FDA Issues New Draft Cybersecurity Guidance for Medical Devices

The Food & Drug Administration has recently released for comment a draft expansion of guidance regarding Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. Although the FDA issued existing guidance in 2014, the new guidance reflects concerns about the rapidly-changing nature of cybersecurity threats, and the potentially grave consequences of cybersecurity incidents involving healthcare and medical devices—particularly medical devices which connect to the internet, networks, or other devices. The draft guidance gives recommendations to medical device manufacturers about the device design, labeling, and documentation that the FDA expects to see in premarket submissions. It updates and expands beyond the prior guidance in several significant respects. Continue Reading

Live Free or Die Trying—New Hampshire Voters Enshrine Right to Privacy in State’s Constitution

On Election Day 2018, in the State that boasts the official motto of “Live Free or Die,” over 80% of New Hampshire voters overwhelmingly approved an amendment to the State Constitution enshrining an explicit “right to privacy” to New Hampshire residents. Question 2 on New Hampshire ballots asked voters to approve (or reject) the following language to the New Hampshire Constitution: An individual’s right to live free from governmental intrusion in private or personal information is natural, essential, and inherent. Having received the required approval of over two-thirds of voters, the language of Question 2 will be added as Article 2-b (“Right to Privacy”) to the New Hampshire Constitution. Continue Reading

Update on Enforcement of China’s Cybersecurity Law

Companies doing business in China may see an increase in enforcement actions with the enactment of a new cybersecurity regulation and the enforcement powers of the Public Security Bureaus (PSBs) officially codified. The regulation – Provisions on Internet Security Supervision and Inspection by Public Security Organs – is now in effect, more than a year after the enactment of the country’s Cybersecurity Law. Continue Reading

Ninth Circuit Opens Door for More Expansive Meaning of ATDS in TCPA Cases

In the recent case of Marks v. Crunch San Diego, LLC, 904 F.3d 1041 (9th Cir. 2018) the Ninth Circuit broadly interpreted the TCPA’s definition of automatic telephone dialing system (often referred to as ATDS) to include devices with the capacity to dial stored numbers automatically. The device at issue in Marks is called the “Textmunication” system, which the Court described as “a web-based marketing platform designed to send promotional text messages to a list of stored telephone numbers.” The defendant, Crunch Fitness, had communicated with current and prospective gym members by sending them text messages via the Textmunication system. The plaintiff, Jordan Marks, had signed up for a gym membership and subsequently received three text messages over an 11-month period. Marks sued Crunch Fitness and alleged that the text messages violated the TCPA.  The district court granted summary judgment in favor of Crunch Fitness after concluding that the Textmunication system did not constitute an ATDS because it presently lacked a “random or sequential number generator” and did not have the potential to add this feature. Continue Reading

Supermarket Held Vicariously Liable in UK’s First Data Leak Class Action

UK supermarket chain Morrisons has been held vicariously liable for the acts of a malicious employee in the UK’s first data leak class action. The issue began in 2014, when a disgruntled Morrison’s internal IT auditor posted to a public file-sharing website the payroll data of nearly 100,000 employees (including names, addresses, dates of birth, national insurance numbers and bank details). The employee was found criminally liable in 2015 and jailed for eight years. A class action of 5,500 employees filed claims against Morrisons alleging breaches of the Data Protection Act 1998 (DPA). Although Morrisons acted swiftly and responsibly after the leak, and was found not to be primarily liable, the court of appeals has nonetheless now affirmed the lower court ruling that Morrisons is vicariously liable for the unlawful acts of its employee carried out in the course of his employment. Continue Reading

FTC Cyber Guidance for Small Business has Tips Helpful to All

The Federal Trade Commission recently issued a cyber guide that, while intended for small businesses, can be of help for all businesses. The purpose of the guide, which includes various modules, is to help smaller businesses address data security threats. These modules follow guidance the FTC issued in April, stressing the importance of cyber security preparedness and the help the FTC intended to give to small businesses on that front. Continue Reading

Ohio Gives Breach Safe Harbor for Companies with Written Data Security Program

Effective November 2, 2018, companies that suffer a breach may have certain defenses in Ohio if they have a written cybersecurity program in place. Under this new law, companies can use as an affirmative defense the existence of a cyber program in rebuttal to an argument that they failed to implement reasonable information security controls, and that failure resulted in a breach. The definition of breach (and personal information that if impacted gives rise to a duty to notify) is identical to Ohio’s existing breach notification law. The defense is available if the company has a written program in place, and that program conforms to “industry-recognized frameworks” like the National Institute of Standards and Technology’s Framework, ISO 27000, FedRAMP, PCI Standards, the Security Rule of the Health Insurance Portability and Accountability Act, or the Safeguards Rule of the Gramm-Leach-Bliley Act. Anticipating that these frameworks may be amended from time to time, the law gives companies a year to modify their programs to get into compliance with the amended law. Programs must meet minimal criteria to qualify. This includes (1) protecting the security and confidentiality of the information, (2) protecting against anticipated threats or hazards, and (3) protecting against unauthorized access to and acquisition of the information. The program would be right-sized to take into account the size of the business, nature of its business, type of information, cost of protection tools, and resources available to the company. The drafters emphasized that this provision does not give rise to a private right of action. Continue Reading

DealerBuilt Settles with New Jersey Over Data Breach

The New Jersey attorney general recently announced its settlement with software company LightYear Dealer Technologies, LLC- doing business as DealerBuilt- over a 2016 data breach. The company provides its clients, car dealerships, software to organize and manage both customer and employee information. That information includes drivers’ license numbers, Social Security numbers, and financial account information. According to the AG’s order, the company misconfigured a file synchronizing program. As a result, sensitive information was available publicly, and a security researcher downloaded almost 10GB of data in the fall of 2016. Included in the downloaded data was sensitive personal information of about five car dealerships’ customers and employees. Continue Reading

UK Issues Fine for Unsolicited Funeral Marketing Emails

The U.K. data protection authority recently fined a lead generation company £90,000 ($118,000) for a 2017 unsolicited email marketing campaign. The company, Boost Finance Ltd, sent over 4 million emails promoting pre-paid funeral plans under the name findmeafuneralplan.com. In reaching its decision, the ICO (the UK data protection regulator), said that the company violated the UK’s Privacy and Electronic Communications Regulations by sending the messages without consent. Continue Reading

SEC Issues $1 Million Identity Theft Rule Fine

The Securities and Exchange Commission recently settled with Voya Financial Advisors, Inc. for alleged violation of Regulation S-ID (otherwise known as the Identity Theft Red Flags Rule) and Regulation S-P (otherwise known as the Safeguards Rule).  According to the SEC, Voya had failed to implement a written identity theft program as required of broker-dealers and investment advisors by the Identity Theft Red Flags Rule, and failed to have written policies and procedures to protect customer records and information as required by the Safeguards Rule. Specifically, in April 2016 intruders impersonated Voya independent contractors and contacted the company’s technical support line. They asked for a reset of the contractors’ passwords, which support staff did, giving them temporary passwords over the phone. The bad actors used these credentials to gain access to the company’s proprietary web portal. The portal contained personally identifiable information of Voya customers, and according to the SEC the bad actors were able to access personal information for at least 5,600 of Voya’s customers. This information included address, date of birth, last four digits of Social Security numbers, and email addresses. And, for at least 2,000, full Social Security number or other government-issued ID number. Voya was contacted by one of the targeted contractors, who said that he had gotten an email about a password change, but he had not requested the change. After receiving this alert of suspicious activity Voya took some steps, according to the SEC, but not sufficient ones, including not terminating the bad actors’ access to the compromised accounts. Continue Reading

LexBlog

By scrolling this page, clicking a link or continuing to browse our website, you consent to our use of cookies as described in our Cookie and Advertising Policy. If you do not wish to accept cookies from our website, or would like to stop cookies being stored on your device in the future, you can find out more and adjust your preferences here.

Agree