On Friday, February 7, 2020, the California Attorney General’s (AG) Office released modified regulations to the California Consumer Privacy Act (CCPA). The modified regulations incorporate amendments to the CCPA signed into law after the AG’s Office promulgated regulations in October 2019. The modified regulations also reflect public comments made during the initial comment period, which
Just two days after the Federal Trade Commission (“FTC”) announced a historic settlement of privacy and security claims against Equifax, the FTC today announced that Facebook has agreed to pay $5 billion in civil fines, arising from its violation of a 2012 consent order with the FTC. According to the FTC, this is the largest fine ever levied by a U.S. regulatory agency against a company for a privacy or data security violation by a factor of 20—and one of the largest penalties ever assessed by the U.S. government.
On November 13, 2018, Ballard Spahr lawyers presented a webinar on the SEC’s recent “Report of Investigation” into “business email compromises” affecting public companies.
As noted in our prior blog post, the Report was prompted by the SEC’s investigation into whether nine public companies violated U.S. securities laws “by failing to have sufficient accounting controls” to prevent approximately $100 million in losses as a result of business email compromises targeting their personnel. The SEC investigated whether these companies violated Sections 13(b)(2)(B)(i) and (iii) of the Securities and Exchange Act of 1934. Although declining to pursue enforcement actions against the companies, the SEC emphasized its recent cybersecurity guidance, advising public companies that “[c]ybersecurity risk management policies and procedures are key elements of enterprise-wide risk management, including as it relates to compliance with federal securities laws.” (See our prior alert and blog post regarding the Interpretive Guidance).…
The U.S. Securities and Exchange Commission (SEC) has joined the government chorus in sounding the alarm about the rapid rise in “business email compromises” that are victimizing organizations across industry sectors.
On October 16, 2018, the SEC released a “Report of Investigation” calling for public companies to reassess their internal accounting controls “in light of emerging risks, including risks arising from cyber-related frauds.” In particular, the report focuses on certain types of “business email compromises” (BEC), in which a bad actor uses spoofed or compromised email accounts to trick an organization’s personnel into effectuating wire transfers to financial accounts controlled by fraudsters.…
One of the most bedeviling aspects of data privacy and security law concerns the concept of “reasonable” data security, which has become the default statutory and common law standard. The FTC began articulating a reasonableness standard in the early aughts, when the Commission first began scrutinizing companies’ data security practices. Companies for years quietly grumbled about the vagueness of this standard, which isn’t defined in any regulations or federal statutes. Critics obtained a recent victory when the Eleventh Circuit, in LabMD v. FTC, struck down an FTC judgment on grounds that the relief sought by the FTC against LabMD– implementation of reasonable data security practices — was too vague to be enforceable.…
The New York Department of Financial Services (“NYDFS”) has adopted a regulation that requires “consumer credit reporting agencies” (“CCRAs”) to register with the NYDFS, prohibits CCRAs from engaging in certain practices, and requires CCRAs to comply with certain provisions of the NYDFS cybersecurity regulation.…
South Carolina has become the first state to enact a version of the Insurance Data Security Model Law, which was drafted by the National Association of Insurance Commissioners (NAIC) in 2017. Governor Henry McMaster signed the South Carolina Insurance Data Security Act into law on May 14, 2018. The Act will become effective on January 1, 2019.
South Carolina Insurance Director Raymond G. Farmer chaired the NAIC Cybersecurity Working Group that drafted the model law. The South Carolina Act appears to follow the Model Law closely, and bears similarities to cybersecurity laws and regulations enacted in other states and at the federal level – including the New York Department of Financial Services cybersecurity regulations, the new Alabama data breach law, and HIPAA/HITECH data security/breach notification requirements.…
The fallout from the Yahoo data breaches continues to illustrate how cyberattacks thrust companies into the competing roles of crime victim, regulatory enforcement target and civil litigant.
Yahoo, which is now known as Altaba, recently became the first public company to be fined ($35 million) by the Securities and Exchange Commission for filing statements that failed to disclose known data breaches. This is on top of the $80 million federal securities class action settlement that Yahoo reached in March 2018—the first of its kind based on a cyberattack. Shareholder derivative actions remain pending in state courts, and consumer data breach class actions have survived initial motions to dismiss and remain consolidated in California for pre-trial proceedings. At the other end of the spectrum, a federal judge has balked at the U.S. Department of Justice’s (DOJ) request that a hacker-for-hire indicted in the Yahoo attacks be sentenced to eight years in prison for a digital crime spree that dates back to 2010.…
The U.S. Consumer Product Safety Commission (CPSC) recently announced that it will hold a hearing on May 16, 2018, to receive information on potential hazards with Internet of Things (IoT) products.
In its public notice, the CPSC explained that the “purpose of the public hearing . . . is to provide interested stakeholders a venue to discuss potential safety hazards created by a consumer product’s connection to IoT or other network-connected devices; the types of hazards (e.g., electrical, thermal, mechanical, chemical) related to the intended, unintended, or foreseeable misuse of consumer products because of an IoT connection; current standards development; industry best practices; and the proper role of the CPSC in addressing potential safety hazards with IoT-related products.” The notice also clarifies that the hearing “will not address personal data security or privacy implications of IoT devices.”
So why does this matter?
The virtual world offers opportunities and obligations not found in nature.
For a couple of years, my wife has followed the adventures of a bonded eagle couple, Liberty and Freedom, residing in the hills near Hanover, Pennsylvania. A strategically positioned webcam offers a round-the-clock view of nesting activities. Last year the pair hatched two eggs and cared for the eaglets until they fledged.
This year, it appears as if calamity struck. Liberty has disappeared, and a new female, Lucy, has taken her place in the nest, destroying one of the eggs. Although the other egg remains in the nest, it is widely believed that the disturbance has rendered it unviable and that it will not hatch. It is possible that Lucy fought with the older Liberty and killed her. The body has not been found. It is also possible that Freedom and Lucy will now bond, but most viewers do not expect them to produce eggs this year.
In the virtual world, health care providers, health plans, health care clearinghouses, and their business associates have a responsibility to protect the treasured asset of individually identifiable information from predators and other dangers. But unlike eggs, which cannot be recovered if stolen or damaged, data is retrievable.…