Regulation

Announced GDPR Fine Against Marriott Raises Reporting and Coverage Implications

By: Joshua Mooney and Andrew Lipton

Last week, on July 9, 2019, the United Kingdom’s Information Commissioner’s Office (ICO) announced its intention to fine Marriott International £99.3 million (about $124 million), or 2.5% of Marriott’s worldwide annual revenue, in connection with the breach of the Starwood guest reservation database. Last November, Marriott announced a breach of the Starwood brand reservation database, potentially compromising the accounts of approximately 500 million guests. The compromise reportedly first took place in 2014, before Marriott acquired Starwood in 2016. According to the ICO’s statement, the breach involved a variety of personal data found in approximately 339 million guest records, including 30 million records relating to residents of 31 countries in the European Economic Area (EEA) and 7 million records relating to UK residents.[1]

A Warning to Law Firms and Litigants: Unlawful Disclosure of PHI in Litigation Can Lead to Trouble

By: Joshua A. Mooney

Handling sensitive data with appropriate care in litigation is a critical aspect of legal practice. Recent ABA Formal Opinions 477 and 483 discuss requirements for securing protected client information and lawyers’ obligations after a cyberattack. Conduct during litigation is no different. Unless a statute provides otherwise, the context of litigation does not affect a person’s legal duties when handling sensitive data. In Menorah Park Ctr. for Senior Living v. Rolston, 2019 Ohio App. LEXIS 2175 (May 30, 2019 Ohio Ct. App.), a plaintiff in a small-claims matter is learning this lesson the hard way.

The FTC Wants More Power to Investigate Corporate Data Privacy Violations: Will Cyber Insurance Cover the Costs of a Company’s Response?

On May 8, 2019, all five commissioners of the U.S. Federal Trade Commission (FTC) testified before a congressional hearing on data privacy regulation and enforcement. At the hearing, the FTC commissioners testified that the FTC seeks enhanced powers to investigate and prosecute privacy violations by large companies. According to the commissioners, fines are not enough. As FTC Commissioner Rohit Chopra noted during the testimony, “[the FTC] cannot change behavior without finding out who at the top caused those problems.” The clear takeaway from this testimony? Companies that collect, process and store personal data from their customers should prepare themselves for an increase in data privacy-related investigations, especially coming from the FTC.

Data Protection Laws: Following GDPR Enactment, US States Take Action

By: Sedgwick Jeanite

The European Union’s General Data Protection Regulation (GDPR) governs the processing of “personal data.” With its arguably extraterritorial reach, it is perhaps the most significant change in the EU’s data protection regime in the last 20 years, and its effect has been widespread. Since May 2018, several U.S. states have proposed or enacted their own data protection laws, some of which grant consumer rights and impose requirements that mirror those found in GDPR. The most notable legislation is the California Consumer Privacy Act of 2018 (CCPA). Much has already been written on that legislation. Since then, several other states have proposed similar laws. Most of these bills have been introduced within the last few months, and are as follows: …

The SEC Expands Its Enforcement Efforts to Include Cryptocurrency Exchanges

By: Sedgwick Jeanite and Neil Thomson

In an enforcement action filed on November 8, 2018, the Securities and Exchange Commission (SEC) ordered that 31-year-old Zachary Coburn, founder of the EtherDelta cryptocurrency exchange, cease and desist from operating the trading platform. The SEC’s enforcement action is significant because it marks the first time the U.S. securities regulator pursued an unregistered cryptocurrency exchange, and is indicative of a growing trend of enforcement against a booming – but previously little-regulated – industry. In this case, Coburn had failed to register EtherDelta as an exchange as required by Section 6 of the Securities Exchange Act of 1934 (the Exchange Act), and was therefore found to be in violation of Section 5 of the Exchange Act.

OIG Recommendations to the FDA for Medical Device Cybersecurity: Foretelling Additional Regulation and Requirements for Controls?

By: Sedgwick Jeanite

With more and more medical devices connected to the Internet of Things (IoT), there is increasing concern over the vulnerability of such devices to cyberattacks. That exposure falls not only on the manufacturers and healthcare providers that deploy IoT medical devices, but also on the insurance carriers that insure against such risks. Highlighting this concern, a recent report released by the Office of the Inspector General (OIG) found that the Food and Drug Administration (FDA) has insufficient controls to respond to cybersecurity problems with medical devices already on the market. The Federal Food, Drug, and Cosmetic Act provides that the FDA’s mission is to ensure that medical devices legally marketed in the United States are safe and effective for their intended uses. …

New York’s Cyber Regulations Now Apply to Credit Reporting Agencies

By: Josh Mooney and Emma Bechara

On June 25, 2018, the New York Department of Financial Services (NYDFS) issued a final regulation that requires any credit reporting agency (CRA) with “significant operations” in New York to register with the NYDFS and comply with the NYDFS cyber regulations under Part 500. CRAs must register by September 15, 2018. Significantly, as outlined below, CRAs also must begin complying with New York’s cyber regulations as early as November 1, 2018 – i.e., in four months. …

FTC to Investigate Facebook’s Use of Personal Data

By: Josh Mooney and Gwenn Barney

Allegations that Facebook allowed a data analytics company to mine the information of at least 50 million Americans have led to the opening of a Federal Trade Commission (FTC) investigation as to whether the company breached its 2011 consent decree with the agency by transferring personal data to Cambridge Analytica without the users’ prior knowledge and affirmative consent. …

Insider Trading Charges Brought Against CIO for Post-Breach Trading

By: Joshua Mooney and Gwenn Barney

On March 14, 2018, the Securities and Exchange Commission (SEC) charged a chief information officer (CIO) for a US business division of Equifax with insider trading in advance of Equifax’s September 2017 disclosure of the massive security breach it suffered that exposed personal information of approximately 148 million Equifax customers. …

SEC Updated Guidance on Cyber Disclosure by Publicly Traded Companies in a Digitally-Connected World

“To win a race, the swiftness of a dart availeth not without a timely start.”
~ Jean de La Fontaine

The Securities and Exchange Commission (the “Commission”) Wednesday announced updated cybersecurity guidance for public companies. This guidance reinforces the Division of Corporation Finance guidance issued in October 2011 and expands upon it to include two new topics: (i) the importance of cybersecurity policies and procedures and (ii) the application of insider trading prohibitions in the cybersecurity context. The guidance itself and early reactions make it evident that the Commission is committed to aggressively regulating this area over the long haul. …