With 2019 coming to a close, we wanted to take a look at what can be learned from the FTC’s cybersecurity enforcement actions this year.  As we have previously noted, the FTC came under criticism last year in the LabMD decision for not providing companies with sufficient clarity as to
Continue Reading What the Last Year of Cyber Enforcement Tells Us About the FTC’s Compliance Expectations

The Cybersecurity Law Report recently published an article by Davis Polk titled Lessons from Equifax on How to Mitigate Post-Breach Legal Liability.  The article analyzes the July 2019 settlement between Equifax and the Federal Trade Commission, Consumer Financial Protection Bureau, and 50 state and territorial attorneys general and uses
Continue Reading Lessons from Equifax on How to Mitigate Post-Breach Legal Liability, by the Davis Polk Cyber Blog Team, published in The Cybersecurity Law Report

On Episode 4 of the Davis Polk Dialogues podcast, Avi Gesser joined Davis Polk partners Jon Leibowitz and Ronan Harty and former Federal Trade Commission (“FTC”) official Eileen Harrington to discuss the FTC’s Hearings on Competition and Consumer Protection in the 21st Century.  The episode covers, among other topics, the
Continue Reading Avi Gesser Discusses FTC Hearings and Cybersecurity Issues on Davis Polk Dialogues Podcast

Momentum is building in Congress for federal privacy legislation and several states have their own privacy laws in the works.  But, as concerns grow that companies are collecting and sharing personal information about U.S. residents without their knowledge and not adequately protecting that data, regulators and plaintiffs aren’t waiting for
Continue Reading Regulators and Plaintiffs Aren’t Waiting for Privacy Legislation: Companies Face Potential Liability Now and Can Take Steps to Reduce Risks

In our first Cyber Blog post, we predicted that the rules-based approach adopted by the NYDFS would become the model for cybersecurity regulation.  Two years later, we’re feeling pretty good about that prediction, as the FTC recently proposed incorporating a number of aspects of the NYDFS cybersecurity rules into
Continue Reading The FTC Moves Toward a Rules-Based Approach to Cybersecurity Regulation for Financial Institutions

On June 6, 2018, the Eleventh Circuit vacated a cease and desist order issued by the FTC against LabMD as unenforceably vague.  The FTC’s Order, which resulted from a finding that LabMD had failed to maintain an adequate cybersecurity program, directed LabMD to “establish and implement, and thereafter maintain,
Continue Reading Standards vs. Rules for Cyber Regulation – The Eleventh Circuit Weighs in Against the FTC and in Tacit Support for the NYDFS Approach

On April 30, 2018, BLU Products, Inc. (“BLU”) reached a settlement with the Federal Trade Commission (“FTC”) over allegations that BLU allowed ADUPS Technology Co. LTD (“ADUPS”) to collect detailed personal information about BLU’s consumers without their knowledge or consent, despite BLU’s assurances that
Continue Reading FTC Reaches Proposed Settlement With Mobile Phone Manufacturer BLU, Highlighting the Importance of Effective Oversight of Third-Party Vendor Data Security and Privacy Practices

On April 23, 2018, Senators Klobuchar (D-Minn.) and Kennedy (R-La.) introduced the Social Media Privacy Protection and Consumer Rights Act of 2018 (“the Act”), which was referred to the Senate Commerce Committee. Like the CONSENT Act introduced by Senators Markey (D-Mass.) and Blumenthal (D-Conn.)—discussed in detail in our
Continue Reading New Bipartisan Bill Shows Renewed Congressional Attention to Data Privacy and Security

Plaintiffs in data breach cases have tried many theories of recovery, including negligence, negligence per se, violations of state data protection statutes, violations of the Fair Credit Reporting Act, breach of fiduciary duty, and violations of the constitutional right to privacy, with mixed results.

Courts have rejected many of these
Continue Reading The Rise of State Consumer Protection Act Cyber Cases