By

Clayton G. Northouse

25 January 2018

Protecting Privilege in the Aftermath of a Data Breach

On Jan. 3, the United States Court of Appeals for the Sixth Circuit issued a decision that effectively required a company to turn over materials relating to a privileged forensic data breach investigation because, the court concluded, the company had implicitly waived privilege when it disclosed certain of the forensic firm’s conclusions in response to a discovery request. The Sixth Circuit’s decision emphasizes the need for caution by litigants wishing to raise a defense that relies on privileged investigations and reports, including third-party forensic reports, or otherwise disclosing the conclusions of such investigations and reports. (more…)

EmailPrintShare
02 January 2018

Privacy and Cybersecurity Top 10 for 2018

This past year was marked by ever more significant data breaches, growing cybersecurity regulatory requirements at the state and federal levels and continued challenges in harmonizing international privacy and cybersecurity regulations. We expect each of these trends to continue in 2018.

As we begin this New Year, here is list of the top 10 privacy and cybersecurity issues for 2018: (more…)

EmailPrintShare
23 August 2017

FTC Uber Settlement Mandates a Comprehensive Privacy Program, Sheds Light on “Reasonable Data Security” Expectations, and Underscores Importance of Insider Threat Prevention

On August 15, the FTC announced that it had reached an agreement with Uber to settle allegations that the company had made deceptive claims about its privacy and data security practices. The FTC’s settlement with Uber has important implications for privacy and data security measures that companies could take, and the representations they and their employees make in these areas. It also shed greater light on what the FTC means by “reasonable data security” measures that companies should implement, and underscores the importance of maintaining a robust insider threat prevention program. (more…)

EmailPrintShare
14 August 2017

State Privacy Laws: New Jersey Passes Consumer Privacy Act

State laws governing the collection and use of personal information continue to proliferate. The latest comes from New Jersey, which on July 21, 2017, signed into law legislation that restricts a merchant’s ability to collect personal data of shoppers and share such data with third parties.  New Jersey’s Personal Information Privacy and Protection Act permits retailers to scan an identification card only for certain purposes—such as verifying the consumer’s identity—and requires retailers to store such data securely.  Further, a retailer may not share the data with a third party unless the retailer discloses its data-sharing practices to the consumer. (more…)

EmailPrintShare
05 January 2017

NYDFS Revises Cybersecurity Regulations Incorporating Risk-Based Approach; Maintains Prescriptive Requirements and Certifications

On December 28, 2016, the New York State Department of Financial Services (the “NYDFS”) issued revised proposed regulations setting forth minimum requirements for NYDFS-regulated entities to address cybersecurity risk (“Revised Proposed Regulations”).  The NYDFS issued the Revised Proposed Regulations after considering feedback and criticism submitted during a 45-day comment period to address the initial proposal, issued on September 13, 2016.  The agency has announced an additional and final 30-day comment period from the date of publication to address new comments not previously raised in the original comment process.

(more…)

EmailPrintShare
27 December 2016

NYDFS to Delay New Financial Cybersecurity Rules

After having received over 150 comments on proposed cybersecurity regulations, the New York Department of Financial Services will delay implementation and initiate a new round of notice and comment on a further revised version of cybersecurity regulations. As we reported previously, NYDFS proposed new cybersecurity regulations for the financial sector in September of this year, and the comment period closed mid-November. NYDFS previously announced that the new rules would be effective January 1, 2017 and that covered entities would have 180 days to comply. Reuters reports that NYDFS will now publish a further revised version of proposed regulations on December 28 for public comment with a new effective date of March 1, 2017.

EmailPrintShare
07 September 2016

Why Design Matters: It Can Determine Whether an Online Agreement is Enforceable

*Updated on September 8, 2016

The Southern District of New York recently issued a ruling that raises new issues with customer consent and arbitration contracts in a simple click-through agreement, adding to the increasing judicial skepticism over the enforceability of browse-wrap agreements, despite the Supreme Court’s seeming endorsement of consumer arbitration clauses in AT&T Mobility v. Concepcion, 563 U.S. 333 (2011), based on preemption by the Federal Arbitration Act. Soon after this decision, however, the Ninth Circuit issued a ruling that went the other way and found that the arbitration terms in Uber’s terms and conditions were enforceable. Central to these cases has been findings relating to the degree to which terms of use can be considered binding.

(more…)

EmailPrintShare
17 March 2016

FCC Proposes Privacy and Security Regulations for Internet Service Providers

On March 10, FCC Chairman Tom Wheeler issued a “fact sheet” summarizing a sweeping proposal to regulate the privacy and data-security practices of Internet service providers. The proposal would subject ISPs to new stringent requirements that other participants in the Internet ecosystem do not face because they are subject only to the more elastic oversight of the Federal Trade Commission under that agency’s general “unfair or deceptive” standard.

(more…)

EmailPrintShare
18 February 2016

DHS Issues Guidance Pursuant to Cybersecurity Act of 2015

The Cybersecurity Act of 2015, which included the long anticipated Cybersecurity Information Sharing Act or CISA, was passed on December 18, 2015 to facilitate and encourage confidential two-way private sector sharing of cyberthreat information with the federal government. It also provided key liability shields for cyberthreat information sharing and network monitoring pursuant to the Act.  Under the Cybersecurity Act, the Department of Homeland Security (DHS) was designated to coordinate the sharing and was tasked with developing guidelines to facilitate implementation within 90 days.

(more…)

EmailPrintShare
10 February 2016

President Takes Action On Cybersecurity

President Obama today unveiled a “Cybersecurity National Action Plan.” The administration’s proposed budget includes $19 billion for cybersecurity spending, $3 billion of which will be devoted to updating agency systems. The plan includes the creation of a Federal Chief Information Security Officer to guide the implementation of increased security across the federal government and reside within the Office of Management and Budget. President Obama also issued two executive orders. The first establishes the Commission on Enhancing National Cybersecurity within the Department of Commerce to be composed of technology, national security, and business leaders. The Commission is charged with developing by December 1, 2016 “detailed recommendations to strengthen cybersecurity in both the public and private sectors.” The second requires the establishment of a Senior Agency Official for Privacy at each agency and creates the Federal Privacy Council as “the principal interagency forum to improve the Government privacy practices of agencies and entities acting on their behalf.” The OMB Director will be chair of the Federal Privacy Council, which will have the focus of coordinating internal agency policies.

(more…)

EmailPrintShare
XSLT Plugin by BMI Calculator