Header graphic for print
Inside Privacy Updates on Developments in Global Privacy & Data Security from Covington & Burling LLP

Category Archives: Data Security

Subscribe to Data Security RSS Feed

Start With Security: Key Takeaways from the FTC’s Data Security Conference

Posted in Data Security, Emerging Technologies, Federal Trade Commission

By Lindsey Tonsager and Megan Rodgers The FTC held its “Start with Security” conference in San Francisco, California, last week, launching an initiative to provide companies with practical resources for implementing effective data security strategies. The event was targeted at tech start-ups and small- and medium-sized businesses, but the panelists included representatives from companies with… Continue Reading

UK Government Launches Cybersecurity Service For Healthcare Organizations

Posted in Cybersecurity, Data Breaches, Data Security, European Union, Health Privacy, United Kingdom

The UK government has announced a new national service providing expert cybersecurity advice to entities within the National Health Service (NHS) and the UK’s broader healthcare system.  The project, called CareCERT (Care Computing Emergency Response Team), is aiming for a full go-live in January 2016. 

Proposed Rule Would Amend Federal “Common Rule” Requirements

Posted in Data Security, Department of Health and Human Services, Health Privacy

On September 8, 2015, sixteen federal agencies published a long-awaited Notice of Proposed Rulemaking (NPRM) to modernize the Federal Policy for the Protection of Human Subjects, known as the “Common Rule.” The proposal, available here, includes a number of changes related to privacy and data security and other changes relevant to entities seeking to conduct… Continue Reading

Data Localization Requirements Through the Backdoor? Germany’s “Federal Cloud”, and New Criteria For the Use of Cloud Services by the German Federal Administration

Posted in Cloud Computing, Cybersecurity, Data Security, European Union, Sourcing, Technology Transactions

In May 2015, reports about the German government’s plans to establish federal German cloud infrastructure (the “Bundes-Cloud”) raised concerns about the possible introduction of data localization requirements (preventing the storage and processing of data outside Germany).  The criteria for the use of cloud services by Germany’s federal administration, which have recently been published, now give… Continue Reading

What You Need to Know About Germany’s Cybersecurity Law

Posted in Cybersecurity, Data Security, European Union

Whilst the discussions on the proposed Network and Information Security (NIS) Directive at European level are still ongoing (see Update on the Cybersecurity Directive − over to Luxembourg?, InsidePrivacy, June 12, 2015), less has been said about Germany new national Act to Increase the Security of Information Technology Systems (the “IT Security Law”).  The IT Security Law… Continue Reading

DoD Issues Interim Rule Addressing New Requirements for Cyber Incidents and Cloud Computing Services

Posted in Cloud Computing, Cybersecurity, Data Security, United States

By Susan Cassidy, Alex Sarria, Patrick Stanton, and Catlin Meade On August 26, 2015, the Department of Defense (DoD) issued an interim rule that significantly expands the obligations imposed on defense contractors and subcontractors to safeguard “covered defense information” and for reporting cyber incidents on unclassified information systems that contain such information.  The interim rule revises the… Continue Reading

FTC Releases Agenda for September 9th “Start with Security” Conference

Posted in Cybersecurity, Data Security, Federal Trade Commission, United States

By Megan L. Rodgers The FTC has announced its agenda and panelists for its conference on data security, which will be held on September 9, 2015 at University of California Hastings College of the Law, in San Francisco. This is the first in a series of conferences aimed at helping small- to medium-sized businesses protect… Continue Reading

Cybersecurity Risks with Connected Devices

Posted in Cybersecurity, Data Security, Health Privacy

By Bianca Nunes Cybersecurity vulnerability is becoming an increasing concern as medical devices are becoming more connected to the Internet, hospital networks, and other medical devices. As we previously reported, FDA has increasingly focused on promoting cybersecurity, recognizing that compromised medical devices can pose a risk to patient health and safety and to the confidentiality… Continue Reading

OMB Issues New Draft Cyber Guidance for Contractors

Posted in Cybersecurity, Data Security

By Susan Cassidy, Alex Sarria On August 11, 2015, the Office of Management and Budget (OMB) issued a draft guidance memorandum intended to improve cybersecurity protections in federal acquisitions. Specifically, the proposed memorandum provides direction to federal agencies on “implementing strengthened cybersecurity protections in Federal acquisitions for products or services that generate, collect, maintain, disseminate,… Continue Reading

Multistakeholder Group Seeks Comment on Draft Framework for IoT Device Manufactures

Posted in Advertising & Marketing, Data Security, Emerging Technologies, Mobile Online, Privacy Policies

Earlier this week, the Online Trust Alliance released a draft framework of best practices for Internet of Things device manufacturers and developers, such as connected home devices and wearable fitness and health technologies.  The OTA is seeking comments on its draft framework by September 14. The framework acknowledges that not all requirements may be applicable… Continue Reading

China Issues Draft Network Security Law

Posted in China, Cybersecurity, Data Security, International

By Ashwin Kaja* and Yan Luo Close on the heels of a sweeping new National Security Law, the Standing Committee of the National People’s Congress released last month for public comment a very significant draft Network Security Law (“Draft Law”), also referred to as the draft Cybersecurity Law. Since it came into power in 2012,… Continue Reading

Neiman Marcus Asks Full 7th Circuit to Consider Standing Ruling in Breach Suit

Posted in Data Breaches, Data Security, Litigation, United States

A Seventh Circuit panel that allowed a data breach suit against Neiman Marcus to proceed misapplied the Supreme Court’s precedents on standing and, “if allowed to stand, will impose wasteful litigation burdens on retailers and the federal courts,” the retailer argues in a petition filed yesterday asking the full Seventh Circuit to rehear the case…. Continue Reading

Fiat-Chrysler Recalls 1.4 Million Vehicles In Response to Security Vulnerability

Posted in Data Security

Last Friday, Fiat Chrysler announced the recall of 1.4 million vehicles to fix security vulnerabilities, further highlighting the importance of properly addressing cybersecurity issues created by the use of connected devices.  The recall follows an article published last Tuesday by Wired magazine which described methods used by security researchers to remotely access a Jeep Cherokee,… Continue Reading

Data Breach Plaintiffs Allege Enough Risk of Harm for Suit to Proceed, Appeals Court Rules

Posted in Data Breaches, Data Security, Litigation, United States

Neiman Marcus customers whose credit card information potentially was exposed in a 2013 breach of the retailer’s computer systems may proceed with their proposed class action lawsuit against the retailer, a federal appeals court ruled Monday. Neiman Marcus discovered in December 2013 that some of its customers had found fraudulent charges on their credit cards,… Continue Reading

Carriers Agree to $3.5 Million FCC Fine For Alleged Privacy Violations

Posted in Data Security, Federal Communications Commission, United States

In a consent decree adopted yesterday by the Federal Communications Commission, two telecommunications carriers — TerraCom, Inc., and YourTel America, Inc. — agreed to pay a $3.5 million civil penalty and adhere to a three-year compliance program to settle allegations that the carriers violated the federal Communications Act by failing to adequately protect “proprietary information”… Continue Reading

Senate Panel Debates Law Enforcement Access to Encrypted Communications

Posted in Cybersecurity

The Senate Judiciary Committee today held a hearing about the increased challenges that encryption poses for law enforcement. Government officials testified that advances in encryption technology make it more difficult for them to monitor communications, but there was little indication that lawmakers are prepared to require technology providers to ensure that law enforcement has backdoor… Continue Reading

FTC Releases “Start with Security” Guide to “Practical Lessons” From Data Security Enforcement Actions

Posted in Data Security, Federal Trade Commission

As part of its ongoing outreach efforts to educate businesses about the importance of data security practices, the FTC has released a list of “10 practical lessons” drawn from its previous data security enforcement actions.  The list, entitled “Start with Security: A Guide for Business,” acknowledged that the FTC’s 50-plus data security enforcement actions are… Continue Reading

Update on the Cybersecurity Directive – over to Luxembourg?

Posted in Cybersecurity, Data Breaches, Data Security, European Union

Next week we expect to find out if the Council of the EU will finally agree (“adopt a general approach”) on its version of the proposed General Data Protection Regulation (GDPR).  Progress with a “little brother” of the GDPR – namely the proposed Network and Information Security (NIS) Directive, tagged the Cybersecurity Directive – continues in parallel.  Before… Continue Reading

Cybersecurity Discussions at the 2015 G-7 Summit

Posted in Cybersecurity

On Monday, the 2015 G-7 Summit ended with the President and other Leaders of the G-7 focused generally on a wide range of economic, security, and development issues, and specifically discussing the energy sector’s cybersecurity posture.  According to the White House, the Leaders “launched a new cooperative effort to enhance cybersecurity of the energy sector… Continue Reading

May 2015 EU mHealth Round-Up

Posted in Data Security, European Union, Health Privacy, Mobile Online, United Kingdom

May 2015 saw a number of developments in the EU mHealth sector worthy of a brief mention.  The European Commission announced that it would work on new guidance for mHealth apps, despite the European Data Protection Supervisor and British Standards Institution publishing their own just weeks earlier.  In parallel, the French data protection authority announced… Continue Reading

Dutch Parliament Adopts Data Breach Notification Obligation and Increases Fines

Posted in Data Breaches, European Union

On May 26th, 2015, the Dutch Senate passed a new law (“the Law”) (legislative proposal, as adopted, is accessible here), which introduces an obligation to notify the Dutch DPA ‘without delay’ in case of a data breach.  The law also broadens the powers of the Dutch DPA, enabling it to impose significantly higher fines for… Continue Reading

FTC Highlights Importance of Post-Breach Cooperation with Law Enforcement

Posted in Cybersecurity, Data Breaches, Data Security, Federal Trade Commission

Yesterday, the FTC published a blog post outlining what companies should expect if they find themselves as the subject of an FTC data security investigation.  In addition to highlighting the different phases of the FTC’s investigative process, the FTC’s discussed the types of information that it seeks as well as the questions it wants answered. … Continue Reading