The Securities and Exchange Commission’s (“SEC”) recent $1 million settlement with Morgan Stanley Smith Barney LLC (“MSSB”) marked a turning point in the agency’s focus on cybersecurity issues, an area that the agency has proclaimed a top enforcement priority in recent years. The MSSB settlement addressed various cybersecurity deficiencies that led to the misappropriation of sensitive data for approximately 730,000 customer accounts.
Illinois and Texas recently enacted laws regulating the collection and use of biometric information (i.e., information based on an individual’s biometric identifiers, such as iris scans, fingerprints, voiceprints, or facial geometry) and a number of other states, including New York and California, are considering adopting such statutes. The Illinois Biometric Information Privacy Act (“BIPA”) permits private rights of action and provides for statutory damages ranging from $1,000 to $5,000 per violation. The Texas analog, entitled Capture or Use of Biometric Identifier (“CUBI”), is enforceable only by the state attorney general and permits civil penalties up to $25,000 per violation.
Earlier this week, the FTC and FCC announced “parallel” investigations into how carriers and mobile device makers release information on vulnerabilities, and how and when mobile security patches are distributed. The regulators, who have publicly jockeyed for position on privacy and cybersecurity matters in the past year, appear to have reached a truce of sorts, allowing each agency to examine industry players within its core jurisdiction.
In a news conference today President Obama addressed rules and proposed regulations announced Thursday intended to help the U.S. fight tax evasion and other crimes connected to anonymous offshore companies and accounts. The announcements come after a month of intense review by the administration following the first release of the so-called Panama Papers, millions of documents stolen or leaked from Panamanian law firm Mossack, Fonseca. The papers have revealed a who’s who of international politicians, business leaders, sports figures and celebrities involved with financial transactions accomplished through anonymous shell corporations.
On April 6, 2016, the National Telecommunications and Information Administration (NTIA) issued a federal notice to request public comment on the benefits, challenges, and potential roles for the government in fostering the advancement of the Internet of Things (IoT). (RFC at http://www.ntia.doc.gov/files/ntia/publications/fr_rfc_iot_04062016.pdf).
Comments are due on May 23, 2016.
In Campbell-Ewald v. Gomez, 136 S. Ct. 663 (Jan. 20, 2016), the Supreme Court resolved a split among courts and held that an unaccepted settlement offer of complete individual relief does not moot the plaintiff’s lawsuit. However, the Court expressly left open the question of “whether the result would be different if a defendant deposits the full amount of the plaintiff’s individual claim in an account payable to the plaintiff, and then the court enters judgment for the plaintiff in that amount.” 136 S. Ct. at 672.
On July 20, 2015, the Seventh Circuit issued its opinion in Remijas v. Neiman Marcus Group, 794 F.3d 688 (7th Cir. 2015), which immediately became the low-water mark for Article III standing in data breach cases. In short, Remijas became the first Circuit decision to expressly and expansively recognize that risk of future injury and time and money spent protecting against identity theft as a result of a data breach were sufficient to confer Article III standing.
For years, litigants have battled over whether a defendant’s offer of judgment, which completely satisfies the plaintiff’s individual claim, can moot a class action. In Campbell-Ewald v. Gomez, 136 S. Ct. 663 (2016), the U.S. Supreme Court recently held that no case is mooted when a plaintiff refuses to accept an offer of judgment. The Supreme Court, however, left open the question of what happens when a defendant follows through with its offer by tendering complete individual relief, depositing the monetary relief with the court, and moving for entry of judgment.
Big name companies, government agencies and individuals are all falling victim to “ransomware” attacks in record and still-rising numbers. Recently, Hollywood Presbyterian Hospital’s communications capabilities were disabled for 10 days before the hospital paid a ransom of 40 bitcoins – about $17,000 – and regained access to its system. And this week Medstar Health, a system of ten major hospitals in the Washington, DC area, reportedly suffered a similar attack. All this activity has led experts to label 2016 as “the year of ransomware.” And this new form of cyberattack requires a different approach to cybersecurity and incident recovery than your data breach prevention plan.
On February 29, 2016, the European Commission and United States released the terms of the much-anticipated renewed framework for the transfer, sharing, and processing of European individuals’ data to the United States. The framework replaces the “Safe Harbour” mechanism, which enabled U.S. companies to transfer data from the EU to the United States by self-certifying that their practices ensured an adequate level of protection for personal data under the EU Data Protection Directive. In October, the “Safe Harbour” framework was declared invalid by the European Court of Justice in the Schrems decision covered earlier in this blog.