Data Security Law Blog

DataSecurityLaw.com is the firm’s resource for the latest news, analysis, and thought leadership in the critical area of privacy and cybersecurity law. Patterson Belknap’s Privacy and Data Security practice provides public and private enterprises, their leadership teams and boards with comprehensive services in this critical area. Our team of experienced litigators, corporate advisors and former federal and state prosecutors advises on a broad range of privacy and data protection matters including cyber preparedness and compliance, data breach response, special board and committee representation, internal investigations, and litigation.

Hack of IT Service Provider May Affect Thousands of Private Businesses

by Michael F. Buchanan, Alejandro H. Cruz, Maren J. Messing, Peter A. Nelson and Maxwell K. Weiss on December 16, 2020

On December 13, the software and service provider SolarWinds announced that its Orion software platform had been the target of a sophisticated cyber attack that may have resulted in malicious code being pushed to as many as 18,000 customers. The SolarWinds software is used by many corporate and not-for-profit entities of all sizes to monitor the health of their IT networks. Although the details of this breach are still unfolding, based on the information currently available, Orion users who updated their software between March and June of this year are potentially affected.

ABA Provides Guidance for Law Firm Data Breaches

by Maren J. Messing on November 14, 2018

Lawyers don’t get a free pass when it comes to data security. In fact, ethical rules impose a series of obligations on lawyers when they or their firms are subject to a data breach.

In a significant ethics opinion issued last month, Formal Opinion 483, Lawyers’ Obligations After an Electronic Data Breach or Cyberattack, the American Bar Association’s Standing Committee on Ethics and Professional Responsibility provides a detailed roadmap to a lawyer’s obligations to current and former clients when they learn that they – or their firm – have been the subject of a data breach.

Bull or Bear? How the Market Reacts to Data Breach News

by Maren J. Messing on October 31, 2018

Last week, Cathay Pacific Airlines Ltd., the Hong Kong-based international airline, disclosed that a hacker had broken into its computer system and accessed personal information for as many as 9.4 million travelers, representing the world’s largest reported airline data breach to date. Following the announcement, the airline’s shares sank the lowest that they’ve been in almost 9 years – tumbling nearly 7% and losing more than $200 million of in market value.

Uber’s Latest Headache

by Maren J. Messing on April 18, 2018

An expanded settlement by the Federal Trade Commission with ride-sharing giant Uber Technologies should serve as a lesson to other businesses about what happens when a company fails to disclose a data breach during an ongoing agency investigation.

Countdown to the First Annual New York DFS Cyber Regulation Certification

by Maren J. Messing on January 16, 2018

On February 15th, organizations subject to the New York Department of Financial Services Cybersecurity Regulation are required to submit their first annual certification attesting to their compliance with the state’s new data security requirements.

Government Warns of Threat Activity Targeting Critical Infrastructure through Third-Party Access

by Maren J. Messing on October 25, 2017

A cloak of secrecy usually covers covert government activities when it comes to the latest cyber threats and intelligence. But in a rare public warning, the U.S. government has warned that hackers are targeting government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors.

Follow the Money and Beware the Extra “L”: First Department Sustains Claims against Fund Administrator After Hackers Grab Millions

by Maren J. Messing on July 27, 2017

A legal feud is underway between the world’s biggest hedge fund administrator and a former client over an email scam that resulted in hackers stealing millions in client funds. And not surprisingly, the time-honored tradition of finger pointing is on full display as each party accuses the other of employing sub-par internal controls and lackluster cybersecurity standards.

Post-Spokeo Standing: An Evolving Landscape

by Maren J. Messing and Peter A. Nelson on September 6, 2016

Several recent federal court decisions have added guidance on the still-unsettled question of when a plaintiff has Article III standing to sue based on a data breach or other data security or privacy event. These cases—Attias v. CareFirst, Inc. (D.D.C.), Wood v. J. Choo USA, Inc. (S.D. Fla.), and Guarisma v. Microsoft (S.D. Fla.)—offer somewhat mixed guidance for defendants in class action privacy-related lawsuits looking to use a standing challenge as a quick escape.

FTC: Data Security Primer for Small Businesses and Start-ups

by Maren J. Messing on May 12, 2016

The Federal Trade Commission will host a one day-conference in Chicago at Northwestern’s Pritzker School of Law on June 15, 2016. This event will be the fourth of the FTC’s Start with Security Events nationwide, which build on its publication of the same title Start with Security: A Guide for Business, released last June.

FDIC & Cyber: Words of Warning to Financial Institutions and their Boards

by Maren J. Messing on February 22, 2016

Financial institutions sit atop a wealth of personal information – not to mention money. In an interconnected world in which sensitive customer information is stored on servers and in the cloud – and online and mobile banking have become the norm – the Federal Deposit Insurance Corporation (FDIC) is the latest federal regulator to warn financial institutions to make cybersecurity a top priority.

Bennek v. Home Depot and the future of Cybersecurity-related Derivative Suits

by Maren J. Messing and James Zucker on September 22, 2015

On September 2, 2015, a Home Depot shareholder sued Home Depot and twelve of its officers and directors, claiming that the Company and the directors and officers knowingly failed to ensure that Home Depot reasonably protected its customers’ personal and financial information.