The National Institute of Standards and Technology (“NIST”) is hosting a cybersecurity workshop on the Defense Federal Acquisition Regulation System (“DFARS”) Safeguarding Clause and related regulations on Thursday, October 18, 2018.  The workshop, in coordination with the Department of Defense (“DoD”) and the National Archives and Records Administration (“NARA”), will provide an overview of Controlled

On February 27, 2018, the Federal Trade Commission (“FTC”) announced a proposed administrative settlement with PayPal, Inc. over allegations that the company failed to make adequate disclosures to users regarding its Venmo peer-to-peer payment service. The settlement underscores the importance of effectively disclosing material information to consumers, including accurately communicating privacy and security practices and user control over optional settings.

Specifically, the FTC alleged that VenmoContinue Reading PayPal Settles FTC Claims Regarding Venmo’s Disclosure, Privacy, and Security Practices

Crowell & Moring has issued its Regulatory Forecast 2018: What Corporate Counsel Need to Know for the Coming Year.

The Forecast cover story, Digital Transformation: The Sky’s the Limit,” provides a look at how technology is helping companies soar to new heights and how regulation can help companies to succeed.

On February 21, 2018, the U.S. Securities and Exchange Commission (“SEC”) voted unanimously to disseminate its Statement and Guidance on Public Company Cybersecurity Disclosures, an “interpretive guidance” designed to help publicly-traded companies satisfy their cybersecurity risk disclosure obligations. The new guidance supplements the SEC’s initial October 13, 2011 Cybersecurity Disclosure Guidance, which was relatively broad, by: 1) articulating the SEC’s expectations regarding the adequacy of disclosures; and, for the first time, 2) recommending the implementation of policies and procedures that address disclosure controls as well as insider trading. 
Continue Reading U.S. Securities and Exchange Commission Ups the Ante for Addressing Corporate Cyber Risks

Security ratings firm BitSight recently released a report citing a gap in cybersecurity performance between the U.S. Government and contractors. 

The report was the result of a comparative security assessment between 1,212 randomly selected government contractors and 122 federal agencies. The assessment found that federal agencies were at least 15 points better than the mean

The United Kingdom’s National Cyber Security Centre (“NCSC”) recently announced guidance whereby industries could be fined up to $24 million (£17 million) for not having effective cybersecurity measures in place.  The penalties apply to critical infrastructure sectors including energy, transportation, water and healthcare.  While the U.K. government stated that these penalties will be “a last

Please join us for a seminar on December 5 in Washington, D.C. or December 6 in New York City on “Law Firm Data Security”. Our very own Partner Evan Wolff will be presenting alongside RSA’s Doug Howard and Niloofar Howe. Our panelists will cover all sorts of critical issues such as:

  • How to defend high-demand

FCC adopts privacy rules; Privacy Shield challenge; Amendments to EU data transfer decisions; FTC data breach guidance; DOT vehicle cybersecurity best practices; HHS guidance on HIPAA and FTC compliance

FCC approves privacy rules for broadband providers

In a 3-2 vote, the Federal Communications Commission approved new rules governing internet service providers’ collection and use

Russians Hack Clinton Campaign System; FTC: LabMD Liable in Data Security Suit; EU Member States issue statement on Privacy Shield; NIS Directive published – Implementation into national law by May 2018; EU Data Protection Supervisor: e-Privacy directive should meet GDPR-requirements.

Clinton Campaign Data Breach brings data security into 2016 campaign yet again

On July 29, an F.B.I. official told the New York Times that computer systems used by the Clinton presidential campaign were hacked in the latest in a string of cybersecurity attacks targeting political entities. The Times noted the attacks appeared to have been carried out by the Russian intelligence services.  These revelations follow news of similar attacks carried out earlier in the summer, including a Russian government hack of the Democratic National Committee’s computer network. Investigations into both attacks are ongoing.

FTC Reasserts Data Security Enforcement Powers in suit against LabMD

Late last week, the FTC issued its long-awaited final order in its investigation of LabMD’s alleged unfair data security practices. FTC filed charges against LabMD, a clinical laboratory used by physicians, for allegedly failing to protect sensitive personal information for over 750,000 patients.  An ALJ had earlier dismissed FTC’s charges, holding that LabMD’s data security practices failed to cause substantial consumer injury. The Commission unanimously reversed that decision.

FTC claimed that LabMD “lack[ed] even basic precautions to protect . . . sensitive consumer information maintained on its computer system. Among other things, it failed to use an intrusion detection system or file integrity monitoring; neglected to monitor traffic coming across its firewalls; provided essentially no data security training to its employees; and never deleted any of the consumer data it had collected.” Firms collecting personal information should note that future FTC enforcement is likely to note the absence of any of these systems as evidence of sub-par data security practices.

This suit follows the FTC’s 2014 victory in the Wyndham case, which validated the FTC’s authority to regulate data security.  For more information on the Wyndham decision, see the Crowell Data Law blog post on the subject.Continue Reading Privacy & Cybersecurity Weekly News Update – Week of July 24

Yesterday, Crowell & Moring hosted an International Association of Privacy Professionals (IAPP) KnowledgeNet featuring the Federal Trade Commission’s (FTC) new Chief Technologist, Lorrie Cranor.

In her short time at the FTC, Cranor has already made waves by encouraging companies to rethink mandatory password changes.  At the event, Cranor spoke about the focus of her