Category Archives: Data Security

FTC Settles with Company Over Alleged Deceptive Security Practices

The FTC recently settled with smart lock maker Tapplock, Inc., a Canadian company, over allegations that it deceived consumers with false claims about its product’s security practices. These allegations arose based on vulnerabilities that a security researcher demonstrated – not in the aftermath of a data security breach where these complaints often originate.… Continue Reading

Turn on the Camera Part Two: Are You Prepared to Handle a Breach Remotely and Do You Know Your Legal Security Obligations?

During their COVID-19 preparations, companies are dusting off, and deploying, their business continuity plans. Also worth revisiting are incident response plans. Teams working remotely, if faced with a data breach, will still face privilege issues. For this reason, simply moving to asynchronous forms of communication (email, chat, etc.) may not suffice, or may increase legal … Continue Reading

NY SHIELD Act Data Security Requirements Effective This Month

Businesses collecting personal information from New York residents will soon be expected to apply enhanced data security requirements. The New York SHIELD Act, signed into law in July 2019, expanded breach notice requirements in October 2019. Now, on March 21, 2020, the remaining provisions related to data security will also come into effect. As we … Continue Reading

Buyers (And Sellers) Beware!: SEC Observations on Cybersecurity and Resiliency

The Securities and Exchange Commission recently published a set of observations designed to assist financial market participants. While not legally binding, the observations are guideposts for investment companies, securities issuers, and others. They outline steps to improve cyber preparedness and to protect against well-known and evolving cybersecurity threats faced by companies in the United States … Continue Reading

Iran’s Imminent Cybersecurity Threat

In response to the killing of Major General Qassim Suleimani, the government of Iran and its supreme leader, Ayatollah Ali Khamenei, have declared the country’s intention to strike back at the United States. According to reports, their desire is to respond proportionally, but not start a war, and they are contemplating multiple options, any subset … Continue Reading

New European Data Protection Board Guidance on Data Protection by Design and by Default

The European Data Protection Board recently requested comments on its data protection “by design and default” guidelines. Comments are due by mid-January of next year. The Guidelines provide clarity about how to address GDPR’s requirement that companies take “appropriate” technical and organizational steps to protect personal information and individuals. Part of the law’s requirements, according … Continue Reading

FTC and Software Company Reach Security Settlement Over Unfair Practices

The FTC recently settled with InfoTrax Systems, L.C., a technology company providing software to the direct sales industry. The settlement followed a breach suffered by the company, and involved allegations the company had failed to use reasonable security. According to the FTC, for almost two years, a hacker accessed InfoTrax’s server unnoticed at least seventeen … Continue Reading

CISA Releases “Cyber Essentials” to Assist Small Businesses

The Department of Homeland Security Cybersecurity & Infrastructure Security Agency recently released its Cyber Essentials guide. Consistent with the NIST Cybersecurity Framework, these Cyber Essentials provide “a starting point to cyber readiness,” and are specifically aimed at small businesses and local government agencies that may have fewer resources to dedicate to cybersecurity.  The guide suggests … Continue Reading

Preparing for New York’s New Data Security Requirements

New York recently passed the SHIELD Act, which, among other things, newly establishes data security requirements for companies that collect private information about New York residents. The data security protections required by the Act go into effect in March 2020. Companies that are already subject to and compliant with data security requirements under HIPAA, GLBA, or … Continue Reading

Bombas Settles with NYAG Over Credit Card Data Breach

Modern sock maker Bombas recently settled with New York over a credit card breach, agreeing to pay $65,000 in penalties. According to the NYAG, malicious code was injected into Bombas’ Magento ecommerce platform in 2014. The company addressed the issue over the course of 2014 and early 2015, and according to the NYAG, determined that … Continue Reading

Maryland Adds Requirements to Breach Notice Law

Maryland has amended its breach notification law to require businesses that maintain data, not just those that own or license the data, to conduct “a reasonable and prompt investigation” into whether personal information has been or will be misused. This requirement will go into effect in October 2019. Starting then, vendors who maintain information will … Continue Reading

Texas Breach Law Will Change in 2020, To Require Attorney General Notification

New requirements to the Texas data breach statute, including a requirement to notify the Texas attorney general of a breach, are set to go into effect January 1, 2020. The legislation, signed by Texas Governor Greg Abbott on June 14, 2019, requires that the Texas attorney general be notified of a breach within 60 days. … Continue Reading

FTC and Car Dealership Software Company Reach Security Settlement

The FTC recently settled with LightYear Dealer Technologies, maker of DealerBuilt software, over allegations that the company failed to provide adequate protection for the personal data it houses. The company’s clients include many car dealers across the country, and its software allows those dealerships to house consumer information that is collected during the car purchase process. This … Continue Reading

Maine Passes Broadband Privacy Bill

Maine entered the privacy fray last week when Governor Janet T. Mills signed legislation targeting internet service providers by prohibiting the sale of information about customers’ internet use. The new restriction covers, in part, customer web browsing history, application usage history, and geolocation information. An internet service provider may only use, disclose, sell or permit … Continue Reading

SEC Issues Alert On Outsourcing and Data Security

The SEC recently issued a risk alert warning about using vendors and cloud-based platforms. Many broker dealers and investment advisors are turning to these third parties to store customer data. In its alert, the SEC’s Office of Compliance Inspections and Examinations warns firms that relying on those third parties’ security tools is not, in and … Continue Reading

Feds Want New IoT Guidance to Address Security Vulnerabilities

“Internet of Things” devices are listening.  And now the federal government is taking notice. As we reported in our Government Contracts and Investigations blog, to date, federal cybersecurity regulations for government contractors focus on implementing safeguards to protect sensitive government data. A gap has emerged where the federal government purchases IoT devices. Those devices collect and send data … Continue Reading

New Jersey Breach Notice Law Expands To Cover Online Account Breaches

New Jersey joins a growing list of states that include user name, email address or any other identifier, in combination with any password or security question and answer that would permit access to an online account, as personal information that, if breached, would give rise to a duty to notify. Other states that include these identifiers … Continue Reading

Utah Requires Law Enforcement Search Warrants

Effective this week, law enforcement in Utah will need a search warrant to obtain certain electronic records. The new state legislation looks to expand privacy protections for content that consumers store online. Generally, the third-party doctrine limits the protection this type of information receives under Fourth Amendment protections against unreasonable searches and seizures. The … Continue Reading

North Dakota Data Misuse Law Amended

North Dakota criminal law currently contains penalties for misusing the personal information of another. That law has been expanded, and beginning August 1, 2019, it is a class B felony to use a skimmer or scanning device to try to get information from a payment card, credit card, or state ID without the permission of the … Continue Reading

FTC Looks Back at 2018

As we enter into the second quarter of the year, the FTC has released its annual report on privacy and data security, and the steps it took in those areas over the course of 2018. The report includes summaries of its actions against companies for alleged violations of the FTC Act,  CAN-SPAM, and COPPA, among … Continue Reading