CLOSE X
RSS Feed LinkedIn Instagram Twitter Facebook
Search:
FMG Law Blog Line

Posts Tagged ‘Security’

South Dakota Introduces Data Breach Notification Legislation

Posted on: February 14th, 2018

By: Kacie L. Manisco

On January 23, 2018, South Dakota’s Senate Attorney Judicial Committee unanimously voted in favor of introducing data breach notification legislation. Senate Bill 62 would require an “Information Holder,” i.e., a person or business conducting business in South Dakota that owns or retains computerized personal or protected information, to notify South Dakota residents whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

The law would require notification within 45 days from the discovery of the breach, unless notification would impede a criminal investigation. Moreover, when there is a breach affecting more than 250 South Dakota residents, the Information Holder would be required to notify the state’s Attorney General and all consumer reporting agencies of the timing, distribution and content of the breach notification.

The Bill defines a “breach” as “the acquisition of unencrypted computerized data or encrypted computerized data and the encryption key by an unauthorized person that materially compromises security, confidentiality, or integrity of personal or protected information maintained by the information holder.”

The Bill further empowers the South Dakota Attorney General’s office to investigate and enforce violations. The Attorney General would be authorized to impose criminal penalties for the failure to disclose a breach as an unfair or deceptive practice under South Dakota’s Deceptive Trade Practices and Consumer Protection law. In addition, the Attorney General could impose a civil penalty of $10,000 per day per violation and recover attorneys’ fees and costs associated with any action brought against the Information Holder.

Currently, Alabama and South Dakota are the only two states in the United States without data breach notification statutes. If the South Dakota legislation passes, Alabama may soon be the only state lacking a data breach notification law.

If you have any questions or would like more information, please contact Kacie Manisco at [email protected].

Off-Duty Police Officer Immune from Excessive Force Claim

Posted on: October 2nd, 2015

By: Brian Dempsey

In a recent opinion, the Georgia Court of Appeals granted official immunity to an off-duty police officer, Jose Vidal, who was providing security at an IHOP restaurant when he arrested a patron and allegedly used excessive force. 

These events occurred during the early morning hours, after plaintiff Ashley Leavell and some friends had drinks at a bar.   After being seated, Leavell noticed Officer Vidal approach a nearby booth and begin to speak to a group of young women seated there. Leavell began to video the scene with her cell phone because she believed that Vidal was acting too aggressively. Officer Vidal instructed the women in the booth, and all those around him, to stop touching him.

After another officer arrived and appeared to be engaged in stopping Vidal from his interactions with the women, Leavell admitted that she grabbed Vidal’s shoulder “to get his attention.” At this point, Officer Vidal slapped Leavell in the face. Video footage of the incident revealed that Leavell then violently swung at the officer several times before another officer grabbed her arm.

As the other officer was holding Leavell’s arm, Officer Vidal punched Leavell on the side of the head. Officer Vidal then threw Leavell to the floor, dragged her to the front entrance, and handcuffed her.

Leavell sued Officer Vidal for battery, negligence, and excessive force. Although Vidal was off duty, it was undisputed that he was engaged in a discretionary law enforcement function when he arrested Leavell.  As such, Vidal was entitled to claim the defense of official immunity

Noting that the doctrine of official immunity requires a plaintiff to prove that an officer acted with actual malice or an actual intent to injure, the court emphasized that a plaintiff must show more than the officer’s ill will towards her to meet that burden. Rather, the actual malice standard requires a showing that an officer “acted with the deliberate intent to commit a wrongful act or with the deliberate intent to harm.” Georgia courts have consistently distinguished actual malice from “implied malice,” which is defined as “conduct exhibiting a reckless disregard for human life.” The court reminded litigants that “evidence demonstrating frustration, irritation, and possibly even anger is not sufficient to penetrate official immunity, nor is proof of ill will, unless the ill will is combined with the intent to do something wrongful or illegal.”

While concluding that the officer’s actions did not rise to the level of “actual malice,” the court disapproved of the officer’s actions, stating that “we do not condone the officer’s actions in this case.”  This opinion underscores the reality that Georgia courts will adhere to the doctrine of official immunity — even when a court disagrees with an officer’s actions. 

The case is:  Vidal v. Leavell, 333 Ga. App. 159, 775 S.E.2d 633, 634-37 (2015).

 

FMG Cyber Toolkit Now Available to Help Prevent Data Breaches and Reduce Costs

Posted on: July 31st, 2015

By: David Cole

FMG is  pleased to announce the availability of a new FMG Data Breach Toolkit.  The toolkit consists of policy and form documents intended to provide your organization with everything it needs from a document standpoint to help prevent a data breach from occurring and respond effectively if one happens.

Included in the Toolkit are :

  1. Data Security Plan for maintaining the security of sensitive information that employees may access during their employment;
  2. Data Breach Response Plan with procedures to be followed in the event of a data breach, such as the creation of data breach response team, steps for identification and assessment of the breach, containment and recovery of the breach, and notification to affected individuals, employees, and the public; and
  3. Multiple form documents to be use during execution of the Data Breach Response Plan, including a data breach incident reporting form, data breach response checklist, chronology of events to document steps taken, chain of custody forms, and sample breach notification letters and website provisions.
  4. Access to our firm’s Cyber Emergency Response Team (see here).

Studies  consistently have shown that organizations that implement these preventive policies are less vulnerable to attacks and save a lot money when responding to a breach.  For instance, the 2015 Ponemon Cost of Data Breach Study, released in June, reported that that some of the best preventative and cost-reducing measures for any organization are to adopt a data breach response plan and train employees on it and on data security in general.  As the report stated, “[t]he most profitable investments companies can make seem to be an incident response plan . . . employee training, [and] board-level involvement[.]”   The Ponemon report found a per record cost of response in the United States of $217.  However, implementing an incident response plan ahead of time dropped the per-record cost by $12.60, conducting employee training on information security practices reduced costs by $8 per record, and having board involvement in cyber security policy development lowered costs by $5.50 per record.

If you have been reading our blog (see here and here) or attending our seminars, then you know this issue has been a point of emphasis and concern for clients.  It is essential that every organization not relegate data security and privacy to the IT department, but instead make it a “board room issue.”  In addition, just like every organization should have an employee handbook that sets forth your personnel policies, every organization should have in place a data breach response plan that is part of your training to employees.

To discuss the toolkit for your organization, as well as training that is available for your workplace, please contact one of our Data Security, Privacy and Cyber Liability Practice Team  attorneys:

David Cole – Partner in Charge (Atlanta office)
(770) 818-1287 (o)
(404) 805-6558 (c)
[email protected]

John Goselin –  (Atlanta office)
(770) 818-1423(o)
(678) 478-3570(c)
[email protected]

Joshua Lott –  (Atlanta office)
(770)-818-1283 (o)
(706) 248-6132 (c)
[email protected]

Jonathan Romvary – (Philadelphia office)
(267) 758-6009 (o)
(609) 304-2883 (c)
[email protected]

Behnam Salehi – (Philadelphia office)
(267) 758-6013 (o)
(949) 2949230 (c)
[email protected]

Kacie Manisco – (San Francisco office)
(415) 689-1215 (o)
(909) 969-3757 (c)
[email protected]

VISA Issues Security Alert Due to Increased Data Breaches Caused by Insecure Remote Access

Posted on: July 30th, 2014

By: David Cole

When a merchant experiences a data breach involving credit card information, it is often required by the card brands to hire a Payment Card Industry Forensic Investigator (PFI). The PFI investigates the incident and then provides a report to the card brands on what happened, how it happened, and whether the merchant’s system complied with the Payment Card Industry Data Security Standards (PCI DSS).  The card brands receive hundreds of PFI reports each year, and they occasionally issue security alerts when they see an emerging threat pattern in PFI reports.

Just this month, Visa issued a security alert titled “Insecure Remote Access and User Credential Management,” in which it reported an increase in data security breaches stemming from insecure remote access.  The alert notes that a number of remote access solutions are commonly used to provide remote management and support for merchants, such as LogMeIn, PCAnywhere, VNC, and Microsoft Remote Desktop.  When used correctly, applications like these are effective ways to provide technical support among large numbers of merchants.  But if used maliciously, they can expose payment card data and other sensitive information to cyber criminals. This is because insecurely deployed remote access applications create a conduit for cyber criminals to log in, establish additional “back doors” by installing malware, and steal payment card data.

The alert warns that the circumstances around multiple data breaches in the last several months suggest that an actor or group of actors are targeting merchants who share common Point-of-Sale (POS) integrators or remote support vendors.  It then identifies several common vulnerabilities that are allowing intruders to gain access through remote applications.  These include: (1) remote access ports and services always being available on the Internet; (2) outdate or unpatched systems; (3) use of default passwords or no passwords at all; (4) use of common usernames and passwords; (5) single factor authentication; and (6) improperly configured firewalls.

To protect against these vulnerabilities, the alert advises merchants to examine their remote management software for insecure configurations, use of outdated or unpatched applications, common or easily-guessed usernames and passwords, and ensure that overall payment processing environment is securely configured and maintained in accordance with the PCI DSS.  In addition, merchants should follow these other security practices to mitigate their risk:

  • Ensure proper firewalls rules are in place, only allowing remote access only from known IP addresses.
  • If remote connectivity is required, enable it only when needed.
  • Contact your support provider or POS vendor and verify that a unique username and password exists for each of your remote management applications.
  • Use the latest version of remote management applications and ensure that the latest security patches are applied prior to deployment.
  • Plan to migrate away from outdated or unsupported operating systems like Windows XP.
  • Enable logging in remote management applications.
  • Do not use default or easily-guessed passwords.
  • Restrict access to only the service provider and only for established time periods.
  • Only use remote access applications that offer strong security controls.
  • Always use two-factor authentication for remote access. Two-factor authentication can be something you have (a device) as well as something you know (a password).