The Equifax and Facebook-Cambridge Analytica scandals, coupled with the proliferation of state privacy and security laws such as the California Consumer Privacy Act (CCPA)—as well as proposed laws in Washington and Massachusetts—have increased demand for a comprehensive national privacy law. Last week, the Senate announced plans to hold hearings to discuss a proposed privacy law. The Government Accountability Office (GAO) has just released its report recommending that Congress develop comprehensive privacy legislation to enhance consumer protections. Continue Reading Government Accountability Office Recommends Comprehensive Privacy Legislation
As we turn the page on 2018, let’s reflect on some of the key privacy and cybersecurity issues that will continue to occupy our hearts and minds in 2019.
Owning the Mega-Breach
2018 was the year in which data breaches in mergers and acquisitions became the iceberg in full view. This fuller realization of cyber risk in transactions, though, actually has its origin in September 2016 – when Yahoo and Marriott were in the midst of deals that would involve some of the largest data breaches on record. Continue Reading Some Thoughts on the Year in Privacy and Data Security Law
On November 21, 2018, the Pennsylvania Supreme Court drastically changed the data breach litigation landscape by holding that an employer has a common law duty to use reasonable care to safeguard employees’ personal information stored on an Internet-accessible computer. The Court further held that Pennsylvania’s economic loss doctrine permits recovery for “purely pecuniary damages” on a negligence claim premised on a breach of such a duty. Continue Reading Pennsylvania Supreme Court Recognizes Common Law Duty to Safeguard Employees’ Personal Data
The U.S. Securities and Exchange Commission (SEC) has joined the government chorus in sounding the alarm about the rapid rise in “business email compromises” that are victimizing organizations across industry sectors.
On October 16, 2018, the SEC released a “Report of Investigation” calling for public companies to reassess their internal accounting controls “in light of emerging risks, including risks arising from cyber-related frauds.” In particular, the report focuses on certain types of “business email compromises” (BEC), in which a bad actor uses spoofed or compromised email accounts to trick an organization’s personnel into effectuating wire transfers to financial accounts controlled by fraudsters. Continue Reading SEC Special Report: Rampant Business Email Compromises Require Reassessment of Internal Accounting Controls
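The report describes the lure, not how to spot it. The following is an added example, not part of the SEC report or this post, showing three header-level indicators of a spoofed message of the kind described above: a display name that matches an executive but an address that does not, a look-alike sender domain, and a Reply-To that diverts answers elsewhere. The internal domain, the executive roster and the two sample messages are constructed for the illustration. Note the limit: these checks catch spoofed senders only; a BEC sent from a genuinely compromised internal mailbox will pass all three, which is why the report's point about payment-authorization controls, not just mail filtering, matters.

```python
"""Header-based indicators of a spoofed business-email-compromise (BEC) message.

Added illustration, not from the SEC report or the blog post. The internal
domain, the executive roster and the sample messages below are constructed.
"""
import difflib
import email
from email import policy
from email.utils import parseaddr

# Constructed example data: the organisation's own domain and the people a BEC
# lure typically impersonates, keyed by lower-cased display name.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",
    "john smith": "john.smith@example.com",
}

# Digit-for-letter swaps commonly used to build look-alike domains (examp1e.com).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalise_domain(domain: str) -> str:
    """Lower-case and fold common confusable substitutions (heuristic only)."""
    folded = domain.lower().translate(HOMOGLYPHS)
    return folded.replace("rn", "m").replace("vv", "w")


def is_lookalike(domain: str, target: str = INTERNAL_DOMAIN) -> bool:
    """True if `domain` is not `target` but is confusably close to it."""
    if domain.lower() == target:
        return False
    folded = normalise_domain(domain)
    if folded == target:
        return True
    # Similarity ratio: one or two character edits away from the real domain.
    return difflib.SequenceMatcher(None, folded, target).ratio() >= 0.85


def bec_indicators(raw_message: str) -> list:
    """Return the spoofing indicators found in a raw RFC 5322 message's headers."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    indicators = []

    # 1. Display name matches an executive but the address is not theirs.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        indicators.append(f"display-name impersonation: {from_name!r} from {from_addr}")

    # 2. Sender domain is a look-alike of the organisation's own domain.
    if from_domain and is_lookalike(from_domain):
        indicators.append(f"look-alike domain: {from_domain}")

    # 3. Reply-To points to a different domain than the visible sender.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        indicators.append(f"reply-to mismatch: {reply_domain} != {from_domain}")

    return indicators


# Constructed sample messages (not real traffic).
SPOOFED_MESSAGE = (
    "From: Jane Doe <jane.doe@examp1e.com>\n"
    "Reply-To: ceo.jane@mail-relay.net\n"
    "Subject: Urgent wire - confidential\n"
    "\n"
    "Please process the attached wire today and call me only after it is sent.\n"
)
LEGIT_MESSAGE = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "Subject: Lunch\n"
    "\n"
    "Still on for noon?\n"
)

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, bec_indicators(raw))
```

In a real pipeline these signals would be combined with SPF/DKIM/DMARC results and a payment-change verification step handled out of band (a phone call to a known number), since header heuristics alone neither block a compromised account nor replace the internal accounting controls the SEC report asks companies to reassess.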
The Federal Election Commission (FEC) released a draft advisory opinion (draft AO) yesterday, concluding that certain cybersecurity services a nonprofit corporation provides to candidates and political parties are not in-kind contributions.
Defending Digital Campaigns, Inc. (DDC) is a nonprofit corporation under Washington, D.C., law, exempt from federal income tax under § 501(c)(4). Its stated purpose is “to provide education and research for civic institutions on cybersecurity best practices and assist them in implementing technologies, processes, resources, and solutions for enhancing cybersecurity and resilience to hostile cyber acts targeting the domestic democratic process.” DDC’s request for an AO seeks the FEC’s guidance on whether the Federal Election Campaign Act, 52 U.S.C. §§ 30101-45 allows DDC to provide certain cybersecurity services, software, and hardware to candidates for federal office and political parties for free or at a reduced cost, or whether those actions would constitute in-kind contributions. Continue Reading FEC: Cybersecurity Services to Candidates, Political Parties Not In-Kind Contributions
This month marks 15 years of observing National Cyber Security Awareness Month (NCSAM) in October.
The program was started way back in 2004, by the U.S. Department of Homeland Security and the National Cyber Security Alliance to educate Americans about ways to stay safer and more secure online.
Technology has transformed most aspects of daily life since 2004, when:
- Smartphones as we know them didn’t exist (BlackBerrys don’t count).
- Thefacebook.com was born in a Cambridge dorm room.
- Google launched a new product called “gmail” – and went public.
- “Blog” was Merriam-Webster’s word of the year.
- Twitter, YouTube et al. did not exist.
- Netflix was a mail-order, DVD-rental business.
- California was the only state that had enacted a data breach notification law.
Please join Ballard Spahr on October 4, 2018 in New York City for “Concordant Crossroads: Regulation and Innovation in the Automotive Industry,” presented by the Thomson Reuters Legal Executive Institute. Co-chaired by Ballard Spahr partners Neal Walters and Philip N. Yannella, this conference offers a practical and robust examination of the disruption that autonomous technology and regulation pose to transportation and the automotive industry. Continue Reading Join Us at Concordant Crossroads: Regulation and Innovation in the Automotive Industry
Ballard Spahr’s Privacy and Data Security Group will again be hosting its Colorado Cybersecurity Summit on September 18, 2018, at Ballard Spahr’s Denver office and via webinar.
Highlights will include a discussion with the Colorado Deputy Attorney General who will be responsible for enforcing Colorado’s groundbreaking new cybersecurity law, as well as the former Director of Legislative Affairs who ushered the law through the state legislature. The Summit will also feature panel discussions on the current state of GDPR, how the new California Consumer Privacy Act will affect businesses, and innovative ways to mitigate risk in a world with quickly changing technology.
The Summit is co-sponsored by IMA Financial Group, Kivu Consulting, Noosa Yogurt, and Colorado = Security.
CO CLE and IAPP CPE credits are pending. Uniform Certificates of Attendance will also be made available for the purpose of seeking CLE credit in other jurisdictions.
One of the most bedeviling aspects of data privacy and security law concerns the concept of “reasonable” data security, which has become the default statutory and common law standard. The FTC began articulating a reasonableness standard in the early aughts, when the Commission first began scrutinizing companies’ data security practices. Companies for years quietly grumbled about the vagueness of this standard, which isn’t defined in any regulations or federal statutes. Critics obtained a recent victory when the Eleventh Circuit, in LabMD v. FTC, vacated an FTC cease-and-desist order on the ground that the relief the FTC sought against LabMD, implementation of reasonable data security practices, was too vague to be enforceable. Continue Reading What Does “Reasonable” Data Security Mean, Exactly?
The New York Department of Financial Services (“NYDFS”) has adopted a regulation that requires “consumer credit reporting agencies” (“CCRAs”) to register with the NYDFS, prohibits CCRAs from engaging in certain practices, and requires CCRAs to comply with certain provisions of the NYDFS cybersecurity regulation. Continue Reading NYDFS Requires Consumer Credit Reporting Agencies to Comply with Cybersecurity Regulation