By

Clayton G. Northouse

23 August 2017

FTC Uber Settlement Mandates a Comprehensive Privacy Program, Sheds Light on “Reasonable Data Security” Expectations, and Underscores Importance of Insider Threat Prevention

On August 15, the FTC announced that it had reached an agreement with Uber to settle allegations that the company had made deceptive claims about its privacy and data security practices. The FTC’s settlement with Uber has important implications for privacy and data security measures that companies could take, and the representations they and their employees make in these areas. It also shed greater light on what the FTC means by “reasonable data security” measures that companies should implement, and underscores the importance of maintaining a robust insider threat prevention program. (more…)

SHARE
EmailPrintShare
14 August 2017

State Privacy Laws: New Jersey Passes Consumer Privacy Act

State laws governing the collection and use of personal information continue to proliferate. The latest comes from New Jersey, which on July 21, 2017, signed into law legislation that restricts a merchant’s ability to collect personal data of shoppers and share such data with third parties.  New Jersey’s Personal Information Privacy and Protection Act permits retailers to scan an identification card only for certain purposes—such as verifying the consumer’s identity—and requires retailers to store such data securely.  Further, a retailer may not share the data with a third party unless the retailer discloses its data-sharing practices to the consumer. (more…)

SHARE
EmailPrintShare
05 January 2017

NYDFS Revises Cybersecurity Regulations Incorporating Risk-Based Approach; Maintains Prescriptive Requirements and Certifications

On December 28, 2016, the New York State Department of Financial Services (the “NYDFS”) issued revised proposed regulations setting forth minimum requirements for NYDFS-regulated entities to address cybersecurity risk (“Revised Proposed Regulations”).  The NYDFS issued the Revised Proposed Regulations after considering feedback and criticism submitted during a 45-day comment period to address the initial proposal, issued on September 13, 2016.  The agency has announced an additional and final 30-day comment period from the date of publication to address new comments not previously raised in the original comment process.

(more…)

SHARE
EmailPrintShare
27 December 2016

NYDFS to Delay New Financial Cybersecurity Rules

After having received over 150 comments on proposed cybersecurity regulations, the New York Department of Financial Services will delay implementation and initiate a new round of notice and comment on a further revised version of cybersecurity regulations. As we reported previously, NYDFS proposed new cybersecurity regulations for the financial sector in September of this year, and the comment period closed mid-November. NYDFS previously announced that the new rules would be effective January 1, 2017 and that covered entities would have 180 days to comply. Reuters reports that NYDFS will now publish a further revised version of proposed regulations on December 28 for public comment with a new effective date of March 1, 2017.

SHARE
EmailPrintShare
07 September 2016

Why Design Matters: It Can Determine Whether an Online Agreement is Enforceable

*Updated on September 8, 2016

The Southern District of New York recently issued a ruling that raises new issues with customer consent and arbitration contracts in a simple click-through agreement, adding to the increasing judicial skepticism over the enforceability of browse-wrap agreements, despite the Supreme Court’s seeming endorsement of consumer arbitration clauses in AT&T Mobility v. Concepcion, 563 U.S. 333 (2011), based on preemption by the Federal Arbitration Act. Soon after this decision, however, the Ninth Circuit issued a ruling that went the other way and found that the arbitration terms in Uber’s terms and conditions were enforceable. Central to these cases has been findings relating to the degree to which terms of use can be considered binding.

(more…)

SHARE
EmailPrintShare
17 March 2016

FCC Proposes Privacy and Security Regulations for Internet Service Providers

On March 10, FCC Chairman Tom Wheeler issued a “fact sheet” summarizing a sweeping proposal to regulate the privacy and data-security practices of Internet service providers. The proposal would subject ISPs to new stringent requirements that other participants in the Internet ecosystem do not face because they are subject only to the more elastic oversight of the Federal Trade Commission under that agency’s general “unfair or deceptive” standard.

(more…)

SHARE
EmailPrintShare
18 February 2016

DHS Issues Guidance Pursuant to Cybersecurity Act of 2015

The Cybersecurity Act of 2015, which included the long anticipated Cybersecurity Information Sharing Act or CISA, was passed on December 18, 2015 to facilitate and encourage confidential two-way private sector sharing of cyberthreat information with the federal government. It also provided key liability shields for cyberthreat information sharing and network monitoring pursuant to the Act.  Under the Cybersecurity Act, the Department of Homeland Security (DHS) was designated to coordinate the sharing and was tasked with developing guidelines to facilitate implementation within 90 days.

(more…)

SHARE
EmailPrintShare
10 February 2016

President Takes Action On Cybersecurity

President Obama today unveiled a “Cybersecurity National Action Plan.” The administration’s proposed budget includes $19 billion for cybersecurity spending, $3 billion of which will be devoted to updating agency systems. The plan includes the creation of a Federal Chief Information Security Officer to guide the implementation of increased security across the federal government and reside within the Office of Management and Budget. President Obama also issued two executive orders. The first establishes the Commission on Enhancing National Cybersecurity within the Department of Commerce to be composed of technology, national security, and business leaders. The Commission is charged with developing by December 1, 2016 “detailed recommendations to strengthen cybersecurity in both the public and private sectors.” The second requires the establishment of a Senior Agency Official for Privacy at each agency and creates the Federal Privacy Council as “the principal interagency forum to improve the Government privacy practices of agencies and entities acting on their behalf.” The OMB Director will be chair of the Federal Privacy Council, which will have the focus of coordinating internal agency policies.

(more…)

SHARE
EmailPrintShare
21 December 2015

Cybersecurity Act of 2015 Signed Into Law

On December 18, President Obama signed into law an omnibus spending package for 2016 that included the Cybersecurity Act of 2015 (known in former versions as the Cybersecurity Information Sharing Act). After years of debate, the Cybersecurity Act establishes a framework to facilitate and encourage confidential two-way private sector sharing of cyberthreat information with the federal government and provides liability shields for cyberthreat information sharing, as well as for specific actions undertaken to defend or monitor corporate networks. The Cybersecurity Act also designates the Department of Homeland Security (DHS) to coordinate cyberthreat information sharing.

The Cybersecurity Act has important implications for cooperation among industry participants and with regulatory agencies in development of effective cybersecurity programs. Public-private cyberthreat information sharing is an important step to improve companies’ defenses and responses to the changing cyberthreat landscape. Though the Act is effective immediately, the attorney general and DHS secretary must release guidelines within 90 days.

(more…)

SHARE
EmailPrintShare
08 December 2015

The FAST Act’s Cybersecurity and Privacy Provisions for the Electric Grid, Internet of Things, and Connected Cars

On Friday, December 4, President Obama signed the Fixing America’s Surface Transportation (“FAST”) Act, a $300 billion-plus highway and transportation law and the first comprehensive transportation spending law in a decade. Despite its title, the bill impacts a number of regulated sectors. Nestled within this 490-page law are 13 pages that pertain to cybersecurity and other protections for the electric grid. As detailed below, the FAST Act also includes a number of privacy and cybersecurity provisions relating to privacy notices by financial institutions as required by the Gramm Leach Bliley Act, event data records in vehicles, Internet of Things technologies, and connected cars.

(more…)

SHARE
EmailPrintShare
XSLT Plugin by BMI Calculator