Photo of Jonathan E. Meyer

Jonathan Meyer is a partner in the Government Contracts, Investigations and International Trade Practice Group in the firm's Washington, D.C. office.

In the aftermath of Equifax’s data breach, a federal court recently found that allegations of poor cybersecurity coupled with misleading statements supported a proper cause of action. In its decision, the U.S. District Court for the Northern District of Georgia allowed a securities fraud class action case to continue against Equifax. The lawsuit claims the company issued false or misleading statements regarding the strength and quality of its cybersecurity measures. In their amended complaint, the plaintiffs cite Equifax’s claims of “strong data security and confidentiality standards” and “a highly sophisticated data information network that includes advanced security, protections and redundancies,” when, according to the plaintiffs’ allegations, Equifax’s cybersecurity practices “were grossly deficient and outdated” and “failed to implement even the most basic security measures.” The court found that data security is a core aspect of Equifax’s business and that investors are likely to review representations on data security when making their investment decisions.
Continue Reading Court Finds Cybersecurity-Related Claims Sufficient in Securities Class Action

As the first month of 2019 comes to a close, it is clear that this year will be another busy one in the world of privacy. To help get a handle on what to worry about this year, it is helpful to look back on the privacy developments from 2018 and consider what will be recurring or new themes in the year to come. To help on this front, we have put together our comprehensive “year in review” bulletin. In this document, we’ve included all of the developments we reported on in 2018, in one handy spot. You can view the summary here. There were many themes that emerged, from biometrics to targeting, breach laws to breach enforcement, 2018 was a busy year in privacy. We expect 2019 to be equally packed with privacy developments.
Continue Reading Year In Review: Eye on Privacy 2018

It is common for individuals to see the “padlock icon” on their browser bar when visiting a website, and assume they are safe. Sadly, this assumption is no longer valid. As we approach Data Privacy Day (January 28, 2019) many companies are taking extra steps to train employees about steps they can take to protect themselves – and their organizations. Here’s one to pass along to the team.
Continue Reading Pass It On: Locks Don’t Prevent Leaks

The U.S. Government is increasingly taking the initiative to alert companies to the cybersecurity risks of certain foreign corporations. Whether by issuing binding directives on agencies, passing laws or promulgating regulations that include prohibitions on the use of these companies’ products – including by government contractors, the Government is becoming less reluctant to interfere in the private market in favor of warning American companies of the cybersecurity dangers out there.
Continue Reading When the U.S. Government Declares Companies Cyber-Insecure, We Should All Pay Attention

On August 6, the FTC announced that it is seeking comment on a number of topics that are fundamental to its work, including on privacy. These topics will form the basis of its hearings on “Competition and Consumer Protection in the 21st Century”, which it will hold from September through January 2019, as we recently mentioned on this blog. The hearings will cover a variety of topics critical to the FTC, a few of which relate directly to privacy issues. These include:

• The intersection of privacy, big data, and competition, including the benefits and costs of privacy laws, and the benefits, costs and conflicts of such laws existing at different levels of government (federal, state, local, etc.);
• The Commission’s remedial authority to deter unfair and deceptive conduct. This is probably the most significant topic, because it touches on the expansiveness of the Commission’s authority to regulate privacy issues. It follows on Commission Chairman Simons’s recent testimony in the House of Representatives that the Commission may need more and better authority in the privacy realm than its current reliance on Section 5 of the Federal Trade Commission Act’s focus on unfair and deceptive practices;
• The welfare effects and privacy implications of using algorithmic decision tools and predictive analytics; and
• The efficacy of the FTC’s current investigation and remedial processes.
Continue Reading FTC Seeks Comment on Fundamental Privacy Enforcement Issues

As many of you have no doubt seen, the Justice Department recently released the report of the Attorney General’s Cyber Digital Task Force, a body the Attorney General had created in February. In the report, the Task Force, chaired by Deputy Attorney General Rod Rosenstein, seeks to answer the question: “How is the Department responding to cyber threats?” On the off chance that you’re not dying to read all 144 pages, we have provided a short summary and a couple of takeaways below.
Continue Reading DOJ Report Suggests Direction For Addressing Cyber Threats

The Eleventh Circuit recently issued a long awaited ruling in the LabMD case. In that case, the FTC had gone after a cancer detection facility that suffered a data breach.  The agency criticized the company for lax data security and in July 2016 issued a broad order against the company requiring changes to the company’s systems.  Unlike most other companies that find themselves in the FTC’s crosshairs, LabMD fought back.  It objected to the FTC’s original administrative complaint on both substantive and procedural grounds and prevailed before an Administrative Law Judge, who was then overruled by the FTC.  This led LabMD to appeal to the Eleventh Circuit, which punted on some key issues it could have addressed, including what type of injury is cognizable when it comes to data breaches, a question that is posing itself frequently in data privacy cases of all types, not just those relating to Section 5. It also did not discuss what type of notice the FTC must provide for companies to know what it considers “reasonable” security measures.  Instead, it issued a relatively narrow ruling relating to the vagueness of the FTC’s order. Namely, that requiring LabMD to cease and desist its prior practices and revise and replace its data security program was not specific enough.  Because of this ruling, we expect to see more specific orders from the FTC, along the lines of the BLU settlement we reported on recently.
Continue Reading FTC Pursuing, and Getting More Specific, About Privacy Post-LabMD Finding

Just as companies may be catching their breath after sprinting to get ready for GDPR in time for its recent implementation date, the FTC has now entered the enforcement fray. It has stated that, where companies are choosing to apply GDPR protections to American consumers, the FTC may enforce any failures to abide by those commitments. What does this mean for US companies? As many implemented compliance with GDPR, a number of companies stated publicly that they would be providing some -or all- of the same protections to their other customers. It made sense for the companies – once they were reconfiguring their policies and systems to meet the GDPR requirements for European customers, why not offer the same protections to individuals outside the EU? It was comparatively easy to do and it was good consumer PR. But now the FTC plans to hold them to it.
Continue Reading FTC Signals that It Will Enforce Statements of GDPR Compliance

On May 15, the Department of Homeland Security released its long-awaited Cybersecurity Strategy.

The Strategy aims to reduce cybersecurity risk through “an innovative approach that fully leverages our collective capabilities across the Department and the entire cybersecurity community.” It sets a course of cybersecurity policy for the Department for the next five years and signals a more assertive approach to cyber vis a vis other agencies by setting forth clearer consequence for agencies that don’t adopt best practices. It also fleshes out an initiative for DHS to engage the private sector more actively and share cybersecurity tools directly with industry, especially critical infrastructure sectors such as hospitals, information technology, health care, transportation systems and chemical plants.
Continue Reading DHS Releases New Cybersecurity Strategy