As the world began to grapple with the implications of the UK’s vote to withdraw from the European Union, or “Brexit,” the UK Information Commissioner has sought to provide reassurance, issuing a statement reinforcing continuity of data protection principles and a commitment to the digital economy.
The DHS and DOJ have issued final rules and guidance for receipt of cyber threat indicators and defensive measures, including Guidelines for privacy and civil liberties protections. On June 15, the DHS and DOJ announced the release of their joint rules for government handling of cybersecurity information shared by companies, along with expanded guidance for companies wishing to share cybersecurity threat information and take advantage of CISA’s liability shields for certain information sharing and defensive monitoring activities. The newly released rules incorporate and implement provisions of the Cybersecurity Information Sharing Act (CISA) which was passed in December 2015. CISA authorizes and protects information-sharing for certain cybersecurity purposes. It applies to all organizations and it offers companies a broad safeguard from liability for voluntarily sharing “cyber threat indicators” or engaging in certain cybersecurity “defensive measures.”
Securities and Exchange Commission Chair Mary Jo White emphasized the agency’s focus on cybersecurity preparedness and response at a conference in Washington, D.C. in mid May, stating “we can’t do enough in this sector.” Reuters reports that Chair White views cybersecurity as the biggest risk facing the financial system, quoting her as saying that “what we [have] found…is a lot of preparedness, a lot of awareness but also….policies and procedures [that] are not tailored to [entities’] particular risks.”
This article originally appeared in the Bloomberg BNA Privacy and Security Law Report on May 23, 2016.
In Spokeo, Inc. v. Robins, decided May 16, the U.S. Supreme Court ruled that plaintiffs who allege violations of statutes that contain a private right of action and statutory damages do not have automatic ‘‘standing’’ to sue. The Court instead found that to meet the constitutional requirement of standing, the plaintiff must establish not only the ‘‘invasion of a legally protected interest’’ defined by Congress, but also that the plaintiff suffered a “concrete and particularized” harm to that interest.
On Monday, May 16, the Supreme Court addressed the question of whether an alleged violation of the Fair Credit Reporting Act (FCRA), without allegation of concrete injury, is ever sufficient for Article III standing. The case, Spokeo Inc. v. Robbins, No. 13-1339 (2016), involved a class action against data broker Spokeo Inc.. The plaintiff, Thomas Robins, alleged that Spokeo violated the FCRA by inaccurately reporting online that he was a wealthy, married man with children and a graduate degree when he was actually unmarried and out of work. He argued that those inaccuracies could have hurt his chances with potential employers. The district court dismissed Mr. Robins’s case for failure to show any actual harm from the false information, but in 2014, the U.S. Court of Appeals for the Ninth Circuit allowed the case to move forward based on its analysis that Mr. Robins’s injury allegation was particularized because he alleged that Spokeo violated his individual rights when it handled his information.
On April 26, the US District Court in Seattle granted the FTC’s motion for summary judgment against Amazon for providing allegedly inadequate parental controls to limit their children’s in-app purchases. Case No. C14-1038-JCC. The FTC alleged that the company’s failure to require more robust password re-entry meant that many in-app purchases by children resulted in unauthorized charges to the parents.
On April 29, 2016, the FBI published an alert regarding “Incidents of Ransomware on the Rise.”
The piece provides FBI guidance on how to protect organizations, as well as the FBI’s recommendation not to pay the ransom (though in practice, they have acknowledged that it may be necessary to do so if no backup is available for essential data).
On March 10, FCC Chairman Tom Wheeler issued a “fact sheet” summarizing a sweeping proposal to regulate the privacy and data-security practices of Internet service providers. The proposal would subject ISPs to new stringent requirements that other participants in the Internet ecosystem do not face because they are subject only to the more elastic oversight of the Federal Trade Commission under that agency’s general “unfair or deceptive” standard.