AUTHOR ARCHIVES: Kate Hanniford

Kate Hanniford

Kate Hanniford is a member of the Technology & Privacy Group and Cybersecurity Preparedness & Response Team. She focuses her practice on cybersecurity counseling, as well as federal securities law compliance, enforcement, and litigation. Read more→

NYDFS Cybersecurity Requirements Compliance Deadline Nears for Key Provisions

Posted on: 16 Aug 2018

September 4, 2018 marks the end of the transitional period for covered entities to comply with several key provisions of the NYDFS Cybersecurity Requirements that require certain systemic and sustained measures. These provisions include the encryption and audit trail requirements as well as ones relating to the implementation of monitoring policies, procedures, and controls, application security, and data retention limitations. Encryption (500.15): The regulation requires covered entities to encrypt Nonpublic Information held or transmitted by a covered entity both in transit over external […] Read more

LabMD: The End of the FTC in Cyber or Just a New Path?

Posted on: 12 Jul 2018

The U.S. Court of Appeals for the Eleventh Circuit recently issued its opinion in LabMD, Inc. v. FTC, No. 16-16270 (11th Cir. June 6, 2018), declaring unenforceable a Federal Trade Commission (FTC) order requiring LabMD to implement an extensive cybersecurity plan. The case is noteworthy for its lengthy procedural background—during which time LabMD became defunct—and its holding, which has called into question the FTC’s authority to impose wide-ranging, comprehensive cybersecurity plans. The LabMD matter dates to 2005, when LimeWire file sharing software was installed on a company computer, […] Read more

Colorado Enacts Expanded Data Breach Notification Law

Posted on: 05 Jun 2018

Consistent with recent expansions to state data breach notification laws, Colorado recently enacted an expanded data privacy law that strengthens the state’s existing breach notification law and that requires policies and procedures concerning the protection and destruction of personal identifying information (“PII”).  The law applies to any individual or commercial entity that maintains, owns, or licenses “personal information” or PII, as applicable, in the course of its business, vocation, or occupation, and also contains largely identical provisions that apply to state and local governments.  […] Read more