Home > Insights > Blogs > Cybersecurity Bits and Bytes

Cybersecurity Bits and Bytes

Cybersecurity Bits and Bytes

(By accessing, browsing or using the pages below, you agree to the Blog Conditions of Use/Disclaimer available under "Links.")


Fifteen Attorneys General Ask Congress Not to Replace State Privacy Laws With Federal Law

Luke Sosnicki May 10, 2024
Padlock sitting on a motherboard

In a May 8, 2024 letter signed by the attorneys general of fourteen other states, California’s Attorney General Rob Bonta urged Congress not to pass a version of the American Privacy Rights Act (APRA) that would preempt state consumer privacy laws. A copy of the letter can be found here. READ MORE

BIPA Update: Illinois Is One Step Closer to Amending How Damages Accrue under BIPA!

The Illinois Senate recently passed legislation by a 46-13 vote that would significantly amend the Illinois Biometric Information Privacy Act (“BIPA”).[1] Senate Bill 2979 (“SB2979’), which Senate President Pro Tempore William Cunningham introduced, includes a significant benefit to corporations, employers, and other private entities in Illinois by clarifying that, in a case where the same violation occurs more than once, it would constitute only one violation for purposes of statutory damages.[2] Currently, courts have interpreted BIPA to permit for an accrual of claims for the same violation, which can lead to catastrophic-like damages. The bill now advances to the State’s House of Representatives for possible hearings and a vote. READ MORE

BIPA Update: Another Amendment Attempt for Illinois Privacy Law

In the Illinois Senate, a recently proposed Biometric Information Privacy Act (BIPA) amendment seeks to change how BIPA claims accrue, limiting the amount of damages available in instances where there are multiple violations. READ MORE

California AG Announces Second Settlement Under the California Consumer Privacy Act

Luke Sosnicki February 28, 2024

California Attorney General Rob Bonta announced a settlement between the State of California and DoorDash on February 21, 2024, regarding allegations that DoorDash violated the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA) by selling its California customers’ personal information without providing notice or an opportunity to opt out. READ MORE

California Chamber Seeks State Supreme Court Review of Privacy Act Enforcement

Luke Sosnicki February 28, 2024

The California Chamber of Commerce filed a petition to the California Supreme Court on February 20, 2024, seeking review of a February 9, 2024 appellate decision that paved the way for the state’s privacy enforcement agency, the California Privacy Protection Agency (CPPA), to start enforcing the California Privacy Right Act’s updated regulations immediately. READ MORE

NY Department of Financial Services Updates Regulations on Cybersecurity

James Shreve December 5, 2023

The New York Department of Financial Services (NYDFS) finalized amendments to its cybersecurity regulations on November 1, 2023, marking a significant update in the state's approach to cyber threats. The process involved multiple stages, starting with a pre-proposal in July 2022, followed by two additional proposals in November 2022 and June 2023. The final version, which incorporated feedback from various stakeholders, introduced several key changes and clarifications from earlier drafts. READ MORE

FTC Issues Final Rule on New Breach Notice Requirement for Non-Bank Financial Institutions

James Shreve November 28, 2023
Cybersecurity_default blog

On October 27, 2023, the Federal Trade Commission (FTC) announced a significant amendment to the agency’s Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA). This amendment, reflecting an increasingly strident stance by the FTC on cybersecurity topics, mandates that non-banking financial institutions report certain data breaches and security events. Interestingly, the prudential banking regulators introduced data breach notice requirements, using GLBA authority in 2005. READ MORE

CPPA’s Deputy Director of Enforcement Promises Vigorous Action by Expanded Enforcement Staff

A statue of Justice in front of the California flag

On Friday, July 14, the California Privacy Protection Agency (“CPPA”) Board held a public meeting to address a broad, fourteen-point agenda that ranged from updates on the Agency’s budget to the status of ongoing rulemaking to enforcement. READ MORE

BIPA litigation update: Cothron’s impact and employer BIPA defense affirmed

fingerprint scan

The Illinois Supreme Court’s most recent rulings have cut both ways while further clarifying the contours of litigating Illinois Biometric Information Privacy Act (“BIPA”) claims. On one hand, its decision in the Cothron v. White Castle System case seemingly continues its trend to expand theoretical BIPA liability by both greatly magnifying the scope of theoretical liquidated damages while spurring even more litigation. READ MORE

SEC releases long-awaited proposal to revise Regulation S-P

James Shreve May 2, 2023
Cybersecurity_default blog

On March 15th, the Securities and Exchange Commission (“SEC”) issued a proposed rule to revise Regulation S-P (“Proposed Regulation S-P”) which implements the privacy and security requirements of the Gramm-Leach-Bliley Act (“GLBA”) and certain other laws. The new proposed rule was issued almost exactly 15 years after the SEC issued proposed, but never finalized, revisions to Regulation S-P. On the same day, the SEC released a proposed cybersecurity risk proposed rule for several types of regulated securities entities (“Cyber Risk Proposal”). READ MORE

Blog Browse: FSA issues GLBA Safeguards Rule guidance

March 10, 2023
digital security concept

In February, the Federal Student Aid (FSA) office of the U.S. Department of Education issued Electronic Announcement General-23-09 on the updated and strengthened requirements of the Federal Trade Commission’s (FTC) Gramm-Leach-Bliley Act Safeguards Rule. The new Electronic Announcement summarizes many of the requirements added by the FTC in the Safeguards Rule, most of which become effective June 9, 2023. READ MORE

FTC issues fine to GoodRx over information sharing

pharmacist using mobile smart photo

The Federal Trade Commission (“FTC”) has kicked off what may be a new wave of digital health compliance enforcement. On February 1, 2023, the FTC announced its first enforcement action under the Health Breach Notification Rule. READ MORE

Transportation Security Administration releases security directive on railroad cybersecurity mitigation actions and testing

railroad food

On October 24, 2022, the Transportation Security Administration (“TSA”) released Security Directive 1580/82-2022-01 regarding “Rail Cybersecurity Mitigation Actions and Testing.” The directive is applicable to freight railroad carriers identified in 49 C.F.R. 1580.101 and other TSA-designated freight and passenger railroads. READ MORE

California issues first fine under CCPA


On August 24, 2022, California Attorney General Rob Bonta announced a $1.2 million settlement with cosmetics retailer Sephora resolving alleged violations of the California Consumer Privacy Act (CCPA). Although the CCPA has been in effect since January 2020, this marks the first time that an enforcement action under the statute has led to fines for a business. READ MORE

FTC solicits feedback on advance notice of proposed rulemaking related to commercial surveillance and data security practices


On August 22, 2022, the Federal Trade Commission (“FTC”) published an advance notice of proposed rulemaking (“ANPR”) that requests “public comment on the prevalence of commercial surveillance and data security practices that harm consumers. The ANPR contains 95 questions for consideration and comment. READ MORE

Utah and Connecticut enact comprehensive data privacy laws

data privacy

Connecticut and Utah both enacted comprehensive privacy laws this spring. On March 24, 2022, Utah became the fourth state to enact a comprehensive data privacy law when Governor Spencer Cox signed Senate Bill 227, known as the Utah Consumer Privacy Act (“UCPA”). Connecticut Governor Ned Lamont signed Public Act No. 22-15, “An Act Concerning Personal Data Privacy and Online Privacy” on May 10. READ MORE

SEC proposes new cybersecurity requirements for public companies

James Shreve March 24, 2022

On March 9, 2022, the U.S. Securities and Exchange Commission (SEC) proposed rules on cybersecurity risk management, strategy, governance, and incident disclosure by public companies. The proposed rules would require, among other things, periodic disclosures about a company's policies and procedures to identify and manage cybersecurity risks. READ MORE

Numerous privacy bills introduced in California legislature

Padlock sitting on a motherboard

Multiple privacy bills were introduced in California on or just before February 18, 2022, the last day for bills to be introduced in the legislature’s current session. READ MORE

Texas sues Meta for alleged violations of Texas biometric law


On Monday, February 14, 2022, the State of Texas by and through the Attorney General of Texas, Ken Paxton, filed suit against Meta Platforms, Inc. for alleged violations of the state’s biometric and deceptive trade practices laws. READ MORE

SEC announces proposed rule related to cybersecurity risk management for investment advisers

Cybersecurity_default blog

On February 9, 2022, the SEC announced proposed rules under the Investment Advisers Act of 1940 and the Investment Company Act of 1940. READ MORE

Federal Trade Commission publishes final updated Safeguards Rule


On October 27, 2021, the Federal Trade Commission (“FTC”) announced significant updates to the Safeguards Rule. The FTC asked for comments on the Rule in 2019, and held a public workshop on the Rule in 2020. The Final Rule was published in the Federal Register on December 9, 2021. The Rule is effective on January 10, 2022, however, most of the substantive provisions of the Rule take effect a year from the publication date. READ MORE

Computer-security incident notification requirement takes effect April 1, 2022

Illustration of files and a locked file folder

Banks and other companies that provide services to banks have just a few short months to prepare for a major new federal notification requirement should an institution experience a “computer-security incident.” What are the parameters of the upcoming requirement and what qualifies as a notification incident? READ MORE

Second Circuit rules that risk of future identity theft not enough to support standing in data breach class action


The Second Circuit recently joined a growing number of federal courts to decide when a data breach of personally identifiable information (“PII”) is actionable. According to the Second Circuit, plaintiffs do not have standing to bring a lawsuit when there is no allegation their PII was targeted or misused. READ MORE

CPPA invites comments on various privacy topics


The California Privacy Rights and Enforcement Act (“CPRA”), formerly known as Proposition 24, passed on November 3, 2020. The CPRA is intended to supplement privacy protections for Californians that were first established by the California Consumer Privacy Act (“CCPA”). READ MORE

The evolving standing doctrine in privacy litigation - Ramirez and beyond


The U.S. Supreme Court’s 5-4 decision in TransUnion LLC v. Ramirez may make the road to privacy class actions harder. But recent decisions in the wake of Ramirez suggest the full impact of the decision remains to be seen. READ MORE

Adrienne Harris nominated as Superintendent of the New York State Department of Financial Services

Financial figures and stock graphs

On August 31, 2021, New York Governor Kathy Hochul announced that Adrienne Harris has been nominated as the next Superintendent of the New York State Department of Financial Services. Ms. Harris began her career at Sullivan and Cromwell LLP and later worked for the United States Department of the Treasury under President Obama. READ MORE

Claims under CCPA survive motion to dismiss


On August 12, 2021, Judge Childs of the United States District Court for the District of South Carolina declined to dismiss claims against Blackbaud premised on California’s California Consumer Privacy Act (“CCPA”). The claims relate to a well-publicized ransomware attack on the company in early 2020. READ MORE

Connecticut enacts cybersecurity laws aimed at data breaches

Illustration of man using shield to protect computer

Connecticut Governor Ned Lamont approved two privacy and cybersecurity laws which take effect on October 1, 2021. Connecticut now offers protection to businesses that implement cybersecurity safeguards from punitive damages in tort lawsuits, while strengthening the state’s reporting requirements in the event of a data breach. READ MORE

Texas amends data breach notification law, creates public listing of data breaches

Elizabeth Casale August 16, 2021
Cybersecurity locks and data

On June 14, Texas Governor Greg Abbott signed House Bill 3746, which amends Texas’s data breach notification law. In doing so, Texas joins other states in requiring its attorney general to maintain a public listing of data breaches on its website. The amendments take effect September 1, 2021. READ MORE

Colorado enacts consumer privacy law, becoming third state to do so

Elizabeth Casale July 16, 2021
Padlock sitting on a motherboard

Colorado has enacted the nation’s third comprehensive consumer privacy law, after Governor Jared Polis signed Senate Bill 21-190 into law. The Colorado Senate voted 34-1 to send the privacy legislation to the governor’s desk, after the House approved the measure in a 57-7 vote. Colorado is the second state this year to pass a law making it easier for consumers to protect personal data online. READ MORE

New CCPA regulations announced shortly before new Attorney General named

Elizabeth Casale March 31, 2021

Former California Attorney General Xavier Becerra recently announced new regulations under the CCPA to “prohibit companies from burdening consumers with confusing language or unnecessary steps such as forcing them to click through multiple screens or listen to reasons why they shouldn’t opt out.” READ MORE

A wave of new state privacy legislation may be on the horizon

Elizabeth Casale March 12, 2021
A sunrise coming over the horizon above the United States

A number of states have proposed new privacy legislation this year, including Florida, Oklahoma and more. Virginia is now the second state in the U.S. to enact comprehensive privacy legislation. READ MORE

New York Assembly introduces the Biometric Privacy Act

Illustration of a computer with a lock and chain around it

New York’s proposed Biometric Privacy Act would require entities that possess biometric information or identifiers to obtain specific consumer consent for collecting, capturing, purchasing or trading such information, and would be privately-actionable as well. READ MORE

Maintaining privilege over forensic data-breach reports

James Shreve Luke Sosnicki December 18, 2020
Illustration of files and a locked file folder

In the new reality of transparent data collection, use, and security, companies may be forced to strike a careful balance between protecting their confidential and privileged information and complying with various laws requiring them to be transparent and to keep consumers informed. READ MORE

California Attorney General submits fourth set of CCPA modifications for review

James Shreve Luke Sosnicki December 16, 2020
A statue of Justice in front of the California flag

On December 10, the Attorney General of California released a fourth set of proposed modifications to the California Consumer Privacy Act. These new modification follow the Attorney General’s proposed regulations released on October 11, 2019, as well as the California Attorney General’s previous modifications on February 10 and March 11, 2020. READ MORE

California Privacy Rights Act passes

Elizabeth Casale November 6, 2020
California state capital building and California flag

California Proposition 24, the California Privacy Rights and Enforcement Act, passed on November 3, 2020. The CPRA amends and supplements some of the key provisions in California’s existing consumer privacy law, the California Consumer Privacy Act. READ MORE

Office of Administrative Law approves final CCPA regulations


On August 14, California Attorney General Xavier Becerra announced that the Office of Administrative Law had approved the regulations for the CCPA and filed the regulations with the California Secretary of State. The regulations take effect immediately. READ MORE

CJEU invalidates EU-US Privacy Shield

Illustration of cybersecurity for the EU

The Court of Justice of the European Union has invalidated Decision 2016/1250, which found that the EU-US Privacy Shield – a primary mechanism used by US companies to transfer personal data from the EU to the US – provided adequate protections for personal data. READ MORE

California Privacy Rights Act qualifies for November 2020 ballot

Illustration of voters submitting ballots

The California Privacy Rights Act of 2020 has officially qualified for this November’s ballot. If passed, some provisions of the law would take effect five days after the California Secretary of State files the statement of vote, but the CPRA would be effective January 1, 2023 with a July 1, 2023 enforcement date. READ MORE

California Attorney General submits final CCPA regulations for review

California state capital building and California flag

On June 1, California Attorney General Xavier Becerra submitted final CCPA regulations for review by the Office of Administrative Law. The final regulations are substantively the same as the second modified regulations that the AG released back in March, but the timing of the release creates new questions. READ MORE

Seventh Circuit rules that federal court has jurisdiction over claims brought under BIPA

An eye undergoing a biometric eye screening

On May 5, 2020, the Seventh Circuit held that a plaintiff who brought claims under the Illinois Biometric Information Privacy Act had suffered an injury-in-fact sufficient to confer Article III standing, and therefore her case could be heard in federal court. In doing so, the Seventh Circuit reversed the District Court’s prior order remanding the case back to state court. READ MORE

6 data security tips for working from home

A laptop sitting open on a desk in a home

In response to COVID-19, many companies have shifted their workforce to working remotely. This creates some entirely new security challenges. In the new remote work reality, company personnel may need to assume a more active role in securing data and information systems. READ MORE

In wake of COVID-19, California AG asked to delay enforcement of CCPA

Cybersecurity_default blog

On March 17, 2020, more than 30 trade groups and companies co-signed a letter to California Attorney General Xavier Becerra asking him to postpone the enforcement date for the California Consumer Privacy Act from July 1, 2020, to January 2, 2021. The letter cites the COVID-19 crisis and the CCPA’s implementing regulations still being developed as justification for the delay. READ MORE

California Attorney General releases second set of modifications to CCPA

A statue of Justice in front of the California flag

The California Attorney General released a new set of proposed modifications to the California Consumer Privacy Act, following the Attorney General’s proposed regulations released on October 10, 2019. The new modifications include some welcome changes for businesses and clarifying language for a number of the law’s sections. READ MORE

Clearview AI class-action may further test CCPA’s private right of action

A security camera outside on a pole

A class-action lawsuit against facial-recognition company Clearview AI alleges they unlawfully scraped biometric data from other websites and sold the resulting data to other entities. The case tests yet another provision of the CCPA relating to the law’s private right to action. READ MORE

Class-action case against Ring may test CCPA’s private right of action

A finger about to push the button on a doorbell video camera

A class-action lawsuit against Ring LLC alleging the plaintiffs’ rights to privacy were violated includes a cause of action under the CCPA, alleging plaintiffs were entitled to a CCPA notice informing them what information Ring was collecting and how it would be used. The case may lead to what could be the first judicial interpretation of the CCPA’s private right of action. READ MORE

California Attorney General releases modifications to proposed CCPA regulations

Luke Sosnicki James Shreve February 12, 2020

On February 7, California’s Attorney General released modified proposed regulations implementing the California Consumer Privacy Act. Many of the revisions can be reasonably interpreted to lessen the burden on businesses attempting to comply with the CCPA. READ MORE

Supreme Court denies cert for BIPA standing case, facilitating $550M settlement

Cybersecurity_default blog

The Supreme Court’s denial of Facebook’s petition for certiorari regarding standing and class certification issues in a suit under Illinois’ BIPA portends some similarly large privacy settlements in the coming years. Given BIPA’s broad scope, companies should familiarize themselves with the statute and consider their risks. READ MORE

Proposed federal privacy bills exceed even California’s CCPA requirements in some respects

Luke Sosnicki James Shreve December 23, 2019
U.S. capitol dome

Two recent online privacy bills introduced in the U.S. Senate highlight some of the key privacy and data security issues that Congress may tackle next year. While they share much in common, key differences between the two include whether a federal bill would be privately-actionable and if it preempts state laws. READ MORE

Blog Browse: Higher education should pay attention to the CCPA

College campus at night

The CCPA takes effect in less than a month. It will be the strictest privacy law in the country, and may be a model for other states as well. If they haven’t already, educational institutions—including both for-profit and non-profit schools—should take immediate steps to familiarize themselves with the statute and develop a plan to comply. READ MORE

CCPA: The next horizon for M&A deals in California and beyond

Jennifer Post Luke Sosnicki December 10, 2019
Padlock sitting on a motherboard

Recent polls suggest that many companies covered by the CCPA are not yet compliant, creating interesting issues and pitfalls for merger & acquisition deals beginning in 2020. With the CCPA taking effect on January 1, the implications for covered business and those acquiring or merging with them deserve careful consideration. READ MORE

What businesses need to know about the Attorney General’s proposed CCPA regulations

Luke Sosnicki James Shreve October 14, 2019
Illustration of man using shield to protect computer

On October 10, 2019, California’s Attorney General released its long-awaited draft regulations explaining how the state intends to enforce the requirements of the California Consumer Privacy Act. The regulations leave much to the best judgment of businesses that will be doing their best to comply and are in response to questions raised during the comment-gathering process. READ MORE

California ballot initiative would further strengthen the state’s consumer privacy laws

Illustration of a computer with a lock and chain around it

Before the CCPA has even gone into effect, privacy advocates have already introduced new legislation further tightening California’s consumer laws. The vast majority of the new initiative would impose additional requirements on companies that want to do business with California consumers. READ MORE

Examining the six amendments to the CCPA awaiting Governor Newsom’s signature

California state capital and state flag

Although the California Consumer Privacy Act will be effective in only a few short months, key amendments are still awaiting the Governor’s signature. Some of the amendments make exemptions from the CCPA, while others provide clarification of the Act’s terms. READ MORE

BIPA litigation offers no legislative reprieve to employers – yet

finger typing on keyboard

With no imminent legislative action curtailing the rush of BIPA litigation since Rosenbach v. Six Flags, it is critical that employers have the appropriate policies and procedures in place to comply with BIPA. This includes compliance requirements and best practices to avoid statutory penalties. READ MORE

Supreme Court challenges privacy litigants to demonstrate Article III standing

Matt Hafter March 29, 2019
U.S. Supreme Court

The United States Supreme Court has remanded Frank v. Gaos back to the District Court after wrestling with the continuing challenges of “standing” in internet privacy litigation. The decision may have lasting implications for cybersecurity litigation brought under Article III. READ MORE

‘Aggrieved Persons’ can bring suit under Biometric Information Privacy Act


The Illinois Supreme Court has decided individuals need not allege injury other than a violation of their rights to bring suit under the Illinois Biometric Information Privacy Act, leaving the door open for future individual suits and class actions. READ MORE

Pennsylvania Supreme Court provides new route for data security breach plaintiffs

Cybersecurity locks and data

A recent decision from the Supreme Court of Pennsylvania in Dittman v. UPMC may signal a significant change in fortunes for plaintiffs in data breach cases. Anyone storing or collecting data should be aware of the potential increase in security breach litigation in an employer/employee context. READ MORE

The potential cybersecurity crisis hiding in plain sight — at home

James Shreve December 19, 2018
Worker using computer at home

As more employees work remotely from home, the risk of a cyber breach stemming from a home network is increasing. With the immense repercussions of a breach at risk, companies should augment their cyber protection and breach response plans to include protections for home networks. READ MORE

NIST announces collaborative privacy framework initiative

James Shreve September 11, 2018
Cybersecurity_default blog

The framework is significant for several reasons and is intended to help organizations manage the data privacy risks they are now exposed to more than ever thanks to new technologies. READ MORE

CFPB final rule cuts costs and headaches from annual privacy notices

James Shreve August 21, 2018
Cybersecurity_default blog

The CFPB’s long-awaited final rule affecting when financial institutions need to send out annual privacy notices is here. Our Cybersecurity Bits & Bytes blog has a great summary of the new rule and how it could save significant time and money for regulated institutions. READ MORE

Seventh Circuit lets data breach suit proceed for credit monitoring and lost use of credit card damages

David Duffy April 19, 2018

In a blow to retailers and other businesses subjected to data breaches, the Seventh Circuit has reinstated a class action brought by consumers against Barnes & Noble arising from a 2012 breach. READ MORE

That’s all, folks! Alabama becomes 50th state with breach notification law

April 11, 2018

On March 28, 2018, Alabama Gov. Kay Ivey signed a bill that made Alabama the 50th and final state to enact a consumer data breach notification law. Prior to the signing, Alabama had been the last remaining state without such a law after South Dakota passed its data breach law last month. What do you need to know? READ MORE

South Dakota enacts its first data breach notification law, leaving Alabama the last holdout

April 2, 2018

On March 21, 2018, South Dakota’s Senate Bill 62 was signed into law, adding a 49th square to the nation’s patchwork of state data breach notification laws. South Dakota requires notification to an impacted individual – anyone whose personal information or “protected information” was accessed without authorization – within 60 days of discovery of a breach. READ MORE

SEC announces new interpretive guidance in cybersecurity

Jennifer Post March 8, 2018

In a February 21 Release, the U.S. Securities and Exchange Commission (SEC) announced new interpretive guidance for public companies regarding cybersecurity risk and incident disclosures. The new guidance (which expands on the 2011 statement from the SEC’s Division of Corporate Finance, which identified the cybersecurity risk—and consequence—disclosure obligations for public companies) introduces two new areas of focus which had not previously been addressed by the SEC. READ MORE

Beware this years’ taxpayer refund scams and data breaches: 8 steps recommended by the IRS

March 2, 2018
auditor reviewing financial documents with magnifying glass

The IRS is warning the public about the emerging scams this tax season, which includes cyber-attacks targeting tax preparers and businesses. The statement includes the steps to take if you or your clients' tax data or financial information has been compromised. READ MORE

4 ways to manage cybersecurity risks in business and transactions

Jennifer Post November 14, 2017
Cybersecurity_default blog

Addressing and managing operational cybersecurity risks is important not only to lessen the risks and fallout of a cyber-attack but also to demonstrate that your company has taken appropriate steps and implemented necessary procedures to protect itself and its financial or strategic partners. READ MORE

Bipartisan bills bolster cybersecurity protections for small business

October 20, 2017
Main street in small-town America

The increase in cybersecurity attacks on small businesses has gotten the attention of Congress. We take a look at the bipartisan bills aimed at bolstering cybersecurity protections for small business. READ MORE

7 things you might not know about cybersecurity insurance

October 18, 2017

If it isn’t already, cyber insurance should be top of mind for all industries and companies, regardless of size, as they find that they are increasingly vulnerable to a cyber attack and data breach. READ MORE

Illinois takes the lead on employee privacy: What employers need to know

September 22, 2017
finger typing on keyboard

Illinois is one of the states that has enacted a number of laws designed to protect the privacy of employee information. Businesses that wish to avoid fines and other sanctions should be aware of the protections afforded to employees under these laws. READ MORE

3 things your school should know about Missouri State Auditor’s emphasis of cybersecurity

June 23, 2017

Schools should take notice of the Missouri Auditors’ recommendations and carefully consider those recommendations when looking at their own cybersecurity programs. READ MORE

Yet another Target settlement highlights data breach costs

gavel with money

In what appears to be the closing act of the saga that is the Target data breach, on May 23 the retailer announced it had reached a historic $18.5 million settlement agreement with a coalition of 47 states’ attorneys general. It is almost certainly only a matter of time before the settlement is eclipsed by another major data breach. READ MORE

Executive order presents three-pronged approach to improving U.S. cybersecurity

May 26, 2017

The May 11 Executive Order is a strong effort toward upgrading and addressing the United States’ cybersecurity capabilities. But it remains to be seen what sort of commitment the efforts identified will receive from Congress, private enterprises, and the rest of the government. READ MORE

New York stiffens data protection regs

May 3, 2017
New York

The New York Department of Financial Services has created a new set of regulations designed to force certain regulated businesses to protect consumer and corporate financial information. READ MORE

Will September assessment scuttle EU-US Privacy Shield?

April 7, 2017

Many more eyes than normal will be on what would ordinarily be a nondescript policy review of a data transfer agreement in September as the EU and US meet to assess the EU-US Privacy Shield. READ MORE

Recent settlements highlight plaintiff pitfalls in data breach cases

gavel with money

This settlement is a potent reminder that a data breach’s greatest financial impact on the victim entity may arise from liabilities to financial institutions — although this comes with the considerable caveat that lost sales and consumer goodwill resulting from a data breach can be more difficult to measure. READ MORE

2nd Circuit hears data breach argument: Is fear of harm sufficient for Article III standing?

Ladder-iStock-495666802 Converted

Whether or not the 2nd Circuit follows the 7th Circuit’s lead will likely have far reaching consequences for the development of Article III standing jurisprudence in data breach cases. READ MORE

New Mexico comes late to data breach party, requires promptness

March 23, 2017
data protection

One of only a few states without its own data breach notification law, New Mexico is about to join the ranks of 47 states with such laws. HB15, awaiting the governor's signature, requires an expedient 45-calendar-day notification window. READ MORE

Did U.S. executive order signal trouble for EU citizen privacy rights?

February 13, 2017
Illustration of cybersecurity for the EU

President Trump’s efforts to withdraw privacy protections for non-U.S. citizens are coming in direct conflict with recent efforts by the European Union to strengthen privacy protections for its citizens, no matter where in the world they travel. READ MORE

Is breach mitigation the next wave of cybersecurity regulation?

February 9, 2017
data privacy

More and more, regulators are focusing their rulemaking power not just on how a company responds (or doesn’t respond) to a data breach, but the steps it took far in advance to prevent or mitigate such a breach. READ MORE

Swiss join the EU in reaching data transfer accord with the U.S.

January 19, 2017
Swiss flag with mountains

Like the EU-U.S. Privacy Shield, the U.S.-Swiss Privacy Shield provides U.S. companies with a single mechanism for complying with Swiss data protection and privacy laws when transferring data from Switzerland to the U.S. READ MORE

FINRA fines again target financial firms for failure to follow regs

January 4, 2017
Cybersecurity_default blog

FINRA has sent a clear message to member firms that it is very serious about enforcing its cybersecurity regulations. Requirements to protect personal information as well as to preserve necessary evidence are not being taken lightly by FINRA. READ MORE

Home Depot directors prevail in cybersecurity liability claim

Matt Hafter December 6, 2016
Exterior photo of a Home Depot

Just two weeks after we discussed an influential case that outlined the duty of oversight that directors of public and private Delaware corporations owe with regard to legal compliance risks like cybersecurity, a federal court issued an order that made the connection crystal clear. READ MORE

11th Circuit better defines FTC’s ‘Unfair’ standard – The details are in the damage

November 29, 2016
Cybersecurity_default blog

This holding limits the ability for the FTC enforce actions against entities who are involved in activities that only have distant chances of causing harm to consumers. READ MORE

FINRA forces firms into the weeds on security policies

November 21, 2016
illustration of person drowning in paperwork

A recent Letter of Consent issued by the SEC's Financial Industry Regulatory Authority (FINRA) contained some startling new requirements that, if enforced by FINRA, could place a significant burden on financial firms in regard to their privacy and cybersecurity policies. READ MORE

Cybersecurity liability: Delaware has good news for directors

Matt Hafter November 15, 2016
illustration of a businessman in front of a maze

In a new opinion, the Delaware Chancery Court has stated that the standards of “bad faith” that must exist in order for directors to be held liable for failing to exercise oversight with regard to the corporation’s compliance with law in a risky area. READ MORE

D.C. Court of Appeals checks, then balances CFPB’s power

November 7, 2016
business people on a balanced scale

A recent decision seriously challenges the CFPB’s executive power under Dodd-Frank. That challenge, in turn, raises questions about the ability of the CFPB to act as charged under Dodd-Frank. READ MORE

How to combat the risks of impersonation emails, imitative domains

Mark Sableman October 13, 2016

Companies are incurring significant damages from email spoofing, executive impersonation, and misuse of company trademarks and website content. Here are some steps to take before and after an attack. READ MORE

When smart goes bad: Why internet security does not just refer to computers

October 3, 2016
Cybersecurity_default blog

From smart thermostats that can be adjusted and set remotely to toasters and coffee makers that can be programmed to operate at specific times on specific days, smart devices are fast becoming a part of all of our lives. But are these smart devices and their connectivity secure? READ MORE

The serious security vulnerabilities of mobile devices

Mark Sableman September 28, 2016
illustration of a mobile device with a key "locked" into it

A new report from NIST highlights the many security threats associated with mobile devices. These threats are even more concerning for businesses whose employees use unsecured mobile devices to conduct business or send communications about proprietary or financial information. READ MORE

Don’t doubt the data breach: Massive Yahoo hack reminds us it’s not if, but when

September 22, 2016
cyber hacker with computer

Yahoo’s announcement that a hacker exposed the information of over 500 million of its users is a strong reminder to all companies the importance of a breach response plan. Here we outline some tips for key elements of such a plan. READ MORE

NIST and FAIR develop tool to merge cybersecurity risk standards

August 12, 2016

A set of joint resources from NIST and FAIR can help cybersecurity professionals to both prioritize risks in their organization and allocate security resources to the most critical areas of exposure. READ MORE

Is encryption the key to your data security?

August 9, 2016

Businesses must plan for the failure of technologies like firewalls, strong passwords, anti-malware, two-factor authentication and data sandboxing. In the event that unauthorized individuals gain access to sensitive data, businesses are increasingly turning to data encryption to safeguard the data itself. READ MORE

Can 3D printing technology be stolen by sound recorders?

August 2, 2016
3D Printer - Hand

There is little question that 3D printing is an important part of technology and manufacturing development. But a recent study may raise some concern over the security of that technology in an unexpected way. READ MORE

What you need to know about the new EU-U.S. data transfer pact

July 14, 2016
US EU flags

The U.S. and EU have negotiated a new pact that would allow for U.S. companies to collect and store personally identifying information about EU citizens and to protect those citizens’ privacy pursuant to EU standards. So what are the requirements of this new Privacy Shield and what do they mean for U.S. companies doing business with European customers? READ MORE

Illinois strengthens, expands scope of personal information protections

June 1, 2016
data privacy

With the passage of the Illinois Personal Information Protection Act (HB1260) last month, Illinois substantially broadened the definition of personally identifiable information, and imposed requirements on data collectors for the protection of Illinois residents’ information. READ MORE