Two Recent Cases Highlight the Insider Trading Risks Associated with Cyber Breaches

The recent convictions of two traders for using hacked press releases and the settlement of SEC insider trading charges against a former Equifax manager highlight the significant insider trading risks companies face when dealing with a cyber event.  These risks come in two forms.

First, there is the risk that someone (either inside or outside the company) has gained unauthorized electronic access to material nonpublic information (“MNPI”) about the company or one of its business …

Standards vs. Rules for Cyber Regulation – The Eleventh Circuit Weighs in Against the FTC and in Tacit Support for the NYDFS Approach

On June 6, 2018, the Eleventh Circuit vacated a cease and desist order issued by the FTC against LabMD as unenforceably vague.  The FTC’s Order, which resulted from a finding that LabMD had failed to maintain an adequate cybersecurity program, directed LabMD to “establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers. . …

Private Actions Under the GDPR—One More Privacy Concern for U.S. Companies to Worry About?

In the lead-up to the EU’s General Data Protection Regulation (“GDPR”) becoming effective on May 25, little attention was paid in the U.S. to the private right of action that the GDPR creates. But so far, private actors have filed approximately 24 cross-border GDPR complaints with EU regulators.

At least four significant complaints were filed on May 25 by privacy activist Max Schrems—who brought down the U.S.-EU Safe Harbor Framework in 2015—and his non-profit organization, …

NYDFS Brings Its First Cybersecurity Enforcement Action

We had previously predicted that the Equifax data breach could lead to increased state-level cybersecurity enforcement. On June 27, the NYDFS announced that Equifax has agreed to take corrective action for its 2017 data breach, as set forth in a consent order reached with the NYDFS and seven other state banking regulators.  This enforcement action comes quickly after the NYDFS was given authority to regulate credit reporting agencies for cybersecurity.  The order requires Equifax …

Getting Rid of Old Data Is Becoming a Regulatory Requirement

For years, the default setting at many companies was to keep electronic data indefinitely. Storage is cheap, there are legal risks associated with deleting data, and you never know when an email from 10 years ago is going to become important. Some companies have document management policies, but often they are not rigorously enforced or they are suspended whenever litigation arises. The result is that most companies have enormous amounts of old data and are …

New Breach Notification Regulations – More Requirements with Less Time to Respond

Readers of our blog know that the NYDFS cybersecurity rules and the European GDPR are part of a trend in regulation towards onerous breach notification requirements with very short (i.e., 72-hour) deadlines.  But there are other, less well-known examples.

Alabama and South Dakota recently passed data security statutes, which means there are now breach notification obligations for all 50 states.  Alabama’s Data Breach Notification Act, effective on June 1, has a 45-day notification deadline, …

More Companies Doing ‘Tabletop’ Exercises to Test Crisis Management

A recent article in the American Lawyer highlights the growing relevance of lawyer-led “tabletop” exercises, where companies engage in half-day or full-day drills designed to test their response plans for various crisis scenarios.

Executives are increasingly utilizing these exercises to hone their emergency policies, procedures, and decision-making.  Originally developed to help oil and gas companies prepare to respond to environmental disasters, tabletops are now commonly used for cyber breach trainings and, increasingly, other kinds of …

NYDFS Highlights Continued Importance of Cybersecurity in M&A Due Diligence

The New York Department of Financial Services (“NYDFS”) recently issued guidance for its covered entities[1] highlighting the importance of cybersecurity as a necessary part of M&A due diligence. This guidance comes in the greater context of the Yahoo! SEC resolution to demonstrate that regulators are paying close attention to the cybersecurity risks posed by mergers.  According to the NYDFS Frequently Asked Questions page, its Covered Entities are expected to conduct “a serious due diligence …

GDPR Is Almost Here, Making Breach Notification Even More Complicated

For U.S. companies subject to the GDPR, figuring out breach notification obligations is about to get even harder as the GDPR adds another layer of complexity to the existing patchwork of 50 different state breach notification laws and several federal ones.

The GDPR will come into force on May 25, 2018, and it will apply to thousands of U.S. companies that use or store the personal data of individuals living in the EU.  Not only …

FTC Reaches Proposed Settlement With Mobile Phone Manufacturer BLU, Highlighting the Importance of Effective Oversight of Third-Party Vendor Data Security and Privacy Practices

On April 30, 2018, BLU Products, Inc. (“BLU”) reached a settlement with the Federal Trade Commission (“FTC”) over allegations that BLU allowed ADUPS Technology Co. LTD (“ADUPS”) to collect detailed personal information about BLU’s consumers without their knowledge or consent, despite BLU’s assurances that it would keep the information secure and private, and that BLU generally failed to implement appropriate security procedures to oversee the security practice of its …