Photo of Nusra Ismail

Nusra Ismail

Subscribe to Nusra Ismail's Posts
Contact:Read more about Nusra Ismail

Faced with waves of consumer lawsuits targeting common website tools like browser cookies, tracking pixels, and live chat features, businesses are often frustrated by the outsized exposure posed by seemingly “no-injury” claims. (See, for example, last week’s post about CIPA claims.) The Ninth Circuit Court of Appeals recently provided some comfort by clarifying what a plaintiff must allege to show “concrete injury” as required for Article III standing. The court’s decision in Popa v. Microsoft Corp., No. 24-14, 2025 WL 2448824 (9th Cir. Aug. 26, 2025), strengthens defenses to online privacy claims—with broad application to other types of consumer claims as well—holding that standing requires more than just an alleged statutory violation.Continue Reading Popa v. Microsoft Corporation, et al.: Ninth Circuit Clarifies Article III Standing Requirements and Strengthens Defenses to Internet Privacy and Other Consumer Claims

Protection network security computer and safe your data concept. Laptop working develop coding program with key on keyboard
Protection network security computer and safe your data concept. Laptop working develop coding program with key on keyboard

Last week, the U.S. Securities and Exchange Commission (“SEC”) became the latest federal regulator to implement a data breach notification law. The commissioners unanimously voted to approve amendments to Regulation S-P (the “Final Rule”)—the regulation governing the use of consumers’ personal information and records—to require certain financial institutions to adopt and maintain data incident response procedures and to require notification to consumers of the potential compromise of their data within 30 days of discovery.Continue Reading SEC Joins Chorus of Regulators Requiring Data Breach Notifications

Last week, a sharply divided U.S. Securities and Exchange Commission (“SEC”) significantly increased reporting requirements on public companies by adopting a Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rule (the “Rule”)[1] that requires, among many other things, reporting of “cybersecurity incidents” within only four business days of a “materiality” determination (subject to limited exceptions involving national security or public safety, as determined by the U.S. Attorney General).  As justification for this extremely short reporting period, the SEC cited the 72-hour “discovery” and 24-hour ransom payment reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”).  But there is a critical distinction: The CIRCIA reporting requirements are confidential, whereas the reporting requirements under the Rule are public.  Why does that matter?  Among other reasons, a requirement for rapid public reporting may well lead to more cybersecurity incident class actions (whether meritorious or not).Continue Reading Cybersecurity Sheriffs Continue to Multiply and Crack Down – New SEC Rule Amps Up Public Company Pressure

Lock on Computer

Public companies may soon have another regulation to worry about when it comes to their cybersecurity regime.  Last week, citing the increase in cybersecurity incidents and the need for investors to be informed about cybersecurity risks in a timely matter, the Securities and Exchange Commission (SEC) proposed amendments to its rules that demand more of registrants when it comes to cybersecurity disclosures.Continue Reading SEC Proposes Mandatory Cybersecurity Disclosures