In an interesting IAPP article, Kelce Wilson, InfraGard General Counsel, describes how bad actors without any hacking expertise can potentially inject themselves into the middle of a data breach notification effort and engage in widespread identity theft. The other unanticipated consequence of data breach notification is this: with the trend toward public disclosure of data breach notification letters and statistics, more and more information is in the public domain about the types of data our organizations collect and whether or not we encrypt that data. Case in point: Massachusetts, where yearly Data Breach Notification Reports are available online. The 2018 Report shows the data breaches reported to Massachusetts authorities this year.
New Suit by Delta Reminds Everyone About the Importance of Data Security Protection in the Context of Third-Party Service Provider Relationships
On July 16th, the IRS issued controversial guidance eliminating the requirement for non-charitable exempt organizations to report the names of contributors on their tax returns.
The guidance is the end, for now, of a simmering political controversy relating to information available to the government regarding “dark money” and donations to non-charitable exempt organizations.
In a classic story of “it’s never over until it’s over,” cybersecurity David LabMD challenged the FTC’s Goliath-like ability to issue sweeping orders in relation to security concerns under Section 5(a) of the Federal Trade Commission Act. LabMD had lost its challenge to the FTC’s underlying authority to issue such orders, but continued its fight, ultimately challenging the wording of the FTC’s form order itself. And LabMD ultimately won in a landmark decision that can be found here.
On June 28, 2018 the Department of Justice (“DOJ”) and the Securities and Exchange Commission (“SEC”) announced parallel criminal and civil charges against Sudhakar Reddy Bonthu, a former software development manager, for selling his shares of Equifax stock before Equifax publicly announced that it had suffered an immense data breach.
As cybersecurity regulatory frameworks mature, the move has been toward risk-adjusted security requirements rather than prescriptive controls mandated by a legislature or administrative agency. This makes sense, of course, for two primary reasons.