cybersecurity

DOJ Releases “Best Practices for Victim Response and Reporting of Cyber Incidents,” Version 2.0

Written by

On September 27, 2018, the Department of Justice Computer Crime and Intellectual Property (CCIPS) Cybersecurity Unit released Version 2.0 of its “Best Practices for Victim Response and Reporting of Cyber Incidents.” Originally issued in 2015, the updated guidance seeks to help organizations better equip themselves to be able to respond effectively and lawfully to cyber incidents. The updated version distills insights from private and public sector experts, incorporating new incident response considerations in light of technical and legal developments in the past three years. While the guidance [...] Read more

SEC Brings First Enforcement Action for Violation of the Identity Theft Red Flags Rule

Written by and

On September 26, 2018, the SEC brought its first ever enforcement action for violations of Regulation S-ID (the “Identity Theft Red Flags Rule”), 17 C.F.R. § 248.201, in addition to violations of Regulation S-P, 17 C.F.R. 30(a) (the “Safeguards Rule”). Regulation S-ID and Regulation S-P apply to SEC-registered broker-dealers, investment companies, and investment advisers, and require those entities to maintain written policies and procedures to detect, prevent and mitigate identity theft, and to safeguard customer records and information, respectively. The SEC’s action against Voya Financial […] Read more

South Carolina Enacts Insurance Data Security Act

Written by

South Carolina recently enacted a prescriptive data security law for insurers. The law bears resemblance to the New York Department of Financial Services (NYDFS) cybersecurity rules that entered into force last year. In short, the South Carolina law requires licensees (defined below) to develop and implement a comprehensive written information security program (a “WISP”) and to notify the South Carolina Department of Insurance of certain cybersecurity events. Effective on January 1, 2019, the law includes extended deadlines for compliance with the requirement to implement a WISP (July 1, 2019) […] Read more

German DPA Announces GDPR Compliance Survey of Large Companies – Translation Provided

Written by

Following a two-year grace period, EU General Data Protection Regulation (GDPR) entered into force on May 25, 2018.  For many companies, preparing for the GDPR was a multi-year project involving multiple teams and input or assistance from across the organization.  On this blog, we have outlined the items we have seen as particularly time- or resource-intensive. On June 29, 2018, the Data Protection Authority (DPA) of the German state of Lower Saxony (Niedersachsen) announced it would be surveying GDPR compliance among companies under its jurisdiction.  Germany has 16 state-run DPAs with general [...] Read more

FBI Publishes its 2017 Internet Crime Report

Written by

The FBI recently published its 2017 Internet Crime Report highlighting trends and statistics compiled by the FBI’s Internet Crime Complaint Center (“IC3”) during 2017. The report compiles data from a total of 301,580 complaints which reported losses of over $1.4 billion. In addition to an explanation of the IC3’s history and operations, the report includes five “hot topics” from 2017: business email compromise (“BEC”), ransomware, tech support fraud, extortion, and the Justice Department’s Elder Justice Initiative. Business Email Compromise: This category of attack targets [...] Read more

Georgia Court of Appeals Reaffirms Lack of Duty to Safeguard Personal Information

Written by

The Georgia Court of Appeals recently reaffirmed its prior conclusion that there is no duty to safeguard personal information under Georgia law.  In McConnell v. Ga. Dep’t of Labor, --- S.E.2d ----, 2018 WL 2173252 (Ga. App. May 11, 2018), the Court of Appeals addressed whether a plaintiff whose social security number and other personal identifying information (“PII”) had allegedly been negligently disclosed by an employee of the Georgia Department of Labor stated a negligence claim in connection with the unauthorized disclosure. In urging that the Court of Appeals should recognize such [...] Read more

Lenovo Wins Second Motion to Dismiss in Adware Class Action

Written by

By Jay Repko A California district court recently dismissed—for the second time—consumer claims that technology giant Lenovo Inc. violated New York’s Deceptive Acts and Practices Statute by selling laptops with preinstalled VisualDiscovery software that allegedly invades users’ privacy and exposes users to security breaches.  In reaching this decision, Judge Haywood S. Gilliam, Jr. concluded that dismissal was warranted for two reasons: (i) the plaintiffs lacked standing and (ii) the plaintiffs failed to adequately allege actual damages. By its very terms, New York’s Deceptive [...] Read more

NIST Releases Updated Cyber Framework V1.1

Written by

On December 5, 2017, the National Institute of Standards and Technology (NIST) released a revised draft of its proposed updates to its Framework for Improving Critical Infrastructure Cybersecurity. The revised draft includes a new section on communicating with stakeholders about cybersescurity requirements, addresses stakeholder concerns regarding cybersecurity supply chain risk management and measuring cybersecurity risks and benefits, and addresses six new topics, including the Cyber-Attack Lifecycle. NIST has updated both the Framework and its accompanying Roadmap. The revised Framework includes [...] Read more

Eighth Circuit Affirms Dismissal of Scottrade Data Breach Suit

Written by

The United States Court of Appeals for the Eighth Circuit recently affirmed the district court’s dismissal of a putative class action brought by customers of the brokerage firm Scottrade in the wake of an alleged data breach impacting Scottrade in 2013.  The named plaintiffs had asserted several contract-based claims against Scottrade, alleging that Scottrade had violated its contractual obligations to take adequate steps to safeguard the personal identifying information (“PII”) of its customers. The Eighth Circuit first considered whether the plaintiffs had adequately alleged standing.  [...] Read more

Fourth Circuit Court of Appeals Allows Wikimedia Upstream Suit to Proceed

Written by

On May 23, 2017, the Fourth Circuit Court of Appeals issued its opinion on Wikimedia foundation v. NSA/CSS. The Court vacated and remanded the NSA’s previously successful motion to dismiss Wikimedia’s Fourth and First Amendment claims against the NSA’s Upstream surveillance program, while a 2-1 majority upheld the dismissal of the eight other organizations joined as co-plaintiffs. The Court held that Wikimedia’s complaint contained sufficient factual allegations to determine Article III standing and that the District Court misapplied Clapper v. Amnesty International USA’s analysis of [...] Read more