Data Security Law Blog is the firm’s resource for the latest news, analysis, and thought leadership in the critical area of privacy and cybersecurity law.

Recent Blog Posts

  • A Closer Look at the CCPA’s Private Right of Action and Statutory Damages
    The California Consumer Privacy Act (CCPA) has significantly altered the potential consequences of a data breach under California law by permitting California consumers to bring civil suits for statutory damages, Cal. Civ. Code § 1798.150(a)(1), and to seek statutory damages of between $100 and $750 “per consumer per incident or actual damages, whichever is greater.” Id. § 1798.150(a)(1)(A). The ability to seek statutory damages is in addition to injunctive or declaratory relief. Id. § 1798.150(a)(1)(B),(C). While consumers already...
  • New York’s SHIELD Act Is Signed Into Law
    Last Thursday, Governor Cuomo signed New York’s latest data security bill – the Stop Hacks and Improve Electronic Data Security, or “SHIELD” Act. The Act, which we have followed on this blog since November 2017, imposes new notification obligations on businesses managing private data when a security breach occurs. Capital One’s recent breach underscores the significance of the changing regulatory landscape, as both businesses and the government attempt to navigate and protect against large-scale cybersecurity attacks, and the importance of...
  • An Old Hack Comes Back to Haunt (Newly-Public) Slack
    Last Thursday, Slack Technologies, Inc. (Slack) announced that it would reset passwords for a number of accounts compromised by a security breach that occurred more than four years ago, in March 2015. Slack—a fast-growing messaging service that launched in 2014 and went public last month—provided little explanation for its delay in action and minimized the scope of the incident, claiming that it only affected a small percentage of current Slack users. The narrow scope and timing of Slack’s disclosure raise...
  • D.C. Circuit Breathes New Life into OPM Data Breach Litigation
    The U.S. Office of Personnel Management (“OPM”) made headlines when several hacks of confidential data came to light in 2015, intrusions that compromised the personal data of over 20 million individuals. On July 21, 2019, in AFGE v. OPM (In re United States OPM Data Sec. Breach Litig.), Nos. 17-5217, 17-5232, (D.C. Cir. June 21, 2019), a divided panel of the United States Court of Appeals for the D.C. Circuit breathed new life into litigation stemming from those breaches...
  • New York’s SHIELD Act Heads to the Governor’s Desk
    The New York State Senate recently passed The Stop Hacks and Improve Electronic Data Security Act, or SHIELD Act, leaving only the Governor’s signature as the final step to the SHIELD Act becoming the country’s newest—and one of the most stringent—breach notification laws. Given Governor Cuomo’s previous support for robust cybersecurity protections, New York may soon join a growing number of states beefing up their notification statutes. We previously looked at the SHIELD Act’s original draft, including a...
  • A Shield From Cyber Liability: Beyond the Statute
    As we’ve written about in the past, the SAFETY Act has the potential to help companies mitigate their risk from cyber-terrorism. As previously noted, the statute has never been fully tested in courts, so the full contours of its protection remain uncertain. Nonetheless, the benefits of SAFETY Act approval may extend well beyond those mandated by Congress: to the right company, SAFETY Act approval could be a significant market differentiator and, in the right circumstances, could be a powerful...
  • Patterson Belknap Mourns the Loss of Partner Craig A. Newman
    Patterson Belknap Webb & Tyler LLP is deeply saddened to announce the passing of our partner and friend Craig A. Newman, the founding editor of the Data Security Law Blog. Craig was a litigation partner with Patterson Belknap from 2015 to 2019 and served as chair of the Firm’s Privacy & Data Security practice. He was a source of wisdom, warmth and humor, and will be missed. More information can be found on the Firm’s website here....
  • Millions of Patient Records Exposed in Breach at Medical Testing Giants’ Third-Party Vendor
    It’s been a tough week for the healthcare industry. Just days after Quest Diagnostics reported a breach at a third-party vendor affecting approximately 11.9 million of its patients, LabCorp disclosed that a breach at the same vendor exposed the personal and financial data of 7.7 million of its customers. Customer data for both entities was exposed in a breach at third-party bill collections agency, American Medical Collection Agency (AMCA), when an unauthorized user gained access to patient records from August...
  • Illinois to Require Attorney General Notification under New Breach Amendment
    Illinois is set to become the 29th state that will require data breaches affecting more than 500 residents to be reported to the state’s attorney general. The proposed amendment to the state’s Personal Information Protection Act – which currently only requires notice to the affected residents – provides that, when more than 500 Illinois residents are affected by a “single breach of the security system,” notice must also be given to the Illinois Attorney General “in the most expedient time...
  • New York Launches Cybersecurity Unit
    Today, New York’s top financial regulator, the Department of Financial Services, announced the formation of a dedicated “Cybersecurity Division.” In a news release issued earlier today, the agency said the new division “will focus on protecting consumers and industries from cyber threats ….” Linda A. Lacewell, the agency’s acting Superintendent, explained that “[i]ncreasingly today, counterterrorism is about cybersecurity, our biggest threat and biggest challenge …” In addition, she said that “[a]s technology changes the financial services industry, regulation must evolve...