Payment Law Advisor: Legal Commentary and Resources for the Payment Industry

Category Archives: Privacy and Data Security


NY Proposes Cybersecurity Regulations for Financial Services

Posted in Financial Services Litigation and Enforcement, Privacy and Data Security
Banks, insurers, and other financial services companies in the Empire State may have to abide by new cybersecurity regulations come January 1, 2017. On September 13, New York Governor Andrew Cuomo and the New York Department of Financial Services (NYDFS) announced new regulations that, if put into effect, would impose a myriad of cybersecurity requirem…

Just Around the Corner – HIPAA Audits for Business Associates

Posted in Privacy and Data Security
Financial organizations that are business associates can expect a wave of HIPAA desk audits to evaluate the HIPAA compliance efforts of business associates. These audits have a limited focus and are conducted by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). For business associates, desk audits will target breac…

HIPAA Wake-Up Call for Financial Institutions: First HIPAA Settlement with Business Associate

Posted in Privacy and Data Security
It’s a HIPAA first. A business associate has settled a direct enforcement action over allegations that it potentially violated the Health Insurance Portability and Accountability Act (HIPAA). This settlement portends future HIPAA enforcement actions against business associates. What Happened? It all started with the theft of a smart phone. On Jun…

PCI DSS v. 3.2: New Requirements Coming to Protect Your Customers’ Wallets

Posted in Privacy and Data Security
PCI Council announces that new requirements will be considered “best practices” until compliance becomes mandatory on Feb. 1, 2018. The Payment Card Industry (PCI) Security Standards Council (PCI Council) released Version 3.2 of the PCI Data Security Standard (PCI DSS), containing several new requirements for merchants, acquirers, and other ent…

Credit Card Data Breaches: Protecting Against Surprises

Posted in Privacy and Data Security
For retailers, the costs involved with a credit card data breach go well beyond the immediate needs of retaining a privileged forensic investigator, hiring outside counsel and public relations and crisis management advisors, and notifying customers of the breach and offering credit protection services to them. DWT PrivSec and Payments team member Cou…

Webinar: Legal Issues in the Mobile Landscape

Posted in Deals and Technology, Privacy and Data Security
The days of swiping a credit card on a card reader are over. Companies are increasingly exploring new and creative ways to allow their customers to pay for items using smartphones, computers, and mobile technologies. In a webinar scheduled for 12 PM EDT on Thursday, May 12, DWT Privacy and Security and Payments team member Courtney Stout, along with David Ze…

HIPAA Audits to Include Financial Institutions—There’s an App for That

Posted in Privacy and Data Security, Regulatory and Compliance
The Phase 2 audit program for HIPAA compliance now is underway, and financial institutions are on the list as potential targets. Many financial institutions are business associates under HIPAA, usually because of their “value-added” services to clients that are health care providers and health plans. Other financial institutions are cl…

Webinar: How to Improve Data Security in Payment Systems

Posted in Privacy and Data Security
How to Improve Data Security in Payment Systems: Changing Risks and Changing Technology for In-House Counsel. Thursday, March 31st, 2016, 12:00 PM EDT. Davis Wright Tremaine presents this audio web cast through Celesq® Attorneys Ed Center in partnership with West LegalEdcenter, a Thomson Reuters business. With new technology behind how credit card tr…

Simplification of Privacy Disclosures: An Experimental Test

Posted in Privacy and Data Security, Regulatory and Compliance
PLA today posts “Simplification of Privacy Disclosures: An Experimental Test,” in which Omri Ben-Shahar and Adam Chilton, both of the University of Chicago School of Law, having studied the consumer impact of such disclosures, conclude: “Our results reveal that none of the simplification techniques help inform respondents or affect their beha…

Chip-and-PIN (EMV) Credit Card Liability Shift is Oct. 1: Are You Ready?

Posted in Privacy and Data Security
October 1 is right around the corner. Merchants, retailers, hotels and restaurants: are you ready for what’s in your customers’ wallets? Starting next month, the payment card industry’s transition to chip-and-PIN (also known as EMV) payment cards will take effect. As part of this transition, merchants, retailers, and all other businesses that a…

Upcoming HIPAA Audits May Target Financial Institutions—Here’s How to Prepare

Posted in Privacy and Data Security
Much like a tornado watch, the conditions appear to be right for a coming storm: the upcoming Phase 2 HIPAA audits. The Department of Health and Human Services Office for Civil Rights (OCR) has begun verifying contact information of potential audit targets. This serves as a warning that OCR will be auditing for HIPAA compliance, which unlike the pilot audit…

Legal Departments: New PCI DSS Requirements Mandatory in June

Posted in Privacy and Data Security
PCI Council publishes new PCI Data Security Standard Version 3.1 and provides very short time to implement new encryption standards. The PCI Council just published a new version of the PCI Data Security Standard (PCI DSS). The new Version 3.1 (agreement required) is available to use immediately and becomes mandatory on June 30, 2015. If your company…

President Obama’s April Fools’ Day Order on Cyberterrorism – No Joking About It!

Posted in Privacy and Data Security
While it’s not clear whether the President’s release today of an Executive Order, “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities,” was purposefully timed to coincide with April Fools’ Day, it is apparent that the government is ratcheting up its fight against cyberterror…

President Obama’s Proposed Consumer Privacy Bill of Rights

Posted in Privacy and Data Security
Our colleagues over at the DWT PrivSec Blog are closely monitoring the Obama administration’s proposed Consumer Privacy Bill of Rights. In a six-part series of posts, they will explore: Personal Data, De-Identification, and Retention Requirements; Notice, Choice, and Context; What’s Not Covered; Data Security; Accountability; Expanded FTC Jur…

Webinar: Re-Identification Risks for Credit Card Data

Posted in Privacy and Data Security, Regulatory and Compliance
Join us March 10 at 1PM EST (10AM PST) for Re-identification Risks for Credit Card Data, featuring DWT payments team members Christin McMeley and Brian Hurh as well as Khaled El Emam, Founder and CEO of Privacy Analytics. An article was published recently in Science magazine claiming that it is “easy” to re-identify credit card transaction…

Cybersecurity: The Human Factor

Posted in Privacy and Data Security
Financial institutions are under a constant and growing cyber assault from hacktivists that want to cause online mischief, criminals that want to steal consumer data and nation-states that are looking for a military, political or economic advantage. In this increasingly costly war, the focus is often on the latest hardware, software and analytics to fo…

Federal Financial Institutions Examination Council Releases Cybersecurity Assessment Results: Boards of Directors and Senior Management Need to Engage

Posted in Privacy and Data Security
The Federal Financial Institutions Examination Council (FFIEC) released general observations yesterday from a cybersecurity assessment of over 500 community financial institutions. The cybersecurity assessment evaluated the institutions’ preparedness to mitigate cyber risks. It ultimately found that due to the critical dependence of finan…

Mobile Applications: Security Best Practices

Posted in Deals and Technology, Privacy and Data Security
The industry for mobile applications is growing rapidly. As companies and independent developers look to gain, or strengthen, footholds in this competitive space, the Federal Trade Commission (FTC) asks, “…is security keeping up” with mobile application companies’ public assurances of safety? The potential pitfalls of overpromising…

Federal Financial Institutions Examination Council Launches Cybersecurity Webpage and Begins Cybersecurity Assessments

Posted in Privacy and Data Security
Our friends over at the DWT PrivSec blog are helping us keep a close eye on developments at the FFIEC. In comments before the Risk Management Association’s Governance, Compliance, and Operational Risk Conference last month, Thomas J. Curry, Comptroller of the Currency and Chairman of the Federal Financial Institutions Examination Council, stated tha…

“…Because That’s Where the Money Is.” OCC Head Highlights Oversight of Cybersecurity for Financial Industry—Will All Vendors Cooperate?

Posted in Privacy and Data Security
Why are banks often tempting targets for criminals and terrorists alike? Thomas Curry, the head of the Office of the Comptroller of the Currency (OCC), recently reminded us: “…because that’s where the money is.” But what most worries the Comptroller is not a modern-day Bonnie & Clyde or John Dillinger attacking banks from without, but rather…

“Getting to Know You, Getting to Know All About You…” FTC Data Brokers Report Calls for More Industry Transparency, Regulation in How Data Brokers Use Consumers’ Personal Information

Posted in Privacy and Data Security, Regulatory and Compliance
“You may not know them, but data brokers know you,” Federal Trade Commission (FTC) Chairwoman Edith Ramirez said when she announced the release of the Commission’s newest report on the data broker industry. And in the FTC’s opinion, Congress and the data brokerage industry need to take concerted action to bring transparency to the industry, prot…