Category Archives: Data Breach

FTC’s Ability to Regulate Data Security Potentially Limited in FTC v. LabMD

A November 13, 2015 decision from the Federal Trade Commission’s Chief Administrative Law Judge, D. Michael Chappell, calls into question FTC enforcement in the data privacy space.  The case began when the FTC filed a complaint on August 28, 2013 after an employee of LabMD, a cancer detection laboratory, downloaded peer-to-peer (“P2P”) software that exposed patient information on the file sharing network (also known as “1718 File”). An online security firm named Tiversa found this file on a peer-to-peer file-sharing network in 2008 and used it to solicit work protecting LabMD’s data. The [...] Read more

Alston & Bird Partners Speak at NAWL General Counsel Institute

Kim Peretti, partner and co-chair of Alston & Bird’s Cybersecurity Preparedness & Response Team, and Allison Ryan, partner, were speakers in the session "The Role of In-House Counsel in Cybersecurity in Both the Pre- and Post-Breach Worlds" at the 11th Annual General Counsel Institute. The Institute took place November 5-6 in New York and was hosted by the National Association of Women Lawyers (NAWL). Predicting data breaches and cyber threats to a company’s network can be extremely difficult, if not impossible.  Today the in-house lawyer’s role in cybersecurity must begin [...] Read more

FFIEC Warns of Increase in Cyber Attacks Involving Extortion, Encourages Financial Institutions to Develop Response Programs

Last week, the Federal Financial Institutions Examination Council (FFIEC) issued a joint statement warning of an “increasing frequency and severity of cyber attacks involving extortion.” The statement warned that criminals have been extorting financial institutions using a variety of tactics, including denial of service attacks, theft of sensitive information, and use of “ransomware,” which is software that prevents legitimate users from accessing company files unless a ransom is paid. To protect against these attacks, the FFIEC encouraged financial institutions to “develop and implement [...] Read more

Jan Dhont Presents at Privacy + Security Forum

Jan Dhont, Brussels partner and head of the firm’s European Privacy and Data Protection practice, presented at the First Annual Privacy + Security Forum in Washington, DC on October 22.  Jan spoke on BCRs with specific focus on their interoperability with CBPRs.  The forum combined privacy and security, which often exist in separate silos.  The attendees included privacy professionals, security professionals, chief information officers, law firm attorneys, policymakers, academics, experts from NGOs and think tanks, and technologists. To review the presentation slides, please click here. [...] Read more

Kim Peretti to Speak at Today’s General Counsel Institute

Kim Peretti, partner and co-chair of Alston & Bird’s Cybersecurity Preparedness & Response Team, will speak at “The Exchange” Data Privacy and Cybersecurity Forum in Washington, DC from November 4-5. The forum is being presented by Today’s General Counsel Institute.  Kim will be presenting on the topic “Breach Response: What Do I Do Now?”  The session will cover: What skills and best practices do you need? External experts on retainer What is “reasonable”? Recovering from the inevitable loss of data How best to report breaches to the public? …to the government [...] Read more

Alston & Bird to Host Live Program and Webinar on National Security, Espionage, and Data Breaches

On October 29, Alston & Bird’s Cybersecurity Preparedness & Response Team will host a live program and webinar called National Security, Cyber Espionage and “Bulk PII” Breaches in our Washington, DC office.  The program will examine the recent phenomenon of allegedly state-sponsored actors executing major cyber-attacks specifically targeting large databases of personal data for espionage purposes.  Speakers on the panel will include our own Senior Counsel Peter Swire; Luke Dembosky, Deputy Assistant Attorney General, National Security Division, U.S. Department of Justice; and Charles [...] Read more

California Updates Data Breach Notification Statute; Provides Model Notification Form

On October 6, California Governor Jerry Brown signed into law two different updates to California’s data breach notification statute. Both updates will become effective on January 1, 2016. The first update, AB 964, defines "encrypted" for purposes of the statute to mean “rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information technology.” The second amendment to the statute this year, SB570, requires notices of data breaches that are sent to individuals to be titled “Notice of [...] Read more

PCI Security Standards Council Publishes Data Breach Response Guidance

The PCI Security Standards Council (PCI-SSC) has released new guidance on its website advising merchants how to deal with a data breach. The guidance particularly details when a PCI Forensic Investigator (PFI) will be required, and provides tips on making the PFI process go smoothly. The PCI-SSC states that “preparing for the worst is the best defense” by having an incident response plan. In addition, PCI-SSC advises limiting data exposure by isolating affected systems without turning them off, notifying necessary business partners (such as the payment brands and merchant banks) immediately [...] Read more

Alston & Bird Conducts Cybersecurity Preparedness and Response Training with Industry Experts

Alston & Bird’s Cybersecurity Preparedness and Response (CPR) team recently partnered with Stroz Friedberg and Brunswick Group to conduct a comprehensive, all-day breach preparedness and response training session for A&B team members.  Approximately 35 members of the firm participated in this in-person multi-disciplinary training session.  CPR team members shared their experiences and insight from the entire CPR lifecycle, from preparing incident response plans to dealing with card brands in PCI breaches and everything in between.  Given the intense and unannounced nature in which [...] Read more

Third Circuit Affirms FTC’s Authority to Regulate Data Security

On August 24, 2015, the Third Circuit affirmed U.S. District Court Judge Esther Salas’ April 2014 ruling in FTC v. Wyndham Worldwide Corp., et al. (“Wyndham”) that the FTC has the authority to regulate private companies’ cybersecurity practices under Section 5 of the FTC Act. (Prior blog posts on this case can be found here and here).  In this highly anticipated precedential opinion, the Court decided that Wyndham’s cybersecurity practices as alleged by the FTC fit the definition of “unfair” when compared with its stated security policies.  In doing so, the Court rejected Wyndham’s [...] Read more