A recent FTC settlement highlights the need for companies to oversee their service providers, with respect to both collection of personal information and data security practices.

On April 30, 2018, the U.S. Federal Trade Commission (“FTC”) announced a settlement with BLU Products, Inc. (“BLU”), a Florida-based mobile device manufacturer, resolving allegations that BLU shared sensitive consumer data with a third-party service provider in violation of BLU’s privacy policy and the FTC Act.   Continue Reading FTC Settlement Signals the Importance of Service Provider Oversight

On April 18, 2018, government officials and cyber industry experts gathered in Washington, D.C., for the 2018 Incident Response Forum addressing legal and compliance challenges that arise following a data breach.  At the conference, representatives from the SEC, DOJ, FTC, and other federal and state enforcement agencies discussed their top data breach-related concerns and enforcement priorities.  Representatives spoke in their own capacity and were not making official agency statements, but their opinions can provide useful insight into agencies’ decision making processes and substantive views. Continue Reading Regulators and Law Enforcement Discuss Cyber Enforcement Priorities and Urge Cooperation Following Data Breaches

Over recent months, numerous state regulators, including in Massachusetts, Texas, and New Jersey, have been exercising greater oversight of cryptocurrency businesses.[1]  On April 17, 2018, the office of the New York Attorney General Eric Schneiderman (“NYAG”) launched the Virtual Markets Integrity Initiative, which will seek information from various platforms that trade cryptocurrencies to better protect consumers.  The initiative responds to concerns that cryptocurrency trading platforms may not provide consumers with the same information available from traditional exchanges.  As part of the initiative, the NYAG’s Investor Protection Bureau sent thirteen major cryptocurrency trading platforms questionnaires relating to internal policies, controls, and best practices.  The Bureau intends to consolidate and disseminate to consumers the information it receives. Continue Reading New York Attorney General Becomes Most Recent State Regulator To Foray Into Cryptocurrency Oversight

The US-China Business Council (“USCBC”) released a report on February 5, 2018.  The report identifies three key areas in which the China Cybersecurity Law (the “CCL”), which came into effect in June 2017, has posed significant challenges to companies’ ability to conduct business in China, and sets forth detailed recommendations to the Chinese regulators to address such challenges. We previously discussed the CCL and the international business community’s concerns regarding the law’s expansive scope, prescriptive requirements, and lack of clarity on a range of critical issues. The new USCBC report raising many of these same concerns can be accessed hereContinue Reading US China Business Council Lays Out Recommendations to Improve China’s Cybersecurity Regulations

In the wake of recent high-profile data breaches and in the absence of federal data protection legislation, states continue to propose new laws aimed at protecting the personal data of their residents.  On January 23, 2018, the Senate Judiciary Committee of South Dakota approved and forwarded for consideration by the full senate a bill that would require companies and individuals who operate and collect personal data in South Dakota to report data breaches affecting residents of the state within 60 days of discovery and, if more than 250 residents are affected by a data breach, to the Attorney General and consumer reporting agencies as well.  Following a number of comments received from state business associations, the Senate Judiciary Committee added to the proposed bill a threshold for risk of harm such that if, pursuant to “an appropriate investigation” and following notice to the Attorney General, a company reasonably determines that a breach is not likely to result in harm to an affected South Dakota resident, then notice to such resident is not required.  Failure to comply with the breach notification law could constitute a “deceptive act or practice” under state law enforceable by the Attorney General, who is also empowered under the law to recover civil damages not to exceed $10,000 per violation per day.  The bill will next be considered by the full senate and if passed, would leave Alabama as the sole U.S. state without a consumer data breach notification law. Continue Reading South Dakota and Colorado are Latest States to Propose New Data Privacy Laws

A recent decision by an intermediate Illinois appellate court, Rosenbach v. Six Flags Entm’t Corp.,[1] suggests that state courts—which are not bound by federal Article III standing limitations in entertaining suits—will not necessarily provide a more plaintiff-friendly forum for data privacy suits than their federal counterparts.

Earlier this month, we wrote about the Second Circuit’s summary order in Vigil v. Take-Two Interactive Software, Inc.[2]  There, the court affirmed the dismissal of a class action lawsuit brought in the Southern District of New York under the Illinois Biometric Information Privacy Act[3] (“BIPA”) for want of Article III standing because the plaintiffs had failed to allege an injury-in-fact, but remanded the case with instructions to amend the judgment and enter a dismissal without prejudice.[4]  The district court had ruled that the BIPA’s limitation of the private right of action to a “person aggrieved by a violation” meant that the plaintiffs’ failure to allege an injury-in-fact was also fatal to their claims as a matter of state law, meaning that the case should be dismissed with prejudice for failure to state a claim.[5]  The Second Circuit vacated that portion of the ruling on jurisdictional grounds, which left the door open for the plaintiffs to attempt to bring their claims in state court without any allegation of actual harm. Continue Reading Illinois Appellate Court Holds That Mere Technical Violations Of Data Privacy Statute Are Insufficient To State A Claim

In the wake of the high-profile breaches at Equifax and Uber, several constituencies have been making a sustained push for a federal data protection and breach statute.  Last week, a broad coalition of bank, insurance and retail associations urged Congress to pass national legislation establishing uniform data protection and breach notification standards.  In their letter, the organizations stressed that businesses and consumers would benefit from uniform requirements, in contrast to the current regime involving overlapping and sometimes differing State requirements.  Among other things, the letter urged Congress to adopt legislation that imposed flexible and scalable standards for data protection depending on the size and nature of the company and exclusive enforcement of the new national standards by the FTC and state Attorneys General (other than entities subject to state insurance regulation or who comply with the Gramm-Leach-Bliley Act and HIPAA). Continue Reading 2018 Brings Continued Calls for a Federal Data Protection and Breach Statute

On Monday, December 11, 2017, SEC Chairman Jay Clayton waded into the ongoing debate surrounding cryptocurrencies, initial coin offerings, and the regulation of both.  In a statement urging potential investors to exercise caution and market professionals to focus on their responsibility to help protect investors, the Chairman warned of the susceptibility of the burgeoning crypto markets to manipulation and fraud. Continue Reading SEC Chairman Offers Views on Initial Coin Offerings

On December 5, 2017, the National Institute of Standards and Technology (“NIST”) published a proposed update to its Framework for Improving Critical Infrastructure Cybersecurity (the “Framework”).  NIST is a non-regulatory federal agency within the Department of Commerce, with a mission to promote innovation and industrial competitiveness in the United States by advancing measurement science, standards and technology in beneficial ways.  The Framework was initially developed as a result of the issuance of Executive Order 13636 in 2013 (“Executive Order”), which specifically addressed the cybersecurity of critical infrastructure (defined below) and directed NIST to work with stakeholders to develop a voluntary framework for reducing cyber risks to such critical infrastructure.  Therefore, the Framework provides nonbinding guidance, and compliance is not mandatory.  In practice, the Framework is used as the basis for best practices by many companies in the United States that have cybersecurity policies and procedures.  The Framework has generally been praised as a successful example of cooperation between the public and private sector and is cited by many as a more effective approach than prescriptive regulatory requirements. Continue Reading NIST Proposes Fine-Tuning of its Framework for Improving Critical Infrastructure Cybersecurity

On Monday, December 4, 2017, the U.S. Securities and Exchange Commission (SEC) obtained an emergency order from a U.S. District Court in New York to enjoin an allegedly fraudulent initial coin offering scheme.  The SEC’s complaint alleges that Dominic Lacroix, a recidivist securities law violator, and his company PlexCorps violated the anti-fraud and registration provisions of the U.S. federal securities laws in collecting up to $15 million in investor funds purportedly in exchange for digital tokens and promised returns in excess of 1,000% in 29 days.  The complaint also charges Lacroix’s partner Sabrina Paradis-Royer with securities fraud.  Among other relief, the district court has granted the SEC’s request to freeze the defendants’ assets.

Continue Reading Newly Created SEC Cyber Unit Takes First Action Against Allegedly Fraudulent ICO