Data Law Insights

Legal insights on navigating privacy, data protection, cybersecurity, information governance, and e-discovery

Category Archives: Cybersecurity / Data Security

New Internet of Things (IoT) NIST Draft Publication Provides Welcomed Guidance

Posted in Cybersecurity / Data Security, Government Agencies, Government Regulations & FISMA, Health IT, Internet of Things, Privacy
Responding to the rise of interconnected technology, the National Institute for Standards and Technology (NIST) has recently issued an introductory document in a planned series of cybersecurity publications addressing Internet of Things (IoT) privacy risks.  Open for comment through October 24, 2018, the Draft NISTIR 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy… Continue Reading

No Summer Vacation for Government as New Cybersecurity Legislation Passes

Posted in Cybersecurity / Data Security
The federal government has kept busy this summer by issuing multiple regulations impacting government contractors’ cybersecurity.  First, the Department of Defense released the 2019 National Defense Authorization Act (NDAA), which included notable cybersecurity provisions involving foreign ownership and Controlled Unclassified Information (CUI), among others.  Second, Congress passed the NIST Small Business Cybersecurity Act requiring the National Institute of Standards… Continue Reading

SAFETY Act Liability Protections Will Be Tested

Posted in Cybersecurity / Data Security, Government Agencies, Government Contracting, Government Regulations & FISMA, Litigation
After over a decade, the first action has been filed that may test the bounds of the Support Anti-Terrorism by Fostering Effective Technologies Act (“SAFETY Act”) of 2002. MGM Resorts International recently filed suit related to the October 2017 Mandalay Bay country music concert shooting, asking a federal court to rule that it cannot be… Continue Reading

Upcoming NIST Hosted DFARS Safeguarding Clause & CUI Training – October 18, 2018

Posted in Cybersecurity / Data Security
The National Institute of Standards and Technology (“NIST”) is hosting a cybersecurity workshop on the Defense Federal Acquisition Regulation System (“DFARS”) Safeguarding Clause and related regulations on Thursday, October 18, 2018.  The workshop, in coordination with the Department of Defense (“DoD”) and the National Archives and Records Administration (“NARA”), will provide an overview of Controlled… Continue Reading

Colorado’s New Data Privacy Bill Increases Notification and Safeguarding Requirements

Posted in Cybersecurity / Data Security, Privacy
The Colorado legislature recently passed a new data privacy law, House Bill 18-1128, which heightens requirements for corporate and public entities handling personal information of Colorado residents.  Effective September 1, 2018, the law aims to strengthen consumer data privacy by 1) shortening the time frame required to notify affected Colorado residents and the Attorney General… Continue Reading

The CLOUD Act and the Future of International Access to E-Evidence

Posted in Cloud Computing, Criminal Law, Cybersecurity / Data Security, Government Agencies, Preservation, Privacy
Attorney General Jeff Sessions and EU Justice Commissioner Věra Jourová have met twice over the last two weeks, signaling momentum towards a new EU-U.S. solution for the sharing of electronic evidence. These meetings occurred in the wake of proposed regulations on the sharing of electronic evidence in the EU, and the passage of the Clarifying… Continue Reading

Seventh Circuit Revives Data Breach Case Despite No Evidence Of Monetary Harm

Posted in Cybersecurity / Data Security
The U.S. Court of Appeals for the Seventh Circuit (the “7th Circuit”) recently issued an opinion in Heather Dieffenbach, et al. v. Barnes & Noble, Inc. that is potentially concerning for current and potential defendants in class action claims related to data breaches.  The case relates to a 2012 incident where Barnes & Noble discovered… Continue Reading

Political Data Firm Improperly Accessed Facebook Users’ Data

Posted in Cybersecurity / Data Security
Facebook faces government investigations on both sides of the Atlantic after recent revelations that Cambridge Analytica, a British political data firm with ties to President Trump’s 2016 campaign, collected and used the personal information of more than 50 million Facebook users in a manner that violates Facebook’s stated policy regarding access, disclosure, and use of… Continue Reading

PayPal Settles FTC Claims Regarding Venmo’s Disclosure, Privacy, and Security Practices

Posted in Cybersecurity / Data Security
On February 27, 2018, the Federal Trade Commission (“FTC”) announced a proposed administrative settlement with PayPal, Inc. over allegations that the company failed to make adequate disclosures to users regarding its Venmo peer-to-peer payment service. The settlement underscores the importance of effectively disclosing material information to consumers, including accurately communicating privacy and security practices and… Continue Reading

Learn about how Regulation Will Shape Digital Transformation in Crowell & Moring’s 2018 Regulatory Forecast Cover Story: “Digital Transformation: The Sky’s The Limit”

Posted in Cybersecurity / Data Security, Litigation
Crowell & Moring has issued its “Regulatory Forecast 2018: What Corporate Counsel Need to Know for the Coming Year.” The Forecast cover story, “Digital Transformation: The Sky’s the Limit,” provides a look at how technology is helping companies soar to new heights and how regulation can help companies to succeed. It is clear digital technology… Continue Reading

U.S. Securities and Exchange Commission Ups the Ante for Addressing Corporate Cyber Risks

Posted in Cybersecurity / Data Security
On February 21, 2018, the U.S. Securities and Exchange Commission (“SEC”) voted unanimously to disseminate its Statement and Guidance on Public Company Cybersecurity Disclosures, an “interpretive guidance” designed to help publicly-traded companies satisfy their cybersecurity risk disclosure obligations. The new guidance supplements the SEC’s initial October 13, 2011 Cybersecurity Disclosure Guidance, which was relatively broad,… Continue Reading

Is Government Data at Risk? Study Finds Industry Cybersecurity Lagging Government

Posted in Cybersecurity / Data Security
Security ratings firm BitSight recently released a report citing a gap in cybersecurity performance between the U.S. Government and contractors.  The report was the result of a comparative security assessment between 1,212 randomly selected government contractors and 122 federal agencies. The assessment found that federal agencies were at least 15 points better than the mean for… Continue Reading

Former IT Administrator Sentenced to Prison for Hacking Canadian Pacific Railway Network

Posted in Cybersecurity / Data Security
Yesterday, U.S. District Judge Patrick Schiltz sentenced a former IT administrator to 366 days in federal prison following a Consumer Fraud and Abuse Act conviction. Christopher V. Grupe was employed as an IT professional by Canadian Pacific Railway from September 2013 to December 2015. In December of 2015, Grupe was suspended for insubordination after a confrontation… Continue Reading

National Archives Issues New, But Limited, CUI Contract Guidance

Posted in Cybersecurity / Data Security
The Information Security Oversight Office (“ISOO”) within the National Archives and Records Administration (“NARA”) recently issued guidance for all non-executive branch entities  (such as elements of the legislative or judicial branches of the Federal Government; state, tribal or local government elements; and private organizations including contractors) concerning controlled unclassified information (“CUI”).  Specifically, the ISOO  issued… Continue Reading

Fourth Circuit Raises Bar for DMCA Safe Harbor Defense

Posted in Advertising & Product Risk Management, Cybersecurity / Data Security, Litigation, Uncategorized
Last Thursday, the Fourth Circuit decided a closely followed case on one of the safe harbor defenses under the Digital Millennium Copyright Act (DMCA). See BMG Rights Management (US) LLC v. Cox Communications, Inc., No. 16-1972 (4th Cir. Feb. 1, 2018). The court also addressed the intent standard for contributory copyright infringement. BMG, an owner… Continue Reading

U.K. Announces Fines Up To $24M For Cyber Noncompliance

Posted in Cybersecurity / Data Security
The United Kingdom’s National Cyber Security Centre (“NCSC”) recently announced guidance whereby industries could be fined up to $24 million (£17 million) for not having effective cybersecurity measures in place.  The penalties apply to critical infrastructure sectors including energy, transportation, water and healthcare.  While the U.K. government stated that these penalties will be “a last… Continue Reading

FERC Proposes to Require Expanded Cyber Security Incident Reporting

Posted in Cybersecurity / Data Security, Data Breach, Government Agencies, Uncategorized
The Federal Energy Regulatory Commission (“FERC”) recently proposed that the North American Electric Reliability Corporation (“NERC”), which is responsible for promulgating and enforcing FERC-approved mandatory electric reliability standards, revise its Critical Infrastructure Protection (“CIP”) standards to require additional circumstances under which reporting of cybersecurity incidents is mandatory.   FERC’s goal is to enhance the awareness of… Continue Reading

FTC Settles First Connected Toy Case With VTech After Massive Data Breach

Posted in Cybersecurity / Data Security, Data Breach, Privacy
On January 8, 2018, the FTC announced settlement of its first connected toy case with VTech Electronics Ltd (“VTech”) for violating the Children’s Online Privacy Protection Act (COPPA) Rules by failing to properly collect and protect personal information about and from children and violating the FTC Act by misrepresenting its security practices. In addition to paying… Continue Reading

Comment Period Extended for NIST SP 800-171 Assessment Guide

Posted in Cybersecurity / Data Security, Government Agencies, Government Contracting, Government Regulations & FISMA, Information Management, Public Sectors
Less than two weeks after the National Institute of Standards and Technology (NIST) published a draft version of NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information, on November 28, the National Archives and Records Administration (NARA) announced today that the comment period has been extended to January 15, 2018.  This gives interested parties… Continue Reading

Can You Copyright Infringe Anonymously? Revisited.

Posted in Advertising & Product Risk Management, Cybersecurity / Data Security, Litigation
On November 28, 2017, the Sixth Circuit, in a 2:1 decision, ruled on the anonymous copyright infringement case we discussed back in April. The central issue in the case involved whether an adjudicated copyright infringer can remain anonymous. A decision in favor of the infringer could encourage anonymous unlawful speech. A decision in favor of… Continue Reading

Report on the Autonomous Vehicle Safety Regulation World Congress 2017

Posted in Cybersecurity / Data Security, Privacy, Product Liability & Torts
The big takeaways from The Autonomous Vehicle Safety Regulation World Congress centered on the importance of a federal scheme for AV regulation and the reality of the states’ interest in traditional issues such as traffic enforcement, product liability, and insurance coverage.  In keeping with those messages, the World Congress kicked off with NHTSA Deputy Administrator… Continue Reading

DOJ Asks Supreme Court to Resolve Split over Its Ability to Compel Foreign Records

Posted in Criminal Law, Cybersecurity / Data Security
U.S.-based technology companies and courts across the country have disagreed over the extraterritorial application of the Stored Communications Act in allowing U.S. law enforcement to enforce warrants to reach data stored overseas.  Some courts have treated the data stored overseas as a “physical” object  and, therefore, refused to extend the reach of the Act abroad. … Continue Reading

New Jersey Restricts Retailers’ Collection and Use of Customer Information

Posted in Cybersecurity / Data Security, Data Breach, Information Management, Privacy
On July 21, 2017, Governor Chris Christie signed the Personal Information Privacy and Protection Act (S-1913) (the “Act”) into law, further enhancing the protections afforded to consumers who make retail credit card purchases in New Jersey.  As technology has evolved, many retailers rely on electronic barcode scanners to review and capture information on customers’ driver’s… Continue Reading