Romaine Marshall helps clients protect their data, businesses, and reputations from cybersecurity and privacy incidents.
As a cybersecurity and privacy lawyer, he works with clients to properly secure and use electronic data, develop industry-specific cybersecurity programs, conduct risk assessments and internal privacy audits, and respond to regulatory investigations. He has represented clients in more than 100 incidents involving data breaches, ransomware, malware attacks, security misconfigurations, wire fraud, software vulnerabilities, social engineering, and other exploits.
Digital transformation, the process of leveraging technology, people and processes to innovate, requires an “all-in, ongoing commitment to improvement.” But the main drivers of digital transformation – data and profits – don’t always mesh seamlessly. As shown by recent class actions filed against Blackbaud and Morgan Stanley, and a settlement with the New York Attorney General … Continue Reading
Digital transformation refers to the process of leveraging technology, people and processes to innovate or stay competitive. The main driver of this process is often data. For a vivid illustration see Data Never Sleeps, an infographic released by Domo, a leading business analytics company. While executing digital transformation the right way can lead to great … Continue Reading
March 2020 will long be remembered as the month and year of en masse shutdowns. But the pandemic has done little if anything to slow new cybersecurity and data privacy laws. As highlighted below, regulations for one have been submitted (CA), another has gone into effect (NY), and yet another has been proposed (CA). California … Continue Reading
By Romaine Marshall and Jose Abarca on Posted in Data Breach
Last July, Capital One announced that an outside individual gained unauthorized access to information belonging to 100 million individuals in the United States and approximately six million in Canada. Within days, lawsuits were filed nationwide asserting an assortment of claims relating to the data breach. Last week, in a class action filed in Virginia a … Continue Reading
A “novel” virus is one that has not been previously identified, according to the Centers for Disease Control and Prevention. In 2000, like the COVID-19 virus that was officially named on February 11, 2020, the ILOVEYOU virus became a global pandemic for data systems. Within days, millions of computers were infected as the virus compromised … Continue Reading
As this recent article illustrates, many ransomware operators are now collecting information from victims before encrypting their data, and then threatening to release what they’ve collected – or actually releasing some of it – to increase the chance they’ll get paid. There have been many cases already where at least a portion of data has … Continue Reading
Last year the FTC mandated what an organization’s written cybersecurity program should include to avoid being deemed “unfair and deceptive” to consumers, and this year California consumers whose personal information is compromised may file lawsuits against organizations that failed to implement “reasonable security.” But several states provide legal safe harbors to organizations with written cybersecurity programs. … Continue Reading
As states fill the legal void for consumer privacy rights, a new federal standard has emerged to assist companies with their compliance efforts. The National Institute of Standards and Technology (“NIST”) Privacy Framework (“PF”) was released last month to help organizations manage the risks associated with their data processing activities. What the PF Does The … Continue Reading
Under the California Consumer Privacy Act, any California consumer whose personal information is compromised “as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices … may institute a civil action.” Consumers can initiate this private right of action right now, whereas other consumer rights can only … Continue Reading
On January 1, 2020, if your company sells goods or services to California consumers and meets certain criteria, the agreements you have with companies that handle personal information on your behalf should be analyzed and, if necessary, updated just as your privacy notices should be updated. Examples of companies that handle personal information on a … Continue Reading
For Cybersecurity and Privacy, “What Are the Industry Standards? Are We Meeting Them?” These are questions the FTC Chairman, Joseph Simons, strongly suggested a CEO must ask before a data breach occurs to avoid the prospect of personal liability. These questions and statements by other commissioners emphasizing the FTC’s role – to bring about a … Continue Reading
What the FTC Wants, the FTC (Mostly) Gets In recent weeks the Federal Trade Commission has been on a tear. As one example, on July 22 it announced a $700 million settlement with Equifax for “the 2017 data breach that jeopardized the personal data of a staggering 147 million people.” But it is a decision … Continue Reading