Ballard Spahr’s Privacy and Data Security Group will again be hosting its Colorado Cybersecurity Summit on September 18, 2018, at Ballard Spahr’s Denver office and via webinar.

Highlights will include a discussion with the Colorado Deputy Attorney General who will be responsible for enforcing Colorado’s groundbreaking new cybersecurity law, as well as the former Director of Legislative Affairs who ushered the law through the state legislature. The Summit will also feature panel discussions on the current state of GDPR, how the new California Consumer Privacy Act will affect businesses, and innovative ways to mitigate risk in a world with quickly changing technology.

The Summit is co-sponsored by IMA Financial Group, Kivu Consulting, Noosa Yogurt, and Colorado = Security.

CO CLE and IAPP CPE credits are pending. Uniform Certificates of Attendance will also be made available for the purpose of seeking CLE credit in other jurisdictions.

For more information and to register please click here.

 

One of the most bedeviling aspects of data privacy and security law concerns the concept of “reasonable” data security, which has become the default statutory and common law standard.  The FTC began articulating a reasonableness standard in the early aughts, when the Commission first began scrutinizing companies’ data security practices.  Companies for years quietly grumbled about the vagueness of this standard, which isn’t defined in any regulations or federal statutes. Critics obtained a recent victory when the Eleventh Circuit, in LabMD v. FTC, struck down an FTC judgment on grounds that the relief sought by the FTC against LabMD– implementation of reasonable data security practices — was too vague to be enforceable. Continue Reading What Does “Reasonable” Data Security Mean, Exactly?

The New York Department of Financial Services (“NYDFS”) has adopted a regulation that requires “consumer credit reporting agencies” (“CCRAs”) to register with the NYDFS, prohibits CCRAs from engaging in certain practices, and requires CCRAs to comply with certain provisions of the NYDFS cybersecurity regulation. Continue Reading NYDFS Requires Consumer Credit Reporting Agencies to Comply with Cybersecurity Regulation

Last week, the Office of the Comptroller of the Currency (“OCC”) published the Spring 2018 Semiannual Risk Perspective (the “Report”), which uses up-to-date data to identify risks to U.S. banks and measure their compliance with applicable laws and regulations.  The Report concluded that some of the OCC’s primary concerns are with the elevation in operational risk “as banks adapt business models, transform technology and operating processes, and respond to evolving cyber threats.”  The Report also focused on elevated compliance risk associated with bank efforts to “manage money-laundering risks in a complex environment.”

Many of the OCC’s observations and recommendations remained the same from its Fall 2017 report, leaving readers to wonder what will spur less conversation and potentially more action among OCC-supervised banks or concrete guidance by the OCC.  Regardless, a common thread running throughout both reports is the potential risk presented to financial institutions by emerging technologies, which carry the simultaneous blessing and curse of greater business opportunities, but also greater operational and compliance risks. Continue Reading OCC Semiannual Risk Perspective Highlights Cybersecurity, Fraud, Money Laundering Concerns

Colorado has enacted groundbreaking privacy and cybersecurity legislation that will require covered entities to implement and maintain reasonable security procedures, dispose of documents containing confidential information properly, ensure that confidential information is protected when transferred to third parties, and notify affected individuals of data breaches in the shortest time frame in the country. The new law was spearheaded by the Colorado Attorney General’s office, which is charged with enforcing its requirements. As a result of the legislation, covered entities should consider implementing written information security programs, third party vendor management controls, and incident response plans to best position themselves against potential enforcement actions and civil litigation in the future.

Ballard Spahr attorneys David Stauss and Gregory Szewczyk will host a webinar on Monday, June 4, 2018, at noon PT/1 p.m. MT/3 p.m. ET to provide an in-depth analysis of the new law and to discuss what covered entities must do to ensure compliance. Messrs. Stauss and Szewczyk are uniquely situated to discuss the new law, having assisted in developing the legislation, including Mr. Stauss testifying on the bill in front of the House Committee on State, Veterans, & Military Affairs. Click here for more information and to register.

The most notable provisions of the new law are discussed below.

Continue Reading Colorado Enacts Groundbreaking Privacy and Cybersecurity Legislation

South Carolina has become the first state to enact a version of the Insurance Data Security Model Law, which was drafted by the National Association of Insurance Commissioners (NAIC) in 2017. Governor Henry McMaster signed the South Carolina Insurance Data Security Act into law on May 14, 2018. The Act will become effective on January 1, 2019.

South Carolina Insurance Director Raymond G. Farmer chaired the NAIC Cybersecurity Working Group that drafted the model law. The South Carolina Act appears to follow the Model Law closely, and bears similarities to cybersecurity laws and regulations enacted in other states and at the federal level – including the New York Department of Financial Services cybersecurity regulations, the new Alabama data breach law, and HIPAA/HITECH data security/breach notification requirements. Continue Reading South Carolina Enacts First Insurance Data Security Act

As part of the Rocky Mountain Information Security Conference hosted in Denver from May 8 to 10, 2018, Ballard Spahr Privacy and Data Security attorney David Stauss sat down with Robb Reck, Chief Information Security Officer for Ping Identity and Alex Wood, Chief Information Security Officer for Pulte Financial Services. The group discussed a wide-range on cybersecurity issues as well as Robb and Alex’s involvement with the RMISC and their weekly podcast Colorado = Security.

Continue Reading Ballard Spahr Interviews Two Leaders of the Colorado Information Security Community

The ACC Foundation will be hosting a second webcast on May 1, 2018 at 12:00 EDT to discuss the results of the Foundation’s State of Cybersecurity Report.  You can sign up for the webcast here.

The Report surveyed 600 in-house counsel from around the world on a range of cybersecurity issues including data breach response, information security standards, GDPR preparation, vendor management and cyberinsurance.  The Report provides valuable cybersecurity benchmarking in a range of industries and identifies hot button issues for in-house counsel with responsibility for managing their company’s cybersecurity programs to consider.

The second webcast will focus on how companies interact with law enforcement in the wake of a data breach, trends in the appointment of a DPO under the GDPR, respondents’ views on proposed breach legislation, and gaps in information security programs.

Ballard Spahr served as a sponsor for the Report (as it did in 2015 for the first Report).  Phil Yannella, co-chair of Ballard’s Privacy & Data Security Group, served on the Advisory Board for the Report and will participate in the webcast.

South Dakota (site of Ballard’s newest office) has become the 49th State to enact a data breach notification law.  South Dakota Governor Dennis Daugaard signed SB 62 into law on March 21, 2018.  The law will take effect on July 1, 2018.

As with similar measures pending in other state legislatures, SB 62 was introduced in the South Dakota Senate on January 9, 2018, in the wake of the disclosures relating to the Equifax breaches. The law generally mirrors those of many other states, but includes a few new wrinkles. Continue Reading South Dakota Enacts Data Breach Notification Law

Mossack Fonseca, the beleaguered law firm at the center of the international Panama Papers scandal, has announced that it is closing its doors.  The firm cited “reputational deterioration” that has caused “irreversible damage.”

Founded in 1977 by Jurgen Mossack and Ramon Fonseca, Mossack Fonseca had been perched at the top of offshore legal services providers until April 2016, when it became ground zero for a global controversy because approximately 11.5 million of the firm’s internal legal and financial documents were leaked to the media. These leaked documents – publicized primarily by the International Consortium of Investigative Journalists (“ICIJ”) – allegedly reveal a global system of undisclosed offshore accounts, money laundering and tax evasion, and how the rich and powerful around the world use shell companies to conceal assets and possible illegal activity.

The incident is the largest publicly disclosed data breach involving a law firm. Following the April 2016 publication of data, founding partner Ramon Fonseca and other public sources claimed that the firm’s network had been compromised by hackers sometime in 2015.  Security researchers and other public sources identified numerous unpatched vulnerabilities in Mossack’s website and email server, which could have been very easily compromised by hackers. Approximately 2.6 terabytes of data – including 4.8 million emails, 3 million database files, and 2.1 million.pdf files – were leaked, including client documents dating back to the 1970s.  Approximately one year after the alleged data theft, ICIJ published the Mossack data and set off numerous investigations into the firm and its clients. Continue Reading “Panama Papers” Law Firm Announces Its Closure Due to Fallout from Massive Data Breach