District Court Finds Allegations That Data Breach Exposed Publicly Available and Non-Sensitive Personal Information Sufficient for Article III Standing
Potentially signaling an expansion of the scope of constitutional standing in data breach cases, a district court in the Northern District of California recently held that the exposure of users’ non-sensitive, publicly available personal information may be sufficient to establish an injury-in-fact.[1]
FTC Commissioners Continue Calls for National Data Privacy and Security Legislation
On May 8, 2019, Commissioners from the Federal Trade Commission repeated their calls for federal data privacy legislation enforceable by the FTC at a hearing by the House Committee on Energy & Commerce titled “Oversight of the Federal Trade Commission: Strengthening Protections for Americans’ Privacy and Data Security.”
CFIUS Forces Kunlun to Unwind 2016 Acquisition of Grindr Over Concerns About the Protection of Sensitive Personal Data
On March 27, 2019, journalists affiliated with Reuters reported that the Kunlun Group (“Kunlun”), a China-based tech firm, was preparing to sell its wholly owned subsidiary, Grindr, after the Committee on Foreign Investment in the United States (“CFIUS”) informed the group that Kunlun’s continued ownership of Grindr constituted a national security risk. This forced divestiture of Grindr is a pointed reminder that CFIUS remains focused on protecting the sensitive personal data of U.S. citizens, has the power to upend closed deals that have not been cleared by the committee, and is dedicating increased resources to the review of transactions that are not notified to CFIUS.
Federal Trade Commission Issues 2018 Privacy and Data Security Update
On Friday, March 15, 2019, the U.S. Federal Trade Commission (“FTC”) issued its 2018 Privacy & Data Security Update (the “Update”) detailing its activities last year in seven “zones” of privacy and data security: enforcement, advocacy, rules, workshops, reports and surveys, consumer education and business guidance, and international engagement.
Canadian Financial Regulator Publishes New Cyber Incident Reporting Guidelines Effective March 2019
On January 24, 2019, Canada’s Office of the Superintendent of Financial Institutions (“OSFI”) released an Advisory detailing new requirements for Canadian federally regulated financial institutions (“FRFIs”) to report cyber incidents within 72 hours. FRFIs include banks, trust companies, loan companies, life insurance companies, property and casualty insurance companies, and fraternal benefit societies.
The new reporting requirements become effective on March 31, 2019.
Germany Limits Facebook’s Data Collection and Processing, Refers to GDPR
On February 6, 2019, the German antitrust agency, the Federal Cartel Office (“FCO”), imposed limitations on Facebook’s current practice of collecting and processing user data and prohibited using the related terms of service. After an almost three-year-long investigation, the FCO found that some of Facebook’s business practices amounted to an abuse of a dominant position. For the first time, the FCO also based its abuse-of-dominance analysis on whether the dominant company complied with the GDPR, bringing GDPR compliance into its competition law assessment.[1]
Cleary Partners Participate in Panel Discussion on Cybersecurity and Board Oversight
At the end of January, partners Daniel Ilan and Alexis Collins participated in a panel co-hosted by The Conference Board and Cleary Gottlieb to discuss cybersecurity and board oversight.
Moderator Doug Chia, executive director of The Conference Board, Nick Mankovich, Vice President and Chief Information Security Officer (“CISO”) at medical technology firm Becton Dickinson, Daniel, and Alexis discussed current cybersecurity risks, how cyber-attacks are changing, and the role that management and the board should play in ensuring that companies are prepared.
2018 Cybersecurity and Data Privacy Developments: A Year in Review
In 2018, data privacy and cyber breaches made headlines throughout the year.
Major companies continued to suffer data breaches, highlighting the risks and potential costs of cyber incidents across industries. At the same time, a growing and overlapping thicket of data security and privacy regulations—within the U.S., European Union, Latin America, and elsewhere—continued to increase…
U.S. Criminal Prosecution Based on Panama Papers Hack Raises Novel Legal Issues
Nearly a decade ago, WikiLeaks ushered in the age of mass leaks. Since then, corporations, governments, public figures and private entities have increasingly had to reckon with a new reality: that vigilantes, activists, extortionists and even state actors can silently steal and rapidly disseminate proprietary information, including customer data and other sensitive information. Last month, the Department of Justice (“DOJ”) indicted four individuals based on information first revealed in the “Panama Papers” leak. This marks a significant milestone in law enforcement’s reliance on evidence based on an unauthorized mass leak of information. While leaks and hacks are not a novel phenomenon—in 1971, the New York Times published top secret documents on the Vietnam War and, in 1994, a paralegal leaked tobacco industry documents that ultimately cost the industry billions of dollars in litigation and settlement costs—the frequency, scale and ease of dissemination of leaked information today present a difference not only of degree, but of kind. The new Panama Papers-based criminal case will likely raise a host of novel legal issues based on legal challenges to the DOJ’s reliance on information illegally obtained by a third party, as well as information that would ordinarily be protected by the attorney-client privilege. In this memorandum, we discuss the potential issues raised by the prosecution and their implications.
NFA Amends Interpretive Notice Regarding Cybersecurity Programs
On January 7, 2019, the National Futures Association (“NFA”) provided additional guidance on the required cybersecurity practices of certain NFA members by amending its Interpretive Notice entitled NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs (the “Interpretive Notice”). The Interpretive Notice currently requires each NFA member futures commission merchant (“FCM”), commodity trading advisor, commodity pool operator, introducing broker (“IB”), retail foreign exchange dealer, swap dealer (“SD”) and major swap participant to implement a written information systems security program (“ISSP”) and enact other cybersecurity procedures sufficient to identify, address and respond to cybersecurity incidents. The amendments to the Interpretive Notice are informed by NFA examinations of member ISSPs since the Interpretive Notice became effective in March 2016. They are intended to clarify certain common questions posed by NFA members related to internal approvals of the ISSP and employee training. The amendments additionally impose a new notification requirement for specified cybersecurity incidents.