Today, the FTC announced that Equifax, Inc. will pay at least $575 million (and potentially up to $700 million) as part of a proposed global settlement with the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB), and 50 U.S. states and territories. Their complaint alleges that Equifax failed to take reasonable steps to

This last week saw significant compliance and enforcement activity with respect to both GDPR and the FTC.  Specifically, we saw two significant GDPR fines handed down by the UK Information Commissioner’s Office (ICO) against British Airways (approx. $230 million) and Marriott International (approx. $130 million).  In addition, Facebook settled with the FTC for the largest

*written with assistance from co-author and W&L law student, Isabella Gray.

On May 28, 2019, the Cyberspace Administration of China (“Cybersecurity Administration”) released a set of draft Measures for Data Security Management (the “Draft Measures”).  The Draft Measures provide articles governing how network operators, defined as someone who owns and administrates a network or a

In our Southeast Financial Litigation Monitor, our own Lindsey Catlett posts about a recent opinion in Southern Independent Bank vs. Fred’s Inc., in which the Middle District of Alabama denied class certification following a data breach which allegedly affected over 2,000 financial institutions across the country. Southern Independent, a community bank located in south

In an opinion issued today (January 25, 2019), the Illinois Supreme Court found that a Six Flags season pass holder can claim a violation of the state’s biometric privacy law based on the collection of the thumbprint of plaintiff Stacy Rosenbach’s son without permission, even without alleging any actual harm.  This is an important ruling that could impact

On January 21, 2019, the French Data Protection Authority, the Commission Nationale de l’Informatique et des Libertés (“CNIL”), announced a sanction of 50 million euros against Google.  On May 25 and 28, 2018, the CNIL received complaints from two different associations, asserting that Google did not have a valid legal basis for the processing of

The Federal Financial Institutions Examination Council (FFIEC) has issued a joint statement providing guidance for financial institutions about the role of cyber insurance in risk management of information technology systems. The FFIEC comprises the principals of the following: The Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration,

Over a dozen lawsuits have been filed by users and investors against Facebook after it was revealed last month that Cambridge Analytica, a political research firm, obtained personal information on millions of Facebook users. Cambridge Analytica obtained the data through a personality test app linked to Facebook accounts. Many of the lawsuits claim the information

On Wednesday, March 28, 2018, the Alabama Data Breach Notification Act of 2018 (SB318) was signed into law by the Governor, rounding out the roster of 50 states with data breach notification laws.  (South Dakota’s data breach notification was signed by its governor on March 21, 2018, making it the 49

A Berlin regional court recently ruled that Facebook’s use of personal data was illegal because the social media platform did not adequately secure the informed consent of its users. A German consumer rights group, the Federation of German Consumer Organisations (vzbv), said that Facebook’s default settings and some of its terms of service were in