Latest Articles

The Food and Drug Administration (FDA) published a draft update to its premarket cybersecurity guidance for device makers on October 18, 2018. The expanded draft guidance includes recommendations on tiered classification of cybersecurity risk, trustworthiness, cybersecurity bill of materials, and device cybersecurity labeling that are specific enough to be helpful to manufacturers while at the same time keeping the guidance sufficiently flexible to comply with an industry filled with advancing devices that pose greater and more…
California enacted Internet of Things (IoT) legislation intended to help protect consumer privacy and safety from potential hacking of connected devices. Under the state legislation that may apply to any connected devices sold in California, manufacturers of connected devices are required to equip the devices with security options suitable to the nature of the device and the information processed by the device. The objective of the legislation is to protect consumers, yet adapt to different…
The Office of the Inspector General (OIG) published a report in September 2018 after a review of the Food and Drug Administration’s (FDA) policies, procedures, and guidance relating to cybersecurity reviews of networked medical devices. In its findings, covered in our recent client alert, the OIG determined that while the FDA has started to include cybersecurity concerns in its review process, the FDA should take steps to ensure its cybersecurity review is systematic and…
On February 28, 2018, the Federal Trade Commission (FTC) released a report about security update practices for businesses providing mobile phones and other connected devices. The report recommends that manufacturers and carriers provide security updates that are consistent with consumer expectations, provide better information regarding their security practices and educate consumers on their role in the update process. While the report is framed as offering recommendations, businesses should keep in mind that such reports often…
On Jan. 5, 2018, the Department of Homeland Security (DHS) and the Department of Commerce (DOC) released their joint draft report on “Enhancing the Resilience of the Internet and Communications Ecosystem against Botnets and Other Automated, Distributed Threats” for public comment. The report provides a series of recommendations for addressing the threats presented by botnets as well as improving security for Internet-connected devices or the Internet of Things (IoT). Chief among these was a call…
On August 17, 2017, Delaware Governor John Carney signed into law House Substitute 1 for House Bill 180, making the first significant amendment to Delaware’s data breach notification law since 2005.  The bill, scheduled to go into effect April 14, 2018, requires private organizations to maintain reasonable security policies and procedures; expands the definition of “personal information” to include medical information, biometric identifiers, and electronic signatures; and adds additional breach notification and credit monitoring…
On Monday, May 11, 2017, President Donald Trump signed an Executive Order on “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.”  The Executive Order comes after Trump had postponed signing a similar executive order on cybersecurity on Feb. 1, and another draft executive order had been circulated Feb. 10. The final Executive Order aligns with the preceding Executive Order 13636, “Improving Critical Infrastructure Security,” signed by the Obama administration on Feb.…
Lender license requirements recently included in the New York governor’s proposed 2017-2018 budget would expand the jurisdiction of the New York State Department of Financial Services (NYDFS) to cover many financial technology (FinTech) credit-lending companies that are currently exempt from license requirements.  The proposed budget would prohibit businesses that are not registered as licensed lenders from making personal loans with a principal of $25,000 or less, and commercial loans of $50,000 or less, regardless of…
On January 4, 2017, the National Institute of Standards and Technology (“NIST”) published the final version of NIST IR 8062, “An Introduction to Privacy Engineering and Risk Management in Federal Systems.” The report introduces the concept of applying systems engineering practices to privacy and provides a new model for conducting privacy risk assessments on systems. In the blog post accompanying the release, NIST notes that the report is intended to address the absence…