Global Privacy & Security Compliance Law Blog

Category Archives: Security

Subscribe to Security RSS Feed

US Magistrate Judge Upholds Search Warrants for Google Data Stored Overseas, “Shards” and All

By Serrin Turner and Megan Behrman Another front recently emerged in the legal battle over whether US law enforcement authorities can use a search warrant issued under the Stored Communications Act (SCA) to obtain data stored overseas. Until now, the battle has been focused in New York, where Microsoft filed a challenge in December 2013 … Continue Reading

Keeping Your Company’s Data Safe This Tax Season

By Jennifer Archie and Alex Stout Tax-related identity theft is nothing new, but tax season 2016 took tax schemes to a new level. Last year, our cyber experts advised a large cluster of clients (public and private companies) over a period of only two weeks, following a nationwide explosion of deviously simple attacks—mostly targeted at … Continue Reading

Financial Institutions Await Response to Concerns Over New York State Department of Financial Services’ Proposed Cybersecurity Rules

By Jennifer Archie, Alan Avery, Serrin Turner, and Pia Naib Dozens of financial institutions and trade associations have lodged emphatic objections with the New York State Department of Financial Services (NYSDFS) in response to the Department’s September 28, 2016 Notice of Proposed Rulemaking entitled “Cybersecurity Requirements for Financial Services Companies” (the Proposed Rules). As published … Continue Reading

Around the Table: Behind the Headlines of Evolving Cyberthreats

Latham partners Serrin Turner, Jennifer Archie and Jeffrey Tochner sat down with Eric Friedberg, Executive Chairman at Stroz Friedberg, and Matt Olsen, President – Consulting at IronNet Cybersecurity, to discuss current cyberthreat levels and the growing need for companies to devote resources for future risk mitigation.    … Continue Reading

Prevent and Prepare for a Cybersecurity Breach

By Jennifer Archie, Gail Crawford, Andrew Moyle, Serrin Turner, and Brian Meenagh Hacking of organizations’ systems is becoming increasingly commonplace, even with advancements in security practices. To mitigate risk, a company must have an enterprise-level, cross-functional incident response plan that is rehearsed and practiced. In the event of an incident a company with a rehearsed … Continue Reading

Anonymous or Not: Court of Justice Issues Ruling on IP Addresses

By Gail Crawford and Ulrich Wuermeling On October 19, 2016, the Court of Justice of the European Union (CJEU) issued a ruling on the question of whether IP addresses constitute personal data. The ruling has direct implications on the general question of when data can be regarded as anonymous and, thus, fall outside the scope of data … Continue Reading

“Yarovaya” Law – New Data Retention Obligations for Telecom Providers and Arrangers in Russia

By Ksenia Koroleva On July 6, 2016, Russian President Vladimir Putin signed Federal Law No 374-FZ. This law is also known as the “Yarovaya” law (named after a Russian senator who was the main driving force for the law to come into existence). The Yarovaya law introduces amendments to certain Russian federal laws. The majority … Continue Reading

Proposal of EU-US Privacy Shield Leaves Businesses in State of Uncertainty

By Ulrich Wuermeling, Gail Crawford and Jennifer Archie Earlier this week, the European Commission announced that a “political” agreement has been reached on a new framework for data flows from the EU to the US. The announcement highlights a few changes from the old Safe Harbor regime, such as more direct and active oversight by US … Continue Reading

MEPs Agree to Europe’s First-Ever EU Cybersecurity Law

By Gail Crawford and Andrea Stout On December 7th, members of the European Parliament (MEPs) and the Luxembourg Presidency of the EU Council of Ministers provisionally agreed to the text of the long awaited network and information security directive also known as the cybersecurity directive (Directive). While the text of the proposed Directive has yet … Continue Reading

St. Elizabeth’s Medical Center Pays $218,400 to Settle Alleged HIPAA Security Case Stemming from Use of Cloud-Based Document Sharing Service

By Jennifer Archie, Susan Ambler Ebersole, and Kasey Branam Alleged HIPAA Violations Resulted from Medical Center’s Failure to Risk Assess Internet-Based Document Sharing Application and Inadequate Breach Response The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) reached a settlement in the form of a Resolution Agreement and Corrective Action … Continue Reading

SEC Issues Regulation SCI Upping Information Security Requirements for Key Market Participants

The SEC today published in the Federal Register its Regulation SCI (Regulation Systems Compliance and Integrity), which requires key market participants to have and implement written policies and procedures reasonably designed to ensure the availability, confidentiality and integrity of their systems as necessary to assure the fair and orderly operation of the markets.  Among the … Continue Reading

Singapore’s first data breach?

The Straits Times reported on 14 August that Singapore’s Personal Data Protection Commission (the “Commission”) is investigating a complaint from a user that Xiaomi has breached the Personal Data Protection Act 2012 (“PDPA”). This is believed to be the first investigation under the main PDPA rules unrelated to the Do Not Call registry which came … Continue Reading

Webcast: The Role of General Counsel Before and After a Data Breach Incident

Speakers: Jennifer Archie, Kevin Boyle, Gail Crawford & David Schindler The legal and business consequences of recent high-profile data breaches are varied and severe. Today, lawyers and executives for large enterprises must assess and advise on complex multi-jurisdictional notification, investigation, litigation and remedial issues that arise following a major data breach incident. How are general … Continue Reading

Data Security Compliance and APTs: New Insights from “Putter Panda”

By Kevin Boyle and Alex Stout On Monday, the data security firm CrowdStrike released a new report pointing a digital finger at the Chinese Army for cyber espionage against western technology companies. It has long been known that some of the most serious cyber challenges stem from state-sponsored attacks using encryption, customized tools that anti-virus … Continue Reading

Eight Key Takeaways from FTC’s Settlement with Snapchat

By Jennifer Archie, Kevin Boyle & Alex Stout Yesterday, the Federal Trade Commission announced a settlement with Snapchat, the young mobile messaging company. The complaint alleges misrepresentations about functionality and related security as well as privacy violations, including misrepresenting the amount of data Snapchat collected from users and the use of location data for analytics … Continue Reading

Heartbleed: What to do now

By Kevin Boyle & Alex Stout Hardly a day passes now without some new report of a security vulnerability with inevitable breaches that follow, but Monday’s news about the two-year old vulnerability in OpenSSL is (or should be) catching everyone’s attention.  The problem is a coding error in a widely used cryptographic software library for … Continue Reading

HIPAA Omnibus Final Rule Compliance Deadline is Today – 3 Things You Need to Know

By, Jeremy M. Alexander, Natalie E. Brown & Susan A. Ebersole The day all covered entities and business associates have been working toward is here—September 23, 2013, the deadline to comply with the changes in the HIPAA omnibus final rule, published on January 25, 2013.  Here is a review of the top three compliance categories … Continue Reading

FDA Issues Draft Guidance on “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices”

By Elizabeth Richards and Kevin Boyle On June 14, 2013, the Food and Drug Administration (“FDA”) issued a draft guidance entitled, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.” (“Guidance”). The Guidance was issued in response to growing concerns about IT vulnerabilities due to the increased use of wireless, Internet and network-connected … Continue Reading

HHS Publishes Omnibus HIPAA/HITECH Final Rule

By Susan Ambler Ebersole HHS today published the long-awaited HIPAA/HITECH omnibus final rule.  A pre-publication version of the Rule was released on January 17.  The Rule is effective March 26, 2013, but covered entities and business associates have until September 23, 2013 to comply.  While Latham & Watkins is still engaged in a comprehensive review … Continue Reading

Compliance and Enforcement in the Hospitality Industry Webinar Available

An August 2 webcast on Compliance and Enforcement in the Hospitality Industry  looked at the FTC proceedings in the Wyndham Hotels matter and identified some key takeaways, while considering how similar issues might play out in the European Union. (For those unable to follow the live webcast, the full presentation is now available online.) Some … Continue Reading

Data Security: Compliance and Enforcement in the Hospitality Industry

August 2 Webcast to Consider Risks and Responses A recent high-profile enforcement action by the Federal Trade Commission (FTC) provides meaningful context and occasion for examining data security risks in the hospitality industry. In late June, the FTC filed suit against global hospitality company Wyndham Worldwide Corp. and three of its subsidiaries for alleged data security … Continue Reading
LexBlog