Data Breach

Subscribe to Data Breach

A recent criminal verdict against a former Uber executive highlights the serious potential risks associated with concealing data breaches and using “bug bounty” programs as a means to hide hacking by threat actors. In early October, former Uber chief security officer Joe Sullivan was convicted of federal charges by unanimous verdict after four days of deliberation. The charges stemmed from payments Sullivan authorized to two hackers who breached the company’s data in 2016. This conviction came as a surprise to many security professionals. Many anticipated his acquittal because Sullivan had kept Uber’s CEO and others who were not charged informed of his actions. However, highlighting the insufficiency of this approach, Sullivan was found guilty of obstructing justice for failing to inform the Federal Trade Commission of the breach and of actively hiding a felony.

Continue Reading Sweeping Data Breaches Under the Bug Bounty Rug: Verdict against former Uber chief security officer highlights the risk of personal criminal liability for executives

The UK government’s reform of data protection laws and the mechanics of cross-border data transfers has accelerated in the first half of 2022.

Various European regulators, including the UK’s Information Commissioner’s Office (ICO) have expressed an intent to more closely monitor compliance with the data transfer rules and impose potentially significant fines where breaches are uncovered – capped in the UK at the higher of £17m or 4% of group worldwide turnover.  US recipients of personal data gathered in the UK (whether from a group subsidiary or otherwise) should act now to assess their current compliance and plug any gaps.

In order for personal data gathered in the UK to be transferred, in a compliant manner, to the US a number of steps must be taken:

Continue Reading UK-US Data Transfers Post Brexit

Welcome back to Vedder Price’s BIPA Bellwether series. As with our TCPA Turnstile, we intend for the BIPA Bellwether to serve as a periodic report on latest developments.

Last week, the Southern District of Illinois decided to dismiss the lawsuit in Barton v. Swan Surfaces LLC, No. 20-CV-499-SPM, 2021 WL 793983 (S.D. Ill. Mar. 2, 2021). In doing so, the Southern District joined the U.S. Northern District’s trend of finding claims brought under the Illinois Biometric Information Privacy Act (“BIPA”), 740 ILCS 14 et seq., to be preempted by the federal Labor Management Relations Act (“LMRA”), 29 U.S.C. § 185, when interpretation of a collective bargaining agreement is required. This growing trend suggests that Illinois federal courts are beginning to rein in the cottage industry among class action attorneys that BIPA has sparked.

Continue Reading BIPA Bellwether: New U.S. Southern District of Illinois Decision Holds Labor Management Relations Act Preempts Employee BIPA Claims

Smart companies have been worried about data security for years—no one wants to be in the headlines as the next big company to have a breach, the next corporation to face a class action lawsuit or the next business facing federal or state regulatory scrutiny.  It’s only heightened in recent years as companies faced new regulations imposed by the GDPR and the CCPA.  Well, things are not getting any better in 2020—now an increasing number of municipalities are getting in on the act.

San Francisco was the first city to have this awakening in 2017. In response to the Equifax data breach on September 7, 2017, San Francisco filed claims against Equifax under California’s Unfair Competition Law (UCL).  A few months later, Los Angeles brought a similar lawsuit against Uber claiming that the company paid hackers to delete stolen data and failed to notify consumers of the breach in violation of the UCL.  But most state statutes do not give cities standing to bring lawsuits.

Continue Reading Parking Tickets, Jaywalking, and Cybersecurity Breaches at Multinational Companies: City ordinances are coming off the streets and into the server room

GavelOn April 24, 2019, the U.S. Supreme Court issued an important decision touching a number of hot button issues and litigation threats facing American businesses — including class actions, arbitration agreements and data privacy.

The case, Lamps Plus, Inc. v. Varela, 17-988, 2019 WL 1780275 (U.S. Apr. 24, 2019), stemmed from a data breach in which a hacker posing as a company official “tricked” a Lamps Plus employee into disclosing the tax information of approximately 1,300 workers.  Among those 1,300 workers was Frank Varela, the named plaintiff.  Id. at *2.  Following the data breach, Mr. Varela became the victim of identity theft when a fraudulent federal income tax return was filed in his name. 
Continue Reading SCOTUS Catapults Class Arbitration Onto the Endangered Species List

Match stick DeskJust when you thought it was safe to open your e-mail again without being inundated with updated privacy policies, here comes the California Consumer Privacy Act of 2018 (“CCPA”).  The new law, which goes into effect on January 1, 2020, will expand the privacy rights of California residents and bring some of the EU’s widely discussed General Data Protection Regulation (“GDPR”) to the United States.  There will be lots to talk about over the next year and a half as companies gear up for compliance, but here are some key features to be aware of:

Continue Reading California and GDPR “light”: A Match Made in Plaintiffs’ Lawyers’ Heaven?

GDPR CalendarWhat Is GDPR?
The EU General Data Protection Regulation (GDPR),—described as “the most important change in data privacy regulation in 20 years”—becomes enforceable by law on May 25, 2018. After four years of preparation and debate, GDPR was approved by the EU Parliament in April 2016 to replace the Data Protection Directive 95/46/EC. According to the EUGDPR.org, the overarching purpose of GDPR is to “harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.” Expected to comply are organizations located within the EU; that offer goods or services to, or monitor the behavior of, EU data subjects; and all companies processing and holding the personal data of data subjects residing in the EU.

Continue Reading 100 Days Until GDPR … Are You Ready?

A North Carolina bill designed to strengthen the state’s data breach notification statute could radically change incident response.  Through the Act to Strengthen Identity Theft Protections, North Carolina could quickly become one of the strictest jurisdictions for data security in the country.  The text of the bill has not yet been made public, but a fact sheet released earlier this month indicates that North Carolina may take drastic steps to address the fact that 5.3 million North Carolinians were impacted by data breaches in 2017. 
Continue Reading Data Breach Notification Revisions in North Carolina Would Bring Radical Change

As 2017 comes to a close and companies look to planning initiatives for 2018, there is one date that should be front and center for privacy professionals: May 25, 2018. That is the date that the EU’s General Data Protection Regulation (GDPR) goes into effect, meaning that any company dealing with EU consumer data needs to have a plan in place.  The GDPR has been looming for almost two years now (since its adoption on April 27, 2016), so hopefully most companies impacted by the regulation have already begun to implement compliance mechanisms. But if not, it’s not too late.

We have written previously in this space about what the scope of the GDPR requirements. The question now is what companies covered by the GDPR should be doing as they head into 2018. Here are some critical steps to make sure you are on track to ensure GDPR compliance:

Continue Reading Getting Ready for GDPR Compliance in the New Year