As connected devices become ubiquitous, it comes as no surprise that interactive toys that connect to the internet are more popular than ever. At the same time, regulators have taken note of the privacy and security concerns raised by lawmakers and privacy advocates about the proliferation of smart toys that collect personal information from kids. Recent guidance issued by both the Federal Trade Commission (FTC) and the Federal Bureau of Investigation (FBI) suggests that the agencies may be taking a closer look at the rapidly expanding connected toy market, a small part of the largely unregulated “Internet of Things.” Continue Reading
On July 21, 2017, Judge John A. Ross of the U.S. District Court for the Eastern District of Missouri issued a preliminary approval of a settlement agreement between the owner of AshleyMadison.com and the class representing former users whose personal information was breached in July 2015. Under terms of the settlement, Ruby Corp, the operator of the Ashley Madison website, is scheduled to pay $11.2 million. For some, the settlement announcement is a missed opportunity: the litigation represented a chance to clarify the scope of actionable consumer harm in breach-related litigation, as unlike in other notable breaches, the mere identification of individuals who used the website (and were thus affected by the breach) likely produced unwanted consequences. Nonetheless, the settlement agreement is interesting by itself, as it offers unique solutions to address class members seeking financial remuneration but wishing to avoid further publicity regarding their connection to AshleyMadison.com. Continue Reading
The EU Parliament Committee in charge of reviewing the EU Commission’s Proposal for an e-Privacy Regulation (Proposal) recently released a Draft Report proposing amendments to the regulation.
The e-Privacy Regulation will regulate new electronic communication services such as instant messaging, VOIP services, web-based email, and IoT devices, and will impose significant additional obligations on Internet services and related technologies, including cookies and similar technologies. It supplements the General Data Protection Regulation (GDPR) adopted last year, which becomes effective May 25, 2018.
The Draft Report is the EU Parliament’s first legislative step towards the adoption of the e-Privacy Regulation, after the EU Commission Proposal earlier this year. We expect the final position of the EU Parliament to come in a Fall 2017 vote. However, this week’s Draft Report sets the tone for forthcoming discussions.
For more information, please see our complete WSGR Alert, which provides background information, identifies the main takeaways of the Draft Report, and gives an overview of the next steps.
On August 25, 2016, investment firm Muddy Waters Research announced it had taken a short position in St. Jude Medical, Inc., and released a report suggesting a “strong possibility that close to half of” St. Jude revenues were about to disappear for a period of roughly two years because St. Jude’s implantable cardiac devices were allegedly vulnerable to cyberattacks. The report further stated that the cyberattacks included crash attacks that cause devices to malfunction—including by apparently pacing at a potentially dangerous rate and battery drain attack that could be particularly harmful to device-dependent users.
In the Summer 2017 edition of The Life Sciences Report, a group of attorneys from Wilson Sonsini Goodrich & Rosati explore select ramifications of a medical device hack, and provide some suggested best practices for companies that offer medical devices to the public. Click here to read the complete article.
On March 1, 2017, new cybersecurity rules went into effect for entities regulated by the New York State Department of Financial Services (DFS). The Cybersecurity Requirements for Financial Services Companies are designed to help protect business and customer information and the IT systems of the entities that DFS regulates. While the Cybersecurity Requirements took effect on March 1, regulated entities have 180 days to comply. The final requirements are available here.
Who Is Regulated?
The Cybersecurity Requirements apply to companies “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law” (“covered entities”). Covered entities include banks, savings and loans, trust companies, check cashers, credit unions, money transmitters, lenders, insurers, holding companies, investment companies, mortgage brokers, originators, and servicers, and certain other regulated types of companies doing business in New York. Smaller covered entities are exempt from certain components of the Cybersecurity Requirements, but they are required to file an exemption form with DFS. Continue Reading
The W-2 phishing scams are back. Fraudsters have learned that W-2 phishing scams can be highly effective when targeting businesses while they are handling and sending employee income-tax-related documents early in a new year. Once fraudsters obtain the information on W-2 tax forms about employees from businesses, they quickly attempt to commit tax identity theft by filing fraudulent tax returns to obtain victims’ refunds or to otherwise commit identity theft. Given that the Internal Revenue Service (IRS) is now accepting 2016 tax returns, we are seeing an increase in these W-2 phishing emails. Smaller and younger businesses, such as tech start-ups, can be particularly attractive to fraudsters since they are less likely to have formal policies and procedures in place for handling employee information.
Click here to read our complete WSGR Alert discussing the recent phishing scams.