Inside Privacy Updates on Developments in Global Privacy & Data Security from Covington & Burling LLP

Category Archives: Data Security

FDA Releases Final Guidance on Cybersecurity in Medical Devices, Public Workshop to Follow on October 21-22, 2014

Posted in Cybersecurity, Data Security, United States

On October 2, 2014, the Food and Drug Administration (FDA) released a final guidance document titled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices”.  The FDA said that the “need for effective cybersecurity to assure medical device functionality and safety has become more important with the increasing use of wireless, Internet- and… Continue Reading

New Jersey Legislature Considers Additional Protections for Car “Black Box” Data

Posted in Data Security

By Caleb Skeath

You’ve added a passcode to your phone, checked your social network privacy settings (twice), and kept close tabs on the cookies in your web browser. But have you ever thought closely about the information your car collects about you? New Jersey legislators are debating two identical bills that would provide additional safeguards… Continue Reading

Department of Justice Clears Cybersecurity Information Sharing Platform

Posted in Cybersecurity

By David Fagan and Sumon Dantiki

Last week the Antitrust Division of the Department of Justice (“DOJ”) issued a business review letter in response to a request by CyberPoint International LLC (“CyberPoint”). At issue in the request was whether a proposed cyber threat information sharing system among possible competitors (“the TruSTAR platform”) raised antitrust concerns. … Continue Reading

California Amends Data Breach Legislation

Posted in Data Breaches, Data Security, State Legislatures

Continuing our coverage of the flurry of bills signed into law by California Governor Jerry Brown last week, we turn now to AB 1710, an amendment to California’s data breach legislation. The data breach amendment makes three notable changes to existing laws regarding personal information privacy: 1.  Requires Companies that Maintain Personal Information to Implement… Continue Reading

Ponemon Institute Releases Second Annual Study on Data Breach Preparedness

Posted in Data Breaches, Data Security

The second annual study on data breach preparedness was released by the Ponemon Institute on September 24, and the study indicates that the number of companies that have had a data breach is on the rise. Ponemon Institute conducts independent research on privacy, data protection, and information security policy.  For the September 2014 study, Is… Continue Reading

ISO’s New Cloud Privacy Standard

Posted in Cloud Computing, Data Security, European Union, International

This summer, the International Standards Organization (ISO) adopted a new voluntary standard governing the processing of personal data in the cloud — ISO 27018.  Although this recent development has gone mostly unnoticed by the technology and media press to date, the new cloud standard provides a useful privacy compliance framework for cloud services providers that… Continue Reading

Client Event: “Data Protection & Privacy Law – 2nd Edition,” September 23, 2014

Posted in Cybersecurity, Data Breaches, Data Security, United States

Covington will be hosting a book launch for the 2014 title ‘Data Protection & Privacy Law 2nd Edition’, edited by Monika Kuschewsky, in partnership with The European Lawyer (Thomson Reuters) on September 23, 2014 in Brussels. The event will comprise a half-day workshop followed by a drinks reception. We are pleased to confirm that the… Continue Reading

FTC Settlement Requires Fandango and Credit Karma to Establish Comprehensive Security Programs to Protect Consumers’ Sensitive Personal Information

Posted in Cybersecurity, Data Breaches, Data Security, Federal Trade Commission, Financial Privacy, Privacy Policies

The Federal Trade Commission (“FTC”) has approved final orders settling charges against Fandango and Credit Karma that the companies misrepresented the security of their mobile apps and failed to protect the transmission of consumers’ sensitive personal information.  The FTC specifically alleged that, although the companies made security promises to consumers that their information was adequately… Continue Reading

Federal Trade Commission Releases Report on Mobile Shopping Apps: Finds Insufficient Disclosures to Consumers

Posted in Data Security, Emerging Technologies, Federal Trade Commission, Financial Privacy, Privacy Policies, Technology Transactions

Today, the Federal Trade Commission (“FTC”) issued a staff report examining the consumer-protection implications of popular shopping apps.  These services are intended to ease and enhance the shopping experience by allowing consumers to, for example, compare prices in-store across retailers, collect and redeem deals, or pay for purchases while shopping in brick-and-mortar stores.  The FTC… Continue Reading

Federal Appellate Court to Consider FTC Data Security Authority

Posted in Data Security, Federal Trade Commission, United States

The U.S. Court of Appeals for the Third Circuit this week agreed to consider whether the Federal Trade Commission has the authority to regulate companies’ data security practices. On Tuesday, the Third Circuit granted Wyndham Hotel and Resorts’ petition for interlocutory review of Judge Esther Salas’s denial of a motion to dismiss an FTC lawsuit… Continue Reading

House of Representatives Passes Three Cybersecurity Bills

Posted in Congress, Cybersecurity, Uncategorized, United States

By David Fagan, Richard Hertling, and Sumon Dantiki

On July 28, 2014, the U.S. House of Representatives (“House”) passed three cybersecurity bills, the National Cybersecurity and Critical Infrastructure Protection Act of 2014 (H.R. 3696) (“NCCIP Act”), the Critical Infrastructure Research and Development Advancement Act (H.R. 2952) (“CIRDA Act”), and the Homeland Security Cybersecurity Boots-on-the-Ground Act… Continue Reading

Florida Enacts Stringent Breach Notice Law

Posted in Data Breaches, Data Security, State Legislatures, United States

Last Friday, Florida’s governor signed into law the Florida Information Protection Act of 2014 (“FIPA”), a bill repealing Florida’s existing data security breach notice law and replacing it with what will be one of the nation’s most stringent breach notice laws.  This post summarizes the key aspects of the new law, which becomes effective July… Continue Reading

Senate Subcommittee Examines Online Advertising and Security

Posted in Congress, Cybersecurity, Data Security, United States

Yesterday, the U.S. Senate Permanent Subcommittee on Investigations held a hearing on “Online Advertising and Hidden Hazards to Consumer Security and Data Privacy.”  The hearing was based on a year-long investigation into a broader set of issues related to consumer privacy and security on the Internet, which narrowed over time to focus specifically on the… Continue Reading

When are Public Companies Required to Disclose that They Have Experienced a Material Data Security Breach?

Posted in Cybersecurity, Data Breaches, Data Security, United States

Recent discoveries of data security breaches have raised a perennial question for public companies:  are public companies required by law or practice to provide material updates to their investors when bad things happen?  The answer can be quite surprising.  Disclosure at the Time of the Event As a threshold matter, federal securities law does not… Continue Reading

Snapchat Settles FTC Charges

Posted in Advertising & Marketing, Data Security, Federal Trade Commission, Mobile, Social Media

On Thursday, mobile messaging application Snapchat agreed to settle Federal Trade Commission (“FTC”) charges that it made false or misleading representations about the ephemeral nature of its messages, the collection of user information, and the nature of its security practices. The FTC Complaint alleges six counts, many of which demonstrate the Commission’s aggressive enforcement of… Continue Reading

Data Breaches on the Rise in 2014

Posted in Cybersecurity, Data Breaches, Data Security, International, United States

More than 200 million records were lost in digital breaches during the first three months of 2014, according to a new report that parses publicly available information on data breaches.   The records were lost in connection with at least 254 publicized breaches, according to SafeNet, a data security company that published the report. Those numbers… Continue Reading

European Regulators Set Out Data Anonymization Standards

Posted in Data Security, European Union

By Kristof van Quathem and Dan Cooper

On April 10, 2014, the Article 29 Working Party adopted an Opinion on anonymization techniques. The Working Party accepts that anonymization techniques can help individuals and society reap the benefits of “open data” initiatives – initiatives intended to make various types of data more freely available – while… Continue Reading

Ten Things You Should Know About the SEC’s New Cybersecurity Examinations

Posted in Cybersecurity, Data Breaches, Data Security, Financial Institutions, Financial Privacy

Last week, the Securities and Exchange Commission announced that it will conduct more than 50 cybersecurity examinations to identify risks and ensure that broker-dealers and investment advisers are adequately protecting customer information.  Below are some key takeaways from the Risk Alert that the SEC’s Office of Compliance Inspections and Examinations released with its announcement:

DHS Announces Reconsideration Process for “Critical Infrastructure at Greatest Risk”

Posted in Cybersecurity, United States

Executive Order 13,636 on Improving Critical Infrastructure Cybersecurity directed the Secretary of Homeland Security to identify “critical infrastructure at greatest risk” within 150 days after issuance of the Order on February 12, 2013.  Section 9 of the Order specified that the Secretary, in consultation with sector-specific agencies, should “use a risk-based approach to identify critical… Continue Reading

Kentucky Enacts Data Breach Notification Law

Posted in Data Breaches, Data Security, United States

Last week, Kentucky governor Steve Beshear signed H.B. 232 into law, making Kentucky the 47th state to enact data breach notification legislation.  The law requires companies that suffer a data breach to provide notice of the breach to Kentucky residents “whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”… Continue Reading

Breaking Down the Court’s Decision in FTC v. Wyndham Worldwide Corp.

Posted in Cybersecurity, Data Security, Federal Trade Commission, Litigation, United States

Last week, a federal judge in the District of New Jersey denied Wyndham Hotels and Resorts’ motion to dismiss the FTC’s complaint alleging Wyndham violated the FTC Act by failing to provide reasonable security for its customers’ personal information.  This Covington E-Alert provides a detailed look at the parties’ arguments and the court’s holdings in… Continue Reading

DOJ and FTC Issue Antitrust Policy Statement on Sharing of Cybersecurity Information

Posted in Cybersecurity, United States

On April 10, 2014, the U.S. Department of Justice (“DOJ”) and the Federal Trade Commission (“FTC”) issued a joint “Antitrust Policy Statement on Sharing of Cybersecurity Information.” Information sharing between the government and the private sector and among private sector entities has been a major consideration in ongoing legislative and executive branch efforts to address… Continue Reading

Iowa Amends Breach Notice Law to Require Notice to State AG

Posted in Data Breaches, Data Security, United States

Iowa’s governor recently signed into law S.F. 2259, which amends Iowa’s data breach notification law.  Under the amendment, entities that suffer breaches of personal information that are required to notify more than 500 state residents will also be required to notify the state’s attorney general.  The notice to the attorney general must be provided within… Continue Reading