Privacy and Data Security

In the latest installment of what has become a quickening trend, a New York federal court recently dismissed yet another putative FACTA class action for lack of Article III standing. On her fourth (and final) attempt, the court in the case (Fullwood v. Wolfgang’s Steakhouse, Inc.) held the plaintiff once again failed to plead a concrete injury against a New York City steakhouse that provided her with a receipt displaying the full expiration date of her credit card in 2013.
Continue Reading New York Court Scraps Another FACTA Receipt Class Action for Lack of Standing

Following up on our last post about Cyber Awareness, we now focus on cybersecurity in the workplace. All organizations – large and small, for-profit and non-profit – need to be vigilant about cybersecurity. According to one analysis, 918 data breaches led to 1.9 billion data records being compromised worldwide in the first half of 2017, or about 10 million records a day, a 164% increase. Another study found that since 2013, a sample of company breaches had led to over $52 billion in shareholder losses.
Continue Reading Lessons Learned from Cyber Awareness Month – Part Two

Employees of Peacock Foods, an Illinois-based food product manufacturer, recently filed a lawsuit against their employer for alleged violations of Illinois’ Biometric Information Privacy Act. Under BIPA, companies that collect biometric information must inter alia have a written retention policy (that they follow). As part of the policy, the law states that they must delete biometric information after they no longer need it, or three years after the last transaction with the individual. Companies also need consent to collect the information under the Illinois law, cannot sell the information, and, if they share it, must get consent for such sharing.
Continue Reading Employees Sue for Fingerprint Use

On June 5, the Supreme Court agreed to review a case addressing an individual’s expectation of privacy in his or her historical cellphone location records. This case may well change the way we approach individual privacy in the digital age – not only with regard to cell phone records, but also information relating to email and internet activity, among other things.
Continue Reading The Supreme Court Reenters the Fray on Privacy

This is not a drill.

Companies and law enforcement agencies around the world have been left scrambling after the world’s most prolific ransomware attack hit over 500,000 computers in 150 countries over a span of only 4 days. The ransomware – called WannaCry, WCry, WannaCrypt, or WannaDecryptor – infects vulnerable computers and encrypts all of the data. The owner or user of the computer is then faced with an ominous screen, displaying a countdown timer and a demand that a ransom of $300 be paid in bitcoin before the owner can regain access to the encrypted data. The price demanded increases over time until the end of the countdown, when the files are permanently destroyed. To date, the total amount of ransom paid by companies is reported to be less than $60,000, indicating that companies are opting to let their files be destroyed and to rely instead on backups rather than pay the attackers. Nevertheless, the total disruption cost to businesses is expected to range from the hundreds of millions to the billions of dollars.
Continue Reading WannaCry Ransomware Alert

Enforcement of the Digital Advertising Alliance “Application of the Principles of Transparency and Control to Data Used Across Devices” (DAA Cross-Device Principles) officially began on February 1, just a week after the FTC issued a staff report discussing the application of the FTC Online Behavioral Advertising Principles in the context of “Cross Device Tracking” and suggesting that the DAA Cross-Device Principles, while commendable, could be stronger.
Continue Reading FTC / DAA Extend Data Privacy Focus to Cross-Device Tracking

1. Illinois and Texas recently enacted laws regulating the collection and use of biometric information (i.e., information based on an individual’s biometric identifiers, such as iris scans, fingerprints, voiceprints, or facial geometry) and a number of other states, including New York and California, are considering adopting such statutes. The Illinois Biometric Information Privacy Act (“BIPA”) permits private rights of action and provides for statutory damages ranging from $1,000 to $5,000 per violation. The Texas analog, entitled Capture or Use of Biometric Identifier (“CUBI”), is enforceable only by the state attorney general and permits civil penalties up to $25,000 per violation.
Continue Reading Six Things You Need to Know Before Collecting Biometric Information

On July 20, 2015, the Seventh Circuit issued its opinion in Remijas v. Neiman Marcus Group, 794 F.3d 688 (7th Cir. 2015), which immediately became the low-water mark for Article III standing in data breach cases. In short, Remijas became the first Circuit decision to expressly and expansively recognize that risk of future injury and time and money spent protecting against identity theft as a result of a data breach were sufficient to confer Article III standing.
Continue Reading Back at it Again (with the Standing Opinions): Seventh Circuit Reiterates Article III Standing in Data Breach Class Actions

Big name companies, government agencies and individuals are all falling victim to “ransomware” attacks in record and still-rising numbers. Recently, Hollywood Presbyterian Hospital’s communications capabilities were disabled for 10 days before the hospital paid a ransom of 40 bitcoins – about $17,000 – and regained access to its system. And this week MedStar Health, a system of ten major hospitals in the Washington, DC area, reportedly suffered a similar attack. All this activity has led experts to label 2016 as “the year of ransomware.” And this new form of cyberattack requires a different approach to cybersecurity and incident recovery than your data breach prevention plan.
Continue Reading Be Alert: Ransomware Attacks on the Rise