Ever since the Target and Home Depot breaches were traced to intrusions at their vendors, the management of cybersecurity at third-party vendors has been a focus of companies and regulators. The FTC has flagged the issue, as has the SEC. The DoD has imposed strict cybersecurity requirements for contractors that “flow down” to sub-contractors.

But despite an increasing focus on the full lifecycle of third-party risk management, vendor incidents continue to represent a high percentage of reported data breaches. According to a March 2016 Ponemon Institute report, 49 percent of survey respondents indicated that their organization experienced a data breach caused by a vendor.

This post was also written by Joshua B. Marker and Tyler M. Layton.

In a significant victory, Delta Airlines’ demurrer to the enforcement action filed by the state of California was sustained without leave to amend. We previously wrote about the case here. California alleged that Delta’s mobile application was in violation of CalOPPA

This post was also written by Joshua B. Marker.

California continues to be among the most aggressive states in proposing legislation restricting disclosure of personal identifying information. Earlier this month, California Senate Majority Leader Ellen M. Corbett (D) introduced SB 501, known as the Social Networking Privacy Act, which would require social networking websites to

This post was also written by Frederick Lah.

A California state assemblyman proposed legislation this week attempting to require that online privacy policies be no more than 100 words. The legislation would also require that the privacy policy “be written in clear and concise language, be written at no greater than an 8th grade reading

This post was also written by Joshua Marker.

Following a year in which she repeatedly announced her intention to make mobile privacy a priority, California Attorney General Kamala Harris filed the first mobile privacy enforcement action against Delta Air Lines. The case, The People Of The State Of California v. Delta Air Lines, CGC-12-526741,

This post was also written by Chris Cwalina and Frederick Lah.

In VPR Internationale v. Does 1-1017 (C.D. Ill.), Judge Baker opined that Internet Protocol (“IP”) addresses do not — by themselves — qualify as personal information, capable of accurately identifying an individual. While this decision is a landmark ruling for the mass-BitTorrent lawsuits in that it may spell the end of the “pay-up-or-else-schemes”, it may have broader data privacy implications.

In VPR, plaintiff sought to sue over a thousand alleged copyright infringers. The plaintiff did not know the names of these Doe defendants. The plaintiff only knew the defendants by the IP address from which each defendant came. Plaintiff sought to subpoena the Internet Service Providers (ISPs) associated with each IP to learn the identity of each defendant. The court rejected this demand for expedited discovery.

This post was also written by Chris Cwalina and Amy Mushahwar.

We’ve been busy here in Washington with two seminal privacy reports released within a span of two weeks. At Reed Smith, our interdisciplinary team of former government officials, former in-house attorneys, class action litigators and engineers (in the US and internationally) are reviewing the