Photo of Jeffrey L. Poston

Jeffrey L. Poston

Subscribe to Jeffrey L. Poston's Posts

Jeff Poston is a partner in Crowell & Moring’s Washington, D.C. office, where he serves as co-chair of the firm’s Chambers USA-ranked Privacy & Cybersecurity Group and is a member of the Litigation Group. A seasoned trial lawyer with more than 25 years of experience leading investigations and litigation for corporate clients, Jeff counsels and defends clients in complex data protection matters involving class-actions and regulatory enforcement actions, as well as commercial disputes. Jeff also counsels businesses on both domestic and international privacy compliance matters, including the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA).

Contact:Read more about Jeffrey L. Poston

The University of Maryland announced on February 19th that it is the most recent university to fall victim to a data breach. According to the University’s President, UM was the target of a “sophisticated” computer attack that exposed the personally identifiable information (PII) of over 300,000 individuals. Specifically, the hack targeted records that relate to the University’s student identification (ID) system and thus compromised the PII of various students and staff who had been issued a University ID since 1998. The compromised PII includes names, Social Security numbers, dates of birth, and University ID numbers.

The compromised records were maintained by the school’s IT Department and protected by “sophisticated, multi-layered security defenses” that the hackers were nonetheless able to bypass. This reflects the painful reality that data breaches are often a matter of when, not if, especially for universities.
Continue Reading Another University Data Breach Adds to Growing Trend

With the HIPAA Final Rule now in place, business associates as well as subcontractors must comply with the entire Security Rule (among other aspects of HIPAA) and face direct liability for the failure to do so. Some entities may be surprised to learn they are subject to HIPAA given the recently expanded definition of “business

On September 3, 2013, the U.S. District Court for the Northern District of Illinois dismissed a class action complaint against Barnes & Noble seeking damages based on a data security incident, finding that the plaintiffs lacked standing to bring the claims. This decision reaffirms that retailers may be able to avoid damages for data breaches where the plaintiffs cannot allege or establish actual damages.

In October 2012, Barnes & Noble notified the public, through a press release and a notice on its website, that it had discovered hackers were stealing credit and debit card information from its PIN pad devices at 63 stores across the country. The hackers obtained the data by tampering with the PIN pad devices used to process transactions. Barnes & Noble made the announcement approximately six (6) weeks after it discovered the fraudulent activity. Barnes & Noble did not directly notify individual customers.
Continue Reading Data Breach Class Action Against Barnes & Noble Dismissed for Lack of Standing

A Massachusetts federal court (“federal court”) certified several privacy related questions of first impression to the Massachusetts State Supreme Judicial Court (“State court”) to clarify the scope of state law. In response, the State court broadly construed “personal identification information” (“PII”) and held that collecting customer zip codes during credit card transactions violates Massachusetts privacy laws (G.L. c. 93 § 105(a)). The State court also held that plaintiffs can maintain a private action for such a violation even absent any claim of resulting identity theft. This decision has significant implications for any national or local retailer that conducts business in Massachusetts. The case is Tyler v. Michaels Stores, Inc., — N.E. 2d —, 2013 WL 854097 (Mass. Mar. 11, 2013).
Continue Reading Massachusetts Court Broadly Interprets “Personal Identification Information” to Include Zip Codes, Holds Identity Theft Unnecessary to Sustain Private Cause of Action

On March 6, 2013, the United States District Court for the Northern District of California held that a putative class of LinkedIn premium users lacked standing to pursue state law unfair competition, breach of contract, and negligence claims resulting from a hacking incident. The court dismissed the complaint, concluding that the plaintiffs failed to establish any legally cognizable injury and any causation between the alleged incident and any alleged economic harm. The case is In re LinkedIn User Privacy Litigation (N.D. Cal. Mar. 6, 2013).

LinkedIn, the online community for professional networking, offers both free and premium paid accounts to consumers. The Privacy Policy applicable to both types of accounts provides that user information will be protected with “industry standard protocols and technology,” but notes that it provides no guarantee that LinkedIn’s security will be able to prevent all security breaches. On June 6, 2012, hackers infiltrated LinkedIn’s computer systems and posted 6.5 million user passwords and email addresses. LinkedIn subsequently updated its password encryption method to prevent future breaches.
Continue Reading Allegation of Data Breach Alone Insufficient to Sustain Claim Based on Inadequate Cybersecurity

The Health Insurance Portability and Accountability Act (HIPAA) final rule published on January 25, 2013 contains important changes that affect data management organizations, such as cloud providers. In many cases, entities that have access to health information will be considered “Business Associates.” Such entities would therefore be required to comply with HIPAA’s extensive security provisions within the next six months and could face significant liability for the failure to do so. This may be particularly troublesome for cloud providers and e-discovery vendors because such requirements and potential liability may apply even where vendors do not actively solicit health information.
Continue Reading HIPAA Final Rule Applicable to Cloud Providers and Data Vendors