Data & Cyber Security

Subscribe to Data & Cyber Security

On March 15, 2022, the Federal Trade Commission (“FTC”) issued a proposed settlement with online custom merchandise platform CafePress in connection with the company’s alleged: (1) failure to implement reasonable security measures to secure consumers’ Personal Information; and (2) attempt to cover up a significant 2019 data breach. The proposed settlement would require CafePress to implement a comprehensive data security program and pay $500,000 in redress to victims of the data breaches. The FTC’s Complaint alleges that CafePress misrepresented its security practices and unfairly failed to implement reasonable security measures to protect the Personal Information of consumers and merchants stored on the company’s systems. Although similar in content to previous FTC orders, the current order addresses a myriad of unique provisions and provides a glimpse into the FTC’s future enforcement of cybersecurity issues.

Continue Reading CafePress FTC settlement signals future approach to enforcement actions

Following the recent adoption of a new draft EU cybersecurity directive (we wrote about it here), the UK government has now also launched a consultation on its proposal to reform the existing UK cybersecurity legislation  (see consultation here).

A recap of the current UK cybersecurity law: NIS Regulations

One of the key pieces of cybersecurity legislation in the UK is the Network and Information Systems Regulations 2018 (NIS Regulations), which implemented the EU Cybersecurity Directive 2016 prior to Brexit.

Under the NIS Regulations, businesses who provide certain essential services (referred to as operators of essential services, or OES) and relevant digital service providers (RDSP) are required to register with the relevant competent authorities; meet a baseline level of cybersecurity requirements; and report any incident which has a significant impact on the continuity of the essential services.

Continue Reading Cybersecurity 2.0: the UK follows suit with the EU in launching cybersecurity law reform

The Securities and Exchange Commission (SEC) is proposing new rules to require registered funds (RFs) and investment advisers (RIAs) to implement comprehensive cybersecurity programs. Under the proposed rules, the SEC seeks to accomplish four main objectives, requiring RFs and RIAs to:

  • Maintain and implement cybersecurity policies and procedures;
  • Adopt new recordkeeping standards;
  • Report significant cybersecurity incidents to the commission; and
  • Disclose cybersecurity risks and incidents to clients and investors.


Continue Reading SEC proposes cybersecurity rules for registered funds and investment advisers

During the autumn of 2021, the European Parliament adopted a draft cybersecurity directive, the revised ‘Directive on security of network and information systems’ (commonly referred to as ‘NIS2’). When it moved to the Council, additional changes were made; one was to extend the time for Member States to transpose it into national law from 18 months to two years.

Continue Reading Cybersecurity 2.0: European Parliament adopts new draft directive

The Federal Trade Commission (FTC or Commission) has issued a final rule clarifying its data security requirements for certain covered financial institutions. The new rule, which amends the Safeguards Rule originally promulgated in 2002 under the Gramm-Leach-Bliley Act (GLBA), outlines specific criteria to be incorporated as part of GLBA-covered financial institutions’ information security programs. The primary changes include:

  • A requirement to designate a single qualified individual responsible for overseeing the information security program and periodically reporting to the board (or other governing body)
  • Identification of specific security risk assessment criteria and a requirement that such assessments be documented in writing
  • Specific required safeguards, including access controls, encryption, data disposal procedures, continuous monitoring, and penetration testing
  • Service provider selection criteria and a related requirement to periodically assess service providers based on perceived risk
  • Expansion of the definition of “financial institution” to clarify that it includes entities providing “finder” services incidental to financial activities

The updated rule takes effect 30 days after publication in the Federal Register, but some of the more significant new requirements will not take effect for another year.

Continue Reading FTC significantly amends GLBA Safeguards Rule

On October 5, 2021, California Governor Gavin Newsom signed into law amendments to the California Consumer Privacy Act (CCPA) via Assembly Bill 694. Businesses are eagerly awaiting clarification on many aspects of the CCPA and the California Privacy Rights Act (CPRA) (the CPRA is set to go into effect on January 1, 2023, with a

As a result of the COVID-19 pandemic, many more organisations have moved their business operations online.  From a cybersecurity and privacy perspective, this brings hackers and criminals greater opportunities to try to infiltrate the increased amount of devices and even deploy ransomware attacks. This is where malware is installed to block access to the user’s data by locking the computer or encrypting the data until the demanded ransom is paid. In some cases, the attackers also threaten to disclose the stolen data if the ransom is not paid.

Ransom attacks are on the rise, with the ICO reporting an increase from 13 ransomware incidents per month to 42 at its 2021 conference. In the U.S., the recent Kaseya ransomware attack affected nearly 200 companies, while the recent pipeline attack disrupted fuel supplies to the East Coast for several days, leading to fuel shortages.

According to a global survey conducted by Sophos, the average total cost of recovery from a ransomware attack has more than doubled, increasing from $761,106 in 2020 to $1.85 million in 2021. These remediation costs include business downtime, lost orders and operational costs. The average ransom paid is $170,404, yet only 8 per cent of organisations managed to recover all of their data after paying a ransom.

In 2020 and so far this year in 2021, the manufacturing, government, education, services and healthcare industries have been particularly hard hit by ransomware attacks. However, no industry is immune from such attacks and ransomware attacks are featured across all industries, including utilities, technology, logistics, transportation, finance and retail.

Continue Reading Ransomware is on the rise – what to do if you are faced with a cyber attack

Catch up on our Tech Law Talks podcast series for practical observations on technology and data legal trends, from product and technology development to operational and compliance issues that practitioners encounter every day.

What’s new in data protection in the EU

It has been a busy few weeks in the EU for all things data protection, particularly data transfers. Cynthia O’Donoghue and Andy Splittgerber walk us through the new Standard Contractual Clauses (SCCs) for international transfers and for controllers to processors, the newly issued EDPB Supplementary Measures Recommendations, and the UK adequacy decision. (18 mins)

M365 in 5: Compliance and governance in M365

E-Discovery consultant Lighthouse returns to our M365 in 5 series for a discussion about the importance of compliance and governance in M365 and collaboration among stakeholders to balance risk and business needs. Reed Smith’s Anthony Diana and Therese Craparo join Lighthouse’s John Holliday to discuss implementing controls and managing data to mitigate risk. (8 mins)

Continue Reading Tune in for the latest updates on our Tech Law Talks podcast

The U.S. Department of Labor (DOL) announced in April new cybersecurity guidance (the Guidance) for protecting ERISA-covered plan data from internal and external cybersecurity threats. This Guidance is the first of its kind from the DOL and supplements DOL regulations that govern electronic records and disclosures to plan participants and beneficiaries.

The Guidance recognizes that

Catch up on our Tech Law Talks podcast series for practical observations on technology and data legal trends. We cover product and technology development to operational and compliance issues that technology practitioners encounter every day.

On this channel, we host regular discussions about the legal and business issues around data protection, privacy and security; data