Archives: Data Security

Subscribe to Data Security RSS Feed

Federal Trade Commission Plans to Clarify its Data Security Standard

The Federal Trade Commission (FTC) has announced that it is launching a new initiative to improve data security guidance and transparency as part of a broader plan to implement process reform initiatives.  In an interview with Politico Pro (subscription required) last week, the new acting director of the FTC’s Bureau of Consumer Protection, Thomas Pahl, … Continue Reading

New Mexico Becomes 48th State with Data Breach Notification Law; Tennessee Restores Exemption for Encrypted Data

Last week, New Mexico and Tennessee both passed legislation updating each state’s requirements for notifying residents following a data breach.  New Mexico’s new law, H.B. 15, makes it the 48th U.S. state to enact a state data breach notification law, leaving Alabama and South Dakota as the only states that have not enacted similar laws.  … Continue Reading

China Seeks Public Comments on Draft Regulation on Cross-Border Data Transfer

On April 11, 2017, the Cyberspace Administration of China (“CAC”) released a draft of the Measures on Security Assessment of Cross-border Data Transfer of Personal Information and Important Data (“the Draft Measures”) for public comment (official Chinese version available here).  The comment period ends on May 11, 2017. The issuance of the long-anticipated Draft Measures … Continue Reading

NY Data Breaches Reached Record Levels in 2016

New York Attorney General Eric T. Schneiderman announced this week that there were a record number of data breach notices in New York in 2016, with nearly 1,300 reported data breaches exposing the personal records of 1.6 million New Yorkers.  These numbers represented a 60 percent year-over-year increase in the number of data breaches reported, … Continue Reading

Senators Reintroduce Cybersecurity Legislation for Cars and Planes

Senators Ed Markey (D-MA) and Richard Blumenthal (D-CT) reintroduced a pair of bills today relating to the cybersecurity of cars and aircraft, which would impose affirmative security, disclosure, and consent requirements on manufacturers and air carriers.  The Security and Privacy in Your Car (“SPY Car”) Act and Cybersecurity Standards for Aircraft to Improve Resilience (“Cyber … Continue Reading

House Democrats Propose Three Bills that Would Bolster FCC Influence over Cybersecurity

On March 2nd, Democratic members of the House Energy and Commerce Committee introduced three pieces of legislation that would expand the Federal Communications Commission’s (FCC) authority over the cybersecurity practices of communications network providers. The first bill, the “Securing IoT Act of 2017” (introduced by Rep. Jerry McNerney (D-CA)), would expand the FCC’s certification authority … Continue Reading

Release of Cybersecurity EO May Have Notable Impact in Communications, Energy, and Defense Industrial Base Critical Infrastructure Sectors

The Trump Administration appears likely to release an Executive Order on Cybersecurity.  The most recent draft suggests this Executive Order may have notable impact in the Communications, Energy, and Defense Industrial Base sectors.  However, it remains unclear if and when the current draft will be signed. President Trump originally was scheduled to sign an Executive … Continue Reading

FTC Comments on NTIA’s Cybersecurity Vulnerability Disclosure Template

The FTC released public comments yesterday on the National Telecommunications and Information Administration’s (NTIA) draft “Early Stage” Coordinated Vulnerability Disclosure Template released in December 2016.  The draft template was released by the NTIA Safety Working Group as part of a multistakeholder process that convened security researchers and software and system developers and owners to address … Continue Reading

The Securities and Exchange Commission and Financial Industry Regulatory Authority Release Examination Priorities for 2017

The Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) and the Financial Industry Regulatory Authority, Inc. (“FINRA”) (a private self-regulatory organization overseen by OCIE), recently released their 2017 examination priorities.  It is no surprise to find cybersecurity listed as an examination priority again this year. OCIE and FINRA have repeatedly recognized … Continue Reading

Extension of Time for Comments on the Federal ANPR on Cyber Risk Management Standards

For those considering submitting comments on the federal advance notice of proposed rulemaking (ANPR) on enhanced cyber risk management standards, you’ve been granted an extension.  The agencies involved—the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation—announced that they will extend the comment period … Continue Reading

CDRH Releases Postmarket Cybersecurity Final Guidance

By Christopher Hanson On December 28, 2016, CDRH announced the publication of the final guidance “Postmarket Management of Cybersecurity in Medical Devices.”  In a separate post, we reported on the January 22, 2016 draft version of this guidance document.  The final guidance provides FDA’s recommendations on a risk-based framework for medical device manufacturers to assess and … Continue Reading

Updated OMB Breach Response Policy Includes Required Breach-Related Provisions for Federal Agency Contracts

Last week, the Office of Management and Budget issued an updated breach response policy for federal agencies, replacing a policy last updated in 2007.  The policy, set forth in memorandum M-17-12, provides minimum standards for federal agencies in preparing for and responding to breaches of personally identifiable information (PII).   In addition to setting forth requirements … Continue Reading

China’s New Draft National Standards on Personal Information Protection

In our previous post, we discussed seven draft cybersecurity and data protection national standards released by China’s National Information Security Standardization Technical Committee (“NISSTC”), a standard-setting committee jointly supervised by the Standardization Administration of China (“SAC”) and the Cyberspace Administration of China (“CAC”), on December 21, 2016. “Information Security Technology – Personal Information Security Specification” … Continue Reading

Reports Suggest New York DFS to Revise Proposed Cyber Regulations and Delay Implementation

Based on reports citing New York Department of Financial Services (“DFS”) sources (see here and here), DFS may propose a revised version of its first-in-the-nation cybersecurity regulations on December 28, 2016.  That revision would be followed by a new 30-day comment period, with the revised regulations scheduled to take effect on March 1, 2017. This … Continue Reading

Industry Reacts to New York’s Proposed Cybersecurity Regulation for Financial Services Institutions

On December 19, 2016, the New York State Assembly Standing Committee on Banks heard testimony about a proposed regulation introduced by the New York State Department of Financial Services that would require financial services companies to develop and implement cybersecurity programs to defend against cyber-attacks.  As we covered when Governor Andrew Cuomo announced this first-in-the-nation … Continue Reading

China Seeks Comment on Seven Draft Cybersecurity and Data Privacy National Standards

By Tim Stratford and Yan Luo China’s National Information Security Standardization Technical Committee (“NISSTC”), a standard-setting committee jointly supervised by the Standardization Administration of China (“SAC”) and the Cyberspace Administration of China (“CAC”), released seven draft national standards related to cybersecurity and data privacy for public comment on December 21, 2016.  The public comment period … Continue Reading

Data Breach Allegations Sufficient for Standing After Spokeo, Court Says

On Monday, the U.S. District Court for the District of Kansas ruled that the named plaintiff for a putative class of CareCentrix employees whose personal information was compromised had alleged enough harm for standing under Spokeo, Inc. v. Robins.  The case is Hapka v. CareCentrix, Inc. In early 2016, a phishing attack compromised defendant CareCentrix’s systems, … Continue Reading

Ashley Madison Settles Data Security and Deception Charges

The FTC announced today that it has reached a settlement with the operators of AshleyMadison.com (Ashley Madison) for alleged data security deficiencies and deceptive trade practices.  According to the FTC, Ashley Madison, a dating website for married individuals, was hacked in July 2015, leading to the release of 36 million users’ account and profile information.  … Continue Reading

The Commission on Enhancing National Cybersecurity Releases Its Report on Securing and Growing the Digital Economy

On December 1, 2016, the Commission on Enhancing National Cybersecurity released its Report on Securing and Growing the Digital Economy. In its Report, the Commission, established in February 2016 by President Obama, provided detailed short- and long-term recommendations to strengthen cybersecurity in the public and private sectors. The Commission took a multi-stakeholder approach, emphasizing the … Continue Reading

Insurance Coverage Issues for Cyber-Physical Risks

The recent National Institute of Standards and Technology (NIST) publication of cybersecurity guidance for the Internet of Things (IoT) is a useful reminder that hacking incidents can result not only in privacy breaches, but also in bodily injury or property damage — via critical infrastructure, medical devices and hospital equipment, networked home appliances, or even … Continue Reading

Advisory Group Releases Report on Internet of Things

Following NIST’s release of cybersecurity guidance for the Internet of Things last week, the Broadband Internet Technical Advisory Group (BITAG) released a report today titled Internet of Things (IoT) Security and Privacy Recommendations (the Report).  BITAG is a non-profit organization that brings together engineers and technologists in a working group to develop consensus on technical … Continue Reading

NIST Releases Cybersecurity Guidance for Internet of Things

On November 15, 2016, the National Institute of Standards and Technology (NIST) released its final guidance providing engineering-based solutions to protect cyber-physical systems and systems-of-systems, including the Internet of Things (IoT), against a wide range of disruptions, threats, and other hazards.  NIST Special Publication 800-160 (the “Guidance”) is the result of four years of research … Continue Reading

NIST Releases Cybersecurity Guide for Small Businesses

The National Institute of Standards and Technology (NIST) released guidance today designed to help small businesses improve their cybersecurity preparedness.  The document, Small Business Information Security: The Fundamentals, is based on NIST’s 2014 Framework for Improving Critical Infrastructure Cybersecurity, a widely used cybersecurity framework (Cybersecurity Framework).  For additional background on the Cybersecurity Framework, please see … Continue Reading
LexBlog