Data Protection Law Compliance

Storing Users’ Passwords in Cleartext May Be a ‘Knowing Violation’ of GDPR

Don’t store users’ passwords in cleartext. Really.

It’s not a good idea. Also, it may be deemed a ‘knowing violation’ of the EU General Data Protection Regulation (GDPR) requirement to
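What the alternative to cleartext storage looks like in practice, as an added example (not code from the post or from any of the organisations discussed on this page): a record that is the password itself beside a record that holds only a per-user random salt and a slow, memory-hard hash of the password. It uses only the Python standard library (hashlib.scrypt and os.urandom); the record format, the cost parameters and the sample password are assumptions chosen for illustration.

```python
"""Password storage: cleartext record versus salted scrypt hash.

Added example, not from the original post. Standard library only:
hashlib.scrypt needs Python 3.6+ built against OpenSSL 1.1 or later.
"""
import hashlib
import hmac
import os
from typing import Optional

# Cost parameters (assumption: sized for an interactive login on a
# current server; raise N as hardware allows). Memory use is 128*r*N
# bytes, i.e. 16 MiB with these values.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
KEY_BYTES = 32
MAX_MEM = 64 * 1024 * 1024


def store_cleartext(password: str) -> str:
    """The practice the post warns against: whoever reads the record
    (a database dump, a backup, a log line) holds the credential."""
    return password


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'scrypt$N$r$p$salt_hex$hash_hex'.

    A fresh random salt per user means two users with the same password
    get different records, and a precomputed table is useless.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                         maxmem=MAX_MEM, dklen=KEY_BYTES)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), key.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the parameters stored in the record and
    compare in constant time. Malformed records simply fail to verify."""
    try:
        algo, n, r, p, salt_hex, hash_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        n, r, p = int(n), int(r), int(p)
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=n, r=r, p=p, maxmem=MAX_MEM,
                               dklen=len(hash_hex) // 2)
    return hmac.compare_digest(candidate.hex(), hash_hex)


if __name__ == "__main__":
    # Constructed sample input.
    pw = "correct horse battery staple"
    print("cleartext record :", store_cleartext(pw))
    rec = hash_password(pw)
    print("hashed record    :", rec)
    print("verify correct   :", verify_password(pw, rec))
    print("verify wrong     :", verify_password(pw.upper(), rec))
```

The record carries its own parameters so the cost can be raised later without invalidating existing users: verify with the old parameters, then rehash on successful login.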

Facebook Runs Afoul of French Data Protection Authority

The French data protection authority (CNIL) is placing Facebook’s EU-U.S. data transfer practices under new scrutiny over its use of the defunct Safe Harbor framework.

The agency issued a two-part

EU Safe Harbor Invalidation Leads Israel to Rescind U.S. Data Transfer Authorization

Businesses that relied previously on the EU’s Safe Harbor exception to transfer data from Israel to the United States have had that authorization revoked by the Israeli Law, Information and

The Anatomy of a Cyber Attack: Prevention, Response and Postmortem (Part 6 of 6)

This blog post is the sixth and final entry of a six-part series discussing best practices relating to cyber security. The previous post discussed the individuals and organizations that should be notified once a cyberattack occurs. This post will focus on what a business should not do after a cyberattack. Key points include (1) not using the compromised network, (2) not sharing information with unconfirmed parties, and (3) not attempting to retaliate against a different network.

The Anatomy of a Cyber Attack: Prevention, Response and Postmortem (Part 5 of 6)

This blog post is the fifth entry of a six-part series discussing best practices relating to cyber security. The previous post discussed the important steps that a business should take to preserve evidence and information once a cyberattack has been identified. This post will discuss the individuals and organizations that should be notified once a cyberattack occurs. The four most important groups to contact are (1) individuals within the business, (2) law enforcement officials, (3) the Department of Homeland Security, and (4) other possible victims.

The Anatomy of a Cyber Attack: Prevention, Response and Postmortem (Part 4 of 6)

This blog post is the fourth entry of a six-part series discussing best practices relating to cyber security. The previous post discussed the initial steps that a business should take once a cyberattack has been identified. This post will discuss further steps that a business should take after an attack.

The Anatomy of a Cyber Attack: Prevention, Response and Postmortem (Part 3 of 6)

This blog post is the third installment of a six-part series discussing best practices relating to cyber security. The first two blog posts discussed the best practices for preparing a business in case of a cyberattack. This post will discuss the initial steps that a business should take after a cyberattack occurs.

The Seventh Circuit Sides with Plaintiffs in Data Breach Litigation

On July 20, 2015, in Remijas v. Neiman Marcus Group, LLC, No. 14-3122 (7th Cir. 2015), the Seventh Circuit held that the United States District Court for the Northern

Pennsylvania Continues to Rely on Third Circuit Holding that the Risk of Harm is Not Enough in Data Breach Actions

As noted in Dittman et al. v. The University of Pittsburgh Medical Center, Case No. GD-14-003285, previously reported on this blog, Pennsylvania has firmly adopted the position that the risk of harm is not enough in data breach actions. Still, data breaches have become some of the most noteworthy headlines in recent news. The increase in litigation has brought with it efforts to shrink the case load through the Article III requirement of standing: courts are finding that plaintiffs have not sufficiently established a concrete injury and therefore cannot seek remedies from the court. One of the main issues with data breaches is that once the data has been extracted or accessed, tangible harm does not necessarily follow. For that reason, the Third Circuit established that, in data breach actions, the mere risk of future harm does not suffice to save the claim. The seminal case of Reilly v. Ceridian Corp. held that where no actual misuse is alleged, “allegations of hypothetical, future injury do not establish standing under Article III.” 664 F.3d 38, 41 (3d Cir. 2011).