Categories & Search

FDA Issues Updated Guidance on Medical Apps Oversight

Last month, the Food & Drug Administration (FDA) issued a long-awaited revision to its Policy for Device Software Functions and Mobile Medical Applications Medical App - Guidance for Industry and Food and Drug Administration Staff (the Guidance).  The revised Guidance was among several newly announced policies aimed at advancing the FDA’s digital health initiative that promotes innovation, while also permitting efficient and up-to-date regulatory oversight.

Go

A New Era of COPPA Enforcement?

Earlier this month, YouTube and its parent company, Google, entered into a record $170 million proposed settlement to resolve allegations brought by the Federal Trade Commission (FTC) and the New York Attorney General (NYAG) under the federal Children’s Online Privacy Protection Act (COPPA). According to the complaint in the case, YouTube collected personal information on video channels directed to children without parental consent using persistent identifiers that can track individuals across the Internet. This is the largest penalty to date in a COPPA enforcement action.

Go

Amendments to the California Consumer Privacy Act: Six Clarifications

As readers of the Data Security Blog will know, the California Consumer Privacy Act (“CCPA”) becomes operative on January 1, 2020.  The CCPA is the most sweeping consumer privacy law in the United States, covering most for-profit businesses that do business in California and collect the personal information of “consumers,” meaning California residents. 

Go

SEC’s Proposed Revisions to Regulation S-K Will Minimally Impact Cybersecurity Disclosure Requirements

It has been thirty years since the Securities and Exchange Commission (the “SEC”) significantly revised Regulation S-K, which sets forth reporting requirements for public companies. The SEC is now taking a fresh look at the rules, proposing for public comment amendments to modernize the description of business, legal proceedings, and risk factor disclosures that public companies must make. This represents a good opportunity to revisit key disclosure requirements—including Items 503(c) (now Item 105), 101, and 103—that are the subject of the revised guidance and that potentially impact reporting obligations associated with cybersecurity.

Go

Home Depot Joins Facebook and Others in Facing Suit for Scanning Faces

This past week, The Home Depot, Inc. became the latest business hit with a class action lawsuit for their use of facial recognition security cameras allegedly in violation of the Illinois Biometric Information Privacy Act.  If successful, Home Depot faces statutory damages of up to $5,000 for each time a shopper’s information was collected in violation of BIPA.

Go

Capital One Hack Prosecution Raises New and Old Questions about Adequacy of CFAA

On August 28, 2019, almost a month after Paige A. Thompson was arrested based on allegations that she hacked into servers rented by Capital One Financial Corporation, a criminal indictment was returned charging her with one count each of computer and wire fraud, as well as forfeiture allegations.  The indictment includes new allegations that, in addition to hacking Capital One’s data, Thompson illegally accessed and copied data from more than 30 different entities that rented or contracted servers at an unnamed cloud-computing company at which she previously worked.  The indictment provides additional details concerning Thompson’s hacking scheme.  According to the indictment, Thompson used devices that allowed her to scan servers rented or contracted by Capital One and other entities at the cloud-computing company.  From the scans, Thompson was able to identify servers that had firewall misconfigurations, which she then exploited to obtain security credentials that allowed her to access and copy the entities’ data.  In addition to copying the data, Thompson also used the stolen computing power of the servers to mine cryptocurrency—in a scheme colloquially known as “cryptojacking.” 

Go

The Perils of Sharing Privileged Communications with Third-Party Vendors

On May 6, 2019, Magistrate Judge Gorenstein issued an order that should be a wake-up call for attorneys contemplating hiring and sharing privileged communications with an outside public relations firm.  This decision also has wider implications, especially for companies engaging a forensic consultant to assist in responding to a cyber incident or data breach.

Go

A Closer Look at the CCPA’s Private Right of Action and Statutory Damages

The California Consumer Privacy Act (CCPA) has significantly altered the potential consequences of a data breach under California law by permitting California consumers to bring civil suits for statutory damages, Cal. Civ. Code § 1798.150(a)(1), and to seek statutory damages of between $100 and $750 “per consumer per incident or actual damages, whichever is greater.” Id. § 1798.150(a)(1)(A). The ability to seek statutory damages is in addition to injunctive or declaratory relief. Id. § 1798.150(a)(1)(B),(C).

Go

New York’s SHIELD Act Is Signed Into Law

Last Thursday, Governor Cuomo signed New York’s latest data security bill – the Stop Hacks and Improve Electronic Data Security, or “SHIELD” Act.  The Act, which we have followed on this blog since November 2017, imposes new notification obligations on businesses managing private data when a security breach occurs.  Capital One’s recent breach underscores the significance of the changing regulatory landscape, as both businesses and the government attempt to navigate and protect against large-scale cybersecurity attacks, and the importance of understanding notification obligations, should those efforts fail.

Go

An Old Hack Comes Back to Haunt (Newly-Public) Slack

Last Thursday, Slack Technologies, Inc. (Slack) announced that it would reset passwords for a number of accounts compromised by a security breach that occurred more than four years ago, in March 2015. Slack—a fast-growing messaging service that launched in 2014 and went public last month—provided little explanation for its delay in action and minimized the scope of the incident, claiming that it only affected a small percentage of current Slack users. The narrow scope and timing of Slack’s disclosure raise interesting questions about the heightened scrutiny public companies now face when dealing with cybersecurity incidents.

Go

D.C. Circuit Breathes New Life into OPM Data Breach Litigation

The U.S. Office of Personnel Management (“OPM”) made headlines when several hacks of confidential data came to light in 2015, intrusions that compromised the personal data of over 20 million individuals. On July 21, 2019, in AFGE v. OPM (In re United States OPM Data Sec. Breach Litig.), Nos. 17-5217, 17-5232, 2019 U.S. App. LEXIS 18609 (D.C. Cir. June 21, 2019), a divided panel of the United States Court of Appeals for the D.C. Circuit breathed new life into litigation stemming from those breaches and injected yet another piece into the growing puzzle surrounding constitutional standing in breach litigation. The case had previously been dismissed after a district court held that the plaintiffs lacked standing based on their failure to allege concrete injuries. In a divided opinion, the D.C. Circuit panel reversed, holding that the plaintiffs’ allegations of potential future harm were sufficient for the case to move forward.

Go

New York’s SHIELD Act Heads to the Governor’s Desk

The New York State Senate recently passed The Stop Hacks and Improve Electronic Data Security Act, or SHIELD Act, leaving only the Governor’s signature as the final step to the SHIELD Act becoming the country’s newest—and one of the most stringent—breach notification laws.  Given Governor Cuomo’s previous support for robust cybersecurity protections, New York may soon join a growing number of states beefing up their notification statutes.

Go

A Shield From Cyber Liability: Beyond the Statute

Part 3 in a 3-Part Series

As we’ve written about in the past, the SAFETY Act has the potential to help companies mitigate their risk from cyber-terrorism.  As previously noted, the statute has never been fully tested in courts, so the full contours of its protection remain uncertain. Nonetheless, the benefits of SAFETY Act approval may extend well beyond those mandated by Congress: to the right company, SAFETY Act approval could be a significant market differentiator and, in the right circumstances, could be a powerful tool in litigation even when the Act does not itself apply.

Go

Patterson Belknap Mourns the Loss of Partner Craig A. Newman

Patterson Belknap Webb & Tyler LLP is deeply saddened to announce the passing of our partner and friend Craig A. Newman, the founding editor of the Data Security Law Blog. Craig was a litigation partner with Patterson Belknap from 2015 to 2019 and served as chair of the Firm’s Privacy & Data Security practice. He was a source of wisdom, warmth and humor, and will be missed. More information can be found on the Firm’s website here.

Go

New York Launches Cybersecurity Unit

Today, New York’s top financial regulator, the Department of Financial Services, announced the formation of a dedicated “Cybersecurity Division.” In a news release issued earlier today, the agency said the new division “will focus on protecting consumers and industries from cyber threats ….”

Go

Amazon Sellers Hit With Phishing Scheme

Hackers have managed to break into the accounts of 100 sellers at Amazon.com. The hackers funneled money from the seller’s accounts—either from sales or loans—into their own bank accounts after stealing seller credentials. It is not clear how much money was stolen in the incident.

Go

A Shield From Cyber Liability: Diving Deeper Into the SAFETY Act

Part 2 in a 3-Part Series

As we’ve discussed in previous posts, the SAFETY Act has the potential to serve as a valuable tool for companies looking to mitigate risk from cyber-terrorism. This is part two of a three-part series; be sure to read part one, which describes how the SAFETY Act applies to cybersecurity.

Go

Executive Order: Cybersecurity Skill Gap in Federal Government

Last week President Trump issued an executive order targeted at improving the quality of the federal government’s cybersecurity workforce. The executive order—which acknowledges the shortage of qualified employees for cybersecurity jobs—would implement a number of steps to strengthen and expand cyber knowledge within the federal government.

Go

FBI Reports An Increasing Rate Of Internet-Facilitated Crime

The FBI’s Internet Crime Complaint Center, better known as IC3, released its 2018 Internet Crimes Report.  For those unfamiliar with the IC3, it was established by the FBI in May 2000 as a central repository for public complaints of internet-based crimes. Since its inception, IC3 has received more than 4 million complaints. To facilitate law enforcement efforts and promote public awareness, IC3 analyzes the complaints it receives and disseminates information to the public and law enforcement. Among other things, it identifies trending scams, refers scams that do not meet federal law enforcement thresholds to state and local law enforcement, and provides victim services. New in 2018, IC3 created the Recovery Asset Team to help victims of internet-facilitated schemes recover funds and the Victim Specialist-Internet Crime position to provide crisis intervention, needs assessments, and referrals.

Go

After a Year on the Books, DOJ Releases White Paper on CLOUD Act

In its first official statement about the CLOUD Act – the Clarifying Lawful Overseas Use of Data Act – the U.S. Department of Justice has published a white paper, “Promoting Public Safety, Privacy and the Rule of Law Around the World:  The Purpose and Impact of the CLOUD Act,” discussing its view on the law enacted in March 2018. The CLOUD Act, established revised procedures for government requests for data held by technology companies outside of the U.S.

Go

SEC Warns Advisers Over Privacy Compliance Issues

The Securities and Exchange Commission is warning investment firms to step up their game when it comes to following the agency’s privacy rules. In a Risk Alert issued by the Office of Compliance Inspections and Examinations (OCIE), a laundry list of compliance “deficiencies or weaknesses” were identified in recent examinations of SEC-registered investment advisers and broker dealers.

Go

Online Trust Alliance Audit Hands Feds Rare Honor

The federal government’s record for effective cyber defenses of its own websites has not been stellar over the past few years. Federal government agencies ranging from the Office of Personnel Management to the National Archives have suffered data breaches, as have nearly a dozen other agencies.

Go

Part III: Our Last Look at the CCPA’s Definition of “Personal Information”

In our third and final installment on the California Consumer Privacy Act’s (CCPA) expansive definition of “personal information,” we look at other sections of the CCPA that either limit the applicability of the law’s “personal information” definition or exclude information from coverage under the law.

Go

Part II: A Closer Look at the CCPA’s Definition of “Personal Information”

Our three-part series on the California Consumer Privacy Act’s (CCPA) expansive definition of “personal information” is designed to help businesses identify whether they hold information covered under the law, while also highlighting the potential pitfalls in the definition as we await interpretative regulations from the California Attorney General and potential amendments from the state’s legislature. In Part I, we explored the breadth of the definition. We now turn to the law’s two explicit exclusions from the definition of “personal information.” 

Go

FBI’s Brief Expands to Combat Cyber Threats

The nation’s top law enforcement agency is rebooting its cybercrime capabilities.

In an effort to keep up with the evolving threats against property, critical infrastructure and human life posed by cyber-attacks –especially those launched by foreign adversaries – the Federal Bureau of Investigation is seeking to reposition its priorities and fortify its capacity to fight cybercrime.

Go

New Utah Privacy Law Requires Search Warrant

Companies from California to New York are already scrambling to comply with a growing patchwork of privacy laws covering both businesses and consumers.

Go

Are Bug Bounty Programs Worth It?

Almost weekly, it seems there is another news article about a bug bounty program sponsored by a major corporation where an amateur hacker – often a teenager – is paid a sizeable sum of money for finding a bug in a company’s operating system or code. Often, these articles describe just how much money these teens make from bug bounty programs; one headline from March 12, 2019 describes how bug bounty programs have made “one teen a millionaire hacker.” In another from February 2019, Apple paid a 14-year-old hacker an undisclosed sum after he found a security flaw in FaceTime.  

Go

FTC Looks to NY’s Cyber Regulation in Proposed Changes to Safeguards Rule

When New York’s far-reaching cybersecurity law for financial institutions was enacted more than two years ago, some predicted it would serve as a national blueprint for future data security laws. Now, as the U.S. Federal Trade Commission considers changes to two privacy rules designed to safeguard customer information held by financial institutions, the proposed changes to one law – the Safeguards Rule – hue closely to a handful of requirements already in place in New York.

Go

Yet Another Proposal to Require Disclosure of Board’s Cyber Expertise

Before investing in a company, would you want to know whether the board of directors had cybersecurity expertise?

A bipartisan group of senators have proposed a bill, Senate Bill 592, that would require every public company to disclose the cybersecurity background of its directors, and, if none exists, explain why the company doesn’t believe it is necessary.

Go

MyFitnessPal Data Breach Lawsuit Sent to Arbitration

Many consumers have become painfully aware of the risks that data breaches pose in a digital world. And now, their legal claims may not be ultimately decided by a judge or jury but sent off to arbitration.

Go

DNA Collection: The Next Big Thing in Privacy Litigation?

The use of biometric technology is fast becoming the next big thing in privacy litigation. There was last month’s decision by the Illinois Supreme Court that upheld a consumer’s right to sue companies for collecting biometric data – such as fingerprints and iris scans – without first disclosing how such information will be used. See our blog on that ruling here.

Go

GAO Backs “Comprehensive” Privacy Legislation

A recent report by the Government Accountability Office (GAO) is recommending that Congress adopt comprehensive federal data privacy legislation. The GAO’s proposal is, in part, meant to address limitations of the current privacy regulatory landscape, which is mostly piecemeal, industry-specific regulation at both the federal and state levels. The GAO’s 56-page report follows more than a year of interviews with officials from various federal agencies that have taken active roles in data security issues, including the Federal Trade Commission (FTC), Federal Communications Commission, and the Consumer Financial Protection Bureau, as well as stakeholders from industry and academia.

Go

NYS Cyber Regulation: New Rules for Third-Parties

It’s been almost two years since New York’s top banking regulator implemented one of the nation’s most stringent cybersecurity regulations.  Since then, thousands of financial institutions have recruited chief information security officers, implemented cybersecurity programs, performed penetration testing, and imposed encryption requirements on their most sensitive information.

Go

New York’s DFS Cyber Deadlines Loom

It’s a marathon month for the thousands of financial institutions and insurance companies covered by New York’s landmark cybersecurity regulation. In little more than a week, these businesses must file their second annual certification of compliance with the State’s Department of Financial Services. Two weeks later, they must also come into compliance with the regulation’s third-party vendor requirements, the final milestone in the two-year roll out of the cybersecurity regulation.

Go

Trade Off Between Privacy and Convenience: Germany’s New Digital Mail Service

In a country renowned for protecting the privacy of its citizens, Germany has undertaken a pilot that does just the opposite. In a trade off between privacy and convenience, German residents can enroll in a digital service where their mail is emailed to them anywhere in the world.

Go

A Shield From Cyber Liability: Integrating SAFETY Act Protections Into Institutional Cyber Governance

An obscure federal law called the SAFETY Act recently captured national headlines when MGM Resorts International invoked it in a series of pre-emptive, declaratory judgment law suits against the victims of the 2017 Harvest Festival Las Vegas shooting. MGM sued the victims in an effort to avoid liability in connection with the tragedy. MGM owns the Mandalay Bay hotel, where Stephen Paddock, from his 32nd floor suite, shot and killed 58 people and wounded hundreds more who were attending a music festival next door.

Go

The New York Times Features Op-Ed by Craig Newman: "Lessons for Corporate Boardrooms From Yahoo’s Cybersecurity Settlement"

The New York Times featured an op-ed last week written by Craig A. Newman, Chair of Patterson Belknap’s Privacy and Data Security Practice, entitled “Lessons for Corporate Boardrooms From Yahoo’s Cybersecurity Settlement.” In the op-ed, Mr. Newman discusses how the January 2019 settlement “marked the first time that shareholders have been awarded monetary damages in a derivative lawsuit related to a data breach.” Mr. Newman notes, “the settlement signals that director and officer liability for cybersecurity oversight is entering new and potentially perilous territory.”

To read the full article, click here.

Go

Illinois Biometric Law: Scanning Fingerprints Can Get You Sued

In a ruling with wide-spread implications, the Illinois Supreme Court on Friday upheld a consumer’s right to sue companies for collecting biometric data – such as finger prints and iris scans – without disclosing how such information will be used.

Go

HHS Releases New Cybersecurity Guidance

In a four-part publication, a Task Force that included the Department of Health and Human Services (HHS) and private sector industry leaders released guidance for the healthcare industry on cybersecurity best practices. The guidance, Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients, focuses on healthcare providers, payors and pharmaceutical companies.

Go

PayPal Shareholders’ Data Breach Stock-Drop Suit Dismissed

Among other things, 2018 was the year of the shareholder data breach stock-drop lawsuit. As we’ve previously reported, it was the year that shareholders began routinely suing companies after an announcement of a data breach, seeking damages for a hit to the company’s stock price. 

Go

A Closer Look at California’s New Privacy Regime: Two Critical Definitions

Businesses covered by the recently enacted California Consumer Privacy Act of 2018 (CCPA) are scrambling to comply with the statute, which becomes “operative” on January 1, 2020, unless that date is changed by the California legislature. As we have noted in earlier blog posts, the CCPA is the most sweeping privacy law in the U.S. and has significant implications for any business that falls within its coverage.

Go