Clicky

Header graphic for print
InfoLawGroup privacy. security. technology. media. advertising. intellectual property.

Tag Archives: security measures

The Legal Implications of Social Networking Part Three: Data Security

Posted in Social Networking

In 2011, InfoLawGroup began its “Legal Implications” series for social media by posting Part One (The Basics) and Part Two (Privacy). In this post (Part Three), we explore how security concerns and legal risk arise and interact in the social media environment.
There are three main security-related issues that pose potential security-related legal risk. First, to the extent that employees are accessing and using social media sites from company computers (or increasingly from personal computers connected to company networks or storing sensitive company data), malware, phishing and social engineering attacks could result in security breaches and legal liability. Second, spoofing and impersonation attacks on social networks could pose legal risks. In this case, the risk includes fake fan pages or fraudulent social media personas that appear to be legitimately operated. Third, information leakage is a risk in the social media context that could result in an adverse business and legal impact when confidential information is compromised.

Third in our Cloud Computing Webinar Series

Posted in Cloud Computing

In the next in our series of free webinars on cloud computing, Information Law Group Attorney Richard Santalesa examines implications arising from NIST’s “Guidelines on Security and Privacy in Public Cloud Computing,” with a focus on the legal considerations any team tasked with implementation of security best practices will need to grapple with.
To register for this free one hour webinar on May 24 at 12pm ET, visit – http://bit.ly/kyRdku

NIST Releases New DRAFT Cloud Computing Synopsis

Posted in Cloud Computing

The National Institute of Standards and Technology (NIST) recently released a new cloud computing draft special publication for public review and comment (see associated press release), which NIST is billing as "its most complete guide to cloud computing to date."  Public comments to NIST on the 84-page P 800-146  DRAFT Cloud Computing Synopsis and Recommendations (PDF 1.9MB)… Continue Reading

FAQ on the “BEST PRACTICES Act” – Part Two

Posted in Regulations

We recently published the first part of our FAQ series on Congressman Bobby Rush’s new data privacy bill known as “Building Effective Strategies to Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards Act (a.k.a. “BEST PRACTICES Act” or “Act”). In Part One we looked at some of the key definitions and requirements concerning transparency, notice and individual choice, mandates around accuracy, access and dispute resolution, and finally data security and data minimization requirements under the Act. Part Two will focus on the “Safe Harbor” outlined in the Act, various exemptions for de-identified information and application and enforcement.

FAQ on the “BEST PRACTICES Act” – Part One

Posted in Regulations

Congressman Bobby Rush has introduced a new data privacy bill to Congress known as the “Building Effective Strategies to Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards” Act (a.k.a. “BEST PRACTICES Act” or “Act”).
We have put together a summary of the Act in “FAQ” format. In Part One we look at some of the key definitions, requirements concerning transparency, notice and individual choice, mandates around accuracy, access and dispute resolution, and finally data security and data minimization requirements under the Act. Part Two will focus on the “Safe Harbor” outlined in the Act, various exemptions for deidentified information, and provisions concerning the application and enforcement of the Act.

A Closer Look at the PCI Compliance and Encryption Requirements of Nevada’s Security of Personal Information Law

Posted in Encryption, Nevada Security of Personal Information Law

Since approximately 2005, the state of Nevada has had a fairly comprehensive data privacy law on its books: the Nevada Security of Personal Information Law (the “Law”). Prior to 2009, the Law imposed various requirements concerning the protection of personal information of Nevada residents, including requirements concerning security breach notice, the implementation of reasonable security… Continue Reading

Developing an Information Security and Privacy Schedule for Service Provider Transactions (Part Two)

Posted in Information security contracts, Reasonable Security

In Part One of this blog series, we looked at the proactive nature of a data security and privacy schedule ("Schedule"), and considered the compliance function of a Schedule.  Part Two of this series discusses security incident response contract terms that should be considered for a Schedule.  In addition, we look at more traditional "risk… Continue Reading

Developing an Information Security and Privacy Schedule for Service Provider Transactions

Posted in Information security contracts, Reasonable Security

It is a very interesting time for information security and privacy lawyers. Information technology and the processing, storage and transmitting of sensitive and personal information is ubiquitous. At the same time (and likely as a result of this ubiquity) the legal risk and regulatory compliance environment poses increased threats and potential for significant liability. Finally,… Continue Reading

Code or Clear? Encryption Requirements (Part 3)

Posted in Encryption

In other posts, I addressed the trend in the United States to require encryption for certain categories of personal data that are sought by ID thieves and fraudsters – especially Social Security Numbers, driver’s license numbers, and bank account or payment card details – as well as for medical information, which individuals tend to consider especially sensitive. These concerns are not, of course, limited to the United States. Comprehensive data protection laws in Europe, Canada, Japan, Australia, New Zealand and elsewhere include general obligations to maintain “reasonable” or “appropriate” or “proportional” security measures, usually without further elaboration. Some nations have gone further, however, to specify security measures.

Code or Clear? Encryption Requirements under Information Privacy and Security Laws (Part 1)

Posted in Encryption

“Exactly what data do we have to encrypt, and how?” That’s a common question posed by IT and legal departments, HR and customer service managers, CIOs and information security professionals. In the past, they made their own choices about encryption, balancing the risks of compromised data against the costs of encryption. Those costs are measured not merely by expense but also by increased processing load, user-unfriendliness, and the remote but real possibility of lost or corrupted decryption keys resulting in inaccessible data. After weighing the costs and benefits, most enterprises decided against encryption for all but the most sensitive applications and data categories.