Data Security Law Blog is the firm’s resource for the latest news, analysis, and thought leadership in the critical area of privacy and cybersecurity law.

Recent Blog Posts

  • Are You Ready for Ransomware? CISA Launches New “Stop Ransomware” Website Aimed at Testing Your Cybersecurity Preparedness
    The federal government has been grappling with a holistic response to the massive uptick in destructive ransomware attacks that have bombarded the country in recent years.  As part of that response, the Cybersecurity and Infrastructure Security Agency (CISA) recently launched a “Stop Ransomware” website, which is aimed at helping private and public entities test and improve their cybersecurity.  Among other key features of this effort is a self-assessment tool allowing organizations to test their cybersecurity based on government and industry...
  • Taking the Ransom Out of Ransomware? Debate on Ransomware Payments Picks Up
    The price tags of several high-profile ransomware attacks have made headlines over the past couple of months.  Colonial Pipeline, which supplies roughly 45% of the fuel for the East Coast, paid a $4.4 million ransom to hackers (though the FBI reportedly recovered some $2.3 million of it).  JBS USA, a major meat processing company, paid $11 million.  With hackers making millions of dollars through single attacks, a debate has arisen about what to do, if anything, about ransomware payments. ...
  • New York City Enacts A Biometric Privacy Law
    Earlier this year, New York City passed a law restricting the collection and/or use of biometric technology by certain businesses.  The new law goes into effect July 9, meaning applicable businesses have a couple more weeks to prepare themselves for its requirements.  Businesses need only look to similar laws in other states, particularly Illinois, for a glimpse at the litigation that may come should they fail to abide by the new law’s provisions. What entities are covered by the act?...
  • Supreme Court Narrowly Interprets CFAA to Avoid Criminalizing “Commonplace Computer Activity”
    On June 3, 2021, the United States Supreme Court issued a 6-3 opinion in Van Buren v. United States, No. 19-783, resolving the circuit split regarding what it means to “exceed[] authorization” for purposes of the Computer Fraud and Abuse Act (the “CFAA”).  The Court held that only those who obtain information from particular areas of the computer which they are not authorized to access can be said to “exceed authorization,” and the statute does not—as the government had argued—cover...
  • Biden Administration Sets Sights on Cybersecurity with Executive Order
    The Biden Administration is zeroing in on cybersecurity.  In the wake of a high-profile wave of cyberattacks, including the SolarWinds supply chain attack and the more recent Colonial Pipeline ransomware attack, President Biden has issued an Executive Order (“EO”) designed to strengthen the federal government’s cybersecurity defenses.  And for good reason.  The SolarWinds supply chain attack in particular raises significant national security concerns, as hackers were able to access several federal agencies, including the United States Departments of Homeland Security,...
  • Second Circuit Affirms Dismissal of Class Action Based on Claimed “Increased Risk” of Harm
    Is there standing to bring a lawsuit when an employee’s personal information is mistakenly circulated to all employees at the company?  A recent decision addressed exactly this question. In McMorris v. Carlos Lopez & Assocs., LLC, No. 19-4310, 2021 WL 1603808 (2d Cir. Apr. 26, 2021), the Second Circuit affirmed the district court in finding that the harm plaintiffs alleged (an increased risk of identity theft) was too speculative and remote to satisfy the injury-in-fact requirement of Article III standing.  However,...
  • New York DFS Announces Settlement With Insurance Company Under Cybersecurity Regulation
    On April 14, 2021, the New York Department of Financial Services (“DFS”) announced a cybersecurity settlement with insurance company National Securities Corporation, which suffered four separate breaches, two of which went unreported in violation of 23 NYCRR § 500.17(a). The settlement not only includes a monetary penalty but also mandates increased training and implementation of security tools, and underscores the urgency of addressing cybersecurity threats and DFS’s increasing enforcement activity for non-compliance with its cyber regulations. The settlement, one of a...
  • New York Gets Ready to Jump on the Biometric Bandwagon
    Companies that do business in New York or with New Yorkers could soon face an onslaught of biometric privacy-related litigation, courtesy of New York Assembly Bill 27, the Biometric Privacy Act (“BPA”). Currently pending before the legislature, the bill is modeled on Illinois’ Biometric Information Privacy Act (“BIPA”) and, like that law, would impose a set of rules businesses must follow when collecting biometric information. Critically, the BPA would create a private right of action for those “aggrieved” by violations...
  • Recent Developments in the State Data-Privacy Landscape:  Is Federal Involvement the Best Way Forward?
    With a dizzying array of state privacy laws on the horizon, the prospect of a federal solution has come into sharp focus.  Rather than a patchwork of regional legislation, a comprehensive national framework would potentially govern the precautions that companies must take when electronically collecting, using and storing customers’ personal information, regardless of where in the country the company—or the consumer—is located.  That is the current situation in the European Union under the General Data Protection Regulation (GDPR), and has...
  • Beeple, Top Shots, and the Blockchain of Collectibles: Securing the Value of an Original Digital Asset
    For this post, we welcome guest contributor Anne-Laure Alléhaut from the firm’s Art and Museum Law practice group.  Ms. Alléhaut, former Senior Vice President and Associate General Counsel of Sotheby’s, Inc., concentrates her practice on all aspects of art law, working with artists, private collectors, museums, galleries, dealers, and advisors, including with respect to digital media and non-fungible tokens. A cryptocurrency entrepreneur recently paid $69.3 million for Beeple’s Everydays: The First 5,000 Days at a Christie’s auction.  That record-breaking...