The SEC announced enforcement actions against three sets of advisers for alleged failures in cybersecurity policies that violate the Safeguards Rule.
Pennsylvania Supreme Court holds common law duty for employers extends to protecting sensitive employee information
On November 21, 2018, the Pennsylvania Supreme Court broke new ground by holding that employers have a legal duty to take reasonable care to safeguard their employees’ sensitive personal information from cyberattacks.
California Consumer Privacy Act: GDPR-like definition of personal information
This is the Data Protection Report’s third blog post in a series that breaks down the major elements of the CCPA, culminating in a webinar on the CCPA in October. This post focuses on the CCPA’s broad definition of Personal Information. Stay tuned for additional posts and information about our upcoming webinar on the CCPA.
The California Consumer Privacy Act (“CCPA” or the “Act”) sets a new precedent with its sweeping definition of Personal Information (“PI”). The CCPA defines “[p]ersonal information” as any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
FTC Enforcement Possible for Failing to Guard Against Ransomware
Recent comments by FTC Chairwoman Edith Ramirez suggest that a company’s failure to take preventative measures to address ransomware could result in an enforcement action by the FTC, even if a company is never actually subject to a ransomware attack. The Chairwoman’s comments reflect a growing concern among US government agencies regarding ransomware and may foreshadow additional FTC action, building upon a developing trend of US regulators engaging in pre-breach enforcement action.
NIS Directive Published: EU Member States Have Just Under Two Years to Implement
The Directive on Security of Network and Information Systems (known as the NIS Directive) was published in the Official Journal of the European Union on July 19, 2016. Member States will have until May 9, 2018 to implement this Directive into national laws and a further six months to identify “operators of essential services.”
Summary of the NIS Directive
The NIS Directive is the first comprehensive piece of EU legislation relating to the 2013 EU Cybersecurity Strategy. Its objective is to achieve a high common level of security of network and information systems across the EU through improved cybersecurity capabilities at a national level and increased EU-level cooperation. It also requires “operators of essential services” and “digital service providers” to take appropriate steps to manage security risk and to report security incidents to the national competent authorities. Below, we highlight key provisions of the NIS Directive.
FTC Orders PCI DSS Compliance Reports
The Federal Trade Commission (FTC) has ordered nine companies to file Special Reports detailing how they assess their clients’ compliance with Payment Card Industry Data Security Standards (PCI DSS). Payment card issuing companies require businesses that process over one million card transactions per year to undergo PCI DSS compliance assessments, or audits, performed by PCI Qualified Security Assessors (QSAs), to ensure that the businesses comply with PCI DSS and are adequately protecting their customers’ sensitive personal information. The Order includes a laundry list of requests related to the targeted companies’ PCI DSS assessment process, from the bidding for and staffing of compliance assessments, to the number and percentage of clients that are ultimately determined to be PCI DSS compliant or non-compliant.
Council and European Parliament reach agreement on NIS Directive
On December 7, 2015, the Council of the European Union (the Council) reached an informal agreement with the European Parliament on a new EU directive on network and information security (NISD).
The agreement marks the conclusion of two years of work, since the European Commission (the Commission) and the High Representative of the European Union for Foreign Affairs and Security Policy published a strategy for ‘An Open, Safe and Secure Cyberspace’ and proposed a directive in 2013. Once adopted, likely in early 2016, EU Member States will have 21 months to adopt the necessary national provisions to comply with the NISD.
The Security, Privacy and Legal Implications of the Internet of Things (“IoT”) Part one – The Context and Use of IoT
Disrupted, yet again. The world is fast preparing for the invasion of objects connected to the Internet, otherwise known as the Internet of Things (“IoT”).
IoT is here, and it will revolutionize how both individuals and corporations interact with the world. In this multi-part series we will explore this quickly evolving revolution and the privacy and security legal issues and risks that corporations will have to address in order to leverage IoT and move the world into a new reality. Part One of this series provides background and context surrounding IoT and highlights the legal issues organizations seeking to leverage IoT will face. Subsequent parts will dive much deeper into IoT.
To start, consider the following portrayal of a day in the life of IoT:
By the time Lazlo Hollyfeld’s smartwatch detected the proper biorhythms to roust him out of sleep, his coffee was brewing and his curtains were drawn back. “It is cold this morning, Mr. Hollyfeld, but no rain today in the forecast,” stated his computer assistant over the Bluetooth speaker by his bed. Lazlo haphazardly waved his watch at the T.V., which automatically began streaming his morning news program. He fumbled for the slippers by the bed, and reached for his morning smart pills, which were remotely dosed according to a physician’s review of Lazlo’s wearable health monitoring devices. Health readings taken by the pills after ingestion would later be sent to Lazlo’s physicians.
As he arose, motion detectors relayed to his home automation system to bring the lights up to 30%. Stumbling into the bathroom, both the lights and his television stream followed him. The shower was running at a comfortable temperature and Lazlo’s favorite album started to play on the shower stereo as he walked in.
Running late, Lazlo quickly dressed and dashed downstairs to grab his coffee. Tracking his motion and triangulating the Bluetooth signal from his watch, the home automation system brought up Lazlo’s schedule and to-do list on the refrigerator screen, shut down the heating system in the house, turned off the lights in the living quarters, and signaled to his car to start the engine and turn on the seat warmers. Lazlo scanned his email on the fridge screen, and swiped a few emails to the car icon. As he ran to the garage, he grabbed the last of the orange juice in the fridge, triggering a reorder to be delivered by drone later that evening. By the time he pulled out of the driveway, his television stream was already playing in the car. Meanwhile, his home automation system locked the doors, set the alarm system, and turned on the sprinklers.
Lazlo entered the highway, where his watch, reading his skin surface temperature, signaled the car to remove power from the seat warmers. As he comfortably locked in cruise control, his car began reading the emails he had swiped to the car icon on the fridge. Lazlo took his hands off the controls because his car was communicating with the other vehicles on the highway to maintain the proper speed and lane position. Lazlo dimmed the car windows and settled into his traffic-free, relaxing morning commute.
Does this sound like the distant future to you? Think again. Much of the technology discussed in this article already exists in the marketplace (or soon will). For businesses, IoT will present enormous competitive advantages and financial opportunities, and will also pose challenging legal, security and privacy risks. To fully enable IoT, organizations will have to consider privacy and security legal issues at the outset, and design IoT technologies and devices in a way that addresses these issues and limits risk to both users and companies. Let’s begin exploring.
NAIC adopts cybersecurity guidance for insurance regulators and the insurance industry
The National Association of Insurance Commissioners (“NAIC”), a standards-setting organization comprised of insurance regulators from across all U.S. jurisdictions, has recently adopted twelve Principles for Effective Cybersecurity Insurance Regulatory Guidance (the “Principles”). The Principles arrive in the wake of the prominent Anthem data breach, highlighting the importance of protecting sensitive personal data in the insurance sector. Addressing this challenge, the NAIC established the Principles to provide state insurance regulators and industry participants with guidance regarding the protection of sensitive personal, financial, and healthcare data. The Principles broadly lay out the practices, guidelines, and measures that both regulators and the industry should take to protect personal information.
Cybersecurity Efforts Turn Focus to Financial Institutions, Technology Service Providers and “Cyber Resilience”
Financial institutions around the country recently received cybersecurity guidance in the form of a new appendix to the Federal Financial Institutions Examination Council’s (“FFIEC’s”) Business Continuity Planning Booklet, which is part of its Information Technology Examination Handbook. In the guidance, the FFIEC places the onus on financial institutions, their boards of directors, and senior management to manage the cybersecurity risks, recovery services, testing programs, and “cyber resilience” associated with outsourced or third-party technology services. The guidance came just a week before another important event for financial and other institutions: the White House Summit on Cybersecurity and Consumer Protection that was held at Stanford University on Friday, February 13, 2015, and that featured, as attendees and speakers, government and industry leaders, including those from financial institutions.
The FFIEC is the federal interagency body tasked with setting forth uniform principles, standards, and forms for examining and supervising financial institutions. In that capacity, the FFIEC provides guidance on “business continuity planning,” that is, how financial institutions will recover and resume their businesses after an unexpected disruption, which, in today’s world, necessarily includes cyber breaches and attacks.
Here is our take on the FFIEC’s recent round of updates: