If Ben Franklin were alive today, he would add cybersecurity to his famous quote “…in this world nothing can be said to be certain, except death and taxes.” Cybersecurity is top of mind in every organization in part because of the recent massive ransomware attacks, new federal and state regulations (including the New York Division of Financial Services’ Cybersecurity Regulation) and the upcoming effective date of the European Union’s General Data Protection Regulation (GDPR). There is no one-size-fits-all solution for organizations that want to shore up their cybersecurity vulnerabilities, but there are a lot of useful reports and advice from federal government agencies.
The Era of “Big Data” and EU/U.S. Divergence for Refusals to Deal
The use of “big data” throughout all levels of the economy has led authorities in both Europe and the United States to begin examining how such data may be used as a commodity and, therefore, how it might regulated.
However, authorities on either side of the Atlantic seem to be offering different approaches on the matter; those in Europe are suggesting that big data should be subject to EU abuse of dominance law, whereas U.S. authorities are resisting the notion of big data as an “essential facility” and are suggesting it be considered as an asset within existing merger review processes.
Continue reading “The Era of “Big Data” and EU/U.S. Divergence for Refusals to Deal”
Delaware Amends Data Breach Notification Law
Delaware recently amended its data breach notification laws through House Bill 180, which now expands the definition of breach and personal information. It is now among 14 states to impose explicit data security obligations on businesses. While revisions to the law are in some ways more stringent, they are also more balanced by including a risk of harm requirement.
Under the amended law, which will go into effect on April 14, 2018, the definition of breach has been expanded to include not only unauthorized acquisition, but also disclosure of electronic or paper files, media, databases or other data. The law also broadens the scope of personal information to include user name or email address, in combination with a password or security question, and answer medical information, and unique biometric data.
Continue reading “Delaware Amends Data Breach Notification Law”
DC Circuit Deepens Circuit Split on Data Breach Class Standing
***09/06/17 UPDATE***
On Wednesday, September 6, the DC Circuit Court of Appeals granted an unopposed motion to stay its decision that reversed a district court order dismissing a potential class action arising from a 2014 data breach Chantal Attias et al. v. CareFirst Inc. et al., case number 16-7108. The order stays the mandate until December 7, 2017.
***ORIGINAL POST***
Last month, a three-judge panel on the United States Court of Appeals for the District of Columbia unanimously reversed a district court order dismissing a potential class action arising from a 2014 data breach, Chantal Attias et al. v. CareFirst Inc. et al., case number 16-7108. In reversing that order, the court permitted a health insurance company’s customers to proceed against that carrier, CareFirst, which serves one million customers in the District of Columbia, Maryland and Virginia.
Continue reading “DC Circuit Deepens Circuit Split on Data Breach Class Standing”
Recordkeeping Corner: All About Those Presidential Tweets & Self-Destructing Messages
President Trump’s first tweet in office was sent within an hour of his inauguration on January 20, 2017, and it has been followed by hundreds of tweets from both @POTUS and @realDonaldTrump. Are his tweets considered presidential records to be preserved permanently by the National Archives and Records Administration at a future Trump presidential library? What is the record status of his deleted tweets? And what is the record status of other state-of-the-art communications like Confide and Signal, which are designed to self-destruct like the message on the tape in “Mission: Impossible”?
“Do What You Say and Say What You Do” — The FTC’s Settlement with Uber
- Settlement reaffirms the importance for companies to deliver on to the privacy and security promises made to consumers
- Settlement is yet another reminder of one of the most important components of good data security – controlling access to sensitive information.
The Federal Trade Commission (“FTC”) announced, subject final approval after a 30-day comment period, a consent order with Uber Technologies (“Uber”) settling allegations that Uber misrepresented the extent to which it monitored its employees’ access to personal information about users and drivers and that it took reasonable steps to secure such information. The consent agreement does not contain monetary penalties, but does prohibit Uber from misrepresenting its privacy and security practices and requires that Uber establish a comprehensive privacy program that includes an independent third-party audit every two years for the next 20 years. The FTC’s complaint highlights practices that the FTC finds fail to provide reasonable security when utilizing the services of a third-party could storage service, Amazon Web Services (“AWS”).
Continue reading ““Do What You Say and Say What You Do” — The FTC’s Settlement with Uber”