On February 4, 2021, the Eleventh Circuit affirmed the dismissal of a customer’s proposed class action lawsuit against a Florida-based fast-food chain, PDQ, over a data breach. The three-judge panel rejected the argument that an increased risk of identity theft was a concrete injury sufficient to confer Article III standing,

As the D.C. District Court in Wengui v. Clark Hill recently commented, “[m]alicious cyberattacks have unfortunately become a routine part of our modern digital world. So have the lawsuits that follow them….” The court’s decision in that case has added another data point to developing jurisprudence of the cyberattack landscape

As reported last week, a state-sponsored hacker may have breached multiple U.S. government networks through a widely-used software product offered by SolarWinds. The compromised product, known as Orion, helps organizations manage their networks, servers, and networked devices. The hacker concealed malware inside a software update that, when installed, allowed the hacker to perform reconnaissance, elevate user privileges, move laterally into other environments and compromise the organization’s data.

In recent years, Ransomware has evolved from merely encrypting files/disabling networks in solicitation of ransom, to sophisticated attacks that often involve actual data access, theft and sometimes, the threat of publication. These sophisticated malware attacks frequently destroy backups and provide criminals even more leverage over their victims, coercing them to

Qualifying businesses have another year to complying with certain, major provisions of the CCPA. The CCPA, or the California Consumer Privacy Act of 2018, is a California law that gives California consumers, defined broadly to encompass all California residents, certain rights with respect to their personal information. Namely, it gives consumers the right to know about the personal information that businesses collect about them; the right to know what businesses do with that information; and, the right opt out of the sale of certain personal information if a business sells that personal information. In turn, qualifying businesses that do business in California must institute certain policies, practices, and methods that allow consumers to effectuate those rights.

On July 16, 2020, the Court of Justice of the European Union (CJEU) invalidated Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield, ruling, among other things, that U.S. domestic law governing law enforcement access to transferred data does not satisfy the GDPR’s requirements because, as the Court stated, U.S. surveillance programs are not limited to “what is strictly necessary to achieve the legitimate objective in question”. In a separate portion of the opinion, however, the CJEU upheld as valid Commission Decision 2010/87 on standard contractual clauses (SCCs) for the transfer of personal data to processors established in third countries. This is the second ruling (known commonly as “Schrems II”) by the CJEU overturning an established mechanism to transfer personal data from the EU to the U.S. Indeed, only five years ago the CJEU issued its “Schrems I” decision invalidating the long-standing EU-U.S. Safe Harbor, which had been a method to transfer data across the Atlantic without running afoul of the EU Data Protection Directive, a predecessor of the GDPR.