Data Security

Subscribe to Data Security

On October 25, the Federal Trade Commission released “Data Breach Response: A Guide for Business,” its latest guidance on data privacy and security regulation. The Guide seeks to help businesses comprehend the Agency’s understanding of both legal requirements and best practices, although what is legally required versus what is encouraged continues to be challenging for many companies to identify in these pronouncements.

Although the Guide is not a regulation, the Commission has historically used such guidance to help signal where its enforcement efforts might focus as it evaluates companies’ conduct. The introduction suggests that the FTC considers following its advice to be at least one way to “make smart, sound decisions.”

The Guide outlines tasks for companies affected by a breach:

  • Secure Your Operation
  • Fix Vulnerabilities
  • Notify Appropriate Parties

Continue Reading FTC’s New Guidelines Provide Agency View on Data Breach Response

In an election season in which it seems Americans cannot agree on much, a new poll shows that data privacy and security reform is a unifying issue.

The U.S. Chamber of Commerce Institute for Legal Reform (ILR) has released the findings of a poll shedding light on American voters’ perception of the legal landscape for

Initial comments are due on May 27, 2016 regarding the Notice of Proposed Rulemaking (NPRM) released last month by the FCC in its broadband privacy proceeding. The rules proposed in the NPRM have already been the subject of contentious discussions throughout the federal government and the communications industry. Those discussions included a hearing earlier

Georgia Attorney General Sam Olens has come out in support of federal data breach preemption as a more realistic way to ask companies to comply with regulatory requirements in the wake of a breach or data loss incident.  His statement comes on the heels of California Attorney General Kamala Harris’ report that the burden on companies to comply with the patchwork of state data breach laws is too heavy, and that state laws should be harmonized to lessen that burden.

Speaking at the National Association of Attorneys General summit May 3, Olens asserted, “I frankly think it’s absurd that there are 30 or 40 different state laws on cybersecurity and breach.”

Rather than requiring companies that have been hacked to report to 30 different AGs with 30 different forms, Olens said, there should be a standard form that both the federal government and the states use.  He pointed out that treating hacked companies as the bad guys right off the bat and imposing the immense burden of such rigorous and varying compliance is counterproductive.
Continue Reading Georgia Attorney General Supports Federal Data Breach Standard

The UK Information Commissioner’s Office (ICO) has released updated guidance on the use of encryption. The guidance highlights that in many areas, the ICO expects encryption software to be used, and in the future where data breaches occur and encryption has not been used, “regulatory action may be pursued”.

Although the term “encryption” is not found in the UK’s Data Protection Act 1998, the requirement to implement the technique for certain types of data is derived from the obligation to implement “appropriate technical and organisational measures” to protect against loss, destruction or damage to personal data. The guidance makes clear that while it is not necessary or possible to encrypt all personal data, organisations must take a risk-based approach to using the technique.
Continue Reading New Encryption Guidance Published by the ICO

It is commonplace to turn on the television news and hear of a new data breach from a large retailer or someone else. No one wants the legal problems (not to mention the embarrassment and the hit to reputation) from having their systems breached. Consequently, data security is on everyone’s mind.

However, many companies have

The Consumer Financial Protection Bureau (“CFPB”) has announced its first data security enforcement action. On Wednesday (March 2), the CFPB released a consent order against Dwolla, an online payment platform company, alleging it failed to maintain adequate data security practices despite representations made on the company website and in communications with consumers that the company has implemented practices that exceed industry standards. As a result, Dwolla must pay out $100,000 in penalties and endeavor to repair its security initiatives.
Continue Reading CFPB Takes First Action Against Company for Lax Data Security Practices

Businesses scrambling to comply with the dozens of varying state laws governing data privacy and security breaches may have a new ally in California Attorney General Kamala Harris, but they shouldn’t expect her to relax any standards.

In her introduction to the 2016 California Data Breach Report, Harris addressed the concerns of many who have pointed out the inconsistencies and wildly different requirements for handling a breach among the states. Rather than a federal breach law that would preempt the laws of forty-seven states — including the very protective standard in California – the District of Columbia, Guam, Puerto Rico, and the Virgin Islands, Harris proposed that states come to an agreement on certain key points.
Continue Reading California AG Proposes State Consensus on Breach Laws

Should “cyber products” be added to the United States Munitions List (USML)? Cyber-hacking and cyberterrorism are growing concerns for the national security of the United States, so this question could not go unanswered.

The Defense Trade Advisory Group (DTAG) decided that “cyber products” should not be added to the USML. The addition of this broad