The Federal Trade Commission (FTC) has been at it again, settling on December 31, 2014 with Snapchat over privacy and data security concerns stemming from its text and video mobile messaging services. The settlement is instructive for gauging the FTC’s enforcement priorities and illustrates the steep costs a company can face when the FTC alleges the company has engaged in deceptive or unfair trade practices.
Government Regulations & FISMA
Florida Continues Trend to Strengthen Breach Laws
On June 20, 2014, Florida enacted the Florida Information Protection Act of 2014 (FIPA) to strengthen its data breach notification law. The amendments, which take effect July 1, will make Florida one of the strictest jurisdictions for reporting deadlines (which shorten to 30 days) and the types of information that trigger notification obligations (which now…
Crowell & Moring Releases “Data Law Trends & Developments” and Announces Expanded “Data Law Insights” Blog
We are pleased to announce the publication of a report titled “Data Law Trends & Developments: E-Discovery, Privacy, Cyber-Security & Information Governance.” The report explores recent trends and anticipated future developments on critical issues related to the intersection of technology and the law, which affect a wide range of companies and industries. In addition, the report highlights key cases and issues to watch in 11 areas of data law, including: information governance, cybersecurity, social media, technology-assisted review, criminal law, regulatory, cooperation, privacy, cross border transfers, bring your own device (BYOD), and privilege.
Navigating a Hostile Regulatory Climate: Practical Lessons Following OCR’s Latest $4.8 MM HIPAA Settlements
On May 7, 2014, the Department of Health and Human Services Office of Civil Rights (“OCR”) announced the latest in a string of increasingly aggressive settlements of alleged Health Insurance Portability and Accountability Act (“HIPAA”) violations. The twin settlements with New York and Presbyterian Hospital (“NYP”) and Columbia University (“CU”) are the largest settlements to…
The “Cyber Framework” Arrives
After a year of development, NIST has released the long-awaited Cybersecurity Framework, which promises to have significant implications for the public and private sectors alike. The final version retains much of the Framework Core set forth in the draft version and provides a blueprint to align cybersecurity efforts (along with the accompanying Roadmap document…
NIST Eliminates Privacy Appendix from Cybersecurity Framework
In a January 15, 2014 update, the National Institute of Standards and Technology (“NIST”) announced that it would eliminate contentious privacy provisions in Appendix B of the Preliminary Cybersecurity Framework. The appendix was originally intended “to protect individual privacy and civil liberties” as part of the February 2012 Executive Order 13636 requiring NIST…
New DFARS Safeguards and Reporting Requirements
A DFARS final rule (Nov. 18, 2013) on the safeguarding of unclassified, controlled technical information requires contractors, among other things, to report within 72 hours of discovery any “cyber incident” (an action that results in an actual or potentially adverse effect on an information system and/or the information residing therein), preserve relevant data for at…
Guess What? You’re Now Subject to HIPAA (Yes, You!): The Broad Reach of HIPAA over Business Associates
With the HIPAA Final Rule now in place, business associates as well as subcontractors must comply with the entire Security Rule (among other aspects of HIPAA) and face direct liability for the failure to do so. Some entities may be surprised to learn they are subject to HIPAA given the recently expanded definition of “business…
Cybersecurity and Data Privacy in 2013: Contracting in a Time of Increased Scrutiny
2013 has been a historic year for cybersecurity, privacy and data breach issues. From the President’s Executive Order, to the revised NIST security & privacy controls, and to the groundbreaking Mandiant report on cyber espionage, the pressure is on for companies to secure their handling of sensitive data.
In order to mitigate the risk of…
Regulating Cybersecurity On A Piecemeal Basis—Can The Executive Order Harmonize The Cyber Law Patchwork?
With no comprehensive cybersecurity legislation nearing the finish line, Congress and federal agencies have attempted to fill the void with a series of piecemeal laws, regulations, and policies, leaving both the public and private sector with fragmented — even inconsistent — guidance on how to defend cyberspace. As we discuss in our recent article, “…