DataSecurityLaw.com is the firm’s resource for the latest news, analysis, and thought leadership in the critical area of privacy and cybersecurity law. Patterson Belknap’s Privacy and Data Security practice provides public and private enterprises, their leadership teams and boards with comprehensive services in this critical area. Our team of experienced litigators, corporate advisors and former federal and state prosecutors advises on a broad range of privacy and data protection matters including cyber preparedness and compliance, data breach response, special board and committee representation, internal investigations, and litigation.
The federal government’s record for effective cyber defenses of its own websites has not been stellar over the past few years. Federal government agencies ranging from the Office of Personnel Management to the National Archives have suffered data breaches, as have nearly a dozen other agencies.
In our third and final installment on the California Consumer Privacy Act’s (CCPA) expansive definition of “personal information,” we look at other sections of the CCPA that either limit the applicability of the law’s “personal information” definition or exclude information from coverage under the law.
When you think about reporting a healthcare data breach to authorities, family-owned furniture manufacturers nestled in the serenity of North Carolina aren’t exactly at the top of the list.
Our three-part series on the California Consumer Privacy Act’s (CCPA) expansive definition of “personal information” is designed to help businesses identify whether they hold information covered under the law, while also highlighting the potential pitfalls in the definition as we await interpretative regulations from the California Attorney General and potential amendments from the state’s legislature. In Part I, we explored the breadth of the definition. We now turn to the law’s two explicit exclusions from the definition of “personal information.”
The incoming chief of New York’s top financial services regulator called cybersecurity “the number one threat facing all industries and governments globally” during a speech on Friday, April 12, 2019 at the Association of the Bar of the City of New York.
The nation’s top law enforcement agency is rebooting its cybercrime capabilities.
In an effort to keep up with the evolving threats against property, critical infrastructure and human life posed by cyber-attacks –especially those launched by foreign adversaries – the Federal Bureau of Investigation is seeking to reposition its priorities and fortify its capacity to fight cybercrime.
Companies from California to New York are already scrambling to comply with a growing patchwork of privacy laws covering both businesses and consumers.
Almost weekly, it seems there is another news article about a bug bounty program sponsored by a major corporation where an amateur hacker – often a teenager – is paid a sizeable sum of money for finding a bug in a company’s operating system or code. Often, these articles describe just how much money these teens make from bug bounty programs; one headline from March 12, 2019 describes how bug bounty programs have made “one teen a millionaire hacker.” In another from February 2019, Apple paid a 14-year-old hacker an undisclosed sum after he found a security flaw in FaceTime.
When New York’s far-reaching cybersecurity law for financial institutions was enacted more than two years ago, some predicted it would serve as a national blueprint for future data security laws. Now, as the U.S. Federal Trade Commission considers changes to two privacy rules designed to safeguard customer information held by financial institutions, the proposed changes to one law – the Safeguards Rule – hue closely to a handful of requirements already in place in New York.
When we hear about discovery abuses in litigation, we often think of overzealous lawyers using obstructionist tactics. Such behavior, however, rarely involves litigants “improperly accessing” the email communications of an adversary or accessing privileged attorney-client communications that disclose litigation strategies.
Before investing in a company, would you want to know whether the board of directors had cybersecurity expertise?
A bipartisan group of senators have proposed a bill, Senate Bill 592, that would require every public company to disclose the cybersecurity background of its directors, and, if none exists, explain why the company doesn’t believe it is necessary.
Many consumers have become painfully aware of the risks that data breaches pose in a digital world. And now, their legal claims may not be ultimately decided by a judge or jury but sent off to arbitration.
The use of biometric technology is fast becoming the next big thing in privacy litigation. There was last month’s decision by the Illinois Supreme Court that upheld a consumer’s right to sue companies for collecting biometric data – such as fingerprints and iris scans – without first disclosing how such information will be used. See our blog on that ruling here.
A recent report by the Government Accountability Office (GAO) is recommending that Congress adopt comprehensive federal data privacy legislation. The GAO’s proposal is, in part, meant to address limitations of the current privacy regulatory landscape, which is mostly piecemeal, industry-specific regulation at both the federal and state levels. The GAO’s 56-page report follows more than a year of interviews with officials from various federal agencies that have taken active roles in data security issues, including the Federal Trade Commission (FTC), Federal Communications Commission, and the Consumer Financial Protection Bureau, as well as stakeholders from industry and academia.
It’s been almost two years since New York’s top banking regulator implemented one of the nation’s most stringent cybersecurity regulations. Since then, thousands of financial institutions have recruited chief information security officers, implemented cybersecurity programs, performed penetration testing, and imposed encryption requirements on their most sensitive information.
Last month, the U.S. Securities and Exchange Commission charged nine defendants with hacking into the agency’s EDGAR system – the online platform used by public companies for making their public filings – and stealing material nonpublic information to use for illegal trading purposes.
It’s a marathon month for the thousands of financial institutions and insurance companies covered by New York’s landmark cybersecurity regulation. In little more than a week, these businesses must file their second annual certification of compliance with the State’s Department of Financial Services. Two weeks later, they must also come into compliance with the regulation’s third-party vendor requirements, the final milestone in the two-year roll out of the cybersecurity regulation.
In a country renowned for protecting the privacy of its citizens, Germany has undertaken a pilot that does just the opposite. In a trade off between privacy and convenience, German residents can enroll in a digital service where their mail is emailed to them anywhere in the world.
An obscure federal law called the SAFETY Act recently captured national headlines when MGM Resorts International invoked it in a series of pre-emptive, declaratory judgment law suits against the victims of the 2017 Harvest Festival Las Vegas shooting. MGM sued the victims in an effort to avoid liability in connection with the tragedy. MGM owns the Mandalay Bay hotel, where Stephen Paddock, from his 32nd floor suite, shot and killed 58 people and wounded hundreds more who were attending a music festival next door.
In a ruling with wide-spread implications, the Illinois Supreme Court on Friday upheld a consumer’s right to sue companies for collecting biometric data – such as finger prints and iris scans – without disclosing how such information will be used.
The New York Times featured an op-ed last week written by Craig A. Newman, Chair of Patterson Belknap’s Privacy and Data Security Practice, entitled “Lessons for Corporate Boardrooms From Yahoo’s Cybersecurity Settlement.” In the op-ed, Mr. Newman discusses how the January 2019 settlement “marked the first time that shareholders have been awarded monetary damages in a derivative lawsuit related to a data breach.” Mr. Newman notes, “the settlement signals that director and officer liability for cybersecurity oversight is entering new and potentially perilous territory.”
To read the full article, click here.
In a four-part publication, a Task Force that included the Department of Health and Human Services (HHS) and private sector industry leaders released guidance for the healthcare industry on cybersecurity best practices. The guidance, Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients, focuses on healthcare providers, payors and pharmaceutical companies.
With full implementation of New York’s groundbreaking cybersecurity regulation only six weeks away, the state’s top banking regulator took the opportunity to praise the many financial institutions that have adopted systems to better protect consumers from cybercrime.
Among other things, 2018 was the year of the shareholder data breach stock-drop lawsuit. As we’ve previously reported, it was the year that shareholders began routinely suing companies after an announcement of a data breach, seeking damages for a hit to the company’s stock price.
Yesterday, a Superior Court judge in Santa Clara, California approved what is believed to be the first monetary award to a company in a data breach-related derivative lawsuit. Until now, such breach-related derivative cases have settled through a combination of governance changes and modest awards of attorney’s fees.
Businesses covered by the recently enacted California Consumer Privacy Act of 2018 (CCPA) are scrambling to comply with the statute, which becomes “operative” on January 1, 2020, unless that date is changed by the California legislature. As we have noted in earlier blog posts, the CCPA is the most sweeping privacy law in the U.S. and has significant implications for any business that falls within its coverage.
Yesterday, by e-mail and on its website, the California Department of Justice (DOJ) announced that it would hold “six statewide forums to collect feedback” in advance of the rulemaking process for the California Consumer Privacy Act (CCPA). The announcement did not include proposed rules or regulations, which must be adopted by July 1, 2020.
Investment advisers may want to think twice before texting clients any advice in the New Year.
In a recently issued Risk Alert, the U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) reminded investment advisers of their obligations under the Investment Advisers Act of 1940 (Advisers Act) when they or their personnel use electronic messaging for business-related communications.
With the New Year fast approaching, so begins the one-year countdown to the California Consumer Privacy Act, or CCPA, going into effect.
Wire fraud committed by cybercriminals is not a new phenomenon. The FBI and other government agencies have regularly warned against wire fraud scams—called “business email compromises” or BECs—where criminals pose as vendors or company executives and use email to dupe company insiders into wiring money into bank accounts controlled by the perpetrators. And in some instances, the amounts involved are staggering.
With the year quickly coming to a close, it’s time for organizations covered by New York’s Cybersecurity Regulation for Financial Service Companies to take stock of their compliance efforts before popping any champagne corks to usher in the New Year.
Protecting children’s online privacy remains a point of focus for the New York Attorney General. That’s the upshot of the recent record-setting settlement with Oath Inc. – formerly AOL, Inc. – for violating the Children’s Online Privacy Protection Rule (COPPA).
It’s been a busy year for the Cyber Unit at the Securities and Exchange Commission. During 2018, the SEC brought 20 stand-alone cases related to cybersecurity, and has 225 cyber-related investigations that it deems “ongoing.” That’s according to the enforcement division’s 2018 Annual Report.
Cybersecurity has played an important role in the U.S. Securities and Exchange Commission’s regulatory agenda during the past year.
And it’s likely to become even more important in 2019.
Yesterday, the United States indicted two Iranian hackers for their roles in a series of major ransomware attacks that started in 2016 and lasted almost three years. The attacks crippled schools, hospitals, the private sector, and government agencies, causing tens of millions of dollars in damage.
The Pennsylvania Supreme Court handed the state’s employees a major legal victory last week when it decided that employers have an affirmative legal responsibility to protect the confidential information of its employees.
Here’s a striking fact. So far this year, there have been 316 healthcare data security breaches reported to the federal government. This statistic includes incidents reported by health plans, healthcare providers and healthcare clearing houses.
Lawyers don’t get a free pass when it comes to data security. In fact, ethical rules impose a series of obligations on lawyers when they or their firms are subject to a data breach.
In a significant ethics opinion issued last month, Formal Opinion 483, Lawyers’ Obligations After an Electronic Data Breach or Cyberattack, the American Bar Association’s Standing Committee on Ethics and Professional Responsibility provides a detailed roadmap to a lawyer’s obligations to current and former clients when they learn that they – or their firm – have been the subject of a data breach.
MGM Resorts International has hit the pause button in its gambit to shield itself from liability stemming from the October 2017 shooting at the Mandalay Bay Hotel in Las Vegas.
As we reported previously, MGM has brought more than a dozen declaratory judgment lawsuits against the victims in the deadliest mass shooting in modern U.S. history, arguing that claims against the casino giant are barred by federal law. MGM has released a statement saying it hopes to avoid years of litigation by exploring potential settlement options, and adding that “years of protracted litigation is in no one’s best interest.”
We’ve blogged previously about the patchwork of state data privacy laws, and the challenges it poses for multinational businesses. Now, U.S. companies need to beware of our neighbor to the north as well: Canada has enacted a new breach notification regulation that may have implications well beyond its geographical borders.
Starting today, Ohio businesses with written cybersecurity programs will be looking for a free pass if they are sued under state law over a data breach.
Ohio’s Data Protection Act (Senate Bill 220, Ohio Rev. Code § 1354.01, et seq.) goes into effect today, creating a safe harbor from tort liability for businesses that meet specific cybersecurity standards. The law won’t prevent litigation over a data breach, but provides an affirmative defense to companies hit with such claims if they have met the requirements of the new law. This includes adopting data security policies that conform to a number of existing industry standards including the NIST Cybersecurity Framework.
Last week, Cathay Pacific Airlines Ltd., the Hong Kong-based international airline, disclosed that a hacker had broken into its computer system and accessed personal information for as many as 9.4 million travelers, representing the world’s largest reported airline data breach to date. Following the announcement, the airline’s shares sank the lowest that they’ve been in almost 9 years – tumbling nearly 7% and losing more than $200 million of in market value.
Late last week, the Office of Civil Rights for the Department of Health and Human Services (OCR) announced a $16 million settlement with health-insurance company Anthem, Inc. The settlement amount is nearly three times larger than any prior settlement with the OCR.
The federal government’s top healthcare insurance agency has suffered an apparent data breach.
Late Friday, the U.S. Centers for Medicare and Medicaid Management (CMS) disclosed that 75,000 patient records had been compromised by hackers. Few other details have been released.
A recent data breach at Chegg Inc., the online educational technology company, serves as the most recent reminder that the education sector remains a target for hackers.
Last month, Chegg reported, on a Form 8-K disclosure filed with the Securities Exchange Commission, that it had experienced a security breach in which an “unauthorized party gained access to a Company database that hosts user data for chegg.com.”
The U.S. Securities & Exchange Commission has issued a stern warning to every financial firm and board of directors under its watchful eye: get your cybersecurity programs in shape or face the consequences.
And it’s doubtful the SEC’s admonition is limited to the financial sector.
This is the second post in our two-part series about DOJ’s revised guidance on its “Best Practices for Victim Response and Reporting Cyber Incidents.” In the first installment, we looked at DOJ’s recommendations for preparedness. Today, we turn to the basics of data breach incident response and a list of DOJ’s “don’ts” when dealing with a hacker.
The Food and Drug Administration is stepping up its game with respect to the cybersecurity of medical devices.
On Monday, the agency announced its launch of a preparedness and response “playbook” to address threats to medical device cybersecurity. The move cited an uptick in cyber-attacks and the potential for bad actors to exploit medical devices.
The U.S. Department of Justice is increasing its outreach to the private sector on all things cyber.
Last week, the DOJ’s Criminal Division held a cybersecurity roundtable to discuss challenges in handling data breach investigations. As part of the roundtable discussion, the DOJ issued revised guidance on its “Best Practices for Victim Response and Reporting Cyber Incidents.” The Best Practices guidance, summarized below, is the result of the DOJ’s outreach efforts concerning ways in which the government can work more effectively with the private sector to address cybersecurity challenges. The goal of the roundtable discussion, which started in 2015, is to foster and enhance cooperation between law enforcement and data breach victims, and to also encourage information sharing.
