The U.S. Consumer Product Safety Commission (CPSC) recently announced that it will hold a hearing on May 16, 2018, to receive information on potential hazards with Internet of Things (IoT) products.

In its public notice, the CPSC explained that the “purpose of the public hearing . . . is to provide interested stakeholders a venue to discuss potential safety hazards created by a consumer product’s connection to IoT or other network-connected devices; the types of hazards (e.g., electrical, thermal, mechanical, chemical) related to the intended, unintended, or foreseeable misuse of consumer products because of an IoT connection; current standards development; industry best practices; and the proper role of the CPSC in addressing potential safety hazards with IoT-related products.” The notice also clarifies that the hearing “will not address personal data security or privacy implications of IoT devices.”

So why does this matter? 

Continue Reading  Data Security Litigation: CPSC to Hold Hearing on The Internet of Things and Consumer Product Hazards

The virtual world offers opportunities and obligations not found in nature.

For a couple of years, my wife has followed the adventures of a bonded eagle couple, Liberty and Freedom, residing in the hills near Hanover, Pennsylvania. A strategically positioned webcam offers a round-the-clock view of nesting activities. Last year the pair hatched two eggs and cared for the eaglets until they fledged.

This year, it appears as if calamity struck. Liberty has disappeared, and a new female, Lucy, has taken her place in the nest, destroying one of the eggs. Although the other egg remains in the nest, it is widely believed that the disturbance has rendered it unviable and that it will not hatch. It is possible that Lucy fought with the older Liberty and killed her.  The body has not been found.  It is also possible that Freedom and Lucy will now bond, but most viewers do not expect them to produce eggs this year.

In the virtual world, health care providers, health plans, health care clearinghouses, and their business associates have a responsibility to protect the treasured asset of individually identifiable information from predators and other dangers. But unlike eggs, which cannot be recovered if stolen or damaged, data is retrievable.
Continue Reading  Springtime for HIPAA

South Dakota (site of Ballard’s newest office) has become the 49th State to enact a data breach notification law.  South Dakota Governor Dennis Daugaard signed SB 62 into law on March 21, 2018.  The law will take effect on July 1, 2018.

As with similar measures pending in other state legislatures, SB 62 was introduced in the South Dakota Senate on January 9, 2018, in the wake of the disclosures relating to the Equifax breaches. The law generally mirrors those of many other states, but includes a few new wrinkles.
Continue Reading  South Dakota Enacts Data Breach Notification Law

On February 21, 2018, the U.S. Securities and Exchange Commission approved the release of Interpretive Guidance relating to public company disclosures of cybersecurity risks and incidents. This guidance replaces staff guidance from the Division of Corporate Finance issued way back in October 2011 – on the same day that iPhone 4 was released.

Although the Commission voted unanimously to release it, some Commissioners do not view the new guidance as going much beyond the 2011 staff guidance. In fact, Commissioner Kara Stein wondered whether the new guidance would cause public companies to step up their cybersecurity disclosures – or “will law firms simply produce a host of client alerts reaffirming their alerts from years past.” We sense a challenge.
Continue Reading  SEC Releases Guidance on Public Company Cybersecurity Disclosures

The Commodity Futures Trading Commission (CFTC) has made another foray into data security, announcing today an order settling charges against AMP Global Clearing LLC (AMP) stemming from AMP’s failure to supervise the implementation of its information systems security program. Between June 21, 2016 and April 17, 2017, AMP stored thousands of customer records  in an improperly protected internal network. This fact was discovered after an unknown third-party, with no affiliation to AMP, accessed AMP’s network and copied 97,000 files containing personally identifiable information. The third party then contacted federal authorities, and later AMP.  Although AMP cooperated with the CFTC and worked to fix the issue, the CFTC later brought charges against the company for failing to supervise the implementation of critical provisions of AMP’s information systems security program.
Continue Reading  CFTC Settles Charges Against AMP Global Clearing for Failing to Supervise Implementation of its Security Program

Lyft recently confirmed that it is investigating whether its employees were accessing its customer database without appropriate authorization to obtain personal information, including rides taken by Facebook CEO Mark Zuckerberg. The investigation was announced less than six months after Uber entered into a Federal Trade Commission (FTC) consent order to resolve allegations of similar behavior by its own employees.

The investigation demonstrates the importance of revisiting internal compliance measures in the wake of legal developments that may be relevant to a particular company or industry. Companies need to maintain comprehensive privacy programs to ensure the confidentiality of the personal information that they collect.  Such programs should include, at a minimum:
Continue Reading  Lyft Employees Demonstrate Need for Privacy Compliance Management

In the second part of a podcast series on autonomous driving vehicles, Philip N. Yannella, Co-Practice Leader of Ballard Spahr’s Privacy and Data Security Group, speaks to Joe Raczynski, a legal technologist and futurist for Thomson Reuters Legal, about the security and regulatory issues affecting driverless vehicles.
Continue Reading  Check Out Our Podcast on Autonomous Driving Vehicles

Federal contractors may soon be required to meet heightened requirements for information security under two new proposed rules issued by the General Services Administration (GSA). The first proposed rule, GSAR Case 2016-G511 “Information and Information Systems Security,” will require that federal contractors “protect the confidentiality, integrity and availability of unclassified GSA information and information systems from cybersecurity vulnerabilities and threats in accordance with the Federal Information Security Modernization Act of 2014 and associated Federal cybersecurity requirements.”  This proposed rule builds on new cybersecurity requirements mandated by the Department of Defense for federal contractors, DFARS Section 252.204-7012 which recently became effective.
Continue Reading  Proposed GSA Rules Will Require Federal Contractors to Meet New Cybersecurity Standards

Add South Dakota (site of Ballard’s newest office) and North Carolina to the list of states considering new data security legislation. South Dakota is poised to become the 49th state to enact a data breach notification law, while North Carolina is considering a very significant expansion of its existing law.

Will South Dakota Become No. 49?

The South Dakota Senate passed SB 62 on January 25, 2018. The bill, which now heads to the South Dakota House of Representatives, generally would require an “information holder” to notify South Dakota residents of any “breach of system security” involving their “personal or protected information.” Subject to certain exceptions, notification to South Dakota residents must be made “not later than sixty days from the discovery or notification of the breach of system security.” The South Dakota Attorney General and “all consumer reporting agencies as defined in 15 U.S.C. § 1681a” also must be notified of breaches involving more than 250 South Dakota residents. Notification to South Dakota residents is not required “if following appropriate investigation and notice to the attorney general, the information holder reasonably determines that the breach will not likely result in harm to the affected person.”
Continue Reading  South Dakota and North Carolina Consider New Data Security Legislation

With the New Year comes new data breach compliance obligations! Two Mid-Atlantic states have cybersecurity related compliance statutes that have – or will soon – take effect. Are you ready?

New Year’s Day ushered into effect the amended Maryland Personal Information Protection Act, which expands the definition of “personal information,” creates a 45-day deadline for providing notice of a breach, allows for substitute service when the breach enables an individual’s e-mail to be accessed, and increases the class of information subject to Maryland’s destruction of records laws. To the customary litany of data elements comprising “personal information,” Maryland has added personal health and health insurance information, biometric data, online account credentials and passport/government ID numbers. The amended data destruction provision now applies to customer and employee/former employee records containing personal information. See our prior alert detailing the amendments here.
Continue Reading  New 2018 Data Breach Compliance Obligations Begin Going into Effect