On January 1, 2021, Congress enacted the Corporate Transparency Act as part of the Anti-Money Laundering Act of 2020 to “better enable critical national security, intelligence, and law enforcement efforts to counter money laundering, the financing of terrorism, and other illicit activity.” FinCEN issued the final rule on Beneficial Ownership Information Reporting Requirements on September … Continue Reading
Judge Jeffrey White of the Northern District of California recently dismissed a putative class action lawsuit in which plaintiffs claimed they faced an imminent threat of future of harm in the form of identity theft and fraud because their personal information, specifically their driver’s license numbers, may have been compromised in a data breach. In … Continue Reading
One of the key decisions that needs to be made in the aftermath of a successful ransomware attack is whether or not the victim organization can or should pay the ransom. Of course, there are many considerations that go into such a decision – for example, whether the payment is legally permissible, the ease of … Continue Reading
In 2020, SolarWinds Corp., a company that provided information technology software to private and government entities, was the victim of a cybersecurity breach. Russian hackers are believed to have slipped malicious code into a SolarWinds software product called Orion, which was then used to infect, and in certain cases, compromise, SolarWinds customers. As a consequence, … Continue Reading
Where business-critical information or platforms are at stake, many commercial parties will seriously consider immediately paying the ransom hoping to regain control of operations, secure client data and avoid continued business disruption and negative publicity. However, businesses may wish to pause. Cyberattacks, by their very nature, know no borders and nor therefore should a private … Continue Reading
On August 24, 2022, California Attorney General (AG) Rob Bonta announced a settlement with beauty products retailer, Sephora USA, Inc. (“Sephora”), resolving claims that Sephora violated the California Consumer Privacy Act (CCPA) for, among other things, failing to disclose to consumers that it was selling their personal information (including precise location data) and failing to … Continue Reading
Last fall, the United States Department of Justice (“DOJ”) launched its Civil Cyber-Fraud Initiative (“CCFI”) as part of its effort to “combat new and emerging cyber threats to the security of sensitive information and critical systems.” Led by the Civil Fraud Section of DOJ’s Commercial Litigation Branch, the CCFI leverages the False Claims Act (“FCA”) … Continue Reading
The UK Supreme Court handed down its much-anticipated decision in the Lloyd v Google LLC [2021] UKSC 50 case on 10 November 2021 restricting claimants’ ability to bring data privacy class actions in the UK under the (now repealed) Data Protection Act 1998 (DPA 1998). This decision will be persuasive (though not binding) with respect … Continue Reading
Earlier this year, we reported on the potential breeding ground for litigation under Illinois’ Biometric Information Privacy Act (“BIPA”). A recent decision from an Illinois state appellate panel on the different limitations periods that apply to BIPA provides guidance for companies faced with a BIPA lawsuit and the arguments they can make on a motion to dismiss. … Continue Reading
Illinois’ Biometric Information Privacy Act (“BIPA”) is alive and well as a potential breeding ground for litigation for tech companies. In the last month, two settlements have been announced in class actions where the plaintiffs alleged violations of BIPA in the U.S. District Court for the Northern District of Illinois. These settlements show that companies … Continue Reading
On February 4, 2021, the Eleventh Circuit affirmed the dismissal of a customer’s proposed class action lawsuit against a Florida-based fast-food chain, PDQ, over a data breach. The three-judge panel rejected the argument that an increased risk of identity theft was a concrete injury sufficient to confer Article III standing, deepening a circuit split on this issue. … Continue Reading
As the D.C. District Court in Wengui v. Clark Hill recently commented, “[m]alicious cyberattacks have unfortunately become a routine part of our modern digital world. So have the lawsuits that follow them….” The court’s decision in that case has added another data point to developing jurisprudence of the cyberattack landscape, specifically concerning the discoverability of post-breach … Continue Reading
Qualifying businesses have another year to complying with certain, major provisions of the CCPA. The CCPA, or the California Consumer Privacy Act of 2018, is a California law that gives California consumers, defined broadly to encompass all California residents, certain rights with respect to their personal information. Namely, it gives consumers the right to know … Continue Reading
On June 1, 2020, the California Attorney General’s office released the third and final set of CCPA proposed regulations (available here). Below, we provide information about the final proposed regulations and enforcement actions.… Continue Reading
The CJEU (the European Union Court of Justice) has handed down a decision which makes clear that general and indiscriminate retention of electronic communications is unlawful. National legislation of each European Member State should ensure that mass surveillance only occurs where it is strictly necessary in order to combat serious crime as well as terrorism … Continue Reading
LabMD’s lack of data security measures resulted in the FTC Commission overturning an Administrative Law Judge (“ALJ”) decision that previously dismissed charges against the company in November. LabMD performed laboratory medical testing for over 750,000 patients since 2001, before going out of business in 2014, partly due to fighting this case. The FTC brought the … Continue Reading
On May 16, 2016, the Supreme Court decided Spokeo, Inc. v. Robins, ruling that a plaintiff must sufficiently allege an injury that is both concrete and particularized in order to have Article III standing, and further that a “bare procedural violation” of a plaintiff’s statutory right may not be sufficiently “concrete” under this analysis. This ruling … Continue Reading
Co-authored by Geoffrey Roche On March 10, 2016, the French data protection agency (« CNIL ») pronounced a €100.000 ($111,715) fine against Google Inc. for failure to comply with its formal injunction of May, 2015 ordering the company to extend delisting to all the search engine’s extensions.… Continue Reading
In a move that may strike fear into the hearts of mobile phone owners everywhere, the Sixth Circuit recently ruled that a person’s “pocket dials” – those inadvertent calls made from a person’s mobile phone, generally when the phone is in its owner’s pocket, and alternatively referred to as “butt dials” – may not be … Continue Reading
Finding that the Plaintiffs lacked Article III standing to pursue their case, Google, Inc. (“Google”) won dismissal of the Android users’ putative class action lawsuit after more than three years of litigation. In re Google Inc. Privacy Policy Litigation, No. 12-01382 (N.D. CA July 15, 2015). The Android users had claimed that Google violated its … Continue Reading
In City of Los Angeles v. Patel, the Supreme Court invalidated a Los Angeles law that allowed law enforcement officials to inspect hotel and motel guest registries at any time, without a warrant or administrative subpoena. The Court ruled that the law violated hotel owners’ Fourth Amendment rights because it “penalizes them for declining to … Continue Reading
A few months after the European Court of Justice ruled on May 13, 2014 that search engines are considered personal data controllers under the EU Data Protection Directive of 1995 and, as such, should provide data subjects with a right to be forgotten, a French Tribunal enforced this principle in X & Y v. Google … Continue Reading
On July 23, 2014, the Massachusetts Attorney General announced a consent judgment with an out-of-state Rhode Island hospital, Women & Infants Hospital of Rhode Island (“WIH” or the “Hospital”), resolving a lawsuit against WIH for violations of federal and state information security and privacy laws involving the loss of over 12,000 Massachusetts residents’ sensitive patient … Continue Reading
After a decision denying class certification last week, claims by Hulu users that their personal information was improperly disclosed to Facebook are limited to the individual named plaintiffs (at least for now, as the decision was without prejudice). The plaintiffs alleged Hulu violated the federal Video Privacy Protection Act by configuring its website to include a … Continue Reading
This website uses third party cookies, over which we have no control. To deactivate the use of third party advertising cookies, you should alter the settings in your browser.