Concluding its investigation into the internal accounting controls of nine public issuers who were recent cyber fraud victims, the Securities and Exchange Commission (“SEC”), Division of Enforcement explicitly reminded issuers to consider cyber-related threats in developing and deploying their Section 13(b)(2)(B) internal accounting controls.

The SEC emphasized the importance of tailoring internal accounting controls to cyber-related threats, noting that cyber frauds like those carried out in the nine cases it investigated have caused “over $5 billion in losses since 2013, with an additional $675 million in adjusted losses in 2017.”
Continue Reading

The Federal Energy Regulatory Commission (“FERC”) recently proposed that the North American Electric Reliability Corporation (“NERC”), which is responsible for promulgating and enforcing FERC-approved mandatory electric reliability standards, revise its Critical Infrastructure Protection (“CIP”) standards to require additional circumstances under which reporting of cybersecurity incidents is mandatory.   FERC’s goal is to enhance the awareness of

On January 8, 2018, the FTC announced settlement of its first connected toy case with VTech Electronics Ltd (“VTech”) for violating the Children’s Online Privacy Protection Act (COPPA) Rules by failing to properly collect and protect personal information about and from children and violating the FTC Act by misrepresenting its security practices. In addition to paying a $650,000 civil penalty, VTech agreed to comply with COPPA, implement and maintain a comprehensive information security program with regular third-party security audits for the next twenty years, and not misrepresent its privacy and data security practices.

The settlement comes more than two years after VTech learned that a hacker had gained remote access to databases for its interactive electronic learning products (ELPs), including for its Kid Connect chat application, in what was described at the time as the largest known hack targeting children. According to the FTC’s Complaint, the hacker accessed VTech’s databases “by exploiting commonly known and reasonably foreseeable vulnerabilities,” and VTech was unaware of the intrusion until it was informed by a reporter.
Continue Reading

Please join us for a seminar on December 5 in Washington, D.C. or December 6 in New York City on “Law Firm Data Security”. Our very own Partner Evan Wolff will be presenting alongside RSA’s Doug Howard and Niloofar Howe. Our panelists will cover all sorts of critical issues such as:

  • How to defend high-demand

The U.S. Court of Appeals for the D.C. Circuit has now weighed in on whether plaintiffs can bring a putative class action arising from an alleged data breach in lieu of allegations of actual misuse of compromised data.  Emphasizing the “low bar to establish [] standing at the pleading stage,” the D.C. Circuit reversed a

On July 21, 2017, Governor Chris Christie signed the Personal Information Privacy and Protection Act (S-1913) (the “Act”) into law, further enhancing the protections afforded to consumers who make retail credit card purchases in New Jersey.  As technology has evolved, many retailers rely on electronic barcode scanners to review and capture information on

On June 19, 2017, the Federal Trade Commission (FTC) issued a public comment regarding the National Telecommunications & Information Administration’s (NTIA) draft guidance titled Communicating IoT Device Security Update Capability to Improve Transparency for Customers.  In commenting on the guidance, the FTC acknowledged the benefits of and challenges to IoT device security, and encouraged

Earlier this week, a federal Illinois court dismissed a class action against book retailer Barnes & Noble that alleged breach of contract, invasion of privacy, and violations of state consumer fraud and breach reporting laws. The case, dismissed for failing to establish economic harm, marks another data point in demarcating actionable data breaches and highlights