
Jonathan Meyer is a partner in the Governmental Practice Group and leads the firm’s National Security team. From 2021 to 2024, he served as General Counsel of the U.S. Department of Homeland Security.

The Eleventh Circuit recently issued a long-awaited ruling in the LabMD case. In that case, the FTC had gone after a cancer detection facility that suffered a data breach. The agency criticized the company for lax data security and in July 2016 issued a broad order against the company requiring changes to the company’s systems. Unlike most other companies that find themselves in the FTC’s crosshairs, LabMD fought back. It objected to the FTC’s original administrative complaint on both substantive and procedural grounds and prevailed before an Administrative Law Judge, who was then overruled by the FTC. This led LabMD to appeal to the Eleventh Circuit, which punted on some key issues it could have addressed, including what type of injury is cognizable when it comes to data breaches, a question that arises frequently in data privacy cases of all types, not just those relating to Section 5. It also did not discuss what type of notice the FTC must provide for companies to know what it considers “reasonable” security measures. Instead, it issued a relatively narrow ruling relating to the vagueness of the FTC’s order, namely that requiring LabMD to cease and desist its prior practices and revise and replace its data security program was not specific enough. Because of this ruling, we expect to see more specific orders from the FTC, along the lines of the BLU settlement we reported on recently.
Continue Reading FTC Pursuing, and Getting More Specific, About Privacy Post-LabMD Finding

Just as companies may be catching their breath after sprinting to get ready for GDPR in time for its recent implementation date, the FTC has now entered the enforcement fray. It has stated that, where companies are choosing to apply GDPR protections to American consumers, the FTC may enforce any failures to abide by those commitments. What does this mean for US companies? As many implemented compliance with GDPR, a number of companies stated publicly that they would be providing some, or all, of the same protections to their other customers. It made sense for the companies – once they were reconfiguring their policies and systems to meet the GDPR requirements for European customers, why not offer the same protections to individuals outside the EU? It was comparatively easy to do and it was good consumer PR. But now the FTC plans to hold them to it.
Continue Reading FTC Signals that It Will Enforce Statements of GDPR Compliance

On May 15, the Department of Homeland Security released its long-awaited Cybersecurity Strategy.

The Strategy aims to reduce cybersecurity risk through “an innovative approach that fully leverages our collective capabilities across the Department and the entire cybersecurity community.” It sets a course of cybersecurity policy for the Department for the next five years and signals a more assertive approach to cyber vis-à-vis other agencies by setting forth clearer consequences for agencies that don’t adopt best practices. It also fleshes out an initiative for DHS to engage the private sector more actively and share cybersecurity tools directly with industry, especially critical infrastructure sectors such as hospitals, information technology, health care, transportation systems and chemical plants.
Continue Reading DHS Releases New Cybersecurity Strategy

On April 26, the Senate voted to confirm nominees to all five Commissioner slots on the Federal Trade Commission. It was the first time the entire FTC has been confirmed at once since its founding in 1914. The new roster of Commissioners raises new questions about the role the FTC will play in cybersecurity and privacy. It has become increasingly active in this area in recent years and wholesale turnover at the top of the Commission could have a lasting effect on this body of law.
Continue Reading Dawn of the New FTC

Taking further steps into the world of cryptocurrency, two entities of the federal government recently took legal action against BitFunder, a now-defunct Bitcoin exchange, and its founder, Jon Montroll. The Securities and Exchange Commission filed civil charges against BitFunder and Montroll, and the U.S. Attorney’s Office in Manhattan brought criminal charges of perjury and obstruction of justice against Montroll, who was arrested and taken into custody. BitFunder was an exchange that, among other things, empowered its customers to create and trade Bitcoin-denominated shares of enterprises. The numerous allegations and charges against the defendants include:
Continue Reading Crypto-Crime: The SEC and DOJ Go After BitFunder and Its BitFounder

On February 21, the Securities and Exchange Commission issued new Interpretive Guidance regarding disclosures of cybersecurity-related information by publicly traded companies. This guidance comes in the context of public pressure on the SEC to update its 2011 Division of Corporation Finance guidance regarding cybersecurity risks and incidents. According to SEC Chairman Jay Clayton’s statement, this new document serves to reinforce and expand the prior guidance. It lays out principles that companies should follow in determining when cybersecurity information should be disclosed, and what should be disclosed.
Continue Reading SEC Takes Baby Steps on Cyber, but Signals Greater Vigilance

On February 20, the Department of Justice announced that Attorney General Sessions had created a new, cross-departmental Cyber-Digital Task Force. He directed the Task Force to advise him on the most effective ways for DOJ to confront cyber threats and keep Americans safe. Specifically, the Task Force is charged with canvassing the work the Department is already doing on cyber, and making recommendations on “how federal law enforcement can more effectively accomplish its [cyber] mission.” He asked for a report from the Task Force by June 30.
Continue Reading Justice Department Creates Cyber-Digital Task Force

While they may disagree in other areas, one thing that former FBI Director James Comey, current Deputy Attorney General Rod Rosenstein, and current FBI Director Christopher Wray all have in common is their distaste for strong encryption that prevents the government from accessing information. In 2016, Comey and the Justice Department went to court to try to force Apple to help the government decrypt messages sent by the San Bernardino terrorist attackers. A few months ago, Rosenstein picked up that torch, discussing the need for government access to encrypted information in two separate speeches in October, then repeating his views in the wake of November’s mass shooting at a church in Texas. On January 10, Wray raised the subject in a speech, referring to it as “an urgent public safety issue.” At the same time, as tech companies are quick to point out, the rising tide of information snooping by foreign governments and private actors makes the need for strong encryption greater than ever. The Trump Administration’s strong law-and-order stance, and relative lack of sympathy for tech companies and civil libertarians, mean that 2018 could lead to new developments in this area.
Continue Reading The Encryption Battle Will Continue in 2018

For companies that do business with the government, 2017 was a year of transition, as many began to follow the NIST Cybersecurity Framework, worked to accomplish Federal Risk and Authorization Management Program (FedRAMP) certification, or rushed to rid their systems of products from Kaspersky Lab. Perhaps most significant was the rush of Pentagon contractors to come into compliance by year’s end with NIST Special Publication (SP) 800-171, as mandated by a new provision of the Defense Federal Acquisition Regulation Supplement (DFARS). This provision requires contractors to comply with NIST’s standards on protecting Controlled Unclassified Information (CUI).
Continue Reading 2018 Likely a Year of Rising Government Standards for Securing Information