Archives: Cybersecurity

Subscribe to Cybersecurity RSS Feed

“Two Cops on the Beat is Nothing Unusual”: Ninth Circuit Reverses Panel Decision, Rules FTC Act’s “Common Carrier” Exemption is Activity-Based

On February 26, 2018, the U.S. Court of Appeals for the Ninth Circuit issued an en banc decision in FTC v. AT&T holding that the Federal Trade Commission (FTC) Act’s “common carrier” exemption is activity-based, reversing the panel’s decision that the exemption is status-based, which would have opened a large enforcement gap for telecommunications companies … Continue Reading

FTC Announces Settlement with PayPal for Alleged FTC Act and GLBA Violations by Venmo

On February 27, 2018, the Federal Trade Commission (FTC) announced1 that it had reached an agreement with PayPal to settle allegations that its peer-to-peer payment service, Venmo, engaged in deceptive acts and practices and violated the Gramm-Leach-Bliley Act (GLBA)’s Safeguards Rule2 and Privacy Rule.3 Since 2011, Venmo has offered peer-to-peer payment services through an app … Continue Reading

New SEC Cybersecurity Guidance Highlights Disclosure Controls

On February 21, 2018, the U.S. Securities and Exchange Commission (SEC) released its latest Interpretive Guidance on Public Company Cybersecurity Disclosures. Although cybersecurity has been a focus of the SEC for many years, the release is the first formal guidance issued by the agency. Previously, the SEC’s Division of Corporation Finance issued informal staff guidance … Continue Reading

A Look Ahead at Privacy and Data Security in 2018

2018 promises to be an interesting year in the world of privacy and cybersecurity. In this article, we highlight a few of the most notable developments we expect this year, including major developments in Europe, changes and pending cases at the Federal Trade Commission (FTC), notable U.S. Supreme Court cases scheduled to be decided this … Continue Reading

To Disclose or Not To Disclose: The FTC’s Dueling Concurrences over Deceptive Omissions in Lenovo

On September 5, 2017, the Federal Trade Commission (FTC) announced that it and 32 state attorneys general had settled charges with Lenovo, Inc., regarding the company’s practice of pre-loading advertising software on its laptops that compromised consumers’ cybersecurity and privacy.1 In many respects, the case was reasonably straightforward: the facts as alleged were clear, and … Continue Reading

Northern District of California Drops FTC Unfairness Claim Against D-Link Systems

The U.S. District Court for the Northern District of California recently issued a mixed ruling on D-Link Systems’ motion to dismiss in FTC v. D-Link Sys., Inc.1 D-Link sells routers and Internet protocol (IP) cameras that it markets as having good data security, including “the latest wireless security features to help prevent unauthorized access” and … Continue Reading

Lenovo Settles FTC Charges Regarding Pre-Installed Software That Compromised Consumers’ Cybersecurity and Privacy

On September 5, 2017, the Federal Trade Commission (FTC) announced that it and 32 state attorneys general had settled charges with Lenovo regarding the company’s practice of pre-loading software on its laptops that compromised consumers’ cybersecurity and privacy. As part of the settlement, Lenovo agreed to pay $3.5 million in penalties to the states, and per an … Continue Reading

Key New Takeaways from Uber’s Privacy and Data Security Settlement with the FTC

On August 15, 2017, the Federal Trade Commission (FTC) announced that it had reached an agreement with Uber Technologies to settle allegations that the ride-sharing company had deceived consumers by failing to live up to its privacy and data security promises.1 Specifically, the FTC levied two deception counts against Uber: (1) that the company had … Continue Reading

FTC Cracks Down on Lead Generation Company’s Indiscriminate Sharing of Consumers’ Sensitive Data

On July 3, 2017, the Federal Trade Commission (FTC) announced that it had settled charges that defendants Blue Global, an operator of dozens of consumer loan lead generation websites, and its founder and CEO, Christopher Kay, violated the FTC Act. The FTC alleges that the defendants had, among other practices, misled consumers about Blue Global’s … Continue Reading

The Serious and Immense Impact of a Medical Device Hack

On August 25, 2016, investment firm Muddy Waters Research announced it had taken a short position in St. Jude Medical, Inc., and released a report suggesting a “strong possibility that close to half of” St. Jude revenues were about to disappear for a period of roughly two years because St. Jude’s implantable cardiac devices were allegedly … Continue Reading

New Cybersecurity Rules Now in Effect for Entities Regulated by New York State Department of Financial Services

On March 1, 2017, new cybersecurity rules went into effect for entities regulated by the New York State Department of Financial Services (DFS). The Cybersecurity Requirements for Financial Services Companies are designed to help protect business and customer information and the IT systems of the entities that DFS regulates. While the Cybersecurity Requirements took effect on March … Continue Reading

W-2 Phishing Scammers Are Targeting Tech Companies

The W-2 phishing scams are back. Fraudsters have learned that W-2 phishing scams can be highly effective when targeting businesses while they are handling and sending employee income-tax-related documents early in a new year. Once fraudsters obtain the information on W-2 tax forms about employees from businesses, they quickly attempt to commit tax identity theft … Continue Reading

EU Cyber Security and Incident Notification Rules Enacted

On July 6, 2016, the European Parliament adopted the first-ever pan-European law on cyber security. The law, entitled the “Directive on the Security of Network and Information Systems” (NIS Directive), imposes security requirements and security incident notification obligations on digital service providers and operators of essential services. The NIS Directive was enacted as part of … Continue Reading

Tennessee Updates Data Breach Notification Law

The State of Tennessee recently amended its data breach notification statute, Tenn. Code Ann. § 47-18-2107, which is set to go into effect on July 1, 2016. Numerous commentators have proclaimed that the amendment1 marks a watershed moment—that with the enactment of S.B. 2005, Tennessee becomes the first state to eliminate the encryption safe harbor … Continue Reading

CFPB Brings First Data Security Enforcement Action

The Consumer Financial Protection Bureau (CFPB) recently brought its first data security enforcement action, adding itself to the growing list of federal regulators tackling data security issues. The CFPB’s enforcement action was against Dwolla Inc., a Des Moines, Iowa-based online payment platform. The CFPB alleged that Dwolla misrepresented its data security practices, and as a … Continue Reading

WSGR Alert: New EU Data Protection Regulation Is Now Enacted

On April 14, 2016, the European Parliament formally adopted the General Data Protection Regulation (GDPR). With this vote, the new EU data protection legal framework will become legally effective in two years and 20 days from its publication in the EU Official Journal (expected in May 2016). By May 2018, companies will have to comply … Continue Reading

WSGR Alert: FTC Settles with Manufacturer of Home Network Routers over Alleged Data Security Flaws

On February 23, 2016, the Federal Trade Commission (FTC) announced a settlement with computer hardware maker ASUSTeK Computer, Inc. (ASUS). The ASUS settlement highlights the FTC’s position regarding security in the connected device market: connected device manufacturers are responsible for security shortcomings in their devices and are expected to promptly update or patch any identified … Continue Reading

FAST Act Eases GLBA Compliance Burdens for Many Companies, Addresses Transportation and Infrastructure Privacy and Cybersecurity Issues

President Obama signed the Fixing America’s Surface Transportation Act (FAST Act) into law on December 4, 2015. The FAST Act not only provides long-term funding for highway and infrastructure improvements and other transportation projects, but also includes several privacy- and security-related provisions, including an important provision that may reduce consumer confusion and industry compliance costs … Continue Reading

EU Agrees to New Cybersecurity and Incident Notification Rules

The European Union will soon have its own first-ever cybersecurity rules, which will impact a broad range of industries, such as transportation, energy, and online marketplaces. On December 7, 2015, the European Parliament and the Council of the European Union, which is comprised of representatives of the 28 EU countries, reached a political agreement on … Continue Reading

PCI Security Standards Council Issues Guidance on Responding to a Data Breach

On September 29, 2015, the PCI Security Standard Council (PCI SSC) issued guidance regarding data breach responses for merchants and service providers who process payment cards. The PCI SSC is a global forum founded by card brands (American Express, Discover, JCB, MasterCard, and Visa), and it is responsible for the development and management of the … Continue Reading

SEC Increases Focus on Cybersecurity–A Look at Recent Data Security Guidance and Enforcement

In the wake of numerous cyberattacks aimed at companies spanning various industries, it is no surprise that yet another federal agency—this time the SEC—is stressing the importance of proper cybersecurity protocols for the entities it regulates. Broker-dealers, investment advisors, and others in the securities industry often have access to some of the most sensitive client … Continue Reading

FTC Begins “Start with Security” Conference Series

On September 9, 2015, the Federal Trade Commission (FTC) held its first “Start with Security” conference at the University of California Hastings College of the Law in San Francisco. The conference was the first in a series of events hosted by the agency intended to provide additional guidance to businesses regarding how to keep consumers’ … Continue Reading

Privacy and Data Security Due Diligence

This article is the third in a series of articles that discuss the importance of privacy and data security considerations in the transactional context. In any transaction in which an entity invests in or acquires another business or its assets, the investing or acquiring entity (the “Acquiror”) should fully evaluate its counterparty (the “Company”), the … Continue Reading
LexBlog