Here are three privacy stories to start your week -

1.  Dear “financial institution”: how is your data security?!

Senator Elizabeth Warren (D-Mass.) announced (press release) that on November 18 the Senator, together with Rep. Elijah E. Cummings (D-Md.), sent letters to sixteen (16) financial services providers requesting detailed information about the providers’ data security programs (including vendor management practices) as well as disclosure of cyber-attacks and data breaches experienced by the entities over the past year. The previous week, Representative Cummings sent similar letters to certain organizations that experienced large data breaches in the recent past, including the U.S. Postal Service and U.S. Investigations Services.

In the letters sent last week, the lawmakers expressed deep concern about the frequency and sophistication of cyber-attacks upon both private and public institutions over the past twelve months, noting the significant implications of these attacks for the country’s economy and for consumers:

“The increasing number of cyber-attacks and data breaches is unprecedented and poses a clear and present danger to our nation’s economic security… Each successive cyber-attack and data breach not only results in hefty costs and liabilities for businesses, but exposes consumers to identity theft and other fraud, as well as a host of other cyber-crimes. Your ability to protect consumers and safeguard their personal information is central to earning and maintaining consumer confidence in our economic system.”

The letters referenced a recent USA Today story reporting the alarming number of financial records stolen by hackers over the past year (approximately 439 million in the past six months and approximately 519 million in the past 12 months) and mentioned the recent cyber-attack on JP Morgan Chase that, according to the company’s filing with the Securities and Exchange Commission, compromised account holder names, addresses, and phone numbers of nearly 76 million households and 7 million small businesses.

Calling for “greater collaboration to improve data security” and for assistance “as Congress examines federal cybersecurity laws and any necessary improvements to protect sensitive consumer and government information,” Senator Warren and Representative Cummings asked the recipients to provide the following information by December 19:

  1. a description of all data breaches each recipient has experienced over the past year, including the date and the manner and method by which the entity first discovered the breaches, the dates the breaches are believed to have begun and ended, and the types of data breached;
  2. the approximate number of customers that may have been affected by the breaches, and the manner in which customers were notified of the breaches;
  3. the findings from forensic investigative analyses or reports concerning the breaches, including findings about vulnerabilities to malware, the use of data segmentation to protect personally identifiable information, and why the breaches went undetected for the length of time they did;
  4. the individuals or entities suspected or believed to have caused the data breaches, and whether they have been reported to the appropriate law enforcement agencies;
  5. a description of data protection improvement measures each recipient has undertaken since discovering the breaches;
  6. an estimate of the number and value of fraudulent transactions that were connected to the data breaches, including the approximate number of federal, state, and local government customers whose information was exposed during the data breaches at issue, as well as the number and value of fraudulent transactions that were connected to federal, state, and local government customers exposed in the data breaches;
  7. a description of the data security policies and procedures that govern each recipient’s relationships with its vendors, third-party service providers, and subcontractors, including the manner by which each recipient ensures that entities performing work on its behalf have reasonable data security controls in place to thwart cyber-attacks; and
  8. any recommendations for improvements in cybersecurity laws or the coordination of efforts to identify and respond to emerging trends in cybersecurity risks to help prevent future data breaches.

The lawmakers also requested a briefing from each financial institution’s Chief Information Security Officer or similar chief IT security professional by December 8, 2014.

2.  Psst….hey buddy….wanna buy a data breach?

It is becoming more important than ever for due diligence in the context of investments or mergers & acquisitions to include a review of the target’s data privacy and security.

We all know a rep and warranty review doesn’t tell the full story. You wouldn’t purchase a home without an inspection by an engineer, so why would you spend millions (if not billions) without getting technical and taking the pulse of the security environment and culture of the target organization? Alex Gross with our friends at Kroll has published a very useful post that should be in every deal conversation. Read it here.

3.  Beware the Black Friday hack….

It wouldn’t be a Privacy Monday before Black Friday without a word of warning. Where there is money changing hands online, there will be hackers. Rachael King reports in the Wall Street Journal on her interview with Gartner cyber-guru Avivah Litan. It probably goes without saying that retailers will likely face a surge in hacker attacks this holiday season, given that the retail industry accounts for more than 36% of all data breaches so far in 2014 – but we are saying it. Don’t be that guy…..