Browse¶

Done¶

Case write-ups that are complete and proofread.

Year	Case	Regime	Incident type
No cases yet.

Cases with full write-ups; proofreading in progress.

Year	Case	Regime	Incident type
2019	Capital One (2019) — Cloud Breach, Regulatory Enforcement, and Class Settlement	Bank regulator enforcement (OCC/Federal Reserve), Civil class action, CFAA (criminal)	Cloud misconfiguration, SSRF / metadata service abuse (reported), Data exfiltration

Cases planned next; write-ups in progress.

Year	Case	Regime	Incident type
2022	FTC v. Drizly, LLC (2022) — Credential Stuffing and Reasonable Security	FTC Section 5 (Unfairness)	Credential stuffing, Account takeover, Excessive data retention

Cases from the curated starter set; full write-ups are planned. Same chronological order and columns as above.

Year	Case	Regime	Incident type
2006	ChoicePoint, Inc. — FTC enforcement, stipulated judgment	FTC Section 5, FCRA	Data broker breach, inadequate access controls and customer vetting
2014	In re Target Corp. Customer Data Security Breach Litigation	Consumer and financial-institution class litigation (D. Minn. / 8th Cir.)	Payment card breach, POS intrusion; standing and breach-cost theories
2015	FTC v. Wyndham Worldwide Corp.	FTC Section 5 (Unfairness) — appellate	Repeated intrusions; weak passwords, segmentation, clear-text card data
2018	In the Matter of Altaba Inc., f/d/b/a Yahoo! Inc.	SEC disclosure enforcement	Delayed and inadequate cyber-incident disclosure; disclosure controls
2020	In re Equifax Inc. Customer Data Security Breach Litigation	MDL and FTC/CFPB/state regulatory settlement	Unpatched vulnerability; credit bureau data breach; consumer redress
2021	Firemen’s Retirement System of St. Louis v. Sorenson (Marriott)	Delaware Chancery — board oversight / derivative	Starwood reservation database breach; acquisition diligence, Caremark
2022	In re Capital One Consumer Data Security Breach Litigation	Consumer MDL, OCC/Federal Reserve enforcement	Cloud misconfiguration, SSRF; technology-risk and cloud governance
2024	SEC v. SolarWinds Corp. and Timothy G. Brown	SEC securities and cyber-disclosure (S.D.N.Y.; dismissed 2025)	Supply chain (SUNBURST); security statements and disclosure theories

Link	Description
Regimes	Legal and regulatory regime: FTC Section 5, SEC disclosure, bank regulators, HIPAA, GLBA, CFAA, state privacy, and others.
Incident types	What happened technically: credential stuffing, cloud misconfiguration, ransomware, third-party breach, and more.
Legal issues	Legal doctrine: unfairness, deception, materiality, standing, duty of care, remedies, and related concepts.