FTC Blog Post Series Makes Common Sense Of Data Security

Recently, data security experts and regulators have said that “businesses should use a common sense approach” when addressing data security. However, rarely do I hear clients or other business professionals speak in those terms. Many organizations find data security to be daunting. It does not have to be. In fact, it can be a matter of common sense.

In 2015, the Federal Trade Commission (FTC) published a business guide called “Start with Security.” The guide distills lessons learned from the FTC’s own enforcement cases into 10 fundamentals that are applicable to any organization.

On July 21, 2017, the FTC announced a new initiative, Stick with Security, a weekly Business Blog series in which each post tackles one of the 10 Start with Security principles.

SEC Cybersecurity Risk Alert Emphasizes Proactive Compliance and Ongoing Vigilance

On August 7, 2017, the Securities and Exchange Commission (SEC) released its latest cybersecurity risk alert, detailing findings from the examination of 75 broker-dealers, investment advisers and investment companies carried out by its Office of Compliance Inspections and Examinations (OCIE) pursuant to its 2015 cybersecurity examination initiative. In contrast with the previous round of examinations, the Cybersecurity 2 Initiative focused more on validating and testing cybersecurity procedures and controls, with the alert highlighting improvements, deficiencies and best practices for registered firms.

Although OCIE noted improvements across the board (with broker-dealers, in all or “nearly all” cases, leading advisers and investment companies in a number of areas), it also identified a number of deficiencies.

FINRA Video Series Highlights Broker-Dealers’ Common Cybersecurity Deficiencies

In a series of three video programs published on the FINRA website in recent weeks, FINRA provided guidance on common deficiencies it has been seeing in its cybersecurity examinations of member firms and recommended a number of measures to address these issues. Firms should heed these warnings both so that they are prepared for when FINRA (or SEC or state) examiners come calling and, perhaps more importantly, so that they are as protected as they reasonably can be from the variety of cyberattacks facing the financial industry.

Are Industrial Control Systems the Linchpin for Critical Infrastructure Cybersecurity?

Over the past few months, news headlines around the globe have been littered with reports of cyberthreats to the critical infrastructure of countries of all sizes. What were once just ominous theories of catastrophic cyberattacks crippling the nation’s critical infrastructure are now deemed credible threats that critical infrastructure enterprises must consider in their cybersecurity, business continuity and incident response planning.

While the U.S. has not experienced a disruptive critical infrastructure cyberattack to date, such as the 2015 attack on Ukraine’s power grid that left more than 700,000 people without power for several hours, the frequency of cyberattacks on critical infrastructure enterprises is on the rise. This becomes an even greater concern with events such as the reported Russian hacking of the computer systems of numerous U.S. nuclear plants, which occurred just last month. As is becoming more and more common in attacks targeting critical infrastructure enterprises, these hackers targeted industrial control engineers, who had access to critical industrial control systems (ICS).

FTC Announces Internal Process Reforms in Connection with Civil Investigative Demands

Has your company or client been served with a Civil Investigative Demand (CID)? Overwhelmed? Don’t despair – the future may be brighter, as the Federal Trade Commission (FTC) is now offering more clarity regarding its CID document requests process. On July 17, 2017, FTC Acting Chairman Maureen K. Ohlhausen issued a new internal process reform aimed at promoting clarity, efficiency and transparency, and designed to “reduce unnecessary and undue burdens” associated with FTC investigations.

The reform specifically addresses CIDs in consumer protection cases, and includes a plain-language explanation of the CID process and a more elaborate description of the purpose, scope and types of information sought by the FTC, so recipients can better comply and respond. The FTC will also work to lighten the burden on companies by limiting relevant time periods, expanding the response time and revising existing CID instructions for the production of electronically stored information. The FTC will adhere to its current practice and will follow up on the status of investigations “at least every six months” after companies comply with CIDs.

Oregon Expands Deceptive Trade Practices Act to Include Misrepresentations About PI Usage

Effective January 1, 2018, Oregon will join Pennsylvania and Nebraska in expanding its definition of deceptive trade practices to explicitly include a material misstatement regarding the use of personal information. House Bill 2090 applies to statements “publishe[d] on a website … or in a consumer agreement related to a consumer transaction.” Like the other states’ laws, Oregon’s law does not include a private right of action. However, the Oregon law is significantly broader than Pennsylvania’s and Nebraska’s laws in the following respects:

  • Oregon’s law does not include a mental state requirement. Both Pennsylvania’s and Nebraska’s laws require that the misrepresentation be made “knowingly.”
  • Oregon’s law applies to any “information that the person requests, requires or receives from a consumer” as opposed to limiting coverage to “personal information.”
  • Oregon’s law applies to representations regarding how a person will “use, disclose, collect, maintain, delete or dispose of information,” whereas the Pennsylvania and Nebraska laws apply only to “use.”

The following chart provides additional details regarding the similarities and differences between the three laws:


Nevada Enacts Online Privacy Policy Law; Illinois ‘Right to Know’ Bill Carried Over

Nevada recently became the latest state to pass a law requiring operators of websites and online services to post a public notice regarding their privacy practices. California was the first state to pass such a law in 2004, and Delaware enacted a similar law effective January 1, 2016. Similar to its predecessors, the new Nevada legislation specifies that the posted notice must:

  • Identify the categories of personally identifiable information (PII) collected through the site;
  • Identify the categories of third parties with whom such PII may be shared;
  • Disclose whether third parties may collect information about a consumer’s online activities over time and across different websites when the consumer uses the site;
  • Provide information about the process for reviewing and requesting changes to PII collected through the site; and
  • List an effective date.


Revocation of Consent Under the TCPA

The Telephone Consumer Protection Act (TCPA) was enacted as a consumer protection measure against companies that engage in telemarketing practices. The basic principle of the TCPA is that it prohibits a company from making “any telephone call to any residential telephone line using an artificial or prerecorded voice to deliver a message without the prior express consent of the called party.” 47 U.S.C. § 227(b)(1)(B). The deterrent for such acts is statutory damages of $500 per violation (per call in this case, a number that can quickly add up), which a court may increase to up to $1,500 per violation where the violation was willful or knowing.

But what happens if an individual gives a company “express written consent” and later seeks to revoke that consent? Prior case law, and a 2015 Federal Communications Commission (FCC) ruling, had stated that a consumer who freely gives informed consent may revoke it by “any reasonable means.” In various cases, plaintiffs have successfully claimed that they revoked their initial consent and were therefore entitled to damages under the TCPA. The Second Circuit, in Reyes v. Lincoln Automotive Financial Services, No. 16-2104-cv, however, distinguishes those rulings and holds that express consent can, in certain cases, be irrevocable.

Deeper Dive: Application of Work-Product Doctrine to Forensic Investigations

In a recent post, we addressed the role a forensic investigation plays in a company’s response to a data security incident. We noted that to maximize the likelihood that a forensic firm’s work will be covered by the work-product doctrine or attorney-client privilege, the engagement letter should include outside counsel and the forensic firm should conduct its investigation at the direction of counsel. At a minimum, the engagement letter should specify that the forensic firm has been engaged to assist counsel in providing legal advice and, when appropriate, should specify that the forensic firm is assisting counsel in anticipation of litigation. Since that post, a new court decision has shed additional light on the factors affecting whether the work-product doctrine will protect a forensic firm’s work from discovery.

In In re Experian Data Breach Litigation, Case No. 8:15-cv-01592-AG-DFM (C.D. Cal. May 18, 2017), the court denied a motion to compel discovery of a forensic firm’s report and related documents, holding that the materials were protected by the work-product doctrine. In Experian, the defendant retained outside counsel shortly after learning of an incident (but before any litigation commenced), and the outside counsel then retained the forensic firm to investigate the incident.

The court considered several facts to be significant in determining that the work-product doctrine applied. As already noted, the forensic firm was retained by outside counsel at a time when it was reasonable to anticipate litigation over the data breach. Additionally, the forensic firm’s report was shared only with outside and in-house counsel, not with the company’s broader incident response team. The company also submitted declarations establishing that the scope of the forensic firm’s engagement was limited to assisting the company’s counsel.

New York DFS Updates FAQs to Clarify Applicability of Cybersecurity Regulation

With the first compliance deadline now less than two months away, the New York Department of Financial Services (NYDFS) has provided additional clarity concerning its new Cybersecurity Requirements for Financial Services Companies (the “Cybersecurity Regulation”) by publishing an update to previously issued Frequently Asked Questions.

We reported on the forthcoming Cybersecurity Regulation in January and February.

The new FAQs address the applicability of the Cybersecurity Regulation to three different types of entities. [1]

  • New York Branches of Out-of-State Banks. Pursuant to a 1997 Nationwide Cooperative Agreement among state banking regulators, NYDFS “will defer to the home state supervisor for supervision of New York branches.” However, NYDFS “maintains the right to examine branches located in New York” as they still must comply with New York law. Accordingly, NYDFS “strongly encourages all financial institutions, including New York branches of out-of-state domestic banks” to adopt safeguards and protections consistent with the Cybersecurity Regulation.
  • Subsidiaries and Other Affiliates. A Covered Entity must include Affiliates in its Risk Assessment to determine whether they present risks to the Covered Entity’s Information Systems or Nonpublic Information. If so, those risks must be addressed in the Covered Entity’s cybersecurity program and written cybersecurity policy.
  • Exempt Covered Entities. Because the exemptions set forth in Section 500.19 of the Cybersecurity Regulation are “limited in scope,” exempt Covered Entities must still comply with certain provisions of the Cybersecurity Regulation. For example (not listed in the FAQs), a Covered Entity that is exempt under Section 500.19(a) must still conduct a Risk Assessment that informs its cybersecurity program, written cybersecurity policy, access privileges, Third Party Service Provider security policy and data retention practices. Such an exempt Covered Entity also would be required to notify NYDFS of covered Cybersecurity Events and annually certify its compliance to the Superintendent.

We will continue to monitor and provide updates regarding additional NYDFS guidance or interpretations relevant to implementation of the Cybersecurity Regulation.

[1] Note: capitalized terms not defined below are defined in the Cybersecurity Regulation.