Data breaches and ransomware attacks are on the rise. On October 7, Oregon Attorney General Rosenblum announced an increase in data breaches reported to his office. The first nine months of 2021 involved 131 reported breaches, exceeding the 2020 total of 110. Financial Crimes Enforcement Network (FinCEN) also announced an increase in ransomware-related activities in
On September 13, the Federal Trade Commission (FTC) released a report to Congress that highlights the agency’s recent efforts to protect Americans’ privacy, announces the agency’s priorities for future data security and privacy protection efforts, and urges Congress to allocate more resources to the agency so it can expand its data security and privacy protection
On September 20, nine Democratic senators wrote a letter to the Federal Trade Commission (FTC), requesting that it create new rules to protect consumers’ personal data and privacy.
The senators played on FTC Chair Lina Khan’s aversion to Big Tech and aggressive antitrust agenda, which we discussed in a prior post, by stating that
Data brokers beware, the Securities Exchange Commission (SEC) has signaled increased scrutiny into the data and privacy practices of technology-enabled companies in the financial services industry. On September 14, the SEC announced that it settled a securities fraud investigation into private technology company App Annie, Inc. and its former CEO and Chairman Bertrand Schmidt, in
On July 19, and just over one year after his office began enforcing the California Consumer Privacy Act (CCPA), California Attorney General Rob Bonta announced that he is “seeing great progress” with CCPA enforcement, even while he urged Californians to take advantage of their new rights under the CCPA.
“Enforcement of the CCPA marks an
The Second Circuit recently issued a decision in McMorris v. Carlos Lopez & Associates, LLC, No. 19-4310, 2021 U.S. App. LEXIS 12328 (2nd Cir. Apr. 26, 2021), which clarifies the circumstances under which plaintiffs alleging an increased risk of future identity theft or fraud due to the exposure of their personal data can establish Article III standing. Notable for being the first Second Circuit decision to address privacy-related standing questions that had arguably created a circuit split, the court endorsed a three-factor framework that would reject a finding of Article III standing absent sufficient evidence of “increased risk” of future fraud or identity theft, but which left open the possibility that standing could still be established where plaintiffs allege a sufficient likelihood of misuse of their personal data.
A federal court in Michigan recently ruled that out-of-state residents have standing to sue under the Michigan Personal Privacy Protection Act (PPPA). In Lin v. Crain Communications, Inc., Case No. 2:19-cv-11889 (E.D. Mich., June 25, 2019), Gary Lin, a Virginia resident, filed a putative class-action lawsuit against Crain Communications, Inc. (Crain), a Michigan-based publishing
At the Nationwide Multistate Licensing System (NMLS) Annual Conference, state financial regulators released an updated cybersecurity examination tool for nonbank financial company supervision. The tool is designed for state regulators to use in examinations, but “companies are encouraged to use it to assess their cybersecurity health between examinations.”
State regulators are continuing to find new
We have long predicted that just as other states followed California in passing breach notification laws, states would follow in California’s footsteps in regulating information privacy practices with the California Consumer Privacy Act of 2018 (CCPA), which was later amended by the California Privacy Rights Act of 2020 (CPRA).[1] The Virginia state legislature recently
On February 4, the New York Department of Financial Services (DFS) released the Cyber Insurance Risk Framework (Framework), which is considered the first guidance by a U.S. regulator on cyber insurance. The Framework is aimed at property and casualty insurers that provide cyber insurance, as well as other insurers that do not write specific cyber