Categories & Search

Search Results

410 results found for: sec

FTC Slaps Down ALJ’s Data Security Ruling in LabMD, Sets Broad Mandate for Protection of “Sensitive” Consumer Data

In a sweeping statement of its data security expectations for organizations that maintain consumer information, the Federal Trade Commission on Friday found that LabMD, the defunct medical testing lab, failed to employ adequate data security safeguards in violation of Section 5 of the FTC Act, even though there was no indication that any information had been misused or compromised.

Go

Another State Data Security Law: Ohio Gets in on the Action

Starting today, Ohio businesses with written cybersecurity programs will be looking for a free pass if they are sued under state law over a data breach.

Ohio’s Data Protection Act (Senate Bill 220, Ohio Rev. Code § 1354.01, et seq.) goes into effect today, creating a safe harbor from tort liability for businesses that meet specific cybersecurity standards. The law won’t prevent litigation over a data breach, but provides an affirmative defense to companies hit with such claims if they have met the requirements of the new law. This includes adopting data security policies that conform to a number of existing industry standards including the NIST Cybersecurity Framework.

Go

Long and Wyndham Road: The Federal Trade Commission Extends Section 5 Unfairness to Regulate Data Security

In a surprising development, Wyndham Worldwide Corporation settled a long running dispute last week with the Federal Trade Commission that arose from three data breaches Wyndham suffered between 2008-2010.  After an investigation that required Wyndham to produce more than one million pages of information, the FTC filed suit against Wyndham in the District Court of New Jersey under, among other legal basis, the unfairness prong of Section 5 of the FTC Act.  

Go

FTC: Data Security Primer for Small Businesses and Start-ups

The Federal Trade Commission will host a one day-conference in Chicago at Northwestern’s Pritzker School of Law on June 15, 2016.  This event will be the fourth of the FTC’s Start with Security Events nationwide, which build on its publication of the same title Start with Security: A Guide for Business, released last June.

Go

California Court Weighs in on the FTC’s Data Security Enforcement Authority

Yesterday, a District Court in Northern California weighed in on the U.S. Federal Trade Commission’s (FTC) authority to protect consumers from “unfair” and “deceptive” data security practices.  The decision, which granted in part and denied in part the defendant’s motion to dismiss, is a mixed bag for the Commission.

Go

Hack of IT Service Provider May Affect Thousands of Private Businesses

On December 13, the software and service provider SolarWinds announced that its Orion software platform had been the target of a sophisticated cyber attack that may have resulted in malicious code being pushed to as many as 18,000 customers.  The SolarWinds software is used by many corporate and not-for-profit entities of all sizes to monitor the health of their IT networks.  Although the details of this breach are still unfolding, based on the information currently available, Orion users who updated their software between March and June of this year are potentially affected.

Go

California Enacts First-Ever State IoT Security Law

California is leading the pack. Once again.

On Friday, Governor Jerry Brown signed into law SB 327, the first- ever state legislation aimed at governing Internet of Things (IoT) devices.

Go

Keeping Section 5 Alive: The FTC Brings Suit Against D-Link

The U.S. Federal Trade Commission (“FTC”) has filed suit against Taiwan-based D-Link Corporation and D-Link Systems, Inc. (collectively, “D-Link”), manufacturers and sellers of home networking devices including routers, cameras, baby monitors, and video recorders.  The lawsuit claims that D-Link failed to take reasonable steps to protect its devices from known and foreseeable risks of unauthorized access.

Go

Digital Divide Deepens: Tech Community Backs Second Circuit in Clash with Magistrates over Reach of U.S. Warrants

The technology community took aim at a recent federal magistrate’s ruling that ordered Google Inc. to comply with search warrants seeking customer emails stored on servers abroad, calling the decision “an impermissible extraterritorial application of U.S. law.” In rejecting a recent federal appeals court decision in a similar case in favor of Microsoft Corp., U.S. Magistrate Thomas J. Reuter in Philadelphia ruled that transferring emails from a foreign server to the U.S. was not tantamount to a seizure beyond American borders. The technology companies urged the court to reject the “fiction that such a foreign search and seizure is a domestic act….”

Go

CFPB’s First Data Security Consent Order: No Breach Required

On March 2, the Consumer Financial Protection Bureau (“CFPB”) issued its first Consent Order against a company for flawed data security practices in violation of the Consumer Protection Act’s prohibition on unfair, deceptive, or abusive acts or practices concerning a consumer financial product or service.  The Order signals the CFPB’s decision to prioritize data security issues, its willingness to pursue companies even before a breach occurs, and its scrutiny of companies’ representations about their data security practices.  The Order also provides some guidance as to the types of data security policies and practices the CPFB considers important.

Go

FTC Blasted in LabMD Data Security Case

In a long-running and highly contentious data security enforcement action against LabMD, a small medical testing laboratory, the Federal Trade Commission was handed a stunning defeat late Friday.  In a 92-page Initial Decision, Chief Administrative Law Judge D. Michael Chappell dismissed the FTC’s case against LabMD – after a full administrative trial – based on the Commission’s failure to prove it was “likely” that consumers had been substantially injured in two alleged data security incidents dating back nearly seven years.

Go

Court Approves Historic Equifax Data Breach Settlement

The aftermath from one of the largest data breaches in U.S. history is nearing the end, as the presiding judge approved a proposed class action settlement resolving claims arising from Equifax’s September 2017 data breach.  As previously reported, approximately 147.9 million U.S. consumers’ personal information was compromised by that breach.

Go

Facebook Loses Second Attempt to Dismiss Biometric Data Class Action

Last week, a federal district judge in California shot down Facebook, Inc.’s second attempt to dismiss a putative class action alleging that its facial recognition software violates the Illinois Biometric Privacy Act (BIPA). The court found that plaintiffs had standing to proceed under the U.S. Supreme Court’s ruling in Spokeo, Inc. v. Robbins because the alleged BIPA violation was sufficient to give rise to a “concrete injury” for purposes of bringing suit.

Go

Back-Door Access to Encrypted Communications: Weakening Security to Improve Security?

Last month’s terror attacks in Paris have re-ignited the long-standing debate between national security and privacy advocates over whether technology companies should be required to provide the government special access to encrypted communications that travel on the internet, such as instant messages.

Go

Q&A with Glenn S. Gerstell, National Security Agency

In this occasional series, the chair of Patterson Belknap’s privacy and data security group, Craig A. Newman, interviews thought leaders – from both the public and private sectors – about the growing threat of cyber-attacks in the U.S. and abroad.  In our first installment, we had the privilege of interviewing Glenn S. Gerstell, General Counsel of the National Security Agency, about the agency’s cybersecurity role and priorities.  As one of our nation’s preeminent intelligence agencies, the NSA helps protect and defend U.S. systems that contain classified information or are critical to the U.S. military or intelligence functions.   

Go

Hints of a Narrowing of the FTC’s Section 5 Authority Under a Trump Presidency

The transition of power from President Barack Obama to President-Elect Donald Trump is underway.  Although President-Elect Trump did not lay out specific policy prescriptions about data privacy or consumer protection during his candidacy, his recent choice of Dr. Joshua D. Wright to lead transition efforts at the Federal Trade Commission provides some hints as to the direction the agency may take under a Trump administration.

Go

Data Security and The Internet of Things

The Internet of Things (IoT) encompasses any object or device that connects to the Internet to automatically send and/or receive data. This includes common office equipment, such as networked printers and photocopiers, devices that remotely or automatically adjust lighting or HVAC, security systems, such as security alarms and Wi-Fi cameras. Personal wearable devices that employees often bring to work, including fitness devices like Jawbone and Fitbit, smart watches like the Apple Watch and Android Wear, and Google Glass, are also part of the IoT. The IoT has grown very rapidly in recent years as technology companies create more devices with wireless internet capabilities and sensors, and internet access has become more widely available. The analyst firm Gartner estimates that 4.9 billion connected “things” are in use today and projects that number will rise to 25 billion by 2020.

Go

Lessons from LinkedIn: Privacy and Data Security Representations in the M&A Context

Microsoft’s blockbuster acquisition of LinkedIn earlier this month—a deal where concerns for privacy and data security loomed large—provides a glimpse into the growing trend of including separate privacy and data security representations in merger and acquisition agreements.  Because the trend is so recent, there is no consensus or standard practice at this point for drafting these representations.  The LinkedIn privacy and data security representation is a good example of the evolving nature of these representations.

Go

Amazon Sellers Hit With Phishing Scheme

Hackers have managed to break into the accounts of 100 sellers at Amazon.com. The hackers funneled money from the seller’s accounts—either from sales or loans—into their own bank accounts after stealing seller credentials. It is not clear how much money was stolen in the incident.

Go

Department of Health and Human Services Cracks Down on Vendor Oversight in Recent Hospital Settlements

From the rise in ransomware attacks to inadvertent disclosure of information by subcontractors, the health services industry is reminded that a potential consequence of a data breach is the threat of a regulatory enforcement action.  In what may be a sign of things to come, the Department of Health and Human Services (DHHS) is scrutinizing both “covered entities” and “business associates” under the authority of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).

Go

FTC Reviews Case Over Legal Standard For Data Security Enforcement Action

Faced with the prospect of overturning a decision by one of its own administrative law judges, the Federal Trade Commission on Tuesday explored ways in which to render a narrow decision.  The argument was the most recent chapter in the long running data security enforcement action against LabMD, the now defunct medical testing laboratory.

Go

Second Circuit Court of Appeals Denies Rehearing in Microsoft Case

Back in December 2013, a U.S. magistrate issued a seemingly routine warrant in a narcotics case demanding that Microsoft turn over messages from a customer’s email account that resided on a server in Ireland.  That warrant, which issued under a 1986 law called the Stored Communications Act (“SCA”), 18 U.S.C. § 2703, is still being debated today.

Go

Asset Protection Wake Up Call: Data Security Top Concern for High Net Worth Investors

A recent study asked high net worth investors which of the following issues they were most concerned about: terrorism, data security, or a major illness.  The most prevalent response might surprise you.  Seventy-two percent of the investors surveyed ranked data security as their top concern, followed by terrorism and then a major illness.

Go

HIPAA Regulator Relaxes Enforcement for Telehealth Services During the COVID-19 Crisis

In response to the COVID-19 pandemic, on March 17, 2020, the Office for Civil Rights (“OCR”) at the Department of Health and Human Services (“HHS”) issued a notification of enforcement discretion, announcing that it would not impose civil penalties for HIPAA violations “against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency” (the “Notification”).  The Notification is important because, ordinarily, providing telehealth services does not modify a covered entity’s obligations under HIPAA.  If a covered entity’s provision of telehealth services involves protected health information (“PHI”), that entity must meet the same HIPAA Privacy, Security, and Breach Notification requirements that apply to in-person health services.  OCR’s Notification is clear that “this exercise of discretion applies to telehealth provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19.”  The Notification supplements an earlier OCR bulletin detailing the application of the HIPAA Privacy Rule during an outbreak of infectious disease.

Go

Recent Developments in the State Data-Privacy Landscape:  Is Federal Involvement the Best Way Forward?

With a dizzying array of state privacy laws on the horizon, the prospect of a federal solution has come into sharp focus.  Rather than a patchwork of regional legislation, a comprehensive national framework would potentially govern the precautions that companies must take when electronically collecting, using and storing customers’ personal information, regardless of where in the country the company—or the consumer—is located.  That is the current situation in the European Union under the General Data Protection Regulation (GDPR), and has been for many years.  It might one day be the case in the United States as well, if advocates of omnibus federal data privacy legislation have their way.  

Go

In Search of Immunity: MGM Fights to Define SAFETY Act Protection

Memories of the massacre of dozens of concertgoers at a Las Vegas music festival last year are unlikely to fade soon. In the deadliest shooting in U.S. history, Stephen Paddock killed 58 people and wounded hundreds from his perch within the Mandalay Bay hotel, owned by MGM Resorts International.

A legal battle is now underway over liability for the shooting and the first ever legal test of a little known federal law – the Support Antiterrorism by Fostering Effective Technologies Act of 2002 or SAFETY Act – will start later this month in a San Francisco courtroom. The SAFETY Act was enacted after the Sept. 11th terrorist attacks to provide different levels of legal protection for companies that developed antiterrorism technologies – including cybersecurity technologies and programs – and then passed a rigorous process administered by the U.S. Department of Homeland Security.

Go

Justice Department Accuses Google of “Alarming” Tactics in Fight over SCA Search Warrant

The ongoing dispute between the government and Google concerning the company’s refusal to hand over customer data stored on foreign servers has taken an odd twist.  Now, the Justice Department is demanding that Google be sanctioned for not abiding by the court’s most recent decision—ordering it to produce data associated with 22 email accounts—and calling Google’s conduct “a willful and contemptuous disregard of various court orders.”  The case is In the Matter of the Search of Content that Is Stored at Premises Controlled by Google, No. 16-mc-80263 (N.D. Cal.).

Go

MyFitnessPal Data Breach Lawsuit Sent to Arbitration

Many consumers have become painfully aware of the risks that data breaches pose in a digital world. And now, their legal claims may not be ultimately decided by a judge or jury but sent off to arbitration.

Go

Data-Security Assessments? You’re Going to Want a Lawyer for That.

These days, data breaches and cybersecurity attacks abound.  With each news cycle, we’re confronted with stories about yet another big breach, at another big company, with the potential exposure of another big pool of individuals’ private personal information.  Given the current threats to data privacy and cybersecurity, it’s no wonder that many companies—large and small—are taking proactive measures to guard against a data breach. 

Go

FBI Warns of Cyber Threat in Healthcare Sector

The FBI is warning the healthcare sector of a new cyber threat. In a Notification issued last week, the FBI said that it is “aware of criminal actors who are actively targeting” protected healthcare information (“PHI”) and other personally identifiable information (“PII”) from medical facilities “to intimidate, harass, and blackmail business owners.”

Go

Second Circuit Hears Argument in Microsoft Appeal: How Far Does a U.S. Warrant Reach?

In a 90-minute hearing earlier today, Microsoft Corp. asked the Second Circuit Court of Appeals to reverse a district court decision forcing the technology giant to turn over customer email traffic residing on a server in Ireland. American companies with data centers located outside the U.S., as well as privacy advocates and media organizations are closely watching this case.  During the argument, the Court acknowledged that the “implications of its ruling would be broad.”

Go

Inside the Stanford Breach: Exposed Records Lead to Financial Aid Scandal

A cybersecurity vulnerability at Stanford University exposed thousands of sensitive files containing details of sexual assault investigations and disciplinary actions. The story of what happened—and why it should be an object lesson for higher education. The second of a three-part series.

Go

Department of Homeland Security: “The C-Suite and Cybersecurity”

Federal and state cybersecurity agencies teamed up last week for a two-day summit focused on the evolving nature of cybersecurity threats to New Jersey businesses.  The event was sponsored by the U.S. Department of Homeland Security’s (“DHS”) Critical Infrastructure Cybersecurity Voluntary Program and The New Jersey Office of Homeland Security and Preparedness.

Go

US Regulators Investigate Chinese Steelmakers for Hacking Trade Secrets

The U.S. International Trade Commission (“ITC”) last week launched an investigation into United States Steel Corporation’s (“U.S. Steel”) complaint that Chinese hackers stole trade secret information—including proprietary methods for making lightweight steel—on behalf of Chinese steel producers.

Go