In the wake of numerous cyberattacks aimed at companies spanning various industries, it is no surprise that yet another federal agency—this time the SEC—is stressing the importance of proper cybersecurity protocols for the entities it regulates. Broker-dealers, investment advisors, and others in the securities industry often have access to some of the most sensitive client and consumer financial information, making data security a high priority for the SEC.
Continue Reading SEC Increases Focus on Cybersecurity–A Look at Recent Data Security Guidance and Enforcement
FTC Begins “Start with Security” Conference Series
On September 9, 2015, the Federal Trade Commission (FTC) held its first “Start with Security” conference at the University of California Hastings College of the Law in San Francisco. The conference was the first in a series of events hosted by the agency intended to provide additional guidance to businesses regarding how to keep consumers’ information secure.
The FTC’s San Francisco event was aimed primarily at start-ups and software developers, with panels focusing on building a culture of security, scaling security during periods of rapid growth, investing in security, vulnerability disclosure and response, and implementing security features. The panels were each moderated by a staff attorney from the FTC’s Division of Privacy and Identity Protection, with panelists hailing primarily from Silicon Valley tech companies. Each panel is summarized below.
Continue Reading FTC Begins “Start with Security” Conference Series
Privacy and Data Security Due Diligence
This article is the third in a series of articles that discuss the importance of privacy and data security considerations in the transactional context.
In any transaction in which an entity invests in or acquires another business or its assets, the investing or acquiring entity (the “Acquiror”) should fully evaluate its counterparty (the “Company”), the Company’s assets, and the Company’s liabilities and risks prior to the consummation of the transaction. A spate of significant data security incidents and exposés in the past few years has raised awareness across industries of the need to adequately contemplate privacy concerns and appropriately secure data systems. Businesses, acquirors, and investors increasingly understand that expensive data security incidents, lawsuits, and government investigations can result from basic failures to comply with applicable privacy laws or data processing contracts or, with regard to information security, well-established industry best practices.
Continue Reading Privacy and Data Security Due Diligence
Comcast Enters into Largest Privacy Settlement on Record with California Attorney General
On September 17, 2015, California Attorney General Kamala Harris announced a $33 million settlement with Comcast Corp. to resolve an investigation into Comcast’s publishing of phone numbers that consumers had paid the company not to publish.1 Notably, the settlement is the largest privacy settlement on record to date, surpassing the recent $25 million settlement the Federal Communications Commission (FCC) obtained from AT&T in April 2015.2 The action is also notable for which agency brought it and which agencies did not participate—this was a California state action and not an FCC or Federal Trade Commission (FTC) enforcement proceeding. The FTC has been the leading privacy enforcer over the last twenty years, and the FCC has spent the last two years nipping at the FTC’s heels on privacy enforcement. So, why did the two leading federal privacy regulators apparently sit on the sidelines for the largest privacy settlement on record? This article examines that question and posits some theories on why the other agencies may not have proceeded. Regardless of whether federal regulators decided to act in this case, the Comcast settlement with California offers a stark reminder for companies that failing to protect consumer privacy or misleading consumers about privacy protections can land you in expensive hot water on a wide variety of regulatory fronts.
Continue Reading Comcast Enters into Largest Privacy Settlement on Record with California Attorney General
EU Data Protection Regulators Issue Guidance on Drones
On June 16, 2015, the body of European data protection regulators known as the Article 29 Working Party (WP29) issued an opinion1 that clarifies EU data protection rules in the context of civil drones. The opinion explains how the principles of EU data protection law apply to drones, and provides a list of recommendations for drone manufacturers and operators, regulators and policymakers, and other stakeholders. This article highlights the key takeaways of the WP29 opinion.
Continue Reading EU Data Protection Regulators Issue Guidance on Drones
Technical Standards Open New Avenue to EU Data Protection Compliance
Historically, businesses have called for greater connection between the legal requirements of European data protection law and the requirements of information technology standards. The new International Organization for Standardization (ISO) standard for securely processing personal information in cloud computing environments, ISO 27018, could be a significant and major first step toward creating technical standards that take privacy legal requirements into account.1 While its effects on compliance under the forthcoming EU General Data Protection Regulation (GDPR) remain to be seen, ISO 27018 offers a promising look at what a more harmonized data protection regime might look like.
Continue Reading Technical Standards Open New Avenue to EU Data Protection Compliance