Categories & Search

Keeping Section 5 Alive: The FTC Brings Suit Against D-Link

The U.S. Federal Trade Commission (“FTC”) has filed suit against Taiwan-based D-Link Corporation and D-Link Systems, Inc. (collectively, “D-Link”), manufacturers and sellers of home networking devices including routers, cameras, baby monitors, and video recorders.  The lawsuit claims that D-Link failed to take reasonable steps to protect its devices from known and foreseeable risks of unauthorized access.

Go

LabMD’s 11th Circuit FTC Appeal: The Opening Shot

Firing the opening salvo in its appeal of one of the most controversial data security decisions by the U.S. Federal Trade Commission in years, LabMD accused the agency of overstepping its authority and “destroy[ing] [the] small medical testing company” in the process.

Go

Indictment Issued in Law Firm Hacks

In what New York’s top federal prosecutor called a “wake-up call for law firms around the world,” three Chinese citizens have been charged with hacking into the servers of two prominent – but unidentified – international law firms to steal confidential client information in connection with pending M&A deals

Go

Uber Riders: Choosing Convenience or Privacy

What Consumers Should Know About Uber’s New Location Settings

In a recent update to its widely used application, Uber has implemented a change in location settings that some users are not happy about.  Before the update, users could limit Uber’s ability to track their location to “only while using app.”  But the new update strips users of that option. 

Go

NYS Cyber Regulation Gets Drubbing by Industry Groups in Albany

Industry groups continued their assault yesterday on New York’s “first-in-the-nation” cybersecurity regulation by telling state lawmakers that the proposed regime was inflexible and unfairly burdened smaller institutions.

Go

“Life is Short. Have an Affair.” And Then Settle With the FTC.

Yesterday, the Federal Trade Commission (“FTC”) announced a settlement with the owners of “dating site” AshleyMadison.com, arising from a July 2015 data breach that received broad media coverage.  According to a proposed order filed in the District Court for the District of Columbia, the operators of the website are also simultaneously settling with thirteen states—including New York—and the District of Columbia.

Go

DFS Cyber Regulation Gets Public Airing in Albany

Just weeks before the Cuomo administration’s “first-in-the-nation” cybersecurity regulation is scheduled to go into effect, the New York State Assembly Standing Committee on Banks will open a public hearing on Monday, December 19th into the controversial plan to require financial institutions that operate in New York to comply with a series of strict – and in some cases, unprecedented – data security measures.
 

Go

Wake-Up Call: Law Firms in the Cybersecurity Crosshairs

Last week marked the first time a U.S. law firm was publicly named in a class action data security lawsuit.  Originally filed in April 2016, the class action complaint in Shore v. Johnson & Bell, Ltd., 16-cv-4363 (N.D. Ill.), was unsealed last week after months of back-and-forth over whether the alleged security flaws had been patched.  The complaint accuses Johnson & Bell, a mid-sized Chicago firm, of “systematically exposing confidential client information and storing client data without adequate security.”  The lawsuit makes no claim that any client information has been stolen or misused.  Even so, the filing of this complaint amplifies the risks already facing law firms – including reputational – at a time when data security is a top concern for law firms and their clients.

Go

Hints of a Narrowing of the FTC’s Section 5 Authority Under a Trump Presidency

The transition of power from President Barack Obama to President-Elect Donald Trump is underway.  Although President-Elect Trump did not lay out specific policy prescriptions about data privacy or consumer protection during his candidacy, his recent choice of Dr. Joshua D. Wright to lead transition efforts at the Federal Trade Commission provides some hints as to the direction the agency may take under a Trump administration.

Go

DFS Cyber Regulation: Part II - An Interview with Bay Dynamics’ Steven Grossman

This is the second installment in our interview with Steven Grossman, VP Strategy & Enablement at Bay Dynamics, the cyber risk analytics company.  Here, Steven discusses the importance of aligning an institution’s risk profile with its cybersecurity plan and recommendations for bridging the gap between IT and the boardroom. 

Go

DFS Cyber Regulation: Changing the Rules - An Interview with Bay Dynamics’ Steven Grossman

As part of Patterson Belknap’s continuing focus on the New York Department of Financial Services (DFS) proposed cybersecurity regulation, we sat down with Steven Grossman, VP Strategy & Enablement at Bay Dynamics, a cyber risk analytics company, to talk about cybersecurity in a highly regulated environment.  In the first installment of our 2-part interview with Steven, he discusses implementation of the new regulation and the fact that organizations shouldn’t confuse regulatory compliance with effective cybersecurity planning and strategy.

Go

Law Firms and Vendors Mandated to Up Their Cyber Game: Final Installment in a 3-Part Series

This is our final installment in a three-part series examining the New York State Department of Financial Services (“DFS”) new cybersecurity regulation.  In this installment, we provide an overview of the regulation’s impact on third-party vendors and business partners, including law firms.

Go

Cyber Regulation Demands Board Accountability: Part 2 in a 3-Part Series

This is our second installment in a three-part series examining the New York State Department of Financial Services (“DFS”) new cybersecurity regulation.  In this installment, we provide an overview of the regulation’s impact on corporate governance and the scope of liability for corporate boards.

Go

When Using a Computer Becomes a Crime, Part Two: ACLU, Facebook Weigh In on Ninth Circuit’s Answer

The Electronic Frontier Foundation (“EFF”) and the American Civil Liberties Union (“ACLU”) have weighed in on Facebook’s high-profile dispute with a social media aggregation company over whether it had unlawfully accessed Facebook’s computers.  The EFF and ACLU warned the Ninth Circuit that the panel’s ruling for Facebook risks chilling important investigations and makes “potential criminals out of millions of ordinary Americans on the basis of innocuous online behavior.”  The case is Facebook, Inc. v. Power Ventures, Inc., No. 13-17102. 

Go

Unpacking New York’s Cybersecurity Regulation: Part 1 in a 3-Part Series

This is the first installment in a three-part series examining the New York State Department of Financial Services (“DFS”) new cybersecurity regulation.  The Patterson Belknap Privacy and Data Security Team has studied the regulation, its legislative and regulatory underpinnings, and practical consequences.

Go

LabMD Scores Early Win in FTC Appeal

The fight between the Federal Trade Commission and LabMD, the defunct medical testing lab, entered a new chapter late yesterday.  In a 13-page ruling, the U.S. Court of Appeals for the Eleventh Circuit said that LabMD’s appeal presented “a serious legal question” as to the Commission’s interpretation of Section 5 of the FTC Act and that any enforcement of the agency’s order should be stayed until the appellate process had run its course.

Go

China’s Controversial New Cybersecurity Law

Earlier today, the Chinese government in Beijing approved a sweeping new cybersecurity law aimed at centralizing control over computer networks operating within China’s borders.  An unofficial English translation of the newly-enacted law is available here

Go

Cybersecurity Advice from President Obama

We’re writing this week to highlight some of the ways in which President Obama’s evolving views on cybersecurity can help guide corporate governance on this increasingly important subject.  In an interview with Wired Magazine, the President admitted that he is rethinking his own view on cybercrime: comparing it to a “pandemic” no longer addressed by traditional means such as the latest and greatest defensive technologies

Go

FinCEN Issues Advisory on the Reporting of Cyber-Events and Cyber-Enabled Crimes

The Financial Crimes Enforcement Network, or FinCEN, an arm of the United States Department of the Treasury, issued an advisory last week to remind financial institutions of their obligations to report cyber-events on Suspicious Activity Reports (SARs).  While FinCEN emphasizes that its advisory does not change existing reporting requirements, it goes to lengths to discuss its “expectations” about what and how information will be reported when it comes to cybersecurity events.

Go

A Long Road Ahead: Data Privacy and the Self-Driving Car

America has had a longstanding love affair with the automobile, as a manifestation of innovation and independence.  The next chapter is likely the advent of the (fully or partially) autonomous vehicle.

Go

New York DFS Proposes New Cybersecurity Regulations

Earlier this month, the New York State Department of Financial Services (“DFS”) announced proposed cybersecurity regulations for financial institutions.  This proposal is, according to Governor Cuomo, a “new first-in-the-nation regulation” that is designed to protect financial institutions and their consumers. The proposed regulations are not a surprise.  Late last year, the DFS announced its intention to issue...
Go

Galaria v. Nationwide: Data Breach Plaintiffs Standing Strong in the Sixth

This week, in the first post-Spokeo circuit court decision to address standing in a data breach class action, the Sixth Circuit joined the Seventh Circuit in holding that plaintiffs whose sensitive personal information has been obtained by hackers have Article III standing to sue based on the risk of future fraud and identity theft.

Go

Banner Health Suits Raise Significant Questions for Data Breach Class Actions

Banner Health recently announced that hackers may have gained “unauthorized access to patient information” and “payment card data” from approximately 3.7 million patients, health plan members, food and beverage customers, and physicians.  The breach has been reported as the largest for a hospital in 2016. 

Go

Asset Protection Wake Up Call: Data Security Top Concern for High Net Worth Investors

A recent study asked high net worth investors which of the following issues they were most concerned about: terrorism, data security, or a major illness.  The most prevalent response might surprise you.  Seventy-two percent of the investors surveyed ranked data security as their top concern, followed by terrorism and then a major illness.

Go

Post-Spokeo Standing: An Evolving Landscape

Several recent federal court decisions have added guidance on the still-unsettled question of when a plaintiff has Article III standing to sue based on a data breach or other data security or privacy event.  These cases—Attias v. CareFirst, Inc. (D.D.C.), Wood v. J. Choo USA, Inc. (S.D. Fla.), and Guarisma v. Microsoft (S.D. Fla.)—offer somewhat mixed guidance for defendants in class action privacy-related lawsuits looking to use a standing challenge as a quick escape.

Go

Craig A. Newman will moderate “Preparing a Cybercrime Incident Response Plan” at the ILTACON 2016 Annual Educational Conference on August 29th in Washington, D.C.

Craig A. Newman will moderate “Preparing a Cybercrime Incident Response Plan” at the ILTACON 2016 Annual Educational Conference on August 29th in Washington, D.C.  ILTACON is the annual conference for law firms and legal departments sponsored by the International Legal Technology Association.  Meticulous and thoughtful planning is required when putting together an organization’s data breach incident response plan, especially in today’s environment.  Craig will lead a panel of data security experts in walking through case studies of data security breaches with a special focus on doing so in a way that manages an organization’s litigation, governance and regulatory risk.  For additional information, please visit the event website.

Go

When Is Using a Computer a Crime? Rehearing Sought on Ninth Circuit’s “Distressingly Unclear” Answer

Facebook recently won a landmark victory in the Ninth Circuit against a company that accessed Facebook’s computers to help users manage their social network accounts.  Now the company, Power Ventures, Inc., says that the Ninth Circuit’s decision risks creating “widespread confusion” about when it is a crime to use a computer to access a website.

Go

Pokémon GO Exposes Risks of Bring-Your-Own-Device (BYOD) Policies

There’s no denying it: Pokémon GO is a phenomenon. 

The smartphone game, in which players use their mobile device camera and GPS to capture, battle, and train virtual creatures, was released in the United States on July 6th.  In a month, it has shot to the top of the App Store charts to become the biggest mobile game in U.S. history.  Within just days of its release, Pokémon GO already had surpassed app giants like Twitter and Tinder in number of downloads and active users, with more than 25 million users playing each day.

Go

HSS Issues New Guidance on Ransomware Attacks Against HIPAA-Covered Entities

Ransomware attacks at hospitals and other healthcare facilities have dramatically increased over the last several years, putting healthcare providers in the uncomfortable position of having to consider paying thousands of dollars to regain access to vital medical records.  Indeed, one recent study concluded that hospitals are hit with 88% of all ransomware attacks nationwide.

Go

FTC Slaps Down ALJ’s Data Security Ruling in LabMD, Sets Broad Mandate for Protection of “Sensitive” Consumer Data

In a sweeping statement of its data security expectations for organizations that maintain consumer information, the Federal Trade Commission on Friday found that LabMD, the defunct medical testing lab, failed to employ adequate data security safeguards in violation of Section 5 of the FTC Act, even though there was no indication that any information had been misused or compromised.

Go

On the Move and At Risk: Safeguards for Mitigating Mobile Device Vulnerabilities While Traveling Overseas

Employees use their smartphones as a key tool for accessing information during a work day – especially when outside the office and traveling on business.  While smartphones, tablets, laptops and other devices may increase productivity by facilitating work flow and communications, a wireless mobile device and related data may be exploited by cybercriminals, and this risk increases significantly when overseas.  Organizations often overlook this increased vulnerability to business, customer, and client data when personnel use their mobile devices to conduct business while travelling outside the United States.  Organizations can mitigate the risk of compromising confidential information, intellectual property, and other sensitive data by adopting best practices for personnel travelling in other countries.

Go

Federal Regulators Focus on Minimum Cyber Standards For Banks

A new set of federal banking regulations are on the horizon aimed at helping financial institutions put in place minimum compliance standards to prevent future cyber-attacks.  Bloomberg Law has reported that the Federal Reserve, along with the Office of the Comptroller of Currency (“OCC”) and the Federal Deposit Insurance Corp. (“FDIC”), are working together to develop the standards.  

Go

Target Corp. Shareholders Walk Away from Derivative Lawsuits

The leadership team at Target Corp. has one less legal claim to worry about today from the company’s headline-making 2013 data breach.  And in an unusual twist, the shareholders who filed a series of derivative actions against Target’s directors and officers have waived the symbolic “white flag” by agreeing that the cases could be dropped so long as they were able to come back to Court to recover their legal fees.

Go

International Cyber Recommendations for the Financial Market: Collaboration is the Name of the Game

On June 29, 2016, the Bank for International Settlements’ (BIS) Committee on Payments and Market Infrastructures (CPMI) and the Board of the International Organization of Securities Commissions (IOSCO) issued “Guidance on cyber resilience for financial market infrastructures” (Cyber Guidance), the first set of concrete recommendations following the 2012 CPMI-IOSCO Principles for Financial Market Infrastructure (PFMI). 

Go

Lessons from LinkedIn: Privacy and Data Security Representations in the M&A Context

Microsoft’s blockbuster acquisition of LinkedIn earlier this month—a deal where concerns for privacy and data security loomed large—provides a glimpse into the growing trend of including separate privacy and data security representations in merger and acquisition agreements.  Because the trend is so recent, there is no consensus or standard practice at this point for drafting these representations.  The LinkedIn privacy and data security representation is a good example of the evolving nature of these representations.

Go