All posts by Erich Falke

The New Biometric Data Ruling You Need to Know About!

Authentication through biometrics—such as fingerprinting or iris scanning—is growing rapidly. In 2008, Illinois passed the Biometric Information Privacy Act (BIPA) and became the first state to regulate the collection and use of this kind of data.

Recently, the Illinois Supreme Court made it much easier for plaintiffs to show harm under BIPA. This means we’ll likely see a significant rise in the number of lawsuits alleging violations.

The Trouble with Biometrics

While convenient, there are several drawbacks to using this data to authenticate a user. Unlike a password or a government-issued identification number, biometrics cannot be changed if compromised. Consequently, lawmakers continue to regulate the collection, use, storage, and destruction of this sensitive data.

BIPA Basics

Generally, BIPA requires organizations to give written notice and receive consent from the individuals whose biometric data is being collected or used. Biometric identifiers include fingerprints and voiceprints as well as retina, iris, hand, and facial geometry scans.

Companies are required to publish a privacy policy describing their biometric data retention policy. BIPA also gives individuals a private right of action to sue companies and obtain damages for violations.

Technical Violations Benefit Plaintiffs

Rosenbach v. Six Flags significantly changed the litigation landscape regarding biometric data handling. According to the Illinois Supreme Court, an individual could be “aggrieved” simply by a technical violation of BIPA even without suffering an actual injury or damage.

Prior to this case, plaintiffs had to show actual harm to collect damages. In short, this decision makes it much easier for plaintiffs to successfully sue companies for BIPA violations.

Practical Advice

This recent decision highlights the importance of notice and consent procedures related to collecting biometric information. Here are some things you can do today.

  • If you collect biometric data, get familiar with BIPA requirements and other biometric privacy laws (e.g. Texas).
  • Provide adequate informed notice and receive written consent before collecting or using biometric data.
  • Review your privacy policy for notice and consent procedures designed to educate individuals about the company’s privacy practices.
  • Review vendor relationships and determine whether third parties have access to or use your biometric data. If so, make sure you disclose that in your privacy policy!
  • Train your employees to properly handle biometric data.

Canada’s New Consent Guidelines are Effective Now!

Consent is an important element in privacy law.

Last year, Canadian officials jointly issued guidelines on how to obtain meaningful consent under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) which generally requires that you obtain meaningful consent for the collection, use and disclosure of personal information.

The guidelines outline seven principles for obtaining meaningful consent.

  1. Emphasize key elements

Organizations must allow individuals to quickly and easily review key elements affecting their privacy decisions early in the process. Key elements include what information is being collected, why it is being collected, and who it is shared with.

A Data Breach Can Cost a Small Business $2.5 Million

Small and medium-sized businesses (SMBs) are attractive targets to cybercriminals because they typically have smaller cybersecurity budgets and may lack an internal security team dedicated to discovering and responding to cyberattacks in a timely manner. Critically, these organizations may also lack the resources to train their employees to identify preventable breaches such as phishing campaigns.

The Cisco Report

Late last year, Cisco published a special cybersecurity report, Cisco’s SMB Cybersecurity Report (the Report), focused on how cyberattacks affect SMBs. The Report includes 1,816 survey respondents from 26 countries.

When surveyed, respondents listed these as the most concerning threats.

  • Targeted employee attacks (BEC and phishing)
  • Advanced persistent threats (new malware)
  • Ransomware


Employers Have a Legal Duty to Protect Employee Data

The cybersecurity standard of care is getting clearer: if you collect sensitive data, you must take reasonable measures to protect it.

Recently, in Dittman v. UPMC, the Pennsylvania Supreme Court ruled that an employer has a common law duty to use reasonable care to safeguard its employees’ personal information stored on an internet-accessible computer. This decision paves the way for a much broader application because the case was decided based on the mere act of collecting and storing sensitive information (and not the employer/employee context).

The Facts

The case relates to a data breach of the University of Pittsburgh Medical Center’s (UPMC) network and the theft of sensitive personal information belonging to more than 60,000 employees (e.g., Social Security numbers, confidential tax information, and bank account information). The employees sued but lost in the trial court, which held that Pennsylvania law did not recognize a duty to secure employee data stored on internet-accessible computers.

HHS Publishes Cybersecurity Best Practice Guide

The U.S. Department of Health and Human Services (HHS) recently published voluntary cybersecurity best practices entitled “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” (Best Practice Guide). These best practices were compiled over a two-year period by 150 cybersecurity and healthcare experts from both the public and private sectors, and they serve as a cybersecurity roadmap for healthcare organizations of all types and sizes, from small local clinics to large regional hospital systems.

All entities, especially those in the healthcare field, can learn from this valuable resource.

The Four-Part Best Practice Guide

The Best Practice Guide consists of four sections: a main document (entitled Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients); two technical volumes; and resources and templates. The Best Practice Guide’s goal is to increase awareness, provide sound practices, and consistently mitigate today’s most damaging cybersecurity threats in the healthcare industry.

5 Top Cybersecurity Myths Revealed! Protect Your Organization Today!

How much do you know about cyber risks? If the answer is, “Less than I should,” then your company may be at risk. A data breach can be costly. To minimize your cyber risks, learn the reality behind these cybersecurity myths!

Myth 1: IT is responsible for cybersecurity.

Reality: Everyone is responsible for cybersecurity.

IT may create and enforce cybersecurity policies and procedures, but everyone plays a role in keeping a company safe from cyber attacks. For example, phishing email attacks present a big risk. Effective employee training can reduce the chances of this type of breach and also reduce the harm it causes.

Myth 2: My organization doesn’t have anything of value to hackers.

Reality: Every organization is a target.

Online Privacy in Australia Takes a Major Hit. Who’s Next?

The latest law passed by Australian Parliament has outraged global privacy advocates. The Assistance and Access Bill (AA Bill) essentially allows Australian officials to access the content of end-to-end encrypted communications. While it may be an Australian law, global privacy advocates predict it will impact global privacy rights, and other countries may follow suit.

Here’s what you need to know. The most controversial parts of the AA Bill are the “frameworks for voluntary and mandatory industry assistance to law enforcement and intelligence agencies” that allow the Australian government to access encrypted communication content.

  • What does “industry assistance” mean?

It means the Australian government can force “designated communication providers” to use known capabilities to intercept communications or build a new interception capability.

  • Who is a “designated communication provider?”

In short, anyone who touches hardware, software, or data used in end-to-end communication, including online services like websites.

Get “Incident Response” Ready with Help from the DOJ

Being ready and able to effectively respond to a cyber incident is vital in terms of minimizing the resulting damages, but do you know what to do or where to look for assistance?

An effective response means having a plan before a cyber incident occurs. To help with your incident response planning efforts, the U.S. Department of Justice (“DOJ”) recently released a revised version of its “Best Practices for Victim Response and Reporting of Cyber Incidents” (Guidance). The DOJ’s Guidance was based on the real-life lessons learned by federal officials with input from private companies who managed cyber incidents.

The Guidance consists of four sections.

OCR Releases Improved HIPAA Security Risk Assessment Tool

Under the HIPAA Security Rule, a covered entity or business associate must perform risk assessments to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information. Failing to conduct risk assessments is a common basis for significant fines.

Risk assessments, however, can be a daunting task, particularly for smaller organizations with limited resources. In an effort to help organizations perform risk assessments and comply with the HIPAA Security Rule, the Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR) have jointly launched an updated HIPAA Security Risk Assessment (SRA) Tool.

The SRA Tool is designed for small to medium-sized health care practices (up to 10 health care providers) and business associates to help them identify ePHI risks and vulnerabilities.

New Ohio Law Creates Legal Incentive to Create Cybersecurity Program

Implementing a robust cybersecurity program is a business investment. Recently, numerous states have proposed a return on that investment in the form of statutory incentives for organizations that maintain certain technical safeguards. Incentive-based legislation can be used to convince management that investing in a cybersecurity program will create a return in the future.

For example, last year, Ohio proposed a bill that created a legal incentive for companies to create and implement a cybersecurity program. The proposed bill has now passed and will become effective November 2, 2018 (“Ohio Data Protection Act” or “Act”).

Under the Act, a company can raise an affirmative defense to data breach tort claims (such as negligence) brought under the laws or in the courts of Ohio if the company created, maintained, and complied with a written cybersecurity program. To establish the defense, a company would have to show that its security program contained administrative, technical, and physical safeguards designed to protect either “personal information” or “personal information and restricted information.”