The FTC Gang’s All Here – Five New Commissioners Confirmed

The Federal Trade Commission (FTC) is widely recognized as the primary federal regulator of cybersecurity and data privacy by virtue of its authority under Section 5 of the Federal Trade Commission Act to take enforcement action against unfair and deceptive trade practices, which authority has been upheld by various courts including the U.S. Court of Appeals for the Third Circuit. For just over a year, the FTC has operated with only two commissioners, one Republican and one Democrat. On April 26, 2018, the United States…
Continue reading...

Papua New Guinea Shuts Down Facebook…Temporarily

The democratic government of Papua New Guinea (PNG) has announced a one-month shutdown of Facebook access within the nation, to allow the government to assess the spread of objectionable content, and to “allow information to be collected to identify users that hide behind fake accounts, users that upload pornographic images, users that post false and misleading information on Facebook to be filtered and removed.” While regimes such as Iran, North Korea, and China currently censor the social networking site, PNG is the first democratic nation…
Continue reading...

Firewall’s Up: South Carolina Passes First-of-its-Kind Insurance Data Security Act

South Carolina recently became the first state to pass legislation modeled closely on the Insurance Data Security Model Law that was approved by the National Association of Insurance Commissioners (NAIC) last October. Amid the rising incidence of cyberattacks, cyber security is a key issue facing the insurance sector. South Carolina has taken a proactive step in protecting their business and customers from possible data breaches. The South Carolina Department of Insurance (SCDOI) Data Security Act, signed by the Governor on May 3, 2018, will become…
Continue reading...

Newsflash: Internet-Connected Devices Are Not Private

Last week, Amazon confirmed that it’s Alexa-powered Echo device may, in fact, listen in on private conversations, whether or not the device had been intentionally activated by a user. In this “extremely rare occurrence,” a couple’s private conversation was not only recorded, but was sent to a random number in the user’s address book without their permission. Earlier this year, users also reported “unexpected and unwarranted bursts of robotic laughter,” which many found to be extremely “creepy,” and which Amazon characterized as the…
Continue reading...

The SEC is Focused on Public Company Disclosure of Cybersecurity Risks

While new data privacy rules in the European Union have dominated the news lately, the U.S Securities and Exchange Commission (SEC) has not so quietly been making waves of its own in the regulation of cybersecurity. In February ,the SEC issued fresh guidance to public companies on the disclosure of cybersecurity issues, both in identifying risks prospectively and in disclosing breaches quickly. It then followed up that guidance in April with its first ever fine of a public company for failing to promptly disclose a…
Continue reading...

Data Breach Settlement Highlights Need for Proactive Management of Data Security Threats

Lincare Inc. recently agreed to settle a class action lawsuit for $875,000. The class plaintiffs consisted of employees whose personal information was compromised in 2017. The breach involved a business email compromise scam. The settlement amount is not the only cost to the company and in fact may cost less than implementing remedial measures (credit/identity monitoring) and IT reforms to prevent such an incident from happening in the future. For example, the settlement terms dictate that an additional two years of free credit and identity…
Continue reading...

GDPR: The Countdown to Compliance

Many companies, large and small, are scrambling with last-minute preparations for compliance with the European Union’s General Data Protection Regulation (GDPR), which goes into effect May 25, 2018. This is because If they don’t comply, they face fines of up to 4 percent of a company’s worldwide revenue for serious infractions or $20 million euros – whichever is higher. A recent IAPP survey of U.S. and European companies carried out by the Pokémon Institute has revealed that only 52 percent of companies expect to achieve
Continue reading...

Chili’s Carefully Announces Limited Data Breach

On May 11, 2018, Chili’s Grill & Bar learned that “some of [their] guest’s payment card information was compromised at certain Chili’s restaurants” as the result of a “data incident,” according to a press release on the company’s website. Preliminary investigations suggest malware was used to gather payment card information for purchases between March and April 2018. While such data incidents are increasingly common, Chili’s press release is notable for two reasons. Firstly, The release, presented as a letter to “valued guests,” provided…
Continue reading...

No More Chits to Call In: Computer Crime Policy Does Not Cover Fraudulent Transaction

In Interactive Communications International, Inc. v. Great American Insurance Company, a lawsuit closely monitored by those in the cyberinsurance space, the Eleventh Circuit affirmed a Georgia federal court’s decision, finding an insurance policy’s “Computer Fraud” coverage did not extend to certain losses caused by fraudsters. The decision comports with other recent decisions finding that social engineering fraud schemes do not satisfy the policy’s requirement of losses resulting directly from the use of a computer. Here, the devil was in the details. InComm operated a…
Continue reading...

FTC Settles False Representation Claim Against Mobile Phone Manufacturer

The Federal Trade Commission (FTC) has settled with BLU Products, Inc. over allegations that the unlocked mobile phone manufacturer allowed a third-party provider to collect detailed personal information about its consumers without their knowledge or consent. In 2016, BLU Products admitted that a third-party app called “Wireless Update” has been “collecting unauthorized personal data in the form of text messages, call logs and contacts from customers” on some devices. The FTC alleged that BLU Products, its co-owner, and president falsely claimed that only information needed…
Continue reading...