In June 2018, medical laboratory LabMD obtained the first-ever court decision overturning a Federal Trade Commission (FTC) cybersecurity enforcement action. (The team directing that effort – led by Doug Meal and Michelle Visser – joined Orrick in January 2019). There, the Eleventh Circuit held that an FTC cease-and-desist order imposing injunctive relief requiring LabMD to implement “reasonable” data security was impermissibly vague. In the wake of LabMD, the FTC’s new Chairman, Joseph Simons, stated that he was “very nervous” that the agency lacked the remedial authority it needed to deter allegedly insufficient data security practices and that, among other things, the FTC was exploring whether it has additional untapped authority it could use in this space. In this regard, Chairman Simons and Commissioner Rebecca Kelly Slaughter announced that the FTC is examining whether it can “further maximize its enforcement reach, in all areas, through strategic use of additional remedies” such as “monetary relief.” READ MORE
This past September Governor Brown signed into law Senate Bill 327, which is the first state law designed to regulate the security features of Internet of Things (IoT) devices. The bill sets minimum security requirements for connected device manufacturers, and provides for enforcement by the California Attorney General. The law will come into effect on January 1, 2020, provided that the state legislature passes Assembly Bill 1906, which is identical to Senate Bill 327. READ MORE
The California Consumer Privacy Act of 2018 (the “CCPA” or the “Act”), which we reported on here and here continues to make headlines as the California legislature fast-tracked a “clean up” bill to amend the CCPA before the end of the 2018 legislative session. In a flurry of legislative activity, the amendment bill (“SB 1121” or the “Amendment”) was revised at least twice in the last week prior to its passage late in the evening on August 31, just hours before the legislative session came to a close. The Amendment now awaits the governor’s signature.
Although many were hoping for substantial clarification on many of the Act’s provisions, the Amendment focuses primarily on cleaning up the text of the hastily-passed CCPA, and falls far short of addressing many of the more substantive questions raised by companies and industry advocates as to the Act’s applicability and implementation. READ MORE
Game-changing Calif. Consumer Privacy Act of 2018 puts statutory breach damages on the table
The recently-enacted California Consumer Privacy Act of 2018 is a game-changer in a number of respects. The Act imports European GDPR-style rights around data ownership, transparency, and control. It also contains features that are new to the American privacy landscape, including “pay-for-privacy” (i.e., financial incentives for the collection, sale, and even deletion of personal information) and “anti-discrimination” (i.e., prohibition of different pricing or service-levels to consumers who exercise privacy rights, unless such differentials are “reasonably related to the value provided to the consumer of the consumer’s data”). Privacy teams will be hard at work assessing and implementing compliance in advance of the January 1, 2020 effective date. READ MORE
Noting the “astounding” statistics on the use of smartphones and other mobile devices to “shop, bank, play, read, post, watch, date, record, and go” across consumer populations, the FTC has recently re-focused its attention on mobile security issues. As the amount of information collected on mobile devices, and through applications on those devices, continues to rise exponentially, unsurprisingly, mobile devices have become increasingly fertile grounds for cyberattacks. Against this backdrop, in February 2018 the FTC issued a 134-page report titled Mobile Security Updates: Understanding the Issues (the “Report”). Not long afterward, on April 2, 2018, the FTC appointed a new Acting General Counsel, Alden Abbot, who has substantial experience in the mobile-communication industry, including serving in key legal roles at Blackberry Corporation and the National Telecommunications and Information Administration in the Department of Commerce. Although the Report is narrowly focused on processes for patching vulnerabilities and software updates, the FTC notes that the Report is “part of an on-going dialogue” and that it intends to work with industry, consumer groups, and lawmakers to further the “goals of reasonable security and greater transparency” in its efforts to improve mobile-device security. READ MORE
Given the explosive growth in the connectivity of every day “things,” several government agencies are focused on how best to support innovation and the benefits of an increasingly connected, data driven society, while weighing options for mitigating the cybersecurity and privacy risks relating to the Internet of Things. The pace of development with respect to connected cars and autonomous vehicles has drawn particular attention. READ MORE
A recent skirmish about standing in data breach class actions (this time in the Eighth Circuit), involving securities and brokerage firm Scottrade, suggests that, even if plaintiffs win that limited question, there are other key battles that can win the war for defendants. As we reported with Neiman Marcus, P.F. Chang’s, Nationwide, and Barnes & Noble, the Eighth Circuit’s decision in Kuhn v. Scottrade offers important proactive steps that organizations should consider taking that can mitigate post-breach litigation exposure. READ MORE
This week, a high profile plaintiffs’ firm (Edelson) stated that “if done right,” the data breach class actions against Equifax should yield more than $1 billion in cash going directly to more than 143 million consumers (i.e., roughly $7 per person).
No defendant to date has paid anything close to $1 billion. In fact, the largest class settlements in breach cases hardly get close: Target Stores paid $10 million (cash reimbursement for actual losses) and The Home Depot paid $13 million (cash reimbursement for actual losses + credit monitoring). Will Equifax be different?
Part of the answer revolves around the increasingly debated role and importance of “consumer harm” in resolving data breach disputes. READ MORE
Shortly after the new year, the Federal Trade Commission filed suit in the Northern District of California against D-Link Corporation, a Taiwan-based maker of wireless routers, Internet Protocol (IP) cameras, and software used in consumer electronics (such as baby monitors). The complaint alleges that D-Link failed to reasonably secure its products from hackers. Notably, the FTC has not alleged that D‑Link products were exploited by hackers or that a data breach or cyberattack resulted from any alleged security vulnerabilities. Rather, the action is based squarely on security vulnerabilities that “potentially compromis[ed] sensitive consumer information, including live video and audio feeds from D-Link IP cameras” and marketing statements made by D-Link that touted the products’ security features.
We at Trust Anchor have our ears to the ground. Here are some of the most important things we heard regulators, courts, and legislatures say about cybersecurity in 2016, and what they mean for you and your organization
There is no such thing as compliance with the NIST Cybersecurity Framework (FTC). In September, the FTC dispelled a commonly held misconception regarding the NIST Framework: It “is not, and isn’t intended to be, a standard or checklist. . . . there’s really no such thing as ‘complying with the Framework.'” The Framework provides guidance on process. It does not proscribe the specific practices that must be implemented. Rather, the NIST Framework lays out a risk-based approach to assessment and mitigation that is “fully consistent” with the concept of “reasonableness” embedded in the FTC’s Section 5 enforcement record. Takeaway: Organizations should consider using the NIST Framework—or another framework—to guide their cybersecurity investments and program development. Use of the NIST Framework alone does not signal that an organization is secure.