Data Privacy Monitor

Cyber Criminals' Menu Features the Food & Beverage Industry; Steps to Protect Your Business

Judy Selby — Fri, 24 May 2013 14:00:00 -0500

2012 was a challenging year for the Food and Beverage (F&B) industry. In addition to increased government regulation, rising food prices and relatively slow growth trends, the industry once again was a favorite target of cybercriminals. According to the 2013 Trustwave Global Security Report, cyberattacks on F&B enterprises comprised 24% of attacks in 2012, second only to retail merchants (45%). A franchisor's lack of corporate control over franchisees coupled with interconnectivity among franchisees adds to the risk.

The cost of a data breach can be devastating. ANX Corporation reports that the average direct cost of a credit card breach to a restaurant is $80,000. Perhaps more importantly, a shocking 70% of restaurants that suffer a breach go out of business within one year of the attack, according to ANX. Immediately after a breach is identified, the business must stop taking credit cards and remediate the breach. The business then would be required to be inspection by a Qualified Security Assessor (QSA) for the Payment Card Industry (PCI) on a yearly basis for three years or until the credit cards brands at issue agree to drop the reporting requirement.

ANX identified eight key security gaps that affect food service organizations: outdated firewalls, insecure remote access, weak security configurations, operating system flaws, lack of staff training, flaw security policies, negligence and poor change control procedures.

Zaxby's 567-location franchise restaurant chain is a recent victim of a computer system and point-of-sale (POS) breach. Zaxby's initiated a forensic investigation after a number of its locations had been identified as common points of potentially fraudulent charges. The investigation revealed that computer systems in 108 locations stored suspicious files and were infected with malware designed to collect and transmit payment card information. Although there is no evidence that third parties obtained that information, Zaxby's required all of its licensees "to engage an industry leading provider of PCI compliance services to provide enhanced firewalls, system monitoring and PCI compliance services."

Despite the inherent risks facing every company that processes confidential data as well as the additional and unique risks encountered by franchised enterprises, some relatively simple steps can be taken to reduce the risk of a data breach and to mitigate the effects if a data breach takes place.

Risk Management

An internal risk management program, including the establishment of strong policies and procedures, training and insurance can reduce the chances of a data breach and mitigate the damages if a breach occurs. Businesses should:

Review their internal policies and procedures and make sure they're up to date. The statutory and regulatory framework governing confidential information is constantly evolving and must be incorporated by your organization. The 46 state laws seem to always change with respect to notification and security requirements. If your organization conducts business outside of the US, requirements of foreign laws must be incorporated into your policies and procedures. Remember, having a policy your company does not follow is worse than not having a policy at all; therefore, ensure that your policies are distributed to, and followed by, employees.
Review your incident response plan regularly and ensure that the team members are prepared to jump in when an incident occurs.
Hire a consultant to conduct a yearly security risk assessment to identify any vulnerability in your processes and procedures for handling confidential data. Some laws, such as HIPAA, require periodic risk assessments. And, it is good practice as organizational risks change with changing practices.
Education of employees is critical to the success of any compliance program. Make sure all employees are educated and trained concerning those policies and procedures and any laws and regulations that apply to your business. There are laws, such as the Massachusetts Data Protection Law 201 CMR 17.00, that mandate these types of training programs.
Work closely with your business partners to ensure that they are properly handling your confidential data. Vendors are the cause of at least 1/3 of all data security incidents.
Do not forget to compare your data collection and sharing practices to what your privacy policy says. Regulators, such as the Federal Trade Commission, are watching closely.

Cyber insurance can help organizations respond to and mitigate the harmful consequences of a data breach. Most cyber insurance policies provide invaluable assistance to help the insured respond to a breach, including first party coverage for an attorney breach coach, forensic technicians, notification providers, credit monitoring services and crisis management professionals, as well as third party liability coverage for legal defense costs and fines. Further reading: Why Risk Data Breaches? Subscription required.

The Franchise Agreement

Franchise agreements should address several important data security concerns, PCI compliance, breach notification and cyber insurance.

PCI Compliance

Every business that accepts credit or debit cards must comply with the PCI's Data Security Standard (PCI DSS). Broadly stated, the PCI DSS requires the business to:

build and maintain a secure network, including installation and maintenance of a firewall and use of appropriate passwords
protect cardholder data, avoiding storage of such data if possible
maintain a vulnerability management program, including use of current antivirus programs
implement strong access control measures limited to those with a need-to know
monitor and test networks regularly
maintain and disseminate an updated information security policy

Although the PCI mandates compliance with its DSS, the Franchise Agreement nevertheless should specifically address data security and require franchisees to comply with the PCI DSS. Any third party vendors should be contractually obligated to comply with those requirements, and contractual indemnity should be considered. The franchisee may ultimately end up being financially responsible for PCI DSS compliance. Potentially devastating financial repercussions include fines of up to $50,000 per incident, liability for losses relating to the compromised account information and re-issuance of cards and possible suspension of merchant accounts.

Breach Notification

The franchisee should be required to promptly notify the franchisor of all breaches in security and immediate notify the franchisor of all breaches of sensitive information. The franchisor must control the response to the security breach including the decision as to whether public disclosure is required. The franchisor must also be afforded the opportunity to investigate the breach with its own resources either on-site or remotely through the franchisee's computing resources.

The franchisor may also want to consider being notified of any impermissible uses or disclosures, not just those that rise to the level of a breach. First, this allows the franchisor to monitor the practices of the franchisee to determine if it wants to continue the relationship. And, it also provides the franchisor with control over what it considers to be a breach, which is important since it is the franchisor's reputation that is typically on the line despite who caused the breach.

Cyber Insurance

Franchise agreements also should require franchisees to purchase a specified amount of cyber insurance coverage in the event of a data breach. The protections provided by cyber insurance literally can provide a lifeline to F&B businesses that are victimized by cyber criminals.

BakerHostetler's Privacy and Data Protection Team and Ted Kobus: Ranked in Chambers USA 2013

Admin — Fri, 24 May 2013 11:15:13 -0500

Posted by Admin

Congratulations to the BakerHostetler Privacy and Data Protection Team for their ranking and “considerable praise” in the 2013 edition of Chambers USA: America’s Leading Lawyers for Business. The team was ranked among the nation’s best in the area of “Privacy & Data Security: Nationwide.” Privacy and Data Protection Team Co-Leader, Ted Kobus, was individually ranked for his “excellence,” leadership, and expertise. Equally impressive, the BakerHostetler team was also given the distinction of being “Recommended for Client Service” and “Recommended for Commercial Awareness.” Our results and client confidence speak for themselves with our clients endorsing us as “a very strong team” and the “go-to firm on these issues” given our “deep capability,” “dedicated service to clients,” and “commercial awareness." The BakerHostetler Privacy and Data Protection Team is recognized for looking “to get the job done in a manner that is in the best interests of the client, in a professional and cost-effective manner."

Twitter v. Manhattan DA Fight Unfortunately Ends with a Whimper

Fernando Bohorquez, Jr. — Fri, 24 May 2013 10:00:00 -0500

Posted by Fernando Bohorquez, Jr.

This blog post is a joint submission with BakerHostetler’s Discovery Advocate blog.

Last Friday, Twitter’s battle with the Manhattan District Attorney over a subpoena for an Occupy Wall Street protester’s tweets came to an anti-climactic end as the New York appeals court dismissed Twitter’s appeal of a Manhattan Criminal Court’s order to produce the tweets as “academic.” Twitter’s appeal raised important issues of first impression to the social media community and the non-decision decision appears to have been a lost opportunity to bring some clarity to questions concerning the government’s subpoena power.

A little bit of background first. In early 2012, the Manhattan District Attorney served a subpoena on Twitter for Malcolm Harris’ Twitter account information and tweets. Harris - one of the hundreds of Occupy Wall Street protesters – was charged with disorderly conduct by the Manhattan DA for “occupying” the Brooklyn Bridge. The DA served Twitter with a subpoena under the Stored Communications Act for Harris’ Twitter records in connection with the investigation. Consistent with Twitter’s internal policies, Twitter notified Harris of the subpoena and Harris tried to quash it. In an April 20, 2012 order, the Manhattan Criminal Court judge held that Harris had no standing to challenge the subpoena.

Twitter then entered the fray and moved to quash the DA’s subpoena and its motion was similarly denied by the Manhattan Criminal Court in a June 30, 2012 decision. The court reiterated its prior holding that only Twitter - not Harris - had standing to challenge the subpoena and that neither the Fourth Amendment of the U. S. Constitution nor the New York Constitution’s analogue provision required a search warrant. Twitter appealed the decision but in the interim had to produce the records to avoid paying stiff contempt sanctions as its stay of the order was denied.

As we quickly - and arguably irreversibly – move towards a world where we share more and more of our lives on social media, it is growing increasingly important to understand how social media companies respond to government requests for our information and what recourse these companies and their customers may have when faced with such requests. Indeed, in U.S v. Jones – the recent Supreme Court case holding that a GPS tracking device required a warrant under the Fourth Amendment – Justice Sotomayor acknowledged the shifting societal norms and rapidly changing technologies noting in her concurrence that “it may be necessary … to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties.”

Twitter is no stranger to government subpoenas and in its brief history has developed a robust reputation for protecting customer information from government requests for information. According to the Electronic Frontier Foundation, Twitter scored a six out of six in a ranking of how strongly companies protect customer data. A handful of other social media giants and big tech companies got five out of six, including Dropbox, Google and Linkedin, but only Twitter garnered a perfect score.

Twitter’s refusal to provide Harris’ information to the DA was perhaps the most high profile example of the company’s pro-customer stance. But more importantly, the case was primed to raise at least two important legal questions on appeal:

(1) Whether Twitter users like Harris have standing under the Stored Communications Act (SCA) and the U.S. Constitution to move to quash government subpoenas for their Twitter records; and

(2) Whether the DA’s subpoena for Harris’ non-publicly available tweets violated the Fourth Amendment, i.e., whether Harris had a reasonable expectation of privacy requiring a search warrant from the government as opposed to a civil subpoena under the SCA (for a quick related refresher, SCA discovery basics were previously discussed here).

On May 17, 2013, the NY appellate court decided to pass on answering these questions as moot because Twitter had already produced Harris’ records. Facing contempt sanctions for failure to comply with the Manhattan Criminal Court Order, Twitter not only appealed the Criminal Court’s decision, but also sought to stay the proceedings while the appeal was pending. The Appellate court, however, denied the stay application on September 27, 2012. Twitter produced the materials last fall to avoid paying substantial monetary fines.

To be sure, the Appellate court’s decision was somewhat preordained and even predicted by Twitter itself. In its opposition to show cause before the Criminal Court as to why it should not be fined for contempt for not producing the records, Twitter argued that being forced to produce Harris’ tweets before resolution on appeal would render the issues moot and prevent a full and fair adjudication of the Criminal Court’s order. Unfortunately for social media companies and their customers looking for clarity and guidance on the scope of the government’s subpoena power, that is exactly what happened.

To get both sides of the argument, we recommend that you read the Criminal Court’s June 30, 2012 Order available here and Twitter’s appellate brief of that decision here.

HHS OCR Director Leon Rodriguez's Dialogue on HIPAA/HITECH Compliance

Kimberly M. Wong — Thu, 23 May 2013 10:59:15 -0500

Posted by Kimberly M. Wong

“HIPAA is a valve, not a blockage,” stated HHS OCR Director Leon Rodriguez, at the OCR/NIST 6^th Annual Conference on Safeguarding Health Information: Building Assurance through HIPAA Security. Discussing the tension inherent in HIPAA, between patient access to patient information and an organization’s safeguarding of protected health information (PHI), Director Rodriguez characterized OCR’s HIPAA guidance as providing the “super highways” to ensuring patient access to PHI and to safeguarding PHI. An organization, on its own, must figure out the “surface streets,” emphasizing once again the flexibility and scalability of HIPAA. Regardless of the type or size of an organization governed by HIPAA, the basic rules remain the same. To adequately safeguard PHI, HIPAA defines a process. HIPAA provides an organization with a series of decisions, policies and procedures, analyses, and plans. Above all, patient expectations govern.

Where does an organization draw the line between patient access and protecting PHI, especially in light of increased OCR enforcement of HIPAA/HITECH? To ease a covered entity’s and business associate’s anxiety, Director Rodriguez reassured organizations that OCR is not playing a game of “gotcha.” OCR is neither trolling for enforcement actions and civil monetary penalties (CMPs), nor seeking to punish a proactive organization for a single incident. In support of his statement, Director Rodriguez highlighted the fact that of the 74,554 complaints filed since 2003, and the 26,513 total cases investigated by OCR, 17,767 cases resulted in corrective action, and only 13 cases since 2008 resulted in a Resolution Agreement and CMPs.

Director Rodriguez acknowledged that breaches of PHI are going to happen, as risks exist even where organizations are doing everything right. OCR is interested in what an organization is not doing, and whether the proper analysis is being conducted. An organization must identify, remedy and change (if needed).

So what type of action/inaction ends up in an OCR monetary enforcement scenario? Director Rodriguez categorized two culprits: (1) an ongoing failure to comply with the HIPAA Privacy and Security Rules, and (2) an unforgivable disclosure. Regarding the first category, an ongoing failure usually exists over several months and/or years. Often times, a risk analysis is missing, including a lack of routine information system reviews. Director Rodriguez stressed the importance of conducting risk analyses to identify vulnerabilities. Once risk is identified, it must be properly evaluated and addressed. Another reoccurring ongoing failure is the lack of updating of policies and procedures after a change in business operations or a change in technology. Director Rodriguez summarized the routine case OCR falling under monetary enforcement scenario as an incident affecting a large number of records, a vulnerability that exists for a number of months, and a failure to assess risk (e.g. OCR’s May 21, 2013 Resolution Agreement with Idaho State University). The second category is an unforgivable disclosure of PHI that is borderline criminal (e.g. UCLA breach of celebrities’ privacy resulting in OCR’s July 6, 2011 Resolution Agreement).

Regarding CMPs, Director Rodriguez highlighted the guidance provided in the Final Rule regarding factors to consider in determining the amount of CMPs to assess. The Resolution Agreement in the Alaska DHSS, where there was an alleged lack of remediation over a long period of time, is an example used by Director Rodriguez to demonstrate how the failure to remediate over a prolonged period of time can increase a CMP. In Alaska DHHS, the Resolution Agreement required payment of $1.7M. Accordingly, in addition to identifying, assessing and responding to a breach incident, an organization must also timely remedy any vulnerability in order to keep the amount of any potential CMP low.

Director Rodriguez also commented on the vulnerabilities associated with mobile devices, which remains a topic of interest for OCR. Of the breach reports received by OCR, 25% are related to paper records and vulnerability of mobile devices. Director Rodriguez encourages all organizations to focus on securing mobile devices (a “great vulnerability”) and to use HHS resources regarding mobile device security.

OCR’s HIPAA audits were also discussed – specifically OCR’s findings regarding encryption. Not surprisingly, OCR found that encryption, an addressable implementation specification under the Security Rule, was not always implemented by organizations. Director Rodriguez stressed the importance of conducting an analysis – shopping for technology, evaluating the risks and costs with implementation, and how encryption might affect patient care in the clinical setting. An organization must weigh the pros and cons of encryption in making the final decision to encrypt or not to encrypt. This lack of analysis regarding the adoption of encryption is a red flag.

Director Rodriguez, concluding his dialogue on HIPAA/HITECH compliance, recommended that every organization “be smart and implement best practices” and remember that the patient is most important. Organizations must determine how to best ensure patient access to PHI while also adequately safeguarding PHI. “[A] risk analysis, ongoing risk management, and routine information system reviews are the cornerstones of an effective HIPAA security compliance program.”

HHS Reaches $400,000 Settlement Of Alleged HIPAA Security Rule Violations For Disabling Firewall Protections

Theodore J. Kobus III — Wed, 22 May 2013 11:05:26 -0500

Posted by Theodore J. Kobus III

The U.S. Department of Health and Human Services (HHS) has reported a $400,000 settlement with Idaho State University (ISU) for alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The incident giving rise to the investigation by the HHS Office for Civil Rights (OCR) involved a potential exposure of information about 17,500 patients over a ten-month period.

OCR has enforcement authority of the HIPAA Privacy and Security Rules. When a breach is reported to HHS, as required by the breach notification rules, OCR typically initiates an investigation regarding the reporting organization's compliance with the breach notification requirements as well as the state of compliance with the HIPAA Privacy and Security Rules. In this case, OCR concluded that:

(1) ISU failed to conduct an appropriate risk assessment between April 1, 2007 and November 26, 2012;

(2) ISU failed to implement adequate security protections during the same time period to protect electronic protected health information (ePHI); and

(3) ISU did not regularly review information system (IS) activity to determine if ePHI was inappropriately used or disclosed.

These points are all significant and emphasize the importance of a healthcare organization's actions taken to evaluate its risks and appropriately respond to vulnerabilities. Moreover, point three supports OCR's expectation that organizations regularly review IS activity (e.g., audit trails and logging) to determine if there has been an impermissible use or disclosure of ePHI, or if the security protections in place need to be changed.

The Resolution Agreement includes a two-year corrective action plan (CAP) in addition to the monetary settlement. The CAP imposes numerous obligations on ISU, including annual reporting requirements as follows:

(1) summary of the risk management plan, security measures, and training;

(2) summary of IS activity review measures and evidence of training related to those measures;

(3) update on compliance gap analysis activity;

(4) summary of reportable events and corrective/preventative action;

(5) attestation from an ISU officer that the annual report is accurate and truthful.

OCR's 13th resolution agreement demonstrates the priority an organization must place on taking proactive steps to continuously assess and timely respond to risk. In addition, the resolution agreement continues to support the notion that compliance is a C-Suite issue and documentation is critical to support your compliance efforts.

HHS Considers Amending HIPAA Privacy Rule to Permit Disclosure of Mental Health Information for Firearm Background Checks

Cory Fox — Fri, 10 May 2013 11:00:00 -0500

Posted by Cory Fox

Adding yet another wrinkle to the nation’s contentious gun control debate, the U.S. Department of Health and Human Services (HHS) has released an Advance Notice of Proposed Rulemaking (ANPRM) soliciting information and public comment on possible amendments to the HIPAA Privacy Rule to permit disclosure of limited mental health information to the National Instant Criminal Background Check System (NICS). The ANPRM stems from one of the 23 Executive Actions included in the Obama Administration’s January 2013 plan to reduce gun violence that sought to address “unnecessary legal barriers, particularly relating to [HIPAA], that may prevent states from making information available to the NICS.”

What is the NICS?

The NICS is the federal government’s background check system for the sale or transfer of firearms. Established under the Brady Handgun Violence Prevention Act, licensed gun dealers use the NICS to identify persons who are subject to one or more “prohibitors” under the Gun Control Act that make them ineligible to purchase firearms. One such prohibitor is the “mental health prohibitor,” which applies to persons who have been involuntarily committed to a mental institution, found incompetent to stand trial or not guilty by reason of insanity, or otherwise adjudicated as having a serious mental condition that results in their presenting a danger to themselves or to others or being unable to manage their own affairs. Prohibitors often originate at the state level, but federal law does not require state agencies to disclose the identities of individuals subject to prohibitors to the NICS, and not all states report prohibitors. This lack of reporting to the NICS can result in the sale or transfer of firearms to individuals who are prohibited from purchasing them.

How does the Privacy Rule Affect the NICS?

According to the ANPRM, some states are not reporting mental health prohibitor information to the NICS because they are concerned that such disclosures may be prohibited under the HIPAA Privacy Rule. However, as the ANPRM points out, much of the mental health prohibitor information in question, such as records of individuals adjudicated as incompetent to stand trial, originates with entities in the criminal justice system that are not covered entities subject to the Privacy Rule. In addition, to the extent covered entities are involved, the ANPRM provides that there are ways in which the Privacy Rule permits reporting to the NICS, such as through the enactment of state legislation requiring such reporting or the use of hybrid entity status. The ANPRM does note, however, that NICS reporting would not fall under the Privacy Rule’s provisions permitting disclosures for law enforcement purposes (which apply to specific law enforcement inquiries) or to avert a serious threat to public safety (which require an imminent threat of harm).

How would the amendment work?

The amendments under consideration would expressly permit covered entities with information on the identities of persons subject to a mental health prohibitor to disclose this information to the NICS. Such disclosures would be subject to the minimum necessary rule and would likely be limited to names, demographic information, and codes identifying the reporting entity and the relevant prohibitor. No treatment records or other clinical or diagnostic information would be disclosed. In addition, only those entities responsible for the determination that a mental health prohibitor exists would be permitted to disclose the information.

What’s next?

HHS is seeking information regarding the nature and scope of the underreporting problem, the entities creating and/or maintaining data, the extent to which existing permissible disclosures are insufficient and additional methods of disseminating information concerning whether the Privacy Rule affects reporting to the NICS. In particular, HHS has requested specific examples of situations where NICS reporting has been hindered by HIPAA requirements or where covered entities are uncertain over how HIPAA applies to such reporting. HHS will then review and evaluate comments to the ANPRM and determine whether amendments to the HIPAA Privacy Rule are necessary. Comments regarding the Privacy Rule amendments and the information requested by HHS are due by June 7, 2013.

The Lessons of the "Street View" Imbroglio: Know What Data You Collect and Don't Collect Data You Don't Need

Maryanne Stanganelli — Thu, 25 Apr 2013 11:35:06 -0500

Posted by Maryanne Stanganelli

The unintended capture of personal data by Google Street View has resulted in a German Data Commissioner imposing a $189,000 fine on Google this Monday. As anyone who has used Google Maps at the street view level knows, Google Street View is a valuable service that captures roads, landscapes, landmarks, buildings—and other activity that happens to be taking place when the Google vehicle collecting the data takes its pictures. But privacy regulators were not happy with the fact that, from 2008 to 2010, the street view vehicles also picked up personal data, such as email addresses and passwords, sent over unsecured Wi-Fi networks as they traversed throughout the globe.

In Germany, after state prosecutors in Hamburg decided not to press charges against Google in November 2012 on this issue, the Hamburg Commissioner for Data Protection and Freedom of Information picked up the case and on Monday handed down a fine of $189,000 (€ 145,000). Google maintains that it did not look at or intend to collect the data, and that the company has taken steps against the occurrence of this kind of collection in the future. Accepting Google’s assertion that any violation was unintentional, the fine imposed was less than the maximum amount permitted for negligence-based violations, which is $195,000 (€ 150,000). However, it is notable that a proposal in the draft EU data protection regulation would give regulators the power to impose higher fines for violations of data protection law —up to 2 percent of a company’s annual sales—if enacted.

The Hamburg authorities were the first to raise the issue of the collection of the payload data collected by Google’s vehicles, which was then picked up in other jurisdictions. Last month, Google entered into an agreement with attorneys general from 38 U.S. states and the District of Columbia, agreeing to pay $7 million and launch a data-security education program both internally within the company and externally to the public in resolution of the joint investigation. As announced by the Connecticut Attorney General in connection with that agreement, Google stated that the collection was limited to fragmented data, that it has since removed the software from its Street View vehicles, and agreed not to collect any additional data by means of those vehicles without notice and consent.

Google’s proactive approach in working with regulators to resolve their concerns has created an outcome that preserves its Street View service, with minimum negative impact on the company, and a positive working relationship with regulators going forward. But the potential availability of enhanced fines for negligent data protection law violations means that in the future companies may pay a higher price for unintended data protection law violations.

All companies should take the following lessons from the Street View experience – know what data you are collecting and don’t collect more than you need, or you may be creating unnecessary exposure under data collection laws.

SEC Greenlights Use of Social Media for Publicly Disclosing Company Information

Fernando Bohorquez, Jr. — Fri, 19 Apr 2013 11:00:00 -0500

Posted by Fernando Bohorquez, Jr.

Co-authored by: Jonathan Nowakowski

Recognizing the reality that many investors likely get more information from Facebook and Twitter than a corporate 10-K and that most public companies have a robust social media presence, the U.S. Securities and Exchange Commission (“SEC”) recently weighed in on the use of social media by public companies to disclose material nonpublic information to the general public. The SEC’s guidance was prompted by its investigation of Netflix and its CEO Reed Hastings, specifically Hastings’ post of material nonpublic information on his personal Facebook page in July 2012 concerning Netflix monthly viewing numbers. In its April 2, 2013, report and investigation of whether the post violated the SEC’s corporate disclosure rules and regulations (“April Netflix Report”), the SEC decided not to pursue an enforcement action against Netflix or Hastings and used the incident as an important teaching moment for public companies that may want to use social media to communicate material nonpublic information.

On July 3, 2012, Hastings posted the following message to his personal Facebook page with over 200,000 followers:

“Congrats to Ted Sarados, and his amazing content licensing team. Netflix monthly viewing exceeded 1 billion hours for the first time ever in June. When House of Cards and Arrested Development debut, we’ll blow those records away. Keep going, Ted, we need even more!”

While the congratulatory post may have seemed harmless at the time, Netflix did not file a Form 8-K with the SEC, issue a formal press release, or post the information on Netflix’s webpage – the typical avenues for announcing material nonpublic information. Neither had Netflix previously alerted investors that Hasting’s Facebook page would be used to disclose material information about the company. Hasting’s Facebook post caught the SEC’s eye and in December 2012, the SEC notified Netflix and Hastings that it was considering an enforcement action against them for possibly violating Regulation Fair Disclosure (“Reg FD”).

A quick overview of Reg FD and the SEC’s Reg FD company website guidance: Reg FD requires that the disclosure of material nonpublic corporate information should be distributed in a broad and non-exclusionary manner to the public. Information is considered nonpublic if it has not been disseminated in a manner available to the public generally. Information is considered material if it is reasonably foreseeable that an investor would trade on the basis of that information. Reg FD was adopted to address the concern that issuers were selectively “disclosing important nonpublic information, such as advance warning of earnings results, to securities analysts or selected institutional investors before making full disclosure of the same information to the general public.” Public companies typically comply with Reg FD by disclosing material nonpublic information in SEC filings, through press releases, on the company website, or some combination of all three.

In August 2008, the SEC provided guidance on the disclosure of material nonpublic information via company websites, blogs, and other “push” technologies. 2008 Commission Guidance on the Use of Company Websites, Rel. No. 34-58288 (Aug. 7, 2008), (“2008 Guidance”). The 2008 Guidance explained that whether a company’s website or blog is a “recognized channel of distribution” passing muster under Reg FD depends on the “steps that the company has taken to alert the market to its website and its disclosure practices, as well as the use by investors and the market of the company’s website.” The 2008 Guidance non-exhaustive list of factors for companies to consider include, but are not limited to:

whether and how the company lets investors and the market know that the company has a website and that they should look at the company’s website for information;
whether the company has made investors and markets aware that it will post important information on its website and whether it has a pattern of doing so;
whether the company’s website is designed to lead investors and the market efficiently to information about the company;
the extent to which information posted on the website is regularly picked up by the market and media, and is reported;
the steps taken by the company to make its website accessible; and
the nature of the information being disclosed.

With respect to Hasting’s Facebook post, the SEC ultimately decided not to pursue enforcement proceedings against Netflix or Hastings, namely because the agency concluded that there was a great deal of uncertainty concerning how Reg FD applied to public disclosures via social media. In the April Netflix Report, the SEC made clear that the 2008 Guidance “provide[s] a relevant framework for applying Regulation FD to evolving social media channels of distribution” and applies with “equal force” to the use of social media to disclose material information. Accordingly, moving forward the SEC “expects issuers to examine rigorously the factors indicating whether a particular [social media] channel is a ‘recognized channel of distribution for communicating with their investors.” The SEC also emphasized that the “steps taken to alert the market about which forms of communication a company intends to use for the dissemination of material, nonpublic information, including social media channels … are critical to the fair and efficient disclosure of information.”

The April Nextflix Report encourages companies to consider using periodic reports, press releases, and corporate websites to identify specific social media platforms that the company intends to use as well as the types of information it plans to disclose through social media. Further, while the SEC did not go so far as to endorse Facebook and Twitter as recognized channels of distribution in the April Netflix Report, by referencing them as general examples of social media platforms, coupled with each having one billion and 200 million users respectively, it is likely that the SEC would view both social media platforms as recognized channels of distribution so long as the public was adequately alerted of that intended use. Notably, the April Netflix Report found that personal social media sites of company employees – regardless of the amount of followers – would not ordinarily be assumed to be a proper channel for distribution without adequate notice that they will be used for that purpose.

Regulators are increasingly turning a critical eye toward companies' use of social media from everything from advertising to financial disclosures. The April Netflix Report is the latest example of regulators wrestling with the new reality of social media as an information source for the general public and companies increasingly relying on this medium to communicate to investors and consumers. Public companies looking to social media as a possible means to disclose nonpublic material information should take heed of the SEC's April Netflix Report and carefully consider the following steps:

revisit and review the company’s existing Reg. FD policy;
evaluate the selected social media platform(s) applying the 2008 Guidance factors summarized above;
formulate a plan to alert the public of the social media platforms it intends to use and for what purpose through, among other things, its corporate website, periodic reports filed with the SEC and through formal press releases, and do so over an extended period of time with a specific date given for when the company will begin posting material information via the social media platform(s) that the company ultimately chooses;
develop a coordinated plan to use designated social media platforms as part of the company’s investor communications along with more traditional venues such as SEC filings, press releases and the company’s website;
review and revise electronic communications policies and train employees on the potential consequences of disclosing material nonpublic information on social media;
coordinate legal, compliance, and investor relations departments to work together to implement and enforce electronic communications policies as well as review all social media content before it is posted; and
ensure compliance with the laundry list of potentially applicable securities laws, which are beyond the scope of this blog, e.g., compliance with antifraud and proxy solicitation regulations, among others.

The April Netflix Report and 2008 Guidance are available here and here, respectively.

New gTLDs Raise Data Security Concerns

Craig Hoffman — Tue, 16 Apr 2013 12:01:06 -0500

Posted by Craig Hoffman

Authored by: David A. Einhorn and Alan Pate

ICANN is well on its way to the launch of new generic top-level domains (gTLDs) with the first ones being approved as early as April 23rd. The handful of TLDs currently in use, such as “.com”, “.org”, and “.edu”, may soon be joined by over 1000 gTLDs ranging from “.book” to “.football”. While we have previously focused on intellectual property concerns and objections to these new gTLDs, the launch perhaps raises another important consideration: What implications might the new gTLDs have on the security of the Internet itself?

At the end of last month, VeriSign, longstanding operator of the “.com” top-level domain, issued a highly critical assessment of the new gTLD program. In its March 29 report, VeriSign described a range of potential issues, all suggesting that the launch on ICANN’s current timetable could undermine the stability and security of the Internet. For VeriSign, the problem seems to be the rapid speed at which the launch is progressing combined with ICANN’s unrealistic expectations that the existing Internet infrastructure will adapt. Certificate authorities, root server operators, and VeriSign itself, are described as not being prepared for the technical implications the influx of new gTLDs will bring. According to VeriSign, this ultimately puts the “safety and security of Internet users, and the infrastructure itself” at risk.

Due to the seriousness of these allegations, the Intellectual Property Owner’s Association has taken the position that the launch of the new gTLDs be delayed until these concerns have been properly evaluated and addressed.

Further, in a recent letter to the CEO of ICANN, PayPal expressed similar security concerns. Specifically, PayPal raises the possibility that the new gTLD program might dangerously interfere with the security of private domains. Private domains, as their name implies, exist outside the public Internet and for that reason are most often employed for security reasons. One of the most common examples of a private domain is a corporate intranet. Corporate intranets are typically used to host services such as internal document management, email, or other web-based business applications. Being private, they do not have to “resolve” or go to public top-level domain’s such as .com or .org, and can by-and-large choose their own top-level domains. One of most common domains for a business intranet, and the example PayPal uses in its letter, is the “.corp” domain.

The crux of PayPal’s concern is what will happen when “.corp” becomes a generic TLD? In some circumstances, they argue, it is possible a computer, smartphone, or other device could actually be deceived into connecting to the public .corp as if it were connected to the private .corp. Once connected, the possibility of confidential data being compromised could be serious.

How serious of a problem could this be? Statistics PayPal cite show nearly 10% of the total query load on public root servers represent just the top ten most frequently used private domains. In other words, a large portion of internet traffic consists of devices trying to connect to a private address on the public internet. This suggests that there is ample possibility for foul play should those traditionally private domain names be delegated to the public.

PayPal’s recommendation is relatively straightforward: ICANN should take the most popular private domain names off the market. These include strings such as .corp, .local, .home, .internal, and .private. Not doing so, PayPal claims, would put “millions of users and high-value systems at considerable risk.” To date, there are outstanding gTLD applications for the .corp and .home domains.

For VeriSign, nothing short of a temporary halt to the process would be satisfactory. In a recent interview, however, ICANN CEO Fadi Chehade indicated that ICANN had no intention of delaying the issuance of the new gTLDs. Nevertheless, this past week, perhaps in response to VeriSign’s report, ICANN did announce some additional protections it would be employing—“Emergency Back-End Registry Operators” or EBEROs. These EBEROs will work to guarantee that websites hosted on new gTLDs will resolve in the event any gTLD fails. The EBEROs will be scattered across different regions of the globe to eliminate the possibility that any one natural disaster could affect all EBEROs at once. This is a measure VeriSign had suggested.

Ultimately, it remains to be seen what data security, privacy, or other concerns may be implicated by the influx of new gTLDs. For the many businesses and entities that could be affected by the program, it is important to remain vigilant of the new top-level domains on the horizon and how they may impact existing systems.

Guest Blog: Vermont Privacy Breach Regulations

Admin — Tue, 16 Apr 2013 10:56:09 -0500

Posted by Admin

Editor's Notes:
Guest blog Interview by Mark Greisiger, President NetDiligence®
This blog post has been republished with permission from Junto – NetDiligence Blog

A Q&A with Ryan Kriger
Among state Attorneys General, Vermont has gained a reputation for being particularly aggressive about data breach and privacy regulation. To better understand the state’s Consumer Protection Act requirements and processes for data breach investigation, I talked to Ryan Kriger, Assistant Attorney General.

What should a small business know about complying with the Vermont law?
We have a guidance available on our website, which should be helpful. In the case of a breach, they should first contact law enforcement, their insurer, their lawyer, any IT people involved and, if there’s credit card information at stake, their processor. Their primary duty is to figure out what happened and get the situation under control. They have to notify us within 14 days of finding out about the breach. That preliminary notice is kept confidential. We want businesses to give notice to consumers relatively quickly, and the 14-day notice to us allows us to stay on top of things and make sure they are doing that. We did create a waiver last year—if your company has policies in place and you’re confident that you will comply with the law, you can be certified ahead of time as long as you sign the document and get it on file with us before a breach incident. If you have a certification on file, you don’t need to notify us within 14 days. Another subsection says that if the data collector is sure that the data never got into the wrong hands—say, a password protected laptop was lost for five hours, then returned—they can call and ask us if they still need to give notice, and we probably won’t require it.

If it’s a really big breach and we think it could be problematic, we may follow up with questions. If we perceive the company’s actions to be unreasonable, unfair or deceptive, such as in the case with TJX, then we will begin an inquiry. Often, this wouldn’t just be Vermont, but multiple states getting together and asking questions.

How might you approach a data breach incident?
The first step is that we want to make sure the business has covered all of the necessary notification. Notice to consumers should go out “in the most expedient time possible and without unreasonable delay.” Vermont has a 45-day deadline, but we think in many cases notice should go out sooner. We encourage companies to send us their notification letter before it goes out to consumers, and we can help them make sure it’s in line with the statute. Also, the sample letter to consumers gets posted to our website, so consumers can confirm that the letter itself is legitimate. The second thing is to make sure the company fixes the problems that led to the breach. Sometimes smaller businesses think it’s a one-shot deal and don’t want to change their business practices, but we remind them that they are on notice, and that the fine outlined in the Consumer Protection Act is $10,000 per violation. Now, we’ve never had to levy that fine as most people seem to want to resolve the issues, but we want businesses to know that we are here to protect consumers and they need to take that seriously. In the TJX case, it appears that the company may have been collecting credit card information at point of sale and transmitting it, unencrypted, over unprotected wi-fi networks. This sort of blatant violation of standard security practices, and the length of time that it was allowed to continue, clearly justified bringing an enforcement action. We’re not trying to trick people, and in most cases we can resolve things in a cooperative fashion, but when a company drags their feet, we will go after them.

What are some of the key weak spots that lead to a privacy/data breach incident?
It can be all over the map—certainly, not encrypting data where encryption is appropriate is one issue. Over-collecting data you don’t need, such as using SSNs as an identifier, could be another. Other problems we see: collecting credit card data through a homemade system that’s not PCI-compliant when you could be using a secure third-party system. Not changing passwords or updating software. In smaller businesses, it might be negligence about employees who could be stealing credit card information. In general, it’s a good practice to have the occasional forensic analysis or stress test. We have partnered with Norwich University to offer penetration testing to any small business in Vermont that wants it. The Verizon Report has shown us that small businesses are the prime focus of security breaches, so we are particularly sensitive to the needs of small businesses in Vermont.

What type of fines and penalties can a company face for noncompliance? Can the lack of certain actions or controls increase their culpability in your view?
I mentioned the $10,000 per violation fine, and we consider each day you go beyond the deadline a separate penalty. Our Consumer Protection Act doesn’t have an intent requirement, but we obviously take intent, negligence and lack of controls into account when we think about enforcement and penalties. A business suffering a breach calling us to ask what they can do, making it’s clear they want to do the right thing, is very different from a business that denies anything went wrong, after we’ve found out about the breach three months later. We are very cautious with our use of power and we’re not trying to bully anyone, but if we need to use a large fine to get a business into compliance, we will do so. If an enforcement action reaches a settlement agreement, called an assurance of discontinuance or consent judgment, we may seek penalties, but we will also seek injunctive relief, which is asking the business to change its behavior. For example, we may want the business to put security or compliance systems into place, offer restitution for consumers, or take other steps to make sure it doesn’t happen again. In general, we are eager to proactively work with businesses to protect consumers and create a productive, cooperative relationship in order to prevent breaches.

In summary…
I first met AAG Ryan Kriger at our NetDiligence® Cyber Risk & Privacy Liability Forum last year in Marina del Rey. I thought he might be guarded about the state’s approach to enforcement, but boy, was I wrong. He was actually very forthright in talking about how seriously Vermont takes the issue of consumer privacy, including violators of state regulation. He makes the point that his department is willing to work with organizations that suffer a data breach incident and will give them a roadmap to do the right thing by the victims (whose personal information is now in wrongful hands). What is clear is that organizations that demonstrate a lack of care (or even willful nondisclosure) will be penalized.

Ryan is also speaking at the upcoming NetDiligence® Cyber Risk & Privacy Liability Forum in Philadelphia this June 6-7.