Photo of Jeffrey L. Poston

 

The federal government has kept busy this summer by issuing multiple regulations impacting government contractors’ cybersecurity.  First, the Department of Defense released the 2019 National Defense Authorization Act (NDAA), which included notable cybersecurity provisions involving foreign ownership and Controlled Unclassified Information (CUI), among others.  Second, Congress passed the NIST Small Business Cybersecurity Act requiring the

Facebook faces government investigations on both sides of the Atlantic after recent revelations that Cambridge Analytica, a British political data firm with ties to President Trump’s 2016 campaign, collected and used the personal information of more than 50 million Facebook users in a manner that violates Facebook’s stated policy regarding access, disclosure, and use of personal information. Legislators in the U.S. and the UK have called for hearings.

The Federal Trade Commission (“FTC”) has confirmed it is conducting an investigation into whether Facebook violated the terms of its November 2011 consent decree requiring it to, among other things, “not misrepresent . . . the extent to which it maintains the privacy or security of [personal] information,” and “establish and implement, and thereafter maintain, a comprehensive privacy program that is reasonably designed to (1) address privacy risks related to the development and management of new and existing products and services for consumers, and (2) protect the privacy and confidentiality of [personal] information.” Several state attorneys general have also announced investigations, and Facebook faces at least one a shareholder lawsuit alleging that Facebook did not properly disclose the third-party access to users’ personal information.
Continue Reading

Last week, the U.S. Court of Appeals for the Ninth Circuit revived a class action lawsuit related to a 2012 data breach, determining that the future risk of identity theft suffices to establish Article III standing, even where there has been no actual harm. At issue in the case, In re Zappos.com, was whether

The U.S. Court of Appeals for the D.C. Circuit has now weighed in on whether plaintiffs can bring a putative class action arising from an alleged data breach in lieu of allegations of actual misuse of compromised data.  Emphasizing the “low bar to establish [] standing at the pleading stage,” the D.C. Circuit reversed a

On June 19, 2017, the Federal Trade Commission (FTC) issued a public comment regarding the National Telecommunications & Information Administration’s (NTIA) draft guidance titled Communicating IoT Device Security Update Capability to Improve Transparency for Customers.  In commenting on the guidance, the FTC acknowledged the benefits of and challenges to IoT device security, and encouraged

On June 12, Nevada Gov. Brian Sandoval (R) signed into law a bill requiring the operator of an Internet website to disclose the type of information it collects on Nevada residents.  Under the law, any company or person who (1) owns or operates an Internet website or online service for commercial purposes, (2) collects information

Earlier this week, a federal Illinois court dismissed a class action against book retailer Barnes & Noble that alleged breach of contract, invasion of privacy, and violations of state consumer fraud and breach reporting laws. The case, dismissed for failing to establish economic harm, marks another data point in demarcating actionable data breaches and highlights