Author Archives: Justin Hemmings

Justin Hemmings
Justin Hemmings is an associate in Alston & Bird’s Technology practice and Cybersecurity Preparedness & Response Team. He focuses his practice on cybersecurity, data security and information privacy.  Read More

Swire Discusses European Data Economy at European Political Strategy Centre Policy Hearing

Written by
Peter Swire, Alston & Bird Senior Counsel and Nancy J. and Lawrence P. Huang Professor of Law and Ethics at the Georgia Institute of Technology’s Scheller College of Business, recently participated in a policy hearing held by the European Political Strategy Centre, the in-house think tank of the European Commission. Swire joined five other experts in answering a series of questions posed by the Centre’s moderators on how Europe can build its data economy to compete globally, protect fundamental privacy rights, and guard against anti-competitive behavior. In his remarks, Swire pointed [...] Read more

New York High Court Denies Facebook’s Challenge of Bulk Stored Communications Act Warrants

Written by
The Court of Appeals for the State of New York recently rejected Facebook’s appeal of its challenge to bulk search warrants issued pursuant to the Stored Communications Act (SCA) and separately challenged the warrants’ nondisclosure component. The Court affirmed the lower court’s ruling that Facebook could not appeal the rejection of its motion to quash the SCA warrant. In this case, at the request of the Manhattan District Attorney’s Office, the New York Supreme Court issued 381 warrants directing Facebook to “retrieve, enter, examine, copy, analyze, and . . . search” the targeted [...] Read more

New York Attorney General Announces Record Number of Data Breach Notices in 2016

Written by
On March 21, 2017, New York Attorney General (NYAG) Eric T. Schneiderman announced that his office had received a record breaking 1,282 data breach notices to his office affecting 1.6 million New York residents during 2016. Compared to 2015, these figures represent a 60 percent increase in the number of notices and a 300 percent increase in the number of New York residents affected. These research figures build on the NYAG’s 2014 report “Information Exposed: Historical Examination of Data Security in New York State,” which analyzed eight years of security breach statistics in New York from [...] Read more

WP29 Issues Guidance on the Right to Data Portability under the GDPR

Written by
Late last week, the Article 29 Working Party (“WP29”) issued detailed guidance on companies’ obligations under three key provisions of the General Data Protection Regulation ("GDPR").  This is part two of a three-part Alston & Bird series evaluating WP29's positions, and relates to the Right of Data Portability for data subjects and its obligations for data controllers.  Part 1 deals with Data Protection Officer obligations, under the GDPR, while part 3 analyzes guidance on the Lead Supervisory Authority mechanism. Article 20 of the GDPR creates a new right to data portability [...] Read more

D.C. Circuit Holds CFPB is Unconstitutionally Constructed; Removes For-Cause Removal Protection from CFPB Director

Written by
On Tuesday, October 11, 2016, the D.C. Circuit Court issued its opinion in PHH Corp. v. Consumer Financial Protection Bureau, holding that the Consumer Financial Protection Bureau (CFPB) was unconstitutionally structured. In the majority opinion, Judge Kavanaugh described the position of CFPB Director as, in terms of unilateral authority, “the single most powerful official in the entire U.S. Government, other than the President.” (Maj. Opinion at 27). The Court’s ruling severs the for-cause removal protection provision for the Director from the Dodd-Frank Act, repositioning the CFPB as an [...] Read more

Report Suggests Organizations Still Vulnerable to Credential Management and Network Segmentation Attacks

Written by
The Multi-State Information Sharing and Analysis Center (MS-ISAC) published its 2016 mid-year review on August 22, 2016, highlighting large incidents of malware infections, with particular emphasis on ransomware and click fraud malware.  In contrast to the MS-ISAC report, however, an August 2016 report suggests most organizations would benefit from addressing issues of credential management and network segmentation.  The report is based on data collected over the course of 100 internal penetration tests (i.e., tests assuming one user on the network has already had their account compromised) on [...] Read more

FTC seeks public comment on Safeguards Rule and proposed changes

Written by
On August 29, 2016, the FTC announced it is seeking public comment on its Safeguards Rule as part of a systematic review of all FTC rules and guides. The Safeguards Rule came into force in 2003 after the Gramm-Leach-Bliley Act (GLBA) required that the FTC and other agencies establish administrative, technical, and physical information security standards for financial institutions. Of particular note is the FTC’s call for comments on whether it should reference or incorporate other standards, such as PCI-DSS or NIST standards, which may signal a shift from the FTC’s previous resistance toward [...] Read more

FTC Overrules LabMD Dismissal, Finds Unfair Data Security Practices

Written by
The FTC issued an Opinion and Final Order reversing the previously dismissed charges against LabMD on July 29.  FTC Administrative Law Judge (ALJ) D. Michael Chappell had dismissed the case against LabMD on November 13, 2015 based on an insufficient showing of harm, as required to find an act or practice unfair under § 5 of the FTC Act (15 U.S.C. § 45(n)).  In overturning the ALJ’s Initial Decision, the FTC clarified its view of the proper standard for unfairness under § 5.  The FTC further detailed specific security failings of LabMD and signaled the importance of timely and effective [...] Read more