Archives: Cybersecurity

FTC Closing Letter Confirms the Importance of Implementing Employee Access Controls

Companies have been pressing the Federal Trade Commission (FTC) for additional guidance on data security, and the agency recently delivered. On August 10, 2015, the FTC issued a public closing letter to Morgan Stanley Smith Barney LLC (Morgan Stanley) regarding the agency’s investigation into concerns that the company “fail[ed] to secure, in a reasonable and … Continue Reading

DOJ Issues Guidance for Responding to Cyber Attacks

Cyber attacks can result in significant monetary and reputational damage to a wide range of businesses. Recently, the U.S. Department of Justice (DOJ) increased its efforts to engage businesses on cybersecurity issues. Earlier this year, as part of that effort, the department published a new resource for companies victimized by a cyber attack. The guidance, … Continue Reading

FCC Open Internet Rules Contain Important New Privacy, Data Security, and Transparency Measures

The Federal Communications Commission’s (FCC’s) newly promulgated Open Internet rules (2015 rules)—also known as the net neutrality rules—went into effect on June 12, 2015. The new rules apply specifically to broadband Internet access service providers, and not to Internet content, application, and device providers (edge providers). Nonetheless, by design, the rules will have a potentially … Continue Reading

President Obama Creates New Sanctions Regime to Combat Foreign Cyberthreats

On April 1, 2015, President Obama issued an executive order declaring “cyber-enabled malicious activities” a national emergency due to the “increasing prevalence and severity” of such attacks originating from or directed by persons outside the United States. The executive order gives the Secretary of the Treasury, in consultation with the Attorney General and the Secretary … Continue Reading

New EU Trends: Cybersecurity and Breach Notification

On June 29, 2015, the Council of the European Union (comprised of representatives of the 28 EU Member States) reached a political agreement with the European Parliament on the main principles of the draft Directive on Network and Information Security (NIS Directive) governing cybersecurity issues. The draft NIS Directive is an advanced piece of draft … Continue Reading

Navigating Public Company Cybersecurity Obligations: Advising Boards and Disclosing to Investors

This article is the second in a series of articles that discuss the importance of privacy and data security considerations in the transactional context. In light of numerous costly security breaches affecting disparate sectors of the American economy, public companies—ranging from merchants like Target Corporation and The Home Depot to technology firms like Adobe Systems, … Continue Reading

Recent Executive Order to Push for Security of Consumer Financial Transactions, Identity Theft Remediation

On October 17, 2014, the White House released its plans for a “BuySecure Initiative” in an executive order entitled “Improving the Security of Consumer Financial Transactions.” The initiative aims to push the market toward adopting more secure payment methods and to reduce the burden on consumers seeking to remediate identity theft incidents. The White House … Continue Reading

FCC Dives into Privacy and Data Security Enforcement

Making a splash with its first-ever data security enforcement actions, the Federal Communications Commission (FCC) entered uncharted waters late last year by aggressively asserting its role in safeguarding consumer information. In the fall of 2014, for the first time, the FCC took administrative enforcement action in two instances against telecommunications carriers that misused data, misrepresented … Continue Reading

California Amends Data Breach Notification Law and State Attorney General’s Data Breach Report May Lead to More Changes

Prompted by data breaches affecting large retailers in the United States, the California legislature recently passed Assembly Bill 1710 (A.B. 1710) to update the state’s breach notification law to require breached entities to provide free credit monitoring services to affected individuals following certain types of data breaches. This change, effective January 1, 2015, was recommended … Continue Reading

Federal Agencies Reduce Barriers to Cyber Threat Information Sharing

Federal regulators released guidance in the first half of 2014 that should provide comfort to businesses that are considering sharing information relating to cybersecurity risks with other companies and the government. Although these advisory opinions are nonbinding and do not carry the force of law, they provide strong indications of the priorities of the U.S. … Continue Reading

FTC Recommends Improved Transparency and Security in Mobile Shopping Apps

In August 2014, the Federal Trade Commission (FTC) published a staff report that evaluates the consumer disclosures made by a number of popular mobile shopping applications and makes recommendations to the providers and users of those apps. The FTC staff did not address or find any fault with app platforms, like Google Play or Apple’s … Continue Reading

Privacy and Data Security Risk Assessments: An Overview

Recent large-scale data breaches provide a stark reminder of the risks and challenges associated with today’s data-driven economy. The exploding number of devices connected to the Internet and amount of information collected about people by organizations make it increasingly important for officers, directors, and senior management to fully understand the privacy and data security risks … Continue Reading

The Wyndham Rulings and the FTC’s Leadership on Data Security Enforcement

Despite reaching settlements with more than 50 organizations on data security issues since the late 1990s, no organization seriously challenged the Federal Trade Commission’s (FTC’s) authority to bring such cases until FTC v. Wyndham Worldwide Corp. made headlines in 2012. The case brought rampant speculation from the privacy and data security community on the likely … Continue Reading

President’s Counselor Makes Recommendations on Privacy and Other Values in Big Data Age

In January 2014, President Barack Obama charged his counselor John Podesta with looking at: (a) how the challenges inherent in big data are being confronted in the public and private sectors; (b) whether the United States can forge international norms on how to manage big data; and (c) how the United States can continue to … Continue Reading

Proposed California Law Would Impose Data Breach Liability on Retailers and Create More Stringent Data Security Requirements for Businesses

A proposed California law, the Consumer Data Breach Protection Act (A.B. 1710), has the potential to upend the calculus of determining liability after retail data breaches, create additional data security requirements for retailers and other consumer-facing businesses operating in California, and establish new standards for data breach reporting for breaches affecting California residents. The bill, … Continue Reading

Kaiser Foundation Health Plan Settles California Attorney General Charges over Delayed Data Breach Notification

Kaiser Foundation Health Plan, Inc. (Kaiser) recently agreed to settle charges brought by California Attorney General Kamala Harris alleging that Kaiser, a component of Kaiser Permanente, the largest health maintenance organization in the U.S., violated California’s unfair competition law by taking too long to notify more than 20,000 current and former employees that their personal … Continue Reading

Breach Notification: Timing Is Everything

A data security incident can be daunting for an organization, quickly spurring it into full-blown crisis mode. Once an incident is discovered, IT and security personnel may work around the clock to attempt to identify and fix security vulnerabilities, assess and mitigate any damage from the incident, and report their findings and efforts to senior … Continue Reading

Barnes & Noble Dodges Suit over PIN Pad Data Breach

A trial court in the Seventh Circuit recently dismissed a data breach class action case against Barnes & Noble (B&N) due to the plaintiffs’ failure to allege actual or imminent injuries. This is one of the first data breach cases following the U.S. Supreme Court’s recent decision about pleading actual damages in Clapper v. Amnesty … Continue Reading

California Extends Security Breach Notification Requirements to Online Account Credentials

California, which enacted the pioneering security breach notification law in 2002, again has taken the lead in security breach notification legislation. In an effort to protect consumers against unauthorized access to their online accounts, California has extended its security breach notification law to cover individuals’ online account credentials (i.e., a user name or email address, … Continue Reading

European Regulators Opine on “Purpose Limitation” Principle – What Constitutes “Compatible Use” in the Context of Big Data?

On April 2, 2013, the European data protection regulators (the “Article 29 Working Party” or the “WP29”) issued a 70-page opinion providing guidance on how to comply with the core EU data protection principle of “purpose limitation.” This opinion gives a good indication of how EU regulators would apply their national data protection law to … Continue Reading