Last week, the Second Circuit affirmed the dismissal for lack of Article III standing a proposed class action against a health services provider that mistakenly disclosed personally identifiable information (“PII”). In its opinion, the Second Circuit held that plaintiffs may establish Article III standing based on an increased risk of identity theft or fraud following an unauthorized disclosure of their data, but that the standard was not met based on the facts presented. The decision, which is the first time the Second Circuit has explicitly adopted this standard, has potentially important implications going forward for data breach cases.
On April 28, 2021, the U.S. Federal Trade Commission (“FTC”) published a blog post reminding corporate boards of directors of their responsibility to oversee data security issues and ensure that consumer and employee data are protected. The FTC’s post is a continuation of its efforts to “elevate data security considerations to the C-Suite and Board level.”
By way of background, the FTC noted that it has continued to challenge companies’ data security practices on the grounds of allegedly deceptive or unfair conduct. The Commission is also actively reviewing certain data security rules targeted at safeguarding health records and consumer information held by financial institutions.
Last month, the Virginia Consumer Data Protection Act was signed into law, making Virginia the second state in the nation to enact comprehensive data privacy legislation. The Act resembles and adopts some terms from the California Consumer Privacy Act (“CCPA”); the California Privacy Rights Act of 2020, which amends and expands the CCPA; and the European Union’s General Data Protection Regulation (“GDPR”). However, the Act contains a number of distinctive provisions, compliance with which will require covered entities to adjust their privacy policies and practices, even if they are already CCPA and GDPR compliant, rendering the existing patchwork of state and national privacy laws even more complex.
Please click here to read our full alert memorandum summarizing key elements of the Act and highlighting key similarities and differences with the CCPA and GDPR.
On 11 February 2021, the Abu Dhabi Global Market (“ADGM”), Abu Dhabi’s financial free zone, enacted the new Data Protection Regulations 2021 (the “Regulations”), replacing the Data Protection Regulations 2015 in their entirety and bringing the ADGM regime closer to the European Union’s data protection regime under the General Data Protection Regulation (“GDPR”).
Our alert memo, published at the end of 2020 following the ADGM’s opening of a public consultation period on the draft Data Protection Regulations 2020 (the “Draft Regulations”), provides an overview of the key features of the Draft Regulations, areas of overlap with the GDPR, as well as certain proposed departures from the GDPR that will need to be monitored by organisations doing business in both the ADGM and the European Union.
The Regulations are applicable to those processing personal data where a controller or processor has been established in the ADGM, regardless of whether the processing actually takes place in the ADGM or not.
We set out below an update to our alert memo, highlighting the few notable additions/amendments to the Draft Regulations as compared with the final Regulations published on 11 February 2021.
Last month, the United States District Court for the Southern District of New York granted a motion to dismiss in In re Fed Ex Corp. Securities Litigation, a putative class action securities fraud case filed against FedEx following numerous disclosures in 2017 and 2018 regarding the impact of a Russian cyberattack on its recently acquired subsidiary, TNT Express Services B.V (“TNT”). The court held that the complaint failed to adequately plead that FedEx had made any material misrepresentations or had the requisite scienter. FedEx’s successful defense against the lawsuit highlights the importance for companies to consider their disclosure obligations following a cyber-incident and carefully tailor their disclosures to account for their risks and accurately reflect the consequences of the incident. Continue Reading District Court Dismisses Securities Fraud Claim Against FedEx Concerning Disclosures About NotPetya Cyberattack
Last month, the Eleventh Circuit Court of Appeals dismissed claims brought in a putative class action seeking damages for disclosure of credit card information in a data breach resulting from a cyberattack. In I Tan Tsao v. Captiva MVP Restaurant Partners, LLC., the court held that the named plaintiff could not establish standing to sue based on allegations that the data breach created a “continuing increased risk of harm from identity theft and identity fraud” or that the plaintiff took affirmative steps to mitigate such potential harm.  This decision follows the reasoning set forth in the court’s recent en banc decision in Muransky v. Godiva Chocolatier, Inc, in which similar allegations were rejected as insufficient to support standing in a case seeking statutory damages from technical violations of the Fair and Accurate Credit Transactions Act, and adds to the circuit split on the issue. Continue Reading 11th Circuit Rejects Standing Based on Heightened Risk of Identity Theft in Data Breach Suit
On February 18, 2021, the U.S. Department of the Treasury, Office of Foreign Assets Control (OFAC) announced a $507,375 settlement with BitPay, Inc. (BitPay), a payment processor for merchants accepting digital currency as payment for goods and services, for 2,102 apparent violations of multiple sanctions programs between 2013 and 2018. The settlement highlights that financial service providers facilitating digital currency transactions must not only establish sanctions compliance programs to screen their own customers but also must monitor third-party non-customer transaction information. Continue Reading OFAC Settles with Digital Currency Payment Processor for Sanctions Violations
On March 3, 2021, the U.S. Securities and Exchange Commission (“SEC”) Division of Examinations (the “Division”)—formerly the Office of Compliance Inspections and Examinations—released its 2021 Examination Priorities (“2021 Priorities”). The 2021 Priorities generally retain perennial risk areas as the Division’s core focus, but do include several new and emerging risk areas reflecting broader policy shifts under new SEC leadership.
The 2021 Priorities include: retail investors; information security and operational resilience; financial technology (“Fintech”), including digital assets; anti-money laundering; transition from the London Inter‑Bank Offered Rate (“LIBOR”); several areas covering registered investment advisers and investment companies; market infrastructure; and oversight of the Financial Industry Regulatory Authority and Municipal Securities Rulemaking Board programs and policies. Although not formal priorities, the Division will also focus on climate-related risks and environmental, social and governance (“ESG”) matters in light of recent market developments and broader attention in these areas. Continue Reading Turning the Page: Highlights of the SEC’s Division of Examination’s 2021 Priorities
After what appears to be a period of relative leniency in 2018/19, enforcement actions for violations of the EU General Data Protection Regulation (“GDPR”) have since intensified. In 2020, according to publically available information, supervisory authorities across the EU and the UK Information Commissioner’s Office (“ICO”) have issued over EUR 170 million worth of fines combined, with six of the top ten individual fines imposed being issued in 2020. Continue Reading Ready to Pounce: Regulators Are Intensifying GDPR Enforcement
In a decision with potentially far-reaching implications, Alasaad v. Mayorkas, Nos. 20-1077, 20-1081, 2021 WL 521570 (1st Cir. Feb. 9, 2021), the First Circuit recently rejected First and Fourth Amendment challenges to the U.S. government agency policies governing border searches of electronic devices. These policies permit so-called “basic” manual searches of electronic devices without any articulable suspicion, requiring reasonable suspicion only when officers perform “advanced” searches that use external equipment to review, copy, or analyze a device. The First Circuit held that even these “advanced” searches require neither probable cause nor a warrant, and it split with the Ninth Circuit in holding that searches need not be limited to searches for contraband, but may also be used to search for evidence of contraband or evidence of other illegal activity. This decision implicates several takeaways for company executives entering and leaving the United States, particularly if they or their employers are under active investigation. In-house counsel in particular should consider the implications of the decision given obligations of lawyers to protect the confidentiality of attorney-client privileged information.