On February 27, 2018, the Federal Trade Commission (“FTC”) announced a proposed administrative settlement with PayPal, Inc. over allegations that the company failed to make adequate disclosures to users regarding its Venmo peer-to-peer payment service. The settlement underscores the importance of effectively disclosing material information to consumers, including accurately communicating privacy and security practices and user control over optional settings.

Specifically, the FTC alleged that Venmo
Continue Reading PayPal Settles FTC Claims Regarding Venmo’s Disclosure, Privacy, and Security Practices

Crowell & Moring has issued its Regulatory Forecast 2018: What Corporate Counsel Need to Know for the Coming Year.

The Forecast cover story, “Digital Transformation: The Sky’s the Limit,” provides a look at how technology is helping companies soar to new heights and how regulation can help companies to succeed.

On February 21, 2018, the U.S. Securities and Exchange Commission (“SEC”) voted unanimously to disseminate its Statement and Guidance on Public Company Cybersecurity Disclosures, an “interpretive guidance” designed to help publicly-traded companies satisfy their cybersecurity risk disclosure obligations. The new guidance supplements the SEC’s initial October 13, 2011 Cybersecurity Disclosure Guidance, which was relatively broad, by: 1) articulating the SEC’s expectations regarding the adequacy of disclosures; and, for the first time, 2) recommending the implementation of policies and procedures that address disclosure controls as well as insider trading. 
Continue Reading U.S. Securities and Exchange Commission Ups the Ante for Addressing Corporate Cyber Risks

Security ratings firm BitSight recently released a report citing a gap in cybersecurity performance between the U.S. Government and contractors. 

The report was the result of a comparative security assessment between 1,212 randomly selected government contractors and 122 federal agencies. The assessment found that federal agencies were at least 15 points better than the mean

The United Kingdom’s National Cyber Security Centre (“NCSC”) recently announced guidance whereby industries could be fined up to $24 million (£17 million) for not having effective cybersecurity measures in place.  The penalties apply to critical infrastructure sectors including energy, transportation, water and healthcare.  While the U.K. government stated that these penalties will be “a last

FCC adopts privacy rules; Privacy Shield challenge; Amendments to EU data transfer decisions; FTC data breach guidance; DOT vehicle cybersecurity best practices; HHS guidance on HIPAA and FTC compliance

FCC approves privacy rules for broadband providers

In a 3-2 vote, the Federal Communications Commission approved new rules governing internet service providers’ collection and use

Russians Hack Clinton Campaign System; FTC: LabMD Liable in Data Security Suit; EU Member States issue statement on Privacy Shield; NIS Directive published – Implementation into national law by May 2018; EU Data Protection Supervisor: e-Privacy directive should meet GDPR-requirements.

Clinton Campaign Data Breach brings data security into 2016 campaign yet again

On July 29, an F.B.I. official told the New York Times that computer systems used by the Clinton presidential campaign were hacked in the latest in a string of cybersecurity attacks targeting political entities. The Times noted the attacks appeared to have been carried out by the Russian intelligence services.  These revelations follow news of similar attacks carried out earlier in the summer, including a Russian government hack of the Democratic National Committee’s computer network. Investigations into both attacks are ongoing.

FTC Reasserts Data Security Enforcement Powers in suit against LabMD

Late last week, the FTC issued its long-awaited final order in its investigation of LabMD’s alleged unfair data security practices. FTC filed charges against LabMD, a clinical laboratory used by physicians, for allegedly failing to protect sensitive personal information for over 750,000 patients.  An ALJ had earlier dismissed FTC’s charges, holding that LabMD’s data security practices failed to cause substantial consumer injury. The Commission unanimously reversed that decision.

FTC claimed that LabMD “lack[ed] even basic precautions to protect . . . sensitive consumer information maintained on its computer system. Among other things, it failed to use an intrusion detection system or file integrity monitoring; neglected to monitor traffic coming across its firewalls; provided essentially no data security training to its employees; and never deleted any of the consumer data it had collected.” Firms collecting personal information should note that future FTC enforcement is likely to note the absence of any of these systems as evidence of sub-par data security practices.

This suit follows the FTC’s 2014 victory in the Wyndham case, which validated the FTC’s authority to regulate data security. For more information on the Wyndham decision, see the Crowell Data Law blog post on the subject.
Continue Reading Privacy & Cybersecurity Weekly News Update – Week of July 24

Yesterday, Crowell & Moring hosted an International Association of Privacy Professionals (IAPP) KnowledgeNet featuring the Federal Trade Commission’s (FTC) new Chief Technologist, Lorrie Cranor.

In her short time at the FTC, Cranor has already made waves by encouraging companies to rethink mandatory password changes.  At the event, Cranor spoke about the focus of her

FTC Settles IoT Enforcement Action; HHS Releases HIPAA/NIST Crosswalk; HHS Provides FAQs on Patient Fees for PHI Release; Judicial Redress Act Becomes Law

FTC Identifies Reasonable Security Measures Through IoT Enforcement Action

The Federal Trade Commission (FTC) settled charges with ASUSTek Computer, Inc. (ASUS), a manufacturer of home router and home networking (or “home cloud”) equipment, related to the security of the devices. According to the settlement, ASUS advertised that its home routers and networking equipment could protect the connected computers “from any unauthorized access, hacking, and virus attacks.” The FTC alleged, however, that ASUS did not secure data in a reasonable way and instead exposed consumers to hackers. The settlement emphasizes the FTC’s interest in securing devices connected to the Internet of Things (IoT) and provides additional guidance regarding the FTC’s view of “reasonable” security.
Continue Reading Privacy & Cybersecurity Weekly News Update