On Jan. 3, the United States Court of Appeals for the Sixth Circuit issued a decision that effectively required a company to turn over materials relating to a privileged forensic data breach investigation because, the court concluded, the company had implicitly waived privilege when it disclosed certain of the forensic firm’s conclusions in response to a discovery request. The Sixth Circuit’s decision emphasizes the need for caution by litigants wishing to raise a defense that relies on privileged investigations and reports, including third-party forensic reports, or otherwise disclosing the conclusions of such investigations and reports. (more…)
On January 8, the FTC announced a settlement with VTech (a maker of electronic children’s toys) for violations of COPPA, adding to the regulatory activity mounting in the last few years around the Internet of Toys. The company agreed to pay $650,000 to settle allegations that its Kid Connect app and its Learning Lodge platform collected personal information from almost 3,000,000 children without providing direct notice and obtaining their parent or guardian’s consent. (more…)
This past year was marked by ever more significant data breaches, growing cybersecurity regulatory requirements at the state and federal levels and continued challenges in harmonizing international privacy and cybersecurity regulations. We expect each of these trends to continue in 2018.
As we begin this New Year, here is list of the top 10 privacy and cybersecurity issues for 2018: (more…)
On 10 October 2017, Jamaica introduced into its House of Parliament a comprehensive Bill for privacy and data protection, entitled “An Act to Protect the Privacy of Certain Data and for Connected Matters.” The new law would cover personal data, including data in an “accessible record” such as a health record or an educational record. If passed, the new law will be named the “Data Protection Act, 2017.” (more…)
*Article first appeared in Corporate Board Member on November 7, 2017
At a time when a major cybersecurity incident can cost a company millions, it’s crucial that acquiring companies give cybersecurity the same level of scrutiny as they do more traditional risks and opportunities in the M&A due diligence process. Yet too many deals suffer from superficial consideration of these issues.
Why the disconnect? Unlike other areas where companies face legal and regulatory implications, in-house and outside legal teams often lack well-developed methods to analyze cybersecurity risks, too often considering them technical issues beneath the notice of the bankers and lawyers. In many cases, deal teams lack the skill sets to analyze the issues effectively and cannot even speak the language of the CIOs and CISOs well enough to spot “alternative facts.” Boards need to ensure that they or their advisers—preferably both—have sufficient skills to assess cybersecurity risks and ask the right questions. (more…)
*This post originally appeared in BNA’s Corporate Law & Accountability Report on November 6, 2017.
Cyberattacks and data breaches are increasingly the subject of front-page headlines and can have material effects on our personal lives. And yet, reports suggest that many corporate directors and managers remain relatively unaware of important cybersecurity issues, risks, and strategies that directly relate to their organizations.
For example: imagine that your company has fallen victim to a successful cyberattack and customer data was stolen. In the aftermath, the securities plaintiffs’ bar undoubtedly will be searching for stockholders to(among other things) pursue claims for violations of state and federal securities laws and/or for breaches of fiduciary duty against the company’s board. Are you, your colleagues, managers, and directors prepared to respond to and manage this type of incident and the subsequent litigation and regulatory investigations? Have you documented your diligence in governing cybersecurity risk? For many, the answer may be no.
This article discusses the scope of this problem, how it can directly impact you and your company, and steps you can take now to help prepare for the unknown. It is certainly true that even the best cybersecurity programs cannot guarantee deterrence of all attacks. But such programs unquestionably mitigate the risk of a breach, support organizational resilience, and help control the fallout should one occur.
The EU-U.S. Privacy Shield has survived its infancy, although the October 18, 2017 European Commission report on its first annual review of the functioning of the EU-U.S. Privacy Shield (the “Report”) leaves uncertainty as to the long-term future of EU-U.S. Privacy Shield if the U.S. is unwilling or unable to adopt further Commission “recommendations”. The Report details the Commission’s findings on the implementation and enforcement of the Privacy Shield during its first year of operation. (more…)
On August 7, 2017, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a cybersecurity Risk Alert summarizing its observations from its second cybersecurity survey of financial services firms. Overall, OCIE observed increased cybersecurity preparedness since its first 2014 “Cybersecurity 1” Initiative, but also the SEC noted a number of areas where compliance and oversight merit attention. Perhaps the most general observation from the “Cybersecurity 2” risk alert is that, while the OCIE noted that most firms now have written policies and procedures, the message was clear that simply having a generic policy is not adequate. Firms must instead have policies that are adapted to their actual operations as well as procedures that demonstrate the implementation of these policies and documented results of compliance with those procedures. (more…)
The D.C. Circuit recently widened a significant circuit split regarding standing in data breach cases by overturning a district court’s dismissal of a complaint for lack of standing. See Attias v. CareFirst, Inc., D.C. Cir. No. 16-7108.
Courts have long been occupied by the question of whether the mere fact of having personal information subject to unauthorized acquisition is, in itself, an injury sufficient for standing. Hopes were high that the Supreme Court would resolve the issue in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016). In that case, the Supreme Court held that plaintiffs who allege violations of statutes that contain a private right of action and statutory damages must establish not only “invasion of a legally protected interest,” but also that they suffered a “concrete and particularized” harm, in order to satisfy Article III’s standing requirement. Defense counsel were cheered by the restatement of the law of standing, but plaintiffs have argued that Spokeo opened the door for even the most minor of statutory violations even in the absence of quantifiable damage. The Spokeo ruling has had substantial but unpredictable implications for data breach litigation. Federal courts of appeals have subsequently reached different conclusions about how Spokeo applies to allegations of an increased risk of identity theft following a data breach with several circuits overtly splitting over the issue. (more…)