
Sean C. Griffin is a Member in the Washington, D.C. office of Dykema. Sean focuses his practice on commercial litigation, with a specialty in cases involving allegations of breach of contract or fraud. His experience includes litigating cases in federal and state courts and arbitration panels around the country. He also responds to subpoenas investigating violations of federal or state laws, including the False Claims Act, the U.S. Foreign Corrupt Practices Act (FCPA), and securities laws. Additionally, he assists clients with data security and responding to data breaches and is an IAPP Certified Information Privacy Professional (CIPP/US).

After graduating from Columbia University School of Law, Sean clerked for the U.S. District Court for the District of Maryland. After his clerkship, he worked as a trial attorney at the U.S. Department of Justice, Civil Division, where he handled commercial litigation trials and appeals as well as government contract and construction litigation.

On January 27, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued a statement designed “to assist market participants in their consideration of how to enhance cybersecurity preparedness and operational resiliency.” Companies regulated by the SEC, or organizations that work with companies the SEC regulates, should review OCIE’s observations of best practices and consider whether they are meeting OCIE’s expectations.

OCIE’s observations fall into several categories.

Governance and Risk Management. As OCIE notes, “[e]ffective cybersecurity programs start with the right tone at the top . . . .” OCIE also notes that effective programs include, among other things, (i) a risk assessment of cybersecurity threats; (ii) written cybersecurity policies and procedures to address said risks; and (iii) implementation and enforcement of those policies, including testing and monitoring and continuous evaluation of those policies.

On February 20, the United States District Court for the District of Columbia ruled that a law firm must defend against a malpractice claim grounded in a data breach it suffered during a cyberattack.

In this case, the plaintiff, Guo Wengui, alleged that he was a well-known Chinese dissident who had exposed systemic corruption and widespread human rights abuses by the Communist Party of China (“CCP”), China’s ruling political party. Following this exposure, the plaintiff alleged, persecution from the Chinese government drove him to seek political asylum in the United States. The plaintiff further alleged that the Chinese government continued its persecution of him even after his arrival in the United States. This persecution allegedly involved the coordination of a “malicious negative propaganda campaign” against him, including the coordination of a demonstration outside his home.

The United States District Court for the District of Maryland recently held that an insurer must cover an insured’s costs to replace its computer systems following a ransomware attack. The case, National Ink and Stitch, LLC v. State Auto Property and Casualty Insurance Company, Civ. No. SAG-18-2138 (D. Md. January 23, 2020), contains lessons for business and insurance companies going forward.

Plaintiff, an embroidery and screen printing business, obtained a businessowner’s insurance policy from the defendant, State Auto. The policy provided that State Auto “will pay for direct physical loss of or damage to Covered Property at the premises described in the Declarations caused by or resulting from any Covered Cause of Loss.” The policy defined “Covered Property” to include “Electronic Media and Records (Including Software).” It further defined “Electronic Media and Records” to include “electronic data processing, recording or storage media [and] data stored on such media.”

In a ruling with implications for data privacy litigation nationwide, the Ninth Circuit recently stayed its decision allowing a biometric privacy class-action suit to proceed against Facebook, thus permitting the social media company to appeal the decision to the Supreme Court. The outcome of Facebook’s appeal could affect the law of standing with respect to data privacy litigation.

The lawsuit arose from Facebook’s “Tag Suggestions” feature, which used facial recognition technology to match known user faces to unknown faces in uploaded pictures. If the technology recognized a match, then Facebook would notify the person who uploaded the picture and suggest that the uploader “tag” the person recognized. If the uploader followed the suggestion, Facebook would link the recognized person to the picture. Facebook enabled this feature by default, although users could opt out. 

Following a security incident involving its website’s chat function, Delta filed suit in the Southern District of New York against its tech vendor, [24]7.ai. Delta alleged fraud, negligence and breach of contract. A consumer class action lawsuit had already been filed against Delta in the Northern District of Georgia, related to the same incident.

According to the Complaint, on March 28, 2018, Delta was notified by [24]7.ai that a security incident had potentially compromised personally identifying information and payment card data of up to 825,000 of Delta’s customers. Delta alleges that “at least one third-party attacker gained access to Defendants’ computer networks and modified the source code of Defendants’ chat services software to enable the attacker to ‘scrape’ PII and payment card data from individuals using websites of Defendants’ clients, including Delta’s website…” Delta engaged a forensics team and began working with federal law enforcement upon receiving notice from [24]7.ai. Delta then publicly announced the breach, notified its customers, launched free credit monitoring services, and filed a lawsuit against [24]7.ai. Delta is seeking reimbursement of all breach-related costs. 

Utah enacted a sweeping data privacy law that affects how employers and corporations respond to police demands for data. With this new law, Utah becomes the first state to protect electronic information individuals disclose to third parties.

Utah’s law requires a search warrant for a law enforcement agency conducting a criminal investigation or prosecution to obtain (i) location information, stored data, or transmitted data of an electronic device or (ii) electronic information or data transmitted by the owner of the electronic information or data to a remote computing processing center. The law further provides that any use of the information gathered must be related to the subject or objective of the warrant. 