Photo of Sean C. Griffin

Sean C. Griffin is a Member in the Washington, D.C. office of Dykema. Sean focuses his practice on commercial litigation, with a specialty in cases involving allegations of breach of contract or fraud. His experience includes litigating cases in federal and state courts and arbitration panels around the country. He also responds to subpoenas investigating violations of federal or state laws, including the False Claims Act, the U.S. Foreign Corrupt Practices Act (FCPA), and securities laws. Additionally, he assists clients with data security and responding to data breaches and is an IAPP Certified Information Privacy Professional (CIPP/US).

After graduating from Columbia University School of Law, Sean clerked for the U.S. District Court for the District of Maryland. After his clerkship, he worked as a trial attorney at the U.S. Department of Justice, Civil Division, where he handled commercial litigation trials and appeals as well as government contract and construction litigation.

The Federal Trade Commission’s increased activity in the data security arena continues, as the FTC has ordered nine social media and video streaming companies—including Facebook, Twitter, TikTok, and Reddit—to provide data on their data privacy practices. The orders seek to discover on (i) how these companies collect, use and present personal information, (ii) their advertising, (iii) their user engagement practices, and (iv) how their practices affect children and teenagers.

In issuing the orders, the FTC focused on social media’s monetization of users’ activities and “the industry’s increasing intrusion into our private lives.” In a joint statement, the FTC wrote:
Continue Reading FTC Launches Investigation Into Facebook, Twitter, and Other Social Media Sites

The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have issued a joint warning that malicious cyber actors are targeting kindergarten through twelfth-grade (K-12) educational institutions. These actors are initiating ransomware attacks, data thefts, and general disruption of distance learning efforts. The agencies expect these attacks to continue through the 2020-21 academic year.

Among other things, cyber actors have launched ransomware attacks against school computer systems, rendering them inaccessible for distance learning and other basic functions. They have also stolen and threatened to leak confidential student data and personal information unless the institutions paid a ransom. In August and September 2020, 57 percent of ransomware incidents reported to MS-ISAC involved K-12 school, compare to 28 percent of such incidents from January through July.
Continue Reading Cyber Actors Hit K-12 Distance Learning Efforts With Ransomware and Phishing Attacks

On November 9, the FTC announced a settlement of its complaint against Zoom Video Communications, Inc. The complaint charged Zoom with deceptive and unfair privacy and security practices, including claiming that it offered end-to-end encryption.

The end-to-end encryption claim has garnered the most attention. As the complaint states, Zoom represented that it offered end-to-end encryption. Instead, as this blog has previously explained, Zoom offered transport encryption, which meant that the Zoom service itself could access the unencrypted video and audio content of meetings. This meant that the confidentiality of recorded Zoom meetings depended entirely upon Zoom servers’ security from hackers—a particular concern for some users given that Zoom has servers in China. (As of October 26, Zoom began offering true end-to-end encryption as a technical preview, meaning that the company is proactively seeking feedback from its users.)
Continue Reading FTC Settles Complaint Against Zoom Regarding End-to-End Encryption

“This article was originally published with Security Toolbox on September 15, 2020. You can view the original content, here.”

Domestic and international politics have invaded the field of data security, and the COVID-19 pandemic has only added to this invasion. Shane O’Donnell a partner & Chief Audit Executive at The Mako Group and Sean Griffin, a member at Dykema explains how security leaders can safeguard their crucial IT infrastructure in this new era of data security and navigate foreign and domestic politically motivated leaks.

Like it or not, domestic and international politics have invaded the field of data security.  Of course, COVID-19 has assisted this invasion, but other political factors from the upcoming US election to this summer’s Black Lives Matter protests have played a part. Data security professionals must therefore keep an eye not only on their IT infrastructure but the practical consequences of recent political actions.
Continue Reading Political Cost of Data Leaks: Data Security in the Crosshairs

Months ago, the Firewall warned that cybercriminals were taking advantage of the anxiety and insecurity from COVID-19 to promulgate phishing schemes, malware, and other schemes.  Interpol recently released a report (click here to download PDF from Interpol) warning of these dangers and other cybercriminal activity that exploits the current COVID-19 environment. As the Firewall advised in April, Interpol’s report notes that cybercriminals are taking advantage of the increased security vulnerabilities arising from the sudden shift to remote work.

Interpol groups the recent COVID-related cybercriminal activity into five categories.
Continue Reading COVID-19 Increases Data Security Threats, Interpol Warns

After the Fourth Circuit held that a commercial general liability (“CGL”) policy could cover a data incident in 2016, confusion arose as to whether CGL policies would continue to cover data breaches. A recent California lawsuit by the smart-TV maker Vizio against two of its insurance companies shows that this confusion also arises when an insured invokes CGL policies to cover litigation arising from alleged data misuse.

The smart-TV maker Vizio has faced multiple proposed class actions arising from the alleged sharing of its customers’ viewing data with third parties. Vizio recently reached a $17 million settlement to resolve multidistrict litigation (MDL) on behalf of 16 million Vizio owners alleging the sale of their data without their consent.
Continue Reading Somebody’s Watching Me: A Recent Smart-TV Lawsuit Seeks Insurance Coverage for Privacy Litigation

Recently, this blog warned about Advanced Persistent Threats (APTs)—state-sponsored hackers that attack U.S. companies in the hopes of sowing political, technological, or financial disruption. In particular, we warned that healthcare companies were a favorite APT target, as foreign governments sought to extract data relating to healthcare research.

Security officials in the United States, the United Kingdom, and Canada recently announced that a Russian APT called APT29 is targeting organizations involved in national and international COVID-19 responses. According to U.S. intelligence services, APT29 is part of the SVR, Russia’s CIA equivalent, and UK officials also blame it for attacks against the 2016 presidential election.


Continue Reading Recent Russian Cyberattacks Against Coronavirus Researchers and Other Industries Provides a Lesson on Cyber Preparedness

On March 26, 2020, the District of Colombia enacted Act 23-268, known as the “Security Breach Protection Amendment Act of 2020.” Acting as an amendment of Section 28 of Chapter 38 of the District of Columbia Code, the Act: (1) expands the definition of “personal information,” (2) amends breach notification requirements, (3) adds new security requirements; and (4) expands the Act’s enforcement.

1. Definition of “Personal Information”

Under the Act, “personal information” now includes an individual’s name combined with one of the following data elements:
Continue Reading District of Columbia Amended Privacy Law Creates New Requirements

On the list of concerns recently expressed about police conduct, data privacy ranks relatively low. However, a recent privacy leak by the New York Police Department’s union has shown how data privacy concerns can arise in any situation.

On May 30, the NYPD union tweeted a picture of a computer screen showing recent NYPD arrests relating to the recent civil disturbances following the widely publicized deaths of George Floyd, Breonna Taylor, and others. New York mayor Bill de Blasio’s daughter, Chiara, appeared on the report. The unredacted screenshot showed her name, her birth date, and her driver’s license information—the last being considered personally identifiable information under New York law. Twitter removed the post as a violation of its rules and suspended the union’s account.
Continue Reading Government Data Leaks May Have Broad Data Privacy Implications

Data security is not just hackers in cyberspace. It also exists in the physical world, and some of it relates to pedestrian but necessary security protocols for nuts-and-bolts objects. A recent report of a data leak shows how focusing exclusively on active systems can lead to unexpected and potentially problematic results.

In the story linked above, a manufacturer of connected vehicles replaced a number of its data storage appliances. A white-hat hacker reported that he had purchased four of the replaced units from eBay and found that they still contained the customers’ personal data, including the owners’ home and work locations, all saved wifi passwords, calendar entries from the customers’ phones, call lists and address books from paired phones, and Netflix and other stored session cookies. This incident follows a report from white-hat hackers last year who discovered drivers’ personal information in the electronic systems of salvaged vehicles.
Continue Reading Data Security: What Happens at the End of the Road?