Questions of Authority – who will be the federal regulatory cop on the privacy beat? FTC? FCC?
Privacy, Data Security Jurisdiction Questions to the Forefront in 2015
Written by Christopher Harvie
As privacy and data security gain more visibility among policy-makers, questions of federal agency authority and jurisdiction are also gaining a higher profile.
Since 2002, the Federal Trade Commission (FTC) has brought 50 enforcement actions under Section 5 of the Federal Trade Commission Act, which prohibits “unfair or deceptive acts or practices,” against companies alleged to have put consumers’ personal data at unreasonable risk. Earlier this year, in response to a court challenge brought by Wyndham Hotels, a Federal court in New Jersey upheld the FTC’s authority under Section 5 to bring enforcement actions to remedy unreasonable data security practices that lead to data breaches that cause consumer harm. The court ruled that Congress need not explicitly grant the FTC authority to bring Section 5 actions against companies that cause consumer harm through inadequate data security practices, and that the FTC does not need to adopt prior data security regulations detailing permissible and impermissible data security practices. Instead, the court determined that the FTC complaint against Wyndham adequately pleaded “substantial injury to consumers” caused by data breaches linked to Wyndham’s “failure to implement reasonable and appropriate security measures” – including the failure to require the use of complex passwords, to erect adequate firewalls preventing third parties and insecure devices from reaching enterprise servers, to use up-to-date operating systems that could receive security patches and upgrades, or to adequately inventory its computers so that compromised devices could be readily located. Because it was issued in response to a Wyndham motion to dismiss for lack of jurisdiction, the court’s decision is not a ruling on the merits of the FTC complaint. The jurisdictional issue is the subject of an interlocutory appeal to the 3rd Circuit, which remains pending while the parties engage in court-ordered mediation. Read our posts here and here for more information on the Wyndham case.
many more than six different hacks…….and headaches……
Written by Jonathan Ursprung
With the holiday season in full swing, many of us are struggling with that age-old question: “what do you get for the person who has everything?” Well, if that person happens to be your supreme leader, the answer may very well be “a massive download of electronic dirty laundry on their sworn enemy”.
In late November of this year, the disturbing outline began to form of a massive data breach at Sony Pictures. Early indications suggested that the perpetrators may have been acting on behalf of, or to curry favor with, Kim Jong-un of North Korea; Sony Pictures had been promoting its upcoming film “The Interview”, which features a fictional assassination plot targeting the head of state. While North Korea has since denied involvement, the possibility that state-sponsored hackers had carried out this attack was both credible and, ultimately, unsurprising.
sing it with me now….
Five Golden Rules…….(well, five new privacy laws/requirements)
There are five significant new privacy laws/amendments that will be effective as of New Year’s Day — January 1, 2015 — and four are from California. Pull up a chair, brew that cup of tea. It’s time to review and prepare.
gaps in my cyber liability coverage……………..
Written by Heidi Lawson and Danny Harary
What can companies and insurers expect in the new year when it comes to cyber liability insurance coverage? While we wait for some court decisions interpreting these new stand-alone cyber liability insurance policies that are being heavily pushed in the market, there are some steps a company can take now to make sure the scope of their insurance coverage is consistent with their expectations.
With many insurers now entering the market looking to make a profit on this new coverage, the question is: how broad is this new coverage – really?
…….Shareholder Proposals on Cybersecurity and Privacy: Another Country Heard From
Written by Megan Gates
As the holiday season slips into the rear view mirror, another season looms large for public companies — proxy season. Adding to the ever-growing chorus of demands for increased transparency by public companies on cybersecurity and privacy matters, institutional shareholders have recently begun to contribute their own distinctive voices to the discussion. One powerful tool being deployed in this regard by institutional shareholders is the ability to require public companies to include certain shareholder proposals in proxy statements for shareholder meetings. This right allows public company shareholders who jump through the procedural and substantive hoops created by Rule 14a-8 under the Securities Exchange Act of 1934, as amended, to air their concerns publicly and directly through the company’s own proxy statement, and to require that a vote be taken at the meeting on their proposals, alongside the company’s own proposals.
. . . still more privacy litigation. In 2015, we are likely to see further development of the law in data breach class actions, continuing growth in statutory privacy claims, and increased risk of privacy-related claims arising from burgeoning merger and acquisition activity.
Written by Kevin McGinty and Meredith Leary
“Trying to predict the future is a mug’s game.” Douglas Adams, The Salmon of Doubt: Hitchhiking the Galaxy One Last Time.
For the Second Day of Privacy, we boldly go where no self-respecting trial lawyer ever wants to go – to the future. Litigators are renowned – if not reviled – for wielding 20-20 hindsight with the unerring precision of a Monday morning quarterback. But ask a litigator what might happen six months or a year from now, and the reply will invariably be a rock solid, “It depends.” We are comforted, however, by the wisdom of Oliver Wendell Holmes, Jr., who sagely observed that “[e]very year if not every day we have to wager our salvation upon some prophecy based upon imperfect knowledge.” Abrams v. United States, 250 U.S. 616, 630 (1919) (Holmes, J., dissenting). No matter how uncertain events might be, some foresight can never go amiss in planning for the future, even in the realm of litigation. And we can predict with 100% certainty that there will be privacy litigation in 2015. Whether arising from data breaches, statutory violations, or breaches of representations and warranties in transactional documents, privacy-related claims are likely to be the source of a substantial amount of litigation in 2015.
Significant data breach litigation will continue into 2015
Welcome to our series, “The 12 Days of Privacy” as we look to “gifts” that may be received this season and some of the big issues ahead ….
Written by Susan Foster
(LONDON) Does Santa Claus have to comply with EU Data Protection laws?
If your company doesn’t have an office in the EU, but collects or receives personal data from the EU in the course of running its business, it can be a bit tricky to determine whether or not EU Data Protection laws apply to you. The new Data Protection Regulation, expected sometime in 2015, may make this easier to work out. However, the Regulation is not likely to stray far from the current approach.
Let’s take Santa Claus. Santa is the president of a long-established business (The Workshop) with a global reputation and particularly strong markets in North America, South America and Europe. Right now, his business (unincorporated, although the elves are lobbying to convert it to a collective) has a single manufacturing and distribution center located in the North Pole. However, the company’s CEO (Chief Elf Officer) wants to establish distribution depots in Chicago, Buenos Aires, London and Naples to make that critical peak period (100% of orders delivered within 24 hours each year) easier to manage with less stress on the reindeer.
Santa has been wondering whether all of those wish lists from the little boys and girls in Europe (all signed very politely, with their full names and addresses to make sure their gifts aren’t tragically mis-delivered) need to be treated in accordance with EU Data Protection laws. Santa (who had never hired a GC) decided to look into this question under the current Data Protection Directive.
Our series last year was a reader favorite, so we decided to put our prognosticator hats on again and present:
Rather than look back at 2014, starting tomorrow, the Privacy & Security blog will count down The 12 Days of Privacy, looking ahead to what we might expect in 2015 and what we might be talking about in the year to come.
Don’t miss a day starting tomorrow!
Day One – 12/9 – Does Santa Claus Have to Comply with EU Data Protection Laws: 2015 Compliance Considerations for Non-EU Companies
Day Two – 12/10 – Through the Looking Glass: Privacy Litigation
Day Three – 12/11 – What the 2015 Proxy Season Might Bring……
Day Four – 12/12 – Cyberliability Policies: What to Expect in 2015
Day Five – 12/15 – California Dreaming … New Legislation Effective January 1
Day Six – 12/16 – Hacks and the State Actor: What Sony Portends…
Day Seven – 12/17 – Questions of Authority: Who is “the cop” on the Privacy and Data Security Beat?
Day Eight – 12/18 – Health Data Sharing – How much is too much?
Day Nine – 12/19 – OCR Corrective Action Planning in 2015: The Gift That Keeps on Giving
Day Ten – 12/22 – Wearables: What will that new gadget be spilling about you?
Day Eleven – 12/23 – ISO and the Courts: How Your Coverage is Likely to Narrow in 2015 (and why….)
Day Twelve – 12/24 – On the Twelfth Day…..
Join us each day as we celebrate the 12 Days of Privacy, v.2014!
Written by Kevin McGinty
Federal District Judge Paul Magnuson has ruled that banks that issued credit and debit cards to customers whose data was stolen in the December 2013 Target data breach could continue to litigate claims against Target for negligence and violation of Minnesota’s Plastic Card Security Act (“MPCSA”), Minn. Stat. § 325E.64. The claims of the issuer banks originated in multiple lawsuits that were among the 71 separate actions filed nationwide that the federal Judicial Panel on Multidistrict Litigation consolidated for pretrial proceedings in the District of Minnesota. The December 2 ruling is significant both for its conclusion that Target owed a duty of care to issuer banks with respect to data security and for its rejection of Target’s argument that the MPCSA should not apply to all Target transactions nationwide, but instead should be limited to transactions that occurred in Minnesota stores. The decision does not, however, eliminate challenges that the issuer banks are likely to face both with respect to proving their allegations and obtaining certification of a plaintiff class.
Welcome to December – we hope you had a restful and enjoyable Thanksgiving holiday.
Here are a few privacy bits and bytes to start your week.
1. ICYMI – 60 Minutes Explains Credit Card Hacking
In preparation for Cyber Monday, 60 Minutes presented a well-researched and interesting story on credit card hacking. For privacy and security professionals, it may be old news, but as a consciousness-raising and mainstream piece of reporting, it is first-rate. Some points:
- From the time of intrusion into a system, the average time to detection of the bad guys is a “whopping 229 days.”
- 80 percent of breaches involve stolen or weak passwords. The most common — “123456” (Hey, it meets the minimum requirements of 6 characters!)
- “Detect it sooner. Respond sooner.”
See the entire script and video here (or play it for your favorite CEO….).
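The “123456” point above is worth making concrete for anyone who sets password policy: a rule that only counts characters accepts the single most-breached password on record. The example below is added here and is not from the 60 Minutes segment or from the original post. It contrasts a length-only check with a policy that also rejects known-common passwords, trivial sequences, and common passwords dressed up with trailing digits or symbols. The common-password set is a constructed sample, not a real breach corpus; in production you would check against a full list such as the Pwned Passwords corpus, and the function and constant names are assumptions for illustration.

```python
"""
Added example (not part of the original post): a length-only password rule
versus a policy that also screens for common and trivially patterned
passwords. The COMMON_PASSWORDS set is a constructed, hypothetical sample.
"""
from typing import Dict, Iterable, Optional

# The "minimum of 6 characters" rule referred to in the 60 Minutes segment.
LEGACY_MIN_LENGTH = 6

# Constructed sample of frequently breached passwords (hypothetical subset;
# a real deployment would use a full corpus such as Pwned Passwords).
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "123456789",
    "12345", "1234", "111111", "1234567", "dragon", "letmein",
}

# Characters people tack on to the end of a dictionary word to satisfy
# "must contain a digit or symbol" rules.
TRAILING_FILLER = "0123456789!@#$%^&*."


def length_only_policy(pw: str) -> bool:
    """The weak rule: six or more characters and nothing else is checked."""
    return len(pw) >= LEGACY_MIN_LENGTH


def _is_trivial_sequence(pw: str) -> bool:
    """True for runs such as '123456', 'abcdef', 'fedcba' or 'aaaaaa'.

    Every step between adjacent characters is +1, every step is -1, or
    every step is 0 (the same character repeated).
    """
    if len(pw) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1}, {0})


def check_password(pw: str, min_length: int = 12) -> Optional[str]:
    """Return None if the password is acceptable, else the rejection reason.

    Checks run cheapest first; the final check strips trailing digits and
    symbols so that 'Password1!' is recognised as 'password'.
    """
    if len(pw) < min_length:
        return f"shorter than {min_length} characters"
    if pw.lower() in COMMON_PASSWORDS:
        return "appears on the common-password list"
    if _is_trivial_sequence(pw):
        return "is a keyboard/alphabet/numeric sequence"
    core = pw.rstrip(TRAILING_FILLER)
    if core.lower() in COMMON_PASSWORDS:
        return "is a common password with trailing digits or symbols"
    return None


def audit(passwords: Iterable[str], min_length: int = 12) -> Dict[str, Optional[str]]:
    """Run check_password over a batch; useful for auditing an existing user base."""
    return {pw: check_password(pw, min_length) for pw in passwords}


if __name__ == "__main__":
    # Constructed sample inputs.
    samples = ["123456", "Password1!", "abcdefghijkl", "correct horse battery staple"]
    print("length-only policy accepts '123456':", length_only_policy("123456"))
    for pw, reason in audit(samples, min_length=6).items():
        print(f"{pw!r}: {'OK' if reason is None else reason}")
```

Note that `check_password` defaults to a 12-character minimum; the `min_length=6` calls in the usage block reproduce the legacy rule so the comparison is visible. Even at six characters the stronger policy rejects “123456”, while `length_only_policy` accepts it.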
2. Sony Pictures Entertainment Hit by Possible Retribution Attack
It has been reported that Sony Pictures Entertainment has retained Mandiant, a forensics security firm, to investigate and remediate a cyber attack that knocked out the studio’s network a week ago. The FBI is also reportedly involved in the investigation into the possibility that hackers working on behalf of North Korea may be behind the attack. The timing coincides with the upcoming release of Sony’s “The Interview,” depicting a CIA plot to assassinate North Korean leader Kim Jong-Un. North Korea’s state-owned outlets have threatened “merciless retaliation” against the U.S. and other nations if the film is released.
The hack also apparently leaked five unreleased Sony films to file-sharing sites. The studio has confirmed that it is working with law enforcement to track down the leaks.
Read more here
3. The Microsoft Storm – The View from Ireland
Back in August, we wrote about Microsoft’s court battle over production of email data held in its Irish data center. That battle continues on appeal from a New York court’s refusal to grant Microsoft’s request to quash the U.S. government’s warrant seeking that particular data. Karlin Lillington, the technology columnist for the Irish Times, writes about the view of this battle from the data’s country of residence — and its potential to influence the future of cloud computing. Worth a read here
4. Hey GC, When’s the Last Time You Spoke with Your CTO or CISO?
One would expect that corporate Chief Information Officers (CIO), Chief Information Security Officers (CISO) and General Counsels/Chief Legal Officers have a lot to talk about these days including data privacy, breach response, network security assessments, e-discovery, BYOD policies and cloud computing security risks. However, a recent Gartner survey of CLOs found that over half of them have conversations with the CIOs no more than once a month.
Take some time to view a free webinar discussing how CIO/CISOs and CLOs can (and should) collaborate to overcome the obstacles to effective cyber risk management including:
- Risk mitigation options
- Planning for the best, expecting the worst