New York State Financial Services Regulator Issues Proposed Cybersecurity Regulations

On September 13, 2016, Governor Andrew Cuomo announced the issuance of proposed “first-in-the-nation” cybersecurity regulations for entities regulated by the New York Department of Financial Services (DFS), including jurisdictional banks, insurance companies, and other financial institutions. The proposed regulation will be subject to a 45-day comment period prior to being issued as a final rule. Once finalized, the regulation would become effective on January 1, 2017, at which point a 180-day “transitional period” would go into effect, during which entities would need to come into compliance [...]

German DPA Publishes First Privacy Shield Guidelines, Requires German-Law Contracts for Transfers

On June 7, 2016, the European Commission adopted the US-EU Privacy Shield. Companies that self-certify under Privacy Shield with the US Department of Commerce – dubbed “Privacy Shield organizations” – are thus officially recognized by the EU as providing an adequate level of protection for data transferred from the EU. As a result, Privacy Shield organizations may in principle freely receive transfers of personal data from the EU. (For more information on Privacy Shield, visit our Privacy Shield FAQs.) One question that many organizations had following Privacy Shield’s adoption [...]

Centers for Medicare and Medicaid Services Issues Emergency Preparedness Requirements That Address Cyber-Attacks

The Centers for Medicare and Medicaid Services (“CMS”) issued a final rule on September 8, 2016 establishing national emergency preparedness requirements for providers and suppliers participating in Medicare and Medicaid in response to “inconsistency in the level of emergency preparedness amongst healthcare providers.” The rule will be officially published in the Federal Register on September 16, 2016, and providers and suppliers subject to the rule must comply by November 15, 2017. Notably, CMS describes cyber-attacks as a potential risk to assess when implementing the emergency [...]

Report Suggests Organizations Still Vulnerable to Credential Management and Network Segmentation Attacks

The Multi-State Information Sharing and Analysis Center (MS-ISAC) published its 2016 mid-year review on August 22, 2016, highlighting large incidents of malware infections, with particular emphasis on ransomware and click-fraud malware. In contrast to the MS-ISAC report, however, an August 2016 report suggests most organizations would benefit from addressing issues of credential management and network segmentation. The report is based on data collected over the course of 100 internal penetration tests (i.e., tests assuming one user on the network has already had their account compromised) on [...]

Eighth Circuit Decision Interpreting Spokeo Shows Impact of Supreme Court Decision on Privacy Actions

In issuing its decision in Braitberg v. Charter Communications, the Eighth Circuit recently became the first federal appellate court to issue a published opinion interpreting Spokeo and, as predicted, shows that the Supreme Court’s ruling will have a significant impact on the viability of privacy-related claims. In Braitberg, the plaintiff alleged that Charter indefinitely retained consumer data in violation of the Cable Communications Policy Act. The plaintiff did not allege any “actual injury”; instead, the plaintiff argued that a violation of the statute alone was sufficient to establish [...]

Austrian Supreme Court Refers Schrems Consumer Class Action to ECJ

Just under a year ago, the European Court of Justice (ECJ) issued its Schrems decision, which invalidated Safe Harbor and led to substantial developments in US-EU data-transfer mechanisms. In parallel to the ECJ Safe Harbor litigation, Mr. Schrems has maintained two further legal proceedings in the EU: (1) a challenge in the Irish courts to the EU Standard Contractual Clauses, which permit data to be transferred internationally between contract parties; and (2) an attempt to certify an EU-wide consumer class action before the Austrian courts. Today, the Austrian Supreme Court took a major [...]

FTC Seeks Public Comment on Safeguards Rule and Proposed Changes

On August 29, 2016, the FTC announced it is seeking public comment on its Safeguards Rule as part of a systematic review of all FTC rules and guides. The Safeguards Rule came into force in 2003 after the Gramm-Leach-Bliley Act (GLBA) required that the FTC and other agencies establish administrative, technical, and physical information security standards for financial institutions. Of particular note is the FTC’s call for comments on whether it should reference or incorporate other standards, such as PCI DSS or NIST standards, which may signal a shift from the FTC’s previous resistance toward [...]

German DPAs to Create Model Processing Records for GDPR Compliance

On May 25, 2018, the EU General Data Protection Regulation (GDPR) enters into force. One of the major changes the GDPR introduces is a duty for in-scope controllers and processors to maintain written records of processing activities. Under Article 30 GDPR, companies will need to inventory all “processing activities under [their] responsibility” and memorialize them in a written record setting forth, inter alia, the purposes of processing operations, international transfers, and retention periods. Companies must provide their processing records (sometimes informally referred to as a “processing [...]

Department of Commerce Announces First Privacy Shield Participants

Over the weekend, the Department of Commerce’s Privacy Shield website was updated to show the first participants in the U.S.-EU Privacy Shield. In total, about 45 companies have registered for Privacy Shield. Prominent examples include Microsoft Corp. (along with 20 subsidiaries), Salesforce, and corporate-travel giant World Travel, Inc. Companies with questions about Privacy Shield are welcome to visit our detailed Privacy Shield FAQs. Alston & Bird is closely following the development of Privacy Shield and advising companies on all aspects of EU data protection compliance. [...]

FTC Overrules LabMD Dismissal, Finds Unfair Data Security Practices

The FTC issued an Opinion and Final Order reversing the previously dismissed charges against LabMD on July 29. FTC Administrative Law Judge (ALJ) D. Michael Chappell had dismissed the case against LabMD on November 13, 2015, based on an insufficient showing of harm, as required to find an act or practice unfair under § 5 of the FTC Act (15 U.S.C. § 45(n)). In overturning the ALJ’s Initial Decision, the FTC clarified its view of the proper standard for unfairness under § 5. The FTC further detailed specific security failings of LabMD and signaled the importance of timely and effective [...]