We had previously predicted that the Equifax data breach could lead to increased state-level cybersecurity enforcement. On June 27, the NYDFS announced that Equifax has agreed to take corrective action for its 2017 data breach, as set forth in a consent order reached with the NYDFS and seven other
Continue Reading

One of many difficult decisions that companies face following a cyber breach is whether to disclose it to law enforcement.  There are several advantages to involving the FBI in a breach response: they may (1) have seen this kind of hack before; (2) know the malware or persons involved; (3)
Continue Reading

Plaintiffs in data breach cases have tried many theories of recovery, including negligence, negligence per se, violations of state data protection statutes, violations of the Fair Credit Reporting Act, breach of fiduciary duty, and violations of the constitutional right to privacy, with mixed results.

Courts have rejected many of these
Continue Reading

The $1 million fine that was recently levied against Yes Bank shows the increasing risks of failing to provide timely breach notification.  On October 23, 2017, the Reserve Bank of India (“RBI”) announced that it was fining India’s Yes Bank $1 million USD for failing to comply with RBI’s breach
Continue Reading

Regulators in almost every U.S. state have the authority to enforce cybersecurity compliance under their state’s laws, but until recently, they have rarely exercised this power, leaving enforcement mostly to federal agencies like the FTC.  With the recent Equifax breach, this appears to be changing.

The Massachusetts Attorney General filed
Continue Reading