The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

By Topic: State Attorneys General

  • From Vol. 4 No.40 (Nov. 28, 2018)

    The Growing Role of State AGs in Privacy Enforcement 

    Across the country, state Attorneys General are playing an increasingly active role in data privacy and security enforcement. D. Reed Freeman, a partner at WilmerHale, spoke to The Cybersecurity Law Report about a range of issues related to state AGs, including what laws they are enforcing, how they coordinate across state lines, the California Consumer Privacy Act, how to be proactive with state AGs and the impact of the 2018 midterm elections. See also “Takeaways From State AGs’ Record-Breaking Target Data Breach Settlement” (May 31, 2017).

  • From Vol. 4 No.21 (Jul. 18, 2018)

    What to Expect From California’s Expansive Privacy Legislation

    The sweeping California Consumer Privacy Act of 2018 merits attention – it affects more companies than many realize, differs from the GDPR in important ways and may presage other similar state privacy laws. The law will most likely be amended before its January 1, 2020, implementation date, but organizations would be wise to start preparing now. We analyze the new requirements. See also “The GDPR’s Data Subject Rights and Why They Matter” (Feb. 28, 2018).

  • From Vol. 4 No.15 (Jun. 6, 2018)

    Analyzing New and Amended State Breach Notification Laws

    With the recent adoption of statutes by Alabama and South Dakota this year, all 50 states have breach notification laws integrating notification procedures. Arizona, Colorado and Oregon have also recently revised and strengthened their existing data breach notification laws. This article details the provisions of the new statutes and amendments, with insights from McGuireWoods partner Janet P. Peyton. See “Synthesizing Breach Notification Laws in the U.S. and Across the Globe” (Mar. 2, 2016).

  • From Vol. 4 No.3 (Feb. 14, 2018)

    NY AG and HHS Flex Regulatory Muscles in Recent Protected Health Information Breach Settlements

    Recent enforcement actions against Aetna Inc. and Fresenius Medical Care Holdings, Inc. resulted in respondents agreeing to pay significant fines and to update their policies, procedures and training. These cases, brought by the Office of the Attorney General of the State of New York and the Office for Civil Rights of the U.S. Department of Health & Human Services, are an important reminder that human error is often a significant factor in data breaches and that physical security is a critical component of data privacy. In addition, the Aetna action is the most recent example of New York's active cybersecurity efforts. "New York has been on the leading edge of data security regulation. . . The Attorney General [] has been proactive," Patterson Belknap partner Craig A. Newman told The Cybersecurity Law Report. "It's fair to say that cyber is at the top of the state's regulatory agenda." We detail the breaches and settlement terms. See also “Takeaways From State AGs’ Record-Breaking Target Data Breach Settlement” (May 31, 2017).

  • From Vol. 4 No.2 (Jan. 31, 2018)

    Biometric Data Protection Laws and Litigation Strategies (Part One of Two)

    Both the public and private sectors are increasingly using biometric identification as a security method, making it more important than ever to understand the wide range of relevant legal requirements and restrictions. During a recent WilmerHale webinar, firm attorneys Jonathan G. Cedarbaum and Arianna Evers analyzed the regulatory landscape related to the collection and use of biometric data. In the first installment of our two-part series, we cover their presentation on relevant state laws and notable cases, litigation strategies and defenses. Part two will cover applicable federal and international regulations. See also “Actions Under Biometric Privacy Laws Highlight Related Risks” (Dec. 6, 2017).

  • From Vol. 3 No.11 (May 31, 2017)

    Takeaways From State AGs’ Record-Breaking Target Data Breach Settlement

    In the largest multistate data breach settlement to date, Target Corporation recently agreed to pay $18.5 million, develop and implement an information security program and retain a third party to assess and report on the program. Target has now spent more than $200 million responding to the fallout from its 2013 holiday-season data breach. This settlement, along with the Safetech settlement in NY, is a clear indication that the state AGs are determined to have a say on best cybersecurity practices, experts told The Cybersecurity Law Report. This article addresses Target’s handling of the breach and its aftermath and offers compliance takeaways for other companies. See also “Lessons From the 2013 Target Data Breach: What Future Resolutions of Large-Scale Data Breaches May Look Like” (May 6, 2015).

  • From Vol. 3 No.4 (Feb. 22, 2017)

    Lessons for Connected Devices From the FTC’s Warning Against Unexpected Data Collection 

    In a recently announced $2.2 million settlement with television manufacturer VIZIO, the FTC and the state of New Jersey emphasized the importance of providing notice and consent particularly when connected-device users may not expect the types of data collection and sharing taking place. The action demonstrates the coordination of federal and state enforcement agencies, and the settlement terms serve to inform connected-device companies about the agencies' expectations. In terms of data collection and disclosure, “companies should consider what consumers expect of a device, particularly if it was an analog device that has not been smart in the past,” FTC attorney Megan Cox told The Cybersecurity Law Report. See “FTC Priorities for 2017 and Beyond” (Jan. 11, 2017); and “Privacy, Security Risks and Applicable Regulatory Regimes of Smart TVs” (Jan. 11, 2017).

  • From Vol. 2 No.9 (Apr. 27, 2016)

    Regulators Speak Candidly About Cybersecurity Trends, Priorities and Coordination

    Understanding the regulators’ priorities and concerns can help a company work effectively with them to investigate and respond to cybersecurity incidents. In a recent panel at the ABA National Institute on Cybersecurity Litigation, authorities from the DOJ, the SEC, the FCC and the Connecticut Attorney General’s office weighed in about the cyber threat landscape, their agencies’ enforcement priorities, strategies for collaboration (including when and how information shared with the government will remain confidential) and effective incident response. See also “Private and Public Sector Perspectives on Producing Data to the Government” (Jun. 3, 2015).

  • From Vol. 2 No.8 (Apr. 13, 2016)

    The Regulators’ View of Best Practices for Social Media and Mobile Apps

    Social media and mobile apps provide consumers and companies with a host of benefits, such as improved access to information and the tailoring of content to the consumer, but also present privacy and security challenges that are continually evolving. At a recent PLI program, a panel of regulators shared their views on the emerging regulatory landscape for social media and mobile apps. Laura D. Berger, a senior attorney in the division of privacy and identity protection at the FTC; Joanne McNabb, the director of privacy education and policy in the privacy enforcement and protection unit of California’s Attorney General’s office; and Thomas M. Selman, executive vice president, regulatory policy, and legal compliance officer of FINRA, discussed their respective agencies’ roles and responsibilities, the enforcement priorities of their agencies, and examples of best practices in the use and development of social media and mobile apps. D. Reed Freeman, Jr., a partner at WilmerHale, moderated the panel. See “Legal and Regulatory Expectations for Mobile Device Privacy and Security (Part One of Two)” Feb. 3, 2016; Part Two, Feb. 17, 2016.

  • From Vol. 1 No.16 (Nov. 11, 2015)

    Liability Lessons from Data Breach Enforcement Actions

    Inadequate cybersecurity measures can expose companies not only to data breach incidents, but to liability from multiple fronts, including state attorneys general, the FTC and civil litigants.  In a recent panel at the Practising Law Institute, Michael Vatis, a Steptoe & Johnson partner, and KamberLaw partner David Stampley discussed the dynamic enforcement and judicial climate in this space, distilling actionable takeaways from recent settlements with state attorneys general, FTC actions including Wyndham, and evolving consumer litigation jurisprudence.  The enforcement actions and litigations are instructive for companies seeking to fortify their internal information security and data privacy efforts and guard against the risk of liability in the event of a breach.  See also “After a Cyber Breach, What Laws Are in Play and Who Is Enforcing Them?,” The Cybersecurity Law Report, Vol. 1, No. 4 (May 20, 2015). 

  • From Vol. 1 No.10 (Aug. 12, 2015)

    Navigating the Evolving Mobile Arena Landscape (Part Two of Two)

    Mobile devices, and their constantly changing technology, present unique cybersecurity and privacy issues. In the second installment of our coverage of a recent panel at PLI’s Sixteenth Annual Institute on Privacy and Data Security Law, Aaron P. Simpson, a partner at Hunton & Williams, and H. Leigh Feldman, global chief privacy officer at Citi, discuss these challenges and contextualize relevant policy and regulatory landscapes in the U.S. and Europe, including enforcement activity. The first article in the series explained the specific challenges related to mobile and wearable technology and presented best practices for stakeholders as consumers demand control of their information. See also “Tackling Privacy and Cybersecurity Challenges While Fostering Innovation in the Internet of Things,” The Cybersecurity Law Report, Vol. 1, No. 4 (May 20, 2015).

  • From Vol. 1 No.4 (May 20, 2015)

    After a Cyber Breach, What Laws Are in Play and Who Is Enforcing Them?

    Recent reports detail a breathtaking and unrelenting rise in cyber breaches, with five malware events occurring every second, and 60% of successful attackers able to compromise an organization within minutes.  But the law has not kept pace with technological innovation.  There is no single uniform law protecting individual privacy, nor one that governs all of a company’s obligations or liabilities regarding data security and privacy.  As Jenny Durkan and Alicia Cobb, a partner and associate, respectively, at Quinn Emanuel Urquhart & Sullivan, detail in a guest post, any business that suffers a significant cyber breach almost certainly will face not only multiple civil suits, but multiple investigations by federal and state authorities.  The authors provide a roadmap to the key authorities and the patchwork of relevant rules and regulations.
