Four years ago—in early February 2020—Blackbaud, a software company that provides tools to schools, healthcare providers, and non-profit organizations, fell victim to a ransomware attack. That attack, which compromised data from some 13,000 Blackbaud customers,...

We had long predicted that the CCPA’s introduction of statutory damages associated with certain data breaches would make California a popular venue for data breach class action lawsuits. Sure enough, litigants are now raising such...

Following a breach affecting 145 million consumers, the Federal Trade Commission has announced a settlement with Equifax for up to $700 million, the largest ever for a data breach. In the same action, Equifax also settled with...

New York has updated its breach notification and data security law, expanding the definition of a data breach and imposing detailed reasonable security requirements, among other changes. The amendment also adds a number of new...

Arkansas has updated its breach notification law to expand the definition of “personal information” and to require notifying the Arkansas Attorney General when a breach involves more than 1,000 individuals’ personal information. On April 15, 2019, Governor...

On May 7, 2019, Governor Jay Inslee signed a bill (HB 1071) that strengthens the state’s existing data breach notification law by expanding the definition of “personal information” and reducing the time an entity has to...

On April 24, 2019, the U.S. Supreme Court held in Lamps Plus v. Varela that under the Federal Arbitration Act (“FAA”), class arbitration is only permitted when explicitly provided for in arbitration agreements. The 5-4 decision...

Massachusetts has updated its breach notification law to require credit monitoring services and more prescriptive breach notices to regulators, as well as to strengthen rules for consumer reporting agencies. Governor Charlie Baker signed the legislation...

Ohio has become the first state to enact legislation providing liability protection for businesses that implement a written cybersecurity program that “reasonably conforms” to certain cybersecurity frameworks or laws to protect personal information. This approach...

Since at least fall of 2017, the Department of Education (“ED”) has expected institutions of higher education to report data breaches directly to the department on the same day a breach is discovered – or...