On October 16, 2017, the U.S. Supreme Court agreed to review a highly publicized Second Circuit decision, which held that the federal government cannot use warrants issued under the Stored Communications Act to seize customer emails stored exclusively on foreign servers.  Under the decision, Microsoft was permitted to refrain from producing emails stored on a Microsoft server in Ireland to the Justice Department.  The Justice Department had sought a court order for the production of such emails in connection with a 2013 narcotics trafficking investigation.  The Supreme Court’s opinion is expected by June 2018 and will have far-reaching implications for law enforcement’s ability to obtain electronic evidence stored outside of the U.S.

The Second Circuit’s decision in Microsoft Corp. v. United States can be accessed here.

On October 11, 2017, President Trump nominated Kirstjen Nielsen, the current White House Deputy Chief of Staff, to be Secretary of the Department of Homeland Security (“DHS”). Ms. Nielsen has significant cybersecurity experience, including through her prior roles at the Center for Cyber and Homeland Security at George Washington University and the National Cybersecurity Center. Ms. Nielsen’s background could mean that DHS will take a more active role in cybersecurity matters under her expected leadership. To read an article Ms. Nielsen previously wrote on systemic cyber risk, click here.

On October 9, 2017, the City of London announced a plan to build a new centralized court that will hear a range of criminal and civil cases, but will be primarily focused on fraud, economic crime, and cyber-crime.  The proposal comes as the Financial Conduct Authority increases its focus on cyberattacks on U.K. financial institutions, which have increased rapidly from five (5) in 2014 to eighty-nine (89) in 2016.  The proposal also signals that, post-Brexit, London will seek to maintain its status as a hub for doing business and resolving commercial disputes.  According to Catherine McGuinness, Policy Chairman for the City of London, the proposal will allow London to continue to “set the highest legal standards domestically and internationally.”

The City of London’s announcement can be accessed here.

In his remarks yesterday at the Cambridge Cyber Summit, Deputy Attorney General Rod J. Rosenstein discussed the ever-growing threat posed by cyber criminals, the DOJ’s recent successes in combating cyber threats, and how private corporations and law enforcement can collaborate in the battle against cybercrime.

As the implementation of China’s first comprehensive cybersecurity law (the “CCL”) progresses, concern is mounting in the international business community regarding the law’s expansive scope, prescriptive requirements and lack of clarity on a range of critical issues. Vocalizing such concern, on September 25, 2017, the United States government asked China to halt its implementation of the CCL and highlighted potential issues with the CCL to members of the World Trade Organization. Since the CCL’s passage, several regulations have been released by the principal agency responsible for its implementation that were intended to implement the provisions of the CCL, but in some cases appear to have further expanded its scope while leaving some critical questions unanswered. In the face of such uncertainties, foreign companies operating in China are advised to familiarize themselves with the requirements of the CCL and its implementation rules and adopt measures to enhance their preparedness for the full implementation of the CCL.

Click here to continue reading.

For additional coverage of topics related to international trade and sanctions, we invite you to subscribe to our International Trade and Sanctions Watch blog, here.

As the Equifax breach litigation gets underway, several recent decisions have widened a split on when and under what conditions customers or other affected individuals may bring claims against a company that suffers a data breach. Late last month, a D.C. federal judge dismissed a lawsuit based on the massive breach at the U.S. Office of Personnel Management (“OPM”), ruling that the theft of data alone was not enough to establish standing. The Court of Appeals for the Eighth Circuit recently issued a similar ruling, holding that plaintiffs suing the grocery retail company SuperValu had not shown that they were at greater risk of identity theft as a result of a data breach at the company and that they therefore lacked standing. In contrast to these decisions, a California federal judge allowed claims to proceed against Yahoo! based on the customer-plaintiffs’ allegations of a risk of future identity theft and loss of value of their personal identification information. The differing interpretations of the standing requirements in data breach cases will no doubt continue to be vigorously litigated and may ultimately need to be resolved by the Supreme Court.

Click here to continue reading.

Yesterday, Yahoo announced that the data breach it suffered in August 2013 was much broader than previously believed, affecting all three billion of its users.  This announcement comes on the heels of a federal judge refusing to dismiss a consumer class action against the company.  Our recent memorandum discussing that decision and other recent decisions involving data breach claims can be found here.

Additional information about the breach can be found on Yahoo’s public Q&A website on the topic: https://yahoo.com/security-update.

On September 20, 2017, SEC Chairman Clayton issued a statement after reports circulated that the SEC’s EDGAR filing system had been hacked.  Chairman Clayton disclosed that the SEC learned in August 2017 that a breach previously detected in 2016 may have resulted in illicit trading based on the hacked information.  The SEC’s statement sought to assure the market that the SEC was taking seriously the cybersecurity risks to its own systems.  This comes on the heels of the SEC stating that cybersecurity was one of its top enforcement priorities with respect to regulated entities.  In his statement discussing the SEC’s own breach, Chairman Clayton said: “We also must recognize—in both the public and private sectors, including the SEC—that there will be intrusions, and that a key component of cyber risk management is resilience and recovery.”

Click here for the full statement.

Several regulators have promptly announced investigations into the circumstances surrounding the Equifax breach. The New York Attorney General was the first to announce his office was launching an inquiry. Since then, the FTC announced it was also conducting an investigation, and the Massachusetts Attorney General brought an enforcement suit against Equifax alleging that the company knew about the vulnerabilities but failed to secure its systems. It is a near certainty that more regulators have opened or will open their own inquiries as more becomes known about the Equifax breach in the coming weeks and months.

New York Governor Andrew Cuomo announced that in response to the Equifax breach he was proposing a new NY Department of Financial Services (“DFS”) regulation that would give DFS oversight over credit reporting agencies for the first time.  To date, DFS’s cybersecurity regulations, some of the toughest in the country, have applied to financial institutions and insurance companies.  Under the proposed regulation, all consumer credit reporting agencies that operate in New York would be required to register annually with DFS beginning on or before February 1, 2018 and by February 1 of each successive year for the calendar year thereafter.  The registration form would include an agency’s officers or directors who will be responsible for compliance with DFS’s regulations.

Click here for the full statement and the proposed regulation.