DATA PRIVACY IN NORTH AMERICA
RC: Could you outline the latest legal and regulatory developments affecting corporate handling of data in North America?
Gottlieb: Federal regulators are focusing on data security more than ever before. To date, the FTC has brought over 50 enforcement actions concerning data breaches. These actions typically result in a settlement in which the target company agrees to bring a monitor in-house and follow a privacy framework. There is pending litigation that has challenged the scope of the FTC’s authority to regulate corporate data security practices, and if the Government loses in that litigation, its authority to regulate private data security practices will weaken without new legislation. Congress is considering legislation that would authorise the Commission to seek civil penalties for data security violations. Following Dodd-Frank, the SEC and the CFTC promulgated Regulation S-ID, which requires certain financial institutions and creditors to implement comprehensive identity theft programs to protect customer data. And earlier this year, the SEC and FINRA both announced that they would be enhancing their focus on cyber attacks and data breaches. Finally, in February 2014, following an Executive Order from President Obama, the National Institute of Standards and Technology (NIST) released the Framework for Improving Critical Infrastructure Cybersecurity. While the Framework is voluntary, companies may over time face serious pressure to adopt its standards even outside of the critical infrastructure area.
Apr-Jun 2014 Issue
Boies, Schiller & Flexner LLP
Drinker Biddle & Reath LLP
Goodwin Procter LLP
Hogan Lovells US LLP
Whiteford, Taylor & Preston LLP