Data Security Law BlogVisit the Full Blog
DataSecurityLaw.com is the firm’s resource for the latest news, analysis, and thought leadership in the critical area of privacy and cybersecurity law. Patterson Belknap’s Privacy and Data Security practice provides public and private enterprises, their leadership teams and boards with comprehensive services in this critical area. Our team of experienced litigators, corporate advisors and former federal and state prosecutors advises on a broad range of privacy and data protection matters including cyber preparedness and compliance, data breach response, special board and committee representation, internal investigations, and litigation.
Last week, the U.S. Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) released its “Observations from Cybersecurity Examinations” conducted pursuant to OCIE’s “Cybersecurity 2 Initiative.” A copy of the summary is available here. This is a follow-on to an earlier series of examinations (the “Cybersecurity 1 Initiative”) conducted in 2014.
Yesterday morning, the United States Court of Appeals for the Eleventh Circuit, sitting in Miami, heard oral argument in the case of LabMD, Inc. v. Federal Trade Commission, No. 16-16270.
For purposes of this post, we presume readers are familiar with this case, which we’ve blogged about extensively since the Federal Trade Commission lodged an Administrative Complaint against LabMD back in 2013. Briefly, the core question on appeal is whether the FTC overstepped its authority under Section 5(n) of the Federal Trade Commission Act (codified at 15 U.S.C. § 45(n)) when it initiated an enforcement action against LabMD, a Georgia medical testing lab, after certain patient data files were apparently misappropriated, but no patent data actually fell into the wrong hands, and no individual patient suffered any cognizable injury, such as identity theft.
The Wall Street Journal recently reported that well-known cybersecurity startup Tanium, Inc. had been inadvertently exposing one of its clients’ sensitive data during product demonstrations. Unbeknownst to the Tanium client—the non-profit El Camino Hospital, in Santa Clara County, California—Tanium had been giving prospective customers a look inside of El Camino’s secure network to show how well its cybersecurity software worked. Not only did Tanium give the presentation “hundreds of times,” it also posted videos of the demonstration on its public website. All of this was without El Camino’s permission.
The United States Court of Appeals for the Third Circuit recently ruled that a data breach class action may proceed on the basis of a Fair Credit Reporting Act (FCRA) violation alone, even where the putative class members do not allege that they were actually harmed by the breach. The ruling, which both relies on and distinguishes the Supreme Court’s recent analysis of FCRA standing in Spokeo v. Robins, suggests that at least in the Third Circuit, “injury” from a data breach may be presumed from the fact of the breach itself. This, in turn, could have the effect of expanding potential liability for any consumer-facing entity that suffers a breach.
Earlier today, the Chinese government in Beijing approved a sweeping new cybersecurity law aimed at centralizing control over computer networks operating within China’s borders. An unofficial English translation of the newly-enacted law is available here.
Ransomware attacks at hospitals and other healthcare facilities have dramatically increased over the last several years, putting healthcare providers in the uncomfortable position of having to consider paying thousands of dollars to regain access to vital medical records. Indeed, one recent study concluded that hospitals are hit with 88% of all ransomware attacks nationwide.
Come Back With a Warrant: Proposed Rule Change Expands the Government’s Ability to Access Electronically Stored Information in Criminal Investigations
On April 28, 2016 the United States Supreme Court proposed a modification to Federal Rule of Criminal Procedure 41 that significantly alters the manner in which the government can obtain search warrants to access computer systems and electronically stored information that will no doubt have an effect on hackers and hacking victims alike. The modification will go into effect on December 1, 2016, barring Congressional intervention.
Earlier today, President Obama issued an Executive Order creating a Commission on Enhancing National Cybersecurity within the Department of Commerce. The commission “will make detailed recommendations to strengthen cybersecurity in both the public and private sectors while protecting privacy, ensuring public safety and economic and national security, fostering discovery and development of new technical solutions, and bolstering partnerships between Federal, State, and local government and the private sector in the development, promotion, and use of cybersecurity technologies, policies, and best practices.”
Many organizations, particularly those outside of the technology sector, rely heavily on third-parties—including cyber security specialists, lawyers, and public relations firms—to help pick up the pieces after a data breach. But what happens when a third-party vendor doesn’t fix the problem?
Self-defense is a natural, almost reflexive human instinct. But it has a complicated history in American law, full of contradiction and compromise. Many jurisdictions have long recognized that an otherwise illegal act—such as taking a swing at a purse-snatcher—may be justifiable (and therefore legally permissible) in the context of fending off a physical threat or attack. But victims of cyber-attacks—who may be tempted to “hack back”—have yet to enjoy such a privilege. In fact, following through on this natural instinct in cyberspace could lead to criminal and civil liability.