On June 5, the Supreme Court agreed to review a case addressing an individual’s expectation of privacy in his or her historical cellphone location records. This case may well change the way we approach individual privacy in the digital age – not only with regard to cell phone records, but also information relating to email and internet activity, among other things.
On May 11, President Donald Trump issued his long-awaited Executive Order on cybersecurity, the “Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.” It had been in the works since early in the administration, and its release had been announced (and drafts leaked) several times, only to be pulled back and reworked further. The Executive Order calls for a government-wide review and analysis of federal information technology infrastructure, including known risks and vulnerabilities, as well as consideration of the U.S.’s cybersecurity capabilities in relation to the rest of the world.
This is not a drill.
Companies and law enforcement agencies around the world have been left scrambling after the world’s most prolific ransomware attack hit over 500,000 computers in 150 countries over a span of only 4 days. The ransomware – called WannaCry, WCry, WannaCrypt, or WannaDecryptor – infects vulnerable computers and encrypts all of the data. The owner or user of the computer is then faced with an ominous screen, displaying a countdown timer and a demand that a ransom of $300 be paid in bitcoin before the owner can regain access to the encrypted data. The price demanded increases over time until the end of the countdown, when the files are permanently destroyed. To date, the total amount of ransom paid by companies is reported to be less than $60,000, indicating that companies are opting to let their files be destroyed and to rely on backups rather than pay the attackers. Nevertheless, the total disruption costs to businesses are expected to range from the hundreds of millions to the billions of dollars.
Enforcement of the Digital Advertising Alliance “Application of the Principles of Transparency and Control to Data Used Across Devices” (DAA Cross-Device Principles) officially began on February 1, just a week after the FTC issued a staff report discussing the application of the FTC Online Behavioral Advertising Principles in the context of “Cross Device Tracking” and suggesting that the DAA Cross-Device Principles, while commendable, could be stronger.
In late December, New York State’s Department of Financial Services (“DFS”) released its revised proposed cybersecurity regulation (the “DFS Rule”). While the revisions pare back some of the DFS Rule’s original requirements and add some much-needed flexibility, the regulation will still impose many new obligations upon a wide array of financial institutions doing business in New York. The DFS Rule will become effective on March 1, 2017.
Much has been written about the challenges and issues that companies will face when implementing new policies and adjusting to the obligations of the new European General Data Protection Regulation, GDPR in short. The following paragraphs will give you the gist of the new Regulation and the essential elements that you must take into consideration in your endeavors to adjust to the GDPR, which will take effect across the EU as of May 25, 2018. There is enough time for your organization to adjust, but work must start now. Our key approach in implementing new obligations and making the necessary adjustments to this new European framework for personal data collection and processing is based on two simple rules: simplicity and efficiency.
In a recent article in Entrepreneur, Sheppard Mullin partner Jonathan Meyer, a former Senate counsel to Vice President Biden and Deputy General Counsel at the Department of Homeland Security, points out that Congressional oversight of companies is likely to increase in the next two years, and that cybersecurity is among the hottest topics it is likely to focus on. The public’s increasing attention to issues such as DDoS attacks, the vulnerability of the Internet of Things, and allegations of politically-motivated hacks from overseas will only increase this likelihood. As always, companies should keep an eye on Capitol Hill, and be ready for what might come their way.
The U.S. Copyright Office’s new electronic system for copyright-agent registration and maintenance goes into effect on December 1, 2016, and with it come new rules. Beginning December 1, all online service providers must submit new designated-agent information to the Copyright Office through the online registration system. Electronic designations should be filed on December 1, 2016, or as soon as possible thereafter. Service providers who fail to timely submit electronic designations will be ineligible for the safe harbor from copyright-infringement liability provided by § 512(c) of the Digital Millennium Copyright Act.
Last Thursday, in a vote split along party lines, the Federal Communications Commission (“FCC”) approved a new regulatory regime staking its claim to privacy regulation of both fixed and mobile Internet service providers (“ISPs”) like Comcast, Verizon, and AT&T. The FCC’s rules follow its decision in the Open Internet Order, released last year and analyzed here, to classify broadband Internet access service as a common-carrier telecommunications service. The FCC’s new rules are intended to give consumers control over the ways in which ISPs use and share their customers’ private information. While the FCC has yet to release its Report and Order, the FCC’s Fact Sheet and statements by the commissioners indicate that the new privacy rules in many respects track the proposed rules the FCC put forward earlier this year, which seek to make the FCC the “toughest” privacy regulator in the Internet ecosystem by imposing on ISPs significantly more onerous and restrictive requirements for use and collection of consumer data than the Federal Trade Commission (“FTC”) imposes on its non-ISP competitors.
In Federal Trade Commission v. LeadClick Media, LLC, 2016 U.S. App. LEXIS 17383 (2nd Cir. 2016), the Second Circuit recently held that an affiliate marketing network provider could be subjected to liability under the Federal Trade Commission Act (“FTC Act”) for deceptive marketing materials published by the affiliates. It also concluded that Section 230 of the Communications Decency Act (“CDA”) did not immunize the network provider from liability. In doing so, the Second Circuit emphasized that the network provider had knowledge of and the authority to control the content of the affiliate websites. This ruling could increase the exposure of internet businesses to liability for deceptive acts or practices engaged in by third-party vendors or independent contractors.