Data Security

Subscribe to Data Security

In guidance released last week, the New York State Office of the Attorney General urged businesses to incorporate safeguards to detect and prevent credential-stuffing attacks in their data security programs.  The guidance stemmed from the AG’s finding that 1.1 million customer accounts at “well-known” companies appeared to have been compromised in credential-stuffing attacks.

Credential stuffing

FTC Advises Companies to Remediate Log4j VulnerabilityIn an unusual warning to companies running Java applications with Log4j in their environments, the Federal Trade Commission (FTC) recently cautioned that it “intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j[] or similar known vulnerabilities in

On October 6, 2021, the Senate Commerce Committee conducted its second in a series of hearings dedicated to consumer privacy and data, this time addressing Data Security.  Similar to last week’s privacy hearing, the witnesses and Senators appeared to agree that federal data security standards – whether as part of privacy legislation or on their own – are urgently needed. If there were to be consensus around legislative principles, the hearing provides clues about what a compromise might look like.

Prepared Statements. In their opening statements, the witnesses emphasized the need for minimum standards governing data security.

  • James E. Lee, Chief Operating Officer of the Identity Theft Resource Center, explained that without minimum requirements, companies lack sufficient incentives to strengthen their data security practices to protect consumer data. Lee also advocated for more aggressive federal enforcement rather than the patchwork of state actions, which, he said, produce disparate impacts for the same conduct.
  • Jessica Rich, former Director of the FTC’s Bureau of Consumer Protection and counsel at Kelley Drye, emphasized that current laws do not establish clear standards for data security and accountability. She advocated for a process-based approach to prevent the law from being outpaced by evolving technologies and to ensure that it accommodates the wide range of business models and data practices across the economy. Among her recommendations, Rich suggested that Congress provide the FTC with jurisdiction over nonprofits and common carriers and authority to seek penalties for first-time violations.
  • Edward W. Felten, former Deputy U.S. Chief Technology Officer, former Chief Technologist of the FTC’s Bureau of Consumer Protection, and current Professor of Computer Science and Public Affairs at Princeton University, focused on the need to strengthen the FTC’s technological capabilities, including increasing the budget to hire more technologists. Notably, Felten advocated for more prescriptive requirements in data security legislation such as requiring companies to store and transmit sensitive consumer data in encrypted form and prohibiting companies from knowingly shipping devices with serious security vulnerabilities.
  • Kate Tummarello, Executive Director at Engine, a non-profit organization representing startups, addressed the importance of data security for most startups. Tummarello advocated for FTC standards or guidance with flexible options. Cautioning against overburdening startups, Tummarello explained that newer companies take data security seriously because they do not have the name recognition or relationships with consumers that larger companies may have, and a single breach could be extremely disruptive. Additionally, Tummarello highlighted that the patchwork of state laws provides inconsistent and unclear data security guidance and imposes high compliance costs.


Continue Reading Hope Emerges at Senate Data Security Hearing – But Will Congress Grab the Brass Ring?

Ad Law Access Podcast

Our increased reliance on the Internet to conduct our daily affairs has thrust an additional spotlight on data security that much important. On another 101 edition of the Ad Law Access podcast, it will cover data security and covers five key points businesses should keep in mind as they continue to refine their data security

Coronavirus testing and screening procedures are central to many companies’ return-to-work plans.  Because testing and screening data is often sensitive and may help to determine whether individuals are allowed to work, companies need to be aware of the privacy and security risks of collecting this data and protect it appropriately.  Failing to do so may

Effective January 1, 2020, New Hampshire’s new Insurance Data Security Law will impose certain information security requirements on entities that (1) are licensed under the state’s insurance laws and (2) handle “nonpublic information.” “Nonpublic information” is defined as information that is not publicly available and falls into one of the two following categories:

  1. Information that

Last week, the FTC sent a closing letter to Morgan Stanley Smith Barney LLC (“Morgan  Stanley”) relating to the agency’s investigation over whether Morgan Stanley engaged in unfair or deceptive acts or practices by failing to secure certain account information related to its Wealth Management clients.

The investigation examined allegations that a Morgan Stanley employee

On Tuesday, the California Attorney General released the second annual data breach report, summarizing the 167 data breaches reported to the Attorney General’s office in 2013, and providing privacy and security recommendations for businesses. According to the report, the retail, finance, and healthcare industries reported over 60 percent of the 167 breaches, over half