Category: In the News
New York State Department of Financial Services Superintendent Maria T. Vullo is scheduled to discuss the state’s new “first in the nation” cybersecurity regulation later this week at the National Association of Insurance Commissioners annual meeting in Denver.
Digital Divide Deepens: Tech Community Backs Second Circuit in Clash with Magistrates over Reach of U.S. Warrants
The technology community took aim at a recent federal magistrate’s ruling that ordered Google Inc. to comply with search warrants seeking customer emails stored on servers abroad, calling the decision “an impermissible extraterritorial application of U.S. law.” In rejecting a recent federal appeals court decision in a similar case in favor of Microsoft Corp., U.S. Magistrate Thomas J. Reuter in Philadelphia ruled that transferring emails from a foreign server to the U.S. was not tantamount to a seizure beyond American borders. The technology companies urged the court to reject the “fiction that such a foreign search and seizure is a domestic act….”
Back in December of last year, we reported that for the first time, a U.S. law firm – Johnson & Bell, a mid-sized Chicago firm – was publicly named in a class action data security lawsuit. Last month, the firm obtained a significant victory in the case.
The United States Court of Appeals for the Third Circuit recently ruled that a data breach class action may proceed on the basis of a Fair Credit Reporting Act (FCRA) violation alone, even where the putative class members do not allege that they were actually harmed by the breach. The ruling, which both relies on and distinguishes the Supreme Court’s recent analysis of FCRA standing in Spokeo v. Robins, suggests that at least in the Third Circuit, “injury” from a data breach may be presumed from the fact of the breach itself. This, in turn, could have the effect of expanding potential liability for any consumer-facing entity that suffers a breach.
Today, the U.S. Court of Appeals for the Eighth Circuit vacated the class action settlement between Target Corp. and consumers whose card data was compromised in the company’s 2013 data breach.
On January 23, 2017, President Donald Trump named Ajit Pai as Chairman of the Federal Communications Commission (FCC). In his previous role as the senior Republican on the FCC under President Barack Obama, Mr. Pai was an outspoken critic of the agency’s decision to assert jurisdiction over Internet Service Providers (“ISPs”) and its rules governing broadband privacy. Pai’s appointment suggests that significant changes may be on the horizon.
Back in December 2013, a U.S. magistrate issued a seemingly routine warrant in a narcotics case demanding that Microsoft turn over messages from a customer’s email account that resided on a server in Ireland. That warrant, which issued under a 1986 law called the Stored Communications Act (“SCA”), 18 U.S.C. § 2703, is still being debated today.
The U.S. Securities and Exchange Commission is reportedly looking into whether two data breaches at Yahoo!, Inc. should have been disclosed earlier. In a front page article today, the Wall Street Journal reported that “people familiar with the matter” say the SEC is investigating whether Yahoo!’s disclosures complied with the securities laws.
Hedge funds and broker dealers can expect their cybersecurity preparedness to come under scrutiny again this year by federal securities regulators.
Firing the opening salvo in its appeal of one of the most controversial data security decisions by the U.S. Federal Trade Commission in years, LabMD accused the agency of overstepping its authority and “destroy[ing] [the] small medical testing company” in the process.
In what New York’s top federal prosecutor called a “wake-up call for law firms around the world,” three Chinese citizens have been charged with hacking into the servers of two prominent – but unidentified – international law firms to steal confidential client information in connection with pending M&A deals
Today, Reuters reported that the New York Department of Financial Services (“DFS”) will delay the effective date of its new cybersecurity regulation. According to a “person familiar with the matter,” the DFS will publish a new version of the cyber security regulation on December 28, 2016, and the effective date for the rule will now be March 1, 2017.
Industry groups continued their assault yesterday on New York’s “first-in-the-nation” cybersecurity regulation by telling state lawmakers that the proposed regime was inflexible and unfairly burdened smaller institutions.
On Wednesday, Yahoo! disclosed that more than 1 billion of its users’ personal information was exposed in a newly discovered cyber-attack, making it the largest data breach reported to date. The breach apparently took place in August of 2013.
Yesterday, the Federal Trade Commission (“FTC”) announced a settlement with the owners of “dating site” AshleyMadison.com, arising from a July 2015 data breach that received broad media coverage. According to a proposed order filed in the District Court for the District of Columbia, the operators of the website are also simultaneously settling with thirteen states—including New York—and the District of Columbia.
Just weeks before the Cuomo administration’s “first-in-the-nation” cybersecurity regulation is scheduled to go into effect, the New York State Assembly Standing Committee on Banks will open a public hearing on Monday, December 19th into the controversial plan to require financial institutions that operate in New York to comply with a series of strict – and in some cases, unprecedented – data security measures.
Last week marked the first time a U.S. law firm was publicly named in a class action data security lawsuit. Originally filed in April 2016, the class action complaint in Shore v. Johnson & Bell, Ltd., 16-cv-4363 (N.D. Ill.), was unsealed last week after months of back-and-forth over whether the alleged security flaws had been patched. The complaint accuses Johnson & Bell, a mid-sized Chicago firm, of “systematically exposing confidential client information and storing client data without adequate security.” The lawsuit makes no claim that any client information has been stolen or misused. Even so, the filing of this complaint amplifies the risks already facing law firms – including reputational – at a time when data security is a top concern for law firms and their clients.
The transition of power from President Barack Obama to President-Elect Donald Trump is underway. Although President-Elect Trump did not lay out specific policy prescriptions about data privacy or consumer protection during his candidacy, his recent choice of Dr. Joshua D. Wright to lead transition efforts at the Federal Trade Commission provides some hints as to the direction the agency may take under a Trump administration.
This is the second installment in our interview with Steven Grossman, VP Strategy & Enablement at Bay Dynamics, the cyber risk analytics company. Here, Steven discusses the importance of aligning an institution’s risk profile with its cybersecurity plan and recommendations for bridging the gap between IT and the boardroom.
As part of Patterson Belknap’s continuing focus on the New York Department of Financial Services (DFS) proposed cybersecurity regulation, we sat down with Steven Grossman, VP Strategy & Enablement at Bay Dynamics, a cyber risk analytics company, to talk about cybersecurity in a highly regulated environment. In the first installment of our 2-part interview with Steven, he discusses implementation of the new regulation and the fact that organizations shouldn’t confuse regulatory compliance with effective cybersecurity planning and strategy.
This is our final installment in a three-part series examining the New York State Department of Financial Services (“DFS”) new cybersecurity regulation. In this installment, we provide an overview of the regulation’s impact on third-party vendors and business partners, including law firms.
This is our second installment in a three-part series examining the New York State Department of Financial Services (“DFS”) new cybersecurity regulation. In this installment, we provide an overview of the regulation’s impact on corporate governance and the scope of liability for corporate boards.
This is the first installment in a three-part series examining the New York State Department of Financial Services (“DFS”) new cybersecurity regulation. The Patterson Belknap Privacy and Data Security Team has studied the regulation, its legislative and regulatory underpinnings, and practical consequences.
The fight between the Federal Trade Commission and LabMD, the defunct medical testing lab, entered a new chapter late yesterday. In a 13-page ruling, the U.S. Court of Appeals for the Eleventh Circuit said that LabMD’s appeal presented “a serious legal question” as to the Commission’s interpretation of Section 5 of the FTC Act and that any enforcement of the agency’s order should be stayed until the appellate process had run its course.
Earlier today, the Chinese government in Beijing approved a sweeping new cybersecurity law aimed at centralizing control over computer networks operating within China’s borders. An unofficial English translation of the newly-enacted law is available here.
We’re writing this week to highlight some of the ways in which President Obama’s evolving views on cybersecurity can help guide corporate governance on this increasingly important subject. In an interview with Wired Magazine, the President admitted that he is rethinking his own view on cybercrime: comparing it to a “pandemic” no longer addressed by traditional means such as the latest and greatest defensive technologies
The Financial Crimes Enforcement Network, or FinCEN, an arm of the United States Department of the Treasury, issued an advisory last week to remind financial institutions of their obligations to report cyber-events on Suspicious Activity Reports (SARs). While FinCEN emphasizes that its advisory does not change existing reporting requirements, it goes to lengths to discuss its “expectations” about what and how information will be reported when it comes to cybersecurity events.
Bank regulators are continuing to demand more accountability from corporate leaders when it comes to compliance with cybersecurity safeguards.
The aftermath of Yahoo’s data breach has raised a number of questions from customers, law enforcement, and most recently six U.S. Senators.
In the midst of its acquisition by Verizon Communications Inc., Yahoo Inc. disclosed what looks like one of the largest reported thefts of user information in U.S. history.
As New York public schools increase the use of technology in day-to-day operations and in the classroom, they increasingly face data management and data security threats similar to those faced by businesses and non-profit institutions.
Several recent federal court decisions have added guidance on the still-unsettled question of when a plaintiff has Article III standing to sue based on a data breach or other data security or privacy event. These cases—Attias v. CareFirst, Inc. (D.D.C.), Wood v. J. Choo USA, Inc. (S.D. Fla.), and Guarisma v. Microsoft (S.D. Fla.)—offer somewhat mixed guidance for defendants in class action privacy-related lawsuits looking to use a standing challenge as a quick escape.
There’s no denying it: Pokémon GO is a phenomenon.
The smartphone game, in which players use their mobile device camera and GPS to capture, battle, and train virtual creatures, was released in the United States on July 6th. In a month, it has shot to the top of the App Store charts to become the biggest mobile game in U.S. history. Within just days of its release, Pokémon GO already had surpassed app giants like Twitter and Tinder in number of downloads and active users, with more than 25 million users playing each day.
Ransomware attacks at hospitals and other healthcare facilities have dramatically increased over the last several years, putting healthcare providers in the uncomfortable position of having to consider paying thousands of dollars to regain access to vital medical records. Indeed, one recent study concluded that hospitals are hit with 88% of all ransomware attacks nationwide.
FTC Slaps Down ALJ’s Data Security Ruling in LabMD, Sets Broad Mandate for Protection of “Sensitive” Consumer Data
In a sweeping statement of its data security expectations for organizations that maintain consumer information, the Federal Trade Commission on Friday found that LabMD, the defunct medical testing lab, failed to employ adequate data security safeguards in violation of Section 5 of the FTC Act, even though there was no indication that any information had been misused or compromised.
On July 21st, Patterson Belknap and Berkeley Research Group hosted a Practising Law Institute (PLI) briefing on law firm cybersecurity.
In a ruling issued this morning, the Federal Trade Commission found that LabMD, the defunct Atlanta-based cancer detection lab, failed to protect patient information and is liable for unfair data security practices. The Commission’s ruling reverses an Initial Decision by an administrative law judge (ALJ) that had dismissed the FTC charges against LabMD.
The leadership team at Target Corp. has one less legal claim to worry about today from the company’s headline-making 2013 data breach. And in an unusual twist, the shareholders who filed a series of derivative actions against Target’s directors and officers have waived the symbolic “white flag” by agreeing that the cases could be dropped so long as they were able to come back to Court to recover their legal fees.
On June 29, 2016, the Bank for International Settlements’ (BIS) Committee on Payments and Market Infrastructures (CPMI) and the Board of the International Organization of Securities Commissions (IOSCO) issued “Guidance on cyber resilience for financial market infrastructures” (Cyber Guidance), the first set of concrete recommendations following the 2012 CPMI-IOSCO Principles for Financial Market Infrastructure (PFMI).
Microsoft’s blockbuster acquisition of LinkedIn earlier this month—a deal where concerns for privacy and data security loomed large—provides a glimpse into the growing trend of including separate privacy and data security representations in merger and acquisition agreements. Because the trend is so recent, there is no consensus or standard practice at this point for drafting these representations. The LinkedIn privacy and data security representation is a good example of the evolving nature of these representations.
State and federal regulators are turning their attention to the lead generation and data aggregation business – firms that compile massive databases of detailed consumer information ranging from spending and dieting habits to political affiliation.
The Federal Trade Commission has decided to put off until late July a decision about whether to overturn a ruling by the agency’s chief administrative law judge in the closely watched data security action against LabMD, the Atlanta-based medical detection firm. In a one-paragraph order issued late yesterday, the Commission extended the deadline for decision until July 28th “in order to give full consideration to the issues presented by the appeal in this proceeding.”
In part II of our interview with LabMD CEO Michael Daugherty, we discuss the Federal Trade Commission’s much anticipated decision in this long-running data security enforcement action.
- Page 3 of 5