The Illinois Biometric Information Privacy Act (BIPA) has spawned hundreds of class action lawsuits and a raft of unresolved issues.  A core issue from a litigation perspective—as well as for companies bracing for potential lawsuits—is one of “standing,” and in particular, what BIPA claims can be brought by plaintiffs in what venues.

Continue Reading Beware BIPA Bifurcation: Plaintiffs’ New Gambit to Split BIPA Claims Between State and Federal Courts 

Virginia is now the second state, after California, to pass a comprehensive privacy law. The Consumer Data Protection Act (“CDPA”) will come into effect January 1, 2023 (the same time as the modification to California’s Consumer Privacy Act (“CCPA”), namely the California Privacy Rights Act). Although this new Virginia law has been compared by many to California’s current CCPA and the EU’s GDPR, there are some differences. Businesses will find most of the differences a relief, although the law does introduce a few new concepts.
Continue Reading Virginia is for…Privacy: Comprehensive Law Passed, Effective January 2023

Cyberattacks have become big business from the standpoint of attackers.  Threat actors range well beyond cults of old, and now including sophisticated state actors, large businesses organized for the very purpose of cyber breach and theft, and complex threat networks that aggregate information formerly treated as innocuous.  This is a real risk for companies as we look forward to the remainder of 2021. At the same time, ransomware is changing the state of cyber insurance, with regulators across the globe entering the field to govern the conduct of attacked businesses in this climate. Regulations cover terms of ransom payments and subsequent obligations to persons whose information goes out the pipes.  For more on these risks, you can listen to the recent Nota Bene podcast episode (on Apple PodcastsGoogle PodcastsSpotify, or Stitcher) with Sheppard Mullin partners Kari Rollins and Michael Cohen.
Continue Reading Managing the World of Cybersecurity in a New Era

Many states require insurance providers that do business in their states to complete annual certifications of compliance.  As examples, the deadline in New Hampshire is coming up on March 1.  The deadline in Alabama, Connecticut, Delaware, Louisiana, Michigan, Mississippi, Ohio, and South Carolina was February 15.  (The deadline under new laws in Michigan and Virginia will be February 15 as well, starting in 2022 and 2023, respectively.)  The deadline in New York is April 15. 
Continue Reading Insurance Cybersecurity Certifications: A State Roundup

The FTC recently settled with Flo Health, Inc., a popular fertility-tracking app, based on promises made about how health data would be shared.  In its complaint, the FTC alleged that while Flo promised to keep users’ health data private and only use it to provide the app’s services to users, in fact, health information of over 100 million users was being shared with popular third party companies. Namely, third parties who provided marketing and analytics services to the app.
Continue Reading FTC Settles with Fertility Tracking App For Alleged Deceptive Data Sharing Practices

Artificial intelligence continues to be a focus and concern for businesses, regulators, and lawmakers alike. As we recently wrote, there was much activity and focus on artificial intelligence and the impact on privacy laws. In addition to legal developments, there have been advancements in AI business technologies by major multinational technology firms, something focused on this post in our sister Intellectual Property Law Blog. There has been an arms race underway by the world’s leading economies to win the estimated $13 Trillion of GDP this field stands to award the winner.  In a recent podcast episode, partners Siraj Husain and Michael P.A. Cohen discuss these developments, risks, and solutions that businesses are experiencing.
Continue Reading What to Watch in Artificial Intelligence in 2021

Many have been watching facial recognition law developments closely, and saw that Portland became the first US city to regulate the use of such technology by private entities operating “places of public accommodation” within the city. Of particular concern for the Portland city council was the use potentially discriminatory use of these technologies, and its impact on “children, Black, Indigenous and People of Color, people with disabilities, immigrants, refugees, and other marginalized communities and local businesses.”
Continue Reading Portland’s Facial Recognition Law: Impact on National Companies

Will HHS’ approach for imposing penalties in the aftermath of a data breach become a little clearer in 2021? This is a distinct possibility in the wake of a Fifth Circuit decision vacating penalties against MD Anderson Cancer Center. The hospital suffered three data breaches, leading HHS to impose over $4 million in civil penalties. That fine was reversed recently by the Fifth Circuit as arbitrary, capricious, and contrary to law.
Continue Reading What Does the Fifth Circuit’s Vacating of HHS HIPAA Fines Mean for Companies This Year?

A class action lawsuit filed against PayPal in connection with a breach it suffered in 2017 was dismissed recently because the plaintiffs did not adequately allege PayPal’s intent to deceive investors.  The litigation began after PayPal’s acquired TIO Networks Corporation, a smaller payment processor and platform.  Post-acquisition, PayPal announced that it had discovered “security vulnerabilities” in TIO’s operations and it thus suspended TIO’s operations.  At that point, TIO had not yet been integrated into PayPal’s platform.  PayPal confirmed that it was investigating TIO’s security measures with the help of outside assistance, and that PayPal customers’ data remained secure.  PayPal further confirmed that it was not aware of any breach of personal information maintained by TIO.  The following month, however, PayPal announced that a breach of personal information had in fact occurred.  Confidential information belonging to 1.6 million customers had been potentially compromised, causing PayPal’s stock price to drop by 5.75%.
Continue Reading Successful Dismissal of PayPal Class Action Over Breach Disclosures Serves as Risks Reminder