This is the second post in our two-part series about DOJ’s revised guidance on its “Best Practices for Victim Response and Reporting Cyber Incidents.” In the first installment, we looked at DOJ’s recommendations for preparedness. Today, we turn to the basics of data breach incident response and a list of DOJ’s “don’ts” when dealing with a hacker.
Data Security Law BlogVisit the Full Blog
DataSecurityLaw.com is the firm’s resource for the latest news, analysis, and thought leadership in the critical area of privacy and cybersecurity law. Patterson Belknap’s Privacy and Data Security practice provides public and private enterprises, their leadership teams and boards with comprehensive services in this critical area. Our team of experienced litigators, corporate advisors and former federal and state prosecutors advises on a broad range of privacy and data protection matters including cyber preparedness and compliance, data breach response, special board and committee representation, internal investigations, and litigation.
The U.S. Department of Justice is increasing its outreach to the private sector on all things cyber.
Last week, the DOJ’s Criminal Division held a cybersecurity roundtable to discuss challenges in handling data breach investigations. As part of the roundtable discussion, the DOJ issued revised guidance on its “Best Practices for Victim Response and Reporting Cyber Incidents.” The Best Practices guidance, summarized below, is the result of the DOJ’s outreach efforts concerning ways in which the government can work more effectively with the private sector to address cybersecurity challenges. The goal of the roundtable discussion, which started in 2015, is to foster and enhance cooperation between law enforcement and data breach victims, and to also encourage information sharing.
California’s landmark digital privacy law – signed into law late last week – is the most sweeping consumer data protection law in the U.S. The California Consumer Privacy Act of 2018 or CCPA promises to give consumers unprecedented control over their personal information including the right to know what information companies are collecting about them and how it is used.
California threw down the proverbial gauntlet last night and enacted a sweeping new digital privacy law aimed at giving the state’s consumers more control over their personal information.
In one of the first major tests of the Illinois biometric data privacy law, Facebook is headed to trial this summer over allegations that the social media giant unlawfully collects user data with its photo tagging function. Last week, U.S. District Judge James Donato denied cross motions for summary judgment in a class action pending in Northern California, noting the “multitude of fact disputes in the case.”
On its face, last week’s report that the number of data breaches reported last year to New York’s Attorney General spiked to an all-time high of 1,583 – up 23 percent from 2016 – was not good news.
But behind the numbers are even more disturbing trends. Start with the fact that hacking – the handy work of outside intruders – was the leading cause of reported breaches last year, accounting for 44 percent of reported breaches. Hacking also accounted for nearly 95 percent of all personal information exposed. In second place was employee error or negligence, which represented 25 percent of last year’s reported breaches.
On Tuesday, a Senate subcommittee grilled Uber’s Chief Information Security Officer, John Flynn, over a 2016 data breach that affected nearly 57 million drivers and riders. At the hearing, Uber faced backlash from lawmakers for its “morally wrong and legally reprehensible” conduct that “violated not only the law but the norm of what should be expected.”
Second in a two-part series.
Last week, in the first part of this series, we examined several key aspects of New York’s proposed data security law, Stop Hacks and Improve Data Security Act or SHIELD Act. In our second and final installment, we discuss three additional aspects of the proposed law.
First in a two-part series.
As we reported last week, New York Attorney General Eric T. Schneiderman has introduced a bill aimed at protecting New Yorkers from data breaches.
A data breach of the National Football League Players Association’s (“NFLPA”) website has exposed the personal information of nearly 1,200 players and agents.
In one of the first federal appellate court rulings following the Ninth Circuit’s decision in Robins v. Spokeo, the Eighth Circuit delivered a pyrrhic victory for customers victimized by a data breach. In Kuhns v. Scottrade, the Eighth Circuit ruled that, although the plaintiff had established standing to pursue a claim against Scottrade, Inc. resulting from a data breach that occurred in 2013, the customer failed to sufficiently allege that the brokerage firm breached its contractual obligations and affirmed dismissal of the case.
New York’s powerful Department of Financial Services (DFS) upended cybersecurity regulation with its new and sweeping “Cybersecurity Requirements for Financial Services Companies,” which took effect on March 1, 2017. But is the financial industry ready and equipped to comply with this detailed regulation? According to a recent survey published by Ponemon Institute and sponsored by Fasoo, the answer is an unequivocal “no.”
A recently introduced bipartisan bill seeks to provide state and local authorities with additional resources to assist in the fight against cybersecurity threats. Last month, Senators John Cornyn (R-Tex.), Patrick Leahy (D-Vt.), and Ted Cruz (R-Tex.) introduced the National Cybersecurity Preparedness Consortium Act, which would authorize the Department of Homeland Security to work with non-profit consortia to assist state and local governments with their cybersecurity preparedness and response efforts. House Representative Joaquin Castro (D-Tex.) introduced a companion bill the same day.
Firing the opening salvo in its appeal of one of the most controversial data security decisions by the U.S. Federal Trade Commission in years, LabMD accused the agency of overstepping its authority and “destroy[ing] [the] small medical testing company” in the process.