On February 26, 2019, the Federal Trade Commission’s (FTC) Bureau of Competition announced a new Technology Task Force, which will monitor anticompetitive conduct in U.S. technology markets “to ensure consumers benefit from free and fair competition.” With the consumer protection agency already a chief arbiter of privacy enforcement in the tech sector, the new task force increases the likelihood that the convergence between competition and consumer protection policy, which began in earnest at the dawn of the current century, is gaining momentum.

German approach. The announcement comes just a few weeks after Germany’s antitrust regulator used its competition authority to enforce principles of data privacy and processing. On February 7, 2019, the Bundeskartellamt issued a decision against Facebook, ruling that the practice of combining user personal data from different sources by a dominant market participant violated EU data protection law. This was a noteworthy decision from a competition authority being influenced by and seeking to enforce the General Data Protection Regulation, which would otherwise be enforced by data protection authorities. The decision is not yet final, but if upheld it could have the notable impact of limiting the data footprint used to inform advertising, and may influence regulators’ willingness to use competition law to buttress limitations placed on the flexibility of data collectors and processors. Please see our previous client alert on the Facebook ruling. If this approach informs the FTC’s position on competition and privacy enforcement, it could extend a trend of regulators outside the data protection sphere using broader authority as a bridge to enforce privacy issues against companies they view to have a dominant market position.

Continue Reading In privacy we (anti)trust: Regulators worldwide consider competition law as tool for consumer protection

China’s National Information Security Standardization Technical Committee issued draft amendments (Amendments) to the standards that govern the protection of personal information, “Information Security Technology – Personal Information Security Specification” (Standards, effective May 1, 2018) on February 1, 2019. The Standards provide guidance on interpreting China’s Cybersecurity Law (CSL) and set out best practices for the

On November 13, 2018, the U.S. Department of Commerce’s National Telecommunications and Information Administration (NTIA) released comments it received from over 200 government, non-profit, academic, and private sector organizations on developing the Administration’s approach to consumer privacy.[1]

Since September, the NTIA has sought public comments to specifically address a number of questions that focused on the outcomes, goals, risks, and implementation of its proposed high-level framework for consumer privacy protection. The Administration’s framework articulated a set of organizational practices focused on data transparency, minimization of collection, the storage, use, and sharing of data, security, and risk management, in addition to broader goals to reconcile a disparate regulatory patchwork and ensure that resources for privacy protections and enforcement are properly allocated. If a few of these concepts sound familiar, it’s because they loosely mirror elements of existing privacy frameworks established at the industry, state, and international levels, and the sources and arbiters of those frameworks took this opportunity to urge the Administration to follow these examples more closely. As the Executive Branch agency principally responsible by law for advising the president on information policy issues, the goal of the NTIA’s request for comment is to inform the Administration’s approach to consumer privacy. As such, the Administration’s consideration and reaction to the comments received is likely to affect future discussions and proposals in the ongoing debate regarding federal privacy legislation. As expected, many of the comments are framed against the backdrop of recent, related changes in law, with particular focus on the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Here, we summarize some of the significant comments and proposals received by the NTIA.

Continue Reading Public comment for private matters: NTIA receives over 200 comments on proposed approach to protecting consumer privacy informed by GDPR, CCPA & more

In recent months, the U.S. Securities and Exchange Commission (“SEC”) has emphasized cybersecurity as both an enforcement priority and corporate responsibility, demonstrating its continued focus on the need for issuers to have sufficient measures in place, including up-to-date compliance and incident response programs in order to maintain the integrity of the capital market system.

The

Company response to major data breach results in first-of-its-kind fine for improper disclosure to investors

On April 24, 2018, the U.S. Securities and Exchange Commission (SEC) and Altaba Inc. (formerly known as Yahoo! Inc.) agreed to settle SEC Division of Enforcement charges stemming from the compromise of 3 billion Yahoo accounts that occurred in 2013 and 2014 but was not disclosed until 2016.[1] The 2014 incident was attributed to Russian hackers by the U.S. government in March 2017.[2]

The SEC’s administrative proceeding order pointed to Altaba’s delayed disclosure of the 2013–2014 security incident as well as the company’s public filing of multiple reports with the SEC, which commented on the risks and consequences of a breach in general, but did not notify investors that such a threat had already been realized in 2013 and 2014.[3] Unlike previous high-profile fines for improper incident response arising from failures to disclose to affected customers or subjects of breached data, the $35 million fine levied against Altaba is the first of its kind to focus on disclosure to investors of a public company that has suffered a breach, and should encourage companies to direct commensurate focus to their data breach response plans to meet responsibilities to shareholders.

Continue Reading Being first isn’t always best: SEC settles for $35 million fine for failure to disclose data breach to investors

In the wake of recent cyberattacks, cities and states are taking a stand.

On March 29, New York City (the City) Mayor Bill de Blasio announced NYC Secure, an initiative that will include a suspicious activity alert app for residents and security upgrades to the City’s public Wi-Fi networks.[1] The initiative is intended as a citywide effort to better protect citizens and mitigate systemic-level cyber threats to citizens or City infrastructure, not unlike the ransomware attack suffered by the City of Atlanta last month, which included the disabling of public Wi-Fi.[2]

Hailed as New York City’s “first ever cybersecurity initiative,” NYC Secure will be developed and implemented by NYC Cyber Command, and will offer free resources to increase cybersecurity for residents and visitors to the Big Apple starting this summer. Core features of the app include alerting users to suspicious mobile device activity, identifying potentially malicious Wi-Fi networks, apps or websites, and providing tips for users to be more aware of their digital activities. While the app’s intentions are admirable, the City has already recognized the risks of improper implementation, particularly with respect to the potential for increasing the attack surface by creating another access point to user data.

Continue Reading Keys to the City: Recent developments in New York City address cybersecurity risks

On Tuesday, January 23, Lloyd’s of London co-published a report with AIR Worldwide highlighting the significant financial fallout that could occur in the event of a cyber incident or shutdown of a cloud computing provider in the United States, noting that losses could be to the tune of about $19 billion – of which only

On November 20-21, 2017, Tether, the company behind USDT, a digital token backed by fiat currencies like the dollar and euro, disclosed that a hack resulted in the loss of $30.95 million worth of tokens. The Tether hack illuminates the privacy, reputational, financial and recovery risks associated with issuing, owning and storing digital currencies. These