Categories & Search

Category: In the News

11th Circuit Hears Oral Argument in LabMD Case

Yesterday morning, the United States Court of Appeals for the Eleventh Circuit, sitting in Miami, heard oral argument in the case of LabMD, Inc. v. Federal Trade Commission, No. 16-16270.

For purposes of this post, we presume readers are familiar with this case, which we’ve blogged about extensively since the Federal Trade Commission lodged an Administrative Complaint against LabMD back in 2013.  Briefly, the core question on appeal is whether the FTC overstepped its authority under Section 5(n) of the Federal Trade Commission Act (codified at 15 U.S.C. § 45(n)) when it initiated an enforcement action against LabMD, a Georgia medical testing lab, after certain patient data files were apparently misappropriated, but no patent data actually fell into the wrong hands, and no individual patient suffered any cognizable injury, such as identity theft.

Go

A question of harm: LabMD to face off with FTC at 11th Circuit

In a consequential test of the Federal Trade Commission’s authority as a data security regulator, the U.S. Court of Appeals for the Eleventh Circuit will hear argument tomorrow in a case that will determine whether the agency must show a concrete consumer injury as an element of an enforcement action, just as private plaintiffs have been required to do for years.

Go

NYS Cyber Regulation Countdown: Continuous Monitoring

In our series of posts leading up to the August 28th deadline for the first phase of requirements under New York’s cybersecurity regulation, the Patterson Belknap team looks at issues that institutions face as they implement the new rules.

In complying with the New York State Department of Financial Services (DFS) cybersecurity regulation, financial institutions have a choice.  They can either employ “continuous monitoring” or, instead, conduct annual “penetration testing” and bi-annual “vulnerability assessments.”

Go

DFS Cyber Compliance Nightmare?

New survey reports less than half of financial firms will meet deadline

A new survey by the Ponemon Institute reports that less than half of the financial institutions covered by New York’s sweeping new cybersecurity regulation say they will “likely” meet next February’s compliance deadline. And even more stunning is the fact that only 13% of those institutions surveyed reported “with certainty” that they would be in full compliance with the regulation by next year.

Go

NYS Cyber Regulation Countdown: “Risk Assessment” – Now or Later?

In our series of posts leading up to the August 28th deadline for the first phase of requirements under New York’s cybersecurity regulation, the Patterson Belknap team looks at issues that institutions face as they implement the new rules.

Go

Ninety Days and Counting: NY Cyber Regulation’s First Deadline

Faced with an approaching August 28th deadline, the more than 3,000 financial institutions that do business in New York should be knee-deep in implementing the first wave of requirements under the State’s sweeping and unprecedented cybersecurity regulation.

Go

The Computer Fraud and Abuse Act Will Need To Wait Another Day In New York’s Commercial Division

Justice Shirley Kornreich recently issued one of the few New York state court decisions  that address the Computer Fraud and Abuse Act (“CFAA”).  Spec Simple, Inc. v. Designer Pages Online LLC,  No. 651860/2015, 2017 BL 160865 (N.Y. Sup. Ct. May 10, 2017).  The CFAA criminalizes both accessing a computer without authorization and exceeding authorized access and thereby obtaining information from any protected computer.  Id. at *3 (citing 18 U.S.C. § 1030(a)(2)(C)). The CFAA also provides a civil cause of action to any person who suffers damage or loss because of a violation of the CFAA.  Id. at *4 (citing 18 U.S.C. § 1030(g)).  As discussed below, the decision provides a helpful look into the interpretation of CFAA claims in the future.

Go

The Tanium Affair Reminds Us That Cybersecurity Risks Are Everywhere

The Wall Street Journal recently reported that well-known cybersecurity startup Tanium, Inc. had been inadvertently exposing one of its clients’ sensitive data during product demonstrations.  Unbeknownst to the Tanium client—the non-profit El Camino Hospital, in Santa Clara County, California—Tanium had been giving prospective customers a look inside of El Camino’s secure network to show how well its cybersecurity software worked.  Not only did Tanium give the presentation “hundreds of times,” it also posted videos of the demonstration on its public website.  All of this was without El Camino’s permission.

Go

Colorado Regulator Proposes New Cybersecurity Rules for Financial Institutions

Increasingly, states are enacting cybersecurity regulations for financial institutions and investment advisors. Following New York’s groundbreaking regulation (which we have covered in detail here), Colorado recently proposed changes to its state securities act that would impose new cybersecurity requirements on broker-dealers and investment advisors that operate in the state. 

Go

Digital Divide Deepens: Tech Community Backs Second Circuit in Clash with Magistrates over Reach of U.S. Warrants

The technology community took aim at a recent federal magistrate’s ruling that ordered Google Inc. to comply with search warrants seeking customer emails stored on servers abroad, calling the decision “an impermissible extraterritorial application of U.S. law.” In rejecting a recent federal appeals court decision in a similar case in favor of Microsoft Corp., U.S. Magistrate Thomas J. Reuter in Philadelphia ruled that transferring emails from a foreign server to the U.S. was not tantamount to a seizure beyond American borders. The technology companies urged the court to reject the “fiction that such a foreign search and seizure is a domestic act….”

Go

Final DFS Cybersecurity Regulation Issued

New York’s Department of Financial Services issued its final Cybersecurity Regulation last night with an effective date of March 1, 2017. For a comparison between the previous proposal and the final regulation, please click here.

Go

Third Circuit Finds FCRA Violation Alone Confers Standing for Data Breach Suit

The United States Court of Appeals for the Third Circuit recently ruled that a data breach class action may proceed on the basis of a Fair Credit Reporting Act (FCRA) violation alone, even where the putative class members do not allege that they were actually harmed by the breach.  The ruling, which both relies on and distinguishes the Supreme Court’s recent analysis of FCRA standing in Spokeo v. Robins, suggests that at least in the Third Circuit, “injury” from a data breach may be presumed from the fact of the breach itself.  This, in turn, could have the effect of expanding potential liability for any consumer-facing entity that suffers a breach.

Go

Ajit Pai and the FCC’s Role in ISP Privacy Regulation under President Trump

On January 23, 2017, President Donald Trump named Ajit Pai as Chairman of the Federal Communications Commission (FCC).  In his previous role as the senior Republican on the FCC under President Barack Obama, Mr. Pai was an outspoken critic of the agency’s decision to assert jurisdiction over Internet Service Providers (“ISPs”) and its rules governing broadband privacy.  Pai’s appointment suggests that significant changes may be on the horizon.

Go

Second Circuit Court of Appeals Denies Rehearing in Microsoft Case

Back in December 2013, a U.S. magistrate issued a seemingly routine warrant in a narcotics case demanding that Microsoft turn over messages from a customer’s email account that resided on a server in Ireland.  That warrant, which issued under a 1986 law called the Stored Communications Act (“SCA”), 18 U.S.C. § 2703, is still being debated today.

Go

LabMD’s 11th Circuit FTC Appeal: The Opening Shot

Firing the opening salvo in its appeal of one of the most controversial data security decisions by the U.S. Federal Trade Commission in years, LabMD accused the agency of overstepping its authority and “destroy[ing] [the] small medical testing company” in the process.

Go

Indictment Issued in Law Firm Hacks

In what New York’s top federal prosecutor called a “wake-up call for law firms around the world,” three Chinese citizens have been charged with hacking into the servers of two prominent – but unidentified – international law firms to steal confidential client information in connection with pending M&A deals

Go

Uber Riders: Choosing Convenience or Privacy

What Consumers Should Know About Uber’s New Location Settings

In a recent update to its widely used application, Uber has implemented a change in location settings that some users are not happy about.  Before the update, users could limit Uber’s ability to track their location to “only while using app.”  But the new update strips users of that option. 

Go

NYS Cyber Regulation Gets Drubbing by Industry Groups in Albany

Industry groups continued their assault yesterday on New York’s “first-in-the-nation” cybersecurity regulation by telling state lawmakers that the proposed regime was inflexible and unfairly burdened smaller institutions.

Go

“Life is Short. Have an Affair.” And Then Settle With the FTC.

Yesterday, the Federal Trade Commission (“FTC”) announced a settlement with the owners of “dating site” AshleyMadison.com, arising from a July 2015 data breach that received broad media coverage.  According to a proposed order filed in the District Court for the District of Columbia, the operators of the website are also simultaneously settling with thirteen states—including New York—and the District of Columbia.

Go

DFS Cyber Regulation Gets Public Airing in Albany

Just weeks before the Cuomo administration’s “first-in-the-nation” cybersecurity regulation is scheduled to go into effect, the New York State Assembly Standing Committee on Banks will open a public hearing on Monday, December 19th into the controversial plan to require financial institutions that operate in New York to comply with a series of strict – and in some cases, unprecedented – data security measures.
 

Go

Wake-Up Call: Law Firms in the Cybersecurity Crosshairs

Last week marked the first time a U.S. law firm was publicly named in a class action data security lawsuit.  Originally filed in April 2016, the class action complaint in Shore v. Johnson & Bell, Ltd., 16-cv-4363 (N.D. Ill.), was unsealed last week after months of back-and-forth over whether the alleged security flaws had been patched.  The complaint accuses Johnson & Bell, a mid-sized Chicago firm, of “systematically exposing confidential client information and storing client data without adequate security.”  The lawsuit makes no claim that any client information has been stolen or misused.  Even so, the filing of this complaint amplifies the risks already facing law firms – including reputational – at a time when data security is a top concern for law firms and their clients.

Go

Hints of a Narrowing of the FTC’s Section 5 Authority Under a Trump Presidency

The transition of power from President Barack Obama to President-Elect Donald Trump is underway.  Although President-Elect Trump did not lay out specific policy prescriptions about data privacy or consumer protection during his candidacy, his recent choice of Dr. Joshua D. Wright to lead transition efforts at the Federal Trade Commission provides some hints as to the direction the agency may take under a Trump administration.

Go

DFS Cyber Regulation: Part II - An Interview with Bay Dynamics’ Steven Grossman

This is the second installment in our interview with Steven Grossman, VP Strategy & Enablement at Bay Dynamics, the cyber risk analytics company.  Here, Steven discusses the importance of aligning an institution’s risk profile with its cybersecurity plan and recommendations for bridging the gap between IT and the boardroom. 

Go

DFS Cyber Regulation: Changing the Rules - An Interview with Bay Dynamics’ Steven Grossman

As part of Patterson Belknap’s continuing focus on the New York Department of Financial Services (DFS) proposed cybersecurity regulation, we sat down with Steven Grossman, VP Strategy & Enablement at Bay Dynamics, a cyber risk analytics company, to talk about cybersecurity in a highly regulated environment.  In the first installment of our 2-part interview with Steven, he discusses implementation of the new regulation and the fact that organizations shouldn’t confuse regulatory compliance with effective cybersecurity planning and strategy.

Go

Law Firms and Vendors Mandated to Up Their Cyber Game: Final Installment in a 3-Part Series

This is our final installment in a three-part series examining the New York State Department of Financial Services (“DFS”) new cybersecurity regulation.  In this installment, we provide an overview of the regulation’s impact on third-party vendors and business partners, including law firms.

Go

Cyber Regulation Demands Board Accountability: Part 2 in a 3-Part Series

This is our second installment in a three-part series examining the New York State Department of Financial Services (“DFS”) new cybersecurity regulation.  In this installment, we provide an overview of the regulation’s impact on corporate governance and the scope of liability for corporate boards.

Go

Unpacking New York’s Cybersecurity Regulation: Part 1 in a 3-Part Series

This is the first installment in a three-part series examining the New York State Department of Financial Services (“DFS”) new cybersecurity regulation.  The Patterson Belknap Privacy and Data Security Team has studied the regulation, its legislative and regulatory underpinnings, and practical consequences.

Go

LabMD Scores Early Win in FTC Appeal

The fight between the Federal Trade Commission and LabMD, the defunct medical testing lab, entered a new chapter late yesterday.  In a 13-page ruling, the U.S. Court of Appeals for the Eleventh Circuit said that LabMD’s appeal presented “a serious legal question” as to the Commission’s interpretation of Section 5 of the FTC Act and that any enforcement of the agency’s order should be stayed until the appellate process had run its course.

Go

China’s Controversial New Cybersecurity Law

Earlier today, the Chinese government in Beijing approved a sweeping new cybersecurity law aimed at centralizing control over computer networks operating within China’s borders.  An unofficial English translation of the newly-enacted law is available here

Go

Cybersecurity Advice from President Obama

We’re writing this week to highlight some of the ways in which President Obama’s evolving views on cybersecurity can help guide corporate governance on this increasingly important subject.  In an interview with Wired Magazine, the President admitted that he is rethinking his own view on cybercrime: comparing it to a “pandemic” no longer addressed by traditional means such as the latest and greatest defensive technologies

Go

FinCEN Issues Advisory on the Reporting of Cyber-Events and Cyber-Enabled Crimes

The Financial Crimes Enforcement Network, or FinCEN, an arm of the United States Department of the Treasury, issued an advisory last week to remind financial institutions of their obligations to report cyber-events on Suspicious Activity Reports (SARs).  While FinCEN emphasizes that its advisory does not change existing reporting requirements, it goes to lengths to discuss its “expectations” about what and how information will be reported when it comes to cybersecurity events.

Go