Data Security Law Blog

DataSecurityLaw.com is the firm’s resource for the latest news, analysis, and thought leadership in the critical area of privacy and cybersecurity law. Patterson Belknap’s Privacy and Data Security practice provides public and private enterprises, their leadership teams and boards with comprehensive services in this critical area. Our team of experienced litigators, corporate advisors and former federal and state prosecutors advises on a broad range of privacy and data protection matters including cyber preparedness and compliance, data breach response, special board and committee representation, internal investigations, and litigation.

Microsoft Email Case Dismissed by Supreme Court

This morning, the long-running dispute between Microsoft Corp. and the U.S. government regarding data stored abroad was resolved by the United States Supreme Court. As we’ve previously discussed, the case posed the question: must U.S. companies comply with warrants issued under the Stored Communications Act (“SCA”) that demand data stored in a foreign country? Today, the Supreme Court concluded that newly enacted legislation had effectively ended the case, making the Court’s involvement unnecessary.

Microsoft Joins Government’s Request to Render Fight over Access to Data Stored Abroad Moot

Yesterday, we reported that the Department of Justice has asked the U.S. Supreme Court to remand its dispute with Microsoft Corp. concerning access to customer emails stored abroad to the U.S. Court of Appeals for the Second Circuit with instructions to dismiss it as moot.  The government argued that the newly enacted “CLOUD” Act clarifies prior law and makes clear that information stored abroad can, under certain circumstances, be subject to a domestic warrant.  The government added that it obtained a new warrant for Microsoft to turn over the requested information in the days following the CLOUD Act’s passage.

Government Urges High Court to Moot Microsoft Email Case

We’ve written several times about the landmark dispute between the U.S. government and Microsoft Corp. over access to a customer’s emails stored in Ireland. Now, a month after the U.S. Supreme Court heard oral argument on the government’s appeal, the Justice Department has asked the Court to remand the case to the U.S. Court of Appeals for the Second Circuit with instructions to dismiss it as moot.

The Warning Behind the Numbers: New York’s 2017 Data Breach Report

On its face, last week’s report that the number of data breaches reported last year to New York’s Attorney General spiked to an all-time high of 1,583 – up 23 percent from 2016 – was not good news.

But behind the numbers are even more disturbing trends. Start with the fact that hacking – the handiwork of outside intruders – was the leading cause of reported breaches last year, accounting for 44 percent of reported breaches. Hacking also accounted for nearly 95 percent of all personal information exposed. In second place was employee error or negligence, which represented 25 percent of last year’s reported breaches.

Ninth Circuit Wades into Growing Debate over Data Breach Standing

Is the risk of future harm enough to satisfy Article III standing in a data breach suit? That’s the question courts of appeals around the country are wrestling with now – and reaching opposing results. The U.S. Court of Appeals for the Ninth Circuit is the latest to wade into this debate on data breach standing in its recent opinion, In re Zappos.Com, Inc., Customer Data Security Breach Litigation.

Former Equifax Exec Charged with Insider Trading: Underscores Need for Trading Halt Plans

The Equifax hack has taken another twist – one that raises questions that every public company should consider.

Last week, federal prosecutors charged Equifax’s former Chief Information Officer, Jun Ying, with insider trading for allegedly dumping nearly $1 million in stock before the massive Equifax breach went public. He also faces civil charges filed by the U.S. Securities and Exchange Commission (SEC).

DFS Issues Compliance Certificate “Reminder”

Last week, the New York Department of Financial Services (DFS) sent notices to companies that had not yet certified their compliance with the DFS Cybersecurity Regulation. DFS not-so-gently reminds companies to submit a Notice of Exemption or a Certificate of Compliance. A copy of that notice is now available online.

The Equifax Breach Continues to Rage

Six months after a massive data breach at credit reporting company Equifax, Inc. handed hackers the personal information of nearly 150 million Americans, the fallout continues. Equifax first disclosed in September that hackers used a flaw in its website software to extract the personal information of as many as 145.5 million people. The stolen data included names, Social Security numbers, birth dates, addresses, and driver’s license numbers. In just the first two months following the breach, Equifax incurred $87.5 million of expenses, and that number is now expected to grow to $439 million by the end of 2018, making this, potentially, the most expensive reported data breach to date.

Facebook Loses Second Attempt to Dismiss Biometric Data Class Action

Last week, a federal district judge in California shot down Facebook, Inc.’s second attempt to dismiss a putative class action alleging that its facial recognition software violates the Illinois Biometric Privacy Act (BIPA). The court found that plaintiffs had standing to proceed under the U.S. Supreme Court’s ruling in Spokeo, Inc. v. Robins because the alleged BIPA violation was sufficient to give rise to a “concrete injury” for purposes of bringing suit.

The DFS Effect: Cyber Meets Sarbanes Oxley

Today, financial institutions with ties to New York are spending their Valentine’s Day learning how to use the New York State Department of Financial Services (DFS) web portal.

Almost a year ago, the DFS unveiled one of the most aggressive efforts in the nation to crack down on cybercrime in the banking and insurance industries. And by tomorrow, more than 3,000 firms are required to file through the agency’s online portal their first ever compliance certificate, swearing that their organization has satisfied the first phase of requirements under the state’s new cybersecurity regulation.

Education Department Toughens Tone on Cyber and Threatens to Pull Funding for Non-Compliance

Recently issued guidance from the U.S. Department of Education (ED) threatens to “yank” Title IV funding for post-secondary institutions lacking appropriate data security safeguards. The guidance comes as the risk of educational data breaches has intensified, as we have previously reported. The stakes are even higher now that ED has put Title IV recipients on notice that, beginning in fiscal year 2018, they may be subject to compliance audits regarding their data security programs.

“Legally Reprehensible”: Senate Chastises Uber’s Conduct in 2016 Data Breach

On Tuesday, a Senate subcommittee grilled Uber’s Chief Information Security Officer, John Flynn, over a 2016 data breach that affected nearly 57 million drivers and riders. At the hearing, Uber faced backlash from lawmakers for its “morally wrong and legally reprehensible” conduct that “violated not only the law but the norm of what should be expected.”

A Teachable Moment: Hospital Goes Public after Making Ransom Payment

It’s unusual for victims of ransomware to publicly acknowledge that they have paid hackers to go away. But a regional hospital in Indiana has made public its experience last week with a “sophisticated criminal group” as a teachable moment for other institutions faced with the vexing choice of whether to give in to the ransom demands of cybercriminals.

Countdown to the First Annual New York DFS Cyber Regulation Certification

On February 15th, organizations subject to the New York Department of Financial Services Cybersecurity Regulation are required to submit their first annual certification attesting to their compliance with the state’s new data security requirements.

Federal Appeals Court Slams Data Breach Privilege Claim

In the most recent object lesson in a data breach privilege case, a federal appeals court has ordered a Michigan-based mortgage lender to turn over privileged forensic investigatory documents after the investigator’s conclusions were revealed in discovery.

Equifax Must Turn Over NY Breach Data This Week

New York State regulators won’t be letting Equifax, Inc. off the hook any time soon for last year’s massive data breach that affected more than 145 million Americans.

Avatars, Facial Scans & Virtual Basketball: Second Circuit Tosses Biometric Privacy Case

A recent federal appellate ruling delivered a significant blow to invasion of privacy claims based on facial recognition technology used to scan users’ faces that are then put on their personalized players “in-game,” allowing them to play side-by-side with basketball stars in a popular video game.

Inside the Stanford Breach: Exposed Records Lead to Financial Aid Scandal

A cybersecurity vulnerability at Stanford University exposed thousands of sensitive files containing details of sexual assault investigations and disciplinary actions. The story of what happened—and why it should be an object lesson for higher education. The second of a three-part series.

Payment or Pillory: More Fallout from Uber’s Data Breach

With new developments regarding Uber Technologies Inc.’s 2016 data breach coming out almost daily, lawsuits against the company continue to pile up. We previously reported that within days of Uber disclosing the data theft and its subsequent payment of $100,000 to the hackers ostensibly to delete the data, regulators from around the globe, including the U.S., EU, Mexico, Canada, Australia, and the Philippines, began investigations. As of this morning, Uber has already been hit with at least four class action lawsuits alleging that Uber failed to protect consumer data and notify consumers in a timely manner as required by various state laws, as well as lawsuits by the City of Chicago and the State of Washington.

Inside the Stanford Breach: Sexual Assault, Disciplinary and Financial Data Exposed

A series of cybersecurity vulnerabilities at Stanford University exposed thousands of sensitive files containing details of sexual assault investigations, disciplinary actions and more. The details of what happened—and why it should be an object lesson for higher education. A special three-part blog series.

Uber Breach

Uber Technologies, Inc., the latest victim of a high-profile data theft, is taking heat for its handling of the 2016 incident – first disclosed last week – in which account information for 57 million riders worldwide was stolen.  The theft was made public in a blog post written by the company’s new chief executive officer Dara Khosrowshahi.

A Cautionary Tale: UK Intelligence Data Found on Thumb Drive in London Street

Not all cybersecurity risks are the stuff of super-secret code hacks or high-tech digital attacks. One of the biggest culprits: off-the-shelf thumb drives (also known as flash drives or memory sticks) that you can purchase online, at Walmart or at your local office supply shop. Lightweight and small enough to fit in your pocket, thumb drives can store massive amounts of data.

Justice Department Accuses Google of “Alarming” Tactics in Fight over SCA Search Warrant

The ongoing dispute between the government and Google concerning the company’s refusal to hand over customer data stored on foreign servers has taken an odd twist.  Now, the Justice Department is demanding that Google be sanctioned for not abiding by the court’s most recent decision—ordering it to produce data associated with 22 email accounts—and calling Google’s conduct “a willful and contemptuous disregard of various court orders.”  The case is In the Matter of the Search of Content that Is Stored at Premises Controlled by Google, No. 16-mc-80263 (N.D. Cal.).
