For the first time, the U.S. Supreme Court has agreed to review the Computer Fraud and Abuse Act (CFAA) in Van Buren v. United States, No. 19-783. A federal circuit split exists on the issue of whether the statute can only be used against hackers and unauthorized users of electronic systems, or also against authorized users who use the information for unauthorized purposes. In the context of data breaches, companies sometimes look to interpretations of the meaning of “authorization” in CFAA cases to analyze whether notification obligations may exist.
Continue Reading SCOTUS Review of CFAA May Impact Analysis in Data Breach Notification Obligations

During their COVID-19 preparations, companies are dusting off -and deploying- their business continuity plans. Also worth revisiting are incident response plans. Teams working remotely, if faced with a data breach, will still face privilege issues. For this reason simply moving to asynchronous forms of communication (email, chat, etc.) may not suffice, or may increase legal risk and exposure. Teams will thus need to be prepared for coming together virtually. Turning on the camera to converse remotely with video can be an impactful and important way to effectively handle a breach situation. To prepare, here are three key questions companies can consider:
Continue Reading Turn on the Camera Part Two: Are You Prepared to Handle a Breach Remotely and Do You Know Your Legal Security Obligations?

Businesses collecting personal information from New York residents will soon be expected to apply enhanced data security requirements. The New York SHIELD Act, signed into law in July 2019, expanded breach notice requirements in October 2019. Now, On March 21, 2020, the remaining provisions related to data security will also come into effect. As we wrote previously, businesses subject to the law must implement data security programs that include at least the following:
Continue Reading NY SHIELD Act Data Security Requirements Effective This Month

Massachusetts’ breach notice law has been amended, requiring companies who suffer a data breach to provide more information to the Attorney General about the incident. The law will go into effect in a month, on April 11, 2019. As most know, already under MA’s breach notice law, companies that suffer a breach that impacted Massachusetts individuals are obligated to tell the MA AG. As part of that notice, they needed to explain the nature of the breach, number of residents impacted, and mitigation steps taken. Now, the MA AG will also need to be told if the company has a written information security program, as well as greater detail about the breach itself. These details include the person responsible for the breach of security, if known, as well as the name and title of the person reporting the breach and relationship to the entity that was breached. A sample copy of the notice sent to consumers also needs to be provided to the MA AG. That sample notice will be posted on the MA AG website within one day of receipt, provided that doing so does not “impede an active investigation” by either the MA AG or other law enforcement agency. The law also provides additional requirements on the AG to post information to its website about breaches.
Continue Reading US State Breach Law Modifications Begin in 2019 with Massachusetts

Colorado’s governor recently signed into law an update to the state’s breach notice law.  As we reported yesterday the new law takes effect on September 1, 2018. As amended, the definition of “personal information” now also includes student, military or passport identification numbers, medical information, health insurance identification numbers, biometric data, and a resident’s username or email address (in combination with passwords or security questions). The law now calls for companies to conduct investigations when they become aware that a breach may have occurred (rather than when they become aware of a breach). Also modified is the window that companies have to provide notice, joining Florida in requiring notice within 30 days (as compared to the current “without unreasonable delay”).
Continue Reading Colorado Enacts Stringent Data Breach Notification Law

Louisiana has joined the growing list of states updating their data breach notification law in 2018.  Others include, as we have reported, Arizona and Oregon. The law has now been amended to include biometric information, state ID number, and passport number in the definition of personal information. It also adds a 60-day notice timeline from “the discovery of the breach.” If the 60-day timeline is not met because of a law enforcement request or because it takes longer to find out the scope of the breach and restore company’s systems, the law requires that the company explain the delay to the state Attorney General. The law now also permits companies not to notify if, after a reasonable investigation, they determine that “there is no likelihood of harm to the residents of this state.” Companies must keep a written record – for five years – of breaches it did not report.  This record must be given to the AG, if requested, within 60 days. The amendments to the Louisiana law go into effect on August 1st, 2018.
Continue Reading Louisiana Joins the Breach Notice Update Law Fray

As we wrote yesterday, the CIO of Equifax is currently facing civil and criminal liability following trading he made after his employer suffered a major cybersecurity breach. As we indicated in our prior blog post, the SEC has filed a complaint alleging liability because he independently figured out that his employer was the victim of a breach and traded on that information.
Continue Reading You Might Be an Inside Trader If: Insider Trading and Data Breaches Part II

Earlier this year, the SEC released cybersecurity guidance addressing, among other things, the risk of insider trading in the event of a data breach.  The insider trading risk includes risk that the intruder will trade on stolen information and risk that insiders will trade on the knowledge of the breach itself.  In this manner, the SEC has added itself to the ever-growing pool of potential regulatory enforcers who may be quick to act in the event of a data breach.


Continue Reading You Might Be an Inside Trader If…: Insider Trading and Breaches Part I

New York Attorney General, Eric. T. Schneiderman, stated in a recent press release that 9.2 million New Yorkers had their personal data compromised in 2017. Such data compromises were mainly due to large scale data hacks, such as the Equifax and Game Stop hacks. According to the NYAG office’s report, 1,583 data breaches were reported to the NYAG in 2017. This was quadruple the number from 2016. While hacking was the most likely culprit the AG indicated, a large number of breaches resulted from negligence.
Continue Reading NY Issues Data Breach Report

Oregon’s governor recently passed into law S 1551. The bill amends the state’s existing breach notice law. The revision goes into effect in June. It adds to the definition of personal information that which would permit access to a financial account. It now also places the duty to notify not only on entities that own or license information and use it in the course of their business, but also on those that “otherwise possess” information and use it in the course of their business. Notice also has to be made if an entity [i.e. Entity A] “receive notice of a breach . . . from another person that maintains or otherwise possesses personal information” on Entity A’s behalf.
Continue Reading Oregon Updates Its Data Breach Notification Law