Data Security Tops Business Priority Survey

  • February 19, 2015

The National Retail Federation released a survey showing that 97% of surveyed business leaders consider data security a top priority for 2015.

National Retailer Association

Cars Retain Your Data, Folks. Feds File Legislation to Protect Your Car Data.

  • February 12, 2015

New federal legislation would establish federal data security standards for car makers. Most cars collect data, without the vehicle owner or driver’s knowledge. The data is then sold to third parties. 

Legislation would require:

  • Car companies and third-party vendors to be competent in:
    • detecting,
    • reporting, and
    • responding to real-time hacking events
  • Drivers to be notified of:
    • data collection,
    • data transmission, and
    • how that data is being used.
  • Consumers to be allowed to decline data collection without having navigation disabled.

AutoBlog

Lege Trend: More States Move Fast to Protect Students. Districts Face $50,000 Fines per Breach.

  • February 12, 2015

A panel in rugged, independent Idaho is creating a task force to study:

  • how much student data is sold to third parties
  • how best to protect student data, and
  • how to reduce sharing student data. 

State and federal agencies collect nearly 566 data points per student. Last year, Idaho passed a law that can fine school districts up to $50,000 for student data security breaches.

Lege Trend: Federal Data Breach Legislation

  • February 11, 2015

Last week Congressmen Barton (R-TX) and Rush (D-IL) filed data breach notification legislation. Feds want to protect personal, private information and the states are quickly passing bills that further protect their citizens. 

What you need to know about the federal bills:

  • Act Name: Data Accountability and Trust Act (DATA Act)
  • Bill Number: HR 580
  • Senators Feinstein, Pryor, Rockefeller, and Nelson filed a similar, but not identical, bill:
    • Data Security and Breach Notification Act 
    • SR 177
  • What do HR 580 & SR 177 seek to accomplish?
    • Nationwide data security standard
    • Backed by FTC enforcement, state Attorneys General, and civil penalties
      • Penalties up to $5M per violation
    • Require notification to the FTC & to affected individuals in the event of a data breach
    • Define “personal information” to include:
      • an individual’s name in connection with:
        • (1) a Social Security number
        • (2) a driver’s license, passport, or other government-issued identification number, or
        • (3) a financial account or credit or debit card number in combination with a security code or password that would permit access to an individual’s financial account. 
    • Businesses would be required to have information security procedures and policies to safeguard information.  

National Law Review

Data Breaches Lead to Tax Man Problems

  • February 11, 2015

The FBI is investigating whether hacked tax information was used to file fraudulent state and federal tax returns without the original taxpayer’s knowledge.   

The fraudulent state and federal tax filings are impacting businesses and individuals. 

WSJ

Breach Leads to Class Action. Rinse. Repeat.

  • February 11, 2015

Last week Anthem experienced a data security breach that exposed personal information for up to 80 million people. This week, a class action lawsuit was filed in Atlanta.

Here’s what plaintiffs allege:

  • World’s biggest known data breach
  • The FBI has identified health care as particularly weak in data security. 

Courthouse News Service

4 Data Security Policy Trends

  • February 4, 2015

  • Health information protected by HIPAA will put companies at risk.
    • Department of Health and Human Services Office for Civil Rights enforcement actions have led to multiple million dollar settlements against hospitals, clinics, and health systems
  • FTC will take enforcement action. That action will lead to lawsuits challenging the FTC powers of enforcement. 
    • Opportunity for state enforcement abounds.
  • More lawsuits against companies and financial institutions. Big legal costs. Big tort reform opportunity. A sample of the lawsuits:
    • class action suits
    • Claims under specific privacy statutes, like motor vehicle records
    • State medical privacy laws for employee health insurance records
    • Restricted access to bank accounts may satisfy data breach causes of action
  • Insurance Regulation on data breach policies as the industry rapidly expands.

Lege Trend: Another Attorney General Supports Data Breach Notification & Enforcement

  • February 4, 2015

The Oregon Attorney General has a data breach legislation wish list. It includes:

  • Extend data breach enforcement and notification to the Oregon Department of Justice
  • Oregonians should have access to information about:
    • who is collecting their personal information and data
    • how it is being used and protected
    • to whom it is being sold.

Oregon Business Report

Cost of a data breach: $15 Million +

  • February 4, 2015

Sony Pictures spent $15M in Q3 investigating and remediating its data breach. Legal costs are forthcoming. Tech Crunch

Data Breach Liability for Retailer? Is there a Financial Cap for a Grocer?

  • February 3, 2015

Retail data breaches lead to class action lawsuits. They’re new. They’re trendy.

How financial liability for a breach is assessed is a developing legal trend. Legal trends turn into legislative trends as states grapple with assigning liability.

Today the retailers and the banks are at odds over this in policy court. To add fuel to this policy fire, a federal court sided with a retailer against financial institutions by limiting a grocer’s liability to:

  • $500,000
  • based on the agreement between the grocer & the financial institutions processing the payments

Retailers want banks to bear the brunt of costs. Banks want retailers to meet the high security standards they have to meet. 

PYMNTS.COM

Public Ed Contractors Want Data. States Stop the Data Flow.

  • February 3, 2015

In 2014, California passed bills to protect student data from contractors. What did the bills do?

  • Require “school districts to maintain control and ownership of any data managed by a private vendor.” Cal AB 1584 (2014)
  • Give education technology companies until 2016 to stop selling student personal identifying information and to stop target marketing to students  CAL SB 1177

At the school district level, these actions are being taken:

  • Teacher training on privacy issues.
  • Use of a vetted list of vendors that comply with data retention and storage restrictions

The Recorder

Mandatory Encryption for Health Care Data. States Imposing Higher Standards than HIPAA.

  • January 26, 2015

The Garden State has mandated that all protected health information be encrypted. This new requirement applies to:

  • health providers
  • hospitals 
  • medical insurance corporations

The NJ legislation, signed by Gov. Christie, exceeds HIPAA requirements and will require encryption of:

  • patient’s name linked with:
    • a Social Security number
    • driver’s license or other state-issued identification
    • address
    • identifiable health information.  

National Law Review

Downsizing Health Care Data Sharing

  • January 26, 2015

Private companies want access to government health care information to build their businesses, but their access to health care data is shrinking fast. HHS is severely cutting the information it shares with third parties.

The change was sparked after the AP reported that healthcare.gov was sending personal identifying information to third parties for marketing, advertising, and internet data performance purposes. 

Privacy advocates, the Electronic Frontier Foundation, Senator Hatch and Senator Grassley want the federal government to do more to stop health care data sharing with private companies.

AP | National Law Review | The Hill | NYTimes

Survey Says 34% More Spent on Retailer Cyber & Data Protections

  • January 25, 2015

The Target data breach of 2013 changed a lot of things. Cyber insurance is a booming business, and spending for cyber security has increased on average 34%. The survey also said:

  • 57% of U.S. CEOs are extremely concerned about over-regulation
  • AppRiver says last year it quarantined about 1 billion email messages that contained viruses in attachments, about double the amount it did in 2013.
  • 75% of the British people it asked said they want more transparency in business, and 81% said they want more accountability.
  • A survey by KPMG of the FTSE350 found 58% of respondents said they expect their cybersecurity risk to increase over the next year. WSJ

Banks v. Retailers MMA Cage Fight

  • January 25, 2015

Where does the buck stop in data security regulation? Is it at the financial institution or at the retailer who garners the class action lawsuit? 

Retailers have said they should not be treated like banks, which are heavily regulated. Information Intelligence

The Credit Union National Association, Financial Services Roundtable, the Consumer Bankers Association and four other financial trade associations sent a letter to Congress on Friday asking to have new rules imposed upon retailers that handle customers’ personal data. This could impose fines of up to $1 Million per day for retailers. The Hill


Lege Trend: Techies Want Data Security Supremacy & Tax Relief

  • January 25, 2015

Georgia techies are focused on tax incentives and making Georgia the Supreme Leader in Data Security. The economic incentive proposals:

  • Extend Angel Investor Tax Credit
  • Film Tax Credits
  • “triple the qualifying period on a sales-tax exemption for companies buying more than $15 million in computer equipment, from one year to three”
    • This tax credit has made Georgia a hot spot for data centers
  • Create a committee to make Georgia a leader in data and cyber security
    • Georgia is home to IBM and to U.S. military’s cyber command, which they believe make Georgia the perfect leader in data and cyber security

Athens Online 

States Ramp Up Data Security Laws. Propelled By Healthcare Data Breaches.

  • January 22, 2015

Add New York to the growing list of states ramping up data security laws. NY will consider legislation similar to OR and IN that would provide a “safe harbor rule for companies that implement specific data security plans and standards that officials say would minimize the chance of a breach.”

New York’s study of data breaches found that health care was the largest source for data breaches. Healthcare Dive

Data Breach Bill Filings: Biometrics, FingerPrints, Health Care Data.

  • January 22, 2015

Data Protection Policy Trends Emerging….

HB 349 by Kleinschmidt calls for limiting collection of fingerprint in criminal history checks.

HB 764 by Susan King calls for DSHS to limit the information stored, require notification upon a breach and prohibit the sale of information.

HB 852 by Sanford calls for a study on the collection and storage of biometric identifiers. 


Data Breach Hearings In Congress: To Pre-empt State Law or Not to Pre-Empt?

  • January 22, 2015

Federal law or state law? Which should have the final say over a data breach at a local business? Or, if a data breach affects a nationwide retailer? The State of the Union included a call for federal data breach laws pre-empting state law.

Texas Congressman Michael Burgess agrees with federal pre-emption.

He will chair the hearing on Tuesday January 27th, and said, “We need a plan in place that will help prevent data from being stolen in the first place, and will also alleviate consequences for consumers if hackers are successful.”   The Hill 

Health Care Data Breaches- Hackers or Human Errors?

  • January 22, 2015

Since 2009, health care data breach statistics are:

  • 8% involve hacking
  • 40.9 million individuals’ records have been exposed
    • Of the individual records, 19%, were blamed on hackers
      • This includes a hack, allegedly by Chinese hackers, to the health care data at Community Health System in Franklin, TN, resulting in stolen personally identifiable information on 4.5 million individuals.

President Obama’s federal data breach proposal would pre-empt state law, but it EXEMPTS health care and banking, which each have their own data breach standards. Modern Healthcare

3/4 of IT Experts Support Data Breach Notification Laws

  • January 22, 2015

75% of international cyber security experts support breach notification laws. The biggest concerns about complying with the laws:

  • 55% said notification would affect corporate reputation
  • 15% said their systems are not geared for notifications
  • 13% listed increased costs as a concern

PC World

Data Breach Insurance BOOM!

  • January 16, 2015

Insurance sales for data protection are skyrocketing.

With the feds and states scrambling to protect citizen data, and class action lawsuits being filed with every breach, the insurance market is booming.  

Demand For Cyber Insurance Skyrockets | The Hill

2 Experts: Federal Data Security Standards Loosen State Standards. Less Protection for Individuals.

  • January 16, 2015

2 Privacy Experts say Federal Standards Don’t help individuals:

  • Alvaro Bedoya, the executive director of the Center on Privacy & Technology at Georgetown University Law Center, says consumers benefit from state laws which are stronger than national proposals. 
  • Software & Information Industry Association says individuals will not be safer with federal protections.

National Review

States are Passing Data Security Bills. See Where State Laws Stand. Business Interests Beware.

  • January 15, 2015

Baker Hostetler offers an absolutely fantastic chart of what every state is doing on data security.

Data privacy experts say state laws go further to protect your information if it’s the subject of a leak, breach or hack. Tort reform types point to data breaches as a new bevy of class action lawsuits. Baker Hostetler

WA Data Security Legislation

  • January 13, 2015

Hot Topic: how to protect and notify individuals in case of a data breach. Here’s Washington State’s proposal to upgrade its notification laws. Unlike other states, Washington state law does not currently require any centralized reporting to the state when a data breach occurs, resulting in a lack of robust information for law enforcement and consumers.

The proposed legislation strengthens Washington’s data breach notification law by:

  • Adding notification requirements when the breached data is encrypted
  • Establishing notification timelines
    • Require consumer notification as immediately as possible and no later than 30 days whenever personal information is likely compromised
  • Centralizing reporting to the state to improve enforcement actions
    • Require the Attorney General to be notified within 30 days when a data breach occurs at a business, non-profit or public agency, enabling the Attorney General to compile centralized information about data breaches for law enforcement and consumers
  • Requiring businesses, non-profits and agencies, when reporting a breach, to provide consumers with basic information they can use to help secure or recover their identities.

Kirkland Report: WA House Bill 1078 & Senate Bill 5047

Data Sharing with Government Leads to Liability Protection

  • January 13, 2015

The Obama Administration, in a grand data security bill, offers liability protection to companies that share cyberthreat indicators with the government.

Privacy rights advocates are not amused. Washington Post | The Hill

White House Wants to Lead in Education Data Protection Legislation

  • January 13, 2015

The White House released proposals to protect data: student data, energy data, tech data. 75 companies have said “Aye,” including the big dogs, Apple and Microsoft.

Education Data Protection:

  • No sales to third parties for a purpose other than strictly educational.
  • No targeted advertising to kids.

WSJ: http://blogs.wsj.com/law/2015/01/12/white-house-moves-to-protect-data-privacy/

Data Security Ripe for Tort Reform. Will it help? No Says Washington Post Legal Commentator

  • January 12, 2015

Mandatory data breach notices have triggered lawsuits. Lawsuits have led to class action lawsuits. Think Target and Home Depot, the big retail data breaches. Class Action lawsuits lead to settlements.  

Whether or not one agrees about what the impact of tort reform will be, data security is ripe for tort reform.

Volokh Conspiracy | Washington Post

AG Enforces HIPAA Data Security Provisions

  • January 12, 2015

Indiana’s AG enforced HIPAA violations against a health care provider that improperly dumped health records. The health care provider put the records, unshredded, in a dumpster. National Law Review

A couple of weeks ago, Indiana’s AG offered legislative guidance on data security bills. Information Intelligence

Data Breach Laws not just for the Feds

  • January 8, 2015

State laws address data breaches. They set up notification procedures and establish liability. A cyber law expert lays out liability and causes of action in various states.

Looking at the class action suits that have followed major retailer data breaches, it is the legal trend of the year.

Claims Journal

Data Security Taking Front Stage with New Congress

  • January 8, 2015

Data security and protecting consumers’ education, health and financial data just got a kick start.

  • Texas Congressman Hurd will chair the IT Subcommittee — a new panel created by incoming Oversight Committee Chairman Jason Chaffetz of Utah.
  • Texas Congressman Ratcliffe will chair the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, a part of the Homeland Security Committee.

Dallas Morning News

In 2014 states began passing data security and data protection legislation. Just look to legislative efforts in CA, FL, NJ, IN, WY, AL. Click the legislative trend category to see a complete list.  

Data Security Sample Bills: Protect Minors, Students, Health Care Data & More

  • January 3, 2015

In 2014 California passed a number of data security bills to protect students, consumers and patients, including:

  • Privacy Rights for California Minors in the Digital World (California’s SB 568)
    • Prohibits marketing or advertising alcohol, firearms and tobacco to minors
    • Prohibits using, disclosing, or compiling a minor’s personal information (or permitting a third party to do so).
    • Intended to exceed federal protections for minors.
  • Data Breach Notification Amendments (California’s AB 1710):
    • Businesses must “implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”
    • Any identity theft prevention services must be provided at no cost to the affected person for not less than 1 year.
  • Medical Information Breach Notification Period (California’s AB 1755):
    • Expands the time permitted to report breaches or disclosures of patients’ medical information to the state and to the patient.
    • Permits email notification.
  • Safeguarding Pupil Digital Records (California’s AB 1584):
    • Provides local educational agencies with control to contract with third parties that provide digital educational software or services, including cloud-based services, for the digital storage, management, and retrieval of pupil records.
    • Limits the use of the pupil records, ensuring compliance with the federal Family Educational Rights and Privacy Act
  • Pupil Records and Social Media (California’s AB 1442):
    • Restricts a school district, county education office, or charter school that gathers information from an enrolled pupil on social media from using information collected for other purposes.
    • Prohibits selling or sharing of information, and imposes other requirements related to the destruction of information.
  • Student Online Personal Information Protection Act (California’s SB 1177):
    • “Prohibits operators of websites and online services and applications used primarily for K–12 school purposes, and designed and marketed for those purposes, from pursuing targeted advertising to students and their parents or legal guardians.”
    • “Prohibits using covered information to build a profile of K–12 students, selling a student’s information, and disclosing certain types of information.”

National Law Review 

$5.6 Billion: The 2015 Cost of Health Care Data Breaches

  • January 3, 2015

$5.6 Billion buys a lot of tongue depressors. It’s also the expected cost of data breaches in the health care industry for 2015, according to the 2015 2nd Annual Data Breach Industry Forecast by Experian. Highlights from the forecast:

  • A Ponemon Institute survey found that 72% of healthcare organizations indicated they are only “somewhat confident” or “not confident” in the security and privacy of patient data. 
  • Increasing data security by health care organizations could limit the risk of breaches and limit scrutiny from regulators. Business Solutions

SAO: State Computer Systems Out of Date

  • January 3, 2015

The State collects mountains of data from motor vehicles to health care agencies. Keeping up with the technology to protect this information lags behind.

The State Auditor found that state data projects are not being completed on time or on budget, and may not receive the proper authorization.

SAO 15-015 | Austin Business Journal

Indiana AG Proposes Data Security Legislation

  • January 3, 2015

The proposed legislation would require more of businesses, including:

  • More stringent requirements for storing & retaining sensitive data
  • Reduce harm to consumers with better notifications
  • Increase transparency of online privacy policies

What does this mean for businesses:

  • Require data to be securely stored
    • Delete personal or financial data
    • Retain only what is necessary for business purposes and processes
  • Limit sharing or selling of data only when authorized by law or when consumers are informed in advance
  • Inform consumers by clear and conspicuous notice when personal data must be collected and how long it will be stored
  • Data breach notification changes with quicker notifications to consumers, with more information, applied to more data breaches. Ad Law Access | National Law Review | Indiana Attorney General Proposal

Data Security Regulation Needed Post Chick-fil-A Data Breach

  • January 3, 2015

Another day, another retailer with a data breach.

The National Association of Federal Credit Unions took the opportunity to call for clear data breach laws.

Why? Without regulation every business that could possibly be related to a data breach is getting sued. It’s a class action gold mine.  The Hill 

FTC Has Authority to Pursue Data Breach Enforcement

  • January 3, 2015

FTC and FCC are both regulating data breaches. FTC pursued an enforcement action against Wyndham Hotels, which then challenged the FTC’s regulatory authority. 

In a case watched by many corporations, the courts said yes, the FTC has regulatory authority to take enforcement actions related to data breaches.

In late 2014, the U.S. Court of Appeals for the Third Circuit ordered the parties to mediation to save all parties time and money. King & Spalding via JD Supra

Why does this matter? Data security laws on the state level are increasing.  State level enforcement is inevitable. Enforcement will come with hefty fines against businesses that experience data breaches. 

Kerfuffle: Financial Institutions v. 6 Retailer Groups- Which Bears the Financial Burden for a Data Breach?

  • January 3, 2015

The fighters for financial institutions: Independent Community Bankers of America

The fighters for retailers: Retail Industry Leaders Association, National Retail Federation, National Grocers Association, Merchant Advisory Group, National Association of Convenience Stores, Food Marketing Institute, & National Restaurant Association

Why did the kerfuffle start? Banks assert that they absorb the heaviest burden “following security breaches of payment card data.” The Independent Community Bankers support:

  • “the costs of data breaches should ultimately be borne by the breached party,
  • all participants in the payments system—including merchants—should be subject to Gramm-Leach-Bliley Act–like data-security standards,
  • a national data-security breach and notification standard should be implemented to replace the current patchwork of state laws,
  • unnecessary barriers to effective threat-information sharing between law enforcement and the financial and retail sectors should be removed, and
  • while community banks and other financial institutions continue to move to chip technology for debit and credit cards, these technologies alone may not have prevented the recent retailer breaches and do not protect against fraud in “card-not-present” transactions, such as online purchases.”     ICBA Press Release

Retort from the Retailers:  

  • “Retailers bear more of the costs of breaches than banks.”
  • “We need increased sharing of information between law enforcement and the business community, as well as between retailers and financial institutions.”
  • “Ignoring PIN technology leaves us all more vulnerable.”
  • “The Gramm-Leach-Bliley Act is not a model for data security.” Letter from the Retail Groups

The Hill: Data Breach Payment Fight Heats Up

Healthcare Data Must Be Addressed When Crafting Data Security Laws

  • January 3, 2015

Federal Health and Human Services has pursued a string of health care data breach claims against health care providers.

Health care data is protected under HIPAA, and data breach issues could also fall under data security laws and regulations.  

For a refresher on the HHS settlement with Anchorage Community Mental Health Services, see Association of Corporate Counsel

Trend: Insurance for Cyber Security

  • January 3, 2015

Forecasting trends related to hacking/data breaches/cyber security is a hot topic. Just look at the plethora of class action lawsuits, and the Sony hack that led to pulling the film, The Interview, and its own set of lawsuits.

In an interview with Wall Street Journal legal writer Dan Dipietro, a cyber security expert says he expects cyber security insurance to soon be part of the ordinary course of business.

Wall Street Journal

Federal Secure Data Act- Disallow Law Enforcement Surveillance

  • December 18, 2014

Tech companies (makers of computers, phones, tablets, etc. and software companies) are getting protection under a bill by Sen. Wyden.

Think of all the personal privacy bills in Texas during 2013: drones, license plate capture, photography protections. Texas loves protecting personal privacy from Big Brother.

The Wyden bill would prohibit law enforcement from requiring tech companies to make it easy for law enforcement to access data and devices. Closing this exception would make it harder for hackers to access data and devices.

Win for data security against hackers. Win for Constitutional protection against unreasonable searches. VPN Creative | The Verge

Lawmakers: 500 Million Financial Records Hacked in 2014. Need Policy Fixes.

  • December 18, 2014

Lawmakers want to know what financial institutions are doing to keep financial data secure. This applies to state and federal lawmakers.

National press focuses on federal lawmakers. So, here we go: Sen. Warren and Rep. Cummings want to know which banks have experienced cyber attacks. They claim 500 million records have been hacked from financial institutions in the last year, and they want solutions to fix it.

We all know this will first get fixed on the state level,  like the 11 states that enacted data security bills in 2014. 

Above the Law | Letter from Sen. Warren & Rep. Cummings

National Consumers League: California Data Security Legislation is Model Legislation

  • December 18, 2014

California’s sweeping data security legislation should serve as a model for the nation and states according to the National Consumers League (“NCL”).

NCL also commends the 10 states that have enacted data security legislation requiring businesses to implement data security protocols. The Hill | California’s Assembly Bill 1710

Sony Pictures Data Breach Leads to Lawsuits

  • December 16, 2014

Data breaches and lawsuits go together like PB&J: pear, brie and jambon.

Sony faces a class action lawsuit from former employees, who claim Sony had knowledge of the data security weaknesses and did nothing to correct them or protect confidential information.

The data breach leak included personal and confidential employee information, and their lawsuit is limited to the leaking of the employee information. Deadline Hollywood | Sony Employee Class Action Court Filing

This should be on every employer’s radar as well as the impending legislation to address data security that may add new burdens to businesses. 

New Data Security Rules for Financial Institutions from NY

  • December 11, 2014

New York is home to Wall Street. Naturally the New York Department of Financial Services would include new examination requirements that focus on data security. Examinations will now include:

  • Management of 3rd parties
  • Cyber Security Insurance requirements
  • Monitoring, protection, testing, and detection of cyber security systems [3 page letter from NYDFS] [WSJ]

3 Articles on Banks and Credit Unions Suing Retailers After a Data Security Breach

  • December 9, 2014

Winter 2013 brought a large data breach for Target. Various lawsuits ensued. Financial institutions sued. Individuals sued.

Target had sought to dismiss the suit brought by 5 financial institutions. The judge said, “NO,” in one of the first rulings of its kind allowing financial institutions to sue retailers for data breaches. 

Judge Magnuson also said, “imposing a duty on Target in this case will aid Minnesota’s policy of punishing companies that do not secure consumers’ credit- and debit-card information.”  [Bloomberg] [Law360] [NY Times | BitsBlog]

Health Care Data Security. HHSC Offers 3 Legislative Proposals

  • December 9, 2014

HHSC gave the House Committee on Public Health and the Senate Health and Human Services Committee a holiday gift- a report on data security.

The report lays out plans for rulemaking and legislative recommendations, including new requirements for providers: 

  • Amend the Texas Medical Records Privacy Act (the “Act”), Chapter 181, Health and Safety Code, to include reference to electronic PHI security requirements similar to those included as part of 26 required or addressable security considerations in the HIPAA security regulations
  • Require entities not covered by HIPAA, but that are covered by the TX Medical Records Privacy Act, to comply with electronic PHI security requirements.
  • Establish breach response and notification requirements.
  • Require adequate investigation, mitigation, and corrective action following a breach of PHI and a duty to promptly notify individuals of a breach of PHI in any form, electronic, oral, or paper [HHSC]

Driver License Phone App- Can it be Secure?

  • December 9, 2014

Iowa Department of Motor Vehicles is releasing an app that will function as your driver’s license. No more getting ticketed for not having your driver’s license with you, unless your phone battery is drained. 

State officials assure that the app and driver’s license will be secure from data security breaches. [Des Moines Register]

Data Security Legislation Predictions for Financial Institutions

  • December 4, 2014

Legislation predictions from Bankers: 

  • Banks required to appoint chief information security officers
  • Banks to undergo quarterly tests for information system vulnerabilities
  • Required review of third-party contracts and relationships
  • Standard set of protocols that banks must follow
  • Tort issues like: 
    • assign legal duties and responsibility
    • illuminate investor or shareholder disclosure obligations

[American Banker]

Student Data Privacy- Private Companies Want the Data. States Move to Protect Student Data.

  • December 3, 2014

How do policy makers balance the need for educational systems to adapt and improve while also protecting student data?

It’s a state issue. It’s a federal issue. It’s a local school district policy issue. Politico calls it an issue that “Parents, activists and a select group of lawmakers are clamoring for a fix.”

Federal, bipartisan bills are languishing. In 2014 Colorado, Oklahoma and California passed their own bills to protect student data. Industry wants to self-regulate, with some online education providers signing a letter that states they will not sell student data.  [Politico]

Retailer has breach. 5 Banks sue. Litigation continues to Protect Public Policy. Tort Reform on Horizon.

  • December 3, 2014

Winter 2013 brought a large data breach for Target. Various lawsuits ensued. Financial institutions sued. Individuals sued.

Target had sought to dismiss the suit brought by 5 financial institutions. The judge said no.

Judge Magnuson also said, “imposing a duty on Target in this case will aid Minnesota’s policy of punishing companies that do not secure consumers’ credit- and debit-card information.”  [Bloomberg] [Law360]

Data Security Getting More Media Attention

  • December 2, 2014

President Obama’s pick to lead the Pentagon, Ashton Carter, is a strong proponent of increasing data security. He’s been involved with the reorganization of US Cyber Command. ​

Expect more legislative & media attention for data security. [Washington Post]

Pawlenty: Businesses Should Be Held to A Higher Standard on Data Protection

  • November 17, 2014

Retailers support uniform notification requirements. Pawlenty, head of the Financial Services Roundtable, wants them to go a step further.

He wants businesses to meet the high standards that financial institutions have to meet.  [The Hill]

39 Lawsuits from Home Depot Data Breach

  • November 17, 2014

Multidistrict litigation found its new bread and butter in data breach lawsuits. The Credit Union National Association determined that the Home Depot data breach cost credit unions $60 million. The $60 million hit includes the cost to reissue cards, deal with fraud and cover other costs. [Atlanta Business Journal]

FTC Data Security Enforcement Powers

  • November 13, 2014

FTC’s data security enforcement powers are rooted in the FTC Act. The Third Circuit Court of Appeals is considering an appeal of a ruling that affirmed the FTC’s data security enforcement powers. The Center for Democracy and Technology supports the FTC’s enforcement powers. [CDT]

WY: Data Security Legislation

  • November 13, 2014

Protecting the personal privacy of citizens is trending. Wyoming is considering legislation that will:

  • Limit the amount of information the state can collect
  • Prohibit the sale of information to third parties [Wyoming Public Media]

40 Merchant Groups Urge Action on Data Security

  • November 10, 2014

Data Security is a concern for businesses large and small. These associations are urging fair reform that doesn’t overburden businesses, large or small: 

Alabama Grocers Association
American Hotel and Lodging Association
California Retailers Association
Conexxus
Florida Petroleum Marketers and Convenience Store Association
Food Marketing Institute
Georgia Association of Convenience Stores
Illinois Retail Merchants Association
Independent Oil Marketers Association of New England
Indiana Retail Council
Louisiana Retailers Association
Minnesota Grocers Association
Minnesota Retailers Association
National Association of Chain Drug Stores
National Association of College Stores
National Association of Convenience Stores
National Association of Truck Stop Owners
National Grocers Association
National Restaurant Association
National Retail Federation
Nebraska Retail Federation
New Hampshire Retail Association
New Jersey Food Council
New Jersey Retail Merchants Association
New York Association of Convenience Stores
North Dakota Petroleum Marketers Association
North Dakota Retail Association
Ohio Grocers Association
Pennsylvania Food Merchants Association
Pennsylvania Retailers’ Association
Petroleum Marketers Association of America
Petroleum Marketers & Convenience Stores of Iowa
PMCI Trust
Retail Association of Maine
Retailers Association of Massachusetts
Retail Solutions Providers Association
RINAlliance, Inc.
Society of Independent Gasoline Marketers of America
Utah Food Industry Association
Utah Retail Merchants Association
Vermont Retail & Grocers Association
Virginia Petroleum Convenience and Grocery Association
Washington Food Industry Association Education Foundation
West Virginia Oil Marketers and Grocers Association

[NACS] [The Hill]

Refreshing Recollection: Abbott Data Privacy Plan

  • November 10, 2014

Back in 2013, gubernatorial candidate Greg Abbott released his “We the People Plan” focusing on privacy. He’s concerned about data security, specifically:

  • The sale or resale of Texans’ data by state agencies
  • Extending the prohibitions against re-identification of de-identified data to non-medical data [Greg Abbott’s We the People Plan]

Cost to Financial Institutions for Data Breaches

  • November 9, 2014

Data breaches don’t only affect retail establishments and customers; banks and credit unions are also affected.  Each data breach requires new credit and debit cards to be printed and mailed, and fraudulent charges to be covered.  This comes at a hefty cost to financial institutions. 

The “Credit Union National Association says September’s data security breach at Home Depot cost its members nearly $60 million to reissue cards and cover fraudulent charges.” That’s double the estimate to cover the Target data breach. [Washington Business Journal]

Data Security Litigation: Tort Reform

  • November 9, 2014

The 2014 Home Depot data breach litigation has raised the very tort issues that data breach legislation addresses: venue and consolidation. Whenever there are a lot of injured parties spread throughout a state or country, these issues arise.

Data security breaches are the new pharmaceutical class action. [National Law Review]

State Student Data Protection Laws and Regulations in 2014

  • November 7, 2014

36 states considered 110 bills related to student data protection and privacy in 2014. The usual and obvious bills to ban collecting and/or storing student data were filed. More nuanced bills were filed as well, such as those which granted State Boards of Education privacy powers to protect student data. 

Need some pictures to show what was considered throughout the country? Check out the Data Quality Campaign. [Data Quality Campaign]

Data Security Quagmire: Public School Student Data

  • November 7, 2014

Schools have been tracking students to make them safer and more efficient. The more data that is collected, the more information there is that can be fruitful to the nefarious hackers.

This year Florida became the first state to ban the collection of biometric identifiers from students. In 2014, 36 states considered 110 bills on protecting data security of students.

What type of student data protections are we seeing?

  • FL bans collecting student biometric identifiers
  • KS requires parental consent for collecting biometric identifiers from students
  • NH, CO, & NC ban the collection and retention of student biometric identifiers
  • NH & MO said no to radio frequency student identification cards  [Pew Trusts]

California Expanded New Data Security Law: Credit Monitoring Required?

  • November 6, 2014

The phrase “if any” is giving lawyers fodder with California’s new data security law. The issue is whether “if any” means credit monitoring must be offered or may be offered. 

As always, drafting matters. Read carefully. Consider prepositions, conjunctions, and the placement of commas. It matters. [National Law Review]

Texas Lost its Data Information Officer, So Did 3 Other States

  • November 6, 2014

There’s a national talent deficit in cybersecurity personnel. It’s also hard to hire the necessary talent when the talent can fiscally fare far better in the private sector. [The Fiscal Times]

Data Security Regulation Raises Investor Confidence

  • November 6, 2014

Strong economies rely on investor confidence. According to a poll by the Center for Audit Quality, increased data security regulation leads to improved investor confidence.

Investor confidence in the U.S. economy stands at 70%.  [Journal of Accountancy]

Houston ICE Office License Plate Database Access Violates ICE Policy

  • October 30, 2014

Early this year privacy advocates had a win when ICE retracted its planned policy to allow access to a national law enforcement license-plate tracking system.

Local ICE offices didn’t like this. So, they started buying access to a private company’s vehicle registration database. The Houston ICE office is noted as buying the private company’s vehicle database.

Ongoing criminal investigations, where constitutional protections apply, are one thing, but open access to a private company’s vehicle registration database is concerning to privacy rights advocates and civil libertarians. [Washington Post]

NJ Data Security Bill Cruising Along. Cost of Business Going Up.

  • October 30, 2014

A New Jersey data security bill is called best practices for businesses and government, but also increases the costs of government and of doing business.

The bill would require notification for more data breaches. Like most states, New Jersey required notification for traditional identity fraud issues, like when a name and social security number are released.

The new legislation requires disclosure of a breach if usernames and email addresses, in combination with a password or security question-and-answer, are released or captured. [Philadelphia Business Journal]

Anonymized Ride Share Data, where does it go?

  • October 30, 2014

Washington Post points out that local regulations on ride share continuously forgo obtaining access to anonymized ride share data. It’s the same data local governments collect from taxicab drivers. 

The data serves two purposes.

(1) It strengthens transportation systems and gives tools to transportation planners, and

(2) It provides an understanding of how many jobs ride share is creating. [Washington Post]

State Data Breach Reporting- Example California

  • October 30, 2014

Lots of noble bills become studies and reports when the opposition is vocal. In recent years, the Attorney General of California has released data breach reports.

In 2013, there were 167 breaches reported to the California Attorney General, exposing data of 18.5 million Californians.

The California Attorney General also makes the following recommendations:  

For the health care industry:

– Use strong encryption to protect medical information on laptops and on other portable devices, and consider encryption for desktop computers.

For the Legislature:

– Consider legislation to amend the breach notice law in order to strengthen the substitute notice procedure; clarify the roles and responsibilities of data owners and data maintainers; and require a final breach report to the Attorney General.
– Consider legislation to provide funding to support system upgrades for small California retailers.

Data Breach Legislation History from California:
“In 2003, California was the first state to pass a law (AB 700, Simitian) mandating data breach notifications. This law requires businesses and state agencies to notify Californians when their personal information is compromised in a security breach.

In 2012, companies and state agencies subject to the law were also required, for the first time, to report any breach that involved more than 500 Californians to the Attorney General’s Office. (SB 24, Simitian).” [Lake County News]

AZ Pension Participants Data Breach

  • October 30, 2014

Does this sound familiar? A state entity sends unencrypted names and social security numbers? Yes, much like the Texas Comptroller incident, a pension system in Arizona sent unencrypted files in regular mail to a third party provider.

The third party provider never received the unencrypted disks. Now, the state is spending $300,000 to provide identity protection for the affected retirees. [News 4 Tucson]

Imposing Fines on Businesses that Fail to Notify Consumers of Data Breaches

  • October 29, 2014

Canada is considering imposing $100,000 fines on businesses that fail to notify customers of data breaches. Currently Canada utilizes a regional patchwork of data security legislation; a national fine for businesses would be a first for Canada. [Info Security Magazine]

Refreshing Recollection: The FCC can and does impose fines on businesses, like it did on two telecom companies late last week. 

Does data security legislation make consumers complacent to protect their own data?

  • October 29, 2014

Roll Call argues that the downside of heightened data security legislation is that it makes consumers complacent. Consumers aren’t encouraged or empowered to protect their own personal data. Are more regulations on business the answer to data security?  [Roll Call]

NJ Data Security Bill Advancing

  • October 27, 2014

The New Jersey Legislature is moving a bill that would place new burdens on business and government in the Garden State.

Businesses & government would be required to maintain databases that allow quick contact with customers/clients/citizens in case of a data breach.

The bill also expands the type of breaches that have to be disclosed to include usernames and passwords. [NJ A3146] 

AL Bill: Require Companies to Notify Customers of Data Breaches

  • October 27, 2014

Florida passed a data security bill earlier this year. A Republican in a neighboring state, Alabama, is filing legislation to require companies and financial institutions to disclose to customers when their personal information is exposed.

The Alabama Governor also initiated a push to upgrade all state software to better protect personal privacy. [Decatur Daily]

Democratic Party Mailer Includes Social Security Number of Republican Candidate

  • October 27, 2014

A contentious state house race in Kentucky has reached new dramatic heights when the Democratic Party sent out the arrest record of the Republican candidate, including his Social Security Number. A botched recovery for breaching data privacy by the Democratic Party isn’t helping this situation. The Republican called on the state Attorney General to investigate. 

This campaign oops moment has led to more talk of better data security laws. [Good Morning America]

Tech Company Political Giving To Support Data Privacy Legislation

  • October 27, 2014

Tech companies have been contributing exponentially more to campaigns and causes that are not favored by the perceived liberal core of Silicon Valley.

Some argue the tech company liberal core isn’t liberal but rather libertarian. Just look to the hearty response Rand Paul received recently in Silicon Valley.  

Tech companies want changes to data privacy laws. Tech companies generally support increased protection for your data privacy and they are putting their money where their mouths are. [Politico]

Privacy Commissioner: Legislatively Established, Legislatively Revoked

  • October 27, 2014

Personal data protection is a concern worldwide. Australia created a Privacy Commissioner to monitor the protection of personal data privacy. Some argue that the Privacy Commissioner’s enforcement powers exclude state and local governments and thus aren’t effective. A legislative proposal seeks to revoke the Privacy Commissioner. [The Guardian]

FCC Levies $10M Fine Against Telecoms

  • October 25, 2014

FCC wades into data security enforcement by fining two telecom companies $10M for failing to properly secure their customer data. Does the PUC have this power? [WSJ]

Data Security Experts: Longterm Political & Legislative Reform

  • October 24, 2014

Data breaches. There’s a new one every week. Cybersecurity experts say the only way to address the issue is long term legislative and political reform.  Bruce Schneier, a fellow at the Berkman Center for Internet & Society at Harvard, says there should be more regulation on business to secure our personal information. What do those regulations look like?

  • Causes of Action for consumers against the business.
  • Government imposed penalties against businesses. 
  • Timely and comprehensive disclosures of breaches by businesses.

That’s a lot of business regulation. [Sacramento Business Journal]

Data Breach: Staples

  • October 22, 2014

News reports allege that Staples had a data breach. There’s a long list of retailers that have endured a data breach. 

Forbes discusses the role personal responsibility has in data breach corrections. Legislating personal responsibility is challenging. The modus operandi of the Legislature is putting into place new regulations on retailers, banks and/or creating new civil or criminal penalties. [Forbes]

Refreshing Recollection: Retail Data Breach Leads to Multi District Class Action Litigation

  • October 21, 2014

Almost a year ago, Target experienced a large data security breach through a third party vendor. This data breach prompted federal and state legislation, and class action lawsuits.

The Target data breach led to at least 27 federal causes of action in 18 different federal courts. MDL, multi district litigation, is a hot topic for the Texas Legislature. MDL was addressed in 2003 tort reform legislation and in various asbestos litigation reforms.

If Texas creates causes of action related to data privacy, be assured, MDL will be discussed. [Southeast Times Record]

500 Million Financial Records Hacked Says the FBI

  • October 21, 2014

The FBI is sharing frightening information. 500 Million financial records have been hacked.

Can you hear all those bills being written? Legislator comments write themselves: FBI statistics indicate that 500 million financial records have been hacked. These victims deserve justice for the invasion of their privacy. This bill will give the victims of hacking justice….

What remains to be seen is whether these bills will go after the hackers, or after the financial institutions for not protecting the information better. Will it be civil penalties or criminal penalties? [USA Today]

Internet Association forms PAC

  • October 21, 2014

The Internet Association has been active in D.C. It’s now setting its sights on shaping student data security legislation and ride sharing legislation. It formed a California PAC.  Next stop is Texas. [The Recorder]

Executive Action on Data Security. Next Step Executive Action in Texas.

  • October 19, 2014

All federal debit and credit cards will require PIN and chip technology. President Obama required the data security measures by issuing an executive order. The Order is heralded by the National Retailers Federation. [Roll Call] [The Hill]

Refreshing Recollection: The same chip and pin technology is discussed by several interim committees examining increasing Texas’ data security. [Business & Industry March 27, 2014]

CA Gov. Brown Signs Landmark Education Privacy Bill

  • October 17, 2014

California is limiting how third party education vendors can use student data. In an interview with Education Week, the new law is referred to as the “first truly comprehensive student-data-privacy legislation,” and the interviewee said he expects it to become a model for other states around the country. [Education Week] [Copy of the Bill- The Student Online Personal Information Protection Act]

FBI Chief: Pendulum of Privacy Has Swung Too Far

  • October 17, 2014

Privacy is a hot issue. Citizens want privacy. The government wants to be free to peruse your electronic information. It’s a bone of contention between the U.S. government and big technology companies like Apple and Google that seek to protect and encrypt customer data.

The FBI Chief is warning Silicon Valley that they are doing too much to protect privacy. He wants Congress to act to allow the government to intercept more electronic information. That should be popular with the new Libertarian leaning, Republican Congress. [Wall Street Journal]

FL Supreme Court Limits Cell Phone Data Tracking

  • October 17, 2014

For a good while law enforcement could obtain cell phone data without a warrant. It’s a controversial 4th amendment issue throughout the US, including in Texas.

Florida police had a warrant for calls going into and out of a defendant’s phone, but the Florida Supreme Court said that warrant did not cover tracking cell phone data to follow the defendant’s movements. The ruling is being heralded as an enormous victory for privacy rights. [First Coast News] [Wall Street Journal]

Greatest Inhibitor to Innovation: Weak Data Security

  • October 14, 2014

The interim legislative committees have been studying data security after a rash of data breaches. It’s a complex issue. How to protect consumers, how to protect businesses and how to protect banks will be a tricky balance for the Legislature.

We need to add one more policy consideration- how data security policies impact innovation. Texas wants to be a leader in innovation and utilizes economic development programs and favorable tax environment to draw leaders in innovation to Texas.  

A recent Intel panel on data security and data privacy suggests poor data security and data privacy policies are harming innovation. Add innovation and economic development to your list of policy considerations for 2015’s data security legislation.  [Engadget] 

Data Breach: DropBox

  • October 14, 2014

DropBox, the cloud storage service, was allegedly hacked. Logins and passwords are being published and bitcoin is being requested by the hacker. DropBox’s statement is that the hack came through a third party vendor, much like the Target hack.

DropBox recommends enabling the two key log-in. Two key log-in methods have also been discussed in interim committee hearings as a standard for the state to consider adopting in 2015 legislation. Look for the phrase in any laundry list of data security measures. [Houston Chronicle] 

Snapchat: It’s Your Fault Your Snaps Got Hacked

  • October 12, 2014

Protecting your data security has many levels. One is personal responsibility, which is Snapchat’s point. Unusual PR choice of Snapchat to blame its own users. But, exercising personal responsibility to protect your personal data is smart. Don’t worry the good men and women of Texas government will come to your aid during 2015 with legislation to protect individuals and businesses, increase criminal penalties and create new causes of action. [NYMag]

Digital Health: New Hacker Frontier

  • October 12, 2014

Digital health is big business. But, protecting digital health records doesn’t get the same attention as data breaches at retail establishments. We should be paying more attention to the security of our digital health records. [Washington Post: WonkBlog]

Data Breach Du Jour: Dairy Queen

  • October 11, 2014

Even the Blizzard cannot prevent data breaches.  Dairy Queen followed the 3 key responses: (1) publicly list the affected stores, (2) offer identity repair services, and (3) work with law enforcement. As usual, the target of the hack was credit card information while in transit; no PINs or social security numbers were hacked.  [GrubStreet]

Google’s Schmidt Says Encrypted Phones Won’t Thwart Police – WSJ

  • October 11, 2014

Data Security is complicated. Federal statutes and rules control on one level. State statutes and rules complement and add to federal requirements.  Legislation will be focused on keeping the bad guys out of your personal and private information. This protection from data breaches will focus on state causes of action to protect businesses; additional security parameters for the banking industry; and state criminal causes of action galore.

Sometimes the bad guys who should be kept out of your personal and private information are law enforcement. Most of us think law enforcement can’t go on fishing expeditions for information and that law enforcement needs warrants. Such is not true. Here’s Google’s CEO talking about it to the Wall Street Journal. [WSJ]

Data Security & Firing Employees. Tread Carefully.

  • October 9, 2014

Breaching data security means jail time. Also, remember to be kind to people: when a fired employee is pushed to the point of breaking into secured email, there were communication problems. Communication problems usually trace to a failure to listen. Listen; it’s respectful. No one likes a name calling bully. Be smart, don’t incite those prone to hacking.   [Albuquerque Journal] 

Data Security Laws Involve Jail Time

  • October 9, 2014

Breaching security means jail time. Also, remember to be kind to people: when a fired employee breaks into secured email, there was a lack of respectful treatment. No one likes a name calling bully.

2015 legislation will include criminal penalties.  Since the banking crisis, we’ve seen an uptick in criminal charges against corporations.  [ABQ Journal]

FTC Commissioner Brill Stresses Data Privacy & Security

  • October 7, 2014

When talking about data security, it’s easy to get lost in the data that can be taken away by the nefarious. But, businesses shouldn’t ignore examining the information that they collect.

FTC Commissioner Brill stresses the need for companies to consider minimizing data collection. Less data collected, less of a target for data breaches by the nefarious elements. [AdAge] 

UT Austin Steps Up To Secure Data

  • October 7, 2014

UT Austin today announced the formation of IDWise, funded with a partnership with the Texas Legislature. IDWise will provide data security toolkits and education for individuals and small businesses.   [UT Austin Center for Identity]

Patent Trolls, the Texas Legislature is Watching

  • October 3, 2014

Blue Spike is being called a patent troll. Filing 45 patent infringement claims in two weeks raises red flags. Especially after June US Supreme Court rulings requiring greater specificity in patent infringement claims.

The Texas Legislature is looking to state solutions for businesses that were targeted by trolls. Solutions include state legal claims against the trolls. 

[EFF on the US Supreme Court Rulings] [Above the Law] [TX House Committee on Technology Interim Charge]

The Data Breach Cleaner

  • October 3, 2014

Google says it takes hours, not weeks, to clean up a data breach, if your personal information/photos are posted on its websites. But, here’s the kicker- Google relies on users to report breached information.

There is no internet law enforcement. There are bullies and hackers, but there is no John Wayne or Clint Eastwood of the Internet to ensure everyone acts respectfully.  The very Libertarian internet world relies on personal responsibility.

Personal responsibility is a wonderful concept, in a perfect world. In reality, lawsuits abound. When there are lawsuits, state legislatures will step in and regulate data security. Regulation will also bring internet taxes to support data security enforcement. [WSJ]

Techies have entered the Political World

  • September 29, 2014

Big week for tech and politics. Facebook & Yelp stop contributing to ALEC.  Tech companies are in high gear hiring consultants at record levels to navigate politics and government. Search warrants that make tech companies turn over terabytes of storage, angering their tech users, automatically spark the attention of their lawyers, which, in turn, causes consultant hiring. It’s a limbic reaction.  The Government taking “cloud property” is as evil as taking real property to Libertarian types. [Buzzfeed]