According to the company’s December 9, 2015 press release (here), Wyndham Worldwide has reached a settlement with the Federal Trade Commission in the long-running and high-profile civil action the agency filed against the company and its affiliates in connection with data breaches at the company during the period 2008-2010. Under the terms of the settlement, the company has agreed to undertake certain measures and to continue to meet certain standards with respect to its customers’ payment card information. As the company said in its press release about the settlement, the company’s undertakings in the settlement set “a standard for what the government considers reasonable data security of payment card information.” The FTC’s December 9, 2015 press release about the settlement can be found here. The parties’ stipulated order for injunction, which is subject to court approval, can be found here.
Continue Reading Wyndham Worldwide Settles Data Breach-Related FTC Enforcement Action
Data breach
Guest Post: SEC’s Regulatory Action Against R.T. Jones: Did the Other Cybersecurity Shoe Just Drop?
On September 22, 2015, in what has been described as the SEC’s first cybersecurity-related enforcement action, the SEC announced that it had entered a settlement with St. Louis-based investment advisor R.T. Jones Capital Equities Management, Inc., based on charges that the company had failed to establish the required cybersecurity policies and procedures in advance of a breach that compromised the personally identifiable information (PII) of approximately 100,000 individuals, including thousands of the firm’s clients. A copy of the SEC’s order related to the settlement can be found here.
In the following guest post, David Wohl and Paul Ferrillo of the Weil Gotshal law firm take a look at the SEC’s settlement with R.T. Jones and examine the implications of the settlement, and of the recent guidance from SEC’s Office of Investor Education and Advocacy, for future regulatory action, from the SEC and other agencies. A version of the guest post previously was published as a Weil client alert.
I would like to thank David and Paul for their willingness to publish their article on this blog. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is David and Paul’s guest post.
****************************************
Just days after the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued its second round of cybersecurity guidance for its upcoming examinations of registered investment advisers and broker-dealers,[i] the SEC settled an administrative proceeding on cybersecurity issues arising out of a breach at a registered investment adviser, R.T. Jones Capital Equities Management, Inc. (“R.T. Jones”).[ii] As a result of the settlement, R.T. Jones was censured and fined $75,000. On the heels of the recent OCIE guidance and following a year of major cybersecurity breaches (especially at financial institutions),[iii] this proceeding is instructive on a number of points, especially on the question “What happens when you don’t adopt policies and procedures to safeguard client data?”
Guest Post: Coverage for Future Injuries: Is Your Cyber Policy Up To The Neiman Marcus Challenge?

As I discussed in a recent post, on July 20, 2015, the Seventh Circuit issued its opinion in the Neiman Marcus consumer data breach class action lawsuit. In its opinion (a copy of which can be found here), the appellate court ruled that the district court erred in concluding that the plaintiffs’ fear of future harm from the breach was insufficient to establish standing to pursue their claims. The court held that the impending injuries alleged were sufficient to support Article III standing.
In the following guest post, Micah Skidmore of the Haynes and Boone law firm takes a closer look at the decision and discusses some important insurance coverage issues that the court’s ruling about future injuries may present.
I would like to thank Micah for his willingness to publish his article on my site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is Micah’s guest post.
**********************************
The recent Neiman Marcus decision from the Seventh Circuit has lowered the bar for plaintiffs suing in the wake of a data breach. In addition to actual injury, future “impending” injuries substantiated by an “objective,” “substantial risk of harm” and actual costs incurred to prevent or mitigate “imminent” harm are sufficient to support Article III standing. While the Neiman Marcus decision may provide some clarity regarding standards of pleading and liability (at least for plaintiffs), for those defendants reliant on network security/privacy liability insurance to protect against data breach claims, the opinion prompts an urgent question: does my policy cover liability for future injuries and preventive measures?
O.K., This Is a Big Deal: 7th Cir. Reinstates Neiman Marcus Consumer Data Breach Class Action
In a ruling that could provide an important boost to future consumer data breach class action litigation, the Seventh Circuit has reinstated the Neiman Marcus data breach lawsuit, ruling that the district court erred in concluding that the plaintiffs’ fear of future harm from the breach was insufficient to establish standing to pursue their claims. As Alison Frankel said about the appellate court’s ruling in her July 21, 2015 post on her On the Case blog entitled “The Seventh Circuit Just Made it A Lot Easier to Sue Over Data Breaches” (here), “this is a really consequential decision.” The Seventh Circuit’s July 20, 2015 opinion in the Neiman Marcus case can be found here.
Guest Post: Cybersecurity Enforcement: The FTC Is Out There
Along with the disruption and the reputational damage, a company experiencing a data breach can also find itself attracting the unwanted attention of regulators. Among the federal regulators that have proven to be active in the data breach arena has been the Federal Trade Commission. In the following guest post, Robert Carangelo, Eric Hochstadt…
Guest Post: The Key Players in Cybersecurity Investigations
One of the most immediate challenges when a company experiences a data breach is trying to figure out what has happened – how the breach occurred and how serious it is. Determining what has happened is also critical to re-establishing the company’s cybersecurity. In the following guest post Robert F. Carangelo and Paul A. Ferrillo…
Target Directors and Officers Hit with Derivative Suits Based on Data Breach
I have frequently noted that among the many exposures a company experiencing a data breach could encounter is the possibility of a shareholder suit alleging that the company’s board breached their fiduciary duties by failing to take sufficient steps to protect the company from a breach and its consequences. This possibility has now been …
Smaller Companies Should Consider Cyber-Liability Insurance
Smaller companies increasingly are the subject of data breaches and those smaller companies “are the number-one target of cyber-espionage attackers,” according to a recent study detailed in an April 24, 2013 CFO.com article entitled “Should You Consider Cyber Insurance?” (here). Smaller companies increasingly are the subject of cyber attacks due to “inadequate security…