Illinois Supreme Court Clarifies Statute of Limitations for Illinois Biometric Privacy Act Claims: Five Years
Last week, the Illinois Supreme Court held that a five-year statute of limitations applies to all claims under the Illinois Biometric Privacy Act (BIPA), further expanding the already broad scope and application of the Illinois statute.
Uber Data Breach Results in Corporate Cooperation and Executive Conviction
On October 5, 2022, a federal jury in the Northern District of California convicted former Uber Chief Security Officer Joseph Sullivan of obstructing a federal proceeding and misprision of a felony for his role in deceiving management and the federal government to cover up a 2016 data breach that exposed personally identifiable information (“PII”) of approximately 57 million users, including approximately 600,000 drivers’ license numbers, of the ride-hailing service. Sullivan, a former federal prosecutor, appears to be the first corporate executive criminally prosecuted—let alone convicted—for his response to a data security incident perpetrated by criminals. Sullivan faces a maximum of five years in prison for the obstruction charge, and a maximum of three years in prison for the misprision charge.
Caremark’s Comeback Includes Potential Director Liability in Connection With Data Breaches
A Caremark-based claim against a board of directors alleging a failure to monitor corporate operations has been said to be “the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment,” or at least to withstand a motion to dismiss. Yet Caremark has taken on renewed importance — as noted by this blog — following recent high-profile successes on duty-to-oversee claims, most notably in Marchand v. Barnhill in 2019 and In re Boeing in September 2021. Recent shareholder lawsuits asserting Caremark claims now allege that data breach- and cybersecurity-related failures would have been preventable were it not for oversight failures by corporate officers and directors.
DOJ Deploys the FCA on Cybersecurity Fraud
This article originally appeared in Law360 on November 3, 2021.
Sidley lawyers Brenna Jenny and Sujit Raman recently published an article in Law360 entitled How To Minimize FCA Cyber Fraud Enforcement Risk, which analyzes the implications of DOJ’s recent formation of a Civil Cyber-Fraud Initiative to use the FCA to pursue cybersecurity-related fraud. Although the Initiative focuses generally on government contractors and grant recipients—and does not, by its terms, impose any new cybersecurity requirements—the project promises in particular to attract whistleblowers in the defense industry, as recent years have witnessed high-profile FCA cases implicating alleged cybersecurity non-compliance in that sector. The healthcare industry may also see a marked increase in cybersecurity-related qui tams, especially in light of a recent Department of Health and Human Services Office of Inspector General report taking the Centers for Medicare & Medicaid Services to task for failing to hold hospitals accountable for the cybersecurity of their networked devices. Healthcare providers and medical device manufacturers, in addition to other government contractors and grantees, would do well to heed DOJ’s warning that “cybersecurity failures…are prime candidates for potential False Claims Act enforcement.”
How Artificial Intelligence Manufacturers Can Protect Themselves Against Future Negligence Claims
Innovative medical devices have changed the healthcare landscape and will continue making dramatic improvements in patient care. Nevertheless, the growth of such devices will inevitably lead to increased litigation over their alleged failures. All companies developing healthcare tech therefore need to consider measures to protect themselves against potential claims.
Swiss Data Protection Authority Concludes Swiss-US Privacy Shield No Longer Valid for Swiss-US Transfers
Following the Court of Justice of the European Union’s (“CJEU”) decision in Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (“Schrems II”), the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) concluded in a position paper published on 8 September that the Swiss-US Privacy Shield no longer provides a valid mechanism for the transfer of personal data from Switzerland to the US.