In early August, the City of Atlanta reported that the costs associated with its SamSam ransomware infection could reach $17 million, and the FBI has estimated the number of ransomware attacks may be as high as 4,000 per day. To help address the complex issue of when organizations

There are many good reasons why companies are increasingly migrating parts of their information technology to cloud service providers (“CSPs”), including lower overhead costs, greater data accessibility and mobility, and more efficient disaster-recovery response.  For cybersecurity, cloud solutions offer companies many benefits, such as full-time data security monitoring and data

In February, we wrote about how the road for plaintiffs in cyber breach class actions may be getting smoother.  Since then, the U.S. Supreme Court has continued to avoid the issue of standing in data breach cases (declining to take up the issue in CareFirst, Inc. v. Attias

We have written here before about the challenges and benefits of getting rid of old data.  As we have noted, in light of recent legal, regulatory, and technological developments, companies should reevaluate their long-term data management planning.  Last week, the New York Department of Financial Services (“NYDFS”) issued a reminder

Appropriate cybersecurity disclosures can reduce risk of class action securities cases following a data breach.  We have written recently on the rise of these class action securities cases, including the Intel case and the Yahoo! $80 million settlement.  We have also been closely watching the Equifax case.  The recently

The recent convictions of two traders for using hacked press releases and the settlement of SEC insider trading charges against a former Equifax manager highlight the significant insider trading risks companies face when dealing with a cyber event.  These risks come in two forms.

First, there is the risk that

On June 6, 2018, the Eleventh Circuit vacated a cease and desist order issued by the FTC against LabMD as unenforceably vague.  The FTC’s Order, which resulted from a finding that LabMD had failed to maintain an adequate cybersecurity program, directed LabMD to “establish and implement, and thereafter maintain,

In the lead-up to the EU’s General Data Protection Regulation (“GDPR”) becoming effective on May 25, little attention was paid in the U.S. to the private right of action that the GDPR creates. But so far, private actors have filed approximately 24 cross-border GDPR complaints with EU regulators.

At least

We had previously predicted that the Equifax data breach could lead to increased state-level cybersecurity enforcement. On June 27, the NYDFS announced that Equifax has agreed to take corrective action for its 2017 data breach, as set forth in a consent order reached with the NYDFS and seven other

For years, the default setting at many companies was to keep electronic data indefinitely. Storage is cheap, there are legal risks associated with deleting data, and you never know when an email from 10 years ago is going to become important. Some companies have document management policies, but often they