“Do What You Say and Say What You Do” — The FTC’s Settlement with Uber

  • Settlement reaffirms the importance of companies delivering on the privacy and security promises made to consumers.
  • Settlement is yet another reminder of one of the most important components of good data security – controlling access to sensitive information.

The Federal Trade Commission (“FTC”) announced, subject to final approval after a 30-day comment period, a consent order with Uber Technologies (“Uber”) settling allegations that Uber misrepresented the extent to which it monitored its employees’ access to personal information about users and drivers and that it took reasonable steps to secure such information. The consent agreement does not contain monetary penalties, but does prohibit Uber from misrepresenting its privacy and security practices and requires that Uber establish a comprehensive privacy program that includes an independent third-party audit every two years for the next 20 years. The FTC’s complaint highlights practices that the FTC finds fail to provide reasonable security when utilizing the services of a third-party cloud storage service, Amazon Web Services (“AWS”).


Fact Sheet: NYDFS Cyber Regulations


The New York Department of Financial Services’ Cyber Requirements for Financial Services Companies, 23 NYCRR 500 (“Cyber Regulations”) went into effect on March 1, 2017. The Cyber Regulations are intended to require financial companies to assess their internal cybersecurity risks and develop a cybersecurity program to protect customer information and their IT systems, as well as to respond to, recover from, and report cyber threats. The Cyber Regulations establish a comprehensive set of proactive cybersecurity standards for companies to follow, involving everything from appointing a designated Chief Information Security Officer (CISO) to submitting an annual compliance notice, and conducting penetration testing and vulnerability assessments.

Here is an overview of some key terms, requirements and deadlines under these new regulations.


Beyond FERPA: Safeguarding Student Data Is Key Obligation for Postsecondary Educational Institutions


Most institutions of higher education are very familiar with the Family Educational Rights Protection Act (FERPA), which applies to all state and local, public and private educational institutions that receive federal funds through programs administered by the U.S. Department of Education (ED). Unless at least one of FERPA’s exceptions applies, institutions risk sanctions from ED – including the potential loss of all federal funding – if they disclose a student’s personally identifiable information (PII) from an education record without the student’s express prior written consent.  Beyond FERPA, higher education institutions have additional legal responsibilities to assiduously secure and protect student data from inadvertent disclosure, particularly financial information maintained by an institution regarding students or their families.


OCR Responds to Rise in Health Care Cyberattacks


After recent WannaCry ransomware and Petya/notPetya malware attacks exposed the data security vulnerabilities of health care organizations and pharmaceutical companies globally, the Department of Health and Human Services and Office for Civil Rights have rolled out resources to prevent future attacks. The OCR’s resources, such as its Quick-Response Checklist, infographic and informational newsletter, are meant to support health care organizations every step of the way, from planning and contingency plans to response and mitigation procedures.

We’ve outlined some of the key points in the OCR and HHS documents in this recent alert.

And the Winner is….. FTC Announces Winner of IoT Home Device Security Contest


Earlier this year the FTC launched the IoT Home Inspector Challenge competition to challenge innovators to create a tool that will help protect consumers from security vulnerabilities in the software of home IoT devices.  Submissions were received in May and reviewed by a panel of five judges, including security experts from a range of private companies, universities and the government.  The FTC announced the winners on July 26, 2017.

Time to Focus on Cybersecurity in Health Care


In the wake of the WannaCry global attack that impacted the U.K.’s National Health Service, the need to protect valuable health care data has never been more urgent. The U.S. government has begun to take steps in the right direction with the passing of executive orders on cybersecurity, the Cybersecurity Act of 2015, and the Government Accountability Office report on the Internet of Things.

