Browse¶

Done¶

Case write-ups that are complete and proofread.

Year	Case	Regime	Incident type
No cases yet.

Cases with full write-ups; proofreading in progress.

Year	Case	Regime	Incident type
2019	Capital One (2019) — Cloud Breach, Regulatory Enforcement, and Class Settlement	Bank regulator enforcement (OCC/Federal Reserve), Civil class action, CFAA (criminal)	Cloud misconfiguration, SSRF / metadata service abuse (reported), Data exfiltration
2022	FTC v. Drizly, LLC (2022) — Credential Stuffing and Reasonable Security	FTC Section 5 (Unfairness)	Credential stuffing, Account takeover, Excessive data retention

Cases planned next; write-ups in progress.

Year	Case	Regime	Incident type
2006	ChoicePoint, Inc. — FTC enforcement, stipulated judgment	FTC Section 5, FCRA	Data broker breach, inadequate access controls and customer vetting
2020	In the Matter of Zoom Video Communications, Inc.	FTC Section 5 (Deception, Unfairness)	Misrepresentation of encryption (e.g., "end-to-end"); unencrypted storage of recordings; undisclosed software installation; inadequate security program

The following are planned. Same chronological order and columns as above.

Year	Case	Regime	Incident type
2014	In re Target Corp. Customer Data Security Breach Litigation	Consumer and financial-institution class litigation (D. Minn. / 8th Cir.)	Payment card breach, POS intrusion; standing and breach-cost theories
2015	FTC v. Wyndham Worldwide Corp.	FTC Section 5 (Unfairness) — appellate	Repeated intrusions; weak passwords, segmentation, clear-text card data
2018	In the Matter of Altaba Inc., f/d/b/a Yahoo! Inc.	SEC disclosure enforcement	Delayed and inadequate cyber-incident disclosure; disclosure controls
2020	In re Equifax Inc. Customer Data Security Breach Litigation	MDL and FTC/CFPB/state regulatory settlement	Unpatched vulnerability; credit bureau data breach; consumer redress
2021	Firemen’s Retirement System of St. Louis v. Sorenson (Marriott)	Delaware Chancery — board oversight / derivative	Starwood reservation database breach; acquisition diligence, Caremark
2024	SEC v. SolarWinds Corp. and Timothy G. Brown	SEC securities and cyber-disclosure (S.D.N.Y.; dismissed 2025)	Supply chain (SUNBURST); security statements and disclosure theories

Link	Description
Regimes	Legal and regulatory regime: FTC Section 5, SEC disclosure, bank regulators, HIPAA, GLBA, CFAA, state privacy, and others.
Incident types	What happened technically: credential stuffing, cloud misconfiguration, ransomware, third-party breach, and more.
Legal issues	Legal doctrine: unfairness, deception, materiality, standing, duty of care, remedies, and related concepts.