Showing 10 posts in Cyber Risk & Liability.
Illinois Appellate Court Concludes that Actual Harm is not Required under Biometric Information Privacy Act
An Illinois appellate court’s recent opinion may very well open the flood gates for litigation arising out of alleged violations of the Illinois Biometric Information Privacy Act (“BIPA”) by eliminating the need to allege actual harm to have standing to sue. Sekura v. Krishna Schaumburg Tan, Inc., 2018 IL App (1st) 180175. More »
On September 26, 2018, Uber Technologies, Inc. (Uber) reached a joint settlement with the attorneys general of all 50 states and Washington, D.C. to pay a record-breaking $148 million for its 2016 data breach and subsequent cover-up. More »
DATA BREACH LITIGATION UPDATE: District Court Judge Rejects Remijas Settlement and Decertifies Class
A judge for the U.S. District Court for the Northern District of Illinois has dealt the latest blow to a consumer class seeking recovery from Neiman Marcus following the 2013 exposure of credit card information, as the result of a data breach. On September 17, 2018, Judge Sharon Johnson Coleman decertified the class and rejected a $1.6 million settlement reached between the class and Neiman Marcus Group LLC. More »
The risk of a cyber-attack is not just a “big business” problem. Due to the media’s reporting, many organizations have the impression that large companies – such as Target and Experian – are the only victims of cyber hacks and breaches. This line of thinking, however, is inconsistent with industry data, which demonstrates that small and mid-size companies are, in fact, vulnerable to this risk.
Companies of all sizes, large and small, must ask themselves whether competitors are trying to steal their trade secrets, whether companies or others are interested in their intellectual property, and whether their business contracts make them a target for a security breach. The regulatory and litigation costs associated with a data breach are monumental and, in some cases – especially those involving small or mid-sized companies – can be catastrophic. It therefore behooves every company, regardless of size, to create an effective strategy for managing and minimizing the risk of a cyber event.
There is no cookie cutter approach to managing this risk, and a cyber risk management strategy must be tailored to a company’s specific needs. As discussed below, best practices provide that a company must assess and address its cyber risk, and engage in additional activities in order to effectively manage this risk. More »
The battle over standing in cyber-security litigation continues. . . .
The latest example appears to be related to a data breach involving the Hudson Bay Company. Founded in 1670, the Hudson Bay Company is one of the oldest companies in North America. On April 1, 2018, it joined the ever-growing list of corporations that have been victimized by cyber-security breaches. Specifically, the Hudson Bay Company, which is the corporate parent of luxury department stores Saks Fifth Avenue, Saks Off 5th, and Lord & Taylor, posted a statement on its company web pages explaining that it had become aware of a data security issue involving customer payment data at certain North American stores. The statement goes on to inform customers that Hudson Bay Company is working with security investigators regarding the breach. On April 2nd, the statement was updated to reassure customers that there was no indication that Social Security numbers, driver's license numbers, and PINs had been compromised, and that the company was conducting a diligent investigation to gain an understanding of the scope of the breach. More »
CYBER RISK CLIENT ALERT: The Circuit Split Continues When It Comes to Standing in Cybersecurity Litigation
U.S. Supreme Court Denies Cert in Recent Case in Which The D.C. Circuit Concluded That “Risk of Future Harm” Is Sufficient to Prove Standing
Federal Circuit Courts will remain split on what constitutes a “concrete injury” sufficient to establish standing in cybersecurity litigation after the Supreme Court recently denied certification of an appeal from the D.C. Circuit Court of Appeals in Attias v. CareFirst, Inc. On August 1, 2017, a three-judge panel in the D.C. Circuit issued a unanimous decision stating that the risk of future harm is sufficient to establish Article III standing in data breach cases. This decision serves as the latest ruling in a continued split among circuit courts across the nation. The District Court’s holding is now final, as the U.S. Supreme Court denied certification on February 20, 2018. More »
Last Friday, a “50-State” complaint was filed against credit reporting giant Equifax concerning an extensive data breach that occurred earlier this year, and which exposed the personal identification and financial information of more than 145 million Americans. This summer, hackers took advantage of a flaw in a software tool utilized by Equifax, and obtained enormous amounts of sensitive customer data. The company has since admitted that it knew about this flaw at least two months before the breach occurred, and at least three months before it alerted consumers of the breach. The lawsuit contends that Equifax failed to improve data safeguards while expanding into new business areas. The lawsuit also alleges that Equifax mishandled its response to the breach, and alleges violation of breach notification laws in states throughout the country. Plaintiffs’ class-action lawsuit seeks recovery of millions of dollars in compensatory damages, as well as punitive damages, disgorgement of profits and attorneys’ fees. More »
The risk of a cyber-attack is ubiquitous, and a cyber-event can result in legal and financial liabilities that can cripple an affected organization. Recognizing the ever-growing threat of cyber-crime, the New York State Department of Financial Services (DFS) recently unveiled the Proposed Cybersecurity Requirements for Financial Services Companies, a proposed set of cybersecurity regulations for banks, insurers and financial institutions aimed at protecting both institutions and individuals from cybersecurity events. Compliance with the regulations is mandatory. The regulations, which take effect January 1, 2017, seek to protect customer information as well as institutions’ information technology systems by requiring covered entities to assess their cyber risk, to implement programs and policies to address that risk, and to continually monitor these systems. This alert will cover the ins and outs of the new regulations including what you can do today. More »
On December 18, 2015, President Obama signed into law an omnibus spending package for 2016 that included the Cybersecurity Act of 2015 (known in former versions as the Cybersecurity Information Sharing Act). After years of trying to pass similar measures, the Cybersecurity Act of 2015 creates a framework designed to facilitate and encourage confidential sharing of information concerning cyber-threats between the federal government and the private sector.
Although it is effective immediately, the attorney general and the Department of Homeland Security (DHS) secretary must release written guidelines within 90 days. Below is a brief summary of important aspects of the statute. More »
By now, most people have heard of the Target hack, which potentially compromised 40 million credit and debit card numbers as well as 70 million other records, including names, addresses, email addresses, and phone numbers of Target shoppers. However, what many people do not know is how the retail giant was breached in such spectacular fashion (and the answer may surprise you). This breach highlights the critical importance of business vendor management. More »