Archive: April 2017

Abbott Labs makes a costly mistake as FDA targets cybersecurity deficiencies
Draft law proposes security assessment of data exported out of China

Abbott Labs makes a costly mistake as FDA targets cybersecurity deficiencies

By Cameron Abbott and Giles Whittaker

The Food and Drug Administration (FDA), after a previous warning in 2014, threatens legal action against Abbott Labs if the company fails to address safety and security issues in implanted cardiac devices sold by St Jude Medical – a recent subsidiary acquired by Abbott Labs. The internet of things takes a much more serious tenure when it’s a medical device compared to your fridge!

The company recently purchased St. Jude Medical, which makes implanted cardiac devices that have been the subject of cybersecurity concerns. A warning letter issued by the FDA gives Abbott Labs 15 days to submit a plan to address errors in the products’ design that could allow hackers to tamper with the settings and drain the batteries of the devices. Many of the cybersecurity concerns first came to light after medical device security research firm MedSec submitted a report outlining a variety of alleged security flaws in St. Jude products to investment firm Muddy Waters Research (MWR). MWR subsequently publically announced the product design failures while short-selling St. Jude Medical’s stock in order to capitalise on the expected market response.

As the public increases its awareness of cybersecurity issues it becomes apparent that a failure to adequately consider these issues – as a day to day function of operating a business or prior to the acquisition of a new business – can result in significant damage to a company’s bottom line. The recent short-selling by MWR indicates the necessity for cybersecurity considerations to form central in a company’s business model, otherwise risk having its inadequacies called out in a public forum. And we are not even thinking about what litigation liability risk these sorts of issues might raise.

Draft law proposes security assessment of data exported out of China

By Cameron Abbott and Allison Wallace

The Cyberspace Administration of China has released a draft law that would impose an annual security assessment on firms exporting data out of China.

The proposed legislation would apply to any business which transfers more than 1000 gigabytes of data, or which affects more than 500,000 users, and is the latest of several safeguards announced in recent times against threats such as hacking and terrorism.

Under the draft law, economic, technological or scientific data whose transfer would post a threat to public or security interests would be banned, and there would be extra scrutiny of sensitive geographic data.

Businesses would also have to obtain the consent of users before transmitting it overseas.

The draft law follows another passed in November 2016 which formalised a range of controls over firms that handle data in industries the Chinese government labels critical to national interests.

Copyright © 2019, K&L Gates LLP. All Rights Reserved.