted new data security reforms. Most recently, Washington State  joined Wyoming and Montana. Washington’s reforms include, according to JD Supra:

• Expands coverage to hard copy data as well as electronic or “computerized” data;
• Requires notification of the Washington Attorney General if more than 500 Washington residents are required to be notified;
• Imposes a 45-day deadline for notification of affected consumers and, when required, of the Washington Attorney General;
• Empowers the Washington Attorney General to enforce the statute by bringing actions under the state’s consumer protection act;
• Mandates certain content in the consumer notification, including the name and contact information of the reporting business, a list of the types of PI subject to the breach, and the toll-free telephone numbers and addresses of consumer reporting agencies;
• Introduces a safe harbor for PI that is “secured” or encrypted in a manner that meets or exceeds the National Institute of Standards and Technology (NIST) standard “or is Otherwise modified so that it is rendered unreadable, unusable, or undecipherable by an unauthorized person;” and
• Adds language that exempts certain covered entities from compliance if they otherwise comply with certain federal laws. 

Davis Wright Tremaine LLP

Small banks and credit unions have filed suit to enjoin the nearly $20 million settlement between Target and Mastercard related to the 2013. 

Small banks and credit unions allege:

• the agreement between Target and Mastercard was surreptitious
• ““This sweetheart deal for Target was negotiated without involvement of the court or the legal representatives of the impacted financial institutions.”

Target is still in negotiation with Visa over a settlement for reissuing credit and debit cards after the 2013 data breach.

​Reuters

The SEC is mulling over requiring disclosures by publicly traded companies concerning data security and data breaches. 

This should come at no suprise as in 2011, the Corporate Fiannce Division issued guidance on disclosing data security and data breaches in CF Disclosure Guidance: Topic No. 2, Cybersecurity, Oct. 13, 2011.

What’s the SEC considering risk factors that need to be disclosed?

•  if the risk of data breaches would make an investment in the business risky or speculative AND
• including the potential cost of any breach.

SEC is serious too. It is issuing comment letters based on the current guidance and imposing fines.  The Recorder

The federal data breach bill moving through Congress will preempt all state laws. Most states have stronger data breach laws than the federal bill.

Some say the federal bill is being pushed by the business lobby. It makes sense. Businesses are being sued after data breaches and it is costing millions and millions. Hundreds of millions. 

California, has stronger data security statutes and the California Consumer Federation says the federal bill will:

•Eliminate notification to the California attorney general  of any security breach.

•Allow the state attorney general to file a civil lawsuit but prevent individuals from suing over a data breach.

•It would no longer require breached companies to provide free ID theft protection services, such as credit monitoring and fraud alerts.

LA Times 

The GAO found 69 data weaknesses at the IRS, which caught the attention of Sen. Grassley and the Treasury inspector general for tax administration.

The Treasury’s inspector general for tax administration ranks data security as the IRS’s top management problem for 2015. In response, the IRS claims that budget cuts have impacted its abaility to find security weaknesses.

The Hill

Data Security is the number one concern for credit unions according to the National Association of Federal Credit Unions. 

Their concern is founded in fact. In 2014, 317 million new pieces of malware were created according to Symantec’s 2015 Internet Security Threat Report. Data breaches have been increasing by 20% per year. 

This group supports legislation that includes:

• Payment of Breach Costs by Breached Entities
• National Standards for Safekeeping Information
• Data Security Policy Disclosure
• Notification of the Account Servicer
• Disclosure of Breached Entity
• Enforcement of Prohibition on Data Retention
• Burden of Proof in Data Breach Cases 

Business Wire

Buried in the federal data breach legislation, that pre-empts state data protections in 38 states, with stronger data protection statutes, is liability protection for businesses that share data security threats and intrusions with other businesses and the government. Law360

Cloud medical image exchanges are used to help radiologists be more efficient, but are suspectible to data breaches.  The data security standards promoted by the industry are:

• encryption when the data is static
• encrption when the data is in transport
• transport layer security &
• transferring data through VPN tunnels

Health IT Security

A coalition of business groups, including:

• National Association of Convenience Stores
• National Association of Realtors
• National Grocers Association
• National Restaurant Association
• National Retail Federation

are urging federal lawmakers to retain a provision in federal data breach legislation that will require 3rd party vendors to notify consumers when they experience a data breach. 

The Hill 

Target’s holiday 2013 data breach continues to breed lawsuits and settlements. Target recently settled with Mastercard for $20 million. 

The $20 million will go to financial institutions to:

• covers costs that banks incurred to reissue credit cards and debit cards
• Cover the cost of fraud that resulted from the exposure of customer information

Fortune

Federal data breach legislation that would preempt 38 state laws on data breach, was approved by the House Energy and Commerce Committee. 

The biggest rift in the committee is whether federal law should preempt stronger state laws.

The Hill 

Last week Congressman Lamar Smith held “Reining in the EPA: A Regulation Roundtable” one of the invitees was Agriculture Commissioner Sid Miller.

When conversation moved to a “secret” EPA map of U.S. waterways, Commissioner Miller indicated that the EPA released personal information about  farms and ranches. The information was released to “environmental extremist groups.”  It is reported that Homeland Security department called the release of the farm and ranch water maps is “a bioterrorist threat.” 

Hill Country Community Journal

38 states have stronger state laws. The federal legislation would preempt those state laws and the lower, weaker standard would prevail.  Washington Post

Alabama is the 48th state to enact data security laws, and one of a few that have revamped data security statutes post major retail data breaches. The Alabama legislation will triger notification within 30 days when any of the following information is hacked:

•  medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional;
• health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual;
• User name or e-mail address, in combination with a password or security question and answer that would permit access to an online account.

It also addresses record retention of data breaches.

National Law Review 

Data security and the political world is a sordid affair. We’ve seen data hacking by campaigns leading to arrests, and now, the Hill reports on data breaches that have K Street on edge. 

The head of the American bar Association Cybersecurity Legal Task Force offers a serious warning:

“What a lobbyist might call blowing off steam could harm their business if it offends a client. For them, the risk is less about revealing state secrets or bribery than it is about humiliation, about damage to their firm’s reputation,””

The Hill

Since New Year’s Day, 90 Million individual health care records have been exposed by data hackers.  

Why is health care data targeted?  The data is highly valuable on the black market.

How are hackers gaining access to health care data? Via portals in electronics such as sonogram machines, conference call machines, fax machines… MD Anderson tests all its electronic equipment for security protcols.

Commentary in Houston Chronicle 

The Federal Communications Commission this week fined AT&T $25 M for a data breach that caused personal information, including social security numbers, of 280,000 AT&T customers to be breached. 

AT&T will incur more costs as it notified affected customers and pays for credit monitoring services, per the FCC order. 

Engadget

Data Security and data privacy is a near and dear to Libertarian types. Think Rand Paul. Libertarian types look to the Federalists papers to justify constitutional positions, such as protecting Americans from government intrusion into their personal, private data. 

Pointing to Federalist Paper 33 and 44, when a national interest exists, it is necessary and proper for the federal government to act. 

Legal Intelligencer

Bipartisanship Lives. Last week a new data security bill was unvieled to create standardized requirements for data breach and security issues. 

Co-sponsors of the bill:

• Representative Marsha Blackburn (R-TN)
• Representative Peter Welch (D-VT)
• Both are members of the House Subcommittee on Commerce, Manufacturing, and Trade, and Blackburn also serves as Vice Chairman of the Energy and Commerce Committee.

The Bill is Titled: “Data Security and Breach Notification Act of 2015. 

What the bill does:

• Companies would be required to use “reasonable security measures” to protect an individual’s personal information. 
• Companies would be required “to notify affected individuals as “expeditiously as possible” but no later than 30-days after the company has taken the “necessary measures to determine the scope of the breach and restore reasonable integrity, security, and confidentiality of the data system,” unless the delay is attributed to law enforcement or national security reasons.  ” 
• No individual notice obligation if there was no reasonable risk that the breach of security resulted in, or would result in, identity theft, economic loss or harm, or financial fraud.
• Effectively preempt the current patchwork of state statutes governing data breach notification and data security.  
• Enforcement:
  • A violation of this legislation would constitute an unfair and deceptive act or practice
  • Federal Trade Commission or state attorneys general would have authority to enforce.  
  • civil penalties for violations of the data security and breach notification requirements.  

National Law Review

European companies are struggling with the 28 different data security laws that the EU has enacted for each of its member countries. Multinational companies have different compliance standards for each country. 

However, an attorney for technology and innovation sector says data regulations, even those that differ by member state increase productivity in fields of innovation and technology. This productivity increases due to the globalization of data.

Computer Weekly

The number of companies experiencing a data breach is increasing annually. In 2013 it was 33%. In 2014 it was 43%. Its a mix of retail and health care data breaches leading the increases.

More data breaches means more litigation.

SC Magazine for IT Security Professionals   Ponemon Institute

• Target will put $10 million into a fund to be used to pay its affected customer
  • Customers with substantiated losses recover first
  • Customers with no substantiated losses receive funds thereafter
• $6.75 Million will go to the attorneys
• How many people are eligible? 100,000,000. Yes, 100 million people.

Minneapolis Star Tribune

An Illinois Credit Union has sued Kamart/Sears over a 2014 data breach because the retailers reaction to a data breach harmed financial institutions. Here’s why, note same thing can happen in Texas:

• The financial institutions were required:
  • to refund fraudulent charges
  • respond to a higher volume of customer complaints, and
  • increase fraud monitoring efforts
• The financial institutions lost revenue
• The retailers failed to maintain adequate data security under applicable payment card industry standards
• The retailer delayed notification to consumers by at least 5 weeks. 
• The causes of actions rooted in :
  • Illinois Personal Information Protection Act,
  • Consumer Fraud and Deceptive Business Act,
  • New York General Business Law,
  • negligence, and negligent misrepresentation and/or omission.​

JDSupra InfoBytes Blog

Education Testing Companies are being accused of spying on student facebook, twitter, and instagram accounts. The companies are going so far as requiring that information, such as exam information, posted by students be removed. 

Education companies insist they do not spy on students, but rather track certain terms.

Washington Post

The EU is waging a legal war with Facebook over whether Facebook can store the personal and private data of EU residents on servers located outside the EU? 

This legal issues raises the issue of whether Texans want their information stored on servers in NY or CA?

WallStreet Journal

What kind of information can hackers get from a student’s education app?

• first name, middle initial, last name,
• gender
• date of birth
• parent email address
• name and address of school
• usernames (some with associated passwords)
• teacher email addresses
• teacher and class roster affiliations
• class photos with students labeled by name,
• in-class behavior records,
• reading level and progress assessments, and math skill and progress assessments.

An identity could easily be created with this information, which sparked Congress to address the situation with the Student Digital Privacy and Parental Rights Act. 

States can address the situation by requiring data security protocols on stored student data and for third party education software and apps.   EdSurge

An April meeting of attorneys general will focus on data security issues. This comes in the wake of Connecticut AG forming a data privacy division and the attorneys general in NY, OR and WA recommending legislative changes to address data security.

Reed Smith Global Regulatory Enforcement

To handle data breach investigations and litigation, the Connecticut Attorney General created a Privacy and Data Security Department.

The Department emerged from a 2011 task force studying how the state can best address data breaches, and is staffed with a ” cross-disciplinary team of experts in health, finance and other disciplines.” 

Westfair Communications

A Dallas trial lawyer has filed suit in California against Toyota, Ford and GM because the vehicle’s software is easily hacked. 

The suit claims:

• The automakers failed to ensure the basic electronic security of their vehicles
• The electronic security can be hacked by anyone
• The easy hack allows a person, who is not the driver, to  take control of the basic functions of the vehicle
• The vehicles thereby endanger the safety of the driver and others

Case No. 4:15-cv-01104-DMR

Southeast Times Record

Do company executives breach their fiduciary duty by how they handle data security or in the methods of handling data breaches?

A lawfirm is investigating whether executives at Home Depot breached their fiduciary duty by failing to protect against the Home Depot data breach. 

Market Watch

Data privacy is the new frontier for property rights.  People fiercely want to protect their personal data. It gets tricky when the person trying to protect their data is a public school teacher.

A parent in Virginia sued to have teacher evaluations released.

The first court sided with the parent to allow for the release of teacher evaluations.  The suit is on appeal. Teacher groups refer to the release of evaluations as an invasion of privacy. It’ll be fought to the Supreme Court and is a fight occurring around the country.  Washington Post

A Portland Uber driver is the named plaintiff in a class action lawsuit against Uber for a 2014 data breach.

The breach disclosed personal information for 50,000 Uber drivers. The lawsuit alleges that Uber took 5 months to disclose the data breach, which violates California law. California statutes require employers to protect the personal information of employees.

Antman v. Uber Technologies Inc, U.S. District Court for the Northern District of California, No. 15-1175.  

Insurance Journal InAutoNews NYDailyNews Fortune via Reuters

The Federal Trade Commission issued a report saying its a bad idea to apply banking rules to retailers. 3 Reasons Why:

•  “burdensome to nonbanks”
• “Retailers lack the authority over payment cards to maintain certain data security obligations”
• “The FTC lacks the supervisory examination and resources to provide specific guidance and oversight that would be necessary to cover every nonbank business”

The Hill

According to experts in Silicon Valley, data breach costs break down for business like this:

•  80% less than $1 million in direct costs and damages
• 15 % of breaches cost between $1 million and $20 million
• 5% cost more than $20 million to investigate, deal with and pay legal costs
• Average Cost is $7Million 
• Only 8% of businesses are buying cyber insurance coverage

San Francisco Business Journal

A glut of credit card and financial data on the black market has driven down its price. As a result, hackers are targeting more lucrative health care records.

Health care records are selling for as much as 7 times the value of financial data on the black market.  Legal Intelligencer

1. More respect for financial institutions in courts. Data breaches lead to law suits. Law suits lead to multiple law suits. Multiple law suits become class action law suits. High dollar class action lawsuits are facing Target and Home Depot.

2. Push for national data breach legislation by multi-state companies.

3. More health care data breaches.  Legal Intelligencer

Montana empowered its attorney general office by requiring that it receive notice of any qualifying data breach. The Montana Attorney General opertes a consumer protection division that will seek to help affected Montanans. 

Montana Standard

A student at the Univeristy of Oregon, Go Ducks!, alleges she was raped by 3 basketball players. The University found the sudents at fault and kicked them out of school and off the basketball team.

After the alleged rape, the student sought treatment at the student health center. Her treatment included mental health care.

She eventually sued the school as the alleged offenders were never tried for a crime.  During the lawsuit her mental health records, when she sought care at the unveristy health care clinic, were accessed without her permission by the University.  

The policy & legal question is does FERPA (Federal Education Privacy) trump HIPPA? The Feds say: “The Department of Education urges higher education institutions to not only comply with FERPA, but also to respect the expectation of confidentiality that all Americans hold when talking to a counselor or therapist.”

Kaiser Health News

The Data Quality Campaign joined the Consortium for School Networking to set forth principles to guide student data regulation. The goal is to protect student data while doing no harm to schools. 4 points they all agree on:

• Student data should be used to further and support student learning and success.
• Students, families, and educators should have timely access to information collected about the student.
• Students’ personal information should only be shared with service providers for legitimate educational purposes.
• Everyone who has access to students’ personal information should be trained on how to effectively and ethically use, protect, and secure it.

The Consortium includes:

1. Alliance for Excellent Education
2. AASA: The School Superintendents Association
3. American Association of Colleges for Teacher Education
4. American Association of School Librarians
5. Association of School Business Officials International
6. Consortium for School Networking
7. Council for the Accreditation of Educator Preparation
8. Council of Chief State School Officers
9. Data Quality Campaign
10. Digital Promise
11. Education Trust
12. Educators 4 Excellence
13. Foundation for Excellence in Education
14. Institute for Higher Education Policy
15. International Association for K12 Online Learning
16. International Society for Technology in Education
17. National Association of Secondary School Principals
18. National Association of State Boards of Education
19. National Association of State Directors of Teacher Education and Certification
20. National Center for Learning Disabilities
21. National Council on Teacher Quality
22. National Education Association
23. National Parent Teacher Association
24. National School Boards Association
25. PDK International
26. SIF Association
27. Stand for Children
28. State Education Technology Directors Association
29. State Higher Education Executive Officers Association
30. StriveTogether
31. StudentsFirst
32. Thomas B. Fordham Institute

Education Week

A data breach of medical records at an Ohio hospital system has led to a $5,000,000 class action lawsuit. It took 4 months for the hospital system to notify patients of the data breach.

The legal complaint is based on the medical records data breach creating a “threat of immediate harm has injured her privacy as a result of negligence.”

WFMJ

Van Deaver has filed HB 2156 which the author says protects student data in 8 ways.

• Not sell student information;
• Not behaviorally target advertising;
• Use data for authorized education purposes only;
• Not change privacy policies without notice and choice;
• Enforce strict limits on data retention;
• Support parental access to, and correction of errors in, their children’s information;
• Provide comprehensive security standards; and,
• Be transparent about the collection and use of data. 

VanDeaver Press Release

The Illinois Attorney General is working to expand the definition of what is private information that triggers data breach notifications.

She wants to include the following information:

• email addresses
• log-ins
• passwords
• Health insurance information
•  biometric information
• geolocation information

Her proposal doesn’t specify when the consumer and the Attorney General office must be notified. Instead,   businesses are granted flexibility by requiring that business take “reasonable steps” to protect information that it holds.   

S.B. 1833

Hailed as a victory for plaintiff’s lawyers, class actions are proceeding for data breaches at Target and Sony. Since the February breach at Anthem, more than 40 class action lawsuits have been filed. 

Legal experts say data breach cases move forward when the plaintiff can allege:

• “Statutory damages, such as a particular state’s data-breach law, or
• if there are known sales of stolen identities on the black market”
  National Law Journal

Connecticut’s  SB1024 applies higher data privacy standards on health care providers, by establishing regulations through the department of insurance. 

Which health care entities are affected?

• health insurers
• HMOs
• “other entities licensed to do health insurance business in Connecticut,”
• pharmacy benefits managers
• third-party administrators that administer health benefits
• utilization review companies

What are these health care businesses required to do?

• encrypt health care data that it maintains

What personal information information are health care entities required to encrypt?

•  individual’s first name or initial and last name in combination with one or more of the following:
• Social Security number
•  driver’s license number
• address
• or identifiable health information

The 2015 CT bill follows in the path of the New Jersey health care data privacy bill.  

Day Pitney 

California’s SB 576 will require app makers to explain:

• what location information they’re gathering from your phone
• why they’re collecting it and
• whether they’re sharing it with anyone else. 
• Will require users’ permission to continue to gather GPS information from your phone

The Recorder

Theodore Kobus III, co-leader of the Privacy and Data Security Practice at Baker Hostetler, favors state regulation over one size fits all federal regulation of data security notification. 

He suggests the right template for data security is HIPAA’s approach. HIPPA has been functioning for more than 10 years and has no uniform standard for security.

Businesses need flexibility to respond to data breaches. The flexibility is necessary based on 3 factors:

• size of the business
• budget of the business
• industry of the business. 

Inside Counsel

Fresh off naming San Antonio the #2 spot for cyber security expertise, St. Mary’s University unveils a new Masters of Science degree in cybersecurity. Texas Public Radio

SB 628 by Van Taylor prohibits a governmental body from:

• capturing or possessing a biometric identifier without:
• express statutory authority to capture or possess the biometric identifier AND
• consent of the individual. 

Today Representatve Jim Murphy announced the formation of the Texas Innovation and High Tech Caucus. Members of the legislature are directed to contact Bradly Pepper in Represenative Murphy’s Office. 

Selling student data is a hot topic. Education businesses want to buy student data to tweak their products. Releasing student data is of increasing concern to data privacy advocates, especially since data related to children is far more valuable on the black market. 

Maryland is bouncing around how to protect student data. Proposals include:

• prohibiting selling student information for profit, including names, grades and test scores, socioeconomic information, search activity, photos and other student identifiers.
• prohibiting targeted advertising and profiling of individual students

Cecil Whig via the Capital Daily News Service

This week, the U.S. Army Reserve selected UTSA as a founding member of a unique public-private partnership program to train cybersecurity professionals. 

Under the Cyber P3 designation, UTSA and other participating schools will help the government fill as many as 40,000 positions nationwide.

San Antonio Business Journal

A US Chamber of Commerce study ranks San Antonio as #2 area for data security professionals. The industry is working to gain traction with local economic development officials.  KSAT

UTSA established its Institute for CyberSecurity in 2001. The Institute trains not only students, but also those in business to improve their cybersecurity. 

In 2014, the Institute was named the Top cyber security education program in the nation by certified information technology professionals. 

KSAT

Last week, Brian Engle, DIR’s data security go-to guy, left his  state government post. He is now the first employee of a nonprofit, Retail Industry Information Sharing and Analysis Center.

His new role is to support the retail industry in their cybersecurity efforts and their efforts to protect their customer information and information technology.     

Government Technology