Tag Archives: Data Security

Federal Trade Commission Plans to Clarify its Data Security Standard

The Federal Trade Commission (FTC) has announced that it is launching a new initiative to improve data security guidance and transparency as part of a broader plan to implement process reform initiatives.  In an interview with Politico Pro (subscription required) last week, the new acting director of the FTC’s Bureau of Consumer Protection, Thomas Pahl, … Continue Reading

New Mexico Becomes 48th State with Data Breach Notification Law; Tennessee Restores Exemption for Encrypted Data

Last week, New Mexico and Tennessee both passed legislation updating each state’s requirements for notifying residents following a data breach.  New Mexico’s new law, H.B. 15, makes it the 48th U.S. state to enact a state data breach notification law, leaving Alabama and South Dakota as the only states that have not enacted similar laws.  … Continue Reading

Release of Cybersecurity EO May Have Notable Impact in Communications, Energy, and Defense Industrial Base Critical Infrastructure Sectors

The Trump Administration appears likely to release an Executive Order on Cybersecurity.  The most recent draft suggests this Executive Order may have notable impact in the Communications, Energy, and Defense Industrial Base sectors.  However, it remains unclear if and when the current draft will be signed. President Trump originally was scheduled to sign an Executive … Continue Reading

FTC Comments on NTIA’s Cybersecurity Vulnerability Disclosure Template

The FTC released public comments yesterday on the National Telecommunications and Information Administration’s (NTIA) draft “Early Stage” Coordinated Vulnerability Disclosure Template released in December 2016.  The draft template was released by the NTIA Safety Working Group as part of a multistakeholder process that convened security researchers and software and system developers and owners to address … Continue Reading

Updated OMB Breach Response Policy Includes Required Breach-Related Provisions for Federal Agency Contracts

Last week, the Office of Management and Budget issued an updated breach response policy for federal agencies, replacing a policy last updated in 2007.  The policy, set forth in memorandum M-17-12, provides minimum standards for federal agencies in preparing for and responding to breaches of personally identifiable information (PII).   In addition to setting forth requirements … Continue Reading

Reports Suggest New York DFS to Revise Proposed Cyber Regulations and Delay Implementation

Based on reports citing New York Department of Financial Services (“DFS”) sources (see here and here), DFS may propose a revised version of its first-in-the-nation cybersecurity regulations on December 28, 2016.  That revision would be followed by a new 30-day comment period, with the revised regulations scheduled to take effect on March 1, 2017. This … Continue Reading

Industry Reacts to New York’s Proposed Cybersecurity Regulation for Financial Services Institutions

On December 19, 2016, the New York State Assembly Standing Committee on Banks heard testimony about a proposed regulation introduced by the New York State Department of Financial Services that would require financial services companies to develop and implement cybersecurity programs to defend against cyber-attacks.  As we covered when Governor Andrew Cuomo announced this first-in-the-nation … Continue Reading

Ashley Madison Settles Data Security and Deception Charges

The FTC announced today that it has reached a settlement with the operators of AshleyMadison.com (Ashley Madison) for alleged data security deficiencies and deceptive trade practices.  According to the FTC, Ashley Madison, a dating website for married individuals, was hacked in July 2015, leading to the release of 36 million users’ account and profile information.  … Continue Reading

Insurance Coverage Issues for Cyber-Physical Risks

The recent National Institute of Standards and Technology (NIST) publication of cybersecurity guidance for the Internet of Things (IoT) is a useful reminder that hacking incidents can result not only in privacy breaches, but also in bodily injury or property damage — via critical infrastructure, medical devices and hospital equipment, networked home appliances, or even … Continue Reading

Advisory Group Releases Report on Internet of Things

Following NIST’s release of cybersecurity guidance for the Internet of Things last week, the Broadband Internet Technical Advisory Group (BITAG) released a report today titled Internet of Things (IoT) Security and Privacy Recommendations (the Report).  BITAG is a non-profit organization that brings together engineers and technologists in a working group to develop consensus on technical … Continue Reading

NIST Releases Cybersecurity Guidance for Internet of Things

On November 15, 2016, the National Institute of Standards and Technology (NIST) released its final guidance providing engineering-based solutions to protect cyber-physical systems and systems-of-systems, including the Internet of Things (IoT), against a wide range of disruptions, threats, and other hazards.  NIST Special Publication 800-160 (the “Guidance”) is the result of four years of research … Continue Reading

Appellate Court Stays Enforcement of FTC’s LabMD Order

In an order released last week, the Eleventh Circuit temporarily delayed enforcement of the Federal Trade Commission’s (FTC) order in the LabMD case.  As we reported earlier, the FTC ruled in July that LabMD’s data security practices violated the FTC Act, clarifying and expanding upon the FTC’s authority to regulate corporate data security practices.  After … Continue Reading

NIST Releases Cybersecurity Guide for Small Businesses

The National Institute of Standards and Technology (NIST) released guidance today designed to help small businesses improve their cybersecurity preparedness.  The document, Small Business Information Security: The Fundamentals, is based on NIST’s 2014 Framework for Improving Critical Infrastructure Cybersecurity, a widely used cybersecurity framework (Cybersecurity Framework).  For additional background on the Cybersecurity Framework, please see … Continue Reading

FTC Issues Guidance for Responding to Data Breaches

On Tuesday, the FTC issued new guidance for businesses on responding to data breaches, along with an accompanying blog post and video.  The data breach response guidance follows the issuance of the FTC’s “Start with Security” data security guidance last year and builds upon recent FTC education and outreach initiatives on data security and cybersecurity … Continue Reading

G-7 Publishes Fundamental Elements of Cybersecurity for the Financial Sector

On October 11, 2016, the finance ministers and central bank governors of the Group of 7 (G-7) countries announced the publication of the Fundamental Elements of Cybersecurity for the Financial Sector, a non-binding guidance document for financial sector entities.  The publication  describes eight fundamental “elements” of effective cybersecurity risk management to guide public and private … Continue Reading

UK Government Considering New Patient Data Security and Research Consent Standards, Sanctions

A new post on the Covington eHealth blog reports that the UK government is running a consultation around NHS patient data security standards and a new legal framework for secondary uses (e.g. research) of patient data.  To find out more about the proposals and the consultation, please click here.… Continue Reading

FTC: LabMD’s Data Security Practices Violated the FTC Act

The Federal Trade Commission (FTC) issued a unanimous opinion and order today, vacating the Administrative Law Judge’s (ALJ) initial decision and finding that LabMD’s data security practices were “unfair” under Section 5 of the FTC Act.  In August 2013, the FTC issued a complaint against LabMD, alleging that its failure to implement adequate data security … Continue Reading

Obama Administration Releases Final Data Security Policy Principles and Framework for Its Precision Medicine Initiative

Last week, our colleague Shruti Barker published an article on the Inside Medical Devices Blog, discussing eight data security principles that companies participating in the Precision Medicine Initiative should aim to meet.  The Administration’s guidance document additionally recommends a basic framework that organizations collecting, storing, and sharing patient information should adopt as current best practices.  The … Continue Reading

EU Cyber Security Directive To Enter Into Force In August

The EU Network and Information Security (NIS) Directive now looks likely to enter into force in August of this year.  Member States will then have 21 months to implement it into national law before the new security and incident notification obligations will start to apply to the following entities: designated* “operators of essential services” within … Continue Reading

Verizon Releases 2016 Data Breach Investigations Report

Verizon recently released its 2016 Data Breach Investigations Report (“DBIR”) that outlines cybersecurity threats, vulnerabilities, and trends from 2015.  Verizon, with the assistance of more than 60 contributors, analyzed over 64,000 information security incidents (security events that affect the integrity of an information system) and 2,200 data breaches (incidents that result in the “confirmed disclosure … Continue Reading

Seventh Circuit, Relying on Defendant’s Post-Breach Statements, Allows Data Breach Class Action to Proceed

Last week, the Seventh Circuit handed down another friendly ruling for data breach class action plaintiffs, reversing a district court’s dismissal of a class action complaint over a 2014 data breach at P.F. Chang’s restaurants.  In reversing the district court’s holding that the plaintiffs had not demonstrated Article III standing, the Seventh Circuit ruled that … Continue Reading

EU Passes Sweeping New Privacy and Data Security Laws

As forecast in our latest blog on the topic (available here), the European Parliament today voted into law a new General Data Protection Regulation (“GDPR”) that will replace the EU’s all-encompassing Data Protection Directive as of mid-2018. Today’s vote brings to a close a legislative process that has lasted nearly five years; the law’s official publication, which should be … Continue Reading
LexBlog