Sara A. Arrow

Sara A. Arrow, Associate

Data Security Law Blog

Visit the Full Blog

DataSecurityLaw.com is the firm’s resource for the latest news, analysis, and thought leadership in the critical area of privacy and cybersecurity law. Patterson Belknap’s Privacy and Data Security practice provides public and private enterprises, their leadership teams and boards with comprehensive services in this critical area. Our team of experienced litigators, corporate advisors and former federal and state prosecutors advises on a broad range of privacy and data protection matters including cyber preparedness and compliance, data breach response, special board and committee representation, internal investigations, and litigation.

DOJ Issues New Guidance for Charging CFAA Cases

by Sara A. Arrow and Michael F. Buchanan on May 23, 2022

In a significant development in anti-hacking criminal enforcement, the Department of Justice last week released new guidance for charging violations of the Computer Fraud and Abuse Act (“CFAA”), the nation’s premier computer crime law. Coming on the heels of a series of closely-watched legal decisions, including the Supreme Court’s 2021 decision in Van Buren v. United States, No. 19-783, the guidance clarifies the Department’s priorities for CFAA-related criminal prosecutions and seeks to create nationwide uniformity in charging decisions. In the newly-released policy, the Department makes clear its position that CFAA prosecutions should focus on unauthorized cyber intrusions made in bad faith—rather than hyper-technical or hypothetical violations of the law.

Go

Supreme Court Hears Oral Argument in Landmark CFAA Case

by Sara A. Arrow and Michael F. Buchanan on December 4, 2020

The United States Supreme Court heard oral argument on Monday in Van Buren v. United States, No. 19-783, a landmark case involving a key provision of the Computer Fraud and Abuse Act (“CFAA”).  At issue was whether a person who is authorized to access information on a computer for certain purposes violates CFAA if that person accesses the same information for unauthorized reasons.  The Court’s decision has the potential to resolve an important circuit split on the interpretation of CFAA and to define the contours of a hotly debated anti-hacking statute that applies to both criminal prosecutions and civil actions.

Go

Capital One to Pay $80 Million Fine for 2019 Data Security Hack

by Sara A. Arrow and Alejandro H. Cruz on August 14, 2020

As we previously reported, Capital One Financial Corporation announced in July 2019 a major data security breach when an individual gained unauthorized access to personal information about Capital One credit card customers.  According to the Office of the Comptroller of the Currency (“OCC”), which regulates large U.S. banks, Capital One has now agreed to pay an $80 million fine to resolve claims related to the incident.

Go

COVID-19 Cybersecurity Threats Spiral as Businesses Implement Prophylactic Security Measures

by Sara A. Arrow on April 1, 2020

As businesses increasingly shift to remote working environments, the COVID-19 public health pandemic presents new cybersecurity challenges each day.  As we discussed in our earlier post, hackers are actively targeting companies’ cloud-based remote connectivity, lack of multi-factor authentication, and potentially insecure digital infrastructure to exploit lax cyber-hygiene.  As companies struggle to maintain business continuity, the need for robust cyber security measures is more pressing than ever.

Go

SEC’s Proposed Revisions to Regulation S-K Will Minimally Impact Cybersecurity Disclosure Requirements

by Sara A. Arrow on September 23, 2019

It has been thirty years since the Securities and Exchange Commission (the “SEC”) significantly revised Regulation S-K, which sets forth reporting requirements for public companies. The SEC is now taking a fresh look at the rules, proposing for public comment amendments to modernize the description of business, legal proceedings, and risk factor disclosures that public companies must make. This represents a good opportunity to revisit key disclosure requirements—including Items 503(c) (now Item 105), 101, and 103—that are the subject of the revised guidance and that potentially impact reporting obligations associated with cybersecurity.

Go

Part II: Hidden Costs of Bug Bounty Programs

by Sara A. Arrow on September 17, 2018

Many big data and technology companies consider “bug bounty” programs – incentive-based initiatives that reward “ethical” hackers who report data security bugs or vulnerabilities – attractive and cost-effective tools for weeding out security flaws.

Go

Bug Bounty Programs: What Every Organization Needs to Know

by Sara A. Arrow on June 13, 2018

More and more companies are paying up – and paying more – to so-called “ethical” hackers who report data security bugs or vulnerabilities for a bounty.

A report released last week by Bugcrowd, a crowdsourced cybersecurity firm, says that companies are now dolling out more than ever in bug bounties. But what are bug bounty programs, and why should companies care?

Go

Former Equifax Exec Charged with Insider Trading: Underscores Need for Trading Halt Plans

by Sara A. Arrow on March 19, 2018

The Equifax hack has taken another twist – one that raises questions that every public company should consider.

Last week, federal prosecutors charged Equifax’s former Chief Information Officer, Jun Ying, with insider trading for allegedly dumping nearly $1 million in stock before the massive Equifax breach went public. He also faces civil charges filed by the U.S. Security and Exchange Commission (SEC).

Go

Education Department Toughens Tone on Cyber and Threatens to Pull Funding for Non-Compliance

by Sara A. Arrow on February 13, 2018

Recently-issued guidance from the U.S. Department of Education (ED) threatens to “yank” Title IV funding for post-secondary institutions lacking appropriate data security safeguards. The guidance comes as the risk of educational data breaches has intensified, as we have previously reported. The stakes are even higher now that ED has put Title IV recipients on notice that, beginning in fiscal year 2018, they may be subject to compliance audits regarding their data security programs.

Go