From Data Breach to Bankruptcy – A Cautionary Tale for Those Without Cyber Insurance

Two lessons from this: 1. It's worth investing in cyber security (a full program, not just shiny security tools); 2. Insurance can make the difference between survival and bankruptcy if/when the worst happens...: A data breach may cost a company millions in recovery and liability damages, but rarely does a breach force a company into bankruptcy. However, a months-long data breach at American Medical Collection Agency (AMCA) in 2018-2019 did just that, forcing its parent comp

New Study Shows AI Made Scientific Discoveries Humans Missed: What are the Implications for eDiscovery?

Legal process usually lags behind commercial application of new technology. Here's a discussion about a potential use for AI, but why it's difficult to implement...: [...]In a recent study published in Nature, researchers from the Lawrence Berkeley National Laboratory used an algorithm called Word2Vec to read scientific papers. The algorithm was given no training in scientific knowledge, instead relying only on word associations. While reviewing over 3 million previously wri

Introduction and Comments on Measures for Data Security Management

It's worth reading the complete article to get a feel for the restrictions that China is placing on network operators. It looks like they are learning from activities in the West and are building privacy measures as well as security. These two clauses caught my eye...: [...] Requirements on Special Cases in Data Collection and Use: Targeted Push Information: (A) Network operators shall not, through authorization by default, bundling functions, or other means, force or m

FTC Litigation with D-Link Ends with Comprehensive Settlement

It's strange that it takes legal action to force a manufacturer to undertake a security program and get third party certification. I'd rather see this as a cost of entry into the market that applies to all manufacturers...: In 2017, the FTC filed a complaint against D-Link Systems, Inc. (D-Link) alleging that the Taiwan-based computer networking equipment manufacturer had taken inadequate security measures which left its wireless routers and Internet-connected cameras vulner

Employers Can Truncate Employee Social Security Numbers on Forms W-2

This might seem esoteric, but... Data anonymisation is one of the basic methods for maintaining privacy and is strongly suggested (i.e. mandatory without a good reason) in GDPR. Good to see it being adopted in the USA...: In an effort to reduce identity theft, the IRS has issued final regulations that permit employers to truncate the social security numbers of employees on Forms W-2. Thus, the employer can elect to report the number in the format of XXX-XX-1234 or ***-**-123

Medtronic 508 (MiniMed) Insulin Pumps Recalled

This is a report from a law firm in the USA. There's a series of design decisions to be made for each medical device but the two big cyber security issues are remote access & remote updates. If you allow for firmware to be updated remotely that can make the device more insecure. It's a difficult call...: In my 25 years in the data privacy and cybersecurity profession, this is the first time that I believe a medical device has been recalled because of a cybersecurity risk

US Data Breach and Privacy 2019 Legislative Recap

A useful summary of the patchwork of legislation across the US. My general advice for companies operating internationally is to take GDPR as your starting point, then look for specific enhancements by jurisdiction you operate in...: A few weeks ago, Texas signed into law an amendment to its data breach law, capping off a busy first half of 2019 for state lawmakers in this arena. As we gear up for the second half of 2019, we thought a recap was worthwhile. The legislation r

New Bill Imposing Increased Fines for Violations of Russian Data Protection Laws Under Consideration

Doing business in Russia? Time to review your data localisation practices...: On June 13, 2019, a new draft bill imposing multi-million Ruble (RUB) fines for infringing Russian data localization and information security laws—multiplying the maximum penalty under current law by a magnitude of 240—was submitted to the State Duma (the lower chamber of Russian Parliament). This would supplement existing fines, which we reported were previously increased in 2017. The current v

Browsewrap Terms Enforced Due to Customer Knowledge of Existence of Terms

Click- or Browse-wrap agreements (simple tick-box stuff) on websites have a patchy history of being enforceable. This case makes the point that repeated use of a website may imply acceptance of terms...: [...] As a result, the court granted the defendant’s motion to compel arbitration. The case stands for an important proposition that enforceability of website terms may, in some cases, be contingent on instances of actual notice of the terms that occur outside the registrati

OCR reminds business associates of direct liability for noncompliance with HIPAA Rules

Supply chain risk hasn't been out of the news recently. In the US, the regulator is reminding business associates of healthcare companies that they are also subjects of regulatory oversight...: The HHS Office for Civil Rights (“OCR”) recently issued a new fact sheet (“Fact Sheet”) addressing direct liability of business associates for violations of the HIPAA Privacy, Security and Breach Notification Rules (“HIPAA Rules”). The Fact Sheet serves as a reminder to business assoc