On December 15, 2020, the Irish Data Protection Commission (DPC) announced the imposition under the General Data Protection Regulation (GDPR) of a €450,000 fine against the social media company Twitter for its delay in reporting to DPC a data breach the company sustained in late 2018. According to the DPC’s press release about the fine, the DPC’s inquiry concerning the Twitter data breach was the first to go through the GDPR “dispute resolution” process since the GDPR’s introduction and was also  the first decision in a “big tech” case in which all EU supervisory authorities were consulted as Concerned Supervisory Authorities. The DPC’s December 9, 2020 order can be found here. The DPC’s December 15, 2020 press release can be found here.
Continue Reading In First for U.S. Tech Firm, Twitter Hit with GDPR Fine

The Illinois Biometric Information Privacy Act (BIPA) has been on the books for more than a decade. However, as a result of a January 2019 decision by the Illinois Supreme Court, the statute’s requirements and potential liabilities have become a much more serious concern. Moreover, a number of states have passed or are considering legislation similar to or designed to address the same concerns as the Illinois BIPA. This kind of privacy legislation represents a significant potential corporate liability exposure. As discussed further below, biometric data privacy-related claims present some complicated insurance coverage issues.
Continue Reading The Complicated Threat of Biometric Data Privacy Class Actions

Libby Benet

In the current environment, most people are aware that there are serious pitfalls and problems involved with data security and privacy. However, business leaders may not always be aware of their legal and ethical duties for securing employee, customer, and partner information. In the following guest post, Libby Benet, JD, CIPP US, Principal Benet Consulting, takes a look at these issues, as well as the important differences between information security and privacy. I would like to thank Libby for allowing me to publish her article as a guest post. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Libby’s article.
Continue Reading Guest Post: Information Security and Privacy – What Business Leaders Need To Know

Earlier this year, after Facebook was sued in a securities class action following news that it had given access to personal user information to Cambridge Analytica, I questioned whether privacy issues might represent the next big corporate liability exposure. Among other things, in making this suggestion, I was taking into consideration that fact that the EU’s General Data Protection Regulation (GDPR) was about to go into effect. More recent developments confirm my view that privacy issues likely will represent an area of specific and growing concern and potential liability for companies, their management, and their boards.
Continue Reading California Enacts Sweeping Privacy Legislation

For some time, observers (including me) have been discussing the extent to which the rising numbers of corporate data breaches would translate into to D&O litigation. There of course have been some data breach-related D&O lawsuits;  indeed, plaintiffs’ lawyers have recently for the first time managed to secure some success with these kinds of suits – as discussed here, Yahoo recently settled a data breach related securities class action lawsuit for $80 million. In light of the Yahoo settlement, the possibility for further data breach-related D&O litigation seems likely. But as I was reading the complaint in a securities class action lawsuit filed earlier this week against Facebook, I began to think that a related but slightly different data security-related concern might actually present an even more significant risk of future D&O claims.
Continue Reading Do Privacy Issues Represent the Next Big D&O Liability Exposure?

sixth circuit sealOne of defendants’ most significant arguments in opposing data breach victims’ negligence and breach of privacy claims has been that the claimants that have not suffered actual fraud or identity theft can show no cognizable injury and therefore lack Article III standing to assert their claims. Appellate decisions in the Seventh and Ninth Circuit have previously taken a bite out of this defense, in rulings holding that the victims’ fear of future harm is sufficient to establish standing. Now the Sixth Circuit in a case involving alleged victims of a data breach at Nationwide Mutual Insurance Company has joined these other circuits, holding that the  claimants’ heightened risk for fraud and mitigation costs were sufficient to establish Article III standing. The Sixth Circuit’s September 12, 2016 opinion, which can be found here, represents the latest in a series of developments evincing courts’ increasing willingness to recognize fear of potential future harm as sufficient to establish standing, which in turn may make it easier for the plaintiffs’ claims in these kinds of data breach cases to go forward.
Continue Reading Sixth Circuit: Data Breach Victims’ Heightened Risk of Future Harm Establishes Article III Standing

Stark Photo
John Reed Stark

As I noted in a recent post, on June 8, 2016, the SEC, in what one commentator called “the most significant SEC cybersecurity-related action to date,” announced that Morgan Stanley Smith Barney LLC had agreed to pay a $1 million penalty to settle charges that as a result of its alleged failure to adopt written policies and procedures reasonably designed to protect customer data, some customer information was hacked and offered for sale online. In the following guest post, John Reed Stark, President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement, takes a look at the circumstances at the company that led to this enforcement action and reviews the important lessons that can be learned from what happened. A version of this article originally appeared on CybersecurityDocket. I would like to thank John for his willingness to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s guest post.Continue Reading Guest Post: Key Takeaways From the SEC Morgan Stanley Cybersecurity Case

cfpbUntil now, the primary federal agency regulating data security has been the Federal Trade Commission. Indeed, in August 2015, the Third Circuit in the Wyndham Worldwide case affirmed the FTC’s regulatory enforcement authority against companies failing to take appropriate action to protect consumer financial information. However, other federal regulatory agencies are now increasing asserting their authority with respect to data security issues, including in particular, the Consumer Financial Protection Bureau (CFPB), which recently brought its first data security enforcement action. These developments underscore the fact that companies face a growing regulatory exposure relating to cybersecurity issues. The specific recent developments also highlight the expectations regulators are asserting with respect to board responsibility for cybersecurity issues and establish that companies can face data security enforcement action even if the companies have not themselves experienced a data breach.
Continue Reading Federal Agencies Joining the Data Security Enforcement Action Bandwagon

paul-cyber-book-250x324We are long past the point where cybersecurity can be treated like an emerging, obscure or peripheral issue. The fact is that cybersecurity is now an important concern for every organization and enterprise. For that reason, cybersecurity is also now an important concern for everyone responsible for protecting and guiding those organizations and enterprises, including in particular corporate directors and officers. In the current environment, there is no shortage of advice available for these corporate officials as they seek to understand and fulfill their responsibilities to their organizations. Indeed the sheer volume of information available can be confusing or even overwhelming. Fortunately, there is now a single volume guide available to help corporate directors address their organization’s cybersecurity exposures and needs. The new book by Paul Ferrillo of the Weil Gotshal law firm entitled “Navigating the Cybersecurity Storm: A Guide for Directors and Officers” (here) is a readable, well-organized, and helpful guide for any corporate official seeking to address their cybersecurity responsibilities.
Continue Reading Book Review: A Cybersecurity Guide for Corporate Directors and Officers

weilOn September 22, 2015, in what has been described as the SEC’s first cybersecurity-related enforcement action, the SEC announced that it had entered a settlement St. Louis-based investment advisor R.T. Jones Capital Equities Management, Inc., based on charges that the company had failed to establish the required cybersecurity policies and procedures in advance of a breach that compromised the personally identifiable information (PII) of approximately 100,000 individuals, including thousands of the firm’s clients.  A copy of the SEC’s order related to the settlement can be found here.

In the following guest post, David Wohl and Paul Ferrillo of the Weil Gotshal law firm take a look at the SEC’s settlement with R.T. Jones and examine the implications of the settlement, and of the recent guidance from SEC’s Office of Investor Education and Advocacy, for future regulatory action, from the SEC and other agencies. A version of the guest post previously was published as a Weil client alert.

I would like to thank David and Paul for their willingness to publish their article on this blog. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is David and Paul’s guest post.


Just days after the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued its second round of cybersecurity guidance for its upcoming examinations of registered investment advisers and broker-dealers,[i] the SEC settled an administrative proceeding on cybersecurity issues arising out of a breach at a registered investment adviser, R.T. Jones Capital Equities Management, Inc.  (“R.T. Jones”).[ii]  As a result of the settlement, R.T. Jones was censured and fined $75,000.  On the heels of the recent OCIE guidance and following a year of major cybersecurity breaches (especially at financial institutions),[iii] this proceeding is instructive on a number of points, especially on the question “What happens when you don’t adopt policies and procedures to safeguard client data?”
Continue Reading Guest Post: SEC’s Regulatory Action Against R.T. Jones: Did the Other Cybersecurity Shoe Just Drop?