PubKCyber is the go-to source for the most critical regulatory, policy, and oversight developments related to federal cybersecurity. Our coverage includes federal cyber regulations and policy, local and state activity, international law and agreements, federal regulatory body activity, congressional and agency oversight, and industry standards, as well as legal actions and court decisions related to cybersecurity, privacy, and fallout from security breaches.
To help their clients manage multi-state data breach notification efforts, Snell & Wilmer’s Breach Response Team has developed an interactive Data Breach Map that provides an overview of the data breach statutes in all 50 states as well as the territories of the United States.
By clicking on a state, you can see a summary of the key features of its notification statute; highlights include PII and breach definitions, along with notification requirements, including the circumstances in which the state Attorney General’s Office or a similar consumer protection agency is required to be notified, as well as timing requirements for the notifications to individuals.
It additionally provides a visual summary for those states that require notification when PII has merely been accessed as compared to those states that only require notification when PII has been acquired.
The Eleventh Circuit has issued its decision in LabMD v. FTC, a closely watched case in which LabMD challenged the Federal Trade Commission’s authority to regulate the data security practices of private companies. The Court of Appeals declined to decide that issue, instead finding that the FTC’s order requiring LabMD to implement certain data security reforms was unenforceable because it lacked specificity. The court’s decision may nevertheless impact many of the FTC’s consent orders—even those not having to do with data security.
As we previously reported, the FTC faulted LabMD for failing to have “basic” data security practices. The Commission found that this failure resulted in the unauthorized disclosure of personal information pertaining to 9,300 individuals. As a result, it ruled that LabMD’s data security practices amounted to “unfairness” under Section 5 of the FTC Act. And, as in many of the FTC’s other data security cases, it ordered LabMD to reform those practices.
LabMD challenged the FTC’s order in federal court. Its primary argument was that the FTC exceeded its legal authority in finding that LabMD’s data security practices were unfair acts or practices under the FTC Act. After the Eleventh Circuit stayed enforcement of the FTC’s order, some observers believed that the court might agree with LabMD on this point. This would have created a circuit split with the Third Circuit, which upheld the FTC’s authority to regulate data security under the “unfair practices” prong of Section 5 of the FTC Act. However, the Eleventh Circuit did not address the FTC’s legal authority to regulate data security. Instead, the court assumed as true that LabMD’s failure to maintain reasonable data security was an unfair act or practice under Section 5.
Although the court did not limit the FTC’s legal authority to regulate data security, the Eleventh Circuit nonetheless ruled against the FTC—and in doing so may have limited the Commission’s ability to enforce broad remedial orders.
The court began its analysis by noting that the harm at issue in the case—the unauthorized disclosure of consumers’ personal information—occurred because a LabMD employee installed a peer-to-peer file-sharing application on her work computer, against the company’s policy. The opinion suggests that the FTC could have crafted a sufficiently specific order to remedy this harm by requiring that LabMD eliminate the possibility that employees “could install unauthorized programs on their work computers.” Instead, the FTC went beyond this specific occurrence and alleged that LabMD’s data security practices were deficient as a whole. As the court put it: for the Commission, “it was LabMD’s multiple, unspecified failures to act in creating and operating its data-security program that amounted to an unfair act or practice.” And in order to remedy this perceived widespread failure, the FTC’s order included “sweeping prophylactic measures” that would have regulated “all aspects” of LabMD’s data security practices.
It was the vagueness—in the court’s view—of these prophylactic measures that resulted in the Eleventh Circuit vacating the FTC’s order for lack of specificity. The court found that the order would have required LabMD to satisfy “an indeterminable standard of reasonableness” rather than instructing the company “to stop committing a specific act or practice.” And in requiring that LabMD meet this standard, the order included “precious little about how this [would have been] accomplished.” As a consequence of failing to include greater specificity in the order, the Eleventh Circuit feared that it would have fallen on a federal district court in enforcement proceedings to give concrete meaning to the order’s requirements. But because the order was “devoid of any meaningful standard informing the court what constitutes a ‘reasonably designed’ data-security program,” the district court would have no way of determining whether LabMD was complying with the order.
It is not yet clear how the FTC will respond to this decision. The Commission might seek rehearing en banc or appeal the decision to the Supreme Court in order to address some of the questions left unanswered by the Eleventh Circuit’s opinion. For example, in reaching its conclusion, the court did not discuss the long-standing “fencing-in” doctrine—under which the FTC has historically justified its broad remedial orders—although the Commission raised the issue in its brief.
If the decision stands, however, it could affect the viability of some of the Commission’s remedial powers. Many of the consent orders that the FTC has required companies to adopt—particularly those involving data security, but also some related to other issues—have included broad prophylactic remedies that are similarly premised on a reasonableness standard. In the wake of this decision, some of those companies may now wonder whether their orders are also unenforceable.
Commerce Secretary Wilbur Ross reports that the U.S. and China reached a deal that will allow ZTE Corp. to get back to business, ending a nearly two-month shutdown of the Chinese telecommunication giant’s operations, despite a backlash in Washington.
The agreement requires ZTE to pay a $1 billion fine and allow U.S. enforcement officers inside the Chinese company to monitor its actions. In return, ZTE can resume buying components from U.S. suppliers that it needs to make smartphones and build telecoms networks.
Following an unusual intervention by the White House, the Department of Commerce has reversed export restrictions prohibiting Chinese telecom firm ZTE from purchasing U.S.-made hardware and software. Commerce levied the sanctions in March, after ZTE failed to comply with an earlier settlement and fine imposed amid allegations the firm was doing business with sanctioned companies. The ban would have prevented ZTE from buying Qualcomm computer chips and using Google’s Android operating system.
Instead, ZTE now will pay $1 billion on top of $892 million in penalties it has already paid to the U.S. under the earlier agreement, and put $400 million in an escrow account, bringing ZTE’s penalty total to $2.29 billion. Additionally, ZTE will allow the U.S. to oversee its compliance program for 10 years.
The U.S. Court of Appeals for the Eleventh Circuit ruled in favor of LabMD, a now-defunct cancer testing laboratory, in its longstanding legal dispute with the Federal Trade Commission. The court vacated a 2013 FTC enforcement action against the lab, which was filed after the commission concluded that LabMD violated Section 5 of the FTC Act, which relates to unfair or deceptive business practices, when it failed to protect patient data from security breaches. FTC’s consent order required the firm to establish a comprehensive information security program; obtain periodic independent, third-party assessments of the program for 20 years; and advise consumers affected by the breach on methods for protecting themselves from identity theft. That order was issued in 2016 despite an earlier decision by FTC’s administrative law judge dismissing the case.
In vacating the action, the Eleventh Circuit held the commission’s cease and desist order was unenforceable and that the consent order failed to enjoin a specific act or practice. Instead, it mandated a complete overhaul of LabMD’s data security program, while saying little about how the lab should accomplish this, the court explained.