This is not a drill.

Companies and law enforcement agencies around the world have been left scrambling after the world’s most prolific ransomware attack hit over 500,000 computers in 150 countries over a span of only 4 days. The ransomware – called WannaCry, WCry, WannaCrypt, or WannaDecryptor – infects vulnerable computers and encrypts all of the data. The owner or user of the computer is then faced with an ominous screen, displaying a countdown timer and a demand that a ransom of $300 be paid in bitcoin before the owner can regain access to the encrypted data. The price demanded increases over time until the end of the countdown, when the files are permanently destroyed. To date, the total amount of ransom paid by companies is reported to be less than $60,000, indicating that companies are opting to let their files be destroyed and to rely instead on backups rather than pay the attackers. Nevertheless, the total disruption cost to businesses is expected to range from the hundreds of millions to the billions of dollars.
Continue Reading WannaCry Ransomware Alert

Enforcement of the Digital Advertising Alliance “Application of the Principles of Transparency and Control to Data Used Across Devices” (DAA Cross-Device Principles) officially began on February 1, just a week after the FTC issued a staff report discussing the application of the FTC Online Behavioral Advertising Principles in the context of “Cross Device Tracking” and suggesting that the DAA Cross-Device Principles, while commendable, could be stronger.
Continue Reading FTC / DAA Extend Data Privacy Focus to Cross-Device Tracking

In a recent article in Entrepreneur, Sheppard Mullin partner Jonathan Meyer, a former Senate counsel to Vice President Biden and Deputy General Counsel at the Department of Homeland Security, points out that Congressional oversight of companies is likely to increase in the next two years, and that cybersecurity is among the hottest topics it is likely to focus on.  The public’s increasing attention to issues such as DDoS attacks, the vulnerability of the Internet of Things, and allegations of politically-motivated hacks from overseas will only increase this likelihood.  As always, companies should keep an eye on Capitol Hill, and be ready for what might come their way.
Continue Reading Congress Likely to Focus on Cybersecurity in the Private Sector

On July 20, 2015, the Seventh Circuit issued its opinion in Remijas v. Neiman Marcus Group, 794 F.3d 688 (7th Cir. 2015), which immediately became the low-water mark for Article III standing in data breach cases. In short, Remijas became the first Circuit decision to expressly and expansively recognize that the risk of future injury, and the time and money spent protecting against identity theft as a result of a data breach, were sufficient to confer Article III standing.
Continue Reading Back at it Again (with the Standing Opinions): Seventh Circuit Reiterates Article III Standing in Data Breach Class Actions

Big-name companies, government agencies and individuals are all falling victim to “ransomware” attacks in record and still-rising numbers. Recently, Hollywood Presbyterian Hospital’s communications capabilities were disabled for 10 days before the hospital paid a ransom of 40 bitcoins – about $17,000 – and regained access to its system. And this week MedStar Health, a system of ten major hospitals in the Washington, DC area, reportedly suffered a similar attack. All this activity has led experts to label 2016 as “the year of ransomware.” And this new form of cyberattack requires a different approach to cybersecurity and incident recovery than your data breach prevention plan.
Continue Reading Be Alert: Ransomware Attacks on the Rise

Over the last six months, at least four putative class actions have been filed under the Biometric Information Privacy Act (“BIPA”)—an obscure Illinois statute passed about seven years ago to regulate the collection and use of consumers’ biometric information.  In relevant part, the BIPA requires entities in possession of biometric information (i.e., retina scans, fingerprints, voiceprints, etc.) to retain a specific written policy governing data retention and to collect written consent from consumers before collecting biometric information.
Continue Reading Tag, You’re It: Biometric Information Privacy Act Class Action Against Shutterfly Moves Past 12(b)(6)

Yes. I just asked that.  For many, the response is likely “Yes!  Of course we are!  It’s *&^%$% cybersecurity – it’s complicated!”  To which I would respond “Touché.  It is…but it needn’t be overly complicated.”  So, of course, I set out to find a complicated way to simplify it.  And, in the spirit of National Cyber Security Awareness Month, I thought I would share two complicated ways to simplify your cybersecurity processes.
Continue Reading Are You Overcomplicating Your Cybersecurity Processes?

On October 2, 2015, Trump International Hotels became the latest in a growing line of data breach class action victims. Driscoll v. Trump International Hotels Management LLC, No. 15-cv-1089 (S.D. Ill.). Indeed, the hospitality industry as a whole is seeing increased scrutiny from both plaintiffs’ attorneys and federal regulators. Less than two months ago, the Third Circuit Court of Appeals affirmed the Federal Trade Commission’s broad authority to clamp down on the allegedly lax cybersecurity measures implemented by Wyndham Worldwide. F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015).
Continue Reading Do as You Say (and as You Should Do): How the Hospitality Industry Can Brace for Data Privacy Actions

The Court of Justice of the European Union ruled this morning that the Safe Harbor regime, which enables transatlantic data transfers from the European Union to the United States, is invalid, thereby giving each national supervisory authority the chance to revisit the question of whether the U.S. provides an adequate level of protection for EU citizens’ data. A copy of the decision can be found here.
Continue Reading US Safe Harbor Regime Invalidated by Europe’s Highest Court

In 2014, the United States Court of Appeals for the Third Circuit, in FTC v. Wyndham Worldwide Corporation, agreed to hear an immediate appeal on two issues: “whether the FTC has authority to regulate cybersecurity under the unfairness prong of § 45(a); and, if so, whether Wyndham had fair notice its specific cybersecurity practices could fall short of that provision.” On August 24, 2015, the Third Circuit affirmed the decision of the District Court and denied Wyndham’s motion to dismiss the complaint.
Continue Reading FTC v. Wyndham: The Third Circuit Recognizes FTC Authority to Regulate Commercial Cyber Security Practices