
Kate M. Growley (CIPP/US, CIPP/G) is a director in Crowell & Moring International’s Southeast Asia regional office. Drawing from over a decade of experience as a practicing attorney in the United States, Kate helps her clients navigate and shape the policy and regulatory environment for some of the most complex data issues facing multinational companies, including cybersecurity, privacy, and digital transformation. Kate has worked with clients across every major sector, with particular experience in technology, health care, manufacturing, and aerospace and defense. Kate is a Certified Information Privacy Professional (CIPP) in both the U.S. private and government sectors by the International Association of Privacy Professionals (IAPP). She is also a Registered Practitioner with the U.S. Cybersecurity Maturity Model Certification (CMMC) Cyber Accreditation Body (AB).

Earlier this month, the U.S. Chamber of Commerce submitted comments in response to the National Institute of Standards & Technology’s request for information regarding cybersecurity and the digital economy. The Chamber’s comments focused on specifics such as the NIST Cybersecurity Framework and the Cybersecurity Information Sharing Act of 2015, but it also discussed more

The Second Circuit today issued a much-anticipated ruling holding that U.S. firms are not required to turn over user data stored overseas, even in the face of a government warrant.  This decision arose from Microsoft’s December 2014 appeal of a civil contempt ruling against the tech giant for refusing to turn over the personal data

The Panama Papers Leak – An overview of history's biggest data leak; Article 29 Working Party about to release opinion on EU-U.S. Privacy Shield; EU: GDPR and PCJ DPD about to be approved next week – final consolidated text published by Council; US: New HIPAA Audit Protocol Released as a Guidance Tool for phase two of Compliance Audits; U.S. Sneak News: Defend Trade Secrets Act, NPRM and Sony Settlement Approval. EU: GDPR, PCJ DPD and PNR Directive adopted by Parliament; U.S.: House Judiciary Committee approves E-Mail Privacy Act; Senate to require airlines to report cyberattacks; FTC issues online tool identifying applicable law for health apps; Global: Turkey releases first comprehensive Data Protection law; Connected cars found vulnerable to cyberattacks; Data Breaches May Waive Attorney-Client Privilege?; Encryption Continues to Dominate Privacy Headlines; Hospital Settles with HHS for $2.2 Million in HIPAA Action; Southern District of New York Adds Ransomware Conspirator to Hacking Case; European and Canadian Data Protection Authorities Investigate IoT Devices; Norway Requires Data Breach Notification for Individuals

The Panama Papers Leak – An overview of history's biggest data leak

On April 3, 2016, reports revealed that a set of 11.5 million confidential documents (“the Panama Papers”), providing detailed information about more than 200,000 offshore companies connected to Panamanian legal service provider Mossack Fonseca, had been made available to the German daily newspaper Süddeutsche Zeitung by an anonymous source in 2015.

The documents, which form part of the biggest data leak in history, reveal (potential) exploitation of offshore tax regimes and the use of offshore structures for other illegal purposes, such as fraud or drug trafficking. Those implicated include not only big companies but also 143 politicians, among them twelve national leaders, as well as celebrities, government officials and other law firms. Given the scope of the leak, the Süddeutsche Zeitung involved the International Consortium of Investigative Journalists (ICIJ) and about 400 other journalists in 76 different countries to investigate and analyze the documents. ICIJ has promised to publish a full list of the companies involved in early May 2016.

Mossack Fonseca, the firm whose documents were leaked, defended its commercial conduct, stating that it has always complied with applicable laws and carried out thorough due diligence on its clients. However, the leak will have a huge impact on the offshore business, as that business's biggest selling point, secrecy, has been massively undermined.

Continue Reading: Privacy & Cybersecurity News Update – 3 Week Summary

DoD Issues Year-End DFARS Changes; Russians Now Have the “Right to Be Forgotten”; No Injury in Michael’s Data Breach Suit; FAA Issues Interim Final UAS Rule; New Penalties for Distributing Unique Medical Identifiers

Holiday Gift from Defense Department: More Time to Comply with DFARS Safeguarding Rule

Last Wednesday, the Department of Defense issued an interim rule making several changes to the Defense Federal Acquisition Regulation Supplement (DFARS), including extending the deadline for government contractors to comply with data protection requirements in DFARS 252.204-7012.  Even though the Department extended the compliance window, contractors still face an obligation to inform DoD if their security programs do not yet fully comply with the regulation.  For more information, or to seek assistance in meeting these changes, affected contractors can refer to the Crowell & Moring Alert on this topic, or contact the attorneys listed therein.

Search Engines in Russia Now Subject to “Right to Be Forgotten” Requests

On January 1, a Russian law went into effect requiring search engines operating in Russia to delist websites containing “false” or “obsolete” personal information upon that person’s request.  Search engines need not remove certain information, such as criminal convictions or the salaries of public employees.  Russia’s protections mimic those of the European Union, where the European Court of Justice upheld this right in 2014.  Web companies operating in Russia and offering information aggregation services—companies that could be fined up to one million rubles ($13,000) per occurrence for their non-compliance with this measure—should take note of this development.

Continue Reading: Privacy & Cybersecurity Weekly News Update

FTC Settles False Ad Claim with LifeLock for $100M; CISA Signed into Law; University of Washington Settles HIPAA Claims Arising from 2013 Data Breach; Senators Urge White House to Search Social Media Profiles During Visa Background Checks; FTC Announces COPPA Settlements with App Developers; Cybersecurity Enters the 2016 Presidential Race.

FTC Announces Staggering Sum in Settlement with LifeLock

The FTC announced Thursday that identity protection firm LifeLock would pay $100 million to settle allegations that it violated a 2010 federal court order requiring the firm to secure its customers’ personal data – the largest settlement ever reached by the FTC under an order enforcement action. The FTC alleged that LifeLock failed to maintain an adequate information security program and that the firm misled its customers into believing that LifeLock provided security protections tantamount to those offered by financial institutions.

Cybersecurity Bill Signed into Law

On Friday morning, Congress passed a sizeable omnibus spending bill with several policy riders, including the Cybersecurity Information Sharing Act of 2015 (“CISA”). Under CISA, any “non-federal entity” can now share information with federal government agencies “notwithstanding any other provision of law.” CISA also calls for information sharing portals whereby companies can send information to federal law enforcement authorities, and provides liability protections to those entities who voluntarily share cyber threat indicators or defensive measures with the government. President Obama signed the $1.8 trillion deal into law Friday evening.

Continue Reading: Privacy-Cybersecurity Weekly News Update December 14-18, 2015

Wyndham-FTC Settlement Looks to PCI; Target Consumer Appeals Settlement; Leaders Propose Encryption Commission; Ashley Madison MDL in St. Louis; FTC Commissioner Warns of FCC ISP Overreach; Moms Sue Over Doll’s IoT Capability

Wyndham to Implement PCI-Focused Information Security Program in Settlement with FTC

On Wednesday, the FTC and Wyndham settled a long-standing dispute regarding the hospitality company’s alleged “unfair and deceptive” data security practices, a suit that confirmed the FTC’s authority to regulate in the space.  Wyndham agreed to establish a comprehensive information security program designed to protect payment cardholder data and to conduct regular structural audits of its information security systems – taking cues from the Payment Card Industry Data Security Standard.

Target Consumer Appeals $10M Data Breach Settlement

Californian James Sciaroni has appealed the $10 million consumer class action settlement approved in November by Judge Paul Magnuson.  When Sciaroni objected to the settlement in July, he argued that it “does not adequately compensate the class,” totaling only about 9 cents per class member in compensatory damages, in addition to the information security standards Target accepted.

Continue Reading: Privacy-Cybersecurity Weekly News Update December 6-11, 2015

The Internet of Things has found its way into the court room once again.  Last week, two mothers filed a putative class action stemming from their children’s use of “Hello Barbie,” an interactive version of the popular doll that relies on cloud-based technology to talk back to its playmates and that the mothers allege violated

Target Settles Data Breach Claims with Banks and Insurers

On Thursday, Target agreed to settle claims with a group of financial institutions arising from its 2013 data breach involving customers’ credit card information.  Target reportedly will pay $39 million to settle the class-action suit in federal court in Minnesota.  This settlement follows a $67 million settlement with Visa in August and a $10 million settlement of a consumer class action in March.

Chinese Government Arrests Suspected OPM Hackers

The Washington Post reported Wednesday that Chinese officials arrested several hackers purportedly connected with the data breach of 22 million OPM personnel records earlier this year.  The arrests occurred shortly before President Xi’s September state visit.  The Post noted that one U.S. official responded that “[w]e don’t know that [sic] if the arrests the Chinese purported to have made are the guilty parties . . . [t]here is a history [in China] of people being arrested for things they didn’t do . . . .”

OMB Director Donovan Announces New Federal Privacy Council

In a speech Wednesday to the Federal Privacy Summit, Office of Management & Budget (OMB) Director Shaun Donovan announced the establishment of the Federal Privacy Council.  The Council will be tasked with interagency integration and sharing of best-practices and to “professionalize the privacy profession.”

Continue Reading: Privacy-Cybersecurity Weekly News Update November 29 - December 4, 2015

Congress has taken another step to emphasize the importance of detecting and deterring cyber crime, as the House recently passed the Strengthening State and Local Cyber Crime Fighting Act.  Please see Trade Secrets Trends for a post by our colleagues John McCarthy and Craig Lytle for more details about the bill’s passage and significance.


Yesterday, the DoD published an Interim Rule that, if finalized as drafted, would expand the already onerous requirements of the DFARS Safeguarding Clause to a broader array of potentially 10,000 defense contractors.  Citing “recent high-profile breaches of federal information,” the DoD’s Interim Rule emphasizes the need for clear, effective, and consistent cybersecurity protections in its contracts.  The Interim Rule proposes to significantly expand the scope of covered information and to require subcontractors to report cyber incidents directly to the DoD (in addition to prime contractors).  Together, these changes will likely increase the scope of potential liability for government contractors and subcontractors who fail to implement adequate cybersecurity measures.

The Interim Rule seeks to enhance cybersecurity protections primarily by expanding the application of the DFARS Safeguarding Clause, which was once itself a heated point of debate.  Currently, the DFARS Safeguarding Clause imposes two sets of requirements on covered defense contractors.  First, they must implement “adequate security” on certain information systems, typically by implementing dozens of specified security controls.  Second, they must report various cyber incidents to the DoD within 72 hours of their discovery.  These requirements, however, apply only to information systems housing “unclassified controlled technical information” (UCTI), which is generally defined as controlled technical or scientific information that has a military or space application. 

The Interim Rule would expand that application to information systems that possess, store, or transmit “covered defense information” (CDI).  CDI would encompass UCTI, meaning that most contractors subject to the DFARS Safeguarding Clause would remain subject to the Interim Rule.  But CDI goes beyond the DFARS Safeguarding Clause by also including information critical to operational security, export controlled information, and “any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government policies.”  Significantly, the Interim Rule lists “privacy” and “proprietary business information” as examples of the latter, leaving many covered contractors to wonder exactly how far the definition of “covered defense information” goes.  To keep up with its new application, the Interim Rule would change the name of Clause 252.204-7012 from “Safeguarding Unclassified Controlled Technical Information” to “Safeguarding Covered Defense Information and Cyber Incident Reporting.”

Continue Reading: Interim Rule Could Expand Already Onerous DFARS Cyber Requirements