On May 3, 2022, the European Commission published a proposed regulation (the “EHDS Proposal”) for the establishment of a European Health Data Space (or “EHDS”). This is the first proposal for establishing domain-specific common European data spaces following the European strategy for data and an important step in building a European “Health Union”.

In short, the

Russians Hack Clinton Campaign System; FTC: LabMD Liable in Data Security Suit; EU Member States issue statement on Privacy Shield; NIS Directive published – Implementation into national law by May 2018; EU Data Protection Supervisor: e-Privacy directive should meet GDPR-requirements.

Clinton Campaign Data Breach brings data security into 2016 campaign yet again

On July 29, an F.B.I. official told the New York Times that computer systems used by the Clinton presidential campaign were hacked in the latest in a string of cybersecurity attacks targeting political entities. The Times noted the attacks appeared to have been carried out by the Russian intelligence services. These revelations follow news of similar attacks carried out earlier in the summer, including a Russian government hack of the Democratic National Committee’s computer network. Investigations into both attacks are ongoing.

FTC Reasserts Data Security Enforcement Powers in suit against LabMD

Late last week, the FTC issued its long-awaited final order in its investigation of LabMD’s alleged unfair data security practices. FTC filed charges against LabMD, a clinical laboratory used by physicians, for allegedly failing to protect sensitive personal information for over 750,000 patients. An ALJ had earlier dismissed FTC’s charges, holding that LabMD’s data security practices failed to cause substantial consumer injury. The Commission unanimously reversed that decision.

FTC claimed that LabMD “lack[ed] even basic precautions to protect . . . sensitive consumer information maintained on its computer system. Among other things, it failed to use an intrusion detection system or file integrity monitoring; neglected to monitor traffic coming across its firewalls; provided essentially no data security training to its employees; and never deleted any of the consumer data it had collected.” Firms collecting personal information should note that future FTC enforcement is likely to cite the absence of any of these systems as evidence of sub-par data security practices.

This suit follows the FTC’s 2014 victory in the Wyndham case, which validated the FTC’s authority to regulate data security. For more information on the Wyndham decision, see the Crowell Data Law blog post on the subject.