Following months of intense debate, an attempted filibuster, and close votes in both the House and Senate, Congress last week finally extended Section 702 of the Foreign Intelligence Surveillance Act (FISA).
On January 8, the FTC announced a settlement with VTech (a maker of electronic children’s toys) for violations of COPPA, adding to the regulatory activity mounting in the last few years around the Internet of Toys. The company agreed to pay $650,000 to settle allegations that its Kid Connect app and its Learning Lodge platform collected personal information from almost 3,000,000 children without providing direct notice and obtaining their parent or guardian’s consent. (more…)
This past year was marked by ever more significant data breaches, growing cybersecurity regulatory requirements at the state and federal levels and continued challenges in harmonizing international privacy and cybersecurity regulations. We expect each of these trends to continue in 2018.
As we begin this New Year, here is list of the top 10 privacy and cybersecurity issues for 2018: (more…)
On October 26, 2017, the U.S. Department of Treasury released a 176-page Report examining the current regulatory framework for asset management and insurance industries. The Report, titled A Financial System That Creates Economic Opportunities: Asset Management and Insurance, identifies laws and regulations that are inconsistent with the Trump Administration’s Core Principles for financial regulation as set forth in Executive Order 13772 (Feb. 3, 2017), and makes recommendations to ensure alignment. For data privacy and security, the Report commented on the Insurance Data Security Model Law (the “Model Law”) adopted by the National Association of Insurance Commissioners’ (the “NAIC”) on October 24, 2017 (for more information on the development of the Model Law, see our prior coverage). The Model Law attempts to set a baseline for cybersecurity, although it depends on legislative action on the state level. (more…)
*Article first appeared in Corporate Board Member on November 7, 2017
At a time when a major cybersecurity incident can cost a company millions, it’s crucial that acquiring companies give cybersecurity the same level of scrutiny as they do more traditional risks and opportunities in the M&A due diligence process. Yet too many deals suffer from superficial consideration of these issues.
Why the disconnect? Unlike other areas where companies face legal and regulatory implications, in-house and outside legal teams often lack well-developed methods to analyze cybersecurity risks, too often considering them technical issues beneath the notice of the bankers and lawyers. In many cases, deal teams lack the skill sets to analyze the issues effectively and cannot even speak the language of the CIOs and CISOs well enough to spot “alternative facts.” Boards need to ensure that they or their advisers—preferably both—have sufficient skills to assess cybersecurity risks and ask the right questions. (more…)
*This post originally appeared in BNA’s Corporate Law & Accountability Report on November 6, 2017.
Cyberattacks and data breaches are increasingly the subject of front-page headlines and can have material effects on our personal lives. And yet, reports suggest that many corporate directors and managers remain relatively unaware of important cybersecurity issues, risks, and strategies that directly relate to their organizations.
For example: imagine that your company has fallen victim to a successful cyberattack and customer data was stolen. In the aftermath, the securities plaintiffs’ bar undoubtedly will be searching for stockholders to(among other things) pursue claims for violations of state and federal securities laws and/or for breaches of fiduciary duty against the company’s board. Are you, your colleagues, managers, and directors prepared to respond to and manage this type of incident and the subsequent litigation and regulatory investigations? Have you documented your diligence in governing cybersecurity risk? For many, the answer may be no.
This article discusses the scope of this problem, how it can directly impact you and your company, and steps you can take now to help prepare for the unknown. It is certainly true that even the best cybersecurity programs cannot guarantee deterrence of all attacks. But such programs unquestionably mitigate the risk of a breach, support organizational resilience, and help control the fallout should one occur.
On October 3, 2017, the Article 29 Working Party (“WP29”) adopted draft guidelines regarding notification of personal data breaches under the EU’s General Data Protection Regulation (“GDPR”) which will require breach notification within 72 hours of awareness of a breach. (“Draft Guidelines”) (The Draft Guidelines appear to have been released for public comment during the week of 16th October). The deadline for comment is November 24, 2017. The Draft Guidelines are available here. The WP29 is a collective of EU data privacy supervisory authorities (“DPAs”). (more…)
With the continued rise of data breaches rooted in a compromise of user credentials, interest has continued to build in more secure form of digital identities for authentication. Supporting controls for federal agencies as well as innovation in the market, the National Institute of Standards and Technology (“NIST”) published its four-volume Digital Identity Guidelines earlier this year on June 22, 2017. The Guidelines encourage online service providers (“OSPs”) to adopt design practices that promise to reduce unnecessary user frustration with password and identity verification systems, while at the same time increasing security. The primary purpose of the Guidelines is to promulgate technical requirements for federal agencies, businesses, however, could use the Guidelines as a baseline for their own cybersecurity systems—both to establish credibility and enhance the user experience. (more…)