OFAC Updates Advisory on Enforcement Risks Relating to Agreeing to Pay Ransomware

First Post in a Two-Part Series on Recent OFAC Designations

On September 21, 2021 OFAC issued its first sanctions designation against a virtual currency exchange by designating the virtual currency exchange, SUEX OTC, S.R.O. (SUEX) “for its part in facilitating financial transactions for

In a long awaited opinion, the Supreme Court recently resolved a circuit split regarding the proper interpretation of a statute implicated in many post-employment disputes. Since its enactment, federal courts of appeal have been divided over the proper interpretation of the phrase “exceeds authorized access” under the Computer Fraud and Abuse Act (“CFAA”), a primarily criminal statute that also includes a civil cause of action where an individual accesses a protected computer without authorization or exceeds authorized access. Some courts have held that the “exceeds authorized access” requirement only applies where the individual was authorized to access the computer itself but not the particular files or information that are the subject of the dispute.
Continue Reading  Supreme Court Limits the Scope of Computer Fraud and Abuse Act

As people across the country and world try to figure out how to protect themselves against the spread of coronavirus, hackers are working hard to spread their own viruses.  Indeed, various cybersecurity firms have reported that the amount of malicious emails containing the word “coronavirus” has significantly increased since the end of January.

Many of

The fallout from the Yahoo data breaches continues to illustrate how cyberattacks thrust companies into the competing roles of crime victim, regulatory enforcement target and civil litigant.

Yahoo, which is now known as Altaba, recently became the first public company to be fined ($35 million) by the Securities and Exchange Commission for filing statements that failed to disclose known data breaches. This is on top of the $80 million federal securities class action settlement that Yahoo reached in March 2018—the first of its kind based on a cyberattack. Shareholder derivative actions remain pending in state courts, and consumer data breach class actions have survived initial motions to dismiss and remain consolidated in California for pre-trial proceedings. At the other end of the spectrum, a federal judge has balked at the U.S. Department of Justice’s (DOJ) request that a hacker-for-hire indicted in the Yahoo attacks be sentenced to eight years in prison for a digital crime spree that dates back to 2010.
Continue Reading  The Hacked & the Hacker-for-Hire: Lessons from the Yahoo Data Breaches (So Far)

Lyft recently confirmed that it is investigating whether its employees were accessing its customer database without appropriate authorization to obtain personal information, including rides taken by Facebook CEO Mark Zuckerberg. The investigation was announced less than six months after Uber entered into a Federal Trade Commission (FTC) consent order to resolve allegations of similar behavior by its own employees.

The investigation demonstrates the importance of revisiting internal compliance measures in the wake of legal developments that may be relevant to a particular company or industry. Companies need to maintain comprehensive privacy programs to ensure the confidentiality of the personal information that they collect.  Such programs should include, at a minimum:
Continue Reading  Lyft Employees Demonstrate Need for Privacy Compliance Management

Consumers are not the only ones suing retailers for payment card data breaches. The U.S. District Court for the Western District of Washington recently denied, in large part, a motion to dismiss a data breach class action brought by Veridian Credit Union, on behalf of itself and other financial institutions, against Eddie Bauer, LLC. The class action relates to a January 2016 payment card data breach that allegedly impacted “every Eddie Bauer store in the United States and Canada.”

The court dismissed Veridian’s negligence per se claim, but allowed Veridian’s negligence and state statutory claims to proceed. The court’s analysis of choice of law and negligence issues is worth a read.
Continue Reading  Federal Court Allows Credit Union Data Breach Class Action to Proceed Against Eddie Bauer