On June 25, 2020, a federal district court in the Eastern District of Virginia held that a bank must produce in discovery a report generated by its cybersecurity forensic investigator following a 2019 data breach involving unauthorized access to personal information of customers and individuals who had applied for accounts. Even though the report was produced at the direction of outside counsel, the court rejected arguments that the forensic report is protected from disclosure by the work product doctrine. Instead, the court determined that the report was not produced primarily in anticipation of litigation based on several factors, including the similarity of the report to past business-related work product by the investigator and the bank’s subsequent use and dissemination of the report. This decision raises questions about the scope of work product protection for forensic expert and other similar reports in the context of an internal investigation. Continue Reading Federal Court Compels Production of Data Breach Forensic Investigation Report
Last month, the Financial Services Information Sharing and Analysis Center (“FS-ISAC”) warned financial services companies, and particularly smaller firms, of a substantial increase in attempted cyberattacks since the start of the COVID-19 pandemic. In particular, cyber-attacks targeted at bank employees rose in the first quarter of 2020. As of early April, FS-ISAC had also identified over 1,500 fraudulent or phishing websites designed to look like pandemic-related lending or financial support programs to deceive visitors into disclosing sensitive personal information. Continue Reading FS-ISAC Warns that Cyberattacks Against Financial Services Firms Increased Substantially in Response to COVID-19 Mitigation Efforts
On May 5, 2020, the Seventh Circuit Court of Appeals held that a plaintiff has standing to assert a claim under the Illinois Biometric Information Privacy Act (BIPA) even without alleging any economic loss or data breach. The court’s decision in Bryant v. Compass Group USA, Inc., held that merely alleging a failure to receive adequate disclosure or provide informed consent is sufficient to state a claim, potentially establishing in the Seventh Circuit a low bar for making claims under BIPA and other state statutes modeled off of it. Continue Reading The Seventh Circuit Holds That Lack of Disclosure and Informed Consent Under Biometric Information Privacy Act Satisfies Article III Standing Requirement
On May 4, 2020 the European Data Protection Board (“EDPB”) updated the guidelines on consent under the EU General Data Protection Regulation 2016/679 (the “GDPR”). The guidelines were originally published by the Article 29 Working Party on April 10, 2018 and later endorsed by the EDPB. The full text of the updated EDPB guidelines can be read here. Continue Reading Cookie Walls and Scrolling Don’t Make the Grade – EDPB Clarifies Guidance on Consent Under GDPR
On April 28, 2020, the Belgian data protection authority (the Gegevensbeschermingsautoriteit / Autorité de protection des données, the “Belgian DPA”), handed down a decision imposing a €50,000 fine on Proximus, Belgium’s largest telecommunications operator, on the ground that Proximus had failed to protect its data protection officer (“DPO”) from conflicts of interests in violation of article 38(6) of the GDPR.
In the case at hand, the Belgian DPA ruled that the conflict arose from the fact that Proximus’ DPO also fulfilled the function of director of audit, risk and compliance. The Belgian DPA discovered this when investigating the company’s organisational measures relating to the security of its data processing operations after Proximus duly self-reported a personal data breach in accordance with the GDPR. Interestingly, the breach itself did not give rise to a sanction.
The Belgian DPA’s decision expressly states that it is intended to be dissuasive. As such, it sends a message to all companies subject to the GDPR that their DPO’s strategic role should not be undermined, but rather should be at the core of their organisational structure. While non-binding guidance already existed concerning the risks of conflicts of interest arising from part-time DPO arrangements, this sanction is, to our knowledge, among the first of its kind since the GDPR became applicable. It will no doubt be invoked as a precedent by DPOs across the EU when seeking additional autonomy and responsibility, and by data protection authorities in other member states following the lead of the Belgian DPA.
Summarised below are the practical takeaways from this decision to assist organisations and DPOs in complying with their obligations under the GDPR:
- Avoid “self-monitoring” situations that lead to conflicts of interests. The ruling does not preclude DPOs from having a diverse range of backgrounds, splitting time between the DPO role and other functions, and belonging to various departments within an organisation, e.g., the compliance, audit, risk, legal, HR, or IT departments. However, according to the Belgian DPA, a DPO may not have significant operational responsibility for data processing activities carried out by those departments while also advising on, and supervising, such data processing as DPO. Putting the DPO in such a “self-monitoring” position would give rise to potential conflicts of interests that are prohibited by the GDPR. In addition, such situations also have the potential to compromise the confidentiality obligations of the DPO in further violation of the GDPR. Ultimately, the “conflict of interest” test will need to be applied on a case-by-case basis, by asking the question: “Is the DPO in charge of carrying out certain data processing activities that he/she should also be monitoring for GDPR compliance?”
- Where a DPO has multiple functions, “firewall” the DPO from determining the purposes and means of data processing. Organisations that choose to give a part-time DPO other significant operational responsibilities within a department will require a degree of creativity and self-discipline to guarantee his/her independence. A DPO would need to be suitably “firewalled” from determining the purposes and means of the data processing carried out by that department. It is therefore advisable to adopt internal rules and policies to prevent conflicts of interests of the DPO and record evidence that the DPO’s independence is actually respected in practice in the event of an investigation by the data protection authority.
- While the DPO should remain an advisor and supervisor, he/she must play an active and early role in data processing operations. Separation between the DPO’s role and operational responsibility does not imply that the DPO should remain passive when advising on the data processing operations carried out by the company. The DPO must be properly involved and consulted in data protection matters and procedures at an early stage. While the Belgian DPA ruled that Proximus had not violated that rule, it emphasized the role of the DPO in implementing the “privacy by design” principle set out in article 25 of the GDPR. For example, the DPO should be immediately involved in the risk assessment and management of personal data breaches. When a data protection impact assessment (“DPIA”) is carried out, the DPO should be consulted and involved and not merely informed of the results. It would therefore be advisable to make that clear in the company’s relevant written policies and procedures.
- Beware the unintended fallouts from personal data breach notifications. Personal data breaches are typical triggers for data protection authority investigations as they must be self-reported to data protection authorities if they are likely to result in a risk to the data subjects, which and may lead to investigations revealing possible flaws in an organisation’s technical or organisational measures. Such investigations may lead to fines for violations of GDPR that are not directly linked to the breach. Companies should be prepared by maintaining high standards of internal compliance, including by giving the DPO its proper role within the organisation but also by ensuring accountability, good record keeping, and clear policies and procedures.
- Regulators may apply higher standards to large organisations. The foregoing principles apply regardless of whether the company was under an obligation to appoint a DPO in accordance with the GDPR or national law, or has voluntarily appointed one. However, the size and nature of operations of the company will, in practice, be taken into account when assessing whether the DPO has the required skills, knowledge, expertise, and independence to exercise his or her function. In its decision, the Belgian DPA highlighted the role of Proximus as Belgium’s largest telecommunications operator, processing the personal data of millions of users on a daily basis. A large group with a data-heavy business will therefore likely be subject to higher scrutiny than a small or medium-size undertaking.
- Data protection authorities may adopt a stronger stance following the Proximus decision. The €50,000 fine issued by the Belgian DPA may appear relatively modest in comparison to the Proximus group’s reported consolidated worldwide turnover of €5.6 billion. Nevertheless, it is, to date, the largest fine issued by the Belgian DPA, which expressly stressed that its purpose was to be dissuasive. The Belgian DPA fully investigated and sanctioned the positioning of the DPO within the organisation, calling Proximus “grossly negligent” in that regard. This alone is noteworthy and the prospect of having its organisational structure challenged and publicly criticized by a data protection authority should be deterrence enough for many other similarly-situated companies.
 Article 38(6) of the GDPR provides that “[t]he data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.” Proximus announced that it will not appeal and that it will comply with the decision by reforming its DPO position.
 A “personal data breach” is defined in article 4(12) of the GDPR as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised. disclosure of, or access to, personal data transmitted, stored or otherwise processed.” Unless it is “unlikely to result in a risk to the rights and freedoms of natural persons,” it must be reported to the competent data protection authority within 72 hours after the company has been informed of the breach in accordance with article 33(1) of the GDPR.
 This emphasis is noteworthy as all individual fines imposed by data protection authorities in the European Union must, in any event, “be effective, proportionate and dissuasive” in accordance with article 83(1) of the GDPR.
 In particular, the Article 29 Working Party Guidelines on Data Protection Officers of December 13, 2016, last revised on April 5, 2017 (https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612048, the “WP Guidelines”), the essence of which was adopted by the UK’s Information Commissioner (https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-officers/), the French Commission Nationale de l’Informatique et des Libertés (https://www.cnil.fr/fr/devenir-delegue-la-protection-des-donnees#DPO4) and many other data protection authorities.
 In Germany, the Bavarian DPA levied a fine against a company in 2016 under the pre-GDPR rules for that reason. In that case, the company had appointed the IT manager as DPO. The Bavarian DPA found that such a prominent position with operative responsibility for data processing lead to the DPO effectively controlling himself contrary to the requirement of the DPO as an independent function (see https://www.lda.bayern.de/media/pm/pm2016_08.pdf — in German).
 The Belgian DPA referred to the WP Guidelines, which state that: “The absence of conflict of interests is closely linked to the requirement to act in an independent manner. Although DPOs are allowed to have other functions, they can only be entrusted with other tasks and duties provided that these do not give rise to conflicts of interests. This entails in particular that the DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data. Due to the specific organisational structure in each organisation, this has to be considered case by case.”
 Article 38(5) of the GDPR provides that “[t]he data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State law.”
 This is consistent with the WP Guidelines, which state that: “As a rule of thumb, conflicting positions within the organisation may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing.”
 Article 38(1) of the GDPR provides that “[t]he controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.”
 The Belgian DPA again referred to the WP Guidelines: “It is crucial that the DPO, or his/her team, is involved from the earliest stage possible in all issues relating to data protection. […] Ensuring that the DPO is informed and consulted at the outset will facilitate compliance with the GDPR, promote a privacy by design approach and should therefore be standard procedure within the organisation’s governance. In addition, it is important that the DPO be seen as a discussion partner within the organisation and that he or she be part of the relevant working groups dealing with data processing activities within the organisation.”
 The consolidated net revenue of the Proximus group consolidated annual accounts for the financial year ended December 31, 2019, is available at https://www.proximus.com/annualreport2019.html. It appears, however, that the Belgian DPA used the net revenue of the Proximus NV/SA legal entity in Belgium as a starting point, which amounted to €3.8 billion.
As many organisations adjust their business operations as a result of the COVID-19 pandemic, network and data security are in the spotlight. The significant increase in remote working, brings unique challenges and organisations must remain mindful of their legal obligations to keep personal data secure. In particular, the EU General Data Protection Regulation (“GDPR”) imposes a general obligation upon data controllers and processors to ensure the security of data processing against accidental or unlawful loss, damage, destruction, alteration or disclosure.
Controllers and processors must have in place appropriate technical and organisational measures to ensure a level of security for personal data that is commensurate to the risk associated with data processing. This is not a static analysis, but something to be kept under review as circumstances change. The mass shift to remote working has inevitably changed the risk profile of certain data processing activities. Set out below is a summary of important considerations from a data security standpoint, taking into account the GDPR’s requirements as well as guidance from data protection supervisory authorities in the UK, France, Belgium, Germany and Italy. Continue Reading COVID-19 Remote Working – GDPR Data Security Checklist
Earlier this year, the Cybersecurity Unit (“CsU”) of the Computer Crime and Intellectual Property Section of the United States Department of Justice released guidance for the private sector entitled “Legal Considerations when Gathering Online Cyber Threat Intelligence and Purchasing Data from Illicit Sources.” The Guidance (available here) is intended to aid private actors to assess the potential legal exposure under federal criminal law as a result of engaging in common cyber intelligence-gathering activities on the dark web. Focusing on activity on TOR-based Dark Markets, i.e., “online forums in which computer crimes are discussed and planned and stolen data is bought and sold,” CsU offers practical tips and best practices for legitimate private actors to reduce the risk of liability and other negative repercussions under federal law. Continue Reading DOJ Issues Guidance on Private Sector Intelligence Gathering Activities on the Dark Web
On April 15, 2020, the U.S. Departments of State, the Treasury, and Homeland Security, and the Federal Bureau of Investigation issued an advisory alert providing guidance on the North Korean cyber threat and steps to mitigate that threat (the “Alert”). The U.S. Government has repeatedly warned the private sector that North Korea, formally known as the Democratic People’s Republic of Korea (“DPRK”), routinely engages in malicious cyber activities and has specifically targeted financial institutions.
This Alert serves as a reminder, especially during this pandemic as businesses go remote and virtual to an unprecedented degree, that the cyber threat, including from the DPRK, remains a critical risk for all companies. Financial institutions in particular, a traditional target of North Korean cyber activity, should take steps to ensure they are protecting themselves from and responding effectively to malicious cyber intrusions. Continue Reading CISA Alert: North Korean Cyber Threat Poses Increased Risk for Financial Institutions
The UK Supreme Court, in a unanimous decision delivered on April 1, has overturned the decision of the Court of Appeal which had found that Morrisons Supermarkets plc (“Morrisons”) could be held vicariously liable for the unauthorized actions of an employee who had deliberately leaked the personal data of thousands of Morrisons’ employees online. In its judgment, the Supreme Court explained that the Court of Appeal had “misunderstood the principles governing vicarious liability”. For more information on the background of this case and the High Court and Court of Appeal judgments, please see our article here. The full text of the Supreme Court judgment can be read here. Continue Reading Relief for Employers as Supreme Court Rules no Liability in Morrisons Data Breach Case
The emergence of online, non-traditional financial service platforms creates additional avenues for terrorist groups to receive and transfer funds outside of the traditional banking system. One consequence of this trend is the potential for increased litigation against these providers under U.S. statutes that create civil liability for provision of material support to terrorists: the Anti-Terrorism Act (the “ATA”), 18 U.S.C. § 2333(a), and the Justice Against Sponsors of Terrorism Act (“JASTA”), 18 U.S.C. § 2333(d)(2).
Civil claims for damages under the ATA and JASTA have historically been brought against large banks for providing financial services to entities with alleged terrorist links. Typically in such cases, victims of a terrorist attack and/or their family members allege that the bank supported the attack by processing U.S. dollar denominated transactions to an entity with links to terrorism (often through a chain of intermediaries). In recent years, the range of entities against which ATA and JASTA claims have been brought has increasingly expanded to include companies outside of the banking sector, such as pharmaceutical companies, government contractors, and social media platforms. As terrorist groups increase their use of non-traditional financial service platforms, cryptocurrency exchanges, decentralized fintech platforms, and other similar businesses may begin to face ATA and JASTA claims. Continue Reading Online Financial Service Companies: The Anti-Terrorism Act’s Next Frontier