Antitrust Law Source

Archives: Privacy & Data Security


Still need a data breach response plan? The FTC offers a guide to help.

If you have not yet developed a data breach response plan, the FTC has stepped in to help. The FTC has prepared a guide, a short video and a corresponding segment on its business blog to help businesses prepare for data breach events. The guide and video provide key considerations, including having your computer forensic expert or team identified, steps to notify affected parties and law enforcement, and processes to remediate a breach event. The guide also points to additional resources for breaches of electronic health information. Perhaps most helpful, the guide offers a simple template data breach notification …

FTC has ruled….and companies better beware!

In a move that surprised no one, the Federal Trade Commission (FTC) reversed the decision of its own Administrative Law Judge (ALJ) and held that LabMD’s “data security practices constitute an unfair act or practice within the meaning of Section 5 of the FTC Act.” There are two noteworthy aspects to the opinion. First, if the magnitude of the harm is great enough, the risk of its occurrence can be low and still satisfy the “substantial injury” requirement. Second, believe it or not, the word “likely” does not mean “probably.” …

Part two: Privacy matters

Continuing with part two of this three-part series about privacy and data security, Ana Crawford gives an update on which federal agencies and states are dipping their toes in the data protection arena.…

Part one: Privacy matters

In this three-part series, Jay speaks with attorneys across Porter Wright’s departments and practices about privacy and data security. Today’s podcast begins with Christina Hultsch who talks about the options available for European Union companies to transfer data. …

Consumer data breaches

What happens if your personally identifiable information is stolen, but no harm has come to you…yet? Do the eyes of the court feel that simply the fear of harm warrants relief? Jay and Ryan Graham discuss the differing decisions to date and how things may evolve in the future.…

ABA Section of Antitrust Law Spring Meeting 2016: The FTC and the new frontier of privacy

Continuing our series on the 2016 Spring Meeting, Ryan Graham, an associate in the Antitrust Group and former analyst with the FBI’s Cyber Division, summarizes the panelists’ thoughts on the FTC’s future focus as it relates to privacy and data security.

Privacy and data security lawyers would love to know what initiatives the Federal Trade Commission (FTC) will be spearheading in privacy and data security in the future. A recent panel discussion at the Spring Antitrust Meeting sponsored by the American Bar Association provided some predictive insight into this question. In the panel discussion entitled “The FTC and the New …

Are data breaches covered under insurance policies?

In defending against a class action case where patient information was found online for months without being secured, the insurance company was found to have a duty to defend the defendant, who held an insurance policy that covered the publication of patient information. The case, Travelers Indemnity vs. Portal Healthcare, is important because it’s one of the first decisions to rule on whether data breach litigation is covered under commercial insurance policies.…

Big data and what can be done with it: Part three

In our last installment of the big data podcast series (listen to part one and part two), Jay and Phil discuss how companies deal with data breaches. They talk about how consumer trust is vital and how customers may prepare in advance for these breaches. Finally, Phil shares three tips when it comes to using customers’ information for competitive advantage.…

Big data and what can be done with it: Part one

In part one of this three-part series, Jay talks with Phil Rist, executive vice president of Prosper Business Development, about how his company collects big data and utilizes it to detect trends that aid his clients in developing their strategic plans. Phil discusses how his company not only takes data available from the federal government but also administers “emotional surveys” to track the feelings of today’s population to build predictive models for future events. Phil and Jay discuss challenges and opportunities for big data in 2016 – how the internet of things (wearable devices, Bluetooth-enabled devices, trackable …

Health care data breaches – inevitable, but you can minimize the damage

Data breaches in health care can be the most devastating, both to the consumers whose personally identifiable information was exposed and to the institutions that possessed this sensitive data. In this podcast Jay and Christina Hultsch review the various issues surrounding such data breaches, including when to review data security policies, how to prepare for a potential breach and how to deal with third-party vendor access.…

FTC chief administrative law judge: No harm, no foul

In a long-awaited decision, the FTC’s chief administrative law judge (ALJ) ruled against FTC staff and held that LabMD did not violate Section 5 of the FTC Act by not reasonably securing customer data. The basis for the decision was that staff could not prove that customers would suffer “substantial injury” from LabMD’s data breach. Because the ALJ decided the case on those grounds, he never reached two critical issues – namely, were LabMD’s data security protections “unreasonable” and does the FTC have jurisdiction to enforce the unfairness prong of Section 5 to reach unreasonable data protection measures. …

Third Circuit’s Wyndham decision – Part two

So what did the Third Circuit hold in FTC vs. Wyndham and what does the decision really mean? Jay and Ryan continue their discussion of the Third Circuit’s decision and give you some key takeaways on what this means for companies that collect personally identifiable information.…

Third Circuit’s Wyndham decision – Part one

In part one of this two-part series, Jay is joined by Ryan Graham, a colleague at Porter Wright and former FBI analyst, to discuss the Third Circuit’s decision in FTC vs. Wyndham. Ryan and Jay discuss generally the various agencies that have authority over data security and the challenges facing companies that have experienced a data breach. They also outline the issues involved in the Wyndham case.…

Third Circuit affirms FTC authority to sanction companies’ insufficient cyber security postures

The Third Circuit’s recent ruling in FTC v. Wyndham Worldwide Corp., No. 14-3514 (3rd Cir. Aug. 24, 2015) marks a watershed moment in the ongoing saga of Wyndham Worldwide Corporation’s (Wyndham) data breach litigation. Prior to this decision, federal cyber security regulation has existed in the legal badlands, with the Federal Trade Commission (FTC), the Securities and Exchange Commission and the Department of Justice regulating different aspects of data security using separate and overlapping authorities. Congress has shown little consensus on passing a comprehensive federal data breach law, and the states have created what could generously be described as …

Managing post-data breach litigation just got harder

Data breaches are messy stuff, no doubt about that. They consume a huge amount of corporate resources, damage a company’s goodwill and can cost a lot of money. No real news there. And while the technological challenges in preventing, and responding to, data breaches are ever-changing – fueling the booming cybersecurity industry – the corporate response to a data breach is fairly standardized. Basic steps include (not necessarily in this order):

  • Convene response team, including IT, HR, legal and crisis management, among others (you do have a response team, right? If not, let’s talk)
  • Figure out what happened, including whether

Ascertainability is different from other class action elements …seriously, we aren’t joking

A little over a year ago we wrote to discuss the FTC’s Order against Aaron’s, one of the country’s largest rent-to-own (“RTO”) stores, charging that its franchisees were spying on its customers.  Well, the inevitable follow-on class actions were filed and recently, in Byrd v. Aaron’s Inc., — F.3d –, 2015 U.S. App. LEXIS 6190 (3d Cir. Apr. 16, 2015), the Third Circuit clarified the analysis for the ascertainability requirement for class actions.  While perhaps not as salacious a topic as the conduct underlying the actions themselves, the opinion could have important repercussions for antitrust and consumer class …

Hospital pays six figures to settle data breach enforcement suit

At the end of last month, Boston hospital Beth Israel Deaconess Medical Center (BIDMC) settled a data breach lawsuit brought by the Massachusetts Attorney General related to the 2012 theft of a physician’s laptop. Under a consent decree entered on Nov. 20, 2014, BIDMC agreed to pay $100,000 and to take a number of steps to ensure future compliance with state and federal data security laws.

The state of Massachusetts filed the enforcement suit against BIDMC on the same day as the consent decree’s entry, alleging that an unauthorized person gained access to a BIDMC physician’s unlocked office on campus …
