Latest Articles

Company response to major data breach results in first-of-its-kind fine for improper disclosure to investors
On April 24, 2018, the U.S. Securities and Exchange Commission (SEC) and Altaba Inc. (formerly known as Yahoo! Inc.) agreed to settle SEC Division of Enforcement charges stemming from the compromise of 3 billion Yahoo accounts that occurred in 2013 and 2014 but was not disclosed until 2016.[1] The 2014 incident was attributed to Russian hackers by the U.S. government…
The General Data Protection Regulation (GDPR) will come into effect on May 25, 2018. It will attempt to standardize data protection law throughout the European Union. The GDPR will not be fully harmonized since the law has more than 70 opening clauses that will leave room for the EU Member States’ legislators to implement (stricter, less strict, or more detailed) rules. Reed Smith, along with partner law firms from every EU Member State, has drafted…
Nearly every state in the United States requires notification when certain personal information is lost, stolen, or misused. However, the many state laws vary in subtle but crucial respects, making it difficult to get to a bottom line quickly. Reed Smith’s Information Technology, Privacy & Data Security practice is thrilled to release a first-of-its-kind tool designed to help companies clarify their notification strategy in response to a data loss incident. Breach RespondeRS guides companies through…
The federal judiciary derives its power from Article III of the United States Constitution. That power is limited to deciding “Cases” and “Controversies,” Art. III, section 2. In the case of Spokeo v. Robins, the United States Supreme Court considered whether a plaintiff presents such a “case” or “controversy” where he only alleged a violation of a consumer protection statute, but did not allege any additional harm. The statute in question was the Fair Credit Reporting Act (“FCRA”).…
The European Commission has published its draft adequacy decision on the EU-U.S. Privacy Shield, the proposed data transfer framework that would replace the defunct Safe Harbor program. The draft adequacy decision formally supports the view that the proposed EU-U.S. Privacy Shield will ensure an adequate level of protection for the transfer of personal data from the EU to U.S. companies which enlist in the new program. The draft decision also provides full details of the…
In the latest step toward finalising a replacement for the defunct Safe Harbor program, the European Commission has published its draft adequacy decision, formally supporting its view that the proposed EU-U.S. Privacy Shield will ensure an adequate level of protection for the transfer of personal data from the EU to U.S. companies which enlist in the program. It also introduces a range of enhanced rights and redress mechanisms for EU citizens. Once finalised, an adequacy…
In December 2015, the Federal Trade Commission (FTC) settled a drawn-out civil action it brought against Wyndham Worldwide Corporation (Wyndham) for multiple data breaches involving cardholder data (i.e., information on credit and debit cards). In a departure from dozens of prior FTC settlements that mandated broad security measures for all consumer data, the Wyndham consent order was limited in scope to cardholder data, and required compliance with the Payment Card Industry Data Security Standard (PCI…
Higher education institutions are increasingly targets of data breaches due to the vast amount of private information, including educational, medical and employee data, they maintain. It is no longer a question of if a data breach will occur, but when. Academic institutions can take certain measures to minimize exposure in the event of a breach, including: Implement privacy and security policies and procedures that are known and adhered to by the institution; Prepare a corrective…
Before September 15, 2015, no federal court had certified a class action to litigate security breach claims. But now U.S. District Court Judge Paul A. Magnuson, overseeing the In re: Target Corporation Customer MDL, has certified as a class: All entities in the United States and its Territories that issued payment cards compromised in the payment card data breach that was publicly disclosed by Target on December 19, 2013. The certified class representatives will litigate…
Reed Smith LLP’s Information Technology, Privacy & Data Security Group has been named the “Data Protection and Privacy: 2015 Firm of the Year” by The Legal 500 United States. Over the past decade, the group has developed into a think-tank for the firm’s clients, linking experienced cybersecurity and privacy professionals with veteran intellectual property litigators, top tier information governance advisors, technology contracting specialists, and others with a similarly data-oriented perspective. In the last two years…