Insights

Client Alerts 91 results

Client Alert | 14 min read | 07.24.24

U.S. Federal District Court Judge Dismisses Much of SEC’s Claims Against SolarWinds and its CISO Relating to SUNBURST Cybersecurity Attack

On Thursday, July 18, 2024, Judge Paul Engelmayer, U.S. District Judge for the Southern District of New York, dismissed the bulk of the Securities and Exchange Commission’s (SEC’s) landmark civil securities law claims against SolarWinds and its Chief Information Security Officer (CISO) Timothy Brown.  The Court dismissed all allegations based on SolarWinds’ public disclosures made after SolarWinds became a victim of the well-publicized SUNBURST cybersecurity attack, and also dismissed the SEC’s claims relating to SolarWinds’ internal accounting controls and disclosure controls and procedures.  However, the Court declined to dismiss claims of securities fraud against SolarWinds and its CISO based on SolarWinds’ pre-SUNBURST disclosures, finding that the SEC had properly pleaded that the company’s publicly-posted “Security Statement” was materially false and misleading. 
...

Client Alert | 10 min read | 02.13.24

FTC Proposes Modifications to Strengthen COPPA Regulations

On January 11, 2024, the Federal Trade Commission (“FTC”) published in the Federal Register a Notice of Proposed Rulemaking (“NPRM”) to modify the Children’s Online Privacy Protection Rule (“COPPA Rule”), a set of regulations implementing the Children’s Online Privacy Protection Act (“COPPA”) statute. Overall, the NPRM seeks to strengthen and clarify the COPPA Rule in response to technological advances and changes in the way children interact with online offerings. In particular, the NPRM follows a public comment period in which the FTC noted novel issues affecting the COPPA Rule, including the educational technology sector, voice-enabled connected devices, and platforms directed to general audiences that host third-party content directed to children. Comments on the NPRM are due on March 11, 2024.
...

Client Alert | 1 min read | 07.31.23

The First Text Cuts the Deepest: Eleventh Circuit Aligns with Other Circuits on TCPA Standing

On July 24, 2023, an en banc Eleventh Circuit joined the majority of circuits to find that just one text is sufficient to establish standing to bring a Telephone Consumer Protection Act (“TCPA”) claim. The decision, Drazen v. Pinto, --- F.4th ---, 2023 WL 4699939 (11th Cir. July 24, 2023), not only undoes the panel’s original holding, but also reverses course from the Eleventh Circuit’s prior decision in Salcedo v. Hanna, 936 F.3d 1162 (11th Cir. 2019), which held that a Plaintiff who received a single text message did not have TCPA standing.  
...

Client Alert | 5 min read | 07.11.23

EU-U.S. Data Privacy Framework: The New Solution for EU Data Transfers to the U.S.

On 16 July 2020, we started one of our Client Alerts as follows:
...

Client Alert | 5 min read | 02.06.23

BIPA Claims Uniformly Have a 5-Year Statute of Limitations

On February 2, 2023, the Illinois Supreme Court ruled that all Biometric Information Privacy Act (“BIPA”) claims are uniformly subject to a five-year statute of limitations, expanding liability for businesses collecting biometric information.[1] In Tims v. Black Horse Carriers, Inc., the court found that a longer, uniform statute of limitations for all claims under BIPA best fulfilled the legislative intent to hold private entities accountable and provide redress for data subjects.[2] The Tims decision partially reversed an appellate court’s interlocutory decision that applied a one-year statute of limitations to some sections of BIPA, while applying a five-year statute of limitations to others.[3] This highly anticipated decision will allow companies to understand and manage their liability risk and will also likely fuel the growth of future BIPA lawsuits.
...

Client Alert | 3 min read | 04.22.22

Global Data Transfer Developments: Taking the APEC CBPR System Global

On April 21, Canada, Singapore, Japan, the U.S., the Republic of Korea, Chinese Taipei, and the Philippines released a joint declaration announcing the creation of a Global Cross-Border Privacy Rules (CBPR) Forum. This global CBPR Forum, which is drawn from the Asia-Pacific Economic Cooperation (APEC) forum’s existing CBPR and Privacy Recognition for Processors (PRP) Systems, will allow for the expansion of the CBPR system beyond APEC’s twenty-one economies into a truly international framework.
...

Client Alert | 4 min read | 04.08.22

SolarWinds Cyber-Attack Litigation Proceeds Against Company, Investors, and Individual

After the SolarWinds Supply Chain Attack in late 2020 became public, the value of SolarWinds stock on the public market decreased in one week from almost $25 per share to less than $15 per share—a substantial decline of approximately 40%.
...

Client Alert | 4 min read | 12.20.21

CISA Emergency Directive Requires Immediate Mitigation of Log4j Vulnerabilities

On December 17, 2021, the Cybersecurity and Infrastructure Security Agency (“CISA”) issued Emergency Directive 22-02 (the “Directive”) instructing civilian federal agencies to mitigate a series of vulnerabilities in Apache Log4j, a Java-based logging library, by 5 p.m. EST on December 23 and to provide a report to CISA about vulnerable applications by December 28.
...

Client Alert | 7 min read | 09.28.21

OFAC Issues Updated Guidance on Ransomware Attacks and Imposes First Sanctions Designation on a Virtual Currency Exchange

On September 21, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued an updated advisory on potential sanctions risks for companies that facilitate ransomware payments in response to cyberattacks, guidance on preventative measures companies can implement to mitigate such risks, and criteria that OFAC will consider as mitigating factors in any potential enforcement action. OFAC also announced that it has added SUEX OTC, S.R.O. (“SUEX”), a Russian virtual currency exchange, to its Specially Designated Nationals and Blocked Persons List (the “SDN List”), as a result of its role in facilitating ransomware payments. This represents OFAC’s first-ever designation of a virtual currency exchange.
...

Client Alert | 2 min read | 07.13.21

Biden Executive Order on Competition Includes Recommended Action on Internet Platform Industries and Privacy

On Friday, President Biden signed the Executive Order on Promoting Competition in the American Economy (“Executive Order”). The Executive Order includes 72 initiatives by more than a dozen federal agencies to address perceived competition issues across the economy, and establishes a White House Competition Council to monitor progress on facilitating and implementing these initiatives. The Executive Order announces a policy of increased antitrust enforcement -- “especially as these issues arise” in labor markets, agricultural markets, Internet platform industries, healthcare markets, repair markets, and U.S. markets directly affected by foreign cartel activity. 
...

Client Alert | 3 min read | 06.30.21

U.S. Supreme Court Reverses Class Action Award Against TransUnion, Finds Statutory Violation Without Concrete Harm Not Sufficient to Establish Standing

On June 25, 2021, the U.S. Supreme Court reversed a Ninth Circuit decision in TransUnion LLC v. Ramirez, which affirmed a class action award of approximately $40 million in statutory and punitive damages to a class of 8,185 individuals against TransUnion for alleged violations of the Fair Credit Reporting Act (FCRA). In TransUnion, the Court affirmed and strengthened its recent decision in Spokeo, Inc. v. Robins, a case which also involved an alleged violation of the FCRA, in which the Court held that mere procedural violations of a statute do not confer Article III standing.  Applying those principles, the Court held that 6,332 of the putative class members did not have standing to bring a suit for damages against TransUnion because they failed to demonstrate that they suffered a concrete harm as a result of TransUnion’s decision to place an Office of Foreign Assets Control (OFAC) Alert on their credit files indicating that the plaintiffs’ names were a potential match to OFAC’s list of terrorists, drug traffickers, and other serious criminals. Given that the plaintiffs’ claims were largely based on a specific provision of the FCRA requiring consumer reporting agencies to “follow reasonable procedures to assure maximum possible accuracy” in consumer reports, this decision not only creates an additional obstacle for class action plaintiffs attempting to enforce federal statutes, but it also calls into question Congress’s ability to establish causes of action for procedural violations.
...

Client Alert | 2 min read | 06.29.21

Just in Time - EU Adopts Adequacy Decisions for free flow of data with UK

On 28 June 2021, the European Union (EU) adopted two adequacy decisions which permit the free flow of personal data from the EU and the European Economic Area (EEA) to the UK. The adequacy decisions are given under the EU General Data Protection Regulation (GDPR) and Law Enforcement Directive (LED), and include the EU’s assessment of the UK’s data protection standards. The decisions are necessary because EU data protection law limits transfers to a third country (the UK became a third country as a result of Brexit), and under the EU – UK Trade Cooperation Agreement the transition period was due to expire on 30 June 2021.
...

Client Alert | 4 min read | 06.23.21

Don’t be that Victim: The Critical Need for Ransomware Response Plans

Senator Maggie Hassan (N.H.-D): “My question is, in your planning, did you have a plan for cybersecurity response that included guidance about ransomware?”
...

Client Alert | 4 min read | 06.17.21

A Ransomware Attack Primer: What You Need to Know and What Crowell Can Do to Help

As recently as six months ago, ransomware was the domain of CISOs (chief information security officers) and cybersecurity lawyers. But in the wake of high-profile attacks by Russian-based cybercriminals on Colonial Pipeline, operator of the country’s largest refined fuel pipeline, and JBS Foods, the world’s largest meat processor, ransomware jumped to the top of the agenda for President Biden’s meeting with Russian President Vladimir Putin this week. These high-profile incidents have shown that ransomware attacks are a significant business/operational and legal risk for global companies. Colonial Pipeline paid $5 million to resolve its attack, JBS $11 million, and the group responsible for an attack on Acer is demanding $50 million.
...

Client Alert | 8 min read | 06.07.21

The New Standard Contractual Clauses for Transfers of Personal Data from the EU

On June 4, 2021, the European Commission (EC) issued its long-awaited updated standard contractual clauses (SCCs).  The publication of the SCCs is an important moment for the global business community because they allow companies to meet the requirements of the European General Data Protection Regulation (GDPR) when transferring personal data from the European Union (EU) to non-EU countries.
...

Client Alert | 4 min read | 05.12.21

Insurance, Sanctions Considerations Among Those at Stake in IST Task Force Recommendations for Combating Ransomware

The Institute for Security and Technology (IST) recently released recommendations aimed at combating the growing threat of ransomware, proposing a comprehensive framework focused on regulatory and diplomatic ideas designed to disrupt the threat, and to help organizations prepare for and respond to ransomware attacks. Ransomware crimes pose significant legal challenges that continue to evolve alongside the threat itself, as efforts to combat ransomware attacks, such as those proposed by the IST, are developed and implemented. Organizations should remain mindful of this quickly-evolving legal landscape.
...

Client Alert | 4 min read | 04.12.21

Supreme Court Limits the TCPA’s Definition of Autodialer

Earlier this month, in Facebook, Inc. v. Duguid, the Supreme Court held that to be considered an “automatic telephone dialing system” (or “autodialer”) for purposes of the Telephone Consumer Protection Act (“TCPA”), a device must have the capacity to either (1) store a phone number using a random or sequential number generator, or (2) produce a phone number using a random or sequential number generator. In so ruling, the Supreme Court overturned the Ninth Circuit’s holding that an autodialer need only have the capacity to “store numbers to be called” and “to dial such numbers automatically,” resolving a contentious circuit split on the scope of the term autodialer.
...

Client Alert | 11 min read | 03.03.21

Virginia Consumer Data Protection Act (S.B. 1392)

The Virginia Consumer Data Protection Act (CDPA) has become the next major U.S. state privacy law, after being signed into law by Virginia Governor Ralph Northam on Tuesday, March 2, 2021. The new law amends Title 59.1 of the Code of Virginia with a new chapter 52 (creating Code of Virginia sections 59.1-571 through 59.1-581).
...

Client Alert | 3 min read | 02.09.21

11th Cir. Rejects Standing Due to Threat of Future Identity Theft & Further Deepens Circuit Split

On Thursday, February 4, the 11th Circuit held that a plaintiff cannot establish Article III standing to sue based on an increased risk of identity theft. The 11th Circuit joins the 2d, 3d, 4th, and 8th Circuits in rejecting standing based on such allegations. However, the 6th, 7th, 9th, and D.C. Circuits have all held to the contrary that a plaintiff can establish Article III standing when the defendant’s conduct has increased the risk of identity theft. The circuit split augurs U.S. Supreme Court intervention on this question in the coming years, if not sooner.
...

Client Alert | 1 min read | 12.21.20

FCC Reverses Precedent, Rules that Government Contractors Are Subject to the TCPA

In a ruling issued last week, the Federal Communications Commission (FCC) overturned precedent from 2016, ruling that federal, state, and local government contractors are subject to the Telephone Consumer Protection Act (TCPA) and therefore cannot make TCPA-prohibited robocalls on behalf of the government.
...