In 2022, the stakes for data breaches grew in more ways than one. IBM reported the average cost of a data breach is up to $4.35 million. More importantly, though, regulators have zeroed in on higher-level executives and...more
The Federal Trade Commission (FTC) recently announced its position on breach notification: “Regardless of whether a breach notification law applies, a breached entity that fails to disclose information to help parties...more
On June 10, 2021, China’s national legislature – the Standing Committee of the National People's Congress passed the Data Security Law (the “DSL”). The DSL (see here for a non-official English translation) took effect on...more
In the wake of a cyber incident, regulators and law enforcement agencies closely scrutinize the cyber security measures in place at the affected organization. ...more
Earlier this month, Andrew Smith, the FTC’s Director of the Bureau of Consumer Protection, announced that the Commission had made “three major changes” to its data security orders. Citing recent hearings at the FTC, as well...more
In June 2018, medical laboratory LabMD obtained the first-ever court decision overturning a Federal Trade Commission (FTC) cybersecurity enforcement action. (The team directing that effort – led by Doug Meal and Michelle...more
3/14/2019
/ Cease and Desist Orders ,
Corporate Counsel ,
Cybersecurity ,
Data Security ,
Enforcement Actions ,
Enforcement Authority ,
Federal Trade Commission (FTC) ,
FTC Act ,
Injunctive Relief ,
LabMD ,
Popular ,
Remediation
Shortly after the new year, the Federal Trade Commission filed suit in the Northern District of California against D-Link Corporation, a Taiwan-based maker of wireless routers, Internet Protocol (IP) cameras, and software...more
2/6/2017
/ Corporate Counsel ,
Data Security ,
Federal Trade Commission (FTC) ,
Hackers ,
Popular ,
Security Standards ,
Software ,
Taiwan ,
Technology ,
Technology Sector ,
Vulnerability Assessments ,
Young Lawyers
For businesses that work with the U.S. Department of Defense (“DoD”), two important rules for safeguarding certain categories of sensitive information and reporting cyber incidents were recently finalized, updating the...more
Last week, FinCEN (Financial Crimes Enforcement Network) issued a formal Advisory to Financial Institutions and published FAQs outlining specific cybersecurity events that should be reported through Suspicious Activity...more
11/4/2016
/ Anti-Money Laundering ,
Bank Secrecy Act ,
Banking Sector ,
BSA/AML ,
Cyber Attacks ,
Cybersecurity ,
Cybersecurity Act of 2015 ,
Cybersecurity Framework ,
Data Breach ,
Data Security ,
Distributed Denial of Service ,
FFIEC ,
Financial Institutions ,
FinCEN ,
Information Sharing ,
Malware ,
Patriot Act ,
Ransomware ,
Reporting Requirements ,
Suspicious Activity Reports (SARs)
Aravind Swaminathan, global co-chair of Orrick’s Cybersecurity & Data Privacy team, recently spoke with Global Investigations Review regarding new plans proposed by New York’s Department of Financial Services that will...more
9/26/2016
/ Cyber Attacks ,
Cyber Crimes ,
Cybersecurity ,
Data Breach ,
Data Protection ,
Data Security ,
Financial Institutions ,
Hackers ,
Incident Response Plans ,
Negligence ,
Risk Management
Last week, the FTC published a blog post titled The NIST Cybersecurity Framework and the FTC, in which the agency issued a nuanced answer to an oft-asked question: “If I comply with the NIST Cybersecurity Framework, am I...more
On July 5, 2016, the Ninth Circuit Court of Appeals issued its highly anticipated decision in the most recent chapter of United States v. Nosal, holding that an individual acts "without authorization" as used in the Computer...more
After 4 years of negotiation, today the European Parliament adopted the General Data Protection Regulation (“GDPR“). In doing so, it signaled the end of the EU approval process and put businesses on alert that they now have...more
This month, the Federal Communications Commission (FCC) will consider issuing a Notice of Proposed Rulemaking (NPRM) for privacy regulations that will apply to broadband providers. The goals and objectives of the proposed...more
In a much anticipated move, on March 2, 2016, the Consumer Financial Protection Bureau (CFPB) entered the cybersecurity foray with its first enforcement action against Dwolla, Inc., an online payment processing start-up. ...more
On Monday, January 25th, the Supreme Court issued the most recent Computer Fraud and Abuse Act decision in Michael Musacchio v. United States. After leaving his employer to start his own company, the defendant (a former...more
On November 13, 2015, the Federal Trade Commission and the Federal Communications Commission entered into a Memorandum of Understanding to address coordination of consumer protection actions by each agency. Following a wave...more
Earlier this month, privacy and security professionals from around the globe gathered for “Privacy. Security. Risk. 2015”—the second joint conference between the International Association of Privacy Professionals and the...more
10/15/2015
/ Big Data ,
Cloud Computing ,
Compliance ,
Covered Entities ,
Cybersecurity ,
Data Privacy ,
Data Protection ,
Data Protection Authority ,
Data Security ,
Department of Health and Human Services (HHS) ,
Dropbox ,
Edward Snowden ,
Enforcement Actions ,
Ethics ,
EU Data Protection Laws ,
European Commission ,
European Court of Justice (ECJ) ,
Facebook ,
FCC ,
Federal Trade Commission (FTC) ,
Google ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Healthcare ,
International Data Transfers ,
Internet of Things ,
Ireland ,
Microsoft ,
National Security ,
National Security Agency (NSA) ,
OCR ,
Personal Data ,
Popular ,
Privacy Laws ,
Right to Privacy ,
Safe Harbors ,
Schrems I & Schrems II ,
Security Risk Assessments ,
US-EU Safe Harbor Framework
1. CJEU finds Safe Harbor Invalid -
In a landmark ruling delivered today, Europe's highest court, the Court of Justice of the European Union (CJEU) declared that the EU Commission's US - EU Safe Harbour regime is...more
10/7/2015
/ Cloud Computing ,
Corporate Counsel ,
Cybersecurity ,
Data Protection ,
Data Security ,
Data Transfers ,
Due Diligence ,
EU ,
European Court of Justice (ECJ) ,
European Economic Area (EEA) ,
Facebook ,
International Data Transfers ,
Personal Data ,
Popular ,
Privacy Concerns ,
Privacy Policy ,
Safe Harbors ,
US-EU Safe Harbor Framework ,
Young Lawyers
As we head into the end of 2015, state legislators across the country continue to strengthen, update and, in some instances, broaden the scope of their respective state data breach notification laws. Specifically, many...more
10/1/2015
/ Bank Accounts ,
Breach Notification Rule ,
Credit Cards ,
Cyber Attacks ,
Cyber Crimes ,
Cybersecurity ,
Data Breach ,
Data Breach Plans ,
Data Protection ,
Data Security ,
Debit Cards ,
Hackers ,
Passwords ,
Personally Identifiable Information ,
Privacy Laws ,
Proposed Legislation ,
Social Security Numbers
Officials at the U.S. Department of Health and Human Services Office of Civil Rights (HHS OCR) have recently selected a vendor to conduct the second wave of HIPAA audits. These so-called "Phase 2 Audits" are set to commence...more
9/21/2015
/ Breach Notification Rule ,
Cloud Computing ,
Corrective Actions ,
Covered Entities ,
Cybersecurity ,
Data Breach ,
Data Security ,
Department of Health and Human Services (HHS) ,
Electronic Medical Records ,
Enforcement Actions ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Healthcare ,
HITECH Act ,
Hospitals ,
OCR ,
Personally Identifiable Information ,
PHI ,
Privacy Rule ,
Risk Assessment
On Monday, the Third Circuit issued a highly anticipated opinion affirming the Federal Trade Commission's authority to regulate "unfair" cybersecurity practices under Section 5 of the FTC Act. In allowing the data breach...more
8/27/2015
/ Credit Cards ,
Cyber Attacks ,
Cyber Crimes ,
Cybersecurity ,
Data Breach ,
Data Protection ,
Data Security ,
Debit Cards ,
Enforcement Actions ,
Federal Trade Commission (FTC) ,
Fraudulent Charges ,
FTC v Wyndham ,
Hackers ,
Section 5 ,
Wyndham
Earlier this summer, the Federal Financial Institutions Examination Council (FFIEC) released its highly anticipated Cybersecurity Assessment Tool (Assessment), which is designed to assist financial institutions in identifying...more
8/26/2015
/ ATMs ,
Banking Sector ,
Banks ,
Caremark claim ,
Cloud Computing ,
Compliance ,
Credit Cards ,
Cyber Attacks ,
Cyber Crimes ,
Cybersecurity ,
Data Breach ,
Data Protection ,
Data Security ,
Debit Cards ,
FFIEC ,
Financial Institutions ,
Hackers ,
Internet Service Providers (ISPs) ,
Mobile Payments ,
NCUA ,
NIST ,
OCC ,
Regulatory Standards ,
Risk Management
Earlier this month, the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR) announced that it had entered into a settlement agreement with St. Elizabeth's Medical Center (SEMC) in Brighton,...more
7/31/2015
/ Compliance ,
Corporate Counsel ,
Corporate Governance ,
Corrective Actions ,
Cybersecurity ,
Data Security ,
De-Identified Protected Health Information ,
Department of Health and Human Services (HHS) ,
Department of Justice (DOJ) ,
EHR ,
Enforcement Actions ,
Health Insurance Portability and Accountability Act (HIPAA) ,
OCR ,
Personally Identifiable Information ,
Security Rule ,
Settlement