On August 1, 2017, the United States Court of Appeals for the D.C. Circuit held that policyholders of the health insurer CareFirst had standing to sue the company after their information was compromised during a cyberattack.

Wading into a vigorously contested area between plaintiffs and companies that have suffered data breaches, the court held that the policyholders’ elevated risk of identity theft and medical fraud was a sufficient injury to bring suit—even without any evidence that plaintiffs had actually suffered such harm. In so holding, the D.C. Circuit came down on one side of a circuit split, which may ultimately need to be resolved by the Supreme Court.

Late last month, Target Corporation reached an $18.5 million settlement with the Attorneys General of 47 states and the District of Columbia, resolving the AGs’ investigation into Target’s 2013 data security breach.

Target’s recent settlement, when viewed in conjunction with other recent developments, provides a roadmap for prophylactic measures that companies may implement to limit the likelihood that cyber criminals will successfully obtain sensitive data and potentially limit liability if such an attack occurs.

From May 2018, organizations established or providing services in the EU will be subject to new national and EU-wide cybersecurity legislation, as regulators in EU Member States begin to apply both the General Data Protection Regulation and national legislation implementing the Network and Information Security Directive.

These new laws will significantly increase the territorial and sectoral scope of organizations subject to EU cybersecurity obligations and introduce strict data security and breach disclosure obligations with potentially severe penalties for non-compliance.

This tightening of the EU cybersecurity regime coincides with similar developments in other jurisdictions worldwide and reflects a global trend for legislators and regulators to require organizations to observe increasingly stringent cybersecurity practices.  This memorandum considers the key components of the new EU laws and outlines a number of recent cybersecurity developments in other key jurisdictions.

On March 1, 2017, the New York Department of Financial Services’ Cybersecurity Regulations entered into effect.

The Regulations impose on financial institutions minimum cybersecurity standards that exceed existing federal standards and introduce new requirements, including obligations to critically evaluate cybersecurity practices, maintain detailed documentation demonstrating compliance and report cyber events to the New York Department of Financial Services.

Cybersecurity and hacking incidents continued to dominate headlines in 2016—not only did they continue to impact corporations but they also played a role in the U.S. presidential election. At the same time, various states have introduced, considered or adopted cyber-related legislation, including legislation applicable to certain industries that are more sensitive to cybersecurity breaches (e.g., New York proposed a cybersecurity regulation that applies to financial institutions licensed or regulated by the New York State Department of Financial Services). Federal agencies, including the U.S. Securities and Exchange Commission (“SEC”), the Federal Trade Commission and the U.S. Department of Justice (“DOJ”), are also playing key roles in regulating the area of cybersecurity.

On September 13, 2016, the New York Department of Financial Services issued the first comprehensive state regulatory proposal to address cybersecurity.

Under the proposed regulations, certain banks, insurers and other financial services institutions authorized to operate in New York will be required to assess their cybersecurity risks and establish and maintain a cybersecurity program designed to address such risks.  This alert memorandum covers the key obligations set forth in the state proposal and contrasts them with the obligations required under the federal Gramm-Leach-Bliley Act.
