On June 11, 2018, the Financial Services Information Sharing and Analysis Center (“FS-ISAC”) announced the launch of the CERES Forum, an information sharing initiative for central banks, regulators, and supervisors designed to strengthen responses to cyber and physical threats. The new forum will become operational on July 1, 2018. Although FS-ISAC primarily comprises private financial … Continue Reading
By Bruce Bennett, Carlo Kostka, Charlotte Hill, Craig Pollack, Dan Cooper, Gemma Nash, Kristof Van Quathem, Mark Young, and Sophie Bertin The EU Payment Services Directive (PSD2), which took effect on January 13, 2018, puts an obligation on banks to give Third Party Providers (TPPs) access to a customer’s payment account data, provided the customer expressly … Continue Reading
On December 12, 2017, the Federal Trade Commission (“FTC”) hosted a workshop examining “informational injury,” defined by Acting Chairman Maureen Ohlhausen in her opening remarks as the harm consumers suffer due to privacy and data security breaches. Chairman Ohlhausen emphasized three main purposes for the workshop: First, to better identify qualitatively different injuries; second, to … Continue Reading
Covington’s global cross-practice Digital Health team has posted an illuminating three-part series on the Covington Digital Health blog that covers key questions entities should be asking as they seek to fit together the regulatory and commercial pieces of the complex digital health puzzle. In the first part of the series, the Digital Health team answers key regulatory questions … Continue Reading
Earlier this year, the FTC’s staff released a series of blog posts entitled Stick with Security that updated and expanded upon the prior Start with Security best-practices guide for information security practices. The Stick with Security series draws from FTC complaints, consent orders, closed investigations, and input from companies around the country to provide deeper … Continue Reading
On September 19, 2017, the U.S. District Court for the Northern District of California dismissed three of the six counts in the Federal Trade Commission’s (“FTC’s”) January 2017 complaint against D-Link Systems, Inc., allowing the FTC until October 20, 2017 to amend its complaint. The FTC’s complaint alleged that D-Link engaged in unfair and deceptive … Continue Reading
Last week, in his annual State of the European Union Address, the President of the European Commission Jean-Claude Juncker called out cybersecurity as a key priority for the European Union in the year ahead. In terms of ranking priorities, President Juncker placed tackling cyber threats just one place below the EU leading the fight against … Continue Reading
Earlier this month, the UK Government published a consultation on plans to implement the EU Directive on security of network and information systems (the “NIS Directive”, otherwise known as the Cybersecurity Directive). The consultation includes a proposal to fine firms that fail to implement “appropriate and proportionate security measures” up to EUR 20 million or … Continue Reading
Delaware Gov. John Carney has signed into law a bill that will impose more stringent obligations for notifying affected Delaware residents in the event of a data breach, in addition to establishing requirements for Delaware businesses to maintain “reasonable” data security practices. In addition to expanding the types of information that would require notification of … Continue Reading
On August 1, 2017, a bipartisan group of Senators introduced legislation (fact sheet) that would establish minimum cybersecurity standards for Internet of Things (“IoT”) devices sold to the U.S. Government. As Internet-connected devices become increasingly ubiquitous and susceptible to evolving and complex cyber threats, the proposed bill attempts to safeguard the security of executive agencies’ … Continue Reading
Last week, the U.S. Department of Justice (“DOJ”) released a voluntary framework for organizations to use in the development of a formal program to receive reports of network, software, and system vulnerabilities, and to disclose vulnerabilities identified in other organizations’ environments. This framework provides private entities a series of steps to establish a formal program … Continue Reading
The FTC announced today a new “Stick With Security” Initiative, building on its prior “Start With Security” guide as “part of its ongoing efforts to help businesses ensure that they are taking reasonable steps to protect and secure consumer data.” Stick With Security constitutes a series of blog posts published each Friday using “hypothetical examples … Continue Reading
In a new post on the Covington Digital Health blog, our colleagues discuss a new European Cloud in Health Advisory Council whitepaper calling for a review of European healthcare data protection rules holding back greater adoption of cloud computing and AI; and for more discussion about the ethics and governance of re-use of patient data for research and planning. To read … Continue Reading
On May 11, 2017, President Trump signed an Executive Order titled “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure” (the “Order”). The long-anticipated directive was issued months after the White House originally planned to release a cybersecurity order in February. Since then, revised drafts of the order were circulated, including a version from February … Continue Reading
The Federal Trade Commission (FTC) has announced that it is launching a new initiative to improve data security guidance and transparency as part of a broader plan to implement process reform initiatives. In an interview with Politico Pro (subscription required) last week, the new acting director of the FTC’s Bureau of Consumer Protection, Thomas Pahl, … Continue Reading
Last week, New Mexico and Tennessee both passed legislation updating each state’s requirements for notifying residents following a data breach. New Mexico’s new law, H.B. 15, makes it the 48th U.S. state to enact a state data breach notification law, leaving Alabama and South Dakota as the only states that have not enacted similar laws. … Continue Reading
The Trump Administration appears likely to release an Executive Order on Cybersecurity. The most recent draft suggests this Executive Order may have notable impact in the Communications, Energy, and Defense Industrial Base sectors. However, it remains unclear if and when the current draft will be signed. President Trump originally was scheduled to sign an Executive … Continue Reading
The FTC released public comments yesterday on the National Telecommunications and Information Administration’s (NTIA) draft “Early Stage” Coordinated Vulnerability Disclosure Template released in December 2016. The draft template was released by the NTIA Safety Working Group as part of a multistakeholder process that convened security researchers and software and system developers and owners to address … Continue Reading
Last week, the Office of Management and Budget issued an updated breach response policy for federal agencies, replacing a policy last updated in 2007. The policy, set forth in memorandum M-17-12, provides minimum standards for federal agencies in preparing for and responding to breaches of personally identifiable information (PII). In addition to setting forth requirements … Continue Reading
Based on reports citing New York Department of Financial Services (“DFS”) sources (see here and here), DFS may propose a revised version of its first-in-the-nation cybersecurity regulations on December 28, 2016. That revision would be followed by a new 30-day comment period, with the revised regulations scheduled to take effect on March 1, 2017. This … Continue Reading
On December 19, 2016, the New York State Assembly Standing Committee on Banks heard testimony about a proposed regulation introduced by the New York State Department of Financial Services that would require financial services companies to develop and implement cybersecurity programs to defend against cyber-attacks. As we covered when Governor Andrew Cuomo announced this first-in-the-nation … Continue Reading
The FTC announced today that it has reached a settlement with the operators of AshleyMadison.com (Ashley Madison) for alleged data security deficiencies and deceptive trade practices. According to the FTC, Ashley Madison, a dating website for married individuals, was hacked in July 2015, leading to the release of 36 million users’ account and profile information. … Continue Reading
The recent National Institute of Standards and Technology (NIST) publication of cybersecurity guidance for the Internet of Things (IoT) is a useful reminder that hacking incidents can result not only in privacy breaches, but also in bodily injury or property damage — via critical infrastructure, medical devices and hospital equipment, networked home appliances, or even … Continue Reading
Following NIST’s release of cybersecurity guidance for the Internet of Things last week, the Broadband Internet Technical Advisory Group (BITAG) released a report today titled Internet of Things (IoT) Security and Privacy Recommendations (the Report). BITAG is a non-profit organization that brings together engineers and technologists in a working group to develop consensus on technical … Continue Reading
