N.Y. Attorney General Enforces Mobile App Security Initiative, Announces Settlements with Five Companies


In December 2018, the New York Attorney General’s Office announced settlements with five companies operating mobile apps, including Equifax and Western Union. The N.Y. Attorney General stated that the companies failed to keep sensitive information secure on their mobile apps and have agreed to implement improved security controls. The settlements came following a data privacy initiative by the Attorney General’s Office to proactively identify security vulnerabilities before consumer information is breached. As part of this effort, the Attorney General’s Office tested dozens of mobile apps that collect sensitive information.

Continue reading “N.Y. Attorney General Enforces Mobile App Security Initiative, Announces Settlements with Five Companies”

OMB Releases Report on Federal Cybersecurity Risk


This is the first post in a DBR on Data series on Executive Order 13800 and updates on its implementation a year after passage.

The White House Office of Management and Budget (OMB) released in May 2018 its report to the president on federal cybersecurity risk determination. The report, which responds to the President’s May 2017 Executive Order 13800, entitled “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” comes as several key reports also required by Executive Order 13800 have been recently released in full or in summary form. The Federal Cybersecurity Risk Determination Report and Action Plan concludes that the recent government-wide cybersecurity risk assessment conducted by the OMB, in collaboration with the Department of Homeland Security (DHS), confirms the need for the U.S. government to take “bold approaches” to improve federal cybersecurity.

Continue reading “OMB Releases Report on Federal Cybersecurity Risk”

Sedona Conference Working Group on Data Security and Privacy Liability Releases Draft Incident Response Guide


The Sedona Conference®, a nonprofit research and educational think tank dedicated to the advanced study of law, particularly in information governance, has released its Incident Response Guide , open for public comment through June 19, 2018.  Drafted by Working Group on Data Security and Privacy Liability (WG11), the guide is meant to serve as a practical resource for practitioners dealing with the legal, technical, and policy issues related to data-related incidents – from distributed denial-of-service to ransomware attacks.

Continue reading “Sedona Conference Working Group on Data Security and Privacy Liability Releases Draft Incident Response Guide”

FTC Announces Expanded Settlement with Uber


The FTC withdrew its August 2017 administrative complaint and proposed consent agreement with Uber Technologies, Inc. (Uber) and issued a revised complaint against Uber Technologies, Inc. Uber has accepted a revised proposed consent agreement which will be subject to public comment for 30 days.

Continue reading “FTC Announces Expanded Settlement with Uber”

Legislative Spotlight: Self-Driving Cars Part 1


The House of Representatives passed H.R. 3388, the “Safely Ensuring Lives Future Deployment and Research in Vehicle Evolution Act” or the “SELF DRIVE Act” last month. The bill would remove regulatory barriers to develop self-driving or autonomous cars by giving the National Highway Traffic Safety Administration (NHSTA) authority to establish federal safety, design, and performance standards for automated cars, excluding commercial vehicles, such as trucks and buses. States would still be responsible for the vehicle registration, driver’s licensing, insurance, and safety and emissions inspections. The bill would also allow states to impose stricter performance requirements than those set by NHTSA.

We have outlined the privacy and cybersecurity provisions of this bill, as well as the NHTSA’s voluntary security standards for self-driving cars.

Continue reading “Legislative Spotlight: Self-Driving Cars Part 1”

U.S. Government Restricts the Use of Kaspersky Cybersecurity Software


Earlier this month, the Department of Homeland Security (DHS) issued a binding order restricting the government’s use of cybersecurity software developed by Moscow-based Kaspersky Labs.

Government departments and agencies have 90 days to remove or discontinue use of any Kaspersky Labs software products—but the buck doesn’t stop there. Kaspersky boasts more than 400 million users and 270,000 corporate clients, meaning organizations that provide any services involving federal information systems would be wise to investigate whether they, either directly or indirectly, use Kaspersky products and services. Continue reading “U.S. Government Restricts the Use of Kaspersky Cybersecurity Software”