FTC Settles With Retail Tracking Firm Regarding Alleged Opt-out Misrepresentation

On April 23, 2015, the FTC and Nomi Technologies, Inc. (“Nomi”) settled the FTC's misrepresentation charges related to Nomi's “Listen” service, a multiple sensor technology that allows retailers to measure consumers’ in-store movements. Nomi’s sensors track consumers as they browse physical stores. According to the complaint, “Nomi places sensors in its clients’ retail locations that detect the media access control (“MAC”) address broadcast by a mobile device when it searches for WiFi networks.” Nomi hashes the MAC addresses, but it creates and stores a persistent unique [...]

NAIC Publishes Principles for Effective Cybersecurity

The National Association of Insurance Commissioners (NAIC) Cybersecurity Task Force adopted Principles for Effective Cybersecurity Insurance Regulatory Guidance on April 16, 2015. The document identifies types of safeguards regulators expect insurers to have in place to protect consumers from cybersecurity breaches. The guiding principles are intended to establish insurance regulatory guidance that promotes coordination and protects insurance consumers. The principles themselves say that “[s]tate insurance regulators should collaborate with insurers, insurance producers and the federal government [...]

DOJ to Host Cybersecurity Roundtable on Data Breaches

On April 29, 2015, the Department of Justice’s Criminal Division will host a cybersecurity industry roundtable on data breaches. The event, which will include audience question and answer sessions, will focus on a range of recent industry developments. The event will feature a discussion of cybersecurity from the national security perspective by John P. Carlin, Assistant Attorney General in the National Security Division; a conversation on government-industry interaction featuring James C. Trainor, Acting Assistant Director of the Cyber Division at the FBI, and Stuart J. Tryon, Special Agent [...]

SEC Confirms Plans To Issue New Cybersecurity Disclosure Rules

According to Smeeta Ramarathnam, Chief of Staff to SEC Commissioner Luis Aguilar, the SEC is currently engaging in a comprehensive re-work of its investor disclosure rules, including with respect to rules bearing on cybersecurity incident disclosure. The SEC, which is formally tasked with overseeing issues that concern market integrity and disclosure of material information, revealed its plan to overhaul its disclosure rules during an April 23 panel at the 2015 RSA Conference in San Francisco, during which Ramarathnam stated that the SEC was entering “a time of great change” with respect to [...]

HHS Issues Guidance on HIPAA and Workplace Wellness Programs

On Thursday, April 16, 2015, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) issued guidance, consisting of two frequently asked questions (FAQs), on the application of the HIPAA Privacy, Security, and Breach Notification Rules to workplace wellness programs. HHS explains in one of the FAQs that the application of HIPAA to workplace wellness programs depends on whether the wellness program is offered as part of a group health plan for employees, or if it is offered independent of such a group health plan. If the wellness program is offered as a part [...]

FTC Proposes Settlement with Two Companies Over False Safe-Harbor Claims

On April 7, 2015, two U.S. companies agreed to settle Federal Trade Commission (“FTC”) allegations that they falsely claimed to be in compliance with the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework. In the concurrently filed complaints against TES Franchising, LLC (“TES”), a franchisee coaching business, and American International Mailing, a mail delivery company, the FTC accused the companies of violating Section 5 of the FTC Act by indicating on their websites that they were currently certified under the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe [...]

FCC Adopts Consent Order with AT&T Over Alleged Data Security Violations

The Federal Communications Commission (FCC) announced on April 8 that it had adopted a consent decree between its Enforcement Bureau and AT&T Services, Inc. (AT&T), including a civil penalty of $25 million and a requirement to adopt a comprehensive compliance plan, among other actions. The consent decree alleges that AT&T “failed to protect the confidentiality” of approximately 280,000 customers’ “sensitive personal information” and “account-related customer proprietary network information,” or “CPNI,” and questions whether AT&T made the necessary notifications [...]

Kim Peretti and Dominique Shelton Speaking at Georgetown’s 2015 Cybersecurity Law Institute

Kim Peretti and Dominique Shelton will be featured speakers at the 3rd Annual Cybersecurity Law Institute, hosted by Georgetown Law Continuing Legal Education, and co-sponsored by the American Bar Association Cybersecurity Legal Task Force, Bloomberg BNA, and the Center for Internet Security. The Institute, designed by a national advisory board of professionals, will be held on May 20-21, 2015. This two-day program is a highly-regarded event in the cybersecurity space and will provide in-house and outside counsel with the practical, pragmatic advice they need to effectively address today’s [...]

New York State Regulator to Examine Insurers on Cybersecurity Following Comprehensive Risk Assessments

On March 26, 2015, Benjamin Lawsky, Superintendent of the New York State Department of Financial Services (DFS), sent a letter to the CEOs, General Counsel, and Chief Information Officers of all insurers doing business in the state to inform them of a mandatory cybersecurity questionnaire and the initiation of targeted cybersecurity examinations. Approximately 160 insurers will be affected by the initiative. In the letter, Lawsky “encourages all [financial] institutions to view cyber security as an integral aspect of their overall risk management strategy, rather than solely as a subset [...]

FFIEC Issues Warnings on Malware and Cyber Attacks

The Federal Financial Institutions Examination Council (FFIEC) has issued two joint statements warning of specific cyber risks. The warnings, which were issued on March 30, 2015, address risks arising from destructive malware, which can destroy sensitive data, and cyber-attacks that compromise user credentials. In both statements, the FFIEC also provides guidance on how to mitigate these risks. The statement on destructive malware warns financial institutions about the increasing use of malware that successfully compromises databases and destroys the information or renders the system hosting [...]