Data Security Law Blog is the firm’s resource for the latest news, analysis, and thought leadership in the critical area of privacy and cybersecurity law.

Recent Blog Posts

  • New York Gets Ready to Jump on the Biometric Bandwagon
    Companies that do business in New York or with New Yorkers could soon face an onslaught of biometric privacy-related litigation, courtesy of New York Assembly Bill 27, the Biometric Privacy Act (“BPA”). Currently pending before the legislature, the bill is modeled on Illinois’ Biometric Information Privacy Act (“BIPA”) and, like that law, would impose a set of rules businesses must follow when collecting biometric information. Critically, the BPA would create a private right of action for those “aggrieved” by violations...
  • Recent Developments in the State Data-Privacy Landscape: Is Federal Involvement the Best Way Forward?
    With a dizzying array of state privacy laws on the horizon, the prospect of a federal solution has come into sharp focus. Rather than a patchwork of regional legislation, a comprehensive national framework would potentially govern the precautions that companies must take when electronically collecting, using and storing customers’ personal information, regardless of where in the country the company—or the consumer—is located. That is the current situation in the European Union under the General Data Protection Regulation (GDPR), and has...
  • Beeple, Top Shots, and the Blockchain of Collectibles: Securing the Value of an Original Digital Asset
    For this post, we welcome guest contributor Anne-Laure Alléhaut from the firm’s Art and Museum Law practice group. Ms. Alléhaut, former Senior Vice President and Associate General Counsel of Sotheby’s, Inc., concentrates her practice on all aspects of art law, working with artists, private collectors, museums, galleries, dealers, and advisors, including with respect to digital media and non-fungible tokens. A cryptocurrency entrepreneur recently paid $69.3 million for Beeple’s Everydays: The First 5,000 Days at a Christie’s auction. That record-breaking...
  • NIST Publishes Key Practices in Cyber Supply Chain Risk Management
    The recent SolarWinds attack alerted the world to the risk of a cyber supply chain attack—an attack through or on your company’s vendors or suppliers. It is increasingly clear that even if you take all the right steps to secure your own computer systems, your company—and your company’s data—is only as secure as the weakest link among your suppliers. This risk includes attacks that might infect your computer systems, as well as the risk that your suppliers’ businesses will be...
  • Supreme Court Mulls Class Action Standing in TransUnion v. Ramirez
    On Tuesday, the United States Supreme Court heard oral argument in TransUnion LLC v. Sergio L. Ramirez, No. 20-297, focusing on whether a class of individuals who experience a risk of harm that never materializes have standing to sue. Although the case itself does not involve a data breach, the Court’s answer to the standing question could have significant implications for the viability of data breach class action lawsuits moving forward. Back in 2016, the Court held in Spokeo...
  • Forensic Analysis and Privilege in the Wake of a Data Breach
    In the wake of a data breach, counsel will often require the assistance of a forensic firm in order to provide legal advice to their client. The forensic analysis—which is often memorialized in a report to counsel—is crucial for counsel in understanding what occurred and formulating legal strategy relating to potential litigation and breach notification issues. For the same reasons, details of those forensic analyses and any related investigative reports are very likely to be the subject of a discovery...
  • California Privacy Rights Act: The Five Biggest Changes You Need to Know Now
    Last November, California voters approved Proposition 24, enacting the California Privacy Rights Act (“CPRA”). The CPRA amends the California Consumer Privacy Act (“CCPA”), which was already the most sweeping consumer data protection law in the U.S. Wondering what you should know about California’s new Privacy Rights Act? We dug into the new law and identified the five biggest changes. Among the most important changes—which take effect on January 1, 2023 (but apply to data collected beginning January 1, 2022)—are: ...
  • Win for Walmart as District Court Gives Strict Reading to CCPA
    In a win for data privacy defendants, Walmart secured a ruling that favors a narrow interpretation of the California Consumer Privacy Act (CCPA). In Gardiner v. Walmart Inc. et al, 4:20-cv-04618-JSW, a Walmart customer, Lavarious Gardiner, sued the retail company under the CCPA for failing to implement and maintain reasonable and appropriate security procedures and practices to protect information he gave to Walmart to create an account on the company’s website. As a result of an alleged, undisclosed data breach,...
  • New York DFS Fines Mortgage Lender in Cybersecurity Enforcement Action
    New York’s Department of Financial Services (“DFS”) announced on Wednesday, March 3, 2021, that an independent mortgage lender, Residential Mortgage Services Inc. (“RMS”), has agreed to pay a $1.5 million fine to the agency in a settlement resulting from violations of its Cybersecurity Regulation. This is just the second enforcement action brought by DFS under the Cybersecurity Regulation, which was the first of its kind nationally. RMS experienced a cyber incident in March, 2019, when an intruder gained access to...
  • Judge Finds No Article III Standing in Proposed Class Action Against Marriott
    The question of standing has proven to be a tricky one in data breach litigation. (See our prior coverage here and here). Last week a federal district court in Maryland rejected a proposed class action brought by Marriott guests related to a data breach suffered by the hotel chain in early 2020, finding that the plaintiffs did not have Article III standing because they could not trace any alleged injury to particular actions or inactions by Marriott. This decision is...