Cyber Blog

Focused commentary on the latest in cybersecurity preparedness, regulatory compliance and incident response

The Cybersecurity Law Report recently published an article by Davis Polk titled “Reducing Risk in the Dawn of Equifax and Other Cyber-Related Securities Fraud Class Actions.” The article analyzes the January 2019 decision in In re Equifax Securities Litigation and uses lessons from that case to examine strategies for minimizing risk of securities fraud class actions arising from data breaches. The article is reproduced in full below and is available at The Cybersecurity Law Report. A…
Until recently, biometric privacy was a niche area of the law that had little application to most companies.  But with the rapid growth in commercial biometric data collection, including voice samples, fingerprints, retina scans, and facial geometry, as well as some recent developments in the applicable case law, it’s probably time for companies to start paying attention.  Indeed, one of our top privacy law predictions for 2019 was a judicial expansion of the notion of
2018 was another busy year for lawyers in the privacy/cybersecurity world – GDPR, CCPA, Marriott, New York Department of Financial Services’ cybersecurity rule deadlines, increased SEC enforcement, more data breach lawsuits, more companies doing tabletop exercises and risk assessments, etc. But 2019 is looking to be even busier. Below are our predictions for the Top 10 things that will keep us busy in 2019, and what companies should be preparing for: 1. Consumer Consent…
Momentum is building for federal privacy legislation, with several different proposals circulating in Washington.  Ohio’s new cybersecurity law offers an interesting approach for incentivizing companies to protect their customers’ personal data. We have written previously on two competing models for cybersecurity regulation—“standards” versus “rules.”  The standards-based approach, historically employed by the FTC and certain state laws, imposes broad, flexible requirements that mandate that a company establish a “reasonable” or “industry standard” cybersecurity program,…
Momentum is building for federal data privacy legislation, in large part due to the passage of the California Consumer Privacy Act (CCPA) (which goes into effect in 2020) and other states enacting or considering their own consumer privacy laws.  These developments have businesses concerned that they will face a patchwork of inconsistent and onerous state privacy laws, which is currently the case with breach notification.  Many leading tech companies, trade groups, and the U.S. Chamber…
On November 1, Canada provided the U.S. with another model for a national breach law:  the Personal Information Protection and Electronic Documents Act (“PIPEDA”).  Under that law, companies are required to notify Canada’s Privacy Commissioner and affected individuals as soon as feasible if they experience “any breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm…
A recent SEC Order should be a reminder to registered entities, including small- and medium-sized firms, that the SEC is monitoring the reasonableness of their cybersecurity policies and procedures, and that it may take action in the event of a breach, even in the absence of economic harm. The SEC’s $1 million settlement with broker-dealer and registered investment adviser Voya Financial Advisors Inc. followed the theft of personally identifiable information of thousands of Voya’s customers. …