On November 21, 2018, the Pennsylvania Supreme Court drastically changed the data breach litigation landscape by holding that an employer has a common law duty to use reasonable care to safeguard employees’ personal information stored on an Internet-accessible computer. The Court further held that Pennsylvania’s economic loss doctrine permits recovery for “purely pecuniary damages” on a negligence claim premised on a breach of such a duty. Continue Reading Pennsylvania Supreme Court Recognizes Common Law Duty to Safeguard Employees’ Personal Data

The U.S. Securities and Exchange Commission (SEC) has joined the government chorus in sounding the alarm about the rapid rise in “business email compromises” that are victimizing organizations across industry sectors.

On October 16, 2018, the SEC released a “Report of Investigation” calling for public companies to reassess their internal accounting controls “in light of emerging risks, including risks arising from cyber-related frauds.”  In particular, the report focuses on certain types of “business email compromises” (BEC), in which a bad actor uses spoofed or compromised email accounts to trick an organization’s personnel into effectuating wire transfers to financial accounts controlled by fraudsters. Continue Reading SEC Special Report: Rampant Business Email Compromises Require Reassessment of Internal Accounting Controls

The Federal Election Commission (FEC) released a draft advisory opinion (draft AO) yesterday, holding that a nonprofit corporation providing certain cybersecurity services to candidates and political parties are not in-kind contributions.

Defending Digital Campaigns, Inc. (DDC) is a nonprofit corporation under Washington, D.C., law, exempt from federal income tax under § 501(c)(4). Its stated purpose is “to provide education and research for civic institutions on cybersecurity best practices and assist them in implementing technologies, processes, resources, and solutions for enhancing cybersecurity and resilience to hostile cyber acts targeting the domestic democratic process.” DDC’s request for an AO seeks the FEC’s guidance on whether the Federal Election Campaign Act, 52 U.S.C. §§ 30101-45 allows DDC to provide certain cybersecurity services, software, and hardware to candidates for federal office and political parties for free or at a reduced cost, or whether those actions would constitute in-kind contributions. Continue Reading FEC: Cybersecurity Services to Candidates, Political Parties Not In-Kind Contributions

This month marks 15 years of observing National Cyber Security Awareness Month (NSCAM) in October.

The program was started way back in 2004, by the U.S. Department of Homeland Security and the National Cyber Security Alliance to educate Americans about ways to stay safer and more secure online.

Technology has transformed most aspects of daily life since 2004, when:

  • Smartphones didn’t exist (Blackberry’s don’t count).
  • Thefacebook.com was born in a Cambridge dorm room.
  • Google launched a new product called “gmail” – and went public.
  • “Blog” was Merriam-Webster’s word of the year.
  • Twitter, YouTube et al. did not exist.
  • Netflix was a mail-order, DVD-rental business.
  • California was the only state that had enacted a data breach notification law.

Continue Reading Welcome to National Cybersecurity Awareness Month

Please join Ballard Spahr on October 4, 2018 in New York City for “Concordant Crossroads: Regulation and Innovation in the Automotive Industry,” presented by the Thomson Reuters Legal Executive Institute. Co-chaired by Ballard Spahr partners Neal Walters and Philip N. Yannella, this conference offers a practical and robust examination of the disruption that autonomous technology and regulation pose to transportation and the automotive industry. Continue Reading Join Us at Concordant Crossroads: Regulation and Innovation in the Automotive Industry

Ballard Spahr’s Privacy and Data Security Group will again be hosting its Colorado Cybersecurity Summit on September 18, 2018, at Ballard Spahr’s Denver office and via webinar.

Highlights will include a discussion with the Colorado Deputy Attorney General who will be responsible for enforcing Colorado’s groundbreaking new cybersecurity law, as well as the former Director of Legislative Affairs who ushered the law through the state legislature. The Summit will also feature panel discussions on the current state of GDPR, how the new California Consumer Privacy Act will affect businesses, and innovative ways to mitigate risk in a world with quickly changing technology.

The Summit is co-sponsored by IMA Financial Group, Kivu Consulting, Noosa Yogurt, and Colorado = Security.

CO CLE and IAPP CPE credits are pending. Uniform Certificates of Attendance will also be made available for the purpose of seeking CLE credit in other jurisdictions.

For more information and to register please click here.

 

One of the most bedeviling aspects of data privacy and security law concerns the concept of “reasonable” data security, which has become the default statutory and common law standard.  The FTC began articulating a reasonableness standard in the early aughts, when the Commission first began scrutinizing companies’ data security practices.  Companies for years quietly grumbled about the vagueness of this standard, which isn’t defined in any regulations or federal statutes. Critics obtained a recent victory when the Eleventh Circuit, in LabMD v. FTC, struck down an FTC judgment on grounds that the relief sought by the FTC against LabMD– implementation of reasonable data security practices — was too vague to be enforceable. Continue Reading What Does “Reasonable” Data Security Mean, Exactly?

The New York Department of Financial Services (“NYDFS”) has adopted a regulation that requires “consumer credit reporting agencies” (“CCRAs”) to register with the NYDFS, prohibits CCRAs from engaging in certain practices, and requires CCRAs to comply with certain provisions of the NYDFS cybersecurity regulation. Continue Reading NYDFS Requires Consumer Credit Reporting Agencies to Comply with Cybersecurity Regulation

Last week, the Office of the Comptroller of the Currency (“OCC”) published the Spring 2018 Semiannual Risk Perspective (the “Report”), which uses up-to-date data to identify risks to U.S. banks and measure their compliance with applicable laws and regulations.  The Report concluded that some of the OCC’s primary concerns are with the elevation in operational risk “as banks adapt business models, transform technology and operating processes, and respond to evolving cyber threats.”  The Report also focused on elevated compliance risk associated with bank efforts to “manage money-laundering risks in a complex environment.”

Many of the OCC’s observations and recommendations remained the same from its Fall 2017 report, leaving readers to wonder what will spur less conversation and potentially more action among OCC-supervised banks or concrete guidance by the OCC.  Regardless, a common thread running throughout both reports is the potential risk presented to financial institutions by emerging technologies, which carry the simultaneous blessing and curse of greater business opportunities, but also greater operational and compliance risks. Continue Reading OCC Semiannual Risk Perspective Highlights Cybersecurity, Fraud, Money Laundering Concerns

Colorado has enacted groundbreaking privacy and cybersecurity legislation that will require covered entities to implement and maintain reasonable security procedures, dispose of documents containing confidential information properly, ensure that confidential information is protected when transferred to third parties, and notify affected individuals of data breaches in the shortest time frame in the country. The new law was spearheaded by the Colorado Attorney General’s office, which is charged with enforcing its requirements. As a result of the legislation, covered entities should consider implementing written information security programs, third party vendor management controls, and incident response plans to best position themselves against potential enforcement actions and civil litigation in the future.

Ballard Spahr attorneys David Stauss and Gregory Szewczyk will host a webinar on Monday, June 4, 2018, at noon PT/1 p.m. MT/3 p.m. ET to provide an in-depth analysis of the new law and to discuss what covered entities must do to ensure compliance. Messrs. Stauss and Szewczyk are uniquely situated to discuss the new law, having assisted in developing the legislation, including Mr. Stauss testifying on the bill in front of the House Committee on State, Veterans, & Military Affairs. Click here for more information and to register.

The most notable provisions of the new law are discussed below.

Continue Reading Colorado Enacts Groundbreaking Privacy and Cybersecurity Legislation