Data Security Law Blog

DataSecurityLaw.com is the firm’s resource for the latest news, analysis, and thought leadership in the critical area of privacy and cybersecurity law. Patterson Belknap’s Privacy and Data Security practice provides public and private enterprises, their leadership teams and boards with comprehensive services in this critical area. Our team of experienced litigators, corporate advisors and former federal and state prosecutors advises on a broad range of privacy and data protection matters including cyber preparedness and compliance, data breach response, special board and committee representation, internal investigations, and litigation.

Forensic Analysis and Privilege in the Wake of a Data Breach

by Michael F. Buchanan, Alejandro H. Cruz, Maren J. Messing and Peter A. Nelson on March 24, 2021

In the wake of a data breach, counsel will often require the assistance of a forensic firm in order to provide legal advice to their client. The forensic analysis—which is often memorialized in a report to counsel—is crucial for counsel in understanding what occurred and formulating legal strategy relating to potential litigation and breach notification issues. For the same reasons, details of those forensic analyses and any related investigative reports are very likely to be the subject of a discovery request from plaintiffs if and when litigation ensues. Indeed, the requests for such reports are frequently a flashpoint in litigation that can determine the strength or weakness of the plaintiff’s case. Defendants typically object to producing these reports on the grounds that they fall under the attorney-client privilege and work-product protection.

Win for Walmart as District Court Gives Strict Reading to CCPA

by Lauren E. Richardson, Maren J. Messing and Michael F. Buchanan on March 18, 2021

In a win for data privacy defendants, Walmart secured a ruling that favors a narrow interpretation of the California Consumer Privacy Act (CCPA). In Gardiner v. Walmart Inc. et al, 4:20-cv-04618-JSW, a Walmart customer, Lavarious Gardiner, sued the retail company under the CCPA for failing to implement and maintain reasonable and appropriate security procedures and practices to protect information he gave to Walmart to create an account on the company’s website. As a result of an alleged, undisclosed data breach, Gardiner claimed that his personal information had been subject to unauthorized exfiltration on Walmart’s website, and sold on the dark web, exposing him to purportedly ongoing risk of financial fraud and identity theft. Gardiner’s complaint also included a summary of the results of a security scan of the Walmart website, which purported to show vulnerabilities in that website. Moreover, in a somewhat unusual twist, Gardiner claimed that he had in his possession “communications with the hackers which state that the accounts they are selling are real accounts that belong to Walmart customers.” Despite the allegations in the complaint, Walmart had never disclosed any breach and the complaint did not allege when any such breach occurred. Gardiner also brought claims for negligence, breach of contract, and violations of the UCL, all of which were dismissed for failure to plead cognizable injury

Judge Finds No Article III Standing in Proposed Class Action Against Marriott

by Maren J. Messing on March 11, 2021

The question of standing has proven to be a tricky one in data breach litigation. (See our prior coverage here and here). Last week a federal district court in Maryland rejected a proposed class action brought by Marriott guests related to a data breach suffered by the hotel chain in early 2020, finding that the plaintiffs did not have Article III standing because they could not trace any alleged injury to particular actions or inactions by Marriott. This decision is an important reminder that the fact of a breach is not itself sufficient to confer standing, even where personal data is improperly accessed. In other words, even though a company that had your data suffered a data breach, you may not have been injured by its actions.

Hack of IT Service Provider May Affect Thousands of Private Businesses

by Michael F. Buchanan, Alejandro H. Cruz, Maren J. Messing, Peter A. Nelson and Maxwell K. Weiss on December 16, 2020

On December 13, the software and service provider SolarWinds announced that its Orion software platform had been the target of a sophisticated cyber attack that may have resulted in malicious code being pushed to as many as 18,000 customers. The SolarWinds software is used by many corporate and not-for-profit entities of all sizes to monitor the health of their IT networks. Although the details of this breach are still unfolding, based on the information currently available, Orion users who updated their software between March and June of this year are potentially affected.

ABA Provides Guidance for Law Firm Data Breaches

by Maren J. Messing on November 14, 2018

Lawyers don’t get a free pass when it comes to data security. In fact, ethical rules impose a series of obligations on lawyers when they or their firms are subject to a data breach.

In a significant ethics opinion issued last month, Formal Opinion 483, Lawyers’ Obligations After an Electronic Data Breach or Cyberattack, the American Bar Association’s Standing Committee on Ethics and Professional Responsibility provides a detailed roadmap to a lawyer’s obligations to current and former clients when they learn that they – or their firm – have been the subject of a data breach.

Bull or Bear? How the Market Reacts to Data Breach News

by Maren J. Messing on October 31, 2018

Last week, Cathay Pacific Airlines Ltd., the Hong Kong-based international airline, disclosed that a hacker had broken into its computer system and accessed personal information for as many as 9.4 million travelers, representing the world’s largest reported airline data breach to date. Following the announcement, the airline’s shares sank the lowest that they’ve been in almost 9 years – tumbling nearly 7% and losing more than $200 million of in market value.

Uber’s Latest Headache

by Maren J. Messing on April 18, 2018

An expanded settlement by the Federal Trade Commission with ride-sharing giant Uber Technologies should serve as a lesson to other businesses about what happens when a company fails to disclose a data breach during an ongoing agency investigation.

Countdown to the First Annual New York DFS Cyber Regulation Certification

by Maren J. Messing on January 16, 2018

On February 15th, organizations subject to the New York Department of Financial Services Cybersecurity Regulation are required to submit their first annual certification attesting to their compliance with the state’s new data security requirements.

Government Warns of Threat Activity Targeting Critical Infrastructure through Third-Party Access

by Maren J. Messing on October 25, 2017

A cloak of secrecy usually covers covert government activities when it comes to the latest cyber threats and intelligence. But in a rare public warning, the U.S. government has warned that hackers are targeting government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors.

Follow the Money and Beware the Extra “L”: First Department Sustains Claims against Fund Administrator After Hackers Grab Millions

by Maren J. Messing on July 27, 2017

A legal feud is underway between the world’s biggest hedge fund administrator and a former client over an email scam that resulted in hackers stealing millions in client funds. And not surprisingly, the time-honored tradition of finger pointing is on full display as each party accuses the other of employing sub-par internal controls and lackluster cybersecurity standards.

Post-Spokeo Standing: An Evolving Landscape

by Maren J. Messing and Peter A. Nelson on September 6, 2016

Several recent federal court decisions have added guidance on the still-unsettled question of when a plaintiff has Article III standing to sue based on a data breach or other data security or privacy event. These cases—Attias v. CareFirst, Inc. (D.D.C.), Wood v. J. Choo USA, Inc. (S.D. Fla.), and Guarisma v. Microsoft (S.D. Fla.)—offer somewhat mixed guidance for defendants in class action privacy-related lawsuits looking to use a standing challenge as a quick escape.

FTC: Data Security Primer for Small Businesses and Start-ups

by Maren J. Messing on May 12, 2016

The Federal Trade Commission will host a one day-conference in Chicago at Northwestern’s Pritzker School of Law on June 15, 2016. This event will be the fourth of the FTC’s Start with Security Events nationwide, which build on its publication of the same title Start with Security: A Guide for Business, released last June.

FDIC & Cyber: Words of Warning to Financial Institutions and their Boards

by Maren J. Messing on February 22, 2016

Financial institutions sit atop a wealth of personal information – not to mention money. In an interconnected world in which sensitive customer information is stored on servers and in the cloud – and online and mobile banking have become the norm – the Federal Deposit Insurance Corporation (FDIC) is the latest federal regulator to warn financial institutions to make cybersecurity a top priority.

Bennek v. Home Depot and the future of Cybersecurity-related Derivative Suits

by Maren J. Messing and James Zucker on September 22, 2015

On September 2, 2015, a Home Depot shareholder sued Home Depot and twelve of its officers and directors, claiming that the Company and the directors and officers knowingly failed to ensure that Home Depot reasonably protected its customers’ personal and financial information.