Vermont’s “Data Brokers” Law is a Glimpse into the Future for Many Industries

Cybersecurity has been a field where the concept of state governments acting as legislative laboratories has been observed in real time, with multiple states passing different pieces of legislation every year. One of the more unique laws passed in 2018, and effective as of January 1, 2019, is Vermont’s descriptively titled “act relating to data brokers and consumer protection.” Although unknown to most consumers, there is a booming industry of “data brokers” who act as middlemen between companies who collect data and those looking to…

Absence of DOJ Regulations Does Not Bar Liability for Failure to Comply with the ADA

In the face of an ever-growing number of lawsuits based upon allegedly non-ADA compliant website designs, defendants have enjoyed little success obtaining dismissal at the pleadings stage of proceedings. One lingering glimmer of hope had been the viability of a due process argument premised upon the “primary jurisdiction” defense, which formed the basis of Judge Otero’s decision dismissing the plaintiff’s complaint in Robles v. Domino’s Pizza, LLC. In short, the defendant argued that the plaintiff’s action must be either stayed or dismissed because the…

National Counterintelligence and Security Center Launches Effort to Protect Industry Against State Actors

On January 7, 2019, the National Counterintelligence and Security Center (NCSC), which coordinates counter-intelligence efforts within the U.S. government, announced that it would begin disseminating its “Know the Risk, Raise Your Shield” materials in an effort to assist the private sector in guarding against threats from foreign intelligence entities and other adversaries. This campaign appears to have been prompted by the Trump administration’s efforts to drive U.S. companies to better protect their trade secrets from foreign hackers. This comes on the heels of recent cyber-attacks…

Department of Health and Human Services Releases Cybersecurity Guide for Healthcare Providers

Over a year of collaboration between the Department of Health and Human Services (HHS) and industry partners has culminated in the publication of a cybersecurity guide for medical providers of all sizes. HHS describes it as “a set of voluntary, consensus-based principles and practices to improve cybersecurity in the health sector,” that looks to “raise the cybersecurity floor” across the country. Although the guide emphasizes its wide applicability, much of the discussion appears directed at small and mid-sized providers. For example, HHS highlights a recent…

TSA Releases Cybersecurity Roadmap to Guard Against Evolving Cyber Threats

The Transportation Security Agency (TSA) has released its first Cybersecurity Roadmap to prioritize cybersecurity measures within the TSA and the nation’s transportation system, the Transportation Systems Sector (TSS). The TSA’s Cybersecurity Roadmap closely aligns with the more general DHS Cybersecurity Strategy published earlier this year. The roadmap notes that TSA’s mission responsibilities include: (1) securing its own networks, and (2) working with its partners and TSS stakeholders, in coordination with the Department of Homeland Security (DHS), to secure its cyberspace. In order to ensure cybersecurity…

An International Vow to Address Cybersecurity

On Monday, November 12, 2018, during the Internet Governance Forum at UNESCO’s headquarters in Paris, the French President Emmanuel Macron announced an international agreement referred to as the “Paris Call for Trust and Security in Cyberspace.” The agreement was signed by over 50 countries as well as businesses, including Facebook, Google, and Microsoft, and other organizations. Australia, the United States, Israel, Russia, and China are notably absent. The agreement first highlights the central role cyberspace plays in every aspect of present life and reaffirms…

In Line with GDPR, Canada Amends its Privacy Protection Regulation to Include Stringent and Mandatory Breach Notification Rules

On November 1, 2018, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) was amended to include stringent, mandatory breach notification rules. These rules are similar to the European Union’s General Data Protection Regulation (GDPR), which took effect in May, 2018. Organizations that conduct business in Canada will be subject to PIPEDA as well as the GDPR, if that organization is accessible in the European market. The new PIPEDA regulations reinforce the image of Canada as an international leader in personal data protection…

GAO Report on Cybersecurity Provides Useful Strategies for Federal Agencies and Private Industry

The Government Accountability Office (GAO) recently published another report in its High-Risk Series that details the major cybersecurity challenges facing the federal government and outlines key strategic elements to address those challenges. While the report focuses on issues pertaining to federal agencies, several of the observations and recommendations are also applicable to private businesses. To start, the report details five key elements that are needed to make progress in addressing cyber threats: 1) Leadership Commitment; 2) Capacity; 3) Action Plan; 4) Monitoring; and 5) Demonstrated Progress.…

The FTC Gang’s All Here, Part III

As we noted in a previous post, the United States Senate has confirmed five new commissioners, bringing a full complement to the Federal Trade Commission (FTC). Four of those commissioners have taken their seats, with the fifth likely to join in the Fall. Here we will provide the biographies of the last two commissioners (based on seniority). We have already discussed the other three new commissioners. Commissioner Rebecca Kelly Slaughter – Commissioner Slaughter was sworn in in May 2018. She comes to the…

Compliance Deadline Approaching for NY Cybersecurity Regulation

A key compliance date for the NY Cybersecurity Regulation is quickly approaching. September 4, 2018 will serve as the third key implementation date for individuals and companies (Covered Entities) governed by New York’s Cybersecurity Requirements for Financial Services Companies (23 NYCRR Part 500). Unless the Covered Entity qualifies for one of the exemptions under 23 NYCRR 500.19, by September 4, all Covered Entities must have completed the following*:
  • create and maintain systems that can reconstruct material financial transactions to support and maintain the obligations of
