A Washington Legal Foundation legal opinion titled “The FTC’s Black-Box Determination of Information’s Sensitivity Imperils First Amendment and Due-Process Rights” and written by Gerry Stegmaier, Wendell Bartnick, and Kelley Chittenden illustrates the troubling fact that although businesses are tasked with implementing “reasonable” data security that hinges, in part, on the sensitivity of information, the Federal
Data Security
Court Deals Blow to FTC’s Position on Unfair Data Security Practices
Over the last several years, the Federal Trade Commission (FTC) has regularly used its authority under Section 5 of the FTC Act to bring cases against companies for their allegedly unreasonable data security measures. The FTC has paid particular attention to the safeguards that manufacturers have implemented in electronic devices sold to consumers. Recently, D-Link Systems Inc., a router manufacturer, successfully challenged the FTC’s position that a Section 5 claim can be supported solely on the existence of a data security vulnerability, without any evidence that the vulnerability was actually exploited and resulted in consumer harm.
The FTC’s Authority. Under Section 5 of the FTC Act, the FTC can investigate and obtain injunctive and equitable relief against companies that engage in unfair or deceptive acts or practices. To establish that a company’s practices are unfair, the FTC must show that the practices cause or are likely to cause substantial injury to consumers that is not reasonably avoidable by them, and that is not outweighed by countervailing benefits to them.
The FTC’s Position Is That “Unreasonable” Data Security Is an “Unfair” Practice. In its complaints, the FTC commonly alleges that a company’s unreasonable data security measures are an unfair act or practice that violates Section 5. Typically, to support its position that consumers were harmed, the FTC points to evidence of both (a) a vulnerability created by the allegedly unreasonable data security practices, and (b) exploitation of that vulnerability to gain unauthorized access to data or systems. It would seem that exploitation is necessary to create a nexus between a vulnerability and any consumer harm. But, to the surprise of many, the FTC has also filed complaints against companies alleging only the existence of a vulnerability, without evidence that the vulnerability was actually exploited. In at least two cases, the FTC has alleged that the risk of cyber attack arising from a vulnerability was alone enough to satisfy the Section 5 requirement that the practice “causes or is likely to cause substantial consumer injury.”
Delaware Amends Data Breach Notification Law to Require Reasonable Data Security and Expand the Scope of Personal Information Requiring Notice
On August 17, 2017, Delaware Governor John Carney signed into law House Substitute 1 for House Bill 180, making the first significant amendment to Delaware’s data breach notification law since 2005. The bill, scheduled to go into effect April 14, 2018, requires private organizations to maintain reasonable security policies and procedures; expands the definition of “personal information” to include medical information, biometric identifiers, and electronic signatures; and adds additional breach notification and credit monitoring requirements. The bill comes on the heels of other amendments to data breach notification requirements by states such as California, Illinois, Nebraska, Tennessee, and Arizona.
Reasonable Data Security
Delaware’s amended data breach law now requires that any “person” that conducts business in Delaware and “owns, licenses, or maintains” personal information shall “implement and maintain reasonable procedures and practices” for the protection of personal information collected or maintained in the course of business.
Delaware now joins at least 13 other states with data breach laws that affirmatively require private organizations to maintain reasonable security procedures and practices. Under Delaware’s amended data breach law and similar state statutes, private organizations may incur liability for failing to maintain adequate security controls, even where breach notifications to residents are not required.
Breach Notification and Credit Monitoring
Delaware’s amended data breach law also requires organizations to provide notice to Delaware residents that their personal information was breached, or is reasonably believed to have been breached, without “unreasonable delay,” and no later than 60 days after the discovery of the breach, unless a shorter notification period is required by federal law (e.g., HIPAA or the GLBA) or law enforcement requests a delay. Organizations are not required to provide notice if an investigation reveals that the breach is unlikely to result in harm to the affected residents.
The amended law also does not require notification for the breach of encrypted data, unless the breach includes an encryption key that the organization reasonably believes could render the encrypted information readable or useable.
In addition, the amended law now requires organizations to provide one year of credit monitoring to Delaware residents whose Social Security numbers may have been exposed as part of the breach. This provision mirrors similar provisions in California and Connecticut.
ECPA Reform Legislation on the Horizon (Again)
Three bipartisan Senate bills are up for consideration in Congress that would attempt to modernize the legal standards under which the U.S. government can access communications electronically stored by email service providers and cloud computing companies.
The proposed bills, introduced July 27, 2017, each provide a different scheme in updating the Electronic Communications Privacy Act (ECPA), which has been criticized for being woefully outdated, given the rise of the Internet of Things and how people currently share, store, and use information. Accordingly, many have publicly called for Congress to completely overhaul the Reagan-era statute.
Current Framework: The ECPA
Although ECPA has undergone amendment since its passage in 1986, the most scrutinized aspects of the law, such as those related to email retention, remain unchanged from when it was passed more than 30 years ago.
ECPA currently requires law enforcement officials to obtain a warrant in order to access data less than 180 days old. A warrant requirement is a strict legal standard, requiring that any request be supported by probable cause – a reasonable suspicion of criminal activity based on articulable facts.
However, if the data is more than 180 days old, ECPA considers those older communications to be abandoned, and therefore not subject to a reasonable expectation of privacy. Thus, law enforcement officials are entitled to access those emails and other electronic communications without a warrant. Instead, government officials need only issue a subpoena for the information or obtain a court order.
Failure to Ensure Vendor Safeguarded Protected Health Information Costs Small Health Care Provider $31,000
Having proper internal systems and procedures in place to manage data security is essential for organizations storing personal information in any industry. But health care organizations that rely on external vendors to process, store, or otherwise use such information must take extra steps to ensure those vendors take proper security measures, because a failure on…
FTC’s New Guidelines Provide Agency View on Data Breach Response
On October 25, the Federal Trade Commission released “Data Breach Response: A Guide for Business,” its latest guidance on data privacy and security regulation. The Guide seeks to help businesses comprehend the Agency’s understanding of both legal requirements and best practices, although what is legally required versus what is encouraged continues to be challenging for many companies to identify in these pronouncements.
Although the Guide is not a regulation, the Commission has historically used such guidance to help signal where its enforcement efforts might focus as it evaluates companies’ conduct. The introduction suggests that the FTC considers following its advice to be at least one way to “make smart, sound decisions.”
The Guide outlines tasks for companies affected by a breach:
- Secure Your Operation
- Fix Vulnerabilities
- Notify Appropriate Parties
U.S. Chamber Releases Results of Data Privacy Consumer Poll Showing Non-Partisan Consensus on Legal Reform
In an election season in which it seems Americans cannot agree on much, a new poll shows that data privacy and security reform is a unifying issue.
The U.S. Chamber of Commerce Institute for Legal Reform (ILR) has released the findings of a poll shedding light on American voters’ perception of the legal landscape for…
Trade Secrets Directive Adopted by the European Council
Almost three years after its initial proposal, the Trade Secrets Directive has been formally adopted by the European Council and published in the Official Journal on 15 June (2016/943/EU). Member states will have until 9 June 2018 to implement the Directive’s provisions. As we reported last year, the Directive aims to harmonize the divergent body…
The FCC’s Broadband Privacy Proposal – Hit from All Sides
Initial comments are due on May 27, 2016 regarding the Notice of Proposed Rulemaking (NPRM) released last month by the FCC in its broadband privacy proceeding. The rules proposed in the NPRM have already been the subject of contentious discussions throughout the federal government and the communications industry. Those discussions included a hearing earlier…
Georgia Attorney General Supports Federal Data Breach Standard
Georgia Attorney General Sam Olens has come out in support of federal data breach preemption as a more realistic way to ask companies to comply with regulatory requirements in the wake of a breach or data loss incident. His statement comes on the heels of California Attorney General Kamala Harris’ report that the burden on companies to comply with the patchwork of state data breach laws is too heavy, and that state laws should be harmonized to lessen that burden.
Speaking at the National Association of Attorneys General summit May 3, Olens asserted, “I frankly think it’s absurd that there are 30 or 40 different state laws on cybersecurity and breach.”
Rather than requiring companies that have been hacked to report to 30 different AGs with 30 different forms, Olens said, there should be a standard form that both the federal government and the states use. He pointed out that treating hacked companies as the bad guys right off the bat and imposing the immense burden of such rigorous and varying compliance is counterproductive.