Financial institutions are now required to notify the Federal Trade Commission about any security breach that involves the information of 500 customers or more. The breach must be reported no later than 30 days after it is discovered.

Joseph Sullivan, Uber’s beleaguered former Chief Information Security Officer, was back in the news last month when he appealed his 2023 conviction for his role in concealing a 2016 breach of Uber’s network and customer data. 

We’re thrilled to announce exciting new additions to the Constangy Cyber Team, with three new partners and a law clerk. Each new team member brings unique experience and skills to our offices in Philadelphia, Chicago, and New York.

New York’s Cybersecurity Regulation continues its phased roll-out on November 1, when licensed financial services companies face a host of new requirements aimed at bolstering breach readiness and improving their ability to recover from disastrous situations. Companies will be required to put in writing how they would address several common pressure points in the breach response and mitigation process – including how they plan to recover from backups if critical data is lost.

Data breaches have become a serious issue for businesses, leading to numerous putative class action lawsuits alleging that the defendants failed to prevent the unauthorized disclosure of personally identifiable information or protected health information of their employees or customers.

The NetDiligence Cyber Risk Summit, which was held September 30-October 2 in Philadelphia, featured panels focused on the latest developments and challenges in cyber risk. Speakers included insurance, legal, and technology experts from a wide variety of organizations in the cyber risk industry.

On October 1, Montana became the newest state with a comprehensive data privacy law, the Montana Consumer Data Privacy Act.

The Commonwealth of Pennsylvania has amended its Breach of Personal Information Notification Act. The amendments, available here 2024 Act 33 - PA General Assembly (state.pa.us), took effect last week, on September 26. The key provisions are as follows:

On April 24, the Federal Trade Commission announced that it had finalized changes to its Health Breach Notification Rule - to address emerging technologies.

Specifically, the Rule was broadened to (1) apply to entities not currently subject to the Health Insurance Portability and Accountability Act, (2) clarify what a breach of security is, (3) expand notification methods, (4) impose additional requirements for the content of notifications, and (5) amend the timeframe for issuing required notifications to the FTC.

Businesses continue to be subjected to a steady stream of consumer class action lawsuits alleging improper collection or disclosure of information from their websites. A variety of laws and legal claims are used to support the suits. Some lawsuits assert violation of laws that are not particularly cutting edge, such as the Video Privacy Protection Act, or cite to non-disclosed use of more modern technology such as tracking pixels. In many of the lawsuits, both types of claims are asserted.