Archives: Reasonable Security


InfoLawGroup Launches CPO on Demand™ Service

InfoLawGroup announces the launch of CPO on Demand™, a service through which we serve as outside Chief Privacy Officers, Privacy Counsel, and DPOs as required under EU regulation. CPO on Demand™ brings the depth and breadth of our privacy and security focused attorneys to support your business’s legal, compliance, and privacy teams. Please click here …

Businesses Take Heed: FTC’s Recent Report, Conference Signal Big Data’s the Big Deal in 2016

FTC Kicks Off New Year with New Report on Growing Use of Big Data Analytics Across All Industries

Without so much as a week of 2016 having lapsed, the Federal Trade Commission (“FTC” or “Commission”) released a new report with recommendations to businesses on the growing use of big data. The report, “Big Data: A …

Mobile Apps: FTC Says Vague Privacy Policies and Lack of Terms a Problem

Last week, the FTC released a study it conducted in connection with price-comparison apps, deal apps and apps that allow people to pay for purchases using their mobile device while shopping in brick-and-mortar stores. The newly released study is the latest commentary from the FTC in a long line of workshops and reports that started in 2012 …

Information Security Strategy: A Lesson from the Target Breach

Over the past few weeks, new revelations have provided greater insight into the breach of Target Corp. over the holiday shopping season. Notable among the recent news is the assertion that the cybercriminals behind the Target breach initiated their infiltration through HVAC vendor Fazio Mechanical (http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/). It is believed that the cybercriminals staged a phishing …

FTC “Internet of Things” Workshop Explores Privacy Risks and Benefits

The Federal Trade Commission’s long-awaited “Internet of Things” public workshop was held Nov. 19, 2013, and webcast live (with presentations, transcripts and videos to be archived for ready access at http://www.ftc.gov/video) to explore a wide range of potential privacy and security issues associated with Internet-connected devices everywhere – at home, work and in the car. …

Lessons From When Cyber Security Meets Physical Security

Data security and what qualifies as “reasonable” security is on everyone’s mind these days – at least if you’re involved in IT, or responsible for addressing any aspect of the “GRC” troika of governance, risk management and compliance issues. Sometimes overlooked on the cyber side, however, is the interaction of cyber with real world, physical …

The Duty to Authenticate Identity: the Online Banking Breach Lawsuits

We have entered an era where our commercial transactions are increasingly being conducted online without any face-to-face interaction, and without the traditional safeguards used to confirm that a party is who they purport to be. The attenuated nature of many online relationships has created an opportunity for criminal elements to steal or spoof online identities and use them for monetary gain. As such, the ability of one party to authenticate the identity of the other party in an online transaction is of key importance. To counteract this threat, the business community has begun to develop new authentication procedures to enhance the reliability of online identities (so that transacting parties have a higher degree of confidence that the party on the other end of an electronic transaction is who they say they are). At the same time, the law is beginning to recognize a duty to authenticate. This blogpost looks at two online banking breach cases to examine what courts are saying about authentication and commercially reasonable security. …

Legal Implications of Cloud Computing — Part Five (Ethics, or Why All Lawyers - Not Just Technogeek Lawyers Like Me - Should Care About Data Security)

So, you thought our cloud series was over? Wishful thinking. It is time to talk about ethics. Yes, ethics. Historically, lawyers and technologists lived in different worlds. The lawyers were over here, and IT was over there. Here's the reality: Technology - whether we are talking cloud computing, ediscovery or data security generally - IS very much the business of lawyers. This post focuses on three recent documents, ranging from formal opinions to draft issue papers, issued by three very prominent Bar associations -- the American Bar Association (ABA), the New York State Bar Association (NYSBA), and the State Bar of California (CA Bar). These opinions and papers all drive home the following points: as succinctly stated by the ABA, "[l]awyers must take reasonable precautions to ensure that their clients' confidential information remains secure"; AND lawyers must keep themselves educated on changes in technology and in the law relating to technology. The question, as always, is what is "reasonable"? Also, what role should Bar associations play in providing guidelines/best practices and/or mandating compliance with particular data security rules? Technology, and lawyer use of technology, is evolving at a pace that no Bar association can hope to meet. At the end of the day, do the realities of the modern business world render moot any effort by the Bar(s) to provide guidance or impose restrictions? Read on and tell us - and the ABA - what you think. …

EMI v. Comerica: Court Finds Bank’s Security is Commercially Reasonable — Bank Loses Motion for Summary Judgment

An odd result -- we know. We previously reported on the lawsuit filed by Experi-Metal, Inc. ("EMI") and the subsequent motion for summary judgment (and briefs) filed by Comerica Bank to have the case dismissed. As reported in July, the U.S. District Court for the Eastern District of Michigan has issued a ruling on Comerica's motion for summary judgment. To make a long story short, the Court denied Comerica's motion and this case appears headed toward trial (or potentially settlement). In the course of its ruling the Court found that Comerica had utilized commercially reasonable security procedures. However, that ruling had more to do with the language in Comerica's contracts than an actual substantive analysis of the reasonableness of Comerica's security. In this blogpost, we take a look at the Court's ruling. …

EMI v. Comerica: Comerica’s Motion for Summary Judgment

Back in February 2010, we reported on an online banking lawsuit filed by Experi-Metal Inc. ("EMI") against Comerica (the "EMI Lawsuit"). As you might recall, this case involved a successful phishing attack that allowed the bad guys to get EMI's online banking login credentials and wire transfer about $560,000 from EMI's account (the original amount was $1.9 million, but Comerica was able to recover some of that). The bad guys were able to foil Comerica's two-factor token-based authentication with a man-in-the-middle attack. Comerica did not reimburse EMI for the loss, and this lawsuit resulted. In April 2010, Comerica filed a motion for summary judgment in order to dismiss the case. The motion has been fully briefed by both sides, and this blogpost looks at the arguments being made by the parties …

Information Security Standards and Certifications in Contracting

It often makes sense to refer to an information security management framework or standard in an outsourcing contract, but this is usually not very meaningful unless the customer also understands what particular security measures the vendor will apply to protect the customer's data. …

Contracting for Cloud Computing Services

Nearly every day, businesses are entering into arrangements to save the enterprise what appear to be significant sums on information technology infrastructure by placing corporate data "in the cloud." Win-win, right? Not so fast. If it seems too good to be true, it probably is. Many of these deals are negotiated quickly, or not negotiated at all, due to the perceived cost savings. Indeed, many are closed not in a conference room with signature blocks, ceremony, and champagne, but in a basement office with the click of a mouse. Unfortunately, with that single click, organizations may be putting the security of their sensitive data (personal information, trade secrets, intellectual property, and more) at risk, and may be overlooking critical compliance requirements of privacy and data security law (not to mention additional regulations). My article "Contracting for Cloud Computing Services: Privacy and Data Security Considerations," published this week in BNA's Privacy & Security Law Report, explores a number of contractual provisions that organizations should consider in purchasing cloud services. You can read the full article here, reprinted with the permission of BNA. …

Information Governance

Security governance is often well established in large organizations, but privacy governance typically lags. It is time for a broader approach to "information governance" that focuses on the kinds of sensitive data handled by the enterprise and establishes policies to assure compliance and effective risk management, as well as better customer, employee, government, and business relations. …

Live from the IAPP Global Privacy Summit in Washington, DC, It’s Monday Afternoon

This week, I will be providing short updates from the IAPP Global Privacy Summit in Washington, DC. The conference will be in full swing tomorrow, and I will report on various panels and topics of interest. In the meantime, as I prepare to see old and new friends at the Welcome Reception this evening, a few thoughts on what I expect to see and hear a lot over the next few days. …

Dave & Buster’s Busted: Another Alleged Failure to Implement “Reasonable Security”

We are seeing more and more private litigation and regulatory enforcement actions around the issue of what constitutes "reasonable security." This week we see another. Once again the FTC asserts that a company has failed to take "reasonable and appropriate security measures" to protect personal information. Yesterday, in its 27th case challenging inadequate data security practices by organizations that handle sensitive consumer information, the FTC announced settlement of its complaint against Dave & Buster's, the restaurant chain. The FTC alleged in its complaint that, from April 30, 2007 to August 28, 2007, a hacker exploited vulnerabilities in Dave & Buster's systems to install unauthorized software and access approximately 130,000 credit and debit cards. …

Thoughts from the RSA Conference

As the partners of InfoLawGroup make our way through the sensory overload of the RSA Conference this week, I am reminded (and feel guilty) that it has been a while since I posted here. I have good excuses - I have simply been too busy with work - but after spending several days in the thought-provoking environment that is RSA, I had to break down and write something. A few observations, from a lawyer's perspective, based on some pervasive themes. …

The Curious Case of EMI v. Comerica: A Bellwether on the Issue of “Reasonable Security”?

Security breaches in the online banking world continue to yield interesting lawsuits (you can read about three others in this post). The latest online banking lawsuit filed by Experi-Metal Inc. (“EMI”) against Comerica (the “EMI Lawsuit”) provides some new wrinkles that could further illuminate the boundaries of “reasonable security” under the law. Brian Krebs has …

Developing an Information Security and Privacy Schedule for Service Provider Transactions (Part Two)

In Part One of this blog series, we looked at the proactive nature of a data security and privacy schedule ("Schedule"), and considered the compliance function of a Schedule. Part Two of this series discusses security incident response contract terms that should be considered for a Schedule. In addition, we look at more traditional "risk …

Developing an Information Security and Privacy Schedule for Service Provider Transactions

It is a very interesting time for information security and privacy lawyers. Information technology and the processing, storage and transmitting of sensitive and personal information is ubiquitous. At the same time (and likely as a result of this ubiquity) the legal risk and regulatory compliance environment poses increased threats and potential for significant liability. Finally, …

Online Banking and “Reasonable Security” Under the Law: Breaking New Ground?

With the report of another data security-related lawsuit involving online banking (another 2009 lawsuit referenced here involved an alleged loss of over $500,000), and a recent victory for a plaintiff on a summary judgment motion in a similar online banking data security breach case, the question arises whether online banking breaches will yield some substantive …

NDAs: Worth the Effort?

In business or technical discussions with potential investors, customers, suppliers, licensors, franchisees, or joint venture partners, it is often very difficult to determine how much needs to be disclosed and exactly who "owns" which information and ideas. Were the parties just brainstorming? Did they independently develop a similar approach to a problem? Litigation over NDAs can be costly, public, and ultimately unsatisfactory to the party claiming a breach, especially if it is hard to prove the intended scope of the agreement and the actual source of information. When is it worthwhile using NDAs, and how can they be made more effective? …