The Department of Homeland Security Cybersecurity & Infrastructure Security Agency recently released its Cyber Essentials guide. Consistent with the NIST Cybersecurity Framework, these Cyber Essentials provide “a starting point to cyber readiness,” and are specifically aimed at small businesses and local government agencies that may have fewer resources to dedicate to cybersecurity. The guide suggests a holistic approach for managing cyber risks, and is broken down into six “Essential Elements of a Culture of Cyber Readiness:” (1) Yourself; (2) Your Staff; (3) Your Systems; (4) Your Surroundings; (5) Your Data; and (6) Your Actions Under Stress. The final section of the guide provides a list of steps that can be taken immediately to increase organizational preparedness against cyber risks. These include backing up data, implementing multi-factor authentication, enabling automatic updates, and deploying patches quickly.
Continue Reading CISA Releases “Cyber Essentials” to Assist Small Businesses
Talk About Ironic: Brexit Group Fined Under EU-Related Privacy Regulations
In an ironic twist, the British Information Commissioner’s Office (ICO) recently fined a Brexit advocacy group for violating regulations issued under an EU directive. The fines, totaling £120,000, were levied against Leave.EU and a related insurance company, Eldon Insurance, for sending marketing emails to each other’s subscribers without sufficient consent. Leave.EU had sent marketing emails to over 300,000 of Eldon’s customers, and the two entities had carried out unlawful joint marketing campaigns through Leave. EU’s mailing list.
Continue Reading Talk About Ironic: Brexit Group Fined Under EU-Related Privacy Regulations
Cyber Concerns Lead to EU Recall of a Connected Kids Devices
Citing cybersecurity concerns with a children’s smartwatch, the European Commission recently issued a recall of the device. The Safe-KID-One is a smartwatch that gives parents the ability to track and communicate with their children. According to the European Commission, security issues with the device could allow a hacker to access a user’s data, including location history, phone numbers and serial number. Additionally, the hacker could use the watch to “call another number of his choosing, can communicate with the child wearing the device or locate the child through GPS.” This is one of the first recalls of an internet of things device by the European Commission and puts device makers on notice that they should take cybersecurity seriously when designing new devices.
Continue Reading Cyber Concerns Lead to EU Recall of a Connected Kids Devices
Court Finds Cybersecurity-Related Claims Sufficient in Securities Class Action
In the aftermath of Equifax’s data breach, a federal court recently found that allegations of poor cybersecurity coupled with misleading statements supported a proper cause of action. In its decision, the U.S. District Court for the Northern District of Georgia allowed a securities fraud class action case to continue against Equifax. The lawsuit claims the company issued false or misleading statements regarding the strength and quality of its cybersecurity measures. In their amended complaint, the plaintiffs cite Equifax’s claims of “strong data security and confidentiality standards” and “a highly sophisticated data information network that includes advanced security, protections and redundancies,” when, according to the plaintiffs’ allegations, Equifax’s cybersecurity practices “were grossly deficient and outdated” and “failed to implement even the most basic security measures.” The court found that data security is a core aspect of Equifax’s business and that investors are likely to review representations on data security when making their investment decisions.
Continue Reading Court Finds Cybersecurity-Related Claims Sufficient in Securities Class Action
Year In Review: Eye on Privacy 2018
As the first month of 2019 comes to a close, it is clear that this year will be another busy one in the world of privacy. To help get a handle on what to worry about this year, it is helpful to look back on the privacy developments from 2018 and consider what will be recurring or new themes in the year to come. To help on this front, we have put together our comprehensive “year in review” bulletin. In this document, we’ve included all of the developments we reported on in 2018, in one handy spot. You can view the summary here. There were many themes that emerged, from biometrics to targeting, breach laws to breach enforcement, 2018 was a busy year in privacy. We expect 2019 to be equally packed with privacy developments.
Continue Reading Year In Review: Eye on Privacy 2018
Pass It On: Locks Don’t Prevent Leaks
It is common for individuals to see the “padlock icon” on their browser bar when visiting a website, and assume they are safe. Sadly, this assumption is no longer valid. As we approach Data Privacy Day (January 28, 2019) many companies are taking extra steps to train employees about steps they can take to protect themselves – and their organizations. Here’s one to pass along to the team.
Continue Reading Pass It On: Locks Don’t Prevent Leaks
When the U.S. Government Declares Companies Cyber-Insecure, We Should All Pay Attention
The U.S. Government is increasingly taking the initiative to alert companies to the cybersecurity risks of certain foreign corporations. Whether by issuing binding directives on agencies, passing laws or promulgating regulations that include prohibitions on the use of these companies’ products – including by government contractors, the Government is becoming less reluctant to interfere in the private market in favor of warning American companies of the cybersecurity dangers out there.
Continue Reading When the U.S. Government Declares Companies Cyber-Insecure, We Should All Pay Attention
FTC Seeks Comment on Fundamental Privacy Enforcement Issues
On August 6, the FTC announced that it is seeking comment on a number of topics that are fundamental to its work, including on privacy. These topics will form the basis of its hearings on “Competition and Consumer Protection in the 21st Century”, which it will hold from September through January 2019, as we recently mentioned on this blog. The hearings will cover a variety of topics critical to the FTC, a few of which relate directly to privacy issues. These include:
• The intersection of privacy, big data, and competition, including the benefits and costs of privacy laws, and the benefits, costs and conflicts of such laws existing at different levels of government (federal, state, local, etc.);
• The Commission’s remedial authority to deter unfair and deceptive conduct. This is probably the most significant topic, because it touches on the expansiveness of the Commission’s authority to regulate privacy issues. It follows on Commission Chairman Simons’s recent testimony in the House of Representatives that the Commission may need more and better authority in the privacy realm than its current reliance on Section 5 of the Federal Trade Commission Act’s focus on unfair and deceptive practices;
• The welfare effects and privacy implications of using algorithmic decision tools and predictive analytics; and
• The efficacy of the FTC’s current investigation and remedial processes.
Continue Reading FTC Seeks Comment on Fundamental Privacy Enforcement Issues
DOJ Report Suggests Direction For Addressing Cyber Threats
As many of you have no doubt seen, the Justice Department recently released the report of the Attorney General’s Cyber Digital Task Force, a body the Attorney General had created in February. In the report, the Task Force, chaired by Deputy Attorney General Rod Rosenstein, seeks to answer the question: “How is the Department responding to cyber threats?” On the off chance that you’re not dying to read all 144 pages, we have provided a short summary and a couple of takeaways below.
Continue Reading DOJ Report Suggests Direction For Addressing Cyber Threats
FTC Pursuing, and Getting More Specific, About Privacy Post-LabMD Finding
The Eleventh Circuit recently issued a long awaited ruling in the LabMD case. In that case, the FTC had gone after a cancer detection facility that suffered a data breach. The agency criticized the company for lax data security and in July 2016 issued a broad order against the company requiring changes to the company’s systems. Unlike most other companies that find themselves in the FTC’s crosshairs, LabMD fought back. It objected to the FTC’s original administrative complaint on both substantive and procedural grounds and prevailed before an Administrative Law Judge, who was then overruled by the FTC. This led LabMD to appeal to the Eleventh Circuit, which punted on some key issues it could have addressed, including what type of injury is cognizable when it comes to data breaches, a question that is posing itself frequently in data privacy cases of all types, not just those relating to Section 5. It also did not discuss what type of notice the FTC must provide for companies to know what it considers “reasonable” security measures. Instead, it issued a relatively narrow ruling relating to the vagueness of the FTC’s order. Namely, that requiring LabMD to cease and desist its prior practices and revise and replace its data security program was not specific enough. Because of this ruling, we expect to see more specific orders from the FTC, along the lines of the BLU settlement we reported on recently.
Continue Reading FTC Pursuing, and Getting More Specific, About Privacy Post-LabMD Finding