On Jan. 25, 2019, the Illinois Supreme Court issued a landmark opinion in Rosenbach v. Six Flags Entertainment Corporation, a case brought under the Illinois Biometric Information Privacy Act (“BIPA”). 740 ILCS 14/1 et seq. The court reversed the decision of the Illinois appellate court and held that a plaintiff may bring a lawsuit under BIPA as an “aggrieved” party based upon a defendant’s violation of the statutory requirements of BIPA and without the plaintiff being required to show …
In a local news interview, I was recently asked to comment on the Facebook-Cambridge Analytica story involving the unauthorized use of Facebook user profile information by Cambridge Analytica for profiling and targeting purposes. The focus of the interview was what consumers can do to better protect themselves. However, there are learning opportunities for businesses too. Here are some quick points to consider for both parties.
- Your choices matter most. I beat this drum pretty heavily, but it is
U.S. privacy law is based on the principles of notice and consent – for instance, under FTC and state consumer protection laws, consumers given fair notice and the opportunity to consent generally cannot complain about the use of their data.
But as we have noted in prior posts, the E.U.’s General Data Protection Regulation (“GDPR”), which will become effective May 25 of this year, is more comprehensive than any U.S. privacy law in most respects. It treats personal data (defined …
The Office for Civil Rights (OCR) announced a $5.5 million settlement agreement with Florida’s Memorial Healthcare Systems (MHS) stemming from allegations that it failed to protect patient data. The privacy violation arose out of unauthorized access to the information of 115,143 patients by MHS employees. The information that was compromised consisted of names, dates of birth and Social Security numbers. A majority of these impermissible actions occurred when a former employee’s login credentials were used from 2011 to 2012, which affected 80,000 individuals.…
To effectively guard against an enemy of any kind, it’s important to know your enemy. This strategy is just as effective when fighting an online battle to protect your company’s data.
Before you can effectively defend against cyberattacks, it is important to educate yourself on potential threats and how to handle them. We invite you to join us on September 7 for part two of the Columbus Cybersecurity Series, featuring the return of FBI agent David Fine. During this portion of the …
This is the first of a three-part series on the implications of cybersecurity threats on boards of directors.
Now, more than ever, corporate boards face an immense challenge to ensure that their companies are prepared for cybersecurity threats before they occur. It is not a question of if a corporation will be hit by a cybersecurity incident or data breach, but when.
The Existing Cybersecurity Landscape and Associated Risks
The landscape that corporate boards face has never been more treacherous, with …
The Department of Justice Cybersecurity Unit recently issued its “best practices” for cybersecurity incidents, while the SEC recently circulated a cybersecurity “guidance update.” These publications recommend that companies institute certain policies and procedures for cybersecurity based on each agency’s experience in the area.
The agencies’ suggestions are good ones. More importantly, like NIST’s Cybersecurity Framework, such recommendations may become de facto standards that regulators, courts, and juries look to when they assess whether your company’s …
Threat Intelligence is, very simply, network defense techniques that leverage knowledge (i.e., intelligence and counterintelligence) about adversaries so that organizations can build a superior information base which decreases the chances of an attacker compromising their networks. Gartner more specifically defines it as “Evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to the menace or hazard.”
Vulnerability …
The marquee breaches that have occurred recently (i.e., Anthem, Home Depot, Morgan Stanley, Target, LinkedIn, and Sony) have helped U.S. Fortune 1000 companies understand that data security must be taken seriously. Not only must companies invest in their data security, but they must proactively manage and protect it. Previously, large corporations generally considered hacking attacks and general security breaches as “Force Majeure” events in that they were both unpredictable and unpreventable. Therefore, many of the Fortune 1000 purchased cyber …
When we secure an asset, we usually know where it is and have a series of controls to protect it. For a house or office building, it is the address and we secure it with locks and perhaps a security service. For a car, we have the VIN and maybe a tracking device if the car is valuable as well as keys and alarms to control access. By and large, we have ingrained in our psyches how to protect physical …
Following high-profile data breaches, including North Korea’s virtual invasion of Sony Pictures, President Obama declared a national emergency related to malicious cyber-attacks from abroad. In an executive order signed April 1, 2015, Obama created expansive sanctions designed to curb, as he put it, this “unusual and extraordinary threat to the national security, foreign policy, and economy of the United States.”
The order gives the U.S. Treasury Department discretion to freeze assets of foreign persons or entities who engage in “or …
What career could possibly be more exciting than serving as a privacy lawyer for tech start-up companies? This is a question I asked myself a few years back, right after I finished clerking for a couple of terrific federal judges and right as I was considering starting the privacy practice I had envisioned as a law student sitting in Prof. Fred Cate’s classes at the Indiana University Maurer School of Law several years earlier. At that time, my answer was …
“How To Advise Tech Start-Ups in Practice, Not Theory,” an article by Taft Cincinnati attorney Matthew D. Lawless, was published in IAPP’s The Privacy Advisor on March 24.
About the IAPP
The IAPP is the largest and most comprehensive global information privacy community and resource. Founded in 2000, the IAPP is a not-for-profit organization that helps define, support and improve the privacy profession globally.…
1. Do we receive any health information from health plans, health care clearinghouses or other …