By

Alan Charles Raul

13 November 2017

U.S. Consumer Financial Protection Bureau’s Principles for Data Aggregation Services Could Have Broad Implications

On Oct. 18, 2017, the Consumer Financial Protection Bureau (CFPB) released a set of consumer protection principles (Principles) designed to protect consumer interests in the market for services built around consumer-approved use of financial information. The Principles are targeted to so-called “data aggregation” or “screen scraping” services that collect customer information in order to provide financial planning or other services. Over the past few years, data aggregation services and banks have struggled to develop the right model for sharing customer account data. The Principles issued by the CFPB seek to provide a potential data-sharing model for banks and data aggregation services while protecting consumer interests.

(more…)

SHARE
EmailPrintShare
30 October 2017

When And How Cos. Should Address Cyber Legal Compliance

*This post originally appeared in Law 360 on October 24, 2017.

We’ve seen it happen time and again. When a company experiences a major data breach or hacking incident, media attention turns to speculation or allegations about the company’s past history of underinvesting in cyber defenses, its supposed culture of cyber complacency, or its history of unaddressed (but, in retrospect, allegedly clear) vulnerabilities. New information may come to light indicating the victimized company suffered previous breaches months, or years, earlier. Rumors of cyber-inadequacy gain currency among current and former employees and, ultimately, regulators and plaintiffs. Sometimes (but not always), these rumors, allegations, supposition and speculation even turn out to be true. (more…)

SHARE
EmailPrintShare
24 August 2017

Eighth Circuit Rejects Implied Premise that a Hack Is Tantamount to Inadequate Information Security, Ruling Such “ ‘Naked Assertions’ … Cannot Survive a Motion to Dismiss.”

The Eighth Circuit held on August 21 that, in the absence of actual injury in a data breach case, “massive class action litigation should be based on more than allegations of worry and inconvenience.”  The Court found that no customers of the defendant securities brokerage firm had suffered fraud or identity theft resulting in financial loss from a 2013 data security incident.*  Kuhns v. Scottrade, Inc., Nos. 16-3426, 16-3542 (8th Cir. Aug. 21, 2017).

In a decision that is replete with great holdings and quotable language for defendants in data breach litigation, the Eighth Circuit demonstrated that even where constitutional standing is found, plaintiffs will not likely succeed if they can allege no real injury even years after the hack occurred. (more…)

SHARE
EmailPrintShare
23 August 2017

FTC Uber Settlement Mandates a Comprehensive Privacy Program, Sheds Light on “Reasonable Data Security” Expectations, and Underscores Importance of Insider Threat Prevention

On August 15, the FTC announced that it had reached an agreement with Uber to settle allegations that the company had made deceptive claims about its privacy and data security practices. The FTC’s settlement with Uber has important implications for privacy and data security measures that companies could take, and the representations they and their employees make in these areas. It also shed greater light on what the FTC means by “reasonable data security” measures that companies should implement, and underscores the importance of maintaining a robust insider threat prevention program. (more…)

SHARE
EmailPrintShare
19 May 2017

SEC Issues “WannaCry” Ransomware Alert to Broker-Dealers and Investment Companies

On May 17, 2017, the SEC’s Office of Compliance Inspections and Enforcement (OCIE) issued a cybersecurity alert to the securities firms it regulates. OCIE advised broker-dealers and investment companies to take certain actions in connection with the recent WannaCry and Wanna Decryptor ransomware attacks that affected numerous organizations in over one hundred countries.  Specifically, OCIE encouraged firms as follows: (more…)

SHARE
EmailPrintShare
15 May 2017

President Trump Signs Executive Order on Cybersecurity at Federal Agencies

On Thursday, May 11, President Trump signed an executive order aimed at strengthening the cybersecurity of federal networks and critical infrastructure.  The order is expected to prompt a broad examination of cybersecurity vulnerabilities at federal agencies and re-orient federal cybersecurity efforts toward modernization and shared services.  The order also reaffirms the previous administration’s approach to cybersecurity protections for critical infrastructure – with increased emphasis on the power grid – and seeks to promote the growth and sustainment of the nation’s cybersecurity workforce in the public and private sectors.  (more…)

SHARE
EmailPrintShare
14 March 2017

Google’s Overseas Warrants: A Game of Tug-of-War Over Access to Data

On February 3, 2017, Eastern District of Pennsylvania Magistrate Judge Thomas J. Rueter ordered Google to comply with FBI search warrants to produce emails stored on foreign servers as part of a domestic criminal investigation.  In re Search Warrant No. 16-960-M-01 to Google (E.D. Pa. Feb. 3, 2017).  This ruling comes on the heels of the Second Circuit’s decision in Microsoft Corp. v. United States, 829 F.3d 197 (2d Cir. 2016) (denied rehearing on January 24, 2017), which reached an opposite decision and held that Microsoft could not be forced to turn over user data stored on a server located in Ireland.  (For more background, see Second Circuit Microsoft Ruling: A Plea for Congressional Action (August 8, 2016)).

(more…)

SHARE
EmailPrintShare
24 February 2017

New NACD Cyber-Risk Handbook a Reminder of Critical Board Oversight Duties

*This article first appeared in Bloomberg BNA Corporate Law & Accountability Report on February 23, 2017

On Jan. 12, 2017, the National Association of Corporate Directors (NACD) released its new “NACD Director’s Handbook on Cyber-Risk Oversight.” The NACD has suggested that directors can use this Cyber-Risk Oversight Handbook as a resource to “[l]earn foundational principles for board-level cyber-risk oversight” and gain insight into issues including how to:

  • “allocate cyber-risk oversight responsibilities at the board level”;
  • address “legal implications and considerations related to cybersecurity”;
  • “set expectations with management about the organization’s cybersecurity processes”;
  • “improve the dialogue between directors and management on cyber issues”; and,
  • “improve and enhance boardroom practices.”

Read More

SHARE
EmailPrintShare
13 February 2017

Sidley Perspectives on M&A and Corporate Governance: Cybersecurity M&A Due Diligence and Protecting Privilege

The potential liability from a material cyber-attack is wide-ranging. Accordingly, companies that experience network intrusions, system disruptions or unauthorized access to information databases must be prepared for a variety of potential consequences, each attended by its own costs…[read more]

SHARE
EmailPrintShare
31 January 2017

2016 Year in Review and 2017 Preview: Top Ten for Data Protection and Privacy

2016 was a year of seismic changes in the global data protection and privacy landscape.  Here, we look back at the top ten events and issues that shaped 2016, and are poised to shape the year ahead as well.

Year In Review

1. GDPR Adoption

On April 14, the European Parliament voted to adopt the long-awaited EU General Data Protection Regulation (GDPR), formally completing adoption of the GDPR. The GDPR was published in the Official Journal of the EU on May 25, 2016, giving companies and Member States until the May 25, 2018 effective date to implement the Regulation fully. In the wake of its adoption, businesses should have planning under way for implementation of the significantly expanded Regulation by evaluating whether they are subject to the expanded jurisdiction, and if so, completing an internal gap analysis of current data protection practices as compared with the new requirements and rights under the Regulation. Some of the key aspects to consider include data breach response planning under the new 72-hour notice requirement, reviewing existing data protection notices and consents for the more robust obligations, identifying current profiling activities and existing data protection and retention policies and procedures, ensuring privacy impact assessments are carried out where required, and evaluating whether there is an obligation to appoint a data protection officer.  Despite the time until the effective date, the extensive preparation necessary to comply presents a challenge as companies around the world refocus resources to develop compliance plans.

2. Political Cyber Warfare

There is a new front in geopolitical battles.  (more…)

SHARE
EmailPrintShare
1 2 3 7
XSLT Plugin by BMI Calculator