Data Security Law Blog is the firm’s resource for the latest news, analysis, and thought leadership in the critical area of privacy and cybersecurity law.

Recent Blog Posts

  • A Closer Look: SEC’s Edgar Hacking Case Last month, the U.S. Securities and Exchange Commission charged nine defendants with hacking into the agency’s EDGAR system – the online platform used by public companies for making their public filings – and stealing material nonpublic information to use for illegal trading purposes. While the charges are new, the insider trading scheme goes back years and underscores the challenges faced by U.S. law enforcement and regulatory authorities in pursuing foreign nationals who violate U.S. securities laws. According to a 43-page... More
  • New York’s DFS Cyber Deadlines Loom It’s a marathon month for the thousands of financial institutions and insurance companies covered by New York’s landmark cybersecurity regulation. In little more than a week, these businesses must file their second annual certification of compliance with the State’s Department of Financial Services. Two weeks later, they must also come into compliance with the regulation’s third-party vendor requirements, the final milestone in the two-year roll out of the cybersecurity regulation. Late last week, outgoing DFS Superintendent Maria T. Vullo issued... More
  • Trade Off Between Privacy and Convenience: Germany’s New Digital Mail Service In a country renowned for protecting the privacy of its citizens, Germany has undertaken a pilot program that does just the opposite. In a trade off between privacy and convenience, German residents can now enroll in a digital service where their mail is emailed to them anywhere in the world. Germany’s national postal service, Deutsche Post, is offering an e-scan service on a trial basis. With the customer’s consent, the German postal service opens the customer’s mail, scans it and... More
  • A Shield From Cyber Liability: Integrating SAFETY Act Protections Into Institutional Cyber Governance   An obscure federal law called the SAFETY Act recently captured national headlines when MGM Resorts International invoked it in a series of pre-emptive, declaratory judgment law suits against the victims of the 2017 Route 91 Harvest Festival shooting in Las Vegas. MGM sued the victims in an effort to avoid liability in connection with the tragedy. MGM owns the Mandalay Bay hotel, where Stephen Paddock, from his 32nd floor suite, shot and killed 58 people and wounded hundreds more... More
  • The New York Times Features Op-Ed by Craig Newman: “Lessons for Corporate Boardrooms From Yahoo’s Cybersecurity Settlement” The New York Times featured an op-ed last week written by Craig A. Newman, Chair of Patterson Belknap’s Privacy and Data Security Practice, entitled “Lessons for Corporate Boardrooms From Yahoo’s Cybersecurity Settlement.” In the op-ed, Mr. Newman discusses how the January 2019 settlement “marked the first time that shareholders have been awarded monetary damages in a derivative lawsuit related to a data breach.” Mr. Newman notes, “the settlement signals that director and officer liability for cybersecurity oversight is entering new and potentially perilous... More
  • Illinois Biometric Law: Scanning Fingerprints Can Get You Sued   In a ruling with wide-spread implications, the Illinois Supreme Court on Friday upheld a consumer’s right to sue companies for collecting biometric data – such as finger prints and iris scans – without disclosing how such information will be used. The ruling came after a lawsuit was filed by the family of a teenager whose finger prints were collected in 2014 when he purchased a season pass to a Six Flags Entertainment Corp. amusement park. The complaint alleged that... More
  • HHS Releases New Cybersecurity Guidance In a four-part publication, a Task Force that included the Department of Health and Human Services (HHS) and private sector industry leaders released guidance for the healthcare industry on cybersecurity best practices. The guidance, Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients, focuses on healthcare providers, payors and pharmaceutical companies. This post takes an in-depth look at the guidance. Developing HICP The Cybersecurity Act of 2015 required HHS, in collaboration with healthcare industry stakeholders, to “establish a... More
  • DFS Superintendent Vullo Reflects on NYS Cyber Regulation: Two Years Later With full implementation of New York’s groundbreaking cybersecurity regulation only six weeks away, the state’s top banking regulator took the opportunity to praise the many financial institutions that have adopted systems to better protect consumers from cybercrime. In a four-page letter posted on the DFS website, Superintendent Maria T. Vullo said that, during the prior year, her agency and the financial services industry had worked “collectively [and] enhanced the financial services industry’s cybersecurity protections for New York, providing national standards... More
  • PayPal Shareholders’ Data Breach Stock-Drop Suit Dismissed Among other things, 2018 was the year of the shareholder data breach stock-drop lawsuit. As we’ve previously reported, it was the year that shareholders began routinely suing companies after an announcement of a data breach, seeking damages for a hit to the company’s stock price.  Now, in one of the first substantive decisions issued by a court in a breach-related stock drop suit, a federal judge in California dismissed the case without prejudice and has signaled that shareholders face an... More
  • Directors and Officers Settle Over Yahoo Hack: A New Chapter in Derivative Litigation?   Yesterday, a Superior Court judge in Santa Clara, California approved what is believed to be the first monetary award to a company in a data breach-related derivative lawsuit. Until now, such breach-related derivative cases have settled through a combination of governance changes and modest awards of attorney’s fees. But the former officers and directors of Yahoo! Inc. agreed to pay $29 million to settle charges that they breached their fiduciary duties in the handling of customer data during a series... More