data security
Subscribe to data security's Posts

Uber Criminal Complaint Raises the Stakes for Breach Response

On August 20, 2020, a criminal complaint was filed charging Joseph Sullivan, Uber's former chief security officer, with obstruction of justice and misprision of a felony in connection with an alleged attempted cover-up of a 2016 data breach. These are serious charges for which Mr. Sullivan has the presumption of innocence. At the time of the 2016 data breach, Uber was being investigated by the US Federal Trade Commission (FTC) in connection with a prior data breach that occurred in 2014. According to the complaint, the hackers behind the 2016 breach stole a database containing the personal information of about 57 million Uber users and drivers. The hackers contacted Uber to inform the company of the attack and demanded payment in return for their silence. According to the complaint, Uber's response was to attempt to recast the breach as a legitimate event under Uber's "bug bounty" program and pay a bounty. An affidavit submitted with the complaint portrays a...

Continue Reading

China Data Protection Enforcement Update – A Focus on Platform Content

Following the first enforcement actions by local authorities in Shantou and Chongqing for violations of the new Network Security Law that came into effect this year, authorities in China have recently shown a clear initial focus with several new cases targeting provisions of the law that require monitoring of platform content. As of the start of October 2017, enforcement actions by authorities in China have targeted platform content violations in nearly 70 percent of all actions under the new provisions of the data protection rules.   A smaller but notable percentage of the actions have also targeted violations related to security failures under the “graded protection system monitoring” requirements, which include issues such as failing to resolve security vulnerabilities, not saving users’ login information, or connecting to known problematic websites. Other enforcement actions related to this field have targeted types of crimes that existed before the...

Continue Reading

China’s Network Security Law Comes into Effect: What It Means for Your Company

Today, China’s much anticipated Network Security Law comes into effect after two years of review, revisions over three drafts and a public commenting process. The law is a historical development for China’s legislative coverage of information security and data protections. It also represents one of the strictest approaches in any jurisdiction worldwide, and a continuation of a broader effort at demonstrating the government’s cyber-sovereignty goals through control and regulation of data and the internet. Overview of the Network Security Law Commonly referred to as the “Cybersecurity Law,” the new piece of legislation has a broad scope and covers a range of issues related to data privacy, security and cross-border transfers, including: Increasing security measures and strengthening data security through a variety of specific obligations Ensuring consent for collection of personal information through the principles of legality, proper justification and...

Continue Reading

Guidance on Ransomware Attacks under HIPAA and State Data Breach Notification Laws

On July 28, 2016, US Department of Health and Human Services (HHS) issued guidance (guidance) under the Health Insurance Portability and Accountability Act (HIPAA) on what covered entities and business associates can do to prevent and recover from ransomware attacks. Ransomware attacks can also trigger concerns under state data breach notification laws. The HIPAA Security Rule requires covered entities and business associates to implement security measures. It also requires covered entities and business associates to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (ePHI) the entities create, receive, maintain or transmit and to implement security measures sufficient to reduce those identified risks and vulnerabilities to a reasonable and appropriate level. The HIPAA Security Rule establishes a floor for the security of ePHI,...

Continue Reading

New Data Disposal Law in Delaware Requires Action by Impacted Businesses

While the federal government continues its inaction on data security bills pending in Congress, some U.S. states have been busy at work on this issue over the summer.  A new Delaware law H.B. 295, signed into law on July 1, 2014 and effective January 1, 2015, provides for a private right of action in which a court may order up to triple damages in the event a business improperly destroys personal identifying information at the end of its life cycle.  In addition to this private right of action, the Delaware Attorney General may file suit or bring an administrative enforcement proceeding against the offending business if it is in the public interest. Under the law, personal identifying information is defined as: A consumer’s first name or first initial and last name in combination with any one of the following data elements that relate to the consumer, when either the name or the data elements are not encrypted: his or her signature, full date of birth, social...

Continue Reading

STAY CONNECTED

TOPICS

ARCHIVES