Earlier this week, the FTC and FCC announced “parallel” investigations into how carriers and mobile device makers release information on vulnerabilities, and how and when mobile security patches are distributed. The regulators, who have publicly jockeyed for position on privacy and cybersecurity matters in the past year, appear to have reached a truce of sorts, allowing each agency to examine industry players within its core jurisdiction.
In a news conference today President Obama addressed rules and proposed regulations announced Thursday intended to help the U.S. fight tax evasion and other crimes connected to anonymous offshore companies and accounts. The announcements come after a month of intense review by the administration following the first release of the so-called Panama Papers, millions of documents stolen or leaked from Panamanian law firm Mossack, Fonseca. The papers have revealed a who’s who of international politicians, business leaders, sports figures and celebrities involved with financial transactions accomplished through anonymous shell corporations.
On April 6, 2016, the National Telecommunications and Information Administration (NTIA) issued a federal notice requesting public comment on the benefits, challenges, and potential roles for the government in fostering the advancement of the Internet of Things (IoT). (RFC at http://www.ntia.doc.gov/files/ntia/publications/fr_rfc_iot_04062016.pdf.)
Comments are due on May 23, 2016.
In Campbell-Ewald v. Gomez, 136 S. Ct. 663 (Jan. 20, 2016), the Supreme Court resolved a split among courts and held that an unaccepted settlement offer of complete individual relief does not moot the plaintiff’s lawsuit. However, the Court expressly left open the question of “whether the result would be different if a defendant deposits the full amount of the plaintiff’s individual claim in an account payable to the plaintiff, and then the court enters judgment for the plaintiff in that amount.” 136 S. Ct. at 672.
On July 20, 2015, the Seventh Circuit issued its opinion in Remijas v. Neiman Marcus Group, 794 F.3d 688 (7th Cir. 2015), which immediately became the low-water mark for Article III standing in data breach cases. In short, Remijas became the first Circuit decision to expressly and expansively recognize that risk of future injury and time and money spent protecting against identity theft as a result of a data breach were sufficient to confer Article III standing.
For years, litigants have battled over whether a defendant’s offer of judgment, which completely satisfies the plaintiff’s individual claim, can moot a class action. In Campbell-Ewald v. Gomez, 136 S. Ct. 663 (2016), the U.S. Supreme Court recently held that no case is mooted when a plaintiff refuses to accept an offer of judgment. The Supreme Court, however, left open the question of what happens when a defendant follows through with its offer by tendering complete individual relief, depositing the monetary relief with the court, and moving for entry of judgment.
Big-name companies, government agencies and individuals are all falling victim to “ransomware” attacks in record and still-rising numbers. Recently, Hollywood Presbyterian Hospital’s communications capabilities were disabled for 10 days before the hospital paid a ransom of 40 bitcoins – about $17,000 – and regained access to its system. And this week MedStar Health, a system of ten major hospitals in the Washington, DC area, reportedly suffered a similar attack. All this activity has led experts to label 2016 as “the year of ransomware.” And this new form of cyberattack requires a different approach to cybersecurity and incident recovery than your data breach prevention plan.
On February 29, 2016, the European Commission and United States released the terms of the much-anticipated renewed framework for the transfer, sharing, and processing of European individuals’ data to the United States. The framework replaces the “Safe Harbour” mechanism, which enabled U.S. companies to transfer data from the EU to the United States by self-certifying that their practices ensured an adequate level of protection for personal data under the EU Data Protection Directive. In October, the “Safe Harbour” framework was declared invalid by the European Court of Justice in the Schrems decision covered earlier in this blog.
On February 16, 2016, Secretary of Homeland Security Jeh Johnson announced interim guidelines and procedures for sharing cyber threat indicators under the Cybersecurity Information Sharing Act of 2015 (“CISA”). Because the guidelines are voluntary, the next question is, Should your company share information with the Government?
The European Perspective
Privacy activists across Europe raised their data protection banner following the announcement by EU Commissioner for Justice, Consumers and Gender Equality Věra Jourová on Tuesday 2 February 2016 that a political agreement had been reached between the EU and the US on a new framework for handling transatlantic data flows. This does not bode well, especially because the exact content of the new agreement which will replace the “Safe Harbour” mechanism is still unknown. We will expand on the indications provided by the Commissioner on some of the negotiated protection mechanisms. More importantly, we will highlight the risks that over 4,000 companies, mainly US tech companies, still face and the measures they should put in place to ensure compliance with EU data protection rules.