Initial comments are due on May 27, 2016 regarding the Notice of Proposed Rulemaking (NPRM) released last month by the FCC in its broadband privacy proceeding. The rules proposed in the NPRM have already been the subject of contentious discussions throughout the federal government and the communications industry. Those discussions included a hearing earlier
Georgia Attorney General Sam Olens has come out in support of federal data breach preemption as a more realistic way to ask companies to comply with regulatory requirements in the wake of a breach or data loss incident. His statement comes on the heels of California Attorney General Kamala Harris’ report that the burden on companies to comply with the patchwork of state data breach laws is too heavy, and that state laws should be harmonized to lessen that burden.
Speaking at the National Association of Attorneys General summit May 3, Olens asserted, “I frankly think it’s absurd that there are 30 or 40 different state laws on cybersecurity and breach.”
Rather than requiring companies that have been hacked to report to 30 different AGs with 30 different forms, Olens said, there should be a standard form that both the federal government and the states use. He pointed out that treating hacked companies as the bad guys right off the bat and imposing the immense burden of such rigorous and varying compliance is counterproductive.
Continue Reading Georgia Attorney General Supports Federal Data Breach Standard
The UK Information Commissioner’s Office (ICO) has released updated guidance on the use of encryption. The guidance highlights that in many areas, the ICO expects encryption software to be used, and in the future where data breaches occur and encryption has not been used, “regulatory action may be pursued”.
Although the term “encryption” is not found in the UK’s Data Protection Act 1998, the requirement to implement the technique for certain types of data is derived from the obligation to implement “appropriate technical and organisational measures” to protect against loss, destruction or damage to personal data. The guidance makes clear that while it is not necessary or possible to encrypt all personal data, organisations must take a risk-based approach to using the technique.
Continue Reading New Encryption Guidance Published by the ICO
It is commonplace to turn on the television news and hear of a new data breach from a large retailer or someone else. No one wants the legal problems (not to mention the embarrassment and the hit to reputation) from having their systems breached. Consequently, data security is on everyone’s mind.
However, many companies have…
The Consumer Financial Protection Bureau (“CFPB”) has announced its first data security enforcement action. On Wednesday (March 2), the CFPB released a consent order against Dwolla, an online payment platform company, alleging it failed to maintain adequate data security practices despite representations made on the company website and in communications with consumers that the company has implemented practices that exceed industry standards. As a result, Dwolla must pay out $100,000 in penalties and endeavor to repair its security initiatives.
Continue Reading CFPB Takes First Action Against Company for Lax Data Security Practices
Businesses scrambling to comply with the dozens of varying state laws governing data privacy and security breaches may have a new ally in California Attorney General Kamala Harris, but they shouldn’t expect her to relax any standards.
In her introduction to the 2016 California Data Breach Report, Harris addressed the concerns of many who have pointed out the inconsistencies and wildly different requirements for handling a breach among the states. Rather than a federal breach law that would preempt the laws of forty-seven states — including the very protective standard in California – the District of Columbia, Guam, Puerto Rico, and the Virgin Islands, Harris proposed that states come to an agreement on certain key points.
Continue Reading California AG Proposes State Consensus on Breach Laws
Should “cyber products” be added to the United States Munitions List (USML)? Cyber-hacking and cyberterrorism are growing concerns for the national security of the United States, so this question could not go unanswered.
The Defense Trade Advisory Group (DTAG) decided that “cyber products” should not be added to the USML. The addition of this broad…
Still recovering from its 2013 data breach, Target Corp. agreed to a $39 million settlement with a class of banks suing the well-known retailer, marking the settlement as the first class-wide data breach pact ever reached on behalf of financial institutions.
Target’s data breach exposed 40 million credit and debit cards to fraud during the 2013 holiday season. The Minneapolis-based company’s breach still ranks among the most high-profile data incidents to hit retailers in recent years.
The class-wide pact stems from a consolidated class action complaint filed in August 2014 to recover an estimated $200 million in losses stemming from the breach, including costs to reimburse fraudulent charges and issue new payment cards. The complaint alleges that Target failed to take precautions to protect consumer data and violated the Minnesota Plastic Card Security Act.
Continue Reading Target Agrees to $39 Million Settlement with Credit Card Issuers’ Data Breach Claims
In a landmark decision, an administrative law judge dismissed the FTC’s long-running data security lawsuit against Atlanta-based cancer screening laboratory, LabMD Inc., following an alleged data breach. Chief Administrative Law Judge D. Michael Chappell (the “ALJ”) ruled in his Initial Decision that the FTC had failed to prove that the laboratory’s alleged conduct harmed, or could potentially harm, consumers.
Continue Reading ALJ Dismisses FTC’s Data Security Suit Against LabMD for Failure to Prove ‘Substantial Injury’ to Consumers
With the onslaught of smart watches, smart thermostats, and even smart refrigerators that allow you to Tweet hangry messages to your followers, it’s only natural that a “smart city” would follow.
This week, San Francisco city officials agreed to run a one-year pilot project with Sigfox – an FCC certified French start-up that builds low-power wireless networks – to create an Internet of Things (“IoT”) wireless network that caters exclusively to smart devices with low-bandwidth apps. While the term “wireless network” typically conjures up thoughts of the ubiquitous Wi-Fi symbol, this low-power, wide area network (“LPWAN”) on which Sigfox will operate is entirely separate from traditional cellular networks, which require a much higher level of data streaming and power usage.
Sigfox and city technology crews have installed about 20 of its base stations throughout San Francisco, using libraries and other city buildings. Each base station covers about 12 to 18 miles and is roughly the size of a briefcase. Device makers who want to join the network must install a radio chip that costs less than $2 and comes loaded with the Sigfox firmware.
Continue Reading San Francisco Launches First “Internet of Things” Wireless Network in United States