Privacy and Data Security

Companies subject to New York’s Department of Financial Services (DFS) new cybersecurity regulation should be preparing to comply with the first round of requirements by the upcoming August 28th deadline: enacting a cybersecurity program and policies, implementing user access privileges, designating a Chief Information Security Officer (CISO), employing qualified personnel, and implementing an incident response plan.

Over the past several years, we have witnessed a fundamental shift in orchestrated cyber-attacks from hacking credit card data and healthcare information to targeting businesses, their operations and bottom lines.

In conjunction with the American Bar Association’s Annual Meeting in New York next month, the ABA will feature a panel on “Cybersecurity for Law Firms: Does Size Matter?” The panel will discuss current cybersecurity threats facing law firms of all sizes, and will include perspectives from the U.S. Department of Justice, a forensics firm, and in-house counsel at a professional liability insurer.

The Federal Trade Commission (FTC) – often criticized for not providing clear guidance as to what the agency considers reasonable data security – announced on Friday that it would publish a weekly blog discussing “lessons learned” from data security investigations that were closed without a formal enforcement action

New York’s Department of Financial Services (DFS) has issued additional guidance for compliance with the state’s sweeping cybersecurity regulation that went into effect earlier this year.  Companies covered by the regulation must comply with the first round of requirements by August 28th.

Yesterday morning, the United States Court of Appeals for the Eleventh Circuit, sitting in Miami, heard oral argument in the case of LabMD, Inc. v. Federal Trade Commission, No. 16-16270.

For purposes of this post, we presume readers are familiar with this case, which we’ve blogged about extensively since the Federal Trade Commission lodged an Administrative Complaint against LabMD back in 2013.  Briefly, the core question on appeal is whether the FTC overstepped its authority under Section 5(n) of the Federal Trade Commission Act (codified at 15 U.S.C. § 45(n)) when it initiated an enforcement action against LabMD, a Georgia medical testing lab, after certain patient data files were apparently misappropriated, but no patent data actually fell into the wrong hands, and no individual patient suffered any cognizable injury, such as identity theft.

In our series of posts leading up to the August 28th deadline for the first phase of requirements under New York’s cybersecurity regulation, the Patterson Belknap team looks at issues that institutions face as they implement the new rules.

In complying with the New York State Department of Financial Services (DFS) cybersecurity regulation, financial institutions have a choice.  They can either employ “continuous monitoring” or, instead, conduct annual “penetration testing” and bi-annual “vulnerability assessments.”

In our series of posts leading up to the August 28th deadline for the first phase of requirements under New York’s cybersecurity regulation, the Patterson Belknap team looks at issues that institutions face as they implement the new rules.

Justice Shirley Kornreich recently issued one of the few New York state court decisions  that address the Computer Fraud and Abuse Act (“CFAA”).  Spec Simple, Inc. v. Designer Pages Online LLC,  No. 651860/2015, 2017 BL 160865 (N.Y. Sup. Ct. May 10, 2017).  The CFAA criminalizes both accessing a computer without authorization and exceeding authorized access and thereby obtaining information from any protected computer.  Id. at *3 (citing 18 U.S.C. § 1030(a)(2)(C)). The CFAA also provides a civil cause of action to any person who suffers damage or loss because of a violation of the CFAA.  Id. at *4 (citing 18 U.S.C. § 1030(g)).  As discussed below, the decision provides a helpful look into the interpretation of CFAA claims in the future.

On Tuesday, June 6th, Craig Newman will co-present a webinar with Steven Grossman, VP of Strategy and Enablement at Bay Dynamics, entitled, "How the Cybersecurity Executive Order Impacts Today’s IT Risk Strategy".

The Wall Street Journal recently reported that well-known cybersecurity startup Tanium, Inc. had been inadvertently exposing one of its clients’ sensitive data during product demonstrations.  Unbeknownst to the Tanium client—the non-profit El Camino Hospital, in Santa Clara County, California—Tanium had been giving prospective customers a look inside of El Camino’s secure network to show how well its cybersecurity software worked.  Not only did Tanium give the presentation “hundreds of times,” it also posted videos of the demonstration on its public website.  All of this was without El Camino’s permission.

In the latest decision on Article III standing in a data breach case, the U.S. Court of Appeals for the Second Circuit ruled that a credit card holder – who neither pleaded specific facts about the time or effort spent monitoring her credit after a data breach, nor sought leave to amend her complaint to do so – lacked standing to pursue a putative class action against Michael Stores, Inc. In a Summary Order issued earlier this week, the court affirmed the dismissal of claims related to a cyber-attack on the specialty retailer that affected 2.6 million credit cards and exposed payment card information.

Craig A. Newman will be speaking on a panel entitled, “Implementing the New DFS Cybersecurity Regulation” at a Cardozo Data Law Initiative CLE Program on April 28th in New York City. The Cardozo Data Law Initiative is a program designed to prepare law students for careers in the rapidly expanding legal fields of information governance, e-discovery, data privacy, social media law, and cybersecurity.

Increasingly, states are enacting cybersecurity regulations for financial institutions and investment advisors. Following New York’s groundbreaking regulation (which we have covered in detail here), Colorado recently proposed changes to its state securities act that would impose new cybersecurity requirements on broker-dealers and investment advisors that operate in the state. 

The Federal Trade Commission’s (FTC) sprawling and contentious legal battle with now-defunct medical testing company LabMD recently turned especially personal when a federal court allowed LabMD (and its former CEO) to proceed with claims against two of the three FTC attorneys who handled the FTC’s investigation and prosecution of LabMD.

The National Association of Insurance Commissioner’s (NAIC) model cybersecurity law will take center stage later this week at the group’s annual meeting in Denver.

New York State Department of Financial Services Superintendent Maria T. Vullo is scheduled to discuss the state’s new “first in the nation” cybersecurity regulation later this week at the National Association of Insurance Commissioners annual meeting in Denver.

While courts and the Federal Rules of Evidence take an increasingly pragmatic approach to the question of when inadvertent disclosure of privileged information results in waiver, a recent federal magistrate’s ruling serves as a potent warning that use of a file-sharing site – without sufficient safeguards – may constitute a waiver. Harleysville Insurance Co. v. Holding Funeral Home, Inc., No. 1:15-cv-00057 (W.D. Va. Feb. 9, 2017) is the first published decision to find that the use of a file-sharing site to exchange potentially privileged information constituted a waiver of the attorney-client privilege and work product protection—because the company failed to password protect its transmission.

March 9, 2017 - Craig A. Newman wrote "Digital Privacy Rights Take A U-Turn, And Congress Needs To Act," published in Forbes on March 7, 2017. For a link, please click here. In the article, Mr. Newman looks at two recent decisions issued by federal magistrates that are contrary to the a case decided just seven months ago by the U.S. Court of Appeals for the Second Circuit in Microsoft v. United States.

Over the last few months, the New York Department of Financial Services (“DFS”) cybersecurity regulation has undergone multiple revisions.  But late last week, DFS issued its final regulation, which will go into effect on March 1, 2017.

Earlier this month, the Fourth Circuit weighted in with the most recent decision in the developing case law on Article III standing in data breach litigation, a topic that we have been covering extensively on this blog.

The United States Court of Appeals for the Third Circuit recently ruled that a data breach class action may proceed on the basis of a Fair Credit Reporting Act (FCRA) violation alone, even where the putative class members do not allege that they were actually harmed by the breach.  The ruling, which both relies on and distinguishes the Supreme Court’s recent analysis of FCRA standing in Spokeo v. Robins, suggests that at least in the Third Circuit, “injury” from a data breach may be presumed from the fact of the breach itself.  This, in turn, could have the effect of expanding potential liability for any consumer-facing entity that suffers a breach.

On January 23, 2017, President Donald Trump named Ajit Pai as Chairman of the Federal Communications Commission (FCC).  In his previous role as the senior Republican on the FCC under President Barack Obama, Mr. Pai was an outspoken critic of the agency’s decision to assert jurisdiction over Internet Service Providers (“ISPs”) and its rules governing broadband privacy.  Pai’s appointment suggests that significant changes may be on the horizon.

Back in December 2013, a U.S. magistrate issued a seemingly routine warrant in a narcotics case demanding that Microsoft turn over messages from a customer’s email account that resided on a server in Ireland.  That warrant, which issued under a 1986 law called the Stored Communications Act (“SCA”), 18 U.S.C. § 2703, is still being debated today.