Cybersecurity

FTC Publishes Report Regarding Privacy Workshop

Written by

In October 2018, the Federal Trade Commission (“FTC”) published a report that summarized discussions at a December 2017 workshop discussing the potential impact to consumers of privacy and security incidents. The purpose of the workshop was to explore whether government intervention in this arena is warranted under the enforcement authority granted to the FTC under the FTC Act, 15 U.S.C. § 41 et seq. The report reveals that the workshop participants identified several types of potential impacts that they believe consumers may face in the wake of a data security incident that could warrant [...] Read more

Are You Ready for Canada’s New Privacy Breach Rules?

Written by

Mandatory privacy breach notification, reporting and record-keeping obligations under Canada’s federal data protection law called the Personal Information Protection and Electronic Documents Act (PIPEDA) will come into force as of November 1, 2018. Earlier this year, the Canadian government published new privacy-related obligations under PIPEDA.  PIPEDA applies to private-sector organizations and sets the ground rules for how businesses must handle personal information in the course of commercial activity.  The new obligations present challenges to organizations, requiring an additional [...] Read more

SEC Investigative Report Cautions Public Companies to Consider Cyber Threats When Implementing Internal Accounting Controls

Written by and

The Securities and Exchange Commission issued an investigative report last week cautioning public companies to consider cyber incidents and threats when implementing internal accounting controls.  The report details the SEC Enforcement Division’s investigations of nine public companies that were victims of cyber-related fraud schemes to determine whether the companies may have violated the federal securities laws by failing to maintain a sufficient system of internal accounting controls.  Based on the investigations, the report concludes that public companies’ internal accounting controls […] Read more

DOJ Releases “Best Practices for Victim Response and Reporting of Cyber Incidents,” Version 2.0

Written by

On September 27, 2018, the Department of Justice Computer Crime and Intellectual Property (CCIPS) Cybersecurity Unit released Version 2.0 of its “Best Practices for Victim Response and Reporting of Cyber Incidents.” Originally issued in 2015, the updated guidance seeks to help organizations better equip themselves to be able to respond effectively and lawfully to cyber incidents. The updated version distills insights from private and public sector experts, incorporating new incident response considerations in light of technical and legal developments in the past three years. While the guidance [...] Read more

SEC Brings First Enforcement Action for Violation of the Identity Theft Red Flags Rule

Written by and

On September 26, 2018, the SEC brought its first ever enforcement action for violations of Regulation S-ID (the “Identity Theft Red Flags Rule”), 17 C.F.R. § 248.201, in addition to violations of Regulation S-P, 17 C.F.R. 30(a) (the “Safeguards Rule”). Regulation S-ID and Regulation S-P apply to SEC-registered broker-dealers, investment companies, and investment advisers, and require those entities to maintain written policies and procedures to detect, prevent and mitigate identity theft, and to safeguard customer records and information, respectively. The SEC’s action against Voya Financial […] Read more

Ohio Enacts Cybersecurity Safe Harbor Law

Written by

Ohio recently enacted the Ohio Data Protection Act (2018 SB 220), a law that offers a breach litigation safe harbor to businesses meeting specific cybersecurity standards. While the law does not prevent a plaintiff from filing a lawsuit following a data breach, it does provide an affirmative defense to companies defending themselves against such claims. If an entity’s data security policies conform to one of several listed cybersecurity frameworks, the entity can invoke the safe harbor as a defense, and possibly defeat a tort claim alleging that the company’s failure to comply with reasonable […] Read more

South Carolina Enacts Insurance Data Security Act

Written by

South Carolina recently enacted a prescriptive data security law for insurers. The law bears resemblance to the New York Department of Financial Services (NYDFS) cybersecurity rules that entered into force last year. In short, the South Carolina law requires licensees (defined below) to develop and implement a comprehensive written information security program (a “WISP”) and to notify the South Carolina Department of Insurance of certain cybersecurity events. Effective on January 1, 2019, the law includes extended deadlines for compliance with the requirement to implement a WISP (July 1, 2019) […] Read more

NYDFS Cybersecurity Requirements Compliance Deadline Nears for Key Provisions

Written by

September 4, 2018 marks the end of the transitional period for covered entities to comply with several key provisions of the NYDFS Cybersecurity Requirements that require certain systemic and sustained measures. These provisions include the encryption and audit trail requirements as well as ones relating to the implementation of monitoring policies, procedures, and controls, application security, and data retention limitations. Encryption (500.15): The regulation requires covered entities to encrypt Nonpublic Information held or transmitted by a covered entity both in transit over external [...] Read more

LabMD: The End of the FTC in Cyber or Just a New Path?

Written by

The U.S. Court of Appeals for the Eleventh Circuit recently issued its opinion in LabMD, Inc. v. FTC, No. 16-16270 (11th Cir. June 6, 2018), declaring unenforceable a Federal Trade Commission (FTC) order requiring LabMD to implement an extensive cybersecurity plan. The case is noteworthy for its lengthy procedural background—during which time LabMD became defunct—and its holding, which has called into question the FTC’s authority to impose wide-ranging, comprehensive cybersecurity plans. The LabMD matter dates to 2005, when LimeWire file sharing software was installed on a company computer, [...] Read more

Oregon and Arizona Amend Breach Notification Laws

Written by

Amended breach notification laws recently took effect in Oregon or will soon take effect in Arizona. In both cases, the amended laws heighten existing requirements and reflect broader trends in the breach notification landscape at the state level, including by expanding the scope of “personal information” that triggers notification and requiring notification within a specified timeframe. In Oregon’s case, the amendments supplement already-existing data security requirements for companies the handle the personal data of Oregon residents. Oregon Broadened Definition of Personal Information Like [...] Read more