US Safe Harbor Regime Invalidated by Europe’s Highest Court

The Court of Justice of the European Union ruled this morning that the Safe Harbor regime, which enables transatlantic data transfers from the European Union to the United States, is invalid, thereby giving each national supervisory authority the chance to revisit the question of whether the U.S. provides an adequate level of protection for EU citizens’ data. A copy of the decision can be found here.

FTC v. Wyndham: The Third Circuit Recognizes FTC Authority to Regulate Commercial Cyber Security Practices

In 2014, the United States Court of Appeals for the Third Circuit, in FTC v. Wyndham Worldwide Corporation, agreed to hear an immediate appeal on two issues: “whether the FTC has authority to regulate cybersecurity under the unfairness prong of § 45(a); and, if so, whether Wyndham had fair notice its specific cybersecurity practices could fall short of that provision.” On August 24, 2015, the Third Circuit affirmed the decision of the District Court and denied Wyndham’s motion to dismiss the complaint.

Barbarians at the Gate: Seventh Circuit Finds Article III Standing for Data Breach Class Actions

As a result of the Supreme Court’s decision in Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1147 (2013), data breach class actions were largely considered dead in the water. The overwhelming majority of courts, relying heavily on Clapper, dismiss data breach actions for the simple reason that until a consumer suffers actual identity theft, she lacks Article III standing to sue. In other words, without actual identity theft, the risk of future harm—as well as any money spent attempting to protect against potential identity theft—is purely speculative and does not suffice to constitute a legally cognizable injury.

The Baby and the Bathwater: The Department of Commerce’s Bureau of Industry and Security (BIS) Intrusion and Surveillance Software Export Licensing Proposal

If you are not aware, please take note that the July 20, 2015 deadline is fast approaching for comments on the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) proposed rule on the export control of certain intrusion and surveillance related software. The proposed rule, which addresses changes to the U.S. Export Administration Regulations (EAR), is designed to align with agreements made in the December 2013 Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, a multilateral export control regime with 41 participating states committed to promoting transparency and responsibility in cross-border transfers of arms and dual-use goods and technologies. The wide-reaching rule proposes adding new controls in Category 4 of the EAR’s Commerce Control List (CCL) intended to address “intrusion software” used by hackers and other cybercriminals. The difficulty is that, in the way the proposed rule is worded (and explained), it also subjects network penetration testing products, the type that use “intrusion software” to identify cyber-vulnerabilities, to the same export licensing requirements. That is to say, the manner in which the controlled intrusion software would be defined includes the good as well as the bad, and could have a chilling effect on beneficial research and development of defensive software.

Ransoming Sensitive Personal Information: Will OPM’s Data Breach Trigger Your Insider Threats?

Perhaps it’s the books I’ve been reading or the television shows I’ve been watching, but my mind can’t seem to stop linking the recent barrage of cybersecurity attacks with those ne’er-do-wells that plagued the Caribbean from 1650 through the 1730s. Yes, I’m talking about pirates, but not the Errol Flynn/Johnny Depp-style buccaneer, more the Edward Teach model, the notorious “Blackbeard.” One of Blackbeard’s most infamous successes occurred in Charleston, South Carolina in 1718 when he blockaded Charleston Harbor and held some of the town’s leading citizens for ransom. Rather than demand the typical jewels and money, Blackbeard wanted something else – he held both the town and its people ransom for £300 of medicine. After a circus of errors conspired to delay the ransom payment, Blackbeard received his medicine and released both the harbor and his prisoners – minus, of course, much of their finer possessions (they were pirates after all) – and sailed off into legend. So what does this jaunt down piracy lane have to do with cybersecurity and federal contractors? Simple: sometimes we don’t know what’s really of value and how that value can be used. Case in point – the OPM breach.

ALERT: NIST Issues Final Guidance on Federal Contractor Cybersecurity Standards for Controlled Unclassified Information

On June 19, 2015, the National Institute of Standards and Technology (“NIST”) published the final version of guidance for federal agencies to ensure sensitive information remains confidential when stored outside of federal systems. The guidelines, Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, apply to nonfederal information systems and organizations that process, store, or transmit federal controlled unclassified information, or “CUI,” and match the guidelines published for public comment last fall. The new guidance is step two in a three-part plan with the National Archives and Records Administration (“NARA”), discussed in last month’s blog, to ensure the confidentiality of sensitive federal information no matter where it is stored. As data breaches continue to make near-daily news, federal contractors not using the “recommendations” laid out in SP 800-171 would be wise to take another look, as they contain, more than ever, the Government’s express expectations of how it wants its information protected.

Another Blow to Call Recording Class Actions

Back in February, the California Court of Appeal in Hataishi v. First American Home Buyers Protection Corp., 223 Cal. App. 4th 1454 (Feb. 21, 2014), dealt a significant blow to call recording class actions across California. The Court held that plaintiffs asserting claims under California Penal Code section 632 (“Section 632”) had to establish that the telephone calls that were monitored or recorded were “confidential” – meaning that the plaintiffs had an objectively reasonable expectation that their calls were not being overheard or recorded. Applying this standard classwide was impossible. Each individual’s objectively reasonable expectations would turn on individualized inquiries, including the length of the class member’s experience with the defendant, whether the class member had ever been notified that her calls with the defendant may be monitored or recorded, and each class member’s experience with other businesses that record or monitor calls. We asked then whether call recording class actions were doomed.

Cyber-Breach & NISPOM Conforming Change 2 – It’s What’s on the Inside That Counts

Most companies are worried about external threats – things that are coming at their people, their group, their company, their government, all from an outside actor. Like governments with an eye on counter-intelligence, however, savvy businesses also realize that their employees can pose a very real, internal threat. While an insider breach is not necessarily a common event, when it does happen, it tends to happen on a large scale. Last year, the FBI reported that when a malicious insider breach surfaced, it cost industry $412,000 per incident, on average. Over ten years, the average loss per industry is $15 million. And, unless you’ve been hiding under a rock, you know that the Government is not immune to insider breaches and the reputational impact to federal contractors resulting therefrom. Exacerbating, or perhaps facilitating, this threat is the manner in which companies (and governments) store, transfer, and maintain vital company records and data. With the right password and a $16 thumb drive, an intern can steal the corporate keys to the kingdom, and still be home in time for lunch. Simply put, all employers face the risk of insider threats, which are more perilous than ever in the computer age. Recognizing that internal threats are real, the issue, then, is how to stop these threats from manifesting. Learning from recent high-profile mistakes, the Government is trying to make sure its contractors stay ahead of the risk of an internal breach.

Russian Parliament Moving To Advance Commencement Date On Data Protection And Information Legislation

In July 2014, the Russian President signed data protection and information legislation that requires all “data operators” who process personal data of Russian citizens, including over the Internet, to do so from servers/databases within Russia. While the original law provided for a September 1, 2016 commencement date, new legislation is moving through the Russian Parliament that would advance the commencement date to January 1, 2015. This law should significantly impact the collection, processing and storage of personal data of Russian citizens.

This issue was recently reported on by our friends at Bird & Bird; the Bird & Bird alert can be read here.