Categories & Search

Industry: Tax-Exempt Organizations

Second Circuit Court of Appeals Denies Rehearing in Microsoft Case

Back in December 2013, a U.S. magistrate issued a seemingly routine warrant in a narcotics case demanding that Microsoft turn over messages from a customer’s email account that resided on a server in Ireland.  That warrant, which issued under a 1986 law called the Stored Communications Act (“SCA”), 18 U.S.C. § 2703, is still being debated today.

Go

FTC Slaps Down ALJ’s Data Security Ruling in LabMD, Sets Broad Mandate for Protection of “Sensitive” Consumer Data

In a sweeping statement of its data security expectations for organizations that maintain consumer information, the Federal Trade Commission on Friday found that LabMD, the defunct medical testing lab, failed to employ adequate data security safeguards in violation of Section 5 of the FTC Act, even though there was no indication that any information had been misused or compromised.

Go

The Paper Trail: The Potential Data-Breach Sitting in your Printer

In April 2016, the sensitive personal medical information of NFL players was stolen from the car of a trainer who had left the files in a backpack in his locked car.  In 2014, Safeway, Inc. settled charges brought by the State of California stemming from an investigation concerning the improper disposal of hard copies of customer information.  In 2014, an insurance company was exposed when maintenance workers who were supposed to move four boxes of member records between floors, instead threw them out.  In 2011, sensitive information regarding an NYPD task force was found in a Manhattan trash can.

Go

LabMD’s Waiting Game: Lingering Questions over FTC’s Authority in Data Security Matters

A contentious legal battle over data security between the Federal Trade Commission and LabMD, a small medical testing lab, is chronicled in the latest edition of Bloomberg Businessweek.  Dune Lawrence’s report raises lingering questions about the FTC’s prosecution of a now-defunct company, tampered evidence and regulatory overreach.

Go

Federal Appeals Court Set to Issue One of the Most Important Privacy Rulings in a Generation

For months, the technology and business communities have been waiting anxiously for a Federal appeals court ruling on whether American companies can be forced to turn over customer information to U.S. law enforcement when that information is stored on servers abroad.  It’s the result of a legal appeal filed last year by Microsoft Corporation that was argued before the U.S. Court of Appeals for the Second Circuit more than seven months ago.

Go

Traditional General Liability Policy Covers Medical Records Mishap

A U.S. appeals court yesterday held that a traditional corporate general liability policy triggered an insurer’s duty to defend a class action lawsuit alleging that a medical records company failed to properly secure patient records on its server.

Go

On the Front Lines of Cybersecurity: The Corporate Challenge

Recent surveys tell us that cybersecurity is the top risk faced by corporate America.  The Bank Director’s 2016 Risk Practices survey – out yesterday – disclosed that three quarters of bank executives and board members believe cybersecurity is their top concern.  And their general counsel agree.  In another recent study, general counsel said that cybersecurity was their top area of organizational risk as well.

Go

Are You Adequately Protected by Your Cybersecurity Insurance? The Sky is the Sub-Limit

For businesses and nonprofit organizations searching for cyber insurance, it is important to know if your coverage limits are adequate.  Whether you are in the market for a new policy or renewing an existing one, you should explore whether your policy has a “sub-limit” that places limitations on your losses and liabilities that may be covered.

Go

FTC Reviews Case Over Legal Standard For Data Security Enforcement Action

Faced with the prospect of overturning a decision by one of its own administrative law judges, the Federal Trade Commission on Tuesday explored ways in which to render a narrow decision.  The argument was the most recent chapter in the long running data security enforcement action against LabMD, the now defunct medical testing laboratory.

Go

The Privilege of PR: Application of the Attorney-Client Privilege to Crisis Communications and Public Relations in Breach Response Planning

Cyber-attacks have become a matter of everyday reality for all businesses: regardless of industry or size, it is no longer if a data breach will happen, but when.  And waiting for a breach to occur before designing and implementing a cyber incidence response plan is generally a recipe for disaster.  

Go

FTC Blasted in LabMD Data Security Case

In a long-running and highly contentious data security enforcement action against LabMD, a small medical testing laboratory, the Federal Trade Commission was handed a stunning defeat late Friday.  In a 92-page Initial Decision, Chief Administrative Law Judge D. Michael Chappell dismissed the FTC’s case against LabMD – after a full administrative trial – based on the Commission’s failure to prove it was “likely” that consumers had been substantially injured in two alleged data security incidents dating back nearly seven years.

Go

Steering Clear of Broken Promises

With last week’s ruling by the Third Circuit Court of Appeals in FTC v. Wyndham Worldwide Corp. solidifying the Federal Trade Commission’s authority to enforce data security practices, organizations that use online computers to store customer information should take notice.  Since 2005, the FTC has stepped up its enforcement efforts and has entered into more than 50 consent decrees relating to cybersecurity matters.  

Go

Third Circuit Affirms FTC’s Authority Over Companies’ Cybersecurity Practices

In a test of the Federal Trade Commission’s authority to police cybersecurity, the Third Circuit Court of Appeals yesterday ruled that the agency has broad power to take action against private sector companies which fail to take adequate steps to protect customer data.

In Federal Trade Commission v. Wyndham Worldwide Corporation, the Third Circuit upheld the FTC’s authority to pursue a lawsuit against the hotel and resort chain based on allegations that it failed to maintain reasonable data security standards.  After three successful cyber-attacks on Wyndham’s computer networks led to the theft of thousands of customers’ records, the FTC sued Wyndham in federal court, alleging that Wyndham’s cybersecurity practices were “unfair and deceptive trade practices.”  The district court denied Wyndham’s motion to dismiss, finding that the Commission had the authority to regulate data security practices.  On appeal, the Third Circuit affirmed the district court’s ruling, holding that the unfairness prong of Section 5 of the FTC Act authorized the FTC to bring enforcement actions for lax data security practices.

This is the first federal appellate decision finding that the FTC has broad cybersecurity enforcement authority under Section 5 of the FTC Act.  Since 2005, the FTC has settled 53 cases against companies related to data security.  Wyndham is one of two companies to challenge the FTC’s authority in this area.  The ruling opens the door for the FTC to commence additional enforcement actions against companies that do not employ reasonable data security practices, especially at a time when Congress has failed to pass comprehensive data security legislation.

Go

Nonprofits and Cybersecurity: Understanding and Managing the Risks of Cyber Threats

With cybercrime striking everywhere from government agencies to Major League Baseball, each new hack is making headlines, launching inquiries, and triggering lawsuits.  Although most of the focus has been on private sector companies and governmental agencies, nonprofit organizations are not exempt (no pun intended) from cyber threats or their consequences.  And sadly, it’s only getting worse.

Go