On February 21, 2018, the U.S. Securities and Exchange Commission (SEC) released its latest Interpretive Guidance on Public Company Cybersecurity Disclosures. Although cybersecurity has been a focus of the SEC for many years, the
Continue Reading New SEC Cybersecurity Guidance Highlights Disclosure Controls
2018 promises to be an interesting year in the world of privacy and cybersecurity. In this article, we highlight a few of the most notable developments we expect this year, including major developments in Europe, changes and pending cases at the Federal Trade Commission (FTC), notable U.S. Supreme Court cases scheduled to be decided this year, and some areas of legislation that actually may become law in the U.S.
Big Changes Taking Effect in the European Union
One of the biggest areas where everyone in the privacy field will be looking in 2018 is the European Union (EU). On the legislative front, the General Data Protection Regulation (GDPR) will enter into force on May 25, 2018; the proposed e-Privacy Regulation is scheduled to be adopted this year; and the EU parliament will issue a report on the proposed Regulation on Non-Personal Data. Additionally, the Court of Justice of the EU (CJEU) will rule on several important data protection cases, including on third-party tracking, the right to be forgotten, and the possibility of class actions.Continue Reading A Look Ahead at Privacy and Data Security in 2018
On September 5, 2017, the Federal Trade Commission (FTC) announced that it and 32 state attorneys general had settled charges with Lenovo, Inc., regarding the company’s practice of pre-loading advertising software on its laptops that compromised consumers’ cybersecurity and privacy.1 In many respects, the case was reasonably straightforward: the facts as alleged were clear, and the terms of the settlement were not unusual. But what makes this case interesting are the dueling concurrences issued by Acting Chairman Ohlhausen and Commissioner McSweeny regarding the FTC’s authority to challenge omissions. These concurrences continue a debate that has been stirring on and off at the FTC for more than 30 years, and they raise important questions about the agency’s future enforcement priorities.
Continue Reading To Disclose or Not To Disclose: The FTC’s Dueling Concurrences over Deceptive Omissions in Lenovo
The U.S. District Court for the Northern District of California recently issued a mixed ruling on D-Link Systems’ motion to dismiss in FTC v. D-Link Sys., Inc.1 D-Link sells routers and Internet protocol (IP) cameras that it markets as having good data security, including “the latest wireless security features to help prevent unauthorized access” and “the best possible encryption.”2 The Federal Trade Commission (FTC) filed a complaint against D-Link, alleging that the company’s products were in fact subject to “widely known and reasonably foreseeable risks of unauthorized access,” and that, among other things, D-Link failed to deploy “free software, available since at least 2008, to secure users’ mobile app login credentials.”3 The complaint alleges five claims for deceptive marketing practices and one count for unfair practices under Section 5 of the FTC Act.
Continue Reading Northern District of California Drops FTC Unfairness Claim Against D-Link Systems
The biggest question looming over every class-action case filed in response to a data breach is: Will the plaintiffs have standing? The answer has divided courts in recent cases across the country.
Last year, the U.S. Supreme Court held in Spokeo, Inc. v. Robins that Congress could not confer standing to plaintiffs based on a violation of a statute alone.1 Instead, the Court held that, even if a statute has been violated, plaintiffs must prove they have an injury-in-fact and that the injury is both concrete and particularized. Spokeo added a new layer of complexity in pleading standing in data breach cases. Previously, the Supreme Court held in Clapper v. Amnesty International USA that “conjectural” or “hypothetical” injuries were insufficient to confer standing and that harm must be “certainly impending.”2 What Spokeo and Clapper mean in practice for data-breach cases is far from settled.Continue Reading Class Action Standing and Data Breaches: When Is There an Injury-in-Fact?
On September 5, 2017, the Federal Trade Commission (FTC) announced that it and 32 state attorneys general had settled charges with Lenovo regarding the company’s practice of pre-loading software on its laptops that compromised consumers’
Continue Reading Lenovo Settles FTC Charges Regarding Pre-Installed Software That Compromised Consumers’ Cybersecurity and Privacy