Gibson Dunn Reviews U.S. Cybersecurity and Data Privacy

In 2016, companies, governments, and consumers were again challenged to navigate an evolving landscape of cybersecurity and privacy issues.  This year saw flash points impacting the trajectory for data breach litigation, the future for privacy class actions, and the scope of government powers to both regulate data collection practices and gather data itself.  Cybersecurity also burst onto the international regulatory and political scene.

Among other developments, this year the Supreme Court issued its decision in Spokeo, Inc. v. Robins, a long-awaited development addressing (somewhat) plaintiffs’ burden to show concrete injury to satisfy Article III standing.  Plaintiffs and defendants had … Read more

Gibson Dunn explains the New EU-Wide Rules on Cybersecurity

On July 6, 2016, the European Parliament officially adopted the Network and Information Security (NIS) Directive[1] which is expected to fully enter into force in May 2018.  The NIS Directive is the first set of cybersecurity rules to be implemented on the EU level, adding to an already complex array of laws which companies have to comply with when implementing security and breach response plans.  The Directive aims to set a minimum level of cybersecurity standards and to streamline cooperation between EU Member States at a time of growing cybersecurity breaches.

The final text (which took the EU and … Read more

Gibson Dunn discusses The Third Circuit Upholding the U.S. Federal Trade Commission’s Authority to Regulate Cybersecurity

The Federal Trade Commission’s longstanding effort to establish itself as the primary federal regulator of cybersecurity survived its first appellate test on Monday when the Third Circuit allowed the FTC to continue pursuing its case against Wyndham Worldwide Corp.[1]  The FTC sued Wyndham after the hotelier suffered three data breaches that allegedly compromised the payment card information of more than 600,000 customers.  The FTC alleged, among other things, that Wyndham’s failure to use encryption, firewalls, and non-obvious passwords constituted an “unfair” practice under Section 5 of the FTC Act.  The district court denied Wyndham’s motion to dismiss the FTC’s case, … Read more

Gibson Dunn discusses Cybersecurity Regulation in the Financial Sector

In response to a string of publicly disclosed cyberattacks against financial institutions in recent months, New York and federal regulators are pushing the financial sector to better protect itself and, notably, are seeking additional information about banks’ cybersecurity efforts.  Benjamin Lawsky, the Superintendent of the New York State Department of Financial Services (“DFS”) has been at the forefront of this increased regulatory focus.

New York State

On October 21, 2014, Superintendent Lawsky reportedly sent a letter to dozens of banks that not only urges them to address the cybersecurity of their third-party service providers but also requests detailed information about … Read more