Posted in Breach Notification


Is SEC Cybersecurity Guidance Working?

Imagine that the FBI and DHS have arrived at your company to inform you of a potential cyber threat. Your public company disclosure obligations may not be the first thing on your mind, but such issues will quickly emerge.


SEC and Cybersecurity—What Publicly-Traded Companies Need to Know

With the news that Target intends to wait until it files its annual report with the Securities and Exchange Commission (SEC) in March to report on the investment consequences of its massive cybersecurity intrusion from 2013, the SEC and cybersecurity once again gain attention.


Is A Criminal Statute Necessary To Supplement a Federal Breach Notification Law?

A few weeks ago, Jason Weinstein introduced Privacy Perspectives readers to Sen. Patrick Leahy’s (D-VT) Personal Data Privacy and Security Act of 2014, a bill that would enact a federal security breach notification law. While Weinstein’s position is well taken and should be considered as this bill moves through Congress, I believe that there is another issue that deserves considerable debate. In addition to creating the federal breach notification law, §102 of Leahy’s bill would open the door to criminal liability for anyone who “intentionally and willfully” conceals the fact of a security breach. Adding criminal liability is not to be taken lightly, and it would be wise for the information privacy and security community to think critically about whether the bill’s criminal statute would be a prudent addition.

More from Andrew Proia

Practical Privacy

How to Lose Your Data In 10 Days

By Heather Federman, CIPP/US

It’s no longer an “if” you’re the target of a data breach; it’s just a matter of “when.” Data loss incidents are becoming an unfortunate rite of passage. More and more businesses have found themselves exposed and ill-prepared to manage the fallout. While the average cost of a breach equals $5.5 million, the public reaction fosters graver implications. The resulting “business shock” not only paralyzes operations, but it also damages relationships with regulators, partners and consumers.

How can you best prepare and defend your organization? How can we all make 2014 the year of “data stewardship?”

More from Heather Federman


Is the Congressional Response to the Target Breach Off-Target?

In the aftermath of the Target breach announced last month, there has been understandable anxiety on the part of consumers and understandable concern by lawmakers about how to respond to large-scale breaches of this type.

In recent weeks, there have been calls by members of Congress for hearings on the Hill. Several Senators have demanded an investigation by the Federal Trade Commission (FTC) and have discussed legislation beefing up the FTC’s enforcement powers—although as I’ve written here previously, the FTC has not exactly needed an engraved invitation to investigate data breaches in recent years and does not seem to have been inhibited at all by the lack of clear (some might say any) authority to do so. And just this week, Sen. Patrick Leahy (D-VT) reintroduced the Personal Data Privacy and Security Act, which among other things would create a national breach notification standard.

More from Jason Weinstein

Practical Privacy

The Data Breach Monster, Establishing Trusting Relationships and other PPS Takeaways

By Jedidiah Bracy, CIPP/US, CIPP/E
Wilson Sonsini’s Gerry Stegmaier at this year’s PPS in NYC

I had the pleasure this week of attending our Practical Privacy Series event in New York City. The program featured three tracks: Data Breach, Financial Services and Online Marketing. Though I didn’t get a chance to attend every session, each day was packed with professional and practical insight for privacy pros. I’ve attempted to put together some—just some—of the highlights. This barely scratches the surface of all that was covered. But, as you’ll see, we have included many of the speaker PowerPoint presentations for those wanting to delve further into the facts and figures.

More from Jedidiah Bracy

Breach Notification

The Many Lives of PII

By Annie C. Bai, CIPP/US

Can you believe how many different state laws we privacy pros need to reference just to determine what is PII? I mean, how many definitions could there be for one short phrase? I am not talking about Pi, the mathematical term, but the acronym for the likewise complex concept of “personally identifiable information.”

The definition of PII is important because it is a trigger for breach notification requirements in 48 U.S. jurisdictions (that’s 46 states plus D.C. and Puerto Rico). But it varies so much that I find myself constantly referencing complex charts, links and statutes to check on its meaning in a given state. Thankfully, the spirit of Halloween has bestowed upon me some inspiration in my search for broader understanding of these definitions. I’ve clustered the 48 definitions of PII into seven groups with similar definitions and dressed them up for Halloween. It’s easier to get acquainted with these definitions when I imagine each cohort as a persona. These personae are the seven PII archetypes.

More from Annie C. Bai

Data Breach

Why You Need to Treat a Breach as a Customer—Not a Compliance—Issue

By Michael Bruemmer, CIPP/US

A breach happens. In my experience dealing with breach resolution, this means companies run to call forensic investigators, legal counsel, law enforcement and others. Then the breach notices arrive. Without the proper channels in place for a smooth and quick resolution, unfortunately I’ve seen consumers rush to call the media, litigators and the competition.

When all runs smoothly, you know you’re handling the technical and regulatory sides of breach response with aplomb. However, as I’ve seen time and time again, what you might be falling behind on is the consumer engagement side of breach response, and that’s when your customers start making calls.

More from Michael Bruemmer