Pending IoT Legislation Would Impose Significant Obligations on Manufacturers

With the House and Senate returning to Washington in September, two recently introduced Senate bills seek to address perceived vulnerabilities in the security of Internet of Things (IoT) devices sold to the federal government and of medical devices that regularly connect to the Internet.

Among the key takeaways in the legislation:

  • Legislation covers both products sold to the federal government and medical devices;
  • Legislation addresses “life of device” obligations of IoT device manufacturers;
  • Disclosure and Certification Requirements could create additional liability for manufacturers of Internet of Things devices.

White House Issues ATC Report and Seeks Comments on IT Implementation Plan

On August 30, the Trump administration unveiled an ambitious plan to upgrade the federal government’s cyberdefenses by shifting digital functions to the cloud and prioritizing security upgrades for the government’s most important systems. In this plan, which in many ways continues the cyber efforts of the Obama administration, the White House’s American Technology Council (ATC) justified this large-scale approach by pointing to what it characterized as the federal government’s longstanding less-than-adequate cyber efforts in the face of years of mounting digital threats.

The plan is grounded in the President’s May 2017 Executive Order (EO) 13,800, which tasked the Director of the ATC with coordinating the preparation of a report to the President from the Secretary of the Department of Homeland Security (DHS), the Director of the Office of Management and Budget (OMB), and the Administrator of the General Services Administration (GSA), in consultation with the Secretary of Commerce (Commerce), regarding the modernization of Federal Information Technology (IT). In accordance with EO 13,800, a draft IT Modernization report was submitted to the President last week.

Cybersecurity and Adware: The FTC’s Settlement with Lenovo

The FTC and 32 state attorneys general announced a settlement with Lenovo Inc., one of the largest computer manufacturers, resolving allegations that Lenovo harmed consumers by pre-loading software on some laptops that compromised security protections in order to deliver ads to consumers.

The FTC’s complaint alleged that in August 2014 Lenovo began selling consumer laptops that came with preinstalled ad-injecting software known as VisualDiscovery, which was developed by Superfish, Inc. This adware delivered pop-up ads of similar-looking products sold by Superfish’s retail partners whenever a consumer’s cursor hovered over the image of a product on a shopping website. To facilitate its injection of pop-up ads into encrypted https:// websites, VisualDiscovery installed a self-signed root certificate in the laptop’s operating system, which caused consumers’ browsers to automatically trust the VisualDiscovery-signed certificates. Digital certificates are part of the Transport Layer Security protocol and, when properly validated, serve as proof that consumers are communicating with the authentic https:// website and not an imposter.

Death, Taxes and Cybersecurity

If Ben Franklin were alive today, he would add cybersecurity to his famous quote “…in this world nothing can be said to be certain, except death and taxes.”  Cybersecurity is top of mind in every organization in part because of the recent massive ransomware attacks, new federal and state regulations (including the New York Division of Financial Services’ Cybersecurity Regulation) and the upcoming effective date of the European Union’s General Data Protection Regulation (GDPR).  There is no one-size-fits-all solution for organizations that want to shore up their cybersecurity vulnerabilities, but there are a lot of useful reports and advice from federal government agencies.

Delaware Amends Data Breach Notification Law

Delaware recently amended its data breach notification laws through House Bill 180, which now expands the definition of breach and personal information. It is now among 14 states to impose explicit data security obligations on businesses. While revisions to the law are in some ways more stringent, they are also more balanced by including a risk of harm requirement.

Under the amended law, which will go into effect on April 14, 2018, the definition of breach has been expanded to include not only unauthorized acquisition, but also disclosure of electronic or paper files, media, databases or other data. The law also broadens the scope of personal information to include user name or email address, in combination with a password or security question and answer, medical information, and unique biometric data.

DC Circuit Deepens Circuit Split on Data Breach Class Standing

***09/06/17 UPDATE***

On Wednesday, September 6, the DC Circuit Court of Appeals granted an unopposed motion to stay its decision that reversed a district court order dismissing a potential class action arising from a 2014 data breach, Chantal Attias et al. v. CareFirst Inc. et al., case number 16-7108. The order stays the mandate until December 7, 2017.

***ORIGINAL POST***

Last month, a three-judge panel on the United States Court of Appeals for the District of Columbia unanimously reversed a district court order dismissing a potential class action arising from a 2014 data breach, Chantal Attias et al. v. CareFirst Inc. et al., case number 16-7108. In reversing that order, the court permitted a health insurance company’s customers to proceed against that carrier, CareFirst, which serves one million customers in the District of Columbia, Maryland and Virginia.

©2024 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. Attorney Advertising.