Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends

Category Archives: Cybersecurity & Data Breaches

Subscribe to Cybersecurity & Data Breaches RSS Feed
Posted in Cybersecurity & Data Breaches

“Reasonable Security” Becomes Reasonably Clear to the California Attorney General

A growing number of state and federal laws require organizations to implement reasonable security safeguards to protect personal information. But what constitutes reasonable data security? This question has vexed organizations and spurred a considerable amount of litigation. On February 16, 2016, the California Attorney General’s Office released its 2016 Data Breach Report, which for the first time provides a listing of safeguards that the Attorney General views as constituting reasonable information security practices. Despite being focused on California, the Report’s recommendations are likely to have an impact far beyond the borders of the Golden State.

Posted in Consumer Privacy, Cybersecurity & Data Breaches

FTC Says Listen Up When Vulnerability Reports Come In

The FTC wants companies to listen. More precisely, the FTC wants companies to pay attention to and promptly to respond to reports of security vulnerabilities. That’s a key takeaway from the Commission’s recent settlement with ASUSTek. In its complaint against the Taiwanese router manufacturer, the FTC alleged that ASUS misrepresented its security practices and failed to reasonably secure its router software, citing the company’s alleged failure to address vulnerability reports as one of the Commission’s primary concerns. The settlement reiterates the warnings contained in the FTC’s recent Start with Security Guide and prior settlements with HTC America and Fandango: the FTC expects companies to implement adequate processes for receiving and addressing security vulnerability reports within a reasonable time.

Posted in Cybersecurity & Data Breaches

Privacy, Security, and IoT Prominent Themes at Silicon Flatirons DBM Conference

On January 31, 2016, the Silicon Flatirons Center for Law, Technology, and Entrepreneurship at the University of Colorado hosted its annual Digital Broadband Migration Symposium. The theme of this year’s conference was “The Evolving Industry Structure of the Digital Broadband Landscape.” The two-day conference brought together an array of leaders from government, academia, and industry to examine the role of regulatory oversight, antitrust law, and intellectual property policy in regulating industry structure and to discuss what policy reforms may be appropriate for the constantly changing digital broadband environment. As outlined below, a recurring topic throughout this year’s conference was the relationship between privacy, security, and the evolving digital landscape.

Posted in Cybersecurity & Data Breaches

Congress Looking at Potential Energy-Sector Cybersecurity and Privacy Reform

Energy-sector cybersecurity and privacy is generating significant attention of late. Last month, the Federal Energy Regulatory Commission issued a final rule creating new standards for the cybersecurity of the electric grid. FERC followed this issuance with a report on electrical grid recovery and restoration planning that makes a number of recommendations for improved cyber-incident response and recovery plans.

In parallel, the U.S. Congress is working on a variety of measures to combat perceived cybersecurity and privacy threats related to the powergrid. The failure of the powergrid in Ukraine due to security breaches; reports of ISIS and other foreign threats attempting to hack the U.S. grid; and news reports about the sensitivity of data on home energy usage have added a sense of urgency to this work.

Posted in Cybersecurity & Data Breaches

FDIC Publication Emphasizes Framework for Cybersecurity

Earlier this month, the Federal Deposit Insurance Corporation’s Division of Risk Management Supervision released “A Framework for Cybersecurity” in its Winter 2015 issue of Supervisory Insights. The FDIC article outlines the current and evolving cyber threat landscape and identifies the challenges presented by these threats as “critical” to financial institutions. The article describes regulatory steps the FDIC has taken and also how banks should incorporate cybersecurity into their overall risk management framework. The article is helpful for understanding the FDIC’s cybersecurity focus and the issues upon which it expects banks subject to its supervision to focus.

Posted in Cybersecurity & Data Breaches

Cybersecurity Information Sharing Act Procedures and Guidance Released

The Cybersecurity Information Sharing Act of 2015 provides limited liability protection and information disclosure protections for private-to-private and private-to-government cybersecurity information sharing. On February 16, 2016, two key U.S. agencies released a set of documents describing how CISA’s provisions are expected to work in practice.

Posted in Cybersecurity & Data Breaches

What’s New in the Cybersecurity National Action Plan

The passage of the Cybersecurity Information Sharing Act of 2015 is proving to be just the beginning of a national focus and call for a “bold reassessment of the way we approach security in the digital age” in order to not only combat evolving cyber threats but also to cultivate an environment for a continually evolving digital age with boundless opportunities for the American economy. On February 9, 2016, the President directed his Administration to implement a Cybersecurity National Action Plan designed to do just that.

Posted in Cybersecurity & Data Breaches, News & Events

Hogan Lovells Expands Cybersecurity Practice; Launches Cyber Risk Services

Anyone reading this blog already knows that cybersecurity is a team sport. No longer does the IT security department bear sole responsibility for protecting a company’s data and systems. Today companies are setting up enterprise-wide councils to oversee cybersecurity that include lawyers, risk managers, technical professionals, and other leaders. And if a breach occurs, that […]

Posted in Cybersecurity & Data Breaches

Key U.S. Cybersecurity Provisions Signed into Law

Last month, tucked into a 2,000-page spending bill, the Cybersecurity Information Sharing Act of 2015 (CISA) was enacted into law. Years in the making, CISA is intended to incentivize organizations to share cyber threat indicators with the federal government and to promote the dissemination of this information to organizations facing similar threats. The spending bill included a number of other cybersecurity provisions covering topics ranging from federal preparedness to foreign policy strategy. Most notably, the bill directs the Department of Health and Human Services to develop cybersecurity best practices for organizations in the healthcare industry. The bill also directs federal agencies to create new plans to fortify federal information systems and identify cyber-related gaps in the federal workforce.

Posted in Consumer Privacy, Cybersecurity & Data Breaches

Online Trust Alliance Releases Internet of Things Trust Framework

One of the most common devices in the emerging Internet of Things (IoT) was reportedly discovered to have a bug. According to the research firm Fortinet, a popular fitness tracker was vulnerable to wireless attacks through its unsecured Bluetooth port. A savvy attacker could install malware wirelessly within ten seconds—simply by coming within a few feet of the tracker. When the device’s owner returned home to sync daily activity with a computer, the malware could, in principle, infect the computer as well.

Posted in Cybersecurity & Data Breaches

Cyber at Sea: House-Passed Legislation Signals Focus on Maritime Cybersecurity

Recent developments in the United States suggest that cybersecurity of the maritime sector will come under increasing focus in 2016. On December 16, 2015, H.R. 3878, “Strengthening Cybersecurity Information Sharing and Coordination in Our Ports Act of 2015,” passed the House of Representatives. The Bill’s language echoes and expands upon recommendations made by the General Accountability Audit in its June 5, 2014 study Maritime Port Cybersecurity. It also reflects congressional focus on enabling cybersecurity information sharing as seen in the recent passage of the Cybersecurity Information Sharing Act.

Posted in Cybersecurity & Data Breaches

NIST Outlines Methods for Protecting Data from Cyber Attacks

The threat of ransomware is one of three example scenarios highlighted in a recent white paper released by the National Institute of Standards and Technology, titled Data Integrity: Reducing the Impact of an Attack. The paper launches a joint project led by the National Cybersecurity Center of Excellence, with participation by the Financial Services Information Sharing and Analysis Center and several private sector organizations.

Posted in Cybersecurity & Data Breaches, International/EU Privacy

Agreement Reached on First EU-Wide Rules to Improve Cybersecurity

At a trialogue meeting on December 7, the Luxembourg Presidency of the Council of the European Union reached agreement with the European Parliament on common rules to strengthen network and information security (NIS) across the EU.  The new directive will set out the first ever EU-wide cybersecurity obligations for operators of essential services and digital […]

Posted in Cybersecurity & Data Breaches

New York Department of Financial Services Previews Rigorous Cybersecurity Rules for Financial Sector

On November 9, 2015, Anthony Albanese, Acting Superintendent of the New York State Department of Financial Services, issued a letter to a wide array of federal and state financial services regulators that are part of the Financial and Banking Information Infrastructure Committee. The FBIIC members work together to enhance the reliability and security of financial sector infrastructure. Mr. Albanese’s letter outlines potential new cybersecurity regulations that would impact NYDFS-regulated financial institutions. The letter, which follows numerous steps taken by the NYDFS in recent years to better understand and mitigate cybersecurity risks, further positions the NYDFS as a leading regulator on cybersecurity issues in the U.S., particularly with respect to the financial sector. While no precise timeline was specified for enacting the potential regulations outlined, it appears likely that the NYDFS may formally propose comprehensive cybersecurity regulations in the months ahead.

Posted in Cybersecurity & Data Breaches, International/EU Privacy

Data Users Alert: New Guidance on Data Breach Handling in Hong Kong

On 9 October 2015, the Privacy Commissioner for Personal Data published a Guidance Note on “Data Breach Handling and the Giving of Breach Notifications”, a revised version of its June 2010 edition. The Guidance Note gives guidance to data users on how to deal with data breaches. In particular, the Guidance Note provides more of a focus on the relationship between data users and data processors. A data user engaging a data processor must adopt contractual or other means to ensure personal data security.

Posted in Cybersecurity & Data Breaches, International/EU Privacy

China Proposes New Cybersecurity Rules for Insurance Industry

On 9 October 2015, the China Insurance Regulatory Commission issued draft Supervisory Rules for Adoption of Information Technology by Insurance Institutions for public comment. The Draft Insurance IT Rules have been issued to replace the 2009 Guidance on Administration of Adoption of Information Technology by Insurance Companies and they build on the requirements set forth in the 2011 Guidelines on the Information System Security Management of Insurance Companies.

Posted in Cybersecurity & Data Breaches

U.S. Senate Passes Cybersecurity Information Sharing Legislation

After a prolonged debate and months-long consideration of amendments, the Senate has passed S. 754, which includes the Cybersecurity Information Sharing Act (“CISA”) of 2015, by a vote of 74-21. CISA has the support of the White House and many industry stakeholders, but some of the most well-recognized privacy advocacy organizations oppose it. The House of Representatives must now decide whether to pass CISA or work with the Senate on compromise legislation that incorporates the House cybersecurity information sharing bills, H.R. 1560 and H.R. 1731. It remains to be seen what form the final cybersecurity information sharing bill will take, but the Senate’s overwhelming vote for CISA suggests that the chances for overall passage are stronger than ever.

Posted in Cybersecurity & Data Breaches, Privacy & Security Litigation

Target Court Upholds Attorney-Client Privilege in Cyber Investigations

In a decision issued late last Friday, the United States District Court for the District of Minnesota rejected an effort by class action Plaintiffs to access materials created in the course of Target’s investigation of its 2013 payment card breach that Target claimed were protected by the attorney-client privilege and work product doctrine.

Posted in Cybersecurity & Data Breaches

Chris Wolf Receives Prestigious IAPP Privacy Vanguard Award

We are very proud to report that today, the International Association of Privacy Professionals (IAPP) awarded our very own Chris Wolf with its Privacy Vanguard Award, provided to an individual who has shown exceptional leadership, knowledge and creativity in the field of privacy and data protection.

Posted in Consumer Privacy, Cybersecurity & Data Breaches

NIST Releases Draft Framework on the Internet of Things

The National Institute of Standards and Technology released the draft Framework for Cyber-Physical Systems on September 18. The Framework is intended to serve as a common blueprint for the development of safe, secure, and interoperable systems as varied as smart energy grids, wearable devices, and connected cars. The NIST Cyber-Physical Systems Public Working Group developed the draft document over the past year with input from several hundred experts from industry, academia, and government. NIST will be accepting public comment on the draft for the next 45 days.

Posted in Cybersecurity & Data Breaches, Health Privacy/HIPAA

Recap of the OCR/NIST Conference on Safeguarding Health Information

Government officials and experts from the private sector discussed enabling precision medicine and efforts to bolster patients’ rights to access medical records, and also emphasized the importance of controlling access to protected health information at the eighth annual “Safeguarding Health Information: Building Assurance Through HIPAA Security” conference held from September 2–3, 2015, and co-hosted by the National Institute of Standards and Technology (NIST) and the Department of Health and Human Services, Office for Civil Rights. Comprehensive risk analysis and risk management practices remained a point of emphasis throughout the conference. This blog post addresses the following additional themes that emerged during the conference.

Posted in Cybersecurity & Data Breaches

Life is Short. Take Cybersecurity Seriously

This article is not about morality but about an urgently-needed change in behaviour. For real and for good. The much talked-about saga involving the theft and subsequent publication of customer data from extramarital affairs website Ashley Madison, has sparked many debates. Opinions have ranged from those who see this as a just punishment for the organised cheating industry to those who have ranked this hack as the most serious privacy violation since the invention of the Internet. The degree of sympathy for the victims has also been variable, but what appears to be a constant theme is the perception that this incident will have more dramatic consequences than any other cyber-attacks we have seen.

Posted in Consumer Privacy, Cybersecurity & Data Breaches

Analysis of FTC v. Wyndham: Third Circuit Affirms FTC Authority to Regulate Data Security

On Monday, August 24, 2015, the U.S. Court of Appeals for the Third Circuit issued its opinion in FTC v. Wyndham Worldwide Corp upholding the authority of the Federal Trade Commissionto oversee cybersecurity practices. The Wyndham case first made headlines in June 2012, when it became the first cybersecurity enforcement action to be litigated instead of being resolved by settlement. Wyndham Worldwide Corp. moved to dismiss the FTC’s claims that allegedly insufficient cybersecurity practices constituted unlawful “unfair” and “deceptive” business practices, arguing that the FTC’s unfairness authority did not extend to cybersecurity, and that the statements in its online privacy policy were not deceptive. Since that time, the case has been closely watched as the District Court for the District of New Jersey and the Third Circuit Court of Appeals considered the issue of whether the FTC had authority to regulate cybersecurity under the unfairness prong of § 45(a) of the FTC Act.