By

Edward R. McNicholas

26 March 2018

South Dakota Becomes 49th State to Enact a Data Breach Notification Law

On March 21, Governor Daugaard of South Dakota signed SB 62, making South Dakota the 49th state to enact a data breach notification statute (leaving only Alabama without a state data breach law).  South Dakota’s attorney general issued a statement after the law was signed, observing that the connected economy comes with “an increased risk of theft and fraud,” and “we need the tools to combat these breaches and thefts of our personal information.” (more…)

EmailPrintShare
13 March 2018

Potential Congressional Action on Cross Border Data? A Primer on the CLOUD Act

In recent years, the rise of cloud computing has led to more and more data being stored somewhere other than the jurisdiction in which it was created.  This trend increasingly has led U.S. law enforcement officials to demand access to information held abroad, just as foreign officials increasingly want access to data held inside the United States.  But satisfying these growing desires for cross-border access has proven complicated.  The Mutual Legal Assistance Treaty (MLAT) process has not kept pace with the Internet-fueled increase in data requests, nor has a workable alternative to that process emerged.  And questions remain as to whether relevant U.S. statutes authorize extraterritorial legal process.  Even if law enforcement officials do have tools that allow them to seek data held elsewhere, the holders of such data may face a conflict between their obligations to respond to one country’s lawful process and the obligations to comply with another country’s privacy protections or blocking statutes. (more…)

EmailPrintShare
02 March 2018

SEC Issues New Guidance on Cybersecurity Disclosure Requirements

On February 21, 2018, the U.S. Securities and Exchange Commission issued interpretive guidance (the Guidance) to assist public companies in drafting their cybersecuritydisclosures in SEC filings. See 83 FR 8166 (Feb. 26, 2018). In his public statement accompanying the issuance of this guidance, SEC Chairman Jay Clayton said he believed that “providing the Commission’s views on these matters will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors.”1 In this new guidance, the SEC is likely intending to signal how it may focus future enforcement concerning the cybersecurity disclosure obligations of public companies, and their underlying disclosure controls, procedures and certifications. (more…)

EmailPrintShare
25 January 2018

Protecting Privilege in the Aftermath of a Data Breach

On Jan. 3, the United States Court of Appeals for the Sixth Circuit issued a decision that effectively required a company to turn over materials relating to a privileged forensic data breach investigation because, the court concluded, the company had implicitly waived privilege when it disclosed certain of the forensic firm’s conclusions in response to a discovery request. The Sixth Circuit’s decision emphasizes the need for caution by litigants wishing to raise a defense that relies on privileged investigations and reports, including third-party forensic reports, or otherwise disclosing the conclusions of such investigations and reports. (more…)

EmailPrintShare
09 January 2018

Internet of Toys Enforcement: VTech Agrees to COPPA Settlement

On January 8, the FTC announced a settlement with VTech (a maker of electronic children’s toys) for violations of COPPA, adding to the regulatory activity mounting in the last few years around the Internet of Toys.  The company agreed to pay $650,000 to settle allegations that its Kid Connect app and its Learning Lodge platform collected personal information from almost 3,000,000 children without providing direct notice and obtaining their parent or guardian’s consent.  (more…)

EmailPrintShare
02 January 2018

Privacy and Cybersecurity Top 10 for 2018

This past year was marked by ever more significant data breaches, growing cybersecurity regulatory requirements at the state and federal levels and continued challenges in harmonizing international privacy and cybersecurity regulations. We expect each of these trends to continue in 2018.

As we begin this New Year, here is list of the top 10 privacy and cybersecurity issues for 2018: (more…)

EmailPrintShare
21 November 2017

Jamaica’s New Privacy Protection Bill

On 10 October 2017, Jamaica introduced into its House of Parliament a comprehensive Bill for privacy and data protection, entitled “An Act to Protect the Privacy of Certain Data and for Connected Matters.”  The new law would cover personal data, including data in an “accessible record” such as a health record or an educational record.  If passed, the new law will be named the “Data Protection Act, 2017.”  (more…)

EmailPrintShare
16 November 2017

M&A Due Diligence: The Devil in Their Data

*Article first appeared in Corporate Board Member on November 7, 2017

At a time when a major cybersecurity incident can cost a company millions, it’s crucial that acquiring companies give cybersecurity the same level of scrutiny as they do more traditional risks and opportunities in the M&A due diligence process. Yet too many deals suffer from superficial consideration of these issues.

Why the disconnect? Unlike other areas where companies face legal and regulatory implications, in-house and outside legal teams often lack well-developed methods to analyze cybersecurity risks, too often considering them technical issues beneath the notice of the bankers and lawyers. In many cases, deal teams lack the skill sets to analyze the issues effectively and cannot even speak the language of the CIOs and CISOs well enough to spot “alternative facts.” Boards need to ensure that they or their advisers—preferably both—have sufficient skills to assess cybersecurity risks and ask the right questions. (more…)

EmailPrintShare
13 November 2017

U.S. Consumer Financial Protection Bureau’s Principles for Data Aggregation Services Could Have Broad Implications

On Oct. 18, 2017, the Consumer Financial Protection Bureau (CFPB) released a set of consumer protection principles (Principles) designed to protect consumer interests in the market for services built around consumer-approved use of financial information. The Principles are targeted to so-called “data aggregation” or “screen scraping” services that collect customer information in order to provide financial planning or other services. Over the past few years, data aggregation services and banks have struggled to develop the right model for sharing customer account data. The Principles issued by the CFPB seek to provide a potential data-sharing model for banks and data aggregation services while protecting consumer interests.

(more…)

EmailPrintShare
07 November 2017

Hack Attack: Reducing the Risks of Stockholder Litigation Arising From Data Breaches

*This post originally appeared in BNA’s Corporate Law & Accountability Report on November 6, 2017.

Cyberattacks and data breaches are increasingly the subject of front-page headlines and can have material effects on our personal lives. And yet, reports suggest that many corporate directors and managers remain relatively unaware of important cybersecurity issues, risks, and strategies that directly relate to their organizations.

For example: imagine that your company has fallen victim to a successful cyberattack and customer data was stolen. In the aftermath, the securities plaintiffs’ bar undoubtedly will be searching for stockholders to(among other things) pursue claims for violations of state and federal securities laws and/or for breaches of fiduciary duty against the company’s board. Are you, your colleagues, managers, and directors prepared to respond to and manage this type of incident and the subsequent litigation and regulatory investigations? Have you documented your diligence in governing cybersecurity risk? For many, the answer may be no.

This article discusses the scope of this problem, how it can directly impact you and your company, and steps you can take now to help prepare for the unknown. It is certainly true that even the best cybersecurity programs cannot guarantee deterrence of all attacks. But such programs unquestionably mitigate the risk of a breach, support organizational resilience, and help control the fallout should one occur.

Read More

EmailPrintShare
1 2 3 5
XSLT Plugin by BMI Calculator