The incoming chief of New York’s top financial services regulator called cybersecurity “the number one threat facing all industries and governments globally” during a speech on Friday, April 12, 2019 at the Association of the Bar of the City of New York.
DataSecurityLaw.com is the firm’s resource for the latest news, analysis, and thought leadership in the critical area of privacy and cybersecurity law. Patterson Belknap’s Privacy and Data Security practice provides public and private enterprises, their leadership teams and boards with comprehensive services in this critical area. Our team of experienced litigators, corporate advisors and former federal and state prosecutors advises on a broad range of privacy and data protection matters including cyber preparedness and compliance, data breach response, special board and committee representation, internal investigations, and litigation.
A Shield From Cyber Liability: Integrating SAFETY Act Protections Into Institutional Cyber Governance
An obscure federal law called the SAFETY Act recently captured national headlines when MGM Resorts International invoked it in a series of pre-emptive, declaratory judgment lawsuits against the victims of the 2017 Harvest Festival Las Vegas shooting. MGM sued the victims in an effort to avoid liability in connection with the tragedy. MGM owns the Mandalay Bay hotel, where Stephen Paddock, from his 32nd floor suite, shot and killed 58 people and wounded hundreds more who were attending a music festival next door.
In Warning Shot to Foreign Hackers, U.S. Indicts Two Iranian Nationals for Massive Ransomware Attacks
Yesterday, the United States indicted two Iranian hackers for their roles in a series of major ransomware attacks that started in 2016 and lasted almost three years. The attacks crippled schools, hospitals, the private sector, and government agencies, causing tens of millions of dollars in damage.
MGM Resorts International has hit the pause button in its gambit to shield itself from liability stemming from the October 2017 shooting at the Mandalay Bay Hotel in Las Vegas.
As we reported previously, MGM has brought more than a dozen declaratory judgment lawsuits against the victims in the deadliest mass shooting in modern U.S. history, arguing that claims against the casino giant are barred by federal law. MGM has released a statement saying it hopes to avoid years of litigation by exploring potential settlement options, and adding that “years of protracted litigation is in no one’s best interest.”
Memories of the massacre of dozens of concertgoers at a Las Vegas music festival last year are unlikely to fade soon. In the deadliest shooting in U.S. history, Stephen Paddock killed 58 people and wounded hundreds from his perch within the Mandalay Bay hotel, owned by MGM Resorts International.
A legal battle is now underway over liability for the shooting and the first-ever legal test of a little-known federal law – the Support Antiterrorism by Fostering Effective Technologies Act of 2002 or SAFETY Act – will start later this month in a San Francisco courtroom. The SAFETY Act was enacted after the Sept. 11th terrorist attacks to provide different levels of legal protection for companies that developed antiterrorism technologies – including cybersecurity technologies and programs – and then passed a rigorous process administered by the U.S. Department of Homeland Security.
For thousands of financial institutions and insurance companies covered by New York DFS’s sweeping data security regulation, the countdown to yet another deadline has begun. Those companies will remember last August, when DFS’s first transition period ended, and the same companies know that they had to first certify their compliance with the regulation to DFS only months ago, in February.
Many believe that blockchain technology will revolutionize the way humans interact, in business and beyond. Though cryptocurrency is the topic du jour, blockchains can do much more than just enable digital currencies: they can be used to transform the way we store and manage many kinds of data, from real property and voting records to intellectual property licenses and medical information, and more. If blockchain is mainstreamed, courts will inevitably be faced with disputes arising out of the differences between blockchain and current methods of managing transactional data.
Six months after a massive data breach at credit reporting company Equifax, Inc. handed hackers the personal information of nearly 150 million Americans, the fallout continues. Equifax first disclosed in September that hackers used a flaw in its website software to extract the personal information of as many as 145.5 million people. The stolen data included names, Social Security numbers, birth dates, addresses, and driver’s license numbers. In just the first two months following the breach, Equifax incurred $87.5 million of expenses, and that number is now expected to grow to $439 million by the end of 2018, making this, potentially, the most expensive reported data breach to date.
With new developments regarding Uber Technologies Inc.’s 2016 data breach coming out almost daily, lawsuits against the company continue to pile up. We previously reported that within days of Uber disclosing the data theft and its subsequent payment of $100,000 to the hackers ostensibly to delete the data, regulators from around the globe, including the U.S., EU, Mexico, Canada, Australia, and the Philippines, began investigations. As of this morning, Uber has already been hit with at least four class action lawsuits alleging that Uber failed to protect consumer data and notify consumers in a timely manner as required by various state laws, as well as lawsuits by the City of Chicago and the State of Washington.
Last year was the first that national banks and federal savings associations subject to supervision by the Office of the Comptroller of the Currency (“OCC”) were armed with a sense of the agency’s regulatory expectations when it came to cybersecurity.
This is our final installment in a three-part series examining the New York State Department of Financial Services (“DFS”) new cybersecurity regulation. In this installment, we provide an overview of the regulation’s impact on third-party vendors and business partners, including law firms.
This is our second installment in a three-part series examining the New York State Department of Financial Services (“DFS”) new cybersecurity regulation. In this installment, we provide an overview of the regulation’s impact on corporate governance and the scope of liability for corporate boards.
This is the first installment in a three-part series examining the New York State Department of Financial Services (“DFS”) new cybersecurity regulation. The Patterson Belknap Privacy and Data Security Team has studied the regulation, its legislative and regulatory underpinnings, and practical consequences.
Boards of directors remain increasingly exposed to the threat of liability arising from data breaches and other cyber-incidents.
On the Move and At Risk: Safeguards for Mitigating Mobile Device Vulnerabilities While Traveling Overseas
Employees use their smartphones as a key tool for accessing information during a work day – especially when outside the office and traveling on business. While smartphones, tablets, laptops and other devices may increase productivity by facilitating work flow and communications, a wireless mobile device and related data may be exploited by cybercriminals, and this risk increases significantly when overseas. Organizations often overlook this increased vulnerability to business, customer, and client data when personnel use their mobile devices to conduct business while travelling outside the United States. Organizations can mitigate the risk of compromising confidential information, intellectual property, and other sensitive data by adopting best practices for personnel travelling in other countries.
Not surprisingly, cybersecurity remains a top examination priority for the Comptroller of the Currency (“OCC”). And that means national banks and federal savings associations – and their leadership teams – should be prepared for “heightened” focus by OCC examiners in critical areas of cybersecurity risk including banks’ third-party and vendor relationships.
Last month, the Federal Trade Commission’s Chief Administrative Law Judge dismissed the Commission’s long-running data security case against LabMD because it failed to prove that there was an actual or reasonably imminent threat of injury to consumers. In the matter of LabMD, Dkt. No. 9357, Initial Decision (Nov. 13, 2015). The issue of consumer “injury” has loomed large in the world of data privacy litigation since private plaintiffs began bringing class action lawsuits arising from data breaches. Whether those cases are brought by individuals in their own name or on behalf of a putative class, courts have struggled with the question of what constitutes injury sufficient to successfully prosecute a claim.
With last week’s ruling by the Third Circuit Court of Appeals in FTC v. Wyndham Worldwide Corp. solidifying the Federal Trade Commission’s authority to enforce data security practices, organizations that use online computers to store customer information should take notice. Since 2005, the FTC has stepped up its enforcement efforts and has entered into more than 50 consent decrees relating to cybersecurity matters.