Sean C. Griffin is a Member in the Washington, D.C. office of Dykema. Sean focuses his practice on commercial litigation, with a specialty in cases involving allegations of breach of contract or fraud. His experience includes litigating cases in federal and state courts and arbitration panels around the country. He also responds to subpoenas investigating violations of federal or state laws, including the False Claims Act, the U.S. Foreign Corrupt Practices Act (FCPA), and securities laws. Additionally, he assists clients with data security and responding to data breaches and is an IAPP Certified Information Privacy Professional (CIPP/US).

After graduating from Columbia University School of Law, Sean clerked for the U.S. District Court for the District of Maryland. After his clerkship, he worked as a trial attorney at the U.S. Department of Justice, Civil Division, where he handled commercial litigation trials and appeals as well as government contract and construction litigation.

Data security is not just hackers in cyberspace. It also exists in the physical world, and some of it relates to pedestrian but necessary security protocols for nuts-and-bolts objects. A recent report of a data leak shows how focusing exclusively on active systems can lead to unexpected and potentially problematic results.

In the story linked above, a manufacturer of connected vehicles replaced a number of its data storage appliances. A white-hat hacker reported that he had purchased four of the replaced units from eBay and found that they still contained the customers’ personal data, including the owners’ home and work locations, all saved wifi passwords, calendar entries from the customers’ phones, call lists and address books from paired phones, and Netflix and other stored session cookies. This incident follows a report from white-hat hackers last year who discovered drivers’ personal information in the electronic systems of salvaged vehicles.
Continue Reading Data Security: What Happens at the End of the Road?

Recently, we cautioned companies to ensure that their workers’ mobile phones remain secure. On April 23, news about a possible security vulnerability in Apple’s iPhone mail system lends this recommendation additional urgency.

ZecOps, a San Francisco-based mobile security firm, claims to have discovered a hack targeting iPhones’ native email program. This hack is called a “zero click” attack, because unlike a typical “phishing” exploit, which requires the victim to click on a link in an email or text message, a “zero click” exploit can execute without the victim’s action or knowledge. According to ZecOps, the vulnerability enables an attacker to remotely infect a device by sending emails that consume a significant amount of memory. The attackers can trigger the vulnerability before the entire email is downloaded, so the email content will not necessarily remain on the device. In other words, the perpetrators can send an email containing malicious code, and that code can then set off a chain reaction, or an “exploit chain” that overcomes the phone’s defenses and erases its tracks along the way. Such an attack can be nearly impossible to detect.
Continue Reading iPhone Hack Highlights Home Office Data Security Risks

Most companies that can do so have sent their employees home to work, which means that many employees have brought their home to work. Businesses have transitioned from maintaining a centralized workplace with a standardized data security protocol managed by knowledgeable IT personnel to a decentralized system of home offices with uneven or unenforced data security policies, largely managed by end users with minimal or no technological expertise.

Consequently, companies have been forced to introduce into their system the very vulnerabilities that they normally spend substantial time and money trying to eliminate. These vulnerabilities present a compliance issue for companies legally required to keep certain information confidential (such as health providers, law firms, or defense contractors) and for those otherwise subject to regulatory oversight. A confidentiality breach therefore presents a legal risk as well as a business risk, so companies must address squarely the data security implications of a home-based workforce.
Continue Reading Working From Home Data Security Tips, Part 2

The videoconference platform Zoom has seen a surge in users since the coronavirus pandemic. Teleworkers are relying increasingly on Zoom for virtual meetings, and as a HIPAA-compliant videoconferencing program, Zoom for Healthcare has gained popularity among healthcare providers in particular. New York’s Attorney General has asked Zoom to explain its privacy policies, and additional scrutiny is likely to follow.

Hackers have noticed. Since the beginning of the year, reports show 1,700 registrations including the word “Zoom,” with 4 percent containing suspicious characteristics. A click on a fake Zoom invitation could install InstallCorePUA, which opens the door to malicious software installations.
Continue Reading Working From Home Data Security Risks

On January 27, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued a statement designed “to assist market participants in their consideration of how to enhance cybersecurity preparedness and operational resiliency.” Companies regulated by the SEC, or organizations that work with companies the SEC regulates, should review OCIE’s observations of best practices and consider whether they are meeting OCIE’s expectations.

OCIE’s observations fall into several categories.

Governance and Risk Management. As OCIE notes, “[e]ffective cybersecurity programs start with the right tone at the top . . . .” OCIE also notes that effective programs include, among other things, (i) a risk assessment of cybersecurity threats; (ii) written cybersecurity policies and procedures to address said risks; and (iii) implementation and enforcement of those policies, including testing and monitoring and continuous evaluation of those policies.
Continue Reading SEC Issues Statement on Cybersecurity and Operational Resiliency

On February 20, the United States District Court for the District of Columbia ruled that a law firm must defend against a malpractice claim grounded in a data breach it suffered during a cyberattack.

In this case, the plaintiff, Guo Wengui, alleged that he was a well-known Chinese dissident who had exposed systemic corruption and widespread human rights abuses by the Communist Party of China (“CCP”), China’s ruling political party. Following this exposure, the plaintiff alleged, persecution from the Chinese government drove him to seek political asylum in the United States. The plaintiff further alleged that the Chinese government continued its persecution of him even after his arrival in the United States. This persecution allegedly involved the coordination of a “malicious negative propaganda campaign” against him, including the coordination of a demonstration outside his home.
Continue Reading Law Firm Malpractice Decision Teaches Cybersecurity Lessons

The United States District Court for the District of Maryland recently held that an insurer must cover an insured’s costs to replace its computer systems following a ransomware attack. The case, National Ink and Stitch, LLC v. State Auto Property and Casualty Insurance Company, Civ. No. SAG-18-2138 (D. Md. January 23, 2020), contains lessons for businesses and insurance companies going forward.

Plaintiff, an embroidery and screen printing business, obtained a businessowner’s insurance policy from the defendant, State Auto. The policy provided that State Auto “will pay for direct physical loss of or damage to Covered Property at the premises described in the Declarations caused by or resulting from any Covered Cause of Loss.” The policy defined “Covered Property” to include “Electronic Media and Records (Including Software).” It further defined “Electronic Media and Records” to include “electronic data processing, recording or storage media [and] data stored on such media.”
Continue Reading Maryland Court Orders Insurance Company to Pay Ransomware Damages Under Businessowner’s Policy

In a ruling with implications for data privacy litigation nationwide, the Ninth Circuit recently stayed its decision allowing a biometric privacy class-action suit to proceed against Facebook, thus permitting the social media company to appeal the decision to the Supreme Court. The outcome of Facebook’s appeal could affect the law of standing with respect to data privacy litigation.

The lawsuit arose from Facebook’s “Tag Suggestions” feature, which used facial recognition technology to match known user faces to unknown faces in uploaded pictures. If the technology recognized a match, then Facebook would notify the person who uploaded the picture and suggest that the uploader “tag” the person recognized. If the uploader followed the suggestion, Facebook would link the recognized person to the picture. Facebook enabled this feature by default, although users could opt out.
Continue Reading Facebook Seeks Post-Spokeo Review of Biometric Privacy Class Action

Following a security incident involving its website’s chat function, Delta filed suit in the Southern District of New York against its tech vendor, [24]7.ai. Delta alleged fraud, negligence and breach of contract. A consumer class action lawsuit had already been filed against Delta in the Northern District of Georgia, related to the same incident.

According to the Complaint, on March 28, 2018, Delta was notified by [24]7.ai that a security incident had potentially compromised personally identifying information and payment card data of up to 825,000 of Delta’s customers. Delta alleges that “at least one third-party attacker gained access to Defendants’ computer networks and modified the source code of Defendants’ chat services software to enable the attacker to ‘scrape’ PII and payment card data from individuals using websites of Defendants’ clients, including Delta’s website…” Delta engaged a forensics team and began working with federal law enforcement upon receiving notice from [24]7.ai. Delta then publicly announced the breach, notified its customers, launched free credit monitoring services, and filed a lawsuit against [24]7.ai. Delta is seeking reimbursement of all breach-related costs.
Continue Reading Delta Airlines Sues Vendor for Data Breach