Category

Data Breaches

12 June 2018

11th Circuit Vacates LabMD Enforcement Order; Casts Doubt on Decades of FTC Cybersecurity Enforcement Practices

In recent years, the Federal Trade Commission has increasingly exercised its enforcement authority to target deceptive and unfair information security practices. During this time, enforcement actions have targeted companies for failing to honor their promises to implement “reasonable” or “industry standard” security practices, defend against well-known security threats, put in place basic security measures, or take many other basic data security steps. And despite challengers arguing that the FTC provided insufficient notice before pursuing these actions or that the actions otherwise exceeded the FTC’s Section 5 enforcement authority, the Commission generally has a track record of successfully defending its prerogatives. (more…)

11 June 2018

State Activity on Privacy: Vermont Is First to Regulate Data Brokers

Although the prospect of federal legislation on data privacy remains uncertain, states appear to be stepping up the range of their activity on privacy and security.  Washington State notably adopted a law on net neutrality and there is the prospect of a ballot initiative in California that would give individuals the right to know which categories of their or their children’s personal data have been collected or traded by businesses.  Though Vermont is one of the smallest states, it has been active in privacy regulation and, on May 22, 2018, enacted the first state-level measure aimed at data brokers.  (more…)

05 June 2018

President Trump Signs Financial Services Regulatory Reform Legislation

On May 24, 2018, President Donald Trump signed into law the Economic Growth, Regulatory Relief, and Consumer Protection Act (the Act). The Act is effective immediately except as otherwise stated in certain provisions.

The Act makes many significant modifications to the postcrisis financial regulatory framework, although it leaves the core of that framework intact.

One major consequence of the Act may be an increased potential for mergers, acquisitions and organic growth among regional and midsize banks, as well as community banks, because of provisions that increase the thresholds that must be met before various financial regulatory requirements apply.

(more…)

24 May 2018

GDPR Day is Here!

Whether you are marking today with a glass of champagne, a shot of whiskey, or a hot cup of tea, today marks a significant day for privacy professionals world-wide.

Here’s to all of the privacy professionals who have put in so many hours to prepare for the GDPR, fully effective as of Friday May 25, 2018 at midnight in Brussels; that is 6 PM eastern on Thursday, May 24th for toasting purposes.

For business executives, policymakers, and consumers who have become aware of the GDPR in recent weeks and are interested in learning more, visit our GDPR resource page here.

11 May 2018

Arizona Updates Data Breach Law

Changes to data breach notification laws continue to pop up across the country this Spring.  The latest comes from a new law signed by Arizona Governor Doug Ducey that amends the state’s data breach standards.  Although much of the Arizona law has remained the same, the new law updates a few key provisions, including the definition of personal information, the requirements for the content of the data breach notice, the timing of notice, and the capping of penalties.  (more…)

23 April 2018

An Approach to Cybersecurity Risk Oversight for Corporate Directors

*This article first appeared in In-House Defense Quarterly on April 3, 2018

The growing volume and severity of cyber-attacks directed against public companies has caught the attention of federal regulators and investors. Recent guidance from the Securities and Exchange Commission (SEC) on disclosure and enforcement actions by the Federal Trade Commission (FTC) make clear that cybersecurity is no longer a niche topic, but a concern significant enough to warrant the oversight of corporate boards of directors. A high-profile cyber incident may cause substantial financial and reputational losses to an organization, including the disruption of corporate business processes, destruction or theft of critical data assets, loss of goodwill, and shareholder and consumer litigation. More and more, directors are viewing cyber-risk under the broader umbrella of corporate strategy and searching for ways to help mitigate that risk. Increasingly, thought leaders, professional organizations, and government agencies are beginning to provide answers. (more…)

30 March 2018

Alabama Passes Data Breach Notification Law; Breach Laws Now on the Books in All 50 States

And then there were none. Alabama has joined the ranks of the other 49 states with breach notification requirements by enacting the Alabama Data Breach Notification Act of 2018 (the “Act”). The Act, which was signed into law by Alabama Governor Kay Ivey on March 28, 2018, requires companies to provide Alabama residents with notification of a breach within 45 days of discovery. Notification is triggered by a determination of a breach that poses a risk of harm to impacted individuals. Alabama exempts from the definition of breach the good faith acquisition of sensitive personally identifying information by an employee or agent of a covered entity, unless the information is used for a purpose unrelated to the business or subject to further unauthorized use. Companies must notify the state AG in the same period if the breach requires notification of more than 1,000 “individuals” (defined as Alabama residents whose “sensitive personally identifiable information” was, or is reasonably believed to have been, accessed as a result of the breach). In addition, if more than 1,000 individuals are notified at a single time, companies must provide notice to consumer reporting agencies “without unreasonable delay.” Third parties who are contracted to process sensitive personally identifiable information must provide notice of a breach to the owner of that information within ten days of discovering the breach. Notice from a third party then triggers the 45-day notification period for the covered entity.

(more…)

26 March 2018

South Dakota Becomes 49th State to Enact a Data Breach Notification Law

On March 21, Governor Daugaard of South Dakota signed SB 62, making South Dakota the 49th state to enact a data breach notification statute (leaving only Alabama without a state data breach law).  South Dakota’s attorney general issued a statement after the law was signed, observing that the connected economy comes with “an increased risk of theft and fraud,” and “we need the tools to combat these breaches and thefts of our personal information.” (more…)

13 February 2018

SEC Office of Compliance Inspections and Examinations Publishes 2018 Exam Priorities

On February 7, 2018, the Office of Compliance Inspections and Examinations (OCIE) of the U.S. Securities and Exchange Commission (the Commission) released its annual National Exam Program Examination Priorities (Exam Priorities). As has been widely reported, the Exam Priorities’ general focus areas include:

  • retail investors
  • compliance and risks in critical market infrastructure
  • oversight of the Financial Industry Regulatory Authority (FINRA) and Municipal Securities Rulemaking Board (MSRB)
  • cybersecurity
  • anti-money laundering (AML) programs

The majority of these Exam Priorities are not surprising because they reflect the Commission’s continued focus on retail investors, conflicts of interest, fee disclosure, cybersecurity, cryptocurrency and AML programs. The Exam Priorities can serve as a roadmap for firms to assess their policies, procedures and compliance programs, and to prepare for OCIE exams. This post outlines and elaborates on each of the Exam Priorities. (more…)
