
Data Breach News: September 2016 Roundup

by John DiGiacomo

Partner

Data Breach Link Fest

Data breach law links for Sept 9, 2016.  

Key takeaways: you’re not immune from data breaches; maintain at least some semblance of security; have a plan.

1. 43 million is an awful lot of customers to notify that their Last.fm accounts were hacked, or why 123456 isn’t a secure password. Read more….

2. And another company not using hashed passwords….. Rambler.ru. Another reminder why 000000 isn’t a secure password. Read more….

3. Congressional Report Slams US Office of Personnel Management on Data Breach:

“Probably the most incisive portion of the assessment is the timeline of major events in the breach, which details a series of miscalculations on the part of the OPM leadership. The analysis paints the picture of a chronic — almost willful — underestimation by senior leadership at OPM about the seriousness of the threat facing the agency, until it was too late.”

Read more at krebsonsecurity….

4. Make a plan, practice the plan, appoint a delegated authority. Sounds like good advice. Worth reading an excellent article by Linda Musthaler on networkworld.com

5. An older article, but just to remind you that nobody is safe from data breaches, not even Google: read more….

6. 20 seconds of physical access with a $50 device is all that’s needed to steal login credentials. How are you supposed to protect against that? Good article here, by Dan Goodin.

7. Data Privacy Law: The 5 different areas businesses should be concerned with. Read more…..


What September 2016’s Data Breach Wave Teaches Businesses About Legal Compliance

The breaches highlighted in this roundup — Last.fm, Rambler.ru, and the OPM — each carry distinct legal lessons for businesses that handle personal information. The common thread is that data security failures generate immediate and significant legal exposure under federal and state law.

Lesson One: Password Security Is a Legal Compliance Issue

Both the Last.fm and Rambler.ru breaches involved unsalted or poorly hashed passwords — a failure that modern best practices have addressed for over a decade. From a legal standpoint, storing passwords in an insecure format is strong evidence of negligence in a data breach lawsuit. The FTC has pursued enforcement actions against companies for exactly this type of failure under the unfair or deceptive practices standard of 15 U.S.C. § 45. In FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015), the court affirmed the FTC’s authority to hold companies liable for lax data security. If your business stores user credentials, industry-standard hashing algorithms with proper salting are not optional features — they are the floor of legally defensible data security practice.
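An added example, not code from the original post, contrasting the unsalted storage behind the Last.fm and Rambler.ru dumps with salted, iterated PBKDF2 storage and a registration-time check against the weak passwords the roundup cites. The banned-password list and the 600,000 iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed list of passwords named in the roundup; a real deployment would
# check against a much larger corpus of known-breached passwords.
COMMON_PASSWORDS = {"123456", "000000", "password"}

# Assumption: a deliberately slow PBKDF2-SHA256 setting for new records.
PBKDF2_ITERATIONS = 600_000


def is_commonly_used(password: str) -> bool:
    """Reject known-weak passwords at registration so 123456 never gets stored."""
    return password.strip() in COMMON_PASSWORDS


def unsalted_md5(password: str) -> str:
    """Legacy storage: every user with the same password gets the same digest,
    so one precomputed table of common passwords unmasks all of them at once."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes = b"") -> str:
    """Defensible storage: per-user random salt plus a slow iterated hash."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Two users sharing a weak password are linkable under unsalted hashing...
    print(unsalted_md5("123456") == unsalted_md5("123456"))   # True
    # ...but produce unrelated records under salted PBKDF2.
    print(hash_password("123456") == hash_password("123456"))  # False
    record = hash_password("tr0ub4dor&3")
    print(verify_password("tr0ub4dor&3", record), verify_password("123456", record))
```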

Lesson Two: Willful Ignorance of Threats Exposes Senior Leadership

The Congressional report on the OPM breach described a chronic — almost willful — underestimation of the threat. Courts and regulators assessing data breach liability look at what the organization knew and when. A company that received security audit recommendations, or whose IT staff reported known vulnerabilities, and then suffered a breach is in a far worse legal position than a company that was the victim of a genuinely novel attack despite reasonable precautions. Document your security assessments, remediation efforts, and the decisions made — and not made — at the executive level. That documentation becomes critical evidence in regulatory investigations and class action defense.

Lesson Three: Have a Response Plan and Practice It

State data breach notification laws impose notification timelines that begin running from the moment the business discovers or reasonably should have discovered the breach. A business with a documented incident response plan will identify and contain a breach faster, begin the notification clock from a defensible point, and demonstrate to regulators and plaintiffs that it acted reasonably. Key elements of a legally defensible incident response plan include:

1. A designated incident commander with authority to invoke the plan.

2. A pre-identified forensic investigation firm and outside breach counsel.

3. A state-by-state notification matrix covering each state where your customers reside.

4. Pre-drafted notification templates reviewed by counsel for compliance with applicable statutes.

5. A cyber liability insurance policy with coverage for notification costs, forensic investigation, and regulatory defense.

The Five Areas of Data Privacy Law Businesses Must Track

Data privacy law for businesses spans five distinct regulatory areas:

1. State breach notification statutes, which differ significantly in their definitions of personal information, notification timelines, and regulatory reporting requirements.

2. The FTC’s general unfair practices authority under Section 5 of the FTC Act.

3. Sector-specific federal statutes, including HIPAA for healthcare data, GLBA for financial data, and COPPA for data about children under 13.

4. The California Consumer Privacy Act and its successor the CPRA, which have become the de facto national standard for consumer data rights.

5. International frameworks, particularly the EU’s General Data Protection Regulation, which applies whenever you process the personal data of EU residents regardless of where your business is incorporated.

No breach is ever just a breach in one regulatory silo — multi-state, multi-framework compliance is the norm for any business of meaningful scale.

If you want to conduct a data security compliance assessment, develop an incident response plan, or respond to an active breach, Revision Legal’s data breach attorneys are available to help. Contact us through the form on this page or call 855-473-8474.

Physical Security as a Data Security Legal Issue

The final item in this roundup — the observation that 20 seconds of physical access with a $50 device is enough to steal login credentials — points to a category of data security risk that is often overlooked in legal compliance discussions: physical security. Most data breach notification laws and FTC guidance focus on network and software security, but physical access to computing infrastructure is a recognized vector for data theft. Courts and regulators assess the reasonableness of a business’s overall security posture — including physical access controls — when evaluating whether a business took appropriate measures to protect personal information. Businesses that maintain servers or workstations containing personal information should implement physical access controls such as locked server rooms, visitor logs, employee ID requirements, and clean desk policies that prevent unauthorized individuals from accessing unattended computing equipment. Failure to maintain physical security controls, when combined with a data breach, can support arguments that the business acted negligently in protecting consumer data — particularly when the business knew or should have known that physical access to its systems posed a risk.

Why Nobody Is Safe: Lessons from High-Profile Breaches

The observation that even Google has suffered data breaches through third-party benefits providers highlights a critical compliance principle: even businesses with extensive security resources and sophisticated technical teams can suffer breaches through third-party vendor relationships. The legal implication is that businesses cannot delegate their data security obligations to vendors and assume the obligation transfers with the data. A business that shares personal information with a vendor — whether a benefits administrator, a payroll processor, a marketing platform, or a cloud storage provider — remains responsible under applicable data breach notification laws for the personal information that vendor holds on its behalf. Contracts with vendors who handle personal information should include data security requirements, breach notification obligations, indemnification provisions, and the right to audit the vendor’s security practices. Revision Legal assists businesses in drafting and reviewing vendor data security agreements to ensure that third-party risks are contractually managed. Contact us through the form on this page or call 855-473-8474.
