Facebook Moves to Dismiss Derivative Action Arising Out of Cambridge Analytica Scandal

On September 28, 2018, Facebook and its board of directors moved to dismiss a derivative action filed by Karen Sbriglio, a Facebook investor, alleging breach of a fiduciary duty.  The lawsuit, filed after revelations of the Cambridge Analytica scandal, claims the failure of Facebook’s leadership and governance in permitting the misappropriation of Facebook users’ data subjected it to public scrutiny, billions of dollars of lost market value, and significant fines and costs.  The basis of Facebook’s motion was that the company’s board, rather than…
Continue reading...

Long-struggling ‘Google Plus’ Social Network to be Shutdown after Security Breach Affects 500,000

On Monday, October 8, 2018 Google disclosed a security breach it discovered months ago that put at risk the personal data of hundreds of thousands of Google Plus users. In March, Google discovered, and fixed, the bug that allowed outside software developers to gain access to personal information on Google Plus users, including names, email addresses, ages, occupations and relationship status. The company’s decision to not immediately report the software bug has some concerned that Google cannot be relied on to protect privacy. Google…
Continue reading...

SEC’s First Cybersecurity Enforcement Has Many Lessons

The Securities and Exchange Commission recently announced its first ever cyber-related enforcement action in a case that all companies should look at as a refresher on cybersecurity hygiene. In the Matter of Voya Financial Advisors, Inc. was brought against the publicly traded company that manages over $500 billion after a security breach through several of its brokers acting as independent contractors for the company. These brokers typically accessed Voya clients’ PII through a password protected web portal while using their own IT equipment and networks.…
Continue reading...

The GDPR Question and Answer Guide

Attorneys in Goldberg Segalla’s Cybersecurity and Data Privacy, Global Insurance Services, and other practice groups have fielded countless questions from clients and colleagues curious (or concerned) about the European Union’s (EU) General Data Protection Regulation (GDPR), the landmark legislation governing data protection and privacy for all individuals within the European Union, as well as the export of all data from the EU and European Economic Area (EEA). Here, we answer the most frequently asked questions pertaining to the GDPR’s who, what, when, where, how, and…
Continue reading...

Fourth Circuit Weighs in on the Evolving Law of Standing in Data Breach Litigation to Hold that Misuse of Stolen Data Confers Standing

While data breach lawyers wait for the U.S. Supreme Court to more clearly define when a hack confers standing on the individual whose personally identifying information (PII) is stolen, the Circuit Courts of Appeals continue to choose sides over a useful standard. On June 12, 2018, the Fourth Circuit weighed in to hold that the individual has standing when the data is actually misused, such as when the hackers open fraudulent credit cards with the stolen PII, and the individual spends time and resources on…
Continue reading...

New York Cybersecurity Regulations Extended to Credit Reporting Agencies

This week, Governor Cuomo has directed the Department of Financial Services to issue a final regulation requiring credit reporting agencies to comply with cybersecurity regulations applied to financial service companies, previously adopted in 23 NYCRR 500, et seq. The new regulation, 23 NYCRR 201, et seq., obligates credit agencies reporting on 1,000 or more New York consumers to register annually with the DFS, and, beginning November 1, 2018, to comply the previously adopted standards, including adoption of a cybersecurity program and CISO, and other controls.…
Continue reading...

Supreme Court Recognizes Expectation of Privacy Regarding Cellphone Location Data

On Friday, June 22, 2018, in a 5-4 split, the Supreme Court in Carpenter v. United Statesheld that the government usually needs a warrant to access an individual’s historical cellphone location data held by third-party carriers. The court rejected the government’s argument that an individual does not have a legitimate expectation of privacy under the Fourth Amendment concerning the location data that third-party carriers collect and keep.  This data, essentially logs of the location of cellphone towers used to route calls to and…
Continue reading...

Newsflash: Internet-Connected Devices Are Not Private

Last week, Amazon confirmed that it’s Alexa-powered Echo device may, in fact, listen in on private conversations, whether or not the device had been intentionally activated by a user. In this “extremely rare occurrence,” a couple’s private conversation was not only recorded, but was sent to a random number in the user’s address book without their permission. Earlier this year, users also reported “unexpected and unwarranted bursts of robotic laughter,” which many found to be extremely “creepy,” and which Amazon characterized as the…
Continue reading...

Data Breach Settlement Highlights Need for Proactive Management of Data Security Threats

Lincare Inc. recently agreed to settle a class action lawsuit for $875,000. The class plaintiffs consisted of employees whose personal information was compromised in 2017. The breach involved a business email compromise scam. The settlement amount is not the only cost to the company and in fact may cost less than implementing remedial measures (credit/identity monitoring) and IT reforms to prevent such an incident from happening in the future. For example, the settlement terms dictate that an additional two years of free credit and identity…
Continue reading...

Chili’s Carefully Announces Limited Data Breach

On May 11, 2018, Chili’s Grill & Bar learned that “some of [their] guest’s payment card information was compromised at certain Chili’s restaurants” as the result of a “data incident,” according to a press release on the company’s website. Preliminary investigations suggest malware was used to gather payment card information for purchases between March and April 2018. While such data incidents are increasingly common, Chili’s press release is notable for two reasons. Firstly, The release, presented as a letter to “valued guests,” provided…
Continue reading...