In 2020, SolarWinds Corp., a company that provided information technology software to private and government entities, was the victim of a cybersecurity breach. Russian hackers are believed to have slipped malicious code into a SolarWinds software product called Orion, which was then used to infect, and in certain cases, compromise
Privacy Litigation
Held to Ransom: How Cyberattacks Can Become a Legal and Regulatory Odyssey for a Private Investment Fund
Where business-critical information or platforms are at stake, many commercial parties will seriously consider immediately paying the ransom hoping to regain control of operations, secure client data and avoid continued business disruption and negative publicity. However, businesses may wish to pause. Cyberattacks, by their very nature, know no borders and…
Message Sent! California Attorney General Announces $1.2 Million CCPA Settlement with Retailer and Its Focus on the Sale of Customer Information
On August 24, 2022, California Attorney General (AG) Rob Bonta announced a settlement with beauty products retailer, Sephora USA, Inc. (“Sephora”), resolving claims that Sephora violated the California Consumer Privacy Act (CCPA) for, among other things, failing to disclose to consumers that it was selling their personal information (including precise…
DOJ’s Civil Cyber-Fraud Initiative Secures More Than $9 Million in Two False Claims Act Settlements for Alleged Cybersecurity Violations
Last fall, the United States Department of Justice (“DOJ”) launched its Civil Cyber-Fraud Initiative (“CCFI”) as part of its effort to “combat new and emerging cyber threats to the security of sensitive information and critical systems.” Led by the Civil Fraud Section of DOJ’s Commercial Litigation Branch, the CCFI leverages…
UK Supreme Court Landmark Decision Limits Data Privacy Class Actions in the UK
The UK Supreme Court handed down its much-anticipated decision in the Lloyd v Google LLC [2021] UKSC 50 case on 10 November 2021 restricting claimants’ ability to bring data privacy class actions in the UK under the (now repealed) Data Protection Act 1998 (DPA 1998). This decision will be persuasive (though not binding) with respect to similar class actions brought under the (in-force) UK General Data Protection Regulation and the Data Protection Act 2018 (collectively, the UK GDPR). This decision will not directly impact litigation brought under the EU General Data Protection Regulation in EU member states.
Litigation Update on Illinois’ Biometric Information Privacy Act
Earlier this year, we reported on the potential breeding ground for litigation under Illinois’ Biometric Information Privacy Act (“BIPA”). A recent decision from an Illinois state appellate panel on the different limitations periods that apply to BIPA provides guidance for companies faced with a BIPA lawsuit and the arguments they…
Litigation Breeding Ground: Illinois’ Biometric Information Privacy Act
Illinois’ Biometric Information Privacy Act (“BIPA”) is alive and well as a potential breeding ground for litigation for tech companies. In the last month, two settlements have been announced in class actions where the plaintiffs alleged violations of BIPA in the U.S. District Court for the Northern District of Illinois. These settlements show that companies collecting biometrics should take care to ensure that their practices do not run afoul of BIPA’s requirements.
Circuit Split Deepens as Eleventh Circuit Rejects “Risk of Identity Theft” Theory of Standing in Data Breach Suit
On February 4, 2021, the Eleventh Circuit affirmed the dismissal of a customer’s proposed class action lawsuit against a Florida-based fast-food chain, PDQ, over a data breach. The three-judge panel rejected the argument that an increased risk of identity theft was a concrete injury sufficient to confer Article III standing,…