Archives: Data Security

Auto Industry Releases Cybersecurity Best Practices

The Automotive Information Sharing and Analysis Center (“Auto-ISAC”) has released a set of cybersecurity best practices for the automotive industry.  The best practices are primarily geared toward automakers, but note that suppliers of motor vehicle components might also benefit from implementing them. The best practices include seven functions, each of which includes several recommendations: (1) … Continue Reading

Significant HIPAA Fine Follows Business Associate’s Stolen iPhone

A new post over on Covington’s eHealth blog discusses a recent enforcement action taken by the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) against Catholic Health Care Services, a business associate under HIPAA, arising out of a stolen iPhone.  This recent enforcement action should put business associates … Continue Reading

Federal Government Releases Final Guidance on CISA

Yesterday, the Department of Homeland Security (“DHS”) and Department of Justice released final guidance as required by Title I of the Cybersecurity Act of 2015 (“CISA”), which was enacted into law this past December.  The guidance was prepared in consultation with several additional federal agencies, and includes four separate documents.  We summarize each of the … Continue Reading

Cyber Insurer Seeks to Void Data Breach Coverage Because of Purported Misstatements in Policy Application

Cyber insurers commonly require insureds to complete detailed applications, often including extensive technical disclosure and risk self-assessments. The complaint recently filed by the insurer in Columbia Casualty Co. v. Cottage Health System illustrates the pitfalls in these requirements. Cottage Health, an operator of a hospital network, suffered a data breach in 2013 resulting in thousands … Continue Reading

P.F. Chang’s Ruling Highlights Potential Pitfalls of Cyber Insurance

Data breaches suffered by retailers and other businesses that handle payment cards can result in substantial assessments by card brands such as MasterCard and Visa. Retailers typically do not process payment card transactions directly with the banks that issue their customers’ cards. Instead, they contract with an intermediary—called an acquiring or servicing bank—to process their … Continue Reading

Morgan Stanley to Pay $1 Million Penalty in SEC Cybersecurity Settlement

By Ciarra Chavarria and Keir Gumbs

On June 8, 2016, the Securities and Exchange Commission announced that Morgan Stanley Smith Barney LLC (“Morgan Stanley”) had agreed to pay $1 million as a penalty for charges relating to its “failures to protect customer information.” Morgan Stanley’s settlement with the SEC came several months after a federal … Continue Reading

EU Cyber Security Directive To Enter Into Force In August

The EU Network and Information Security (NIS) Directive now looks likely to enter into force in August of this year.  Member States will then have 21 months to implement it into national law before the new security and incident notification obligations will start to apply to the following entities: designated* “operators of essential services” within … Continue Reading

China Likely to Impose New Cybersecurity Regulations in 2016

As readers of this blog know, China has been increasingly active in proposing new cybersecurity and privacy regulations. In late 2015, China enacted a new counter-terrorism law.  In August 2015, it issued a draft network security law.  Also last summer, China issued new draft regulations on Internet advertising and clarified requirements for text marketing.  And, … Continue Reading

Verizon Releases 2016 Data Breach Investigations Report

Verizon recently released its 2016 Data Breach Investigations Report (“DBIR”) that outlines cybersecurity threats, vulnerabilities, and trends from 2015.  Verizon, with the assistance of more than 60 contributors, analyzed over 64,000 information security incidents (security events that affect the integrity of an information system) and 2,200 data breaches (incidents that result in the “confirmed disclosure … Continue Reading

Digital Single Market – New Initiatives for Cloud Computing and Internet of Things

By Vera Coughlan, Monika Kuschewsky and Kristof Van Quathem

Yesterday, the European Commission launched its “Digitising European Industry” package, a series of industry related initiatives aimed at “updating Europe’s digital infrastructure”, see press release here, Q&A here and homepage here.  The package includes reports and proposals addressing cloud computing, ICT standardization, eGovernment, Internet of Things … Continue Reading

FTC Releases Online Tool to Help Health App Developers Identify Applicable Laws

A new post on the Covington eHealth blog discusses the new web-based interactive tool released by the FTC, in conjunction with HHS and the FDA, to assist mobile health app developers in navigating applicable federal laws and regulations in the areas of advertising and marketing, medical devices, and data security and privacy.  As part of … Continue Reading

Turkey’s First Comprehensive Data Protection Law Comes Into Force

This post is authored by guest blogger, Naz Değirmenci, BTS & Partners.   Not affiliated with Covington & Burling LLP. On April 7, 2016, Turkey’s law on Personal Data Protection, number 6698 (the “Law”) was published in the Official Gazette and came into force. Although the Turkish Constitution establishes a general right to privacy, and there … Continue Reading

FCC Releases NPRM on Broadband Privacy Rules

Last Friday, the Federal Communications Commission (“FCC”) released its much-anticipated Notice of Proposed Rulemaking (NPRM) setting forth and seeking comment on proposed rules to govern the privacy practices of broadband internet access service providers (BIAS providers).  Among other things, the NPRM outlines the FCC’s proposed rules for broadband privacy policies, the level of customer approval … Continue Reading

Tennessee Amends Breach Notification Law to Cover Breaches of Encrypted Information

Last week, Tennessee Governor Bill Haslam (R) signed S.B. 2005 into law, amending Tennessee’s breach notification law to broaden the scope of information covered and require quicker notifications of the state’s residents.  Most notably, when the amendments enter into force on July 1, 2016, Tennessee will become the only U.S. state that could require notification … Continue Reading

CFPB Issues $100,000 Fine in First-Ever Data Security Enforcement Action

On March 2, 2016, the Consumer Financial Protection Bureau (CFPB) entered into a consent order with online payment systems operator Dwolla, Inc., based on allegations that Dwolla deceived consumers about its data security practices and the safety of its online payment system. The CFPB brought this action under its authority in Sections 1031(a) and 1036(a)(1) … Continue Reading

FTC Settles Deception and Unfairness Charges Against ASUS Over Router Security

The FTC has cautioned that a recent settlement holds lessons for companies involved in the Internet of Things.  The settlement, announced on Tuesday, was reached with hardware manufacturer ASUS over concerns that its router products carried certain security vulnerabilities.  Notably, in addition to alleging that ASUS’s actions violated promises to consumers, the FTC alleged that … Continue Reading

Germany Extends Right of Qualified Consumer Associations to Challenge Privacy Violations

By Monika Kuschewsky

Today, a German law to strengthen the private enforcement of certain data protection provisions that aim to protect consumers (the Law) entered into force, following its publication in the Official Journal yesterday. We previously reported on the draft law here. The Law empowers certain qualified associations to seek injunctive relief against companies … Continue Reading

White House’s Cybersecurity National Action Plan (CNAP) Includes Cybersecurity Awareness Campaign, Creation of Federal Privacy Council

Following the announcement of the President’s Cybersecurity National Action Plan (CNAP), an initiative designed to “enhance cybersecurity capabilities within the Federal Government and across the country,” the White House has released a fact sheet outlining the different components of the CNAP.  The announcement of the CNAP follows the President’s request for $19 billion in funding … Continue Reading

After Two-Day Workshop, CDRH Releases Postmarket Cybersecurity Draft Guidance

By Christopher Hanson

On January 22, 2016, CDRH announced in the Federal Register the publication of the draft guidance, “Postmarket Management of Cybersecurity in Medical Devices.”  The release of the draft guidance coincided with the conclusion of a two-day public workshop hosted by FDA entitled, “Moving Forward: Collaborative Approaches to Medical Device Cybersecurity.”  We previously discussed … Continue Reading

Judge Denies Neiman’s Motion to Dismiss Data Breach Class Action

A federal judge in the Northern District of Illinois has denied Neiman Marcus Group LLC’s (“Neiman”) motion to dismiss a consumer class action lawsuit arising from a December 2013 data breach at the retailer that exposed about 350,000 credit cards.  As we previously reported, the plaintiffs sued Neiman alleging various claims arising from fraudulent charges … Continue Reading

Senators Introduce Bill Requiring Cybersecurity Expertise Reports to SEC

On December 17, 2015, Senators Reed (D-RI) and Collins (R-ME) introduced the Cybersecurity Disclosure Act of 2015 (S. 2410), which has been referred to the Committee on Banking, Housing, and Urban Affairs.  According to the press release accompanying the bill, it “seeks to strengthen and prioritize cybersecurity at publicly traded companies by encouraging the disclosure … Continue Reading

European Parliament Committee Approves EU Cybersecurity Rules and Publishes Agreed Text

By Mark Young and Vera Coughlan

Formal adoption of the EU Network and Information Security (NIS) Directive is a step closer following a vote on January 14 by the European Parliament’s internal market and consumer protection (IMCO) committee. As we reported in December, the European institutions reached an informal political agreement on the NIS Directive … Continue Reading

Scope of Preemption in Proposed Data Security Legislation is Uncertain

According to a recent analysis by the Congressional Research Service (“CRS”), the extent of state law preemption in recent federal legislative proposals relating to data security is unclear.  Several bills introduced in the 114th Congress would impose federal data security or breach notification requirements on covered entities, similar to existing requirements in nearly every state. … Continue Reading