Data Security Law Blog

DataSecurityLaw.com is the firm’s resource for the latest news, analysis, and thought leadership in the critical area of privacy and cybersecurity law. Patterson Belknap’s Privacy and Data Security practice provides public and private enterprises, their leadership teams and boards with comprehensive services in this critical area. Our team of experienced litigators, corporate advisors and former federal and state prosecutors advises on a broad range of privacy and data protection matters including cyber preparedness and compliance, data breach response, special board and committee representation, internal investigations, and litigation.

Are You Ready for Ransomware? CISA Launches New “Stop Ransomware” Website Aimed at Testing Your Cybersecurity Preparedness

by Peter A. Nelson and W. Scott Kim on August 2, 2021

The federal government has been grappling with a holistic response to the massive uptick in destructive ransomware attacks that have bombarded the country in recent years. As part of that response, the Cybersecurity and Infrastructure Security Agency (CISA) recently launched a “Stop Ransomware” website, which is aimed at helping private and public entities test and improve their cybersecurity. Among other key features of this effort is a self-assessment tool allowing organizations to test their cybersecurity based on government and industry recommendations and standards. This is a potentially useful addition to any organization’s cyber preparedness toolkit. They may also become another benchmark against which the “reasonableness” of any company’s data security protections are measured when facing private claims or regulatory scrutiny after a ransomware attack.

New York City Enacts A Biometric Privacy Law

by W. Scott Kim and Michael F. Buchanan on June 24, 2021

Earlier this year, New York City passed a law restricting the collection and/or use of biometric technology by certain businesses. The new law goes into effect July 9, meaning applicable businesses have a couple more weeks to prepare themselves for its requirements. Businesses need only look to similar laws in other states, particularly Illinois, for a glimpse at the litigation that may come should they fail to abide by the new law’s provisions.

Beeple, Top Shots, and the Blockchain of Collectibles: Securing the Value of an Original Digital Asset

by W. Scott Kim, Anne-Laure Alléhaut and Alejandro H. Cruz on April 5, 2021

A cryptocurrency entrepreneur recently paid $69.3 million for Beeple’s Everydays: The First 5,000 Days at a Christie’s auction. That record-breaking price purchased a work of art that can be seen only on a computer and the image of which, in large part, is available for use and enjoyment by anyone with an internet connection because the work is a non-fungible token, or NFT. NFTs have quickly caught the attention of the art world and beyond, touching the mainstream with the NBA Top Shot craze and its $250 million plus marketplace for visual highlights of NBA games. The company behind NBA Top Shot, Dapper Labs, recently raised $250 million at a $2 billion valuation. And the larger market for NFTs has grown from $42 million in 2017 to $338 million by the end of 2020. But for intangible assets whose value is largely driven by the creation of an original work only in cyberspace, owners and investors need to think carefully about what they own and how to protect their digital acquisitions.

Government Warns of New Cyber Threats Targeting U.S. Businesses

by Alejandro H. Cruz and W. Scott Kim on September 21, 2020

The Cybersecurity and Infrastructure Security Agency (CISA) teamed up with the Federal Bureau of Investigation (FBI) to issue a joint warning of cyber-attacks emanating from Iran and targeting U.S. federal agencies and businesses. These hackers target vulnerabilities in virtual private networks (VPNs), which organizations use to allow remote network access. Once the hackers gain access through a VPN, they export data, sell access to the network, and have the ability to install ransomware. This is just the latest example of criminals exploiting vulnerabilities associated with the current remote working environment.

Privacy Suits Against Zoom and Houseparty Test the CCPA’s Private Right of Action

by W. Scott Kim, Jonathan (Yoni) Schenker and Alejandro H. Cruz on April 28, 2020

Over the past month, many have discovered video chat and conferencing apps such as Zoom and Houseparty, using them for both business and to keep connected to friends and family during this period of global social distancing. Increased usage of these apps has also resulted in close scrutiny of their privacy practices by the public and government authorities. Indeed, Zoom has been hit with eight class actions that were recently consolidated, while separate plaintiffs sued the owners of Houseparty. A core allegation among those suits is that, without notice or consent, these apps provided user data to third parties (e.g., Facebook). Both the Houseparty complaint and a majority of the Zoom complaints allege violations of the California Consumer Privacy Act (CCPA), making these cases among the first with the potential to test the contours of the nascent but expansive privacy law. If the CCPA claims in these suits survive, it could signal the beginning of a substantial increase in class actions claiming CCPA violations.

Court Approves Historic Equifax Data Breach Settlement

by W. Scott Kim and Michael F. Buchanan on January 27, 2020

The aftermath from one of the largest data breaches in U.S. history is nearing the end, as the presiding judge approved a proposed class action settlement resolving claims arising from Equifax’s September 2017 data breach. As previously reported, approximately 147.9 million U.S. consumers’ personal information was compromised by that breach.

Home Depot Joins Facebook and Others in Facing Suit for Scanning Faces

by W. Scott Kim and Michael F. Buchanan on September 16, 2019

This past week, The Home Depot, Inc. became the latest business hit with a class action lawsuit for their use of facial recognition security cameras allegedly in violation of the Illinois Biometric Information Privacy Act. If successful, Home Depot faces statutory damages of up to $5,000 for each time a shopper’s information was collected in violation of BIPA.

New York’s SHIELD Act Heads to the Governor’s Desk

by W. Scott Kim and Alejandro H. Cruz on July 9, 2019

The New York State Senate recently passed The Stop Hacks and Improve Electronic Data Security Act, or SHIELD Act, leaving only the Governor’s signature as the final step to the SHIELD Act becoming the country’s newest—and one of the most stringent—breach notification laws. Given Governor Cuomo’s previous support for robust cybersecurity protections, New York may soon join a growing number of states beefing up their notification statutes.

Illinois Biometric Law: Scanning Fingerprints Can Get You Sued

by W. Scott Kim on January 28, 2019

In a ruling with wide-spread implications, the Illinois Supreme Court on Friday upheld a consumer’s right to sue companies for collecting biometric data – such as finger prints and iris scans – without disclosing how such information will be used.

Texting Clients and Using Social Media? SEC Issues Compliance Reminder to Investment Advisers

by W. Scott Kim on January 2, 2019

Investment advisers may want to think twice before texting clients any advice in the New Year.

In a recently issued Risk Alert, the U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) reminded investment advisers of their obligations under the Investment Advisers Act of 1940 (Advisers Act) when they or their personnel use electronic messaging for business-related communications.

Study Shows Banks Block 80% of Cyberattacks … But is that Enough?

by W. Scott Kim and Michael F. Buchanan on September 20, 2018

In Accenture’s 2018 State of Cyber Resilience for Banking & Capital Markets study, the consulting firm reported the rate at which cyber-attacks on banking and capital markets firms are successful dropped from 36 percent in 2017 to 15 percent in 2018. Despite the improvement, one in seven cyber-attacks remain successful – begging the broader question of what else, if anything, banks and capital market firms could be doing to protect themselves from attack?

Hospital Hit with $4.3 Million Fine for “Snail’s Pace” HIPAA Compliance

by W. Scott Kim on June 25, 2018

Healthcare organizations take note: not following your own data security rules can be costly, very costly. And the more time it takes to comply, the faster the fines stack up.

Wearable Technology Fits into Professional Sports

by W. Scott Kim and Peter A. Nelson on May 14, 2018

Professional athletes, teams, and leagues have embraced wearable technology. But as this new technology becomes ubiquitous, a new category of valuable—and personally sensitive—data has emerged, raising novel data security issues and incentives for would-be hackers.

Avatars, Facial Scans & Virtual Basketball: Second Circuit Tosses Biometric Privacy Case

by W. Scott Kim on December 14, 2017

A recent federal appellate ruling delivered a significant blow to invasion of privacy claims based on facial recognition technology used to scan users’ faces that are then put on their personalized players “in-game,” allowing them to play side-by-side with basketball stars in a popular video game.