The UK Information Commissioner’s Office (ICO) has provided Facebook with a Notice of Intent to issue a monetary penalty against the social media platform for its lack of transparency and failure to maintain the security of its users’ personal data in relation to the Cambridge Analytica scandal. The ICO’s fine is the maximum possible under the Data Protection Act 1998 (the UK implementing legislation for the former EU data protection regime under the Data Protection Directive). Facebook will have the opportunity to make representations to the ICO before the ICO’s decision is finalised.

Continue Reading UK Data Protection Regulator Set to Levy Maximum Fine on Facebook in Cambridge Analytica Case

In the first criminal charges brought in connection with the Equifax data breach, the United States Attorney for the Northern District of Georgia announced yesterday the indictment of Jun Ying, a former Chief Information Officer of a U.S. business division of Equifax, on charges of insider trading in violation of federal securities laws.  At the same time, the SEC announced parallel civil charges against Ying.  Both the indictment and the SEC complaint allege that Ying was not specifically informed that Equifax had been breached, but, as a result of his position, was made aware of enough confidential information to—according to his own contemporaneous text messages—“put 2 and 2 together” to infer that “[w]e may be the one breached.”  After deducing this material information, Ying allegedly conducted internet research on the 2015 data breach of Experian, another major credit bureau, and its negative impact on Experian’s stock price.  Immediately following his internet search, Ying allegedly exercised all of his vested stock options and sold those Equifax shares for a total of $950,000 in proceeds, avoiding more than $117,000 in losses that he would have incurred had he still been holding the shares at the time the data breach was publicly announced more than a week later.  The SEC is seeking disgorgement of an amount equal to the losses Ying allegedly avoided, civil monetary penalties, an order barring Ying from ever serving as an officer or director of a public company, and an injunction enjoining Ying from further violating the federal securities laws.  The indictment charges Ying with two counts of criminal securities fraud, which, if he is convicted, carry a maximum sentence of 45 years.  Continue Reading DOJ And SEC Charge Former Equifax Executive With Insider Trading

A recent decision by an intermediate Illinois appellate court, Rosenbach v. Six Flags Entm’t Corp.,[1] suggests that state courts—which are not bound by federal Article III standing limitations in entertaining suits—will not necessarily provide a more plaintiff-friendly forum for data privacy suits than their federal counterparts.

Earlier this month, we wrote about the Second Circuit’s summary order in Vigil v. Take-Two Interactive Software, Inc.[2]  There, the court affirmed the dismissal of a class action lawsuit brought in the Southern District of New York under the Illinois Biometric Information Privacy Act[3] (“BIPA”) for want of Article III standing because the plaintiffs had failed to allege an injury-in-fact, but remanded the case with instructions to amend the judgment and enter a dismissal without prejudice.[4]  The district court had ruled that the BIPA’s limitation of the private right of action to a “person aggrieved by a violation” meant that the plaintiffs’ failure to allege an injury-in-fact was also fatal to their claims as a matter of state law, meaning that the case should be dismissed with prejudice for failure to state a claim.[5]  The Second Circuit vacated that portion of the ruling on jurisdictional grounds, which left the door open for the plaintiffs to attempt to bring their claims in state court without any allegation of actual harm. Continue Reading Illinois Appellate Court Holds That Mere Technical Violations Of Data Privacy Statute Are Insufficient To State A Claim

In late November, the Second Circuit issued a summary order in Vigil v. Take-Two Interactive Software, Inc,[1] which affirmed the dismissal of a class action lawsuit brought in the Southern District of New York under the Illinois Biometric Information Privacy Act (“BIPA”) for lack of standing.[2]  In doing so, the court followed established Second Circuit precedent and highlighted the continuing difficulties plaintiffs face in establishing standing for certain technical violations of data privacy statutes, when those violations are unaccompanied by allegations of a breach or likelihood of improper access.  The case also serves as a reminder that as states pass statutes covering new types of technology and data, companies will need to remain vigilant in protecting a wider range of information than before. Continue Reading Second Circuit Issues Order Affirming Dismissal of Data Privacy Class Action Suit

On October 16, 2017, the U.S. Supreme Court agreed to review a highly publicized Second Circuit decision, which held that the federal government cannot use warrants issued under the Stored Communications Act to seize customer emails stored exclusively on foreign servers.  Under the decision, Microsoft was permitted to refrain from producing emails stored on a Microsoft server in Ireland to the Justice Department.  The Justice Department had sought a court order for the production of such emails in connection with a 2013 narcotics trafficking investigation.  The Supreme Court’s opinion is expected by June 2018 and will have far-reaching implications for law enforcement’s ability to obtain electronic evidence stored outside of the U.S.

The Second Circuit’s decision in Microsoft Corp. v. United States can be accessed here.

As the Equifax breach litigation gets underway, several recent decisions have widened a split on when and under what conditions customers or other affected individuals may bring claims against a company that suffers a data breach. Late last month, a D.C. federal judge dismissed a lawsuit based on the massive breach at the U.S. Office of Personnel Management (“OPM”), ruling that the theft of data alone was not enough to establish standing. The Court of Appeals for the Eighth Circuit issued a similar recent ruling, holding that plaintiffs suing the grocery retail company SuperValu had not shown that they were at greater risk of identity theft as a result of a data breach at the company and they therefore lacked standing. In contrast to these decisions, a California federal judge allowed claims to proceed against Yahoo! based on the allegation that the customer-plaintiffs alleged a risk of future identify theft and loss of value of their personal identification information. The differing interpretations of the standing requirements in data breach cases will no doubt continue to be vigorously litigated and may ultimately need to be resolved by the Supreme Court.

Click here, to continue reading.

Late last month, Target Corporation reached an $18.5 million settlement with the Attorneys General of 47 states and the District of Columbia, resolving the AGs’ investigation into Target’s 2013 data security breach.

Target’s recent settlement, when viewed in conjunction with other recent developments, provides a roadmap for prophylactic measures that companies may implement to limit the likelihood that cyber criminals will successfully obtain sensitive data and potentially limit liability if such an attack occurs.

Click here, to continue reading.