SEC Issues Disclosure Guidance as Part of Continued Focus on Cybersecurity

As cybersecurity attacks have continued to gain prominence as a threat posing critical risk management and compliance challenges for financial institutions, the Securities and Exchange Commission (SEC) has emerged as an active federal regulator in this arena. In September 2017, the SEC announced creation of a Cyber Unit housed within the SEC’s Enforcement Division that targets cyber-related misconduct, including hacking to obtain material nonpublic information, intrusions into retail brokerage accounts, and cyber-related threats to trading platforms and other ...

NYS DFS September 4, 2018 Cybersecurity Compliance Deadline

Tuesday, September 4, 2018 marked the New York State Department for Financial Service’s deadline for compliance with several sections of cybersecurity regulation 23 NYCRR 500 (the “Regulation”).  The Regulation covers any organization that operates (or is required to operate) under a license, registration, charter, certificate, permit, accreditation, or similar authorization under the Banking Law (Title 3 of the NYCRR), the Insurance Law (Title 11 of the NYCRR), or the Financial Services Law (Title 23 of the NYCRR) (a “Covered Entity”).  This is the third compliance ...

Update on California Consumer Privacy Act

By Bret Buckler and Todd Taylor
Recently the state of California passed a data privacy and security law called the California Consumer Privacy Act (“CCPA”) (Assembly Bill 375, found here).

The law, which takes effect on January 1, 2020, is aimed at establishing a defined set of rights for consumers with regard to how their personal information is being collected and used.  The political push for the law comes on the heels of a contentious few months where tech giants such as Facebook have admitted to potentially problematic data breaches and oversharing of personal information ...

What’s next for Facebook?

Now that the cameras have gone, the booster cushion has been removed from the witness chair, and Mark Zuckerberg is comfortably back in Palo Alto, having survived his marathon two days of testimony in front of a somewhat confused Congress, what’s next?

Regulations  

Following the revelations that a political marketing firm, Cambridge Analytica, improperly obtained personal information from approximately 87 million Facebook user profiles (including even Mark Zuckerberg’s!), Congress has more support than ever to regulate Facebook and other social media tech.  On his ...

The CLOUD Act – Congress Passes New Bill Which Will Impact Access To Cross-Border Data

By Tandy Mathis

On Friday, March 23, 2018, Congress passed a 2,232-page omnibus spending bill. Included in the bill was a bipartisan act known as the “Clarifying Lawful Overseas Use of Data Act” or CLOUD Act, which will allow United States law enforcement to access the data stored abroad for U.S. citizens and will provide some relief to foreign law enforcement agencies to access the data of their citizens when that data is stored in the U.S.

The CLOUD Act Overhauls an Outdated Stored Communications Act (SCA) and an Overburdened Mutual Legal Assistance Treaty (MLAT) Act

At its core ...

North Carolina Security Breach Report 2017

By Nathan White

According to the recently released North Carolina Attorney General Security Breach Report, nearly 5,337,154 North Carolinians were impacted by security breaches in 2017.  The Report highlights several trends data protection specialists and North Carolina businesses should take into consideration.

The report breaks down 1,022 data breaches occurring in North Carolina during calendar year 2017.  For the first time since reporting was required in 2005, hacking constituted a slight majority of the reported breaches at 50.49%.  This reflects a continuing trend of ...

Two Proposed Data Security Laws Reflect National Trend Toward Affirmative Responsibilities

With major consumer data breaches making headlines on a semi-regular basis, legislators around the country are starting to hold businesses more accountable for cybersecurity compliance.  Industry-specific laws such as HIPAA and the Gramm-Leach-Bliley Act (GLBA) already establish federal data security standards for some companies, and the Federal Trade Commission has taken the position that failure to have reasonable security measures is a violation of the FTC Act (see our DataPoints post here). 

From Massachusetts to New Mexico, a handful of state legislatures also have ...

Delaware Amends Personal Information Protection Law

On August 17, 2017, Delaware amended its personal information protection law, Delaware Code Title 6, Chapter 12B.  The amendment becomes effective 240 days after enactment or March 14, 2018. The amended law significantly enhances the protections afforded Delaware residents whose personal information has been – or is reasonably believed to have been – breached, by adding obligations on the part of a person or entity who conducts business in Delaware or owns, licenses and maintains “personal information” as the Delaware law defines the term. The major changes to the law are ...

“Not so fast, my friend*” -- Judge Orders DreamHost Comply with DOJ’s Disruptj20 Search Warrant, with Caveats

By Nathan A. White

Can the government force the hosting service of an activist website company to turn over vast amounts of user data in order to track down political protesters?  According to a federal court ruling, the answer is yes, but let’s slow this train down a little bit.  On Thursday, August 24, 2017, District of Columbia Superior Court Chief Judge Robert E. Morin ordered DreamHost to comply with a search warrant issued by the Department of Justice on July 12, 2017 seeking IP addresses and other data of visitors to the “disruptj20.org” website hosted by DreamHost.  Disruptj20 ...

D.C. Circuit Finds that Theft of Health Insurance Subscriber ID Numbers Is a Cognizable Injury in Identity Theft Litigation

By Bill Butler

Recently, the D.C. Circuit Court of Appeals ruled in Attias v. CareFirst, Inc., No. 16-7108, that customers had standing to sue a health insurer for a 2014 data breach in which the customers’ information was stolen.  In reversing the district court’s dismissal of the class action, the D.C. Circuit held that the customers’ allegations that the hackers accessed and took their Social Security numbers, credit card numbers, and health insurance subscriber ID numbers were each independently sufficient to show actual or imminent injury.  The customers’ complaint ...

About Data Points: Privacy & Data Security Blog

The technology and regulatory landscape is rapidly changing, thus impacting the manner in which companies across all industries operate, specifically in the ways they collect, use and secure confidential data. We provide transparent and cutting-edge insight on critical issues and dynamics. Our team informs business decision-makers about the information they must protect, and what to do if/when security is breached.
