Data Security Law Blog is the firm’s resource for the latest news, analysis, and thought leadership in the critical area of privacy and cybersecurity law.

Recent Blog Posts

  • The Next Big Thing: Data Breach Securities Class Action Litigation
    Shareholders may have found a new hook for data security lawsuits. Over the past year, plaintiffs have filed nine federal class action securities fraud lawsuits against public companies after data security incidents, according to a recent Bloomberg Law study. And in each case, the company’s stock dropped after the disclosure of either a data breach or alleged data security vulnerability. The study did not find any data security related class actions filed in 2016. In earlier data breaches, it was...
  • The DFS Effect: Cyber Meets Sarbanes Oxley
    Today, financial institutions with ties to New York are spending their Valentine’s Day learning how to use the New York State Department of Financial Services (DFS) web portal. Almost a year ago, the DFS unveiled one of the most aggressive efforts in the nation to crack down on cybercrime in the banking and insurance industries. And by tomorrow, more than 3,000 firms are required to file through the agency’s online portal their first ever compliance certificate, swearing that their organization...
  • Education Department Toughens Tone on Cyber and Threatens to Pull Funding for Non-Compliance
    Recently-issued guidance from the U.S. Department of Education (ED) threatens to “yank” Title IV funding for post-secondary institutions lacking appropriate data security safeguards. The guidance comes as the risk of educational data breaches has intensified, as we have previously reported. The stakes are even higher now that ED has put Title IV recipients on notice that, beginning in fiscal year 2018, they may be subject to compliance audits regarding their data security programs. Tiina Rodrigue, Senior Advisor for Cybersecurity,...
  • “Legally Reprehensible”: Senate Chastises Uber’s Conduct in 2016 Data Breach
    On Tuesday, a Senate subcommittee grilled Uber’s Chief Information Security Officer, John Flynn, over a 2016 data breach that affected nearly 57 million drivers and riders. At the hearing, Uber faced backlash from lawmakers for its “morally wrong and legally reprehensible” conduct that “violated not only the law but the norm of what should be expected.” As we previously reported, Uber was the target of the high-profile data theft in late 2016, but did not disclose the incident until...
  • A (Secondary) Education in Data Security
    On January 18, 2018, the New York State Education Department (“NYSED”) announced that one of its vendors, Questar Assessment, experienced a data breach resulting in the unauthorized disclosure of personal information from students in five different New York schools. While the data breach reportedly affected only a small number of students that had registered for online testing in spring 2017, it nonetheless exposed sensitive personally identifiable information from those students. And despite its narrow scope, this breach potentially threatens public...
  • U.S. Supreme Court Watch: Whether to Resolve Circuit Split on Standing for Data Breach Plaintiffs
    At its first conference this month, the U.S. Supreme Court will consider whether to weigh in on a Circuit split over standing to sue in the aftermath of a data breach. In CareFirst, Inc. v. Attias, No. 17-641, CareFirst is petitioning the Court to review a decision from a federal appeals court in the District of Columbia which held that the healthcare plan’s customers had standing to sue for a data breach. This blog covered the DC Circuit’s decision in...
  • More State Data Security Regulation: North Carolina Bill Penalizes Unreasonable Data Security Practices and Requires Rapid Notification
    In a post-Equifax environment, state-level data security regulation is on the rise. And in many instances, state regulatory regimes are getting tougher. The most recent state to step up is North Carolina, which could quickly rival New York in imposing the strictest data security regulations in the country. The North Carolina bill—called “The Act to Strengthen Identity Theft Protections”—would penalize businesses that suffer breaches if they failed to maintain reasonable data security procedures and practices, as well as require rapid...
  • Insurers: Are You Ready for More Cybersecurity Regulation? The National Association of Insurance Commissioners Model Law
    At the end of last year, the National Association of Insurance Commissioners (NAIC) adopted an Insurance Data Security Model Law. The “purpose and intent” of the law is to “establish[] standards for data security and investigation and notification of data security applicable to insurance providers.” The “NAIC Model Law” is just that: a model. State legislators (or insurance commissioners) must approve and adopt the NAIC proposal. And, of course, each state is free to re-tool the Model Law as it...
  • DFS Filing “Reminder” as Deadline Looms
    For the several thousand financial institutions and insurance companies covered by New York’s landmark data security regulation, the first certification of compliance must be filed with the State’s Department of Financial Services in less than a month. Yesterday, DFS Superintendent Maria T. Vullo issued a “reminder” that the certification must be filed via the DFS cybersecurity portal on or before February 15, 2018. “The DFS compliance certificate is a critical governance pillar for the cybersecurity program of all DFS regulated...
  • Excellus Court Reverses Prior Decision: Risk of Future Identity Theft Suffices to Convey Standing in Data Breach Case
    A federal judge in New York has reinstated claims brought against a healthcare provider by customers whose personal information was exposed in the 2015 data breach of Excellus BlueCross Blue Shield. The breach affected the information of as many as 10.5 million individuals. Last week, U.S. District Judge Elizabeth A. Wolford granted plaintiffs’ motion for reconsideration and reversed her prior partial grant of a motion to dismiss, finding that the U.S. Court of Appeals for the Second Circuit was likely...