Blaine C. Kimrey

For years, we were able to tell most clients experiencing a potential data security incident that they likely had at least 30 days to notify any third parties about the incident – if they concluded it was a breach.  There were, of course, exceptions in certain regulated industries, but most companies fell within the scope of the general state data breach notification statutes, none of which required a response sooner than 30 days. And for many years, we didn’t have to worry about more urgent deadlines created by federal authorities.
Continue Reading Breach Response: Is 72 hours the new 30 days?

Last week, a sharply divided U.S. Securities and Exchange Commission (“SEC”) significantly increased reporting requirements on public companies by adopting a Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rule (the “Rule”)[1] that requires, among many other things, reporting of “cybersecurity incidents” within only four business days of a “materiality” determination (subject to limited exceptions involving national security or public safety, as determined by the U.S. Attorney General).  As justification for this extremely short reporting period, the SEC cited the 72-hour “discovery” and 24-hour ransom payment reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”).  But there is a critical distinction: The CIRCIA reporting requirements are confidential, whereas the reporting requirements under the Rule are public.  Why does that matter?  Among other reasons, a requirement for rapid public reporting may well lead to more cybersecurity incident class actions (whether meritorious or not).
Continue Reading Cybersecurity Sheriffs Continue to Multiply and Crack Down – New SEC Rule Amps Up Public Company Pressure

The first half of 2021 saw one of the most significant TCPA rulings in many years as Facebook v. Duguid, 141 S. Ct. 1163 (2021), appeared to settle the long-debated question of what constitutes an automatic telephone dialing system (“ATDS”).  But while the Supreme Court’s April ruling was extremely positive for the TCPA defense bar, it by no means brought an end to TCPA claims.  Significant cases have continued to yield decisions, including cases that have sought to interpret Facebook.  And the state of Florida stepped into the abyss in passing a “mini-TCPA” statute that went into effect earlier this month that regulates telemarketing at the state level, with a much broader definition of the relevant technology.  Thus, the TCPA (and related statute) litigation landscape, while upended to some degree, remains unsettled, and we’ll continue to provide our insights.  We summarize here developments since our last update, listed by issue category in alphabetical order.
Continue Reading TCPA Turnstile: TCPA cases in a post-Facebook world (TCPA Case Update Vol. 15)

The European Union’s General Data Protection Regulation (“GDPR”) is well known as the toughest privacy and security law in the world, as it has a wide reach and imposes heavy fines against those who violate its privacy and security standards (which are quite broad). The impact of the GDPR has already been felt in the United States since it went into effect in 2018, and now U.S. lawmakers in numerous states are moving to enact similar legislation. The California Consumer Protection Act (“CCPA”) was the first instance of the GDPR’s impact in the United States, as California put in place a statute and regulations that mirrored the GDPR in several respects. Now Virginia has set in motion what could be a year-long string of states enacting similar legislation. In particular, Washington and New York have proposed legislation following the framework of the CCPA. This article will compare the CCPA to the newly enacted and proposed privacy laws in the United States.
Continue Reading GDPR in the USA? New State Legislation Is Making This Closer to Reality

One of the few things that hasn’t changed significantly since our last TCPA update is, well, the TCPA. We have a new year, a new President and multiple new COVID vaccines.  And after the December oral argument in Facebook v. Duguid before the Supreme Court, 2021 could be the year when we receive clarity on the critical TCPA question of what constitutes an automatic telephone dialing system (“ATDS”).  Indeed, the argument seemed positive for the TCPA defense bar, with Justices Alito and Thomas chafing at the anachronistic nature of the statute and Justices Sotomayor and Gorsuch expressing concerns about the idea that every cellphone user could be subject to civil liability.  But for now, the TCPA litigation landscape remains the same bizarre, often inconsistent quagmire that it always has been.  We’ll continue to be your guide through the morass, and we summarize here developments since our last update, listed by issue category in alphabetical order.
Continue Reading TCPA Turnstile: New Year, Same TCPA – For Now (TCPA Case Update Vol. 14)

Many had hoped that the summer of 2020 might bring the end of the TCPA as we know it, by way of the Supreme Court’s decision in Barr v. American Association of Political Consultants.  Of course, that’s not how things played out. The government-backed debt exception is dead, but the rest of the TCPA is still very much alive.  And while the pace of litigation has slowed because of the ongoing COVID-19 pandemic, TCPA decisions continue to roll in and there have been new developments before the FCC.  We reviewed the TCPA cases published and other developments since our last update and compiled the most noteworthy items, listed below by issue category in alphabetical order.
Continue Reading TCPA Turnstile: No summer vacation for the TCPA defense bar (TCPA Case Update Vol. 13)

Undoubtedly, the biggest TCPA development in the last month was the recent Supreme Court oral argument in Barr v. American Association of Political Consultants Inc., Case No. 19-631, which has the potential to upend TCPA jurisprudence as we know it.  While we wait for a Supreme Court decision, the oral argument made a few things clear:
Continue Reading TCPA Turnstile: As we wait for a ruling in Barr, new case law abounds (TCPA Case Update Vol. 12)

“Should we do a Zoom?” It has taken little more than a month for the Zoom video conference platform to take its place among the likes of Google, Kleenex and Xerox as brand names synonymous with the product or service being offered. But with that name recognition comes scrutiny, and Zoom is getting plenty. The privacy and security issues associated with Zoom have been well-documented. As a result, Zoom is now facing class action lawsuits from both shareholders and users. And the use of Zoom (and other platforms) can raise ethics issues for lawyers.
Continue Reading Zooming into New Privacy Issues

We’re a quarter of the way through 2020 — even if March may have seemed like several years unto itself — and it is shaping up to be another big year for TCPA litigation.  We’ve gone through the dozens of TCPA decisions published this year and identified the five most notable cases and storylines that we will be following closely for the rest of 2020.
Continue Reading Five Key TCPA cases to Know as We Enter the Second Quarter of 2020 (TCPA Case Update Vol. 11)

Smart companies have been worried about data security for years—no one wants to be in the headlines as the next big company to have a breach, the next corporation to face a class action lawsuit or the next business facing federal or state regulatory scrutiny.  It’s only heightened in recent years as companies faced new regulations imposed by the GDPR and the CCPA.  Well, things are not getting any better in 2020—now an increasing number of municipalities are getting in on the act.

San Francisco was the first city to have this awakening in 2017. In response to the Equifax data breach on September 7, 2017, San Francisco filed claims against Equifax under California’s Unfair Competition Law (UCL).  A few months later, Los Angeles brought a similar lawsuit against Uber claiming that the company paid hackers to delete stolen data and failed to notify consumers of the breach in violation of the UCL.  But most state statutes do not give cities standing to bring lawsuits.
Continue Reading Parking Tickets, Jaywalking, and Cybersecurity Breaches at Multinational Companies: City ordinances are coming off the streets and into the server room