$1M Fine for Morgan Stanley Data Breach; German DPA Issues Data Transfer Fines; FTC Critiques FCC Privacy Proposal; New Contractor Cybersecurity Rules; Drone Operations Best Practices
Morgan Stanley fined $1M for alleged failure to secure client data
The U.S. Securities and Exchange Commission (“SEC”) and Morgan Stanley Smith Barney LLC (“Morgan Stanley”) reached a settlement of $1 million for alleged cybersecurity failures that led to exposure of client information. The SEC alleged that Morgan Stanley violated the Safeguards Rule, a federal regulation concerning customer data protection, by failing to implement written policies and procedures protecting confidential information. These failures, combined with the failure to monitor employee access to data, ultimately led to a Morgan Stanley employee unlawfully downloading and selling confidential information of more than 730,000 clients between 2011 and 2014.
This may be a telling sign for the future of SEC involvement in data breaches. The SEC’s announcement reflects its expectation that “SEC registrants of all sizes [will] have policies and procedures that are reasonably designed to protect customer information.” Presumably, failures to implement such policies may invite aggressive SEC scrutiny and investigation. Companies within the SEC’s jurisdiction should ensure that their procedures comply with federal regulations. If not, future data breaches may give rise to enforcement and fines by the SEC, in addition to other agency enforcement as well as civil damages available to affected parties under state or federal data breach laws.
German Data Protection Authority fines three companies for U.S. data transfers
The threat of enforcement action based on the invalidation of the former “U.S.-EU Safe Harbor Framework” for data transfers from Europe to the U.S. was for a long time a rather theoretical concern. The German Data Protection Authority (“DPA”) of Hamburg has now made this concern concrete, announcing that it has fined three companies for continued transfers of personal data from Europe to the U.S. without additional safeguards.
Although the fines are comparatively low (€ 8,000 – € 11,000), this is definitely the last wake-up call for companies that have not yet implemented additional safeguards for their EU-U.S. data transfers – the Hamburg DPA is continuing to investigate and has already announced that the next fines it imposes on companies can be expected to be higher. For more on this development, see our recent client alert.
FTC comments on FCC proposed privacy rules
The Federal Trade Commission (“FTC”) recently provided its comments on the Federal Communications Commission’s (“FCC”) Notice of Proposed Rulemaking (“NPRM”) regarding privacy of broadband internet customers. The FTC lauded the FCC’s efforts in many areas, such as defining personally identifiable information to include information “linkable” to an individual, requiring conspicuous disclosure of privacy policies, employing an opt-in approach to sharing sensitive or confidential data, creating efforts to impose baseline data security protocols, and imposing data breach notifications.
The FTC also made a number of recommendations, including development of a standard or “model” privacy notice and safe harbor related to the model notice; advance notice of material changes to policies; increasing the ease with which consumers can exercise opt-in or opt-out choices; data disposal rules; and improvement of data security protections and breach notifications.
The FTC did note that it is “not optimal” to impose upon broadband internet providers requirements that would not apply to other entities collecting and using large amounts of data. This comment is similar to criticism by three members of the House Committee on Energy and Commerce, who suggested the FCC’s proposal would create “new complexity and uncertainty” for both consumers and companies. Presumably, FCC adoption of many FTC suggestions would bring the NPRM closer to existing standards and alleviate some concern about mucking up the privacy landscape with a new set of privacy rules for broadband providers.
New data security rules for Federal contractors
The Department of Defense (“DoD”), General Services Administration (“GSA”), and National Aeronautics and Space Administration (“NASA”) have issued a rule aimed at improving contractor cybersecurity. By applying certain requirements from the National Institute of Standards and Technology Special Publication 800-171 to any contractor information system containing Federal contract information, the rule has a broad reach. The rule is intended to require “only the most basic level of safeguarding” and will not supersede any specific requirements by the contracting agency, such as the more onerous DFARS Safeguarding Rule. The final rule is effective June 15. While the requirements do not apply until a contract containing the relevant clause is awarded, the breadth of its application means that contractors should consider taking action now to ensure their systems satisfy these requirements. More information on the new rule can be found in our recent Government Contracts Bullet Point.
NTIA issues best practices for data collection via drones
The National Telecommunications and Information Administration (“NTIA”) issued its “Voluntary Best Practices for UAS [Unmanned Aircraft Systems] Privacy, Transparency, and Accountability.” This document is aimed at those who use drones to collect data, and makes a number of recommendations regarding notice, use, storage, and security of data collected via both private and commercial drone operations. These best practices are the result of a 2015 Presidential Memorandum directing the NTIA to engage stakeholders for the purposes of creating these voluntary best practices.