The National Association of Insurance Commissioners held its Summer 2017 National Meeting in Philadelphia, Pennsylvania from August 6 to 9, 2017. This Sidley Update summarizes the highlights from this meeting. (more…)
Governor John Carney signed Delaware’s updated breach notification law on August 17, 2017. The revised law, which will come into force on April 14, 2018, includes key changes to the definition of personal information, introduces credit monitoring obligations, and heightens notice requirements. The law will also create new general information security requirements. (more…)
On August 15, the FTC announced that it had reached an agreement with Uber to settle allegations that the company had made deceptive claims about its privacy and data security practices. The FTC’s settlement with Uber has important implications for privacy and data security measures that companies could take, and the representations they and their employees make in these areas. It also shed greater light on what the FTC means by “reasonable data security” measures that companies should implement, and underscores the importance of maintaining a robust insider threat prevention program. (more…)
On August 7, 2017, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a cybersecurity Risk Alert summarizing its observations from its second cybersecurity survey of financial services firms. Overall, OCIE observed increased cybersecurity preparedness since its first 2014 “Cybersecurity 1” Initiative, but also the SEC noted a number of areas where compliance and oversight merit attention. Perhaps the most general observation from the “Cybersecurity 2” risk alert is that, while the OCIE noted that most firms now have written policies and procedures, the message was clear that simply having a generic policy is not adequate. Firms must instead have policies that are adapted to their actual operations as well as procedures that demonstrate the implementation of these policies and documented results of compliance with those procedures. (more…)
The D.C. Circuit recently widened a significant circuit split regarding standing in data breach cases by overturning a district court’s dismissal of a complaint for lack of standing. See Attias v. CareFirst, Inc., D.C. Cir. No. 16-7108.
Courts have long been occupied by the question of whether the mere fact of having personal information subject to unauthorized acquisition is, in itself, an injury sufficient for standing. Hopes were high that the Supreme Court would resolve the issue in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016). In that case, the Supreme Court held that plaintiffs who allege violations of statutes that contain a private right of action and statutory damages must establish not only “invasion of a legally protected interest,” but also that they suffered a “concrete and particularized” harm, in order to satisfy Article III’s standing requirement. Defense counsel were cheered by the restatement of the law of standing, but plaintiffs have argued that Spokeo opened the door for even the most minor of statutory violations even in the absence of quantifiable damage. The Spokeo ruling has had substantial but unpredictable implications for data breach litigation. Federal courts of appeals have subsequently reached different conclusions about how Spokeo applies to allegations of an increased risk of identity theft following a data breach with several circuits overtly splitting over the issue. (more…)
Singapore’s Personal Data Protection Commission (PDPC) has launched a public consultation into a proposed revision to the law that would require reporting of certain data breaches. Singapore currently uses a voluntary approach to data breach notifications, but, according to the PDPC, this has resulted in uneven notification practices. Under the proposals, it will be mandatory for organizations to inform customers of personal data breaches that pose any risk of impact or harm to the affected individual as soon as they are discovered. If an incident involves 500 or more individuals, organizations will need to notify the PDPC as soon as possible but no later than 72 hours after discovery of the breach. The proposals aim to allow individuals to take steps to protect their interests in the event of a data breach, for example, by changing their password. (more…)
Businesses and consumers are increasingly using Internet of Things (“IoT”) devices to communicate and process quantities and types of information that have never before been captured. In response, more federal agencies are turning their attention to the potential risks, and developing guidance for the deployment of IoT technologies. The latest to weigh in on risks include the Governmental Accountability Office and the Department of Commerce. (more…)
On June 20, 2017, the New York State Department of Financial Services (“NYDFS”) expanded its set of frequently asked questions (“FAQs”) and answers concerning its recently finalized Cybersecurity Regulations (23 NYCRR 500.01), which set forth minimum requirements for NYDFS-regulated entities to address cybersecurity risk. The now 17 questions included in the release address the types of entities that fall within the scope of the Regulations, the notice requirements attending a Cybersecurity Event (as defined in the Regulations), the annual certification requirement, and additional specific elements of the rules. (more…)
On May 17, 2017, the SEC’s Office of Compliance Inspections and Enforcement (OCIE) issued a cybersecurity alert to the securities firms it regulates. OCIE advised broker-dealers and investment companies to take certain actions in connection with the recent WannaCry and Wanna Decryptor ransomware attacks that affected numerous organizations in over one hundred countries. Specifically, OCIE encouraged firms as follows: (more…)
*This post was originally distributed as a privacy and cybersecurity client alert on Monday, May 15, 2017. Sign up for our privacy and cybersecurity distribution list here.
As you likely will have heard, there is an ongoing major cyber-attack involving the WannaCry ransomware. It is affecting businesses across the world and across sectors, including financial services firms, healthcare entities and even manufacturers. We are actively advising clients on cybersecurity matters, and we have recently guided clients through ransomware attacks. We have also recently authored a major report on improving transatlantic cybersecurity in collaboration with the US Chamber of Commerce.
Following the WannaCry attack, many companies and their counsel will need to consider and coordinate the following: (more…)