On October 19, 2016, the Court of Justice of the European Union (CJEU) decided that the dynamic IP address of a website visitor is “personal data” under Directive 95/46EC (Data Protection Directive) in the hands of a website operator that has the means to compel an internet service provider to identify an individual based on the IP address.
October 2016
Hong Kong SFC Launches Review on Brokers’ Internet and Mobile Trading Systems
The Hong Kong Securities and Futures Commission (SFC) has launched a new cybersecurity review to assess the cybersecurity preparedness, compliance and resilience of brokers’ internet and mobile trading systems. This follows the increasing number of security incidents in which customers’ internet and mobile trading accounts were hacked, including 16 incidents involving seven securities brokers and unauthorized trades in excess of $100 million over the past 12 months.
Skimming Case Highlights Difference Between Having Standing and Stating a Cause of Action
The U.S. District Court for the Northern District of Illinois dismissed a putative class action against Barnes & Noble last week based on an incident in 2012 in which criminals tampered with payment card PIN pad terminals to steal customer payment card information from retail stores in nine states. The court’s decision highlights an important difference between the legal concepts of an “injury-in-fact” (which is necessary to support a finding of Article III standing so as to be able to maintain a case in federal court) and “damages” (which must be alleged to maintain many causes of action, such as for breach of contract). Although a plaintiff may have sufficiently alleged an “injury-in-fact” to enable a federal court to consider the case, those same allegations may be insufficient to allow the plaintiff to withstand a motion to dismiss.
FTC Enforcement Possible for Failing to Guard Against Ransomware
Recent comments by FTC Chairwoman Edith Ramirez suggest that a company’s failure to take preventative measures to address ransomware could result in an enforcement action by the FTC, even if a company is never actually subject to a ransomware attack. The Chairwoman’s comments reflect a growing concern among US government agencies regarding ransomware and may foreshadow additional FTC action, building upon a developing trend of US regulators engaging in pre-breach enforcement action.