SEC Joins Chorus of Regulators Requiring Data Breach Notifications
Last week, the U.S. Securities and Exchange Commission (“SEC”) became the latest federal regulator to implement a data breach notification rule. The commissioners unanimously voted to approve amendments to Regulation S-P (the “Final Rule”)—the regulation governing the use of consumers’ personal information and records—to require certain financial institutions to adopt and maintain data incident response procedures and to notify consumers of the potential compromise of their data within 30 days of discovery.
Breach Response: Is 72 hours the new 30 days?
For years, we were able to tell most clients experiencing a potential data security incident that they likely had at least 30 days to notify any third parties about the incident – if they concluded it was a breach. There were, of course, exceptions in certain regulated industries, but most companies fell within the scope of the general state data breach notification statutes, none of which required a response sooner than 30 days. And for many years, we didn’t have to worry about more urgent deadlines created by federal authorities.
Sweeping Data Breaches Under the Bug Bounty Rug: Verdict against former Uber chief security officer highlights the risk of personal criminal liability for executives
A recent criminal verdict against a former Uber executive highlights the serious potential risks associated with concealing data breaches and using “bug bounty” programs as a means to hide hacking by threat actors. In early October, former Uber chief security officer Joe Sullivan was convicted of federal charges by unanimous verdict after four days of deliberation. The charges stemmed from payments Sullivan authorized to two hackers who breached the company’s data in 2016. This conviction came as a surprise to many security professionals. Many anticipated his acquittal because Sullivan had kept Uber’s CEO and others who were not charged informed of his actions. However, highlighting the insufficiency of this approach, Sullivan was found guilty of obstructing justice for failing to inform the Federal Trade Commission of the breach and of actively hiding a felony.
UK-US Data Transfers Post Brexit
The UK government’s reform of data protection laws and the mechanics of cross-border data transfers has accelerated in the first half of 2022.
Various European regulators, including the UK’s Information Commissioner’s Office (ICO), have expressed an intent to more closely monitor compliance with the data transfer rules and to impose potentially significant fines where breaches are uncovered – capped in the UK at the higher of £17.5m or 4% of group worldwide turnover. US recipients of personal data gathered in the UK (whether from a group subsidiary or otherwise) should act now to assess their current compliance and plug any gaps.
In order for personal data gathered in the UK to be transferred to the US in a compliant manner, a number of steps must be taken.
BIPA Bellwether: New U.S. Southern District of Illinois Decision Holds Labor Management Relations Act Preempts Employee BIPA Claims
Welcome back to Vedder Price’s BIPA Bellwether series. As with our TCPA Turnstile, we intend for the BIPA Bellwether to serve as a periodic report on latest developments.
Last week, the Southern District of Illinois dismissed the lawsuit in Barton v. Swan Surfaces LLC, No. 20-CV-499-SPM, 2021 WL 793983 (S.D. Ill. Mar. 2, 2021). In doing so, the Southern District joined the U.S. Northern District’s trend of finding claims brought under the Illinois Biometric Information Privacy Act (“BIPA”), 740 ILCS 14 et seq., to be preempted by the federal Labor Management Relations Act (“LMRA”), 29 U.S.C. § 185, when interpretation of a collective bargaining agreement is required. This growing trend suggests that Illinois federal courts are beginning to rein in the cottage industry among class action attorneys that BIPA has sparked.
Parking Tickets, Jaywalking, and Cybersecurity Breaches at Multinational Companies: City ordinances are coming off the streets and into the server room
Smart companies have been worried about data security for years—no one wants to be in the headlines as the next big company to have a breach, the next corporation to face a class action lawsuit or the next business facing federal or state regulatory scrutiny. It’s only heightened in recent years as companies faced new regulations imposed by the GDPR and the CCPA. Well, things are not getting any better in 2020—now an increasing number of municipalities are getting in on the act.
San Francisco was the first city to have this awakening in 2017. In response to the Equifax data breach announced on September 7, 2017, San Francisco filed claims against Equifax under California’s Unfair Competition Law (UCL). A few months later, Los Angeles brought a similar lawsuit against Uber, claiming that the company paid hackers to delete stolen data and failed to notify consumers of the breach in violation of the UCL. But most state statutes do not give cities standing to bring such lawsuits.
SCOTUS Catapults Class Arbitration Onto the Endangered Species List
On April 24, 2019, the U.S. Supreme Court issued an important decision touching a number of hot button issues and litigation threats facing American businesses — including class actions, arbitration agreements and data privacy.
The case, Lamps Plus, Inc. v. Varela, 17-988, 2019 WL 1780275 (U.S. Apr. 24, 2019), stemmed from a data breach in which a hacker posing as a company official “tricked” a Lamps Plus employee into disclosing the tax information of approximately 1,300 workers. Among those 1,300 workers was Frank Varela, the named plaintiff. Id. at *2. Following the data breach, Mr. Varela became the victim of identity theft when a fraudulent federal income tax return was filed in his name.
A Holiday Wish List for Privacy Litigators
As we speed past Thanksgiving and enter the holiday season, kids shouldn’t be the only ones putting together their wish lists. Here are some things that might not fit under a tree, but would certainly fill us with the joy of the season.
California and GDPR “light”: A Match Made in Plaintiffs’ Lawyers’ Heaven?
Just when you thought it was safe to open your e-mail again without being inundated with updated privacy policies, here comes the California Consumer Privacy Act of 2018 (“CCPA”). The new law, which goes into effect on January 1, 2020, will expand the privacy rights of California residents and bring some of the EU’s widely discussed General Data Protection Regulation (“GDPR”) to the United States. There will be lots to talk about over the next year and a half as companies gear up for compliance, but here are some key features to be aware of:
100 Days Until GDPR … Are You Ready?
What Is GDPR?
The EU General Data Protection Regulation (GDPR)—described as “the most important change in data privacy regulation in 20 years”—becomes enforceable on May 25, 2018. After four years of preparation and debate, GDPR was approved by the EU Parliament in April 2016 to replace the Data Protection Directive 95/46/EC. According to EUGDPR.org, the overarching purpose of GDPR is to “harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.” Organizations expected to comply include those located within the EU; those that offer goods or services to, or monitor the behavior of, EU data subjects; and all companies processing and holding the personal data of data subjects residing in the EU.