Companies have good reasons to limit business-related communications to devices and applications (“apps”) controlled by the company, and to avoid having sensitive company information on the personal devices and apps of employees:

  • Security: The company does not control the cybersecurity and privacy on employees’ personal apps on personal devices,
Read More

Some of the most significant recent cyber breaches originated at vendors.  We have previously discussed the importance of effective oversight of third parties because vendor breaches can lead to regulatory actions for companies.  Indeed, recent regulatory guidance provides that vendor diligence is an essential part of any cybersecurity program.  This … Read More

In early August, the City of Atlanta reported that the costs associated with its SamSam ransomware infection could reach $17 million, and the FBI has estimated the number of ransomware attacks may be as high as 4,000 per day. To help address the complex issue of when organizations … Read More

There are many good reasons why companies are increasingly migrating parts of the information technology to cloud service providers (“CSPs”), including lower overhead costs, greater data accessibility and mobility, and more efficient disaster-recovery response.  For cybersecurity, cloud solutions offer companies many benefits, such as full-time data security monitoring and data … Read More

In February, we wrote about how the road for plaintiffs in cyber breach class actions may be getting smoother.  Since then, the U.S. Supreme Court has continued to avoid the issue of standing in data breach cases (declining to take up the issue in CareFirst, Inc. v. AttiasRead More

We have written here before about the challenges and benefits of getting rid of old data.  As we have noted, in light of recent legal, regulatory, and technological developments, companies should reevaluate their long-term data management planning.  Last week, the New York Department of Financial Services (“NYDFS”) issued a reminderRead More

Appropriate cybersecurity disclosures can reduce risk of class action securities cases following a data breach.  We have written recently on the rise of these class action securities cases, including the Intel case and the Yahoo! $80 million settlement.  We have also been closely watching the Equifax case.  The recently … Read More

The recent convictions of two traders for using hacked press releases and the settlement of SEC insider trading charges against a former Equifax manager highlight the significant insider trading risks companies face when dealing with a cyber event.  These risks come in two forms.

First, there is the risk that … Read More

On June 6, 2018, the Eleventh Circuit vacated a cease and desist order issued by the FTC against LabMD as unenforceably vague.  The FTC’s Order, which resulted from a finding that LabMD had failed to maintain an adequate cybersecurity program, directed LabMD to “establish and implement, and thereafter maintain, … Read More

In the lead-up to the EU’s General Data Protection Regulation (“GDPR”) becoming effective on May 25, little attention was paid in the U.S. to the private right of action that the GDPR creates. But so far, private actors have filed approximately 24 cross-border GDPR complaints with EU regulators.

At least … Read More