Litigation and regulation surrounding privacy and cybersecurity is continuously developing, both within the government and the private sector. This digest summarizes the most notable events in privacy and cybersecurity.
3rd Circuit Affirms FTC’s Authority to Regulate Companies’ Data Security
On Monday, the Third Circuit issued its much-awaited decision in FTC v. Wyndham Worldwide et al. and held that the Federal Trade Commission (FTC) has statutory authority under Section 5 of the FTC Act to bring enforcement actions against defendants for allegedly “unfair” data security practices. Upholding the New Jersey district court’s decision not to dismiss the case, the Third Circuit supported the FTC’s broad interpretation of its enforcement authority. For more detailed analysis of this decision click here.
OMB Proposes Cybersecurity Guidance
Open for comment until September 10, the recently released OMB cybersecurity guidance, Improving Cybersecurity Protections in Federal Acquisitions, marks another attempt by the Obama Administration to improve our nation’s cybersecurity through the regulation of federal contractors. Although it addresses key areas concerning cybersecurity risk management, Crowell & Moring attorneys explain in this Law360 article why the proposed guidance may generate more problems than it resolves by creating the potential for even more inconsistency across agency standards.
FTC Announces PrivacyCon and Issues Call to Whitehat Researchers
The Federal Trade Commission (FTC) announced that it plans to host a conference in January to examine research and trends in protecting consumer privacy and security. The FTC’s First Ever “PrivacyCon” will bring together “whitehat” researchers, academics, industry representatives, federal policy makers and consumer advocates to discuss privacy and cybersecurity challenges posed by emerging technology and ways to address them. For our blog post about PrivacyCon, click here.
California State Auditor Finds Information Security Vulnerabilities in State entities
A California state auditor’s report revealed significant information security vulnerabilities in state entities under the direct authority of the Governor. Ironically, given California’s leadership in promulgating and enforcing privacy and cybersecurity standards, the state auditor found deficiencies in cybersecurity compliance at each of the five state entities that it reviewed in depth, reported that 73 of the 77 entities responding to its questionnaire had not fully complied with state information security requirements, and added that more than a third of the responding entities “indicated that they did not understand all of the requirements in the security standards.” The report recommends legislative and state entity initiatives to improve information security guidance, oversight, and compliance.
Target: SEC Won’t Recommend Enforcement Action Against Us Over Data Breach
In its quarterly earnings statement, Target noted that the U.S. Securities and Exchange Commission (SEC) does not intend to recommend enforcement action against for the 2013 data breach, in which hackers stole the payment card data of more than 40 million Target customers. In its earnings statement, Target estimated that it has paid $264 million in cumulative expenses in response to the breach, which will be offset by an expected $90 million in insurance recovery. SEC declined to comment on Target’s statement.
DC Circuit Revives NSA Phone Surveillance Program
The DC Circuit overruled the DC District Court (attached) and lifted an injunction against the National Security Agency’s phone metadata collection program. In a 2-1 decision, the Circuit Court held that the plaintiffs did not have a substantial likelihood of winning the case. The majority emphasized that plaintiffs “barely fulfilled the requirements for standing,” because they could not present any evidence that the government collected their metadata.