Spotlight: US still lacking countrywide data breach notification law

The European Union is on its way to developing a single, European data breach notification law, and Australia and New Zealand are each developing similar laws for their countries. Yet the U.S., despite 47 states having their own notification laws, lacks a single, national law at the federal level, Gov Info Security noted today. The article pointed out that two separate House committees have passed such laws, but Republican leaders in the House haven’t indicated if they want to bring either up for a floor vote.

Article source:


No Comments

LinkedIn emails users about data breach

Business-orientated social media site LinkedIn has emailed users explaining the circumstances behind a recent data breach.

The security issue, which first became apparent on 17 May this year, relates to passwords and login details which are being posted online by hackers.

LinkedIn believes the passwords were stolen in a 2012 data breach and the leak is not the result of a fresh security leak.

The data breach referred to in 2012 resulted in the details of 6.5 million user accounts being stolen by cybercriminals and posted on a Russian password site.

After data resurfaced this month on website LeakedSource, LinkedIn’s legal team successfully persuaded the site’s operators to remove the data from their pages.

A statement from LeakedSource read: “We received a typical cease and desist letter from LinkedIn’s lawyers… for the next couple of days we are going to censor hashes from that particular data set while we consult with our legal team from OUR jurisdiction.”

However it is believed that the details surfaced again on the ‘dark web’.

In its email to users, LinkedIn’s helpdesk sought to reassure account holders: “We took immediate steps to invalidate the passwords of all LinkedIn accounts that we believed might be at risk. These were accounts created prior to the 2012 breach that had not reset their passwords since that breach.”

The social media site also advises that it is working with law enforcement authorities and has taken “significant steps to strengthen account security since 2012”.

The email advises that users visit LinkedIn’s Safety Centre to learn how to enable their two-step verification safeguard.

Widely used by professionals, LinkedIn has more than 400 million users worldwide and over 15 million active users in the UK. Its results for the first quarter of 2016 announced a 35 per cent year-on-year revenue increase to £584 million pounds.

Article source:


No Comments

NI Prison Service: data breach ‘not serious security threat’

The person who received the information works for a company that carries out work for the prison service, and they have been security vetted

Image caption

The person who received the information works for a company that carries out work for the prison service, and they have been security vetted

A data breach involving the personal details of hundreds of Northern Ireland Prison Service employees has been described as “a major embarrassment”.

However, the BBC understands it is not being treated as a major security breach.

A junior employee at the Department of Justice sent a spreadsheet with names and dates of birth of prison officers and civilian staff.

It was mistakenly sent to an outside contractor.

The person who received the information is employed by a company that carries out work for the prison service, and they have been security vetted.

It is understood that the recipient contacted the Department of Justice to make them aware of the mistake, and deleted the information they had been sent.

Prison officers who contacted the BBC after the department informed them about the data breach expressed concern about their personal security.

Image caption

It is not the kind of issue new justice minister Claire Sugden would have wanted to land in her in-tray on her first day in the job

The sources told the BBC that the lives of prison officers and civilian staff had not been put at risk, because the information had been quickly deleted.

In a statement, the Department of Justice confirmed that an incident occurred and said it takes its obligations under data protection legislation very seriously.

It added: “A full investigation is under way and the incident has been reported to the Information Commissioner’s Office.”

While the department has played down the significance of the incident, it is clearly not the kind of issue new justice minister Claire Sugden would have wanted to land in her in-tray on her first day in the job.

Article source:


No Comments

The frustrating aftermath of a data breach at American Type Culture Collection

In April, American Type Culture Collection (ATCC) was targeted by a Phishing attack seeking W-2 records. The attempt was successful, leaving employees stressed about their finances and the long-term impact this breach could have on them.

But it’s the actions by the company after the incident that’s left some employees feeling as if ATCC’s leadership stopped caring.

ATCC does business globally. If someone does any type of biological science or scientific research, the odds are good they’ve interacted with ATCC in some way– including governments, academia, and private industry. Lately, ATCC has been in the news due to their lung cancer research and research related to the Zika Virus.

A source familiar with April’s data breach shared internal memos and communications related to the breach’s aftermath with Salted Hash.

The reasoning behind the disclosure, according to the source, who asked to remain anonymous, is that unlike other major firms that have had their W-2 records compromised by a targeted Phishing attack, ATCC managed to avoid the limelight.

The source felt compelled to share the documents because “all the clients we serve should be aware [of the data breach] and question how we keep their data safe.”

The memos sent internally are outlined below. However, along with the communications, there is another aspect to this story – the human one. While the company was victimized by a criminal seeking W-2 records, so too were the employees.

At least one staffer at ATCC is still waiting on a tax return filed in March, and they had to jump through several hoops with the IRS to confirm their identity. Other employees affected by the breach are said to have had credit taken out under their names.

In addition, perception is a strong motivator when it comes to workplace morale. The way this data breach was handled, the source told Salted Hash, has left some staffers feeling left out in the cold, as they can no longer get questions answered. In short, they feel ignored and forgotten. That’s a painful feeling considering it’s only been just over a month since the breach occurred.

Salted Hash reached out to ATCC for comment, asking a number of questions related to awareness training, the protection offerings, and the incident itself. There was no response. Should that change, this story will be updated.

April 11 (Monday)

Company sends the first of several notices to employees. The IRS has informed ATCC that W-2 data for all employees has been compromised. In response, ATCC will send the IRS a list of staff SSNs in order to flag the individual as a victim of ID theft. The flag is supposed to prevent fraudulent returns.

ATCC says that to their knowledge “at this time, the unauthorized access of W-2 information by identity thieves occurred though a fraudulent email requesting internal transfer of the information” to Ralph Koch, ATCC’s CFO.

The notice says that the federal government is investigating the incident.

April 12 (Tuesday)

A follow-up communication explains that the company was contacted by the IRS the previous Friday (April 8). A weekend investigation, which ended the morning of April 12, determined the root cause of the data breach to be a Phishing email.

“What happened is a fairly common social engineering attack where someone posing as me [Ralph Koch, CFO] asked for W-2 information. Both HR and Finance personnel were targeted in recent weeks. Despite awareness training and reminder emails, we nonetheless failed to detect the attack,” the notice explains.

The notice goes on to reference the fact that many employees have been contacted by tax authorities in their state indicating irregularities with their returns. In addition, arrangements are being made in order to provide credit protection services, if they’re interested.

April 15 (Friday)

A third notice from the ATCC CFO informs employees of a SharePoint portal hosting a FAQ about the Phishing attack. Staff are also told about a one-year offer for ID theft protection, provided by IDShield.

“We want to assure you that the cause of this issue has been identified and we are taking steps to prevent this type of intrusion from happening again. Specifically, we are looking at ways to strengthen our internal data security protocols and elevate our IT Security Awareness training.”

The notice also offers security tips.

It advises employees to challenge and confirm requests for sensitive company data via email, no matter who is making the request. Employees should call or meet with the requestor face-to-face to confirm.

Also, requests for such information should be verified by at least two parties. Moreover, they should engage IT Security before the data is released.

April 22 (Friday)

A forth notice about the incident informs staff that there is a delay in IDShield registrations. It says more than 200 employees attended optional data incident meetings that week.

April 26 (Tuesday)

The IDShield registration page, which was supposed to have been operational the previous Friday, is still not available.

The delay is blamed on glitches in the registration process, and missing customization. There is no confirmed time for resolution.

As a result, employees are offered a $120 payroll credit, which is said to be the equivalent of one year of employee-only ID theft protection.

Insufficient response:

When asked about the data incident meetings, the source said the general feeling was that the meetings were rushed. They were 15 minutes in length, and included a short QA with the CFO. The representative conducting the meeting was actually from Legal Shield and could not answer specific questions about the IDShield product.

“They more or less wanted to shuffle us in and out, and it was – to be honest – not very helpful,” the source explained.

Prior to the data breach, ATCC employees received yearly security awareness training, which is an interactive program that takes about thirty minutes to an hour to complete. A portion of the training covers different types of scams that can arise in the workplace, and there is additional training for those who work with government contracts.

Since the breach was disclosed internally, the source said, there have been no changes to the awareness programs, and no new additional training provided. If such changes have been implemented, not everyone is aware of them.

When the ID theft protection glitches prevented enrollment, employees were offered a $120 credit as an alternative, should they chose to purchase their own protection. The problem is, this credit doesn’t cover most of the known services on the market, which run $20 per month on average.

“The ID Shield credit service they recommended covers one of three credit bureaus, which I did not feel was adequate,” a person familiar with the offer explained.

“Let’s face it; the one they wanted us to sign up for is the cheapest option on the market with sub-optimal customer reviews.”

Having read previous Salted Hash articles related to BEC scams and W-2 Phishing attacks, the source said they felt ATCC’s response was insufficient for a number of reasons.

“There was a lack of transparency, timeliness, and follow through,” the source explained.

“The CFO is no longer fielding questions on the matter. He has made comments such as our information will become less valuable in a year and this sort of scam happens all the time which shows a general lack of the severity of the issue. The people who have been affected are still waiting for tax returns, some of which were relying upon for large financial payments, such as mortgages. Some now have the added stress of restoring their credit.”

Lessons learned:

Again, Salted Hash reached out to ATCC for comment, including emails to executives directly. However, there has been no response from the company.

The assumption is that ATCC had a BCDR plan already established prior to the Phishing attack.

If that assumption is true, then the lesson here is that most plans fall apart the moment they’re actually needed. Organizations have to try and plan for this, and have alternative provisions to deal with shortfalls and hiccups. Such problems can be resolved by ensuring that BCDR plans are updated regularly, and fully address actual risk scenarios – such as Phishing and Social Engineering.

The notion that employees feel there was a lack of follow though on the incident is a painful reminder that BCDR plans have to include the people that make the organization function.

They’re humans, with real human concerns, that don’t go away with the passing of time. Yes, the stolen information will become less valuable over time, but that doesn’t offset the here and now, and such facts don’t make the issue go away.

In this case, clearly there was a breakdown somewhere. Just over a month later, employees feel as if they’ve been forgotten and the solutions offered didn’t really address their concerns.

The truth? Security is hard, but not impossible. Balancing the needs of people as well as the needs of the company can complicate things, but there should always be a path available to help both sides move forward.

Article source:


No Comments

Data Breaches Cost Health Care Industry $6.2 Billion

Data breaches are costing the health care industry an estimated $6.2 billion, with 89% of organizations represented in a new study by the Ponemon Institute having experienced a data breach in the past two years and 45% reporting more than five breaches in the same time period.

The Sixth Annual Benchmark Study on Privacy Security of Healthcare Data, sponsored by ID Experts, found that 69% of health care organizations believe they are at greater risk than other industries for a data breach. Fifty-one percent blamed a lack of vigilance in ensuring their partners and other third parties protect patient information as a top reason for their vulnerability, and 44% say it’s due to a lack of skilled IT security practitioners.

“In the last six years of conducting this study, it’s clear that efforts to safeguard patient data are not improving. More health care organizations are experiencing data breaches now than six years ago,” said Larry Ponemon, chairman and founder, Ponemon Institute. “Negligence—sloppy employee mistakes and unsecured devices—was a noted problem in the first years of this research and it continues. New cyber threats, such as ransomware, are exacerbating the problem.”

With recent health care data breaches making headlines, the industry is on high alert. Sixty-seven percent of health care organizations say well-publicized breaches have affected their security practices in the following ways:

  • 61% became more vigilant in ensuring partners and other third parties have necessary precautions in place to safeguard patient information.
  • 58% increased their investment in technologies to mitigate a data breach.
  • 52% increased employee training.

Another study released around the same time from the Brookings Institution, Hackers, phishers, and disappearing thumb drives: Lessons learned from major health care data breaches, found similar results.  Over the last six years, more than 155 million Americans have had medical data potentially exposed through nearly 1,500 breaches, with a per-record cost of $363.

Niam Yaraghi, author of the report and a Brookings Institution Fellow, said in a podcast, “These hacking incidents unfortunately will continue because there is no immediate solution to decrease them at the moment; however, they will also be a wakeup call for hospitals to take information security much more seriously than before and implement long-term solutions.”

The Brookings Institution report takes industry knowledge on data breaches a step further, and includes policy recommendations to better protect patient privacy and prevent breaches:

  • Prioritize patient privacy and use available resources to protect medical data through spending more on security technologies or diligently implementing privacy policies.
  • Greater communication between health care organizations through information sharing about security technologies, privacy policies, and breach incidents.
  • Develop a cyber-insurance market where companies can conduct audits and proactively manage privacy protection efforts.
  • Release Office for Civil Rights data breach investigation details.
  • Establish a universal HIPAA certification system and conduct preventive audits.

Article source:


No Comments

Noodles & Company investigates customer data breach

Frank Abagnale, international fraud expert, is encouraging Hoosiers to call the IndyStar Call for Action hotline. (Clark Wade/IndyStar)
Clark Wade/IndyStar

Article source:


No Comments

Noodles & Company investigates customer data breach

File photo of Noodles  Company

File photo of Noodles Company

File photo of Noodles  Company

File photo of Noodles Company

INDIANAPOLIS, Ind. – if you’ve eaten at Noodles Company recently and paid with your credit card, you’ll want to check your bank statement.

The restaurant chain is investigating a customer data breach. According to Krebs on Security, multiple financial institutions detected a pattern of fraudulent charges on customer cards that were used at various Noodles Company locations between January 2016 and the current date.

Noodles Company released this statement to Krebs on Security: “We are currently investigating some unusual activity reported to us Tuesday, May 16, 2016 by our credit card processor. Once we received this report, we alerted law enforcement officials and we are working with third party forensic experts. Our investigation is ongoing and we will continue to share information.”

The company has over 500 locations nationwide, and it is unknown at this time which locations were targeted.

Article source:


No Comments

Six steps to avoid becoming a data breach statistic

In the first half of 2015, 246 million records were breached globally and 82% were classed as mega-breaches, because of the numbers of records hacked. Often, the first an organisation knows of their systems being compromised is when an external party tells them.

Even where this isn’t the case, data breach notification obligations mean businesses can’t always remain silent about a breach while they deal with the fallout. As a result, rarely a month goes by without a news story on a high profile data breach emerging.

Whether from malicious hackers, an insider job or employee errors, there are a number of proactive steps organisations can take to mitigate the risk avoid becoming one of this year’s data breach statistics.

Address authentication

Stolen credentials are a prime entry point to systems for hackers. Introducing Identity and Access Management (IAM) technology means that regardless of how a network and data is being accessed, it’s being accessed securely through correct identity mapping, correct access assignments and robust authentication flows.

See also: A retailer’s guide to cyber security

Enterprise IAM solutions can even provide real-time, continuous risk analysis on users, detailing who has access to what, who has access to privileged resources, their activity and summarising their behaviour and access rights with a risk score per user.

Enhance security around applications

Building on this, one of the best practices for securing data is extending security around applications by using multi-factor authentication – providing several separate items of evidence to be authenticated – right across systems.

This can mean, for example, proving identity through possession of a hardware token in addition to the user’s password. Multi-factor authentication should particularly be used for granting access to privileged users.

Limit access to systems and applications and apply fine grained controls

However, the fact that someone has established his or her identity as an employee should not result in unfettered access. It’s important to work on the principle of least privilege here to ensure employees only have access to the services they really need.

Should everyone have root access to server? Should everyone have access to every system? Routing access through a single point, role based access can be used to limit who has right to use to which systems and applications. In general, businesses need to be more rigorous on who has access to what.

Finally, businesses should consider provisioning and de-provisioning systems to help with automating new hire enrolment and performing necessary clean up tasks when employees leave. No one wants a disgruntled employee using their old account to hack into the company network.

Test, monitor and learn on a daily basis

The most common means of hacker into a company’s network are through exploiting system vulnerabilities, default passwords, SQL injections, and targeted malware attacks and these need to be continually monitored for.

Constantly testing how robust systems and services are, phishing and probing for weak points and possible points of entry should form part of the IT team’s daily tasks. Monitoring and auditing is useful not only in ‘after the fact’ analysis of how the business was breached but also as an upfront real-time proactive measure to help an organisation avoid breaches in the first place.

IT systems provide a plethora of data every day that can be analysed and used to mitigate breaches before they happen. This should include regular checks on control systems such as password settings, firewall configuration, public facing server configuration, open ports, reducing opportunities of exposure.

Any public facing SSH servers that are vital for business operations should be locked behind firewalls just like other public facing systems with root access disabled. Any server with port 22 open will likely be bombarded by brute force password attempts from XOR.DDoS botnets and so an IP restriction policy needs to be imposed or the server placed behind an SSH gateway that can monitor and protect access to the critical servers behind.

If the worst does happen, data leak prevention software can help even once a hacker is in to prevent, block and alert access of sensitive data.

Password management and self service

Password management and self-service solutions can also be part of an organisation’s security arsenal and help mitigate against data breaches.

Access to the network may be well locked down with applications secured behind firewalls and DMZ’s or perimeter network, authentication and IAM in place, but one element that can be lacking is security from the end user’s perspective in the form of a password policy and password management.

See also: Companies should NOT force companies to keep changing their passwords – GCHQ

Passwords are so commonplace that people can become complacent with their use. Repeated, simple, low entropy passwords can result in increased attack vectors.

Password self-service solutions can help combat identity theft, account hacking, data theft and improve security practices of end users by introducing strong password policies with the ability for a user to self-reset should they forget.

Hackers rely heavily on mining information from social networking sites, so employees should avoid using the same passwords on social sites as they do on accessing company resources.

Create a security-aware culture

There is one final element that is less to do with systems, authentication and access, but can make a huge difference to how successfully an organisation can stand up to a potential hack – culture. Best practice in network, systems and data security needs to be enshrined in a strong and well communicated security policy.

It needs to be embedded with a company’s culture, rigorously monitored and taken seriously at every level – from the CEO down.

Key protocols here include having unified data protection policies that cross the entire organisation, and a consistent policy across all servers, networks, computers, devices to help reduce risk.

A prevent and response plan needs to be constantly updated, outlining critical actions in the event of a breach, for example locking and moving sensitive information.

While reports of data breaches might be appear to be getting more frequent and the hackers ever more sophisticated, the reality is that most data breaches are low level in their complexity and are often the result of simple employee error.

Following these steps and employing security best practices throughout the organisation covering everything from office security to password, authentication and access policies will go a long way to reducing the chances of a breach.

Sourced from Lee Painter, CEO Hypersocket Software 

Article source:


No Comments

Employee Negligence The Cause Of Many Data Breaches

Enterprise privacy and training programs lack the depth to change dangerous user behavior, Experian study finds.

More than half of organizations attribute a security incident or data breach to a malicious or negligent employee, according to a new survey.

Sixty-six percent of the 601 data protection and privacy training professionals surveyed for the Managing Insider Risk through Training Culture report say their employees are the weakest link in their efforts to create a strong security posture.

Awareness of the insider risk, though, is not influencing many companies to put in place practices to improve the security culture and training of their employees, the Experian Data Breach Resolution and Ponemon Institute report found.

Only 35% say senior executives think it is a priority to ensure that employees are knowledgeable about how data security risks affect their organizations, and 60% say employees are not knowledgeable or have no knowledge of the company’s security risks.

“It’s no surprise that employee-related security risk is their number one concern,” says Michael Bruemmer, vice president of Experian Data Breach Resolution. “As we have seen in our incident response service that we do for clients, about 80% of all the breaches we service have a root cause in some type of employee negligence.”

Training Programs Inadequate

Each of the organizations in the survey has a training program, but many of these programs do not have the depth and breadth of content to drive significant behavioral changes and reduce the insider risk. Only half of the companies agree or strongly agree that current employee training actually reduces noncompliant behaviors.

Forty-three percent of respondents say that training consists of only one basic course for all employees. These basic courses often do not provide training on the risks that can result in a data breach: 49% of the respondents say training in their organization does not include phishing and social engineering attacks. Only 38% of respondents say the course includes mobile device security, and only 29% say courses include the secure use of cloud services.

Less than half –45% — say their organizations make training mandatory for all employees. Even when mandatory, exceptions are made for certain individuals. For example, 29% of respondents say the CEO and senior level executives in their companies are not required to take the course.

Additionally, if an employee doesn’t pass a privacy test or do well on a training course, 60% of the companies in the survey don’t require them to do anything else but check off the right answers on the test, Bruemmer says.

Responsibility Starts At The Top

The responsibility for data protection and cybersecurity should start at the top with company board members and senior management, he notes. Cybersecurity should be one of the top five strategic priorities, he says. And if companies are setting up an organizational structure, the chief information security officer or an executive with that responsibility, must report at a minimum to the CEO, if not directly to the board. 

“So cybersecurity, privacy, and data breach response must have a priority at the highest level of the organization,” Bruemmer says. To back up that argument, Bruemmer notes that 29% of the cybersecurity professionals surveyed say that the lack of senior executive buy-in contributed to the inefficient training.

“In this day and age, given the cost of a data breach, which is about $6.2 million per incident, to not spend the money upfront to address the number one cause of data breaches – a relatively low cost compared to some of the other preparations – it just seems like there is a real miss here,” Bruemmer says.

Mitigating the insider risk, according to Bruemmer, should include both culture and training. Sixty-seven percent of respondents say their organizations do not provide incentives to employees for being proactive in protecting sensitive information or reporting potential issues.

The report recommends that companies should provide employees with incentives to report security issues and safeguard confidential and sensitive information, as well as better communicate the consequences of a data breach. Plus, companies should “gamify” training to make learning about potential security and privacy threats fun.

Meanwhile, federal cybersecurity professionals also recognize that people can be their organization’s greatest cybersecurity asset or greatest liability: 42% of cybersecurity executives surveyed for a new (ISC)² and KPMG LLP report say that people are currently their agency’s greatest vulnerability to cyberattacks.

Lack of accountability was also a consistent theme throughout the federal survey results, as some respondents were unable to identify a senior leader at their agency whose sole responsibility is cybersecurity. Federal cybersecurity executives are still struggling to understand how attacks could potentially breach their systems a year after hackers stole the personal information of 22 million people from the Office of Personal Management databases, according to the (ISC)² report.

Related Content:

Rutrell Yasin has more than 30 years of experience writing about the application of information technology in business and government. He has witnessed all of the major transformations in computing over the last three decades, covering the rise, death, and resurrection of the … View Full Bio

Article source:


No Comments

How to Draft an Effective Data Breach Incident Response Plan

JD Supra provides users with access to its legal industry publishing services (the “Service”) through its website (the “Website”) as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement (“Policy”). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users’ names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user’s experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the “opt-out of future email” option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at [email protected] In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: [email protected]

Article source:


No Comments