Cybersecurity, Information Governance, and Privacy

A federal court in Michigan recently ruled that out-of-state residents have standing to sue under the Michigan Personal Privacy Protection Act (PPPA). In Lin v. Crain Communications, Inc., Case No. 2:19-cv-11889 (E.D. Mich., June 25, 2019), Gary Lin, a Virginia resident, filed a putative class-action lawsuit against Crain Communications, Inc. (Crain), a Michigan-based publishing

At the Nationwide Multistate Licensing System (NMLS) Annual Conference, state financial regulators released an updated cybersecurity examination tool for nonbank financial company supervision. The tool is designed for state regulators to use in examinations, but “companies are encouraged to use it to assess their cybersecurity health between examinations.”

State regulators are continuing to find new

We have long predicted that just as other states followed California in passing breach notification laws, states would follow in California’s footsteps in regulating information privacy practices with the California Consumer Privacy Act of 2018 (CCPA), which was later amended by the California Privacy Rights Act of 2020 (CPRA).[1] The Virginia state legislature recently

On February 4, the New York Department of Financial Services (DFS) released the Cyber Insurance Risk Framework (Framework), which is considered the first guidance by a U.S. regulator on cyber insurance. The Framework is aimed at property and casualty insurers that provide cyber insurance, as well as other insurers that do not write specific cyber

The Eleventh Circuit affirmed a district court’s dismissal for lack of standing in a data incident case. The majority opinion, written by Senior Judge Gerald Bard Tjoflat and joined by Judge Adalberto Jordan and Senior Fourth Circuit Judge William Traxler sitting by designation, highlighted the disagreement among federal appellate courts about the type of harm

Last week, Judge Sue Myerscough declined to certify a class of employees whose personal information was disclosed when Driveline Retail Merchandising fell prey to a phishing scam. While nearly 16,000 employees were allegedly affected, “issues of causation and injury” were insufficiently common to satisfy the requirements for class certification.

The factual background will resonate with

In Wengui v. Clark Hill, PLC, Judge Boasberg of the District Court for the District of Columbia, granted the plaintiff’s motion to compel the defendant to produce a report and additional materials associated with a cyberattack. In its ruling, the court emphasized that materials that would otherwise be created in the ordinary course of

On January 11, the Federal Trade Commission (FTC) announced it has settled with a California-based photo app developer involving allegations that it was building and using its users’ photos and videos to create facial recognition technology without their express consent.

Facial recognition software is typically comprised of three steps: detection, mapping, and identification. During the

A federal court in California has ruled that the plaintiff in a putative class action alleging theft of non-sensitive personal information arising from a cybersecurity data breach lacks Article III standing to maintain his claims. In Rahman v. Marriott International, Inc., the Plaintiff asserted claims for violation of the California Consumer Privacy Act (“CCPA”),

Do you want a simple way to keep current on important privacy changes? Avoid sleepless nights wondering whether you missed a privacy speed bump or pothole between annual updates? Worry no longer. Troutman Pepper is pleased to offer More Privacy Please, a monthly newsletter recapping significant industry and legal developments, as well as trends