August 2015

By Susan Cassidy and Alex Sarria

On August 26, 2015, the Department of Defense (DoD) issued an interim rule that significantly expands the obligations imposed on defense contractors and subcontractors to safeguard “covered defense information” and for reporting cyber incidents on unclassified information systems that contain such information.  The interim rule revises the Defense Federal

As part of its broader effort to develop a “Do Not Track” (DNT) web browser privacy standard, the World Wide Web Consortium (“W3C”), an international organization that develops Internet standards, recently released a draft of one technical component of the standard to gather implementation experience from the developer community.
Continue Reading Web Standards Group Releases Candidate Recommendation As Part of Broader “Do Not Track” Review

The Third Circuit released its decision in FTC v. Wyndham Worldwide Corp. earlier today, affirming the district court’s decision that the FTC has the authority to regulate companies’ data security practices under the “unfair practices” prong of Section 5 of the FTC Act.  The highly anticipated precedential opinion dismissed Wyndham’s arguments that the FTC lacks the authority to regulate cybersecurity practices, finding instead that neither Congressional legislation nor the FTC’s prior statements contradicted the FTC’s attempts to assert its cybersecurity powers.  The court also held that Wyndham received fair notice of the potential application of the unfairness standard under Section 5 to data security practices, rejecting Wyndham’s argument that it should receive notice of which specific cybersecurity practices are required to satisfy the Section 5 standard.  Finally, the court held that the FTC sufficiently alleged a “substantial injury” to consumers, as required under Section 5’s unfairness prong.  An analysis of the highlights of the Third Circuit’s opinion is available after the jump.
Continue Reading Third Circuit Upholds FTC’s Data Security Authority in FTC v. Wyndham

By Megan L. Rodgers

The FTC has announced its agenda and panelists for its conference on data security, which will be held on September 9, 2015 at University of California Hastings College of the Law, in San Francisco.

This is the first in a series of conferences aimed at helping small- to medium-sized businesses protect

Cybersecurity vulnerability is becoming an increasing concern as medical devices are becoming more connected to the Internet, hospital networks, and other medical devices. As we previously reported, FDA has increasingly focused on promoting cybersecurity, recognizing that compromised medical devices can pose a risk to patient health and safety and to the confidentiality of personal medical information. In addition, the National Institute of Standards and Technology (NIST) has recently provided a draft practice guide for securing health records maintained on mobile devices.
Continue Reading Cybersecurity Risks with Connected Devices

By Susan Cassidy, Alex Sarria

On August 11, 2015, the Office of Management and Budget (OMB) issued a draft guidance memorandum intended to improve cybersecurity protections in federal acquisitions. Specifically, the proposed memorandum provides direction to federal agencies on “implementing strengthened cybersecurity protections in Federal acquisitions for products or services that generate, collect, maintain, disseminate,

Earlier this week, the Online Trust Alliance released a draft framework of best practices for Internet of Things device manufacturers and developers, such as connected home devices and wearable fitness and health technologies.  The OTA is seeking comments on its draft framework by September 14.

The framework acknowledges that not all requirements may be applicable

By Ashwin Kaja* and Yan Luo

Close on the heels of a sweeping new National Security Law, the Standing Committee of the National People’s Congress released last month for public comment a very significant draft Network Security Law (“Draft Law”), also referred to as the draft Cybersecurity Law.

Since it came into power in 2012, China’s current leadership has attached an unprecedented level of attention to network security, which it sees as a core aspect of national security. Marking the establishment of a new Central Leading Group for Cyberspace Affairs in 2014 that he himself would lead, President Xi Jinping declared that “network security and informatization are key strategic issues related to national security and development,” and that “national security no longer exists without network security.” President Xi went on, in those remarks, to call for the development of a legal infrastructure for the administration of cyberspace, with particular emphasis on the protection of “critical information infrastructure” (see further discussion below). The resolution of the Fourth Plenum of the Central Committee of the Chinese Communist Party in October 2014 echoed this theme.

The focus on network security appears to stem from the explosive development and extensive usage of network and information technologies, made more pressing by Edward Snowden’s disclosures in 2013 regarding activities of the US National Security Agency (NSA). Since the Snowden leaks, it has been repeatedly reported that the Chinese government is working actively to wean government networks and financial systems off of IT products and services from foreign companies. The Draft Law is the government’s latest effort to consolidate existing security-related requirements and grant government agencies more security-related powers. On its face, the Draft Law does not discriminate against foreign products and services. However, designed to “safeguard cyberspace sovereignty and national security,” it could be implemented to become an additional hurdle for foreign companies seeking to access China’s vast market if and when it comes into effect.
Continue Reading China Issues Draft Network Security Law

By Ani Gevorkian

The FTC has issued a request for public comment regarding Riyo’s application to recognize a new proposed verifiable parental consent method under the FTC’s Children’s Online Privacy Protection Act Rule.  The Rule, which implements the Children’s Online Privacy Protection Act (COPPA), requires certain website operators, mobile applications, and other online services to

A Seventh Circuit panel that allowed a data breach suit against Neiman Marcus to proceed misapplied the Supreme Court’s precedents on standing and, “if allowed to stand, will impose wasteful litigation burdens on retailers and the federal courts,” the retailer argues in a petition filed yesterday asking the full Seventh Circuit to rehear the case.

Last month, a Seventh Circuit panel ruled that Neiman Marcus customers whose credit card information potentially was exposed in a 2013 breach of the retailer’s computer systems could proceed with their proposed class action lawsuit against the retailer. The panel found that the plaintiffs alleged sufficient “injuries associated with resolving fraudulent charges and protecting oneself against future identity theft” to establish their standing to sue in federal court, and that affected customers “should not have to wait until hackers commit identity theft or credit‐card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such an injury will occur.” The panel also found it “telling” that the retailer offered affected customers a year of free credit monitoring and identity-theft protection, and appeared to interpret this as a tacit acknowledgment that the risk to customers was more than “ephemeral.”
Continue Reading Neiman Marcus Asks Full 7th Circuit to Consider Standing Ruling in Breach Suit