Technology

New York’s Attorney General Letitia James recently secured a $1.9 million settlement from online retailer Zoetop Business Company, Ltd. to settle allegations that Zoetop had improperly handled a 2018 data breach and subsequent consumer notification. The scrutiny given to Zoetop provides insights into the NYAG’s expectations around breach investigations and response.
Continue Reading Lessons From New York AG Scrutiny of Breach Investigation and Response

We have previously posted about the SEC lawsuit against LBRY. In that post, we noted that while the crypto community is rightfully focused on the Ripple case to see how the SEC will fare in court on enforcements alleging cryptocurrency offerings are a security, a lesser-known case may provide clarity first. And today that came to be. The federal district court in the LBRY case granted summary judgment in favor of the SEC. In so ruling, the Court found no reasonable trier of fact could reject the SEC’s contention that LBRY offered LBC as a security, and LBRY does not
Continue Reading Federal Court Rules LBRY Offered Security and Rejects Arguments SEC Did Not Provide Fair Notice

The FTC recently took action against the online alcohol marketplace company Drizly and its CEO for alleged security failures. The case arose from a 2018 data breach which was caused – according to the FTC – by poor security measures stemming from the company’s alleged failure to devote sufficient resources or attention to data security.
Continue Reading FTC Action Against Drizly and CEO Provides Insight Into Its Security Expectations

We previously blogged about the NFT insider trading case against Nathaniel Chastain. He was charged with wire fraud and money laundering in connection with a scheme to commit “insider trading” in Non-Fungible Tokens (“NFTs”) by using confidential information about what NFTs were going to be featured on a marketplace homepage for his personal financial gain. Despite referring to this case as insider trading, there was no allegation that the NFTs at issue were securities. This caused many in the NFT community to question whether this activity could be illegal if the NFTs were not securities. In fact, there was a
Continue Reading NFT Insider Trading Charge Doesn’t Require the NFT To Be a Security

In a recent settlement with the New York Department of Financial Services, EyeMed Vision Care LLC agreed to pay a $4.5 million penalty and undertake remedial measures to increase its cybersecurity. This includes undertaking an action plan based on a comprehensive risk assessment, subject to the review and approval of NYDFS.
Continue Reading NYDFS’s $4.5 Million EyeMed Cyber Settlement Reminder To Industry

The White House recently hosted a group of industry and government partners to discuss the development and implementation of an Internet of Things (IoT) labeling program. This program would develop a common label to help consumers easily recognize which devices meet the highest cybersecurity standards to protect against vulnerabilities. 
Continue Reading White House Aims for Spring 2023 Rollout of Internet of Things Labeling Program

On October 18, the CFPB sued a software company for utilizing its online payment platform to enroll unknowing consumers into annual subscriptions through deceptive acts and “dark pattern” techniques in violation of the CFPA and EFTA. Among other things, the complaint alleges that the company encouraged consumers to unknowingly enroll in free trials and converted the free trials into annual subscriptions through a “negative option” renewal policy (our sister blog covered “negative option” marketing in a previous post here). During this process, the company allegedly collected consumers’ registration information and consumer payments data (e.g., credit or debit card number) so
Continue Reading CFPB Sues Payment Platform Over Dark Patterns

The ICO, Britain’s privacy authority, recently issued reprimands to seven organizations citing multiple failures of the organizations to respond to data subject access requests either within the statutory time frame or at all. Recognized as one of the fundamental rights under numerous data protection laws, data or subject access requests (“DSARs”) provide a mechanism by which a consumer can request that an organization explain what personal information it has about that consumer, and how such information is used and shared. This requirement exists under UK GDPR, mirroring the GDPR requirement.

Organizations generally have thirty to forty-five days to respond to a
Continue Reading UK Reprimands Companies For Failing to Keep Up with Access Requests

Companies that participate in the AdTech and digital advertising ecosystem are very familiar with the Interactive Advertising Bureau and its form advertiser agreements. Those agreements can help streamline negotiations, presenting the parties with, essentially, a pre-negotiated approach to common issues. When CCPA was passed, IAB updated its form to address that law and address consumer notice and consent. With the upcoming laws in California, Colorado, Connecticut, Utah and Vermont, the document is now outdated.
Continue Reading IAB Steps In State Signal Morass

The talk of “opt-out preference signals” or global privacy controls (GPC) has been increasing as companies dig into the forthcoming requirements under US “comprehensive” privacy laws. What is an opt-out preference signal? An “opt-out preference signal,” also known colloquially as “GPC,” is a signal sent by a platform or technology on behalf of a consumer that communicates the consumer’s choice to opt out of sale or sharing. Below, we summarize how each of the states treats this requirement.
Continue Reading Comparing and Contrasting the Opt Out Preference Signal Across States

On September 26, 2022, New York Attorney General Letitia James (the “NYAG”) took definitive action in the wake of her warning last year that crypto lending platforms must register with her office or face legal action, filing a complaint against Nexo Inc. and Nexo Capital, Inc. (collectively “Nexo”) alleging that Nexo violated New York’s Martin Act and Executive Law by acting as an unregistered securities and/or commodities broker-dealer within the state. Specifically, the complaint alleges that Nexo improperly offered and sold securities and commodities by allowing users to purchase, sell, deposit, trade, borrow against, and earn interest on virtual currency,
Continue Reading NYAG Delivers on Promise to Rein In Unregistered Crypto Lending with New Suit

President Biden signed a new executive order on Friday, with a framework that seeks to replace the existing Privacy Shield program. That program was found to be an invalid mechanism for transferring personal data between the EU and the US in 2020 (the Schrems II decision). Since then, companies have struggled to establish an appropriate mechanism for transfer of information from the EU to the US.
Continue Reading EU To Review New EU-US Data Transfers Framework