Russians Hack Clinton Campaign System; FTC: LabMD Liable in Data Security Suit; EU Member States issue statement on Privacy Shield; NIS Directive published – Implementation into national law by May 2018; EU Data Protection Supervisor: e-Privacy directive should meet GDPR-requirements.
Clinton Campaign Data Breach brings data security into 2016 campaign yet again
On July 29, an F.B.I. official told the New York Times that computer systems used by the Clinton presidential campaign were hacked in the latest in a string of cybersecurity attacks targeting political entities. The Times noted the attacks appeared to have been carried out by the Russian intelligence services. These revelations follow news of similar attacks carried out earlier in the summer, including a Russian government hack of the Democratic National Committee’s computer network. Investigations into both attacks are ongoing.
FTC Reasserts Data Security Enforcement Powers in suit against LabMD
Late last week, the FTC issued its long-awaited final order in its investigation of LabMD’s alleged unfair data security practices. FTC filed charges against LabMD, a clinical laboratory used by physicians, for allegedly failing to protect sensitive personal information for over 750,000 patients. An ALJ had earlier dismissed FTC’s charges, holding that LabMD’s data security practices failed to cause substantial consumer injury. The Commission unanimously reversed that decision.
FTC claimed that LabMD “lack[ed] even basic precautions to protect . . . sensitive consumer information maintained on its computer system. Among other things, it failed to use an intrusion detection system or file integrity monitoring; neglected to monitor traffic coming across its firewalls; provided essentially no data security training to its employees; and never deleted any of the consumer data it had collected.” Firms collecting personal information should note that future FTC enforcement is likely to note the absence of any of these systems as evidence of sub-par data security practices.
This suit follows the FTC’s 2014 victory in the Wyndham case, which validated the FTC’s authority to regulate data security. For more information on the Wyndham decision, see the Crowell Data Law blog post on the subject.