Alabama officially joined the data breach notification party last month when the state’s governor signed a data breach notification law that will take effect on June 1, 2018. Although Alabama was the last state in the country to enact such a law, its new law will immediately take its place among the most stringent in the nation. …

The CFPB’s Office of Inspector General has issued a report indicating that, in performing an audit of the CFPB’s encryption of data on mobile devices issued to staff members, the OIG found the CFPB had not yet completed all of the steps previously identified by the OIG to address the risk created by unaccounted-for laptops. …

The FTC has released its annual report summarizing its activity during 2017 relating to privacy and data security issues. In its self-declared role as “the nation’s primary privacy and data security enforcer,” the FTC outlines 10 privacy cases and 4 data security cases that it brought in 2017, including Uber Technologies (transportation service), Vizio (television manufacturer), Blue Global (lead generator), Upromise (college rewards program), ACDI Group (an alleged debt buyer), TaxSlayer (tax preparation service), and D-Link (wireless routers and Internet cameras). …

Last week, the Federal Trade Commission (FTC) Bureau of Consumer Protection’s Acting Director, Thomas Pahl, posted on the FTC’s Business Blog about the FTC’s role as the federal agency with the “broadest jurisdiction” to pursue privacy and data security issues. Pahl noted that for over twenty years the FTC has used its authority “thoughtfully and forcefully to protect consumers even as new products and services emerge and evolve.” …

On September 29th, the Office of the Inspector General (OIG) that oversees the CFPB released a memorandum detailing the major management challenges facing the CFPB. The memo identified four areas of improvement that, unless addressed, would otherwise hamper the CFPB’s ability to accomplish its strategic objectives:

  • Ensuring an Effective Information Security Program
  • Ensuring Comprehensive Policies and Procedures Are in Place and Followed
  • Maturing the Human Capital Program
  • Managing and Acquiring Sufficient Workspace to Support CFPB Activities

Despite the vast quantities of consumer information being collected by the CFPB as part of its consumer protection mission, the CFPB has not fully implemented an information security continuous monitoring program, including a comprehensive data loss prevention system and oversight of contractor-operated information systems. …

Last August, we blogged about a Third Circuit decision that held the FTC can regulate cybersecurity policies and procedures as “unfair” acts or practices under Section 5 of the FTC Act. In our blog post, we commented that banks and other companies subject to the CFPB’s jurisdiction faced the possibility that the CFPB could begin using its Dodd-Frank authority to bring enforcement actions against companies engaged in unfair, deceptive, and abusive acts and practices (UDAAP) to regulate cybersecurity policies and procedures. …

As we have previously observed, banks and other companies subject to the CFPB’s jurisdiction face the possibility that the CFPB could begin using its authority under Sections 1031 and 1036 of the Dodd-Frank Act (which proscribe unfair, deceptive or abusive acts or practices) to regulate cybersecurity policies and procedures.

For companies also subject to the FTC’s jurisdiction, the threat of FTC regulation of their cybersecurity policies and procedures became significantly more imminent as a result of the Third Circuit’s August 2015 decision in FTC v. …