Better Late Than Never: U.S. and EU Regulators Reach Data Privacy Agreement

Officials from the United States and European Union have reached a tentative agreement regarding transfers of personal data by European individuals and businesses to the United States. As stated in the agreement, “This new framework will protect the fundamental rights of Europeans where their data is transferred to the United States and ensure legal certainty for businesses.” When finalized, it will replace a previous safe harbor agreement between the U.S. and EU, which was struck down by the European Court of Justice (ECJ) in October 2015. This agreement comes several days after a self-imposed deadline for crafting new terms. The central issue concerns the transfer of personal information from the EU to the U.S. Under the European Data Protection Directive, personal data cannot be sent to a third country unless ...


The Danger from Within: Banks Work to Combat Hackers Internally

While many companies work diligently to guard against external cyber threats, a number of banks are taking steps to protect themselves from another dangerous, yet equally damaging source — their own employees. According to the Association of Corporate Counsel, at least 30 percent of data breaches during 2015 were caused by seemingly harmless employee errors. To the unknowing employee, a simple click of the mouse could expose information or clues to those looking for an opportunity to breach even the most high-tech security systems. In response to this staggering risk, banks have developed a number of “internal” cybersecurity protections designed to guard against the unmindful employee, including a ban on all portable USB drives, since such devices can be easily lost or stolen. Employees are now warned to monitor their social media content, and to ...

CISA Passes as Part of Omnibus Spending Bill

Congress recently passed the Cybersecurity Information Sharing Act of 2015 (CISA) as part of Division N of H.R. 2029, Public Law 114-113, the Consolidated Appropriations Act, 2016 (CAA). As previously reported, on October 27, 2015, the United States Senate passed a different version of CISA, S.754, which, without requiring such information sharing, would create a system for federal, state and local agencies to receive threat information from private companies in real time, and for the private sector to receive such information in addition and as necessary. Neither version of the bill was without controversy. As enacted, CISA is designed to increase information sharing on cyber risks between federal, state, and local governmental agencies, and also between governmental agencies and the private sector. It is a tool that can be ...

Iranians Use Cellular Modem to Hack Suburban NYC Dam

Any machine that is connected to the internet can be hacked, including the automated equipment controlling dams, steel mills and nuclear power facilities. As we previously reported here, criminals were able to take control of a German steel mill’s computerized production system in 2014, forcing an unscheduled shutdown that caused “massive damage.” Likewise, in 2010, a cyberattack disabled Iran’s uranium enrichment centrifuges by targeting the software installed in the electronic equipment. This week, the Wall Street Journal reported that in 2013, Iranian computer hackers accessed the control system of a 22-foot flood-control dam in the Rye Brook suburb of New York City. See Iranian Hackers Infiltrated New York Dam. Attackers of US infrastructure could gain access to control systems controlling water flow in pipelines, water releases and drawbridges, and, ...

The Burden of Establishing “Injury” in Data-Breach Class Action Lawsuits

Contrary to the predictions of various commentators, John Jablonski of Goldberg Segalla’s Cyber Risk and Social Media Practice Group explains how recent federal court decisions continue to hold a high standard for proving standing in data breach class action lawsuits. As John concludes in an article for Claims Management: “Standing may be easier for class-action plaintiffs to demonstrate if their data was hacked, but as these cases demonstrate, surviving a standing motion is not always as easy as commentators predicted it would be in the wake of Neiman Marcus.” A full copy of the article is available here.

End of EU Data Privacy Safe Harbor Blockade in Sight?

Negotiators from the European Union and the United States are in the process of negotiating a new agreement that would effectively remove the blockade to the EU Data Privacy Safe Harbor for U.S. companies. We previously wrote about a decision by the European Court of Justice (ECJ) which opened U.S. companies up to potential fines for not protecting their data from U.S. government surveillance programs. Given the potential impact against companies like Facebook and other companies that utilize personal information, EU and U.S. leaders are scrambling to come up with a new agreement that would substantively replace the safe harbor provision invalidated by the ECJ. The next evaluation of negotiations will take place on December 17, 2015. The goal is to have a new agreement in place by the end ...

NYDFS Notifies Federal Regulators of New Potential Cyber Security Regulations

On November 9, 2015, the New York State Department of Financial Services (NYDFS) sent a memorandum entitled Potential New NYDFS Cyber Security Regulation Requirements to several federal and state financial services regulators, including banking, securities and insurance regulatory, administrative and supervisory bodies. These potential regulations are based on results of two sets of surveys of financial entities about their “cyber security programs, costs and future plans.” NYDFS surveyed 150 banks and 43 insurance companies. The results of the May 2014 banking industry survey are here and an update to that survey, dated April 2015, is found here. The results of the February 2015 insurance industry survey are here. As the memo noted: Several broad conclusions and concerns . . . emerged from these reports and the risk assessments (the latter of ...

Potential Storms A-Brewin’ for Countries Enjoying the Calm of the EU Cyber Safe Harbor

EU law provides that personal data from the EU can only be transferred to countries that can ensure adequate protection of that data. The European Commission has authority to designate certain countries as “safe harbors” based on the domestic law of that country or that country’s international commitments. The EU Commission granted the United States safe harbor status. However, the European Court of Justice recently held that while the European Commission has authority to make these decisions, they are not binding on individual EU country regulators investigating complaints that a country does not have sufficient safeguards. This decision could open U.S. companies up to inquiries by individual EU states addressing concerns about data privacy. Read the full decision here. Read a summary of the decision here.

HIPAA’s Application to Digital Media

Recent media attention to the disclosure of Personal Health Information (PHI) concerning Lamar Odom provides a reminder that the Health Insurance Portability and Accountability Act (HIPAA) applies broadly to digital photographs and other electronic data, whether or not the disclosure is inadvertent. Goldberg Segalla attorneys Seth L. Laver, Jessica L. Wuebker and Kenneth M. Alweis have developed three useful steps to improve privacy and security programs and policies to account for these potential HIPAA violations, which can be read here on the firm’s Professional Liability Matters blog.

Controversial Cybersecurity Information Sharing Act Passes Senate, Will Likely Become Law

On October 27, 2015, the United States Senate passed S.754, the Cybersecurity Information Sharing Act (CISA or the Act), 74-21. Without requiring such information sharing, CISA would create a system for federal agencies to receive threat information from private companies in real time. However, the bill is not without controversy. As we discussed in August, the Department of Homeland Security raised concerns in July and August that the “real time collaboration” requirement in CISA would not permit it to scrub personal information contained in the data. As a result, the government would have access to information that it would not normally have access to without a warrant. Several senators introduced amendments to address this and other concerns. However, no amendments passed. S.754 requires the federal government and entities monitoring, operating, ...