Data Security Law Blog is the firm’s resource for the latest news, analysis, and thought leadership in the critical area of privacy and cybersecurity law.

Recent Blog Posts

  • DFS Issues Compliance Certificate “Reminder”
    Last week, the New York Department of Financial Services (DFS) sent notices to companies that had not yet certified their compliance with the DFS Cybersecurity Regulation. DFS not-so-gently reminds companies to submit a Notice of Exemption or a Certificate of Compliance. A copy of that notice is now available online. Even for those companies that have already certified their compliance, the notice provides some interesting information. For example: DFS explains that persons or companies that “hold more than one...
  • Monday Briefing: Hacks, Public Companies and the SEC
    With the U.S. Securities and Exchange Commission’s updated cybersecurity guidance hot off the press, let’s start the week by taking a look at public company cyberattack reporting statistics. In 2017, there were 4,732 cyberattacks on American businesses, according to the Privacy Rights Clearinghouse. That figure includes private companies so it’s only a rough guidepost for the overall magnitude of last year’s breaches. During the same time, only 24 public companies reported data breaches to the SEC, according to Audit...
  • The Equifax Breach Continues to Rage
    Six months after a massive data breach at credit reporting company Equifax, Inc. handed hackers the personal information of nearly 150 million Americans, the fallout continues. Equifax first disclosed in September that hackers used a flaw in its website software to extract the personal information of as many as 145.5 million people. The stolen data included names, Social Security numbers, birth dates, addresses, and driver’s license numbers. In just the first two months following the breach, Equifax incurred $87.5 million...
  • Facebook Loses Second Attempt to Dismiss Biometric Data Class Action
    Last week, a federal district judge in California shot down Facebook, Inc.’s second attempt to dismiss a putative class action alleging that its facial recognition software violates the Illinois Biometric Privacy Act (BIPA). The court found that plaintiffs had standing to proceed under the U.S. Supreme Court’s ruling in Spokeo, Inc. v. Robins because the alleged BIPA violation was sufficient to give rise to a “concrete injury” for purposes of bringing suit. Plaintiffs, who are Illinois residents, originally brought three...
  • The New York Times Features Op-Ed by Craig Newman: “Can the United States Search Data Overseas?”
    On February 27, 2018, The New York Times featured an op-ed written by Craig A. Newman, Chair of Patterson Belknap’s Privacy and Data Security Practice, entitled “Can the United States Search Data Overseas?” Mr. Newman discusses the critical question in United States v. Microsoft, which is pending before the Supreme Court: should U.S. law enforcement have access to emails stored outside the country? He argues that the fundamental problem of storing data across borders will not be solved by this case, and that legislative...
  • The Next Big Thing: Data Breach Securities Class Action Litigation
    Shareholders may have found a new hook for data security lawsuits. Over the past year, plaintiffs have filed nine federal class action securities fraud lawsuits against public companies after data security incidents, according to a recent Bloomberg Law study. And in each case, the company’s stock dropped after the disclosure of either a data breach or alleged data security vulnerability. The study did not find any data security related class actions filed in 2016. In earlier data breaches, it was...
  • The DFS Effect: Cyber Meets Sarbanes Oxley
    Today, financial institutions with ties to New York are spending their Valentine’s Day learning how to use the New York State Department of Financial Services (DFS) web portal. Almost a year ago, the DFS unveiled one of the most aggressive efforts in the nation to crack down on cybercrime in the banking and insurance industries. And by tomorrow, more than 3,000 firms are required to file through the agency’s online portal their first ever compliance certificate, swearing that their organization...
  • Education Department Toughens Tone on Cyber and Threatens to Pull Funding for Non-Compliance
    Recently-issued guidance from the U.S. Department of Education (ED) threatens to “yank” Title IV funding for post-secondary institutions lacking appropriate data security safeguards. The guidance comes as the risk of educational data breaches has intensified, as we have previously reported. The stakes are even higher now that ED has put Title IV recipients on notice that, beginning in fiscal year 2018, they may be subject to compliance audits regarding their data security programs. Tiina Rodrigue, Senior Advisor for Cybersecurity,...
  • “Legally Reprehensible”: Senate Chastises Uber’s Conduct in 2016 Data Breach
    On Tuesday, a Senate subcommittee grilled Uber’s Chief Information Security Officer, John Flynn, over a 2016 data breach that affected nearly 57 million drivers and riders. At the hearing, Uber faced backlash from lawmakers for its “morally wrong and legally reprehensible” conduct that “violated not only the law but the norm of what should be expected.” As we previously reported, Uber was the target of the high-profile data theft in late 2016, but did not disclose the incident until...
  • A (Secondary) Education in Data Security
    On January 18, 2018, the New York State Education Department (“NYSED”) announced that one of its vendors, Questar Assessment, experienced a data breach resulting in the unauthorized disclosure of personal information from students in five different New York schools. While the data breach reportedly affected only a small number of students that had registered for online testing in spring 2017, it nonetheless exposed sensitive personally identifiable information from those students. And despite its narrow scope, this breach potentially threatens public...