Tag Archives: cybersecurity

The Weekly Privacy Rewind

By Aaron Lancaster on August 28, 2018 Posted in Weekly Privacy Rewind

Biometric Information Privacy Act AGCO Corp., Ceridian HMC Inc. and Hegewisch Development Corp. Latest Employers to Face Allegations of BIPA Violations • Lawsuits against employers for alleged violations of Illinois’ Biometric Information Privacy Act (BIPA) show no signs of slowing, with three more employers, AGCO Corp., Ceridian HCM Inc. and Hegewisch Development Corp., all facing … Continue Reading

11th Circuit Issues Opinion Vacating Order That Required LabMD to Overhaul Its Data Security Program

By Kathryn Carey and Aaron Lancaster on June 8, 2018 Posted in Cybersecurity, Medical Privacy

On June 6, the 11th Circuit issued its long-awaited decision on LabMD Inc. v. Federal Trade Commission, vacating as unenforceable the Federal Trade Commission’s (FTC’s) cease and desist order that required LabMD to create and implement a variety of protective measures with respect to data security. Notably, however, the decision did not address the most … Continue Reading

SEC Clarifies Existing Cybersecurity Disclosure Guidance

By Craig A. Hoffman, Jonathan A. Forman and John Busch on February 28, 2018 Posted in Cybersecurity, Data Breach Notification Laws

On February 21, 2018, the U.S. Securities and Exchange Commission (“SEC”) issued cybersecurity disclosure guidance for public companies (“SEC Guidance”) that, according to SEC Chair Jay Clayton, “reinforces and expands” on the SEC Division of Corporation Finance’s prior guidance from 2011 (“Corp Fin Guidance” as we previously covered) regarding disclosure requirements under the federal securities … Continue Reading

Looking Back: The Federal Trade Commission Issues Annual Data Privacy Report for 2017

By John Busch on February 6, 2018 Posted in Cybersecurity, Enforcement, News

On Jan. 18, 2018, the Federal Trade Commission (FTC) published its Annual Privacy and Data Security Update. The update is helpful to businesses in that it recaps the efforts and areas of involvement the FTC has targeted in the past year as well as guides data protection strategies for 2018. The report provides a detailed … Continue Reading

New York DFS Updates FAQs to Clarify Applicability of Cybersecurity Regulation

By Melinda L. McLellan and Jonathan A. Forman on July 7, 2017 Posted in Financial Privacy, State Legislation

With the first compliance deadline now less than two months away, the New York Department of Financial Services (NYDFS) has provided additional clarity concerning its new Cybersecurity Requirements for Financial Services Companies (the “Cybersecurity Regulation”) by publishing an update to previously issued Frequently Asked Questions. We reported on the forthcoming Cybersecurity Regulation in January and … Continue Reading

Countdown Begins for Cybersecurity Compliance

By W. Barron A. Avery on July 6, 2017 Posted in Cybersecurity

This month marks an important waypoint for defense contractors subject to the new cybersecurity requirements imposed by the Department of Defense. For contractors subject to the requirements of Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (the clause), the deadline for compliance with the clause’s cybersecurity requirements is … Continue Reading

Colorado Proposes Cybersecurity Requirements for Investment Advisers and Broker-Dealers

By Melinda L. McLellan and Jonathan A. Forman on April 6, 2017 Posted in Cybersecurity, Financial Privacy, Information Security

On March 27, 2017, the Colorado Department of Regulatory Agencies proposed changes to the Colorado Securities Act that would impose new cybersecurity requirements on investment advisers and broker-dealers (the “Proposed Rule”). Among other obligations, the Proposed Rule would require these entities to include cybersecurity as part of their risk assessments, and establish and maintain written … Continue Reading

Finalized New York Department of Financial Services Cybersecurity Regulation to Take Effect March 1

By Melinda L. McLellan and Jonathan A. Forman on February 23, 2017 Posted in Cybersecurity, Enforcement, Financial Privacy, Information Security

On February 16, 2017, the New York Department of Financial Services (NYDFS) announced the release of its finalized Cybersecurity Requirements for Financial Services Companies (“Cybersecurity Regulation”), which will take effect on March 1, 2017. This final iteration, issued following an additional 30-day comment period, is in large part the same as the revised version dated … Continue Reading

New York Department of Financial Services Issues Revised Cybersecurity Regulations

By Melinda L. McLellan and Jonathan A. Forman on January 3, 2017 Posted in Cybersecurity, Enforcement, Financial Privacy

With the clock ticking down to the new year, on December 28, 2016, the New York State Department of Financial Services (NYDFS) released highly anticipated revisions to its proposed Cybersecurity Requirements for Financial Services Companies (the “Proposal”). As we previously reported, the NYDFS first announced the proposed regulations in September; at that time, they were … Continue Reading

FCC Wades Back Into Data Privacy and Security for ISPs With Revised Privacy Proposal

By Alan L. Friel and Suchismita Pahi on October 20, 2016 Posted in Cybersecurity, Enforcement

Recently, Federal Communications Commission (FCC or Commission) Chairman Tom Wheeler circulated to the Commission a revised proposed order to regulate the data privacy and security practices of internet service providers (ISPs) (also known by the Commission as broadband internet access service (BIAS) providers). We previously wrote about the Commission’s initial proposal in this regard (available … Continue Reading

Former SEC Commissioner Louis A. Aguilar Describes Corporate Directors’ Cybersecurity Duties

By Randal L. Gainer on September 26, 2016 Posted in Cybersecurity, Data Breaches

When Louis A. Aguilar was a commissioner at the Securities and Exchange Commission, he helped organize the SEC’s March 2014 roundtable to discuss the cyber risks facing public companies. The numerous data breaches that have occurred at public companies, from Target to Yahoo and many more, show that public companies have not yet succeeded in … Continue Reading

Latest Data Breach Settlement Illustrates Need for Companies to Prioritize Cybersecurity

By David M. Brown on August 24, 2016 Posted in Cybersecurity, Data Breaches, Enforcement, Online Privacy, Retail Industry

On Aug. 5, 2016, the New York attorney general, Eric Schneiderman, announced a $100,000 settlement with an e-retailer following an investigation of a data breach that resulted in the potential exposure of more than 25,000 credit card numbers and other personal information. According to the investigation, on Aug. 7, 2014, in an all-too-common scenario, an … Continue Reading

Deeper Dive: Plan for Regulatory Scrutiny in Financial Services Data Security Incidents

By Gerald J. Ferguson and Jenna N. Felz on May 16, 2016 Posted in Cybersecurity, Financial Privacy

Financial services industry companies were involved in 18% of the over 300 data security incidents we helped manage in 2015, and reported in our 2016 BakerHostetler Data Security Incident Response Report (the “Report”). After healthcare, the financial services industry was the second most affected industry according to the data we reported. It is not surprising … Continue Reading

New Take on Old Phishing Scam Wreaking Havoc on HR Departments

By Kevin Wallace and Melinda L. McLellan on March 8, 2016 Posted in Cybersecurity

From would-be Nigerian princes to foreign lottery officials, cybercriminals have been known to assume all sorts of false identities to carry out email phishing scams that trick unsuspecting consumers into clicking on fraudulent links or divulging personal information to strangers. We often see a spike in this type of activity around tax season, when fraudsters … Continue Reading

Protecting Patient Data From Hacker Ransom Demands

By Suchismita Pahi on February 26, 2016 Posted in Medical Privacy

Forty bitcoins later (approximately $17,000), Hollywood Presbyterian Hospital can now access its electronic medical health records and return to treating its patients as scheduled. But as hackers develop new tools to access information, an increasing number of providers will be targeted and ransom demands will escalate, putting hospitals and patients at risk. Focusing on technical … Continue Reading

Data Security in the Financial Industry: Five Key Developments to Keep An Eye on in 2016

By Jenna N. Felz on January 27, 2016 Posted in Financial Privacy

According to a 2015 report on threats to the financial services sector, 41% of financial services organizations polled had experienced a data breach or failed a compliance audit in the previous year, and 57% listed preventing a data breach as their top IT priority. Reflecting the ever-increasing awareness of threats to financial data security, 2015 … Continue Reading

The CFTC’s Proposed Standards Identify Cybersecurity Best Practices

By Randal L. Gainer on January 19, 2016 Posted in Cybersecurity

The Commodity Futures Trading Commission (CFTC) offered several reasons for proposing five new cybersecurity testing requirements for the commodity trading platforms it regulates in its December 23, 2015, Notice of Proposed Rulemaking: More than half of the securities exchanges surveyed in 2013 reported that they had been the victim of cyberattacks. 80 Fed Reg. at … Continue Reading

EU’s Network and Information Security Directive: Regulating “operators of essential services” and “digital service providers”

By Suchismita Pahi and Kathryn Mellinger on December 22, 2015 Posted in Cybersecurity

The European Union continues to move forward with a proposed unified framework to strengthen network and information security systems across its member countries. On December 18, 2015, the Permanent Representatives Committee (Coreper) approved a provisional agreement reached on December 7, 2015, by the European Parliament and European Council on the Network and Information Security Directive … Continue Reading

What the FTC’s Settlement With Wyndham Means for Your Company

By Gerald J. Ferguson and Alan L. Friel on December 18, 2015 Posted in Cybersecurity, Data Breaches

The recent settlement entered into between the Federal Trade Commission (FTC) Wyndham Hotels and Resorts and related companies (Wyndham) provides an important roadmap for companies seeking to avoid running afoul of the FTC’s regulation of data security. In particular, this settlement, as embodied in a Consent Order entered by the Court provides Wyndham Hotels and … Continue Reading

New York Department of Financial Services Sets Forth Extensive Cybersecurity Regulatory Framework Proposal

By Suchismita Pahi and Kathryn Mellinger on December 1, 2015 Posted in Cybersecurity, Information Security, State Legislation

On November 9, 2015, the New York State Department of Financial Services (NYDFS) issued a letter to the members of the Financial and Banking Information Infrastructure Committee (FBIIC) detailing a new cybersecurity framework proposal for “covered entities,” or financial institutions regulated by NYDFS. The framework builds on data from NYDFS reports surveying cybersecurity programs from … Continue Reading

The SEC OCIE Announces Increased Scrutiny of Broker-Dealers’ and Investment Advisers’ Cybersecurity Programs

By Will R. Daugherty on September 28, 2015 Posted in Cybersecurity

On September 15, 2015, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) issued a National Exam Program Risk Alert (2015 Risk Alert) to provide broker-dealers and investment advisers with information on the focus areas of its upcoming round of cybersecurity examinations. OCIE is building on its previous cybersecurity examinations to increase … Continue Reading

Cybersecurity is a Real Risk, So Become “Compromise Ready”

By Craig A. Hoffman on April 29, 2015 Posted in Cybersecurity

Many have heard that “it is not a matter of if a company will be attacked, but when.” Statements like this used to be met with skepticism – companies would say we do not have information hackers want, we outsource our security so we have no risk, or the IT department said it will never … Continue Reading

Obama Administration Recognizes Cyber Threats to U.S. Critical Infrastructure as a National Emergency

By Gerald J. Ferguson on April 7, 2015 Posted in Cybersecurity

Many cybersecurity experts have warned that the United States is already engaged in covert cyber warfare against hostile actors around the world. The latest cybersecurity Executive Order reflects formal recognition that, regardless of whether we call it war, cyber threat activity directed at U.S. critical infrastructure has created a national emergency. Exercising authority granted by … Continue Reading

FTC Director Jessica Rich Discusses Privacy and Data Security at BakerHostetler Symposium

By Tanya Forsheit and William W. Hellmuth on February 26, 2015 Posted in Cybersecurity, Events

On February 26, 2015, Jessica L. Rich, Director of the Bureau of Consumer Protection at the Federal Trade Commission, spoke at the BakerHostetler Symposium on Section 5 of the FTC Act on how the FTC approaches privacy and data security. Director Rich’s comments on this subject were particularly timely, with the Third Circuit poised to … Continue Reading