Data Security Law Blog is the firm’s resource for the latest news, analysis, and thought leadership in the critical area of privacy and cybersecurity law.

Recent Blog Posts

  • Ransomware’s Exponential Growth Echoes the History of Hijackings Throughout the COVID-19 crisis, we have focused on the significant uptick in ransomware attacks.  Government agencies such as OFAC, CISA, and New York’s DFS have updated their guidance on how to prepare for and respond to such attacks and provided tools to help stop ransomware attacks.  Cybersecurity also continues to be a major focus of private enterprise.  Despite businesses and government agencies’ increased attention to ransomware, however, 2021 is shaping up to be the most profitable year for... More
  • DFS Issues New Guidance Regarding Cybersecurity Regulation and the Adoption of an Affiliate’s Cybersecurity Program On October 22, 2021, the New York State Department of Financial Services (“DFS”) issued new Guidance regarding a Covered Entity’s compliance with New York’s Cybersecurity Regulation where the Covered Entity relies on the cybersecurity programs of an Affiliate.[1]  The Guidance provides much-needed clarity on a topic that impacts many entities subject to the DFS Regulation. Background: New York’s Cybersecurity Regulation Starting in 2017, DFS set down certain minimum cybersecurity standards for New York’s financial services industry; the standards are referred... More
  • OFAC Ransomware Guidance: Prepare, Report, and (Preferably) Don’t Pay the Ransom! As we have previously reported, there has been a major uptick over the past few years—and particularly during the COVID-19 pandemic—in ransomware attacks. These attacks consist of an intrusion by a cybercriminal into the victim’s computers or network, followed by deployment of malware that encrypts the victim’s files, preventing access until a payment is made.  More recently, these ransomware attacks also include exfiltration of data as a way to generate even more leverage over the victim.  The incentives for victims... More
  • SEC Continues Pursuit of Cybersecurity Enforcement Last month, we wrote about three actions taken by the SEC signaling a renewed interest in cybersecurity disclosure enforcement.  In keeping with this theme, the SEC announced a number of significant new cybersecurity actions just last week.  On August 30, the SEC disclosed enforcement actions against eight brokerage firms for failing to implement adequate cybersecurity policies and procedures, as required by the SEC’s “Safeguards Rule.”  All eight firms agreed to settle with the SEC and will collectively pay hundreds of... More
  • Massive T-Mobile Data Breach Reignites Calls for National Privacy and Data Security Law A little over two weeks ago, T-Mobile became the latest victim of a cyberattack when more than 50 million of their customers’ data was stolen.  In the ensuing weeks, three class action suits have been filed against the telephone carrier alleging a range of violations.  Included in two of them are alleged violations of the California Consumer Privacy Act, one of them includes alleged violations of the Washington State Consumer Protection Act, and the third fails to allege any violations... More
  • Another Court Says Data Breach Investigation Report Is Fair Game In a recent ruling with important consequences for data breach litigation, a federal court in Pennsylvania ruled that Rutter’s—a Pennsylvania convenience store chain that suffered a data breach—must disclose the investigative report it commissioned from a third-party after the breach. This is a recurring issue in data breach litigation and one that has far-reaching implications for how companies respond to data breaches or other security incidents.  This is also the latest entry in an evolving, and not entirely consistent, line... More
  • Supreme Court Clarifies Standing Requirements – Implications for Class Action Defendants in Data Security, Privacy, and False Advertising Cases On June 25, the Supreme Court held in a 5-4 decision that Article III prohibits certification of a class and a damages award where the majority of class members lack actual injury.  In TransUnion v. Ramirez, the Ninth Circuit Court of Appeals had previously concluded that a class of over 8,000 individuals who could prove violations of the Fair Credit Reporting Act—and had actually proved them at trial—had standing to pursue damages at trial, even if they had not demonstrated... More
  • SEC Signals Renewed Interest in Cybersecurity Disclosure Enforcement The SEC is ramping up its cybersecurity disclosure enforcement.  While the agency had made significant efforts relating to cybersecurity disclosure previously, there has been surprisingly little SEC activity in this area since 2018—even though the last three years has seen an explosion of high-profile data security incidents.  That changed in June of this year, however, with the SEC taking three major actions that demonstrate a renewed interest in such enforcement.  First, the SEC announced its intention to issue a new... More
  • Are You Ready for Ransomware? CISA Launches New “Stop Ransomware” Website Aimed at Testing Your Cybersecurity Preparedness The federal government has been grappling with a holistic response to the massive uptick in destructive ransomware attacks that have bombarded the country in recent years.  As part of that response, the Cybersecurity and Infrastructure Security Agency (CISA) recently launched a “Stop Ransomware” website, which is aimed at helping private and public entities test and improve their cybersecurity.  Among other key features of this effort is a self-assessment tool allowing organizations to test their cybersecurity based on government and industry... More
  • Taking the Ransom Out of Ransomware? Debate on Ransomware Payments Picks Up The price tags of several high-profile ransomware attacks have made headlines over the past couple of months.  Colonial Pipeline, which supplies roughly 45% of the fuel for the East Coast, paid a $4.4 million ransom to hackers (though the FBI reportedly recovered some $2.3 million of it back).  JBS USA, a major meat processing company, paid $11 million.  With hackers making millions of dollars through single attacks, a debate has arisen about what to do, if anything, about ransomware payments. ... More