Written by David Barres
A federal district court in New Jersey has dismissed with prejudice a shareholder derivative suit, Palkon v. Holmes, No. 14-CV-01234 (SRC) (D.N.J.), that tried to blame the directors and officers at hospitality company Wyndham Worldwide Corporation (“Wyndham”) for a series of data breaches. The court’s decision is notable because it illustrates some of the steps that directors and officers can take to help shield themselves from liability in cybersecurity litigation.
Written by Joshua T. Foust
In past posts we’ve taken a close look at the Framework for Improving Critical Infrastructure Cybersecurity put forth by the National Institute of Standards and Technology (NIST), exploring its wide-ranging implications for companies across a number of different industries. As we’ve explained elsewhere, cybersecurity is an increasingly hot issue for agencies like the SEC, and the NIST Framework continues to shape how governmental and private actors alike tackle cybersecurity issues.
And this month, the beat goes on: last week, the FDA released its final cybersecurity guidance for medical device manufacturers incorporating the NIST Framework. While not yet mandatory, the FDA strongly recommends that manufacturers follow the guidance in explicitly addressing cybersecurity risks in premarket submissions for medical devices, particularly those that rely heavily on software, access patient data, and connect with electronic networks.
So what, exactly, are the highlights of the FDA’s guidance for medical device manufacturers? And what are the take-away lessons for companies in the industry, whether or not they’re in the process of seeking premarket approval for new devices?
Written by Kristina Eastham
This marks the second week of National Cyber Security Awareness Month, and one focused on the Secure Development of IT Products, so it seems only appropriate to discuss security and The Internet of Things and a recent panel discussion on privacy and IoT.
Last week, privacy and security professionals gathered at CyberTech’s CyberFest 2014 in San Diego, which included a panel on IoT: War on Privacy.
A new month, a new Privacy Monday.
JPMorgan Chase: Baiting the Hook for Phishers
Cybercrime researchers say that the 83 million customer records (76 million consumer and 7 million small business) swiped from JPMC could be the fuel for years of fraud. In its 10-K filing with the Securities and Exchange Commission, JPMC disclosed the nature and scope of the information. Pay attention to the fact that hackers penetrated one of the world’s largest banks and stole nothing of apparent value: they did not steal a single account number, Social Security number or password.
October is National Cyber Security Awareness Month. This is an opportunity to remind employees (and yourselves) about how to keep corporate networks and their own cyber lives secure. All month, we will post articles that might be useful for distribution as “reminders,” along with tips.
Written by Heidi Lawson, CPCU and Danny Harary
“Cyber liability insurance” is often used to describe a range of insurance policies, in the same way that the word cyber is used to describe a broad range of information-security-related tools, processes and services. Everyone is talking about the need for “stand-alone” cyber liability insurance policies. These stand-alone cyber liability insurance policies basically cover expenses related to the management of a breach, e.g., the investigation, remediation, notification and credit checking. However, cyber liability coverage is also found in some existing insurance policies, including kidnap and ransom and professional liability coverage. There may also be some limited coverage through a crime policy if electronic theft is added to that policy.
As we promised in our post on the Yelp and TinyCo Federal Trade Commission COPPA enforcement actions, the Mintz Privacy Team has prepared an extensive review and analysis of both actions, and a helpful guide to avoiding COPPA violations.
Client Advisory is available here.
Written by Ernie Cooper
In a ruling issued late last week, the Ninth Circuit held that a marketing consultant that hired a firm to send text messages for a third party could also be held vicariously liable for violations of the Telephone Consumer Protection Act (TCPA). The marketing consultant acknowledged that Federal Communications Commission orders have established that a telemarketer can be held liable under the TCPA for calls made by agents they have hired to make the calls, but argued that vicarious liability should not extend to a marketing consultant that serves a middle-man role. The Ninth Circuit disagreed, holding that it should apply “ordinary tort-related vicarious liability rules,” and saying that “[i]t makes little sense to hold the merchant vicariously liable for a campaign he entrusts to an advertising professional, unless that professional is equally accountable for any resulting TCPA violation.”
The Campbell-Ewald Company had been hired by the United States Navy to distribute text messages to targeted individuals as part of a multimedia recruiting campaign. The plaintiff alleged that one of the text messages had been sent to him despite the fact that he had not consented to receive the message and despite the Navy’s testimony that messages were intended to be sent only to persons who had consented to receive them. The TCPA prohibits use of autodialing equipment to send calls to wireless phones without the prior express consent of the called party. Both the FCC and the courts have held that text messages are the equivalent of calls for purposes of the TCPA.
The court also rejected Campbell-Ewald’s argument that it should be granted some form of immunity because the calls were made on behalf of the Navy.
The Ninth Circuit’s ruling overturns a summary judgment order issued by the district court in favor of Campbell-Ewald and remands the case to the district court for further proceedings.
Gomez v. Campbell-Ewald Co., No. 13-55486 (9th Cir. Sept. 19, 2014).
Happy autumnal equinox — http://www.skyandtelescope.com/astronomy-news/observing-news/autumnal-equinox-2014-arrives-09222014/
Home Depot Breach – By the Numbers
56 million cards at risk (compare to Target = 40 million)
$62 million in estimated costs (compare to Target = $146 million and counting)
$27 million insurance coverage (compare to Target = $100 million in cover)
Lawsuits filed – at least 1 in US and 1 in Canada
Filed 8-K with Securities and Exchange Commission on September 8 (Took Target 2 months to file)