In a continued pursuit for cybersecurity compliance, New York Attorney General (AG) Letitia James has sued Dunkin’ Brands, Inc. (franchisor of Dunkin’ Donuts) over two data breaches in 2015 and 2018, accusing the company of mishandling a series of cyberattacks that together compromised more than 320,000 customer accounts. In the complaint filed last week, AG … Continue Reading
The Federal Trade Commission’s (FTC) recently announced settlement with background check provider SecurTest, Inc. shows the agency remains vigilant regarding businesses’ claims that they comply with the EU-U.S. Privacy Shield Framework (Privacy Shield). Privacy Shield provides U.S. businesses with a legally recognized mechanism for receiving personal data in the United States from the EU. In … Continue Reading
They are the stars of the young generation, brand ambassadors for organizations and leaders on social media: influencers. With their strong presence on social media channels such as Facebook, Instagram or Twitter, influencers have a power that pays off. Thousands of users follow the day-to-day posts of their role models. Influencers are becoming increasingly important … Continue Reading
On May 7, 2019, Governor Jay Inslee of Washington signed HB 1071 into law, which strengthens the state’s data breach notification law. Washington joins the growing list of states that have recently amended their breach notification laws. Although Washington’s law was amended in 2015, the law was initially enacted nearly 14 years ago. This amendment, … Continue Reading
On January 25, 2019, a settlement agreement was reached between a utility company, which allegedly violated the Critical Infrastructure Protection (CIP) Reliability Standards, and the North American Reliability Corporation (NERC). Through this settlement, NERC provides guidance to the electric industry for compliance with the CIP Reliability Standards. The substantial penalties should prompt companies to educate … Continue Reading
In recent months, the U.S. Securities and Exchange Commission (“SEC”) has emphasized cybersecurity as both an enforcement priority and corporate responsibility, demonstrating its continued focus on the need for issuers to have sufficient measures in place, including up-to-date compliance and incident response programs in order to maintain the integrity of the capital market system. The … Continue Reading
The Food and Drug Administration (FDA) published a draft update to its premarket cybersecurity guidance for device makers on October 18, 2018. The expanded draft guidance includes recommendations on tiered classification of cybersecurity risk, trustworthiness, cybersecurity bill materials, and device cybersecurity labeling that are specific enough to be helpful to manufacturers while at the same … Continue Reading
China’s new “Regulation on the Internet Security Supervision and Inspection by Public Security Organs” went into effect on November 1, 2018. It is the latest regulation passed by China’s Ministry of Public Security that executes China’s Cybersecurity Law, which took effect in June of last year. The regulation gives China’s Public Security Bureaus (PSBs) broad … Continue Reading
On September 27, 2018, as part of the Department of Justice’s (DOJ) cybersecurity roundtable discussion, the DOJ’s Cybersecurity Unit issued Best Practices for Victim Response and Reporting of Cyber Incidents (the Best Practices), including a Cyber Incident Preparedness Checklist. As noted by the DOJ, the Best Practices do not have the force of law, and … Continue Reading
Company response to major data breach results in first-of-its-kind fine for improper disclosure to investors On April 24, 2018, U.S. Securities and Exchange Commission (SEC) and Altaba Inc., (formerly known as Yahoo! Inc.) agreed to settle SEC Division of Enforcement charges stemming from the compromise of 3 billion Yahoo accounts that occurred in 2013 and … Continue Reading
In the wake of recent cyberattacks, cities and states are taking a stand. On March 29, New York City (the City) Mayor Bill de Blasio announced NYC Secure, an initiative that will include a suspicious activity alert app for residents and security upgrades to the City’s public Wi-Fi networks.[1]The initiative is intended as a citywide … Continue Reading
A Washington Legal Foundation legal opinion titled “The FTC’s Black-Box Determination of Information’s Sensitivity Imperils First Amendment and Due-Process Rights” and written by Gerry Stegmaier, Wendell Bartnick, and Kelley Chittenden illustrates the troubling fact that although businesses are tasked with implementing “reasonable” data security that hinges, in part, on the sensitivity of information, the Federal … Continue Reading
On Tuesday, January 23, Lloyd’s of London co-published a report with AIR Worldwide highlighting the significant financial fallout that could occur in the event of a cyber incident or shutdown of a cloud computing provider in the United States, noting that losses could be to the tune of about $19 billion – of which only … Continue Reading
With breaches of nearly 150 million Americans’ personal information flooding the news the last few weeks, followed by the filing of more than 50 class action lawsuits to date, and the announcement of an FTC investigation, cybersecurity is squarely on the minds of and on the table in boardrooms across the country. On September 14, … Continue Reading
Cyber attacks are becoming increasingly sophisticated and the potential fall out from such an attack can be extremely costly. Modern day ships are run by computers which provides an opportunity for malicious programmes to take control of a vessel. Click here to read more about this issue on our Ship Law Log blog. … Continue Reading
On Monday, May 11, 2017, President Donald Trump signed an Executive Order on “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.” The Executive Order comes after Trump had postponed signing a similar executive order on cybersecurity on Feb. 1, and another draft executive order had been circulated Feb. 10. The final Executive Order aligns … Continue Reading
In the recent case of Prince Moulay Hicham v Elaph Publishing Limited, the Court of Appeal held in a unanimous decision that a claimant could include an action under the UK Data Protection Act 1998 (‘DPA’) as an alternative means of redress. To read our full client alert in relation to this judgment, please click … Continue Reading
In a span of a few weeks in early January 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced two major settlements under the Health Insurance Portability and Accountability Act (“HIPAA”) relating to the breach of protected health information (“PHI”). Neither settlement included an admission of any liability, but … Continue Reading
Following the United Kingdom’s vote to leave the European Union, one thing is clear: the negotiations for the terms of the UK’s exit are likely to overlap with the implementation across the EU of the General Data Protection Regulation (GDPR) in May 2018. We have prepared a client alert to lay out the facts as they … Continue Reading
Just days after the Supreme Court’s ruling in Spokeo v. Robins, the highly anticipated decision is already impacting data breach class actions across the country. The defendant in the Spokeo case contended that the plaintiff had suffered no concrete injury, and that a mere statutory violation is not enough of an injury to give plaintiffs … Continue Reading
On April 5-7 2016, the National Institute of Science and Technology (NIST) hosted a workshop on its popular Framework for Improving Critical Infrastructure Cybersecurity (the “Framework”). The workshop was preceded by a request for information that prompted 105 responses, many from industry associations representing hundreds of companies. The discussions at the workshop are likely to influence … Continue Reading
Ransomware and malware could potentially cripple your company and personal networks. Our previous post, Companies can insure against cyber ransom, states, “Ransomware is a form of malicious software, or ‘malware,’ that encrypts information or aspects of an organization’s computer network, preventing authorized users from accessing it.” As online hackers become more advanced, your company and … Continue Reading
On February 8 and 9, 2016, the French Directorate-General for Competition, Consumer Affairs and Prevention of Fraud (the ‘DGCCRF’) and the French Data Protection Authority (the ‘CNIL’), through an obviously concerted action, have publicised regulatory enforcement measures they are undertaking against Facebook. The DGCCRF is requiring Facebook to re-write its Terms and Conditions on the … Continue Reading
As the technology world is on the upswing, organizations may be at an increased risk for data breaches and cybersecurity incidents. “The Office of the Comptroller of the Currency examiners will be using the agency’s new Cybersecurity Assessment Tool in conjunction with information security and operational risk supervisory activities to determine an institution’s ability to … Continue Reading
