On October 31, 2017, the New York and Vermont Attorneys General announced a settlement with Hilton Domestic Operating Company, Inc., resolving allegations that the company lacked reasonable data security and waited too long to report a pair of 2015 data breaches that exposed over 350,000 credit card numbers.
Continue Reading Hilton Agrees to Settle Data Breach-Related Claims by NY and VT Attorneys General

On August 1, 2017, a unanimous three-judge panel for the D.C. Circuit reversed the dismissal of a putative data breach class action against health insurer CareFirst, finding the risk of future injury was not too speculative to establish injury in fact under Article III.
Continue Reading D.C. Circuit’s Article III Standing Decision Deepens Appellate Disagreement

On May 26, 2017, Alcoa Community Federal Credit Union, on behalf of itself, credit unions, banks and other financial institutions, filed a nationwide class action against Chipotle Mexican Grill, Inc. arising from a breach of customer payment card data.
Continue Reading Chipotle Payment Card Data Breach: Financial Institutions File Leapfrog Suit

On May 23, 2017, Target reached a settlement with the Attorneys General of 47 states and the District of Columbia to resolve the states’ investigation of Target’s 2013 data breach.
Continue Reading Target and State Attorneys General Resolve Investigation with Largest Multi-State Breach Settlement to Date

Recently, the U.S. District Court for the Northern District of Georgia dismissed a shareholder derivative lawsuit against Home Depot Inc. (“Home Depot”) arising from claims that Home Depot’s directors and officers (the “Defendants”) acted in bad faith and violated their duties of care and loyalty by disregarding their oversight duties in connection with a 2014 data breach. The case is In re Home Depot Inc. S’holder Derivative Litig., N.D. Ga., No. 1:15-CV-2999-TWT.
Continue Reading Home Depot Prevails in Shareholder Derivative Lawsuit Over 2014 Data Breach

On November 7, 2016, Adobe Systems Inc. entered into an assurance of voluntary compliance with 15 state Attorneys General to settle allegations that the company lacked proper measures to protect its systems from a 2013 cyber attack that resulted in the theft of the personal information of millions of customers.
Continue Reading Adobe Settles Multistate Data Breach Enforcement Action

The PCI Security Standards Council recently published a set of enhanced validation procedures designed to provide greater assurance that certain entities are maintaining compliance with the PCI Data Security Standard effectively and on a continuing basis. In addition, on July 1, 2015, PCI Data Security Standard Version 3.0 is being retired and the controls previously designated by Version 3.0 as best practices will become mandatory.
Continue Reading PCI Security Standards Council Releases Enhanced Validation Requirements for Designated Entities as PCI DSS Version 3.0 Set to Retire