UK Regulator Issues Guidance About Encryption Under GDPR

By Shanna Pearce and Liisa Thomas on December 13, 2018 Posted in EU Privacy

The UK Information Commissioner’s Office recently released helpful encryption guidance. Although released to address the GDPR security requirements, this document may be helpful more broadly because of the detail around encryption the ICO provides. In the guidance, the ICO points to certain types of encryption (symmetric and asymmetric) and when to use the different methods. The ICO also clarifies that “hashing” is not encryption, two things that are often confused. The ICO also gives information about how to implement encryption. Namely, to choose the right algorithm, the right size key, and the right software. The ICO also reminds companies to keep the key itself secure. The ICO gives links to several resources to learn more about encryption and encryption methods and standards. Continue Reading

US Breach Laws Are Coming: Iowa

By Liisa Thomas and Shanna Pearce on December 12, 2018 Posted in Data Breach, Data Security

As we approach 2019, companies will want to keep in mind the changes that are coming to various US states’ breach notice laws. On January 1, 2019 Iowa’s law, which has already been amended twice since it was passed in 2008, will change again. Continue Reading

FDA Issues New Draft Cybersecurity Guidance for Medical Devices

By Shanna Pearce on November 29, 2018 Posted in Healthcare Privacy

The Food & Drug Administration has recently released for comment a draft expansion of guidance regarding Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. Although the FDA issued existing guidance in 2014, the new guidance reflects concerns about the rapidly-changing nature of cybersecurity threats, and the potentially grave consequences of cybersecurity incidents involving healthcare and medical devices—particularly medical devices which connect to the internet, networks, or other devices. The draft guidance gives recommendations to medical device manufacturers about the device design, labeling, and documentation that the FDA expects to see in premarket submissions. It updates and expands beyond the prior guidance in several significant respects. Continue Reading

Live Free or Die Trying—New Hampshire Voters Enshrine Right to Privacy in State’s Constitution

By David Poell on November 19, 2018 Posted in Consumer Privacy

On Election Day 2018, in the State that boasts the official motto of “Live Free or Die,” over 80% of New Hampshire voters overwhelmingly approved an amendment to the State Constitution enshrining an explicit “right to privacy” to New Hampshire residents. Question 2 on New Hampshire ballots asked voters to approve (or reject) the following language to the New Hampshire Constitution: An individual’s right to live free from governmental intrusion in private or personal information is natural, essential, and inherent. Having received the required approval of over two-thirds of voters, the language of Question 2 will be added as Article 2-b (“Right to Privacy”) to the New Hampshire Constitution. Continue Reading

Update on Enforcement of China’s Cybersecurity Law

By Amber Thomson on November 15, 2018 Posted in Chinese Privacy, Consumer Privacy

Companies doing business in China may see an increase in enforcement actions with the enactment of a new cybersecurity regulation and the enforcement powers of the Public Security Bureaus (PSBs) officially codified. The regulation – Provisions on Internet Security Supervision and Inspection by Public Security Organs – is now in effect, more than a year after the enactment of the country’s Cybersecurity Law. Continue Reading

Ninth Circuit Opens Door for More Expansive Meaning of ATDS in TCPA Cases

By David Poell on November 14, 2018 Posted in Consumer Privacy, TCPA, Telecommunications Privacy

In the recent case of Marks v. Crunch San Diego, LLC, 904 F.3d 1041 (9th Cir. 2018) the Ninth Circuit broadly interpreted the TCPA’s definition of automatic telephone dialing system (often referred to as ATDS) to include devices with the capacity to dial stored numbers automatically. The device at issue in Marks is called the “Textmunication” system, which the Court described as “a web-based marketing platform designed to send promotional text messages to a list of stored telephone numbers.” The defendant, Crunch Fitness, had communicated with current and prospective gym members by sending them text messages via the Textmunication system. The plaintiff, Jordan Marks, had signed up for a gym membership and subsequently received three text messages over an 11-month period. Marks sued Crunch Fitness and alleged that the text messages violated the TCPA. The district court granted summary judgment in favor of Crunch Fitness after concluding that the Textmunication system did not constitute an ATDS because it presently lacked a “random or sequential number generator” and did not have the potential to add this feature. Continue Reading

Supermarket Held Vicariously Liable in UK’s First Data Leak Class Action

By Shanna Pearce on November 13, 2018 Posted in Consumer Privacy, Data Security, EU Privacy

UK supermarket chain Morrisons has been held vicariously liable for the acts of a malicious employee in the UK’s first data leak class action. The issue began in 2014, when a disgruntled Morrison’s internal IT auditor posted to a public file-sharing website the payroll data of nearly 100,000 employees (including names, addresses, dates of birth, national insurance numbers and bank details). The employee was found criminally liable in 2015 and jailed for eight years. A class action of 5,500 employees filed claims against Morrisons alleging breaches of the Data Protection Act 1998 (DPA). Although Morrisons acted swiftly and responsibly after the leak, and was found not to be primarily liable, the court of appeals has nonetheless now affirmed the lower court ruling that Morrisons is vicariously liable for the unlawful acts of its employee carried out in the course of his employment. Continue Reading

FTC Cyber Guidance for Small Business has Tips Helpful to All

By Liisa Thomas on November 12, 2018 Posted in Cybersecurity, FTC

The Federal Trade Commission recently issued a cyber guide that, while intended for small businesses, can be of help for all businesses. The purpose of the guide, which includes various modules, is to help smaller businesses address data security threats. These modules follow guidance the FTC issued in April, stressing the importance of cyber security preparedness and the help the FTC intended to give to small businesses on that front. Continue Reading

Ohio Gives Breach Safe Harbor for Companies with Written Data Security Program

By Amber Thomson and Liisa Thomas on October 30, 2018 Posted in Data Breach, Data Protection, Data Security

Effective November 2, 2018, companies that suffer a breach may have certain defenses in Ohio if they have a written cybersecurity program in place. Under this new law, companies can use as an affirmative defense the existence of a cyber program in rebuttal to an argument that they failed to implement reasonable information security controls, and that failure resulted in a breach. The definition of breach (and personal information that if impacted gives rise to a duty to notify) is identical to Ohio’s existing breach notification law. The defense is available if the company has a written program in place, and that program conforms to “industry-recognized frameworks” like the National Institute of Standards and Technology’s Framework, ISO 27000, FedRAMP, PCI Standards, the Security Rule of the Health Insurance Portability and Accountability Act, or the Safeguards Rule of the Gramm-Leach-Bliley Act. Anticipating that these frameworks may be amended from time to time, the law gives companies a year to modify their programs to get into compliance with the amended law. Programs must meet minimal criteria to qualify. This includes (1) protecting the security and confidentiality of the information, (2) protecting against anticipated threats or hazards, and (3) protecting against unauthorized access to and acquisition of the information. The program would be right-sized to take into account the size of the business, nature of its business, type of information, cost of protection tools, and resources available to the company. The drafters emphasized that this provision does not give rise to a private right of action. Continue Reading

DealerBuilt Settles with New Jersey Over Data Breach

By Liisa Thomas and Amber Thomson on October 29, 2018 Posted in Data Breach, Data Security

The New Jersey attorney general recently announced its settlement with software company LightYear Dealer Technologies, LLC- doing business as DealerBuilt- over a 2016 data breach. The company provides its clients, car dealerships, software to organize and manage both customer and employee information. That information includes drivers’ license numbers, Social Security numbers, and financial account information. According to the AG’s order, the company misconfigured a file synchronizing program. As a result, sensitive information was available publicly, and a security researcher downloaded almost 10GB of data in the fall of 2016. Included in the downloaded data was sensitive personal information of about five car dealerships’ customers and employees. Continue Reading

By scrolling this page, clicking a link or continuing to browse our website, you consent to our use of cookies as described in our Cookie and Advertising Policy. If you do not wish to accept cookies from our website, or would like to stop cookies being stored on your device in the future, you can find out more and adjust your preferences here.

Agree