Archives: Data Security

Judge Denies Neiman’s Motion to Dismiss Data Breach Class Action

A federal judge in the Northern District of Illinois has denied Neiman Marcus Group LLC’s (“Neiman”) motion to dismiss a consumer class action lawsuit arising from a December 2013 data breach at the retailer that exposed about 350,000 credit cards.  As we previously reported, the plaintiffs sued Neiman alleging various claims arising from fraudulent charges … Continue Reading

Senators Introduce Bill Requiring Cybersecurity Expertise Reports to SEC

On December 17, 2015, Senators Reed (D-RI) and Collins (R-ME) introduced the Cybersecurity Disclosure Act of 2015 (S. 2410), which has been referred to the Committee on Banking, Housing, and Urban Affairs.  According to the press release accompanying the bill, it “seeks to strengthen and prioritize cybersecurity at publicly traded companies by encouraging the disclosure … Continue Reading

European Parliament Committee Approves EU Cybersecurity Rules and Publishes Agreed Text

By Mark Young and Vera Coughlan

Formal adoption of the EU Network and Information Security (NIS) Directive is a step closer following a vote on January 14 by the European Parliament’s internal market and consumer protection (IMCO) committee. As we reported in December, the European institutions reached an informal political agreement on the NIS Directive … Continue Reading

Scope of Preemption in Proposed Data Security Legislation is Uncertain

According to a recent analysis by the Congressional Research Service (“CRS”), the extent of state law preemption in recent federal legislative proposals relating to data security is unclear.  Several bills introduced in the 114th Congress would impose federal data security or breach notification requirements on covered entities, similar to existing requirements in nearly every state. … Continue Reading

China Enacts New Counter-Terrorism Law

On December 27, 2015, the Standing Committee of the National People’s Congress (NPC), China’s top legislative body, enacted a Counter-Terrorism Law (see the Chinese version here, and an unofficial English translation here), which took effect on January 1, 2016.  The adoption of this law, a year after the first draft was released for public comment, … Continue Reading

Congress Passes the Cybersecurity Act of 2015

The Cybersecurity Act of 2015 (the “Act”) was passed by Congress today as part of the 2016 omnibus spending package.  The Act is very similar to the Cybersecurity Information Sharing Act (“CISA,” S. 754), which passed the Senate on October 27 and was the subject of our previous analysis, although there are some important differences … Continue Reading

FTC Obtains Record $100 Million Settlement with LifeLock

By Megan Rodgers

The FTC announced that the identity theft protection firm LifeLock will pay $100 million to resolve allegations that the company made false statements about its services and failed to safeguard consumer data.  This settlement represents the largest of its kind in an FTC order enforcement action. The FTC first sued LifeLock in … Continue Reading

Wyndham Settles FTC Charges

Wyndham Hotels and Resorts has agreed to settle the FTC’s charges that its corporate data security practices were deficient under the unfairness prong of Section 5 of the FTC Act.  Assuming the district court approves the proposed stipulated consent order, this concludes the litigation between Wyndham and the FTC.  Under the terms of the twenty-year … Continue Reading

A Closer Look at CISA’s Cybersecurity Information-Sharing Provisions

As we reported on October 27, the U.S. Senate passed the Cybersecurity Information Sharing Act (“CISA,” S. 754).  If enacted into law, CISA would, among other things, establish a voluntary framework for the sharing of cybersecurity threat information between and among the federal government and private entities.  CISA must now be reconciled with two similar … Continue Reading

Cox Communications to Pay $595,000 in Data Breach Settlement

By Hannah Lepow

Yesterday the FCC announced that it has entered into a $595,000 settlement agreement with Cox Communications to resolve an investigation into whether the company failed to protect its customers’ personal information when it suffered a data breach in 2014.  This is the first privacy and data security enforcement action the FCC Enforcement … Continue Reading

Senate Passes Cybersecurity Information Sharing Legislation

The U.S. Senate passed the Cybersecurity Information Sharing Act (“CISA,” S. 754) today.  In material part, the bill: establishes a voluntary framework for real-time information sharing of “cyber threat indicators” and “defensive measures” between private organizations (defined to also include state and local governments) and the federal government; with respect to information sharing among private … Continue Reading

FTC Releases Agenda for November 5th “Start with Security” Conference

By Megan L. Rodgers

The FTC has announced its agenda and panelists for its conference on data security, which will be held on November 5th, 2015, at the University of Texas, in Austin. This is the second in a series of conferences aimed at helping small- to medium-sized businesses protect consumers’ information.  The first conference … Continue Reading

Covington Attorneys Author Chapter on the Challenges of Managing Third-Party Outsourcing Risks

As businesses increasingly work with various types of third parties that process sensitive information and, in some cases, access a company’s networks, there is an inherent risk:  these third parties create new avenues of attack against a company’s data, systems, and networks.   Covington attorneys David Fagan, Nigel Howard, Kurt Wimmer, and Elizabeth Canter describe these … Continue Reading

Three-Bill Package Makes Revisions to California’s Data-Breach Notification Statute

By Brandon Johnson

On October 6, 2015, California Governor Jerry Brown signed into law a trio of bills that is intended to clarify key elements of the state’s data-breach notification statute and provide guidance to persons, businesses, and state and local agencies that deal with electronically stored personal information.  The bills, which were passed together … Continue Reading

Start With Security: Key Takeaways from the FTC’s Data Security Conference

By Lindsey Tonsager and Megan Rodgers

The FTC held its “Start with Security” conference in San Francisco, California, last week, launching an initiative to provide companies with practical resources for implementing effective data security strategies. The event was targeted at tech start-ups and small- and medium-sized businesses, but the panelists included representatives from companies with … Continue Reading

UK Government Launches Cybersecurity Service For Healthcare Organizations

The UK government has announced a new national service providing expert cybersecurity advice to entities within the National Health Service (NHS) and the UK’s broader healthcare system.  The project, called CareCERT (Care Computing Emergency Response Team), is aiming for a full go-live in January 2016. … Continue Reading

Proposed Rule Would Amend Federal “Common Rule” Requirements

On September 8, 2015, sixteen federal agencies published a long-awaited Notice of Proposed Rulemaking (NPRM) to modernize the Federal Policy for the Protection of Human Subjects, known as the “Common Rule.” The proposal, available here, includes a number of changes related to privacy and data security and other changes relevant to entities seeking to conduct … Continue Reading

Data Localization Requirements Through the Backdoor? Germany’s “Federal Cloud”, and New Criteria For the Use of Cloud Services by the German Federal Administration

In May 2015, reports about the German government’s plans to establish federal German cloud infrastructure (the “Bundes-Cloud”) raised concerns about the possible introduction of data localization requirements (preventing the storage and processing of data outside Germany).  The criteria for the use of cloud services by Germany’s federal administration, which have recently been published, now give … Continue Reading

What You Need to Know About Germany’s Cybersecurity Law

Whilst the discussions on the proposed Network and Information Security (NIS) Directive at European level are still ongoing (see Update on the Cybersecurity Directive − over to Luxembourg?, InsidePrivacy, June 12, 2015), less has been said about Germany’s new national Act to Increase the Security of Information Technology Systems (the “IT Security Law”).  The IT Security Law … Continue Reading

DoD Issues Interim Rule Addressing New Requirements for Cyber Incidents and Cloud Computing Services

By Susan Cassidy, Alex Sarria, Patrick Stanton, and Catlin Meade

On August 26, 2015, the Department of Defense (DoD) issued an interim rule that significantly expands the obligations imposed on defense contractors and subcontractors to safeguard “covered defense information” and for reporting cyber incidents on unclassified information systems that contain such information.  The interim rule revises the … Continue Reading

FTC Releases Agenda for September 9th “Start with Security” Conference

By Megan L. Rodgers

The FTC has announced its agenda and panelists for its conference on data security, which will be held on September 9, 2015 at University of California Hastings College of the Law, in San Francisco. This is the first in a series of conferences aimed at helping small- to medium-sized businesses protect … Continue Reading

Cybersecurity Risks with Connected Devices

By Bianca Nunes

Cybersecurity vulnerability is becoming an increasing concern as medical devices are becoming more connected to the Internet, hospital networks, and other medical devices. As we previously reported, FDA has increasingly focused on promoting cybersecurity, recognizing that compromised medical devices can pose a risk to patient health and safety and to the confidentiality … Continue Reading

OMB Issues New Draft Cyber Guidance for Contractors

By Susan Cassidy, Alex Sarria

On August 11, 2015, the Office of Management and Budget (OMB) issued a draft guidance memorandum intended to improve cybersecurity protections in federal acquisitions. Specifically, the proposed memorandum provides direction to federal agencies on “implementing strengthened cybersecurity protections in Federal acquisitions for products or services that generate, collect, maintain, disseminate, … Continue Reading

Multistakeholder Group Seeks Comment on Draft Framework for IoT Device Manufacturers

Earlier this week, the Online Trust Alliance released a draft framework of best practices for Internet of Things device manufacturers and developers, such as connected home devices and wearable fitness and health technologies.  The OTA is seeking comments on its draft framework by September 14. The framework acknowledges that not all requirements may be applicable … Continue Reading