Cybersecurity

Subscribe to Cybersecurity via RSS

On August 15, 2017, the Federal Trade Commission (FTC) announced that it had reached an agreement with Uber Technologies to settle allegations that the ride-sharing company had deceived consumers by failing to live up to its privacy and data security promises.1 Specifically, the FTC levied two deception counts against Uber: (1) that the company had failed to consistently monitor and audit internal access to consumers’ personal information, despite public promises to do so; and (2) that the company had failed to provide reasonable security for consumers’ personal information stored in its databases, despite its security promises. Under the resulting proposed consent order, Uber will be prohibited from misrepresenting how it monitors or audits internal access to consumers’ personal information and how it protects and secures that data. Uber will also be required to implement a comprehensive privacy program that will be subject to independent biennial audits for the next 20 years, and will need to comply with the standard set of consent order recordkeeping and compliance reporting and monitoring requirements.
Continue Reading Key New Takeaways from Uber’s Privacy and Data Security Settlement with the FTC

On July 3, 2017, the Federal Trade Commission (FTC) announced that it had settled charges that defendants Blue Global, an operator of dozens of consumer loan lead generation websites, and its founder and CEO, Christopher Kay, violated the FTC Act. The FTC alleges that the defendants had, among other practices, misled consumers about Blue Global’s data security practices and shared information characterized by the FTC as consumers’ “sensitive personal information” with a variety of potential bidders after promising to disclose such information only to “trusted lending partners” meeting specified criteria. As part of the settlement, the defendants are subject to a judgment for more than $104 million,1 must maintain stringent oversight of third-party recipients of consumers’ sensitive personal information, and are enjoined from disclosing a consumer’s sensitive personal information other than when specified conditions, including having obtained that consumer’s express, informed consent, are met.
Continue Reading FTC Cracks Down on Lead Generation Company’s Indiscriminate Sharing of Consumers’ Sensitive Data

ThinkstockPhotos-524882074_webOn March 1, 2017, new cybersecurity rules went into effect for entities regulated by the New York State Department of Financial Services (DFS). The Cybersecurity Requirements for Financial Services Companies are designed to help protect business and customer information and the IT systems of the entities that DFS regulates. While the Cybersecurity Requirements took effect on March 1, regulated entities have 180 days to comply. The final requirements are available here.

Who Is Regulated? 

The Cybersecurity Requirements apply to companies “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law” (“covered entities”). Covered entities include banks, savings and loans, trust companies, check cashers, credit unions, money transmitters, lenders, insurers, holding companies, investment companies, mortgage brokers, originators, and servicers, and certain other regulated types of companies doing business in New York. Smaller covered entities are exempt from certain components of the Cybersecurity Requirements, but they are required to file an exemption form with DFS.
Continue Reading New Cybersecurity Rules Now in Effect for Entities Regulated by New York State Department of Financial Services

On July 6, 2016, the European Parliament adopted the first-ever pan-European law on cyber security. The law, entitled the “Directive on the Security of Network and Information Systems” (NIS Directive), imposes security requirements and security
Continue Reading EU Cyber Security and Incident Notification Rules Enacted