Enforcement - Federal Agency and State AG Action

On November 9, 2020, the FTC entered into a consent agreement with Zoom Video Communications, Inc. to address concerns over the videoconferencing platform’s security practices. With the onset of the COVID-19 pandemic, the need for a reliable online videoconferencing and meeting platform skyrocketed. Zoom met that need. It advertised its platform as a secure space with various safety measures to protect user data, including “end-to-end” 256-bit encryption. In short order, individuals, businesses, and organizations flocked to the user-friendly communications platform, and by the end of April 2020 Zoom’s user base was booming.

Then came a backlash of sorts. The FTC began investigating Zoom’s security practices, and private plaintiffs brought class-action lawsuits alleging violations of the California Consumer Privacy Act and failure to adhere to Zoom’s terms of service. The FTC’s complaint alleged several concerns with Zoom’s advertising and security promises, concluding that Zoom made misleading claims about the strength of its encryption and security of its platform that gave customers a false sense of security. The five-count complaint alleged that Zoom:

Continue Reading FTC “Zooms” Into Settlement Agreement with Communications Company Over Concerns with its Security Practices

The Department of Defense is rolling out new regulations over the next five years to set progressive steps toward mandatory cybersecurity certification for government contractors. The first set of requirements goes into effect Nov. 30.

Click here to learn what contractors must do now to ensure they are eligible for award of new contracts, task

Did the U.S. Supreme Court ruling in Barr v. American Association of Political Consultants wipe out nearly five years of liability under the Telephone Consumer Protection Act? One district court answered yes. Does the TCPA apply to text messages? An amicus brief in another case headed to the Supreme Court argued no.

For analysis of

Monetary penalties are the attention-grabbing headline when the FTC or any regulator brings an enforcement action against a company. They are the looming threat used to incentivize and influence compliance. Over the summer, FTC Chairman Joseph J. Simons (“Chairman Simons”) issued a statement in connection with a settlement in which he explained that “the goal of a civil penalty should be to make compliance more attractive than violation. Said another way, violation should not be more profitable than compliance.”

Continue Reading FTC Fines: FTC Chairman Reminds Companies That Fines Are the FTC’s Strategic Tool To Deter Noncompliance

On September 17, 2020, four Republican Senators (Roger Wicker – Mississippi, Chairman, John Thune – South Dakota, Deb Fischer – Nebraska, and Marsha Blackburn – Tennessee) introduced sweeping federal privacy legislation entitled: Setting an American Framework to Ensure Data Access, Transparency, and Accountability (“SAFE DATA”) Act. This proposed comprehensive national privacy law has three main components:

  1. Provides consumers with more choice and control over their data
  2. Directs businesses to be more transparent and accountable
  3. Strengthens the FTC’s enforcement power

Continue Reading Federal Data Privacy Legislation: Will it Help the US Remain Competitive in the Global Marketplace?

On July 21, the New York Department of Financial Services (NYDFS) filed charges against First American Title Insurance Company (First American) for violating multiple sections of the New York Cybersecurity Regulation, 23 NYCRR 500.00, et seq. The significance of the NYDFS enforcement action cannot be overemphasized. This is the first action filed under the Cybersecurity Regulation, signaling a more aggressive enforcement stance by the regulator. The good news is the filings provide important guidance on best practices and red flags to avoid agency sanctions.

The NYDFS Statement of Charges alleges that First American knowingly exposed tens of millions of documents containing consumers’ sensitive personal information (e.g., bank account numbers, bank statements, mortgage records, Social Security numbers, wire transaction receipts, drivers’ license images, etc.). The charges further allege that for almost 5 years (from October 2014 through May 2019) these records were available on First American’s public-facing website to anyone with a web browser. The fact that First American failed to remediate the vulnerability, even after it was discovered by a penetration test in December 2018, was particularly troublesome for the regulators. The charges state that, “Remarkably, [First American] allowed unfettered access to the personal and financial data of millions of its customers for six more months...” Clearly, the NYDFS found this treatment of sensitive consumer data unconscionable and concluded that First American demonstrated a total disregard for the Cybersecurity Regulation.

Continue Reading NYDFS State of Mind: Regulator Focus and Enforcement Trends

FINRA’s examination program has undergone its most significant reorganization in decades. As stated in an Oct. 1, 2018 press release, FINRA’s goal for the reorganization was to “consolidate its Examination and Risk Monitoring Programs, integrating three separate programs into a single, unified program to drive more effective oversight and greater consistency, eliminate duplication and

On January 7, 2020, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) released its 2020 examination priorities. OCIE is prioritizing practices, products, and services that it believes present heightened risks to investors or market integrity. The examination priorities are organized around seven themes, many of which build on OCIE’s priorities

In one of this year’s largest HIPAA settlements, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) is set to collect $3 million from the University of Rochester Medical Center (URMC). This settlement over potential violations of the Privacy and Security Rules under HIPAA also requires URMC to follow a corrective action plan that includes two years of HIPAA compliance monitoring by OCR.

Continue Reading Unencrypted Mobile Devices Cost Medical Center $3 Million In HIPAA Settlement

National Cybersecurity Awareness Month (NCSAM) is coming to a close, but diligent cybersecurity efforts must continue. In honor of another successful NCSAM, below we have gathered some of our most popular cybersecurity content you can use as a quick reference for all of your cyber-related interests.