Data Security

Recent years have seen significant amounts of legislative activity related to state data breach notification laws, and 2018 was no exception.  Not only did South Dakota and Alabama enact new data breach notification laws in 2018, becoming the last of 50 U.S. states to enact such laws, but other states also enacted changes to existing data breach notification laws during 2018 to expand their scope and implement additional notification requirements.  Following up on our global year-end review of major privacy and cybersecurity developments, we’ve summarized the major developments and trends observed with regards to state data breach notification laws over the past year.
Continue Reading State Data Breach Notification Laws: 2018 in Review

On December 6, 2018, the Australian Parliament passed a bill that aims to address concerns raised by national security and law enforcement agencies regarding encrypted communications.

Introduced in September, the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (the Act) may affect technology companies around the globe.  As discussed in our previous post, the Act requires “designated communications providers” (a definition that includes foreign and domestic communications providers) to provide support to Australian government agencies under new legal bases provided by the Act’s framework.  A Technical Assistance Notice (TAN), for example, will permit certain government entities to require assistance that a designated communications provider is already capable of giving.  If the provider lacks the capability to assist, a Technical Capability Notice (TCN) may require the provider to build such capability.

As described in greater detail in the Act’s accompanying Explanatory Memorandum, the ability to issue TANs and TCNs is not without limitation.  Importantly, neither forms of Notice may require providers to implement or build a “systemic weakness or systemic vulnerability” into their electronic protections, or prevent providers from patching such weaknesses or vulnerabilities.  Recent additions to the Act took this prohibition even further—requiring that in any case where a weakness is selectively introduced to a “target” technology connected with a particular person, the prohibition against systemic weaknesses or vulnerabilities extends to anything that would “jeopardize the security of information held by any other person” aside from the intended target.  The phrase “jeopardize the security of information” is defined by the Act as any “act or thing that creates a material risk that otherwise secure information can be accessed by an unauthorized party.”Continue Reading Australia’s Encryption Bill Becomes Law

On December 4, 2018, the Federal Trade Commission (“FTC”) announced that it is accepting public comments regarding its Identity Theft Detection Rules, 16 C.F.R. Part 681 (the “Rules”), as part of a systematic review of the Commission’s regulations and guidelines. The review of the Rules is particularly noteworthy because identity theft is among the top consumer complaints to the FTC, and has been an enforcement priority for the FTC’s Bureau of Consumer Protection.
Continue Reading FTC Solicits Public Comment on Identity Theft Detection Rules

The EU Payment Services Directive (PSD2), which took effect on January 13, 2018, puts an obligation on banks to give Third Party Providers (TPPs) access to a customer’s payment account data, provided the customer expressly consents to such disclosure.  The new legislation is intended to improve competition and innovation in the EU market for payment services.  The General Data Protection Regulation (GDPR), which is due to take effect from May 25, 2018, enhances individuals’ rights when it comes to protecting their personal data.  The interaction between PSD2, aimed at increasing the seamless sharing of data, and the GDPR, aimed at regulating such sharing, raises complicated compliance concerns.

For example, where banks refrain from providing TPPs access to customer payment data for fear of breaching the privacy rights of their customers under the GDPR, competition authorities may consider this a breach of competition law.  This concern is already becoming a reality for banks – on October 3, 2017, the European Commission carried out dawn raids on banking associations in Poland and the Netherlands following complaints from fintech rivals that the associations were not providing them with what they considered legitimate access to customer payment data.
Continue Reading Overlap Between the GDPR and PSD2

Covington’s global cross-practice Digital Health team has posted an illuminating three-part series on the Covington Digital Health blog that covers key questions entities should be asking as they seek to fit together the regulatory and commercial pieces of the complex digital health puzzle.

  • In the first part of the series, the Digital Health team answers

Earlier this year, the FTC’s staff released a series of blog posts entitled Stick with Security that updated and expanded upon the prior Start with Security best-practices guide for information security practices.  The Stick with Security series draws from FTC complaints, consent orders, closed investigations, and input from companies around the country to provide deeper insights into the ten principles articulated in the Start with Security guide.  These guidelines serve as a set of minimum recommended standards for “reasonable” data security practices by organizations with access to personal data (i.e. information related to consumers and employees), although they can be applied to other types of data as well.  The recommendations are not legal requirements, of course, but it can be useful for companies to consider the views of the FTC’s staff on the practices that are likely to be seen by the FTC as “reasonable.”  This post summarizes the recommendations made by the FTC’s staff in the Stick with Security series.
Continue Reading Key Information Security Pointers from the FTC’s Stick with Security Guidance

On September 19, 2017, the U.S. District Court for the Northern District of California dismissed three of the six counts in the Federal Trade Commission’s (“FTC’s”) January 2017 complaint against D-Link Systems, Inc., allowing the FTC until October 20, 2017 to amend its complaint.

The FTC’s complaint alleged that D-Link engaged in unfair and deceptive practices by marketing its routers and Internet-protocol (“IP”) cameras as providing the “latest wireless security features to help prevent unauthorized access” and the “best possible encryption” protections, but nonetheless failing to protect its products from “widely-known and reasonably foreseeable risks of unauthorized access.”
Continue Reading District Court Dismisses Multiple Counts in FTC’s Complaint Against D-Link

Earlier this month, the UK Government published a consultation on plans to implement the EU Directive on security of network and information systems (the “NIS Directive”, otherwise known as the Cybersecurity Directive).  The consultation includes a proposal to fine firms that fail to implement “appropriate and proportionate security measures” up to EUR 20 million or 4% of global turnover (whichever is greater).

We summarise the UK Government’s plans below, including which organisations may be in scope — for example, in the energy, transport and other sectors, as well as online marketplaces, online search engines, and cloud computing service providers — and the proposed security and incident reporting obligations.

Organisations that are interested in responding to the consultation have until September 30, 2017 to do so.  The UK Government will issue a formal response within 10 weeks of this closing date, and publish further security guidance later this year and next.  A further consultation on incident reporting for digital service providers will be run later this year; the Government invites organisations that are interested in taking part to provide appropriate contact details.
Continue Reading UK Government Proposes Cybersecurity Law with Serious Fines

Delaware Gov. John Carney has signed into law a bill that will impose more stringent obligations for notifying affected Delaware residents in the event of a data breach, in addition to establishing requirements for Delaware businesses to maintain “reasonable” data security practices.  In addition to expanding the types of information that would require notification of affected individuals if breached, the amendments will also require an entity to provide credit monitoring services if the breach involves Social Security numbers.  Once the bill enters into force, entities will also have to notify the Delaware Attorney General if a breach affects more than 500 Delaware residents.  The amendments will enter into force on approximately April 14, 2018.
Continue Reading Delaware Amends Data Breach Notification Law to Require Credit Monitoring, Attorney General Notification