Companies with robust cybersecurity programs may still be vulnerable to attack. A new, first-of-its-kind law in Ohio now recognizes this fact. On November 1, 2018, the Ohio Data Protection Act (SB 220) establishes a safe harbor from state tort actions in data breach cases for entities that have developed an information security program with “administrative, technical, and physical safeguards for the protection of personal information and that reasonably conforms to an industry recognized cybersecurity framework.” Without establishing minimum cybersecurity standards, the Ohio law affords defendants an “affirmative defense” against state tort actions and establishes an important precedent that may serve as a model for other states and the federal government to follow. (more…)
On September 26, the Senate Commerce Committee invited tech and telecom companies to the Hill to discuss safeguards for consumer data privacy. “The question,” noted Chairman John Thune, “is no longer whether we need a federal law to protect consumers’ privacy. The question is what shape that law should take.” The Senators and testifying witnesses expressed strong support for a comprehensive federal privacy law. (more…)
An increasing number of eyes are now turning to the U.S. Congress to see how it will react to these developments, and Data Matters – and the privacy community generally – will thus be closely watching the Senate Committee on Commerce, Science, and Transportation on Wednesday, September 26, 2018, when it hosts a hearing titled “Examining Safeguards for Consumer Data Privacy.” (more…)
On February 21, 2018, the U.S. Securities and Exchange Commission issued interpretive guidance (the Guidance) to assist public companies in drafting their cybersecuritydisclosures in SEC filings. See 83 FR 8166 (Feb. 26, 2018). In his public statement accompanying the issuance of this guidance, SEC Chairman Jay Clayton said he believed that “providing the Commission’s views on these matters will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors.”1 In this new guidance, the SEC is likely intending to signal how it may focus future enforcement concerning the cybersecurity disclosure obligations of public companies, and their underlying disclosure controls, procedures and certifications. (more…)
On Jan. 3, the United States Court of Appeals for the Sixth Circuit issued a decision that effectively required a company to turn over materials relating to a privileged forensic data breach investigation because, the court concluded, the company had implicitly waived privilege when it disclosed certain of the forensic firm’s conclusions in response to a discovery request. The Sixth Circuit’s decision emphasizes the need for caution by litigants wishing to raise a defense that relies on privileged investigations and reports, including third-party forensic reports, or otherwise disclosing the conclusions of such investigations and reports. (more…)
This past year was marked by ever more significant data breaches, growing cybersecurity regulatory requirements at the state and federal levels and continued challenges in harmonizing international privacy and cybersecurity regulations. We expect each of these trends to continue in 2018.
As we begin this New Year, here is list of the top 10 privacy and cybersecurity issues for 2018: (more…)
On August 15, the FTC announced that it had reached an agreement with Uber to settle allegations that the company had made deceptive claims about its privacy and data security practices. The FTC’s settlement with Uber has important implications for privacy and data security measures that companies could take, and the representations they and their employees make in these areas. It also shed greater light on what the FTC means by “reasonable data security” measures that companies should implement, and underscores the importance of maintaining a robust insider threat prevention program. (more…)
State laws governing the collection and use of personal information continue to proliferate. The latest comes from New Jersey, which on July 21, 2017, signed into law legislation that restricts a merchant’s ability to collect personal data of shoppers and share such data with third parties. New Jersey’s Personal Information Privacy and Protection Act permits retailers to scan an identification card only for certain purposes—such as verifying the consumer’s identity—and requires retailers to store such data securely. Further, a retailer may not share the data with a third party unless the retailer discloses its data-sharing practices to the consumer. (more…)
On December 28, 2016, the New York State Department of Financial Services (the “NYDFS”) issued revised proposed regulations setting forth minimum requirements for NYDFS-regulated entities to address cybersecurity risk (“Revised Proposed Regulations”). The NYDFS issued the Revised Proposed Regulations after considering feedback and criticism submitted during a 45-day comment period to address the initial proposal, issued on September 13, 2016. The agency has announced an additional and final 30-day comment period from the date of publication to address new comments not previously raised in the original comment process.