Photo of Sean C. Griffin

Sean C. Griffin is a Member in the Washington, D.C. office of Dykema. Sean focuses his practice on commercial litigation, with a specialty in cases involving allegations of breach of contract or fraud. His experience includes litigating cases in federal and state courts and arbitration panels around the country. He also responds to subpoenas investigating violations of federal or state laws, including the False Claims Act, the U.S. Foreign Corrupt Practices Act (FCPA), and securities laws. Additionally, he assists clients with data security and responding to data breaches and is an IAPP Certified Information Privacy Professional (CIPP/US).

After graduating from Columbia University School of Law, Sean clerked for the U.S. District Court for the District of Maryland. After his clerkship, he worked as a trial attorney at the U.S. Department of Justice, Civil Division, where he handled commercial litigation trials and appeals as well as government contract and construction litigation.

After the Fourth Circuit held that a commercial general liability (“CGL”) policy could cover a data incident in 2016, confusion arose as to whether CGL policies would continue to cover data breaches. A recent California lawsuit by the smart-TV maker Vizio against two of its insurance companies shows that this confusion also arises when an insured invokes CGL policies to cover litigation arising from alleged data misuse.

The smart-TV maker Vizio has faced multiple proposed class actions arising from the alleged sharing of its customers’ viewing data with third parties. Vizio recently reached a $17 million settlement to resolve multidistrict litigation (MDL) on behalf of 16 million Vizio owners alleging the sale of their data without their consent.
Continue Reading Somebody’s Watching Me: A Recent Smart-TV Lawsuit Seeks Insurance Coverage for Privacy Litigation

Recently, this blog warned about Advanced Persistent Threats (APTs)—state-sponsored hackers that attack U.S. companies in the hopes of sowing political, technological, or financial disruption. In particular, we warned that healthcare companies were a favorite APT target, as foreign governments sought to extract data relating to healthcare research.

Security officials in the United States, the United Kingdom, and Canada recently announced that a Russian APT called APT29 is targeting organizations involved in national and international COVID-19 responses. According to U.S. intelligence services, APT29 is part of the SVR, Russia’s CIA equivalent, and UK officials also blame it for attacks against the 2016 presidential election.


Continue Reading Recent Russian Cyberattacks Against Coronavirus Researchers and Other Industries Provides a Lesson on Cyber Preparedness

On March 26, 2020, the District of Colombia enacted Act 23-268, known as the “Security Breach Protection Amendment Act of 2020.” Acting as an amendment of Section 28 of Chapter 38 of the District of Columbia Code, the Act: (1) expands the definition of “personal information,” (2) amends breach notification requirements, (3) adds new security requirements; and (4) expands the Act’s enforcement.

1. Definition of “Personal Information”

Under the Act, “personal information” now includes an individual’s name combined with one of the following data elements:
Continue Reading District of Columbia Amended Privacy Law Creates New Requirements

On the list of concerns recently expressed about police conduct, data privacy ranks relatively low. However, a recent privacy leak by the New York Police Department’s union has shown how data privacy concerns can arise in any situation.

On May 30, the NYPD union tweeted a picture of a computer screen showing recent NYPD arrests relating to the recent civil disturbances following the widely publicized deaths of George Floyd, Breonna Taylor, and others. New York mayor Bill de Blasio’s daughter, Chiara, appeared on the report. The unredacted screenshot showed her name, her birth date, and her driver’s license information—the last being considered personally identifiable information under New York law. Twitter removed the post as a violation of its rules and suspended the union’s account.
Continue Reading Government Data Leaks May Have Broad Data Privacy Implications

Data security is not just hackers in cyberspace. It also exists in the physical world, and some of it relates to pedestrian but necessary security protocols for nuts-and-bolts objects. A recent report of a data leak shows how focusing exclusively on active systems can lead to unexpected and potentially problematic results.

In the story linked above, a manufacturer of connected vehicles replaced a number of its data storage appliances. A white-hat hacker reported that he had purchased four of the replaced units from eBay and found that they still contained the customers’ personal data, including the owners’ home and work locations, all saved wifi passwords, calendar entries from the customers’ phones, call lists and address books from paired phones, and Netflix and other stored session cookies. This incident follows a report from white-hat hackers last year who discovered drivers’ personal information in the electronic systems of salvaged vehicles.
Continue Reading Data Security: What Happens at the End of the Road?

Recently, we cautioned companies to ensure that their workers’ mobile phones remain secure. On April 23, news about a possible security vulnerability in Apple’s iPhone mail system lends this recommendation additional urgency.

ZecOps, a San Francisco-based mobile security firm, claims to have discovered a hack targeting iPhones’ native email program. This hack is called a “zero click” attack, because unlike a typical “phishing” exploit, which requires the victim to click on a link in an email or text message, a “zero click” exploit can execute without the victim’s action or knowledge. According to ZecOps, the vulnerability enables an attacker to remotely infect a device by sending emails that consume a significant amount of memory. The attackers can trigger the vulnerability before the entire email is downloaded, so the email content will not necessarily remain on the device. In other words, the perpetrators can send an email containing malicious code, and that code can then set off a chain reaction, or an “exploit chain” that overcomes the phone’s defenses and erases its tracks along the way. Such an attack can be nearly impossible to detect.
Continue Reading iPhone Hack Highlights Home Office Data Security Risks

Most companies that can do so have sent their employees home to work, which means that many employees have brought their home to work. Businesses have transitioned from maintaining a centralized workplace with a standardized data security protocol managed by knowledgeable IT personnel to a decentralized system of home offices with uneven or unenforced data security policies, largely managed by end users with minimal or no technological expertise.

Consequently, companies have been forced to introduce into their system the very vulnerabilities that they normally spend substantial time and money trying to eliminate. These vulnerabilities present a compliance issue for companies legally required to keep certain information confidential–such as health providers, law firms, or defense contractors–and for those otherwise subject to regulatory oversight. A confidentiality breach therefore presents a legal risk as well as a business risk, so companies must address squarely the data security implications of a home-based workforce.
Continue Reading Working From Home Data Security Tips, Part 2

The videoconference platform Zoom has seen a surge in users since the coronavirus pandemic. Teleworkers are relying increasingly on Zoom for virtual meetings, and as a HIPAA-compliant videoconferencing program, Zoom for Healthcare has gained popularity among healthcare providers in particular. New York’s Attorney General has asked Zoom to explain its privacy policies, and additional scrutiny is likely to follow.

Hackers have noticed. Since the beginning of the year, reports show 1,700 registrations including the word “Zoom,” with 4 percent containing suspicious characteristics. A click on a fake Zoom invitation could install InstallCorePUA, which opens the door to malicious software installations.
Continue Reading Working From Home Data Security Risks

On January 27, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued a statement designed “to assist market participants in their consideration of how to enhance cybersecurity preparedness and operational resiliency.” Companies regulated by the SEC, or organizations that work with companies the SEC regulates, should review OCIE’s observations of best practices and consider whether they are meeting OCIE’s expectations.

OCIE’s observations fall into several categories.

Governance and Risk Management. As OCIE notes, “[e]ffective cybersecurity programs start with the right tone at the top . . . .” OCIE also notes that effective programs include, among other things, (i) a risk assessment of cybersecurity threats; (ii) written cybersecurity policies and procedures to address said risks; and (iii) implementation and enforcement of those policies, including testing and monitoring and continuous evaluation of those policies.
Continue Reading SEC Issues Statement on Cybersecurity and Operational Resiliency