Illinois Supreme Court Image

Last Friday, the Illinois Supreme Court delivered the highly anticipated Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186, opinion. Businesses and consumers alike watched for the Court’s opinion regarding whether mere technical violations of the Illinois Biometric Information Privacy Act (“BIPA”) gave plaintiffs the requisite standing to seek damages under the statute. The Court heard the case after the Second District Appellate Court of Illinois ruled that an individual was not a “person aggrieved” by a technical violation and several other courts, both state and federal were split over the issue.  Rosenbach v. Six Flags Entertainment, 2017 IL App (2d) 170317.  In a fairly short opinion, focusing on statutory construction and the common meaning of the word “aggrieved,” the Illinois Supreme Court reversed the Appellate Court.  2019 IL 123186, ¶ 1. The Illinois Supreme Court held that an individual was in fact an “aggrieved person” under the statute where they are unable to show actual damage, but there has been a violation of the statute. The Court held, where there is no actual harm, the individual is entitled to statutory relief for each violation. In short, a technical violation is a violation.  The Illinois Supreme Court took a strong stance in that individuals should not have to wait for actual harm with respect to their biometric information and that businesses would lack the requisite motivation to comply with statutes like BIPA without such an interpretation.  Continue Reading Illinois Supreme Court’s Rosenbach Ruling Likely to Expand BIPA Litigation

Biometric Security Image 17

Over the last several years, the emphasis on privacy and data protection has grown significantly. With the amount of data collected by companies and technology skyrocketing, the need to protect personal information has been at the forefront of states’ legislative agendas. While all 50 states now have breach notification statutes, states are now taking a closer look at issues such as tracking online behavior and the use of biometric data. What used to be futuristic props in sci-fi media, face and fingerprint scanners, are now part of everyday life and consumer transactions. Despite the increase in the use of biometric data, only three states, Washington, Texas and Illinois have passed legislation addressing biometric data. Continue Reading Illinois’ BIPA’s Rollercoaster Ride to the Illinois Supreme Court

SEC Image 22

In February of this year, the Securities Exchange Commission issued its updated Statement and Guidance on Public Company Cybersecurity Disclosures.  In April, the SEC issued an Order that, among other things, levied a $35 million fine against Yahoo! Inc. for failing to properly report a 2014 data breach.  These actions support the view that the SEC is consciously committing attention and resources to cybersecurity issues affecting public companies.

Here are some key takeaways from both the Guidance and from the Yahoo! Order:  Continue Reading SEC Takes Aim at Cybersecurity Disclosures

FinTech Data Security Image

Not long ago, financial technology (FinTech) startups were all seeking to disrupt the market for financial services and compete directly with financial institutions (FIs) for customers. But as these startups have grown into more mature companies, cooperation with FIs has come to replace disruption for many FinTech firms. These companies have realized that FIs can help scale their technology to larger bases of potential users, and can also help FinTechs raise capital by showing strong partnerships and FI distribution channels.

In turn, FIs now recognize that FinTech firms offer more than competition, representing potentially valuable partnerships with better technology and an improved user experience. By collaborating with FinTechs, FIs can improve product offerings and increase efficiency, all without the FIs committing significant resources to create new solutions themselves.  Continue Reading Access vs. Security: Takeaways For U.S. Financial Institutions from the European PSD2 Open API Framework

Data Breach Image

When a data breach occurs, the guilty party—a fraudster or criminal syndicate— is often nowhere to be found. Who bears the loss from a breach perpetrated by a fraudster: the consumer whose data was compromised, the financial institution where the data was used, or the business that failed to protect the data? Often, the loss initially falls on the financial institution through account or card agreement provisions or deadlines imposed by statutes or regulations. Can a financial institution recover these losses from a business with whom it has no contract? This depends on which law applies. Continue Reading Recovering Data Breach Losses from Non-Contractual Parties

California Flag Image 2

While U.S. companies focused on the imposition of burdensome data protection laws being implemented overseas, California was hard at work on revamping its own laws. As of June 25, 2018, the home of big technology, Silicon Valley, Facebook, and Google, was prepared to consider the California Consumer Personal Information Disclosure and Sale Initiative (“Initiative”) on the November 2018 ballot. The Initiative sought to enact a version of the California Consumer Privacy Act of 2018, requiring businesses to disclose, on a consumer’s demand, the personal information a business collects, the purpose for which it is used, and to whom it is sold or shared with. The Act also allows individuals to restrict the sharing of their information. Finally, the Act provides a simple path to recovery for violations. Although companies like Facebook and Google dropped their opposition to the Initiative, concerns remained among the business community, so California lawmakers stepped in. Continue Reading CLIENT ALERT: At Rocket Speed – The California Consumer Privacy Act of 2018 Signed into Law Yesterday

Cloud Security Image

Congress’ 2,000-page Omnibus Spending Bill slipped in a trap for the unwary: a radical expansion of the reach of the Stored Communications Act, 18 USC §§ 2701-2712. The “Clarifying Overseas Use of Data Act,” aptly shorthanded as the CLOUD Act, successfully mooted the issue presented in the United States v. Microsoft Corp. case recently dismissed by the United States Supreme Court by instituting a new framework for cross-border discovery in criminal actions. Under the previous version of the Stored Communications Act (SCA), it was necessary to have a Mutual Legal Assistance Treaty (MLAT), essentially a treaty negotiated by a foreign nation and ratified by the Senate. The CLOUD Act, passed on March 23, 2018, allows authorities to bypass MLATs and gives law enforcement the ability to directly compel production of materials by a party storing its data abroad, as well as allowing foreign governments to access data stored in the U.S.  Continue Reading A Storm Cloud on the Cross-Border Discovery Horizon

GDPR

In 2017, the Cayman Islands passed the Data Protection Law (“DPL”), which reads much like the upcoming European Union General Data Protection Regulation (“GDPR”) that goes into effect Mary 25, 2018. The DPL applies to entities falling within the definition of “data controller” who are established in the Islands or who process data in the Islands. The DPL divides data into two categories, personal data and sensitive data. Certain information is exempt from the application of the DPL, such as data processed in connection with a corporate finance service.[1] The DPL gives individuals the right to access their information, object to processing, and the right to request their information be corrected or erased.

Continue Reading Cayman Islands Seek to Supplement Its Data Protection Law

SEC

In light of the increasing significance of cybersecurity incidents, the Securities and Exchange Commission (SEC) recently found it necessary to provide further guidance with respect to cybersecurity disclosure requirements under the federal securities laws as they apply to public operating companies. On February 21, 2018, the SEC issued interpretive guidance on the cybersecurity disclosures of public companies through a Commission Statement and Guidance on Public Company Cybersecurity Disclosures (2018 Guidance). In its 2018 Guidance, the SEC emphasized the importance of disclosing material cybersecurity risks, even in cases where a company has not yet suffered a cyberattack. According to the SEC, public companies must stay focused on these issues and take all required action to inform investors about material cybersecurity risks and incidents in a fulsome and timely fashion.

The 2018 Guidance expands the SEC’s 2011 guidance on cybersecurity disclosure obligations and highlights a public company’s disclosure requirements when considering their disclosure obligations surrounding cybersecurity risks and incidents. It also addresses the importance of cybersecurity policies and procedures related to disclosure controls and procedures and reminds companies of their obligation to prohibit insider trading on materially non-public information about threats and incidents. Continue Reading SEC Ratchets Up Cybersecurity Disclosure Requirements

shutterstock_703031881

U.S. Regulator Warns of “Evidence” of Global Cyber Assault Occurring Inside the U.S. and Steps Your Company Should Take Against a Ransomware Attack 

On Friday, May 12, 2017, Laura Wolf, Critical Infrastructure Protection Lead of the Department of Health and Human Services (HHS) issued a notification stating that: Continue Reading ALERT: Ransomware – a Global Wake-Up Call