Data Law Insights

Legal insights on navigating privacy, data protection, cybersecurity, information governance, and e-discovery

Subscribe to all posts by Jeffrey L. Poston

No Summer Vacation for Government as New Cybersecurity Legislation Passes

Posted in Cybersecurity / Data Security
The federal government has kept busy this summer by issuing multiple regulations impacting government contractors’ cybersecurity.  First, the Department of Defense released the 2019 National Defense Authorization Act (NDAA), which included notable cybersecurity provisions involving foreign ownership and Controlled Unclassified Information (CUI), among others.  Second, Congress passed the NIST Small Business Cybersecurity Act requiring the National Institute of Standards… Continue Reading

Political Data Firm Improperly Accessed Facebook Users’ Data

Posted in Cybersecurity / Data Security
Facebook faces government investigations on both sides of the Atlantic after recent revelations that Cambridge Analytica, a British political data firm with ties to President Trump’s 2016 campaign, collected and used the personal information of more than 50 million Facebook users in a manner that violates Facebook’s stated policy regarding access, disclosure, and use of… Continue Reading

Ninth Circuit Revives Data Breach Class Action, Finds Risk of Identity Theft Without Actual Harm Sufficient to Establish Standing

Posted in Uncategorized
Last week, the U.S. Court of Appeals for the Ninth Circuit revived a class action lawsuit related to a 2012 data breach, determining that the future risk of identity theft suffices to establish Article III standing, even where there has been no actual harm. At issue in the case, In re, was whether the… Continue Reading

D.C. Circuit: Alleged theft of healthcare subscriber information satisfies Article III harm standard under Spokeo

Posted in Data Breach, Insurance, Litigation
The U.S. Court of Appeals for the D.C. Circuit has now weighed in on whether plaintiffs can bring a putative class action arising from an alleged data breach in lieu of allegations of actual misuse of compromised data.  Emphasizing the “low bar to establish [] standing at the pleading stage,” the D.C. Circuit reversed a… Continue Reading

FTC Submits Public Comment to Working Group Tasked with Developing Guidance on IoT Security, Upgradability, and Patching

Posted in Cybersecurity / Data Security, Data Breach, Internet of Things
On June 19, 2017, the Federal Trade Commission (FTC) issued a public comment regarding the National Telecommunications & Information Administration’s (NTIA) draft guidance titled Communicating IoT Device Security Update Capability to Improve Transparency for Customers.  In commenting on the guidance, the FTC acknowledged the benefits of and challenges to IoT device security, and encouraged manufacturers… Continue Reading

Judge Approves Neiman Marcus Data Breach Settlement

Posted in Cybersecurity / Data Security, Data Breach
Last week, an Illinois judge preliminarily approved a $1.6 million settlement between Neiman Marcus and a class of customers affected by a 2013 data breach. The settlement, which the parties agreed to in March, covers U.S. residents whose credit card or debit card was used between July 16, 2013 and January 10, 2014 at any… Continue Reading

Data Breach Class Action Dismissed for Not Establishing Economic Injury

Posted in Data Breach, Litigation
Earlier this week, a federal Illinois court dismissed a class action against book retailer Barnes & Noble that alleged breach of contract, invasion of privacy, and violations of state consumer fraud and breach reporting laws. The case, dismissed for failing to establish economic harm, marks another data point in demarcating actionable data breaches and highlights… Continue Reading

Supreme Court to Hear Major Cellphone Privacy Case

Posted in Admissibility, Litigation, Privacy
Yesterday, the Supreme Court announced that it will hear a case with significant ramifications for privacy in the digital age. The case involves a man convicted of armed robbery based in part on cellphone location data obtained without a probable cause warrant. The conviction was appealed at the Sixth Circuit Court of Appeals, which held… Continue Reading

The PRC Cybersecurity Law Takes Effect

Posted in Cybersecurity / Data Security, Government Regulations & FISMA
The first comprehensive data protection framework in China’s history, the PRC Cybersecurity Law, takes effect today, June 1, 2017, despite concerns from businesses around the world about the law’s stringency and scope. The law will carry with it the authority to impose fines up to approximately $145,000.00 per violation in addition to various administrative and… Continue Reading

CFAA Conviction for Accessing and Damaging Former Employer’s Computer System

Posted in Cybersecurity / Data Security
Last week, a federal court sentenced a former systems administrator convicted of accessing his former employer’s computer network and uploading malicious code designed to disrupt and damage the company’s manufacturing operations. Brian P. Johnson worked for years as an information technology specialist and systems administrator at Georgia-Pacific’s Port Hudson, LA facility.  In February 2014, Georgia-Pacific… Continue Reading

2nd Circuit: Government Cannot Force Companies to Hand Over Communications Data Stored Overseas

Posted in Accessibility, Criminal Law, Government Agencies, Information Management, Privacy, Transnational Discovery
The Second Circuit today issued a much-anticipated ruling holding that U.S. firms are not required to turn over user data stored overseas, even in the face of a government warrant.  This decision arose from Microsoft’s December 2014 appeal of a civil contempt ruling against the tech giant for refusing to turn over the personal data… Continue Reading

Supreme Court to Consider Congressionally-Conferred Privacy Breach Standing

Posted in Data Breach, Government Regulations & FISMA, Information Management, Privacy, Social Media
One year ago, data broker Spokeo, Inc. asked the Supreme Court to reconsider the Ninth Circuit’s revival of a putative class action against it for willfully violating the Fair Credit Reporting Act (“FCRA”) by publishing personal information without notice.  This week, the Court heeded that request, granting certiorari.  In doing so, it has paved the… Continue Reading

Privacy Takes Center Stage for Private and Public Sectors Alike

Posted in Cloud Computing, Cybersecurity / Data Security, Data Breach, Privacy, Rules
Over the past year, privacy concerns have played an increasingly critical role in influencing how government and the private sector think about information collection, use, and disclosure. With the rapid pace of technological advancements – and the complex issues that accompany developments such as the Internet of Things, cloud technology, and “big data” analytics –… Continue Reading

Florida Continues Trend to Strengthen Breach Laws

Posted in Cybersecurity / Data Security, Data Breach, Government Agencies, Government Regulations & FISMA, Public Sectors
On June 20, 2014, Florida enacted the Florida Information Protection Act of 2014 (FIPA) to strengthen its data breach notification law. The amendments, which take effect July 1, will make Florida one of the strictest jurisdictions for reporting deadlines (which shorten to 30 days) and the types of information that trigger notification obligations (which now… Continue Reading

Wyndham Decision Upholds FTC Authority to Regulate Data Security

Posted in Cybersecurity / Data Security, Government Agencies
In a much-anticipated decision, the U.S. District Court for the District of New Jersey upheld the FTC’s authority to regulate data security practices by denying Wyndham Worldwide Corporation’s motion to dismiss challenging the FTC’s authority to pursue unfair and deceptive trade practices claims arising from a cyber breach. The complaint against Wyndham asserts that Wyndham’s… Continue Reading

Another University Data Breach Adds to Growing Trend

Posted in Cybersecurity / Data Security, Data Breach
The University of Maryland announced on February 19th that it is the most recent university to fall victim to a data breach. According to the University’s President, UM was the target of a “sophisticated” computer attack that exposed the personally identifiable information (PII) of over 300,000 individuals. Specifically, the hack targeted records that relate to the University’s… Continue Reading

Guess What? You’re Now Subject to HIPAA (Yes, You!): The Broad Reach of HIPAA over Business Associates

Posted in Cybersecurity / Data Security, Government Regulations & FISMA, Privacy
With the HIPAA Final Rule now in place, business associates as well as subcontractors must comply with the entire Security Rule (among other aspects of HIPAA) and face direct liability for the failure to do so. Some entities may be surprised to learn they are subject to HIPAA given the recently expanded definition of “business… Continue Reading

Data Breach Class Action Against Barnes & Noble Dismissed for Lack of Standing

Posted in Cybersecurity / Data Security, Data Breach, Privacy
On September 3, 2013, the U.S. District Court for the Northern District of Illinois dismissed a class action complaint against Barnes & Noble seeking damages based on a data security incident, finding that the plaintiffs lacked standing to bring the claims. This decision reaffirms that retailers may be able to avoid damages for data breaches… Continue Reading

Massachusetts Court Broadly Interprets “Personal Identification Information” to Include Zip Codes, Holds Identity Theft Unnecessary to Sustain Private Cause of Action

Posted in Cybersecurity / Data Security, Privacy
A Massachusetts federal court (“federal court”) certified several privacy related questions of first impression to the Massachusetts State Supreme Judicial Court (“State court”) to clarify the scope of state law. In response, the State court broadly construed “personal identification information” (“PII”) and held that collecting customer zip codes during credit card transactions violates Massachusetts privacy… Continue Reading

Allegation of Data Breach Alone Insufficient to Sustain Claim Based on Inadequate Cybersecurity

Posted in Cybersecurity / Data Security, Data Breach, Information Management, Privacy
On March 6, 2013, the United States District Court for the Northern District of California held that a putative class of LinkedIn premium users lacked standing to pursue state law unfair competition, breach of contract, and negligence claims resulting from a hacking incident. The court dismissed the complaint, concluding that the plaintiffs failed to establish… Continue Reading

HIPAA Final Rule Applicable to Cloud Providers and Data Vendors

Posted in Cloud Computing, Cybersecurity / Data Security, Government Regulations & FISMA, Information Management, Privacy
The Health Insurance Portability and Accountability Act (HIPAA) final rule published on January 25, 2013 contains important changes that affect data management organizations, such as cloud providers. In many cases, entities that have access to health information will be considered “Business Associates.” Such entities would therefore be required to comply with HIPAA’s extensive security provisions… Continue Reading