*This article first appeared in In-House Defense Quarterly on April 3, 2018
The growing volume and severity of cyber-attacks directed against public companies has caught the attention of federal regulators and investors. Recent guidance from the Securities and Exchange Commission (SEC) on disclosure and enforcement actions by the Federal Trade Commission (FTC) make clear that cybersecurity is no longer a niche topic, but a concern significant enough to warrant the oversight of corporate boards of directors. A high-profile cyber incident may cause substantial financial and reputational losses to an organization, including the disruption of corporate business processes, destruction or theft of critical data assets, loss of goodwill, and shareholder and consumer litigation. More and more, directors are viewing cyber-risk under the broader umbrella of corporate strategy and searching for ways to help mitigate that risk. Increasingly, thought leaders, professional organizations, and government agencies are beginning to provide answers. (more…)
Sidley hosted the firm’s fourth annual Privacy and Cybersecurity Roundtable in the DC office on Monday, March 26, 2018.
Following an introduction by Sidley partner Alan Raul, Giovanni Buttarelli, European Data Protection Supervisor, and Helen Dixon, Data Protection Commissioner for Ireland, discussed the EU General Data Protection Regulation which will go into effect on May 25, 2018. Both Helen Dixon and Giovanni Buttarelli shared their insights on preparation for, and life after May 25. Following their remarks, Sidley Partner and Privacy practice Co-Leader, Ed McNicholas (D.C.) moderated a lively discussion that included Cam Kerry, Senior Counsel (D.C./Boston) and new Sidley Partner, Wim Nauwelaerts (Brussels). (more…)
On August 15, the FTC announced that it had reached an agreement with Uber to settle allegations that the company had made deceptive claims about its privacy and data security practices. The FTC’s settlement with Uber has important implications for privacy and data security measures that companies could take, and the representations they and their employees make in these areas. It also shed greater light on what the FTC means by “reasonable data security” measures that companies should implement, and underscores the importance of maintaining a robust insider threat prevention program. (more…)
Washington, D.C. – Sidley Austin LLP is pleased to announce that Timothy J. Muris has joined the firm as senior counsel in its Antitrust/Competition practice. Mr. Muris, a former chairman of the Federal Trade Commission (FTC), has substantial experience in every aspect of antitrust enforcement as well as in key consumer protection issues, including advertising, consumer finance and privacy regulation.
On April 3, 2017, President Trump signed the bill repealing the Federal Communications Commission’s much-debated broadband privacy rules. The House of Representatives voted 215–205 to disapprove the rules, after a party-line Senate vote of 50–48. The result is that the FCC’s key rules governing internet service providers’ collection and use of consumer data, as well as data security, will not go into effect as scheduled. Moreover, the FCC will be precluded from promulgating any regulation in “substantially the same” form until a future Congress allows such action.
The U.S. Court of Appeals for the Eleventh Circuit has ordered the FTC to halt enforcement of its data security order against LabMD while LabMD challenges the action.
To recap the events leading up to this stay, a data security company allegedly obtained sensitive data from LabMD via a peer-to-peer file-sharing program. Allegedly, after LabMD refused to purchase the company’s security products, it reported the alleged data security vulnerability to the FTC. The FTC accused LabMD of unfair practices in failing to provide reasonable and appropriate security for customers’ personal information, which was allegedly likely to cause harm to customers. In 2015, an Administrative Law Judge dismissed the case, finding that the FTC failed to prove LabMD’s practices were likely to cause substantial customer injury. In July 2016, upon appeal to the full Commission, the FTC reversed the ALJ decision. Although LabMD stopped operating in 2014, the FTC nevertheless ordered LabMD to implement several information security compliance measures because the Lab still maintains medical records. LabMD appealed to the Eleventh Circuit and filed a motion to stay the FTC’s order.
On August 31, 2016, the Federal Trade Commission published “The NIST Cybersecurity Framework and the FTC” on its blog. The post describes how, in many ways, the FTC’s enforcement actions are “aligned” with the NIST Cybersecurity Framework and that many of the Commission’s enforcement actions can be analyzed under the Framework’s five core principles. The post also makes plain, however, that a company’s compliance with the Framework is not necessarily required, nor is adoption of the Framework clearly sufficient to satisfy the Commission’s requirement that companies establish “reasonable” cybersecurity practices. (more…)
The Federal Trade Commission hosted its fourth Start with Security event in Chicago, IL on June 15, 2016. This event was the latest installment of the Start with Security business education initiative launched last summer to engage in proactive outreach with the business community on information security standards and FTC expectations at a time when the FTC’s authority to reactively regulate data security was being challenged in federal court. In addition to the Start with Security events, the FTC also responded by synthesizing their 50+ data security settlements into “10 practical lessons” to guide companies looking to proactively comply with FTC data security expectations.