Apr 152014

Mark Wolski of Bloomberg BNA reports:

April 8 –Iowa Gov. Terry Branstad (R) recently signed legislation (S.F. 2259) that amends the state’s data breach notification law to require covered entities to notify the state attorney general of breaches affecting more than 500 Iowans.

Under the measure, covered entities must notify the attorney general within five business days after notifying affected individuals.

S.F. 2259, which was signed by the governor April 3, will take effect July 1.

Paper Documents Now Covered

S. 2259 expands the scope of the state’s data breach notice law beyond coverage for breaches affecting unencrypted computerized data to now include personal information in any form, including paper.

Read more on Bloomberg BNA.

One of the additional benefits of the new amendment is that we will now have another state with a centralized repository of data breach reports that I can seek under FOI. More work for me, but yay!

Apr 142014

Here’s another commentary/analysis of Judge Salas’s ruling on Wyndham’s motion to dismss that is worth noting here, by the law firm of Covington & Burling: They write, in part:

The FTC’s data-security authority is still in jeopardy. Although the FTC is the plaintiff in this case, it is really Wyndham that is on the offensive. If Wyndham prevails in the court of appeals on the issue of the FTC’s statutory authority or the need for rulemaking, it would be a major blow to the agency’s ability to pursue companies for lax data-security practices. Wyndham could also prevail in the district court if the FTC fails to produce sufficient evidence in support of its claims to survive a motion for summary judgment, a result that could be nearly as devastating to the FTC as a loss in the court of appeal. On the other hand, if the FTC manages to win in the district court and the court of appeals, the victory will simply ensure that the agency can continue doing what it has been doing for years: using its unfairness authority to regulate data-security practices.

Read more on Covington & Burling.


Apr 142014

As I expected, a slew of law firms posted their analyses and commentaries on Judge Salas’s ruling on Wyndham’s motion to dismiss the FTC’s complaint about its data security.

I haven’t linked to most of them, but took note of this commentary by Lance Koonce and Christin McMeley of Davis Wright Tremaine as they take a less FTC-friendly view on the issue of fair notice.  They write, in part:

There is a tension between Judge Salas’ rejection of numerous consistent public statements by the FTC disavowing its power as “unconvincing,” discussed above, and the judge’s willingness to accept a patchwork of publications and statements and consent decrees by the FTC as giving fair notice of a discernible standard for reasonable data protection that businesses everywhere must understand and follow.  Indeed, the public statements and business guidance brochures can hardly meet the specificity of an interpretive rule or general statement of policy that would be required to go through a rigorous public (and congressional) comment period and give affected businesses an opportunity to conform to the any applicable standard.


The question is whether this is the manner in which we want our agencies to promulgate guidance for all businesses operating with the jurisdiction of the United States on a topic as important as data security, rather than through formal rulemaking. Moreover, do we want agencies to then be able to bring standalone enforcement actions for violations of that guidance? While it may be possible for scholars to assemble lists of standards from various sources, is this the optimal way for companies to ascertain the applicable standards and apply them on the ground? How thoroughly must a company scour FTC literature, public statements and settlements, and to what extent must every piece of guidance be followed—for instance, is “Privacy by Design” now a requirement that must be followed, and what type of documentation of compliance with that rubric will suffice if the FTC challenge’s a company’s compliance? How will a company ever feel confident that it is providing “FTC-sufficient” protection for its customers’ data?

Apr 112014

Wow. The U.S. Court of Appeals for the Third Circuit just reversed Andrew Auernheimer (“Weev”)’s conviction – not based on anything to do with the Computer Fraud and Abuse Act issues that defense counsel had raised, but because the court determined that the case never should have been heard in New Jersey. Ars Technica and TechDirt have some preliminary media coverage.

You can read the opinion here.

For Weev, this is certainly good news, as he has been subjected to not only prison, but lengthy periods of isolation.

Kudos to the defense and appeals team on this one, but obviously, Weev’s not out of the woods and the important issues about narrowly interpreting CFAA did not get addressed.

Apr 102014

Jeff Kosseff writes:

Based on the extensive news coverage of this week’s court ruling against Wyndham Hotels and Resorts in its battle with the Federal Trade Commission (FTC), one would think that the sky is falling on efforts to resist FTC enforcement actions relating to data security.

Adweek wrote that the case is “a test for how much authority the FTC has in bringing cases against companies the agency deems have inadequate data security standards.”Law360 dubbed the opinion “the latest and most important federal court decision on data security enforcement.” Nextgov called the ruling “a major win for the agency.”

I offer a different take on the ruling: The sky is not falling.

Indeed, it may even be safe to say that nothing has changed in the past week.

Read more on IAPP.


Apr 052014

Robert R. Baron, Jr., David S. Fryman, Corinne Militello, and Philip N. Yannella of Ballard Spahr write:

A Pennsylvania federal magistrate judge has tossed an employer’s claims under the Computer Fraud and Abuse Act (CFAA), holding that the CFAA does not extend to punish employees for the misuse of information that was accessed with permission. The recent ruling follows the Fourth and Ninth Circuits, and district courts in the Third Circuit, in endorsing a narrow view of the CFAA, making it more difficult for employers in those jurisdictions seeking to state a claim under the CFAA against disloyal former employees.

Read more about Carnegie Strategic Design Engineers v. Cloherty, et al on LexisNexis.