Alexis Collins’ practice focuses on litigation, including criminal and regulatory enforcement matters and complex civil and antitrust litigation.

On the heels of the European Union’s implementation of the General Data Protection Regulation (“GDPR”) and public outcry over the Cambridge Analytica scandal, on June 28, 2018, California enacted the most comprehensive data privacy law to date in the United States. The California Consumer Privacy Act of 2018 (the “CCPA”) was hastily passed by the California legislature to secure the withdrawal of an even more far-reaching measure that had qualified for the November ballot. Legislative amendments to the law are expected before it goes into effect on January 1, 2020.

The CCPA requires covered businesses to comply with requirements that give California consumers broad rights to know what personal information has been collected about them, the sources for the information, the purpose of collecting it, and whether it is sold or otherwise disclosed to third parties. It also gives consumers the right to access personal information about them held by covered businesses, to require deletion of the information and/or to prevent its sale to third parties. Other key provisions limit the ability of a covered business to discriminate against consumers who exercise their rights under the statute by charging them higher prices or delivering lower quality products or services.  The rights provided under the CCPA are similar in many respects to those afforded EU residents under the GDPR, but there are distinctions in approach on some key issues.

On June 27, 2018, Equifax Inc., the credit reporting agency, agreed to implement stronger data security measures under a consent order with the New York State Department of Financial Services (“NYDFS”) and seven other state banking regulators.[1] The order imposes detailed duties on Equifax’s Board of Directors in response to criticisms raised by the regulators during an examination of Equifax’s cybersecurity and internal audit functions.  The examination followed the company’s massive 2017 data breach, which exposed sensitive personal information of nearly 148 million customers.  Equifax agreed to the order without admitting or denying any charges of “unsafe or unsound information security practices.”

On June 22, 2018, the United States Supreme Court decided Carpenter v. United States, in which it held that the government must generally obtain a search warrant supported by probable cause before acquiring more than seven days of historical cell-site location information (“CSLI”) from a service provider. Noting “the deeply revealing nature of CSLI, its depth, breadth, and comprehensive reach, and the inescapable and automatic nature of its collection,” the Court held that an individual “maintains a legitimate expectation of privacy in the record of his physical movements captured through CSLI” that warrants Fourth Amendment protection. While the Court sought to construe its decision narrowly, the reasoning of the majority and Justice Gorsuch in his dissent raise significant questions about whether and to what extent individuals may have a reasonable expectation of privacy or possessory interest in other sensitive personal data held by third parties beyond the CSLI at issue in Carpenter.

In recent years, the Federal Trade Commission (“FTC”) has taken the lead among federal agencies in regulating the cybersecurity practices of companies that handle consumer personal information. The FTC has entered into numerous consent orders and other settlements with regulated companies that broadly require implementation and maintenance of information security programs that are “reasonably designed” to protect security and confidentiality of consumer information. A federal appeals court has now cast doubt on the viability of such orders. In a ruling issued on June 6, 2018, the Eleventh Circuit vacated a cease-and-desist order against LabMD, Inc. (“LabMD”) as unenforceable because it found that the order commanded an overhaul of the company’s data security program without providing a reasonably definite standard by which a court could determine compliance.

On April 18, 2018, government officials and cyber industry experts gathered in Washington, D.C., for the 2018 Incident Response Forum addressing legal and compliance challenges that arise following a data breach. At the conference, representatives from the SEC, DOJ, FTC, and other federal and state enforcement agencies discussed their top data breach-related concerns and enforcement priorities. Representatives spoke in their own capacity and were not making official agency statements, but their opinions can provide useful insight into agencies’ decision-making processes and substantive views.

On April 12, 2018, the U.S. Federal Trade Commission (“FTC” or “Commission”) announced an agreement with Uber Technologies, Inc., to expand an August 2017 settlement regarding a 2014 data breach to include new violations arising from a second data breach that Uber discovered in 2016 but did not publicly disclose for over one year.  The revised settlement order imposes new notification, reporting, and records retention obligations on Uber for up to 20 years regarding third-party audits of its privacy program, future data breaches involving personal data, and its bug bounty program.  The proposed settlement order will be open for public comment for 30 days, after which time the Commission is likely to make the order final.

In August 2017, Uber entered into a consent agreement with the FTC related to a data breach that occurred three years before. The complaint resolved by the 2017 settlement order alleged that, in May 2014, an intruder used an access key publicly posted on the website GitHub to access sensitive personal information of Uber drivers (whom the FTC treats as consumers) that Uber stored with a cloud provider. This information allegedly included unencrypted names, driver’s license numbers, bank account and routing numbers, and Social Security numbers. The FTC alleged that Uber had failed to (1) “implement reasonable access controls” to safeguard personal data of drivers and riders stored in the cloud, (2) implement reasonable security training and guidance, (3) maintain a written security program, and (4) encrypt certain information stored with the cloud provider. The complaint charged that Uber’s representations about the security of, and internal monitoring and auditing regarding access to, consumers’ personal information were false or misleading in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a).

In the 2018 complaint, the FTC alleges that Uber contemporaneously discovered a second data breach that had occurred in the fall of 2016, in the midst of the FTC’s nonpublic investigation into the 2014 breach. According to the complaint, intruders used an access key that had been posted to a private repository associated with GitHub to download unencrypted files containing personal data of U.S. riders and drivers, including approximately “25.6 million names and email addresses, 22.1 million names and mobile phone numbers, and 607,000 names and driver’s license numbers.”

In an indictment unsealed on March 23, 2018, the Department of Justice (DOJ) brought criminal charges against nine Iranian nationals affiliated with the Mabna Institute in Iran, alleging computer intrusion, fraud, and aggravated identity theft.[1] Prosecutors charged the defendants with conspiring to steal a massive amount of intellectual property from universities, private companies, and government institutions worldwide, obtaining more than 31 terabytes of data. The defendants allegedly acted on behalf of the Islamic Revolutionary Guard Corps (IRGC), which is an arm of the Iranian government whose responsibilities include foreign operations and intelligence gathering. In addition to the announced charges, the nine defendants and the Mabna Institute were also designated for sanctions by the Treasury Department, Office of Foreign Assets Control, pursuant to Executive Order 13694 “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities.”[2]

In the first criminal charges brought in connection with the Equifax data breach, the United States Attorney for the Northern District of Georgia announced yesterday the indictment of Jun Ying, a former Chief Information Officer of a U.S. business division of Equifax, on charges of insider trading in violation of federal securities laws. At the same time, the SEC announced parallel civil charges against Ying. Both the indictment and the SEC complaint allege that Ying was not specifically informed that Equifax had been breached, but, as a result of his position, was made aware of enough confidential information to—according to his own contemporaneous text messages—“put 2 and 2 together” to infer that “[w]e may be the one breached.” After deducing this material information, Ying allegedly conducted internet research on the 2015 data breach of Experian, another major credit bureau, and its negative impact on Experian’s stock price. Immediately following his internet search, Ying allegedly exercised all of his vested stock options and sold those Equifax shares for a total of $950,000 in proceeds, avoiding more than $117,000 in losses that he would have incurred had he still been holding the shares at the time the data breach was publicly announced more than a week later. The SEC is seeking disgorgement of an amount equal to the losses Ying allegedly avoided, civil monetary penalties, an order barring Ying from ever serving as an officer or director of a public company, and an injunction enjoining Ying from further violating the federal securities laws. The indictment charges Ying with two counts of criminal securities fraud, which, if he is convicted, carry a maximum sentence of 45 years.

Cyberattacks have increased in scope and severity over the past few years, including the widespread WannaCry ransomware attacks and the Equifax breach in which the personal data of over 140 million people may have been stolen. Due to the increasing number of breaches and the difficulties that law enforcement faces in responding to these events in a timely manner, a bill has been proposed in the U.S. Congress that seeks to empower private actors to use cyber defensive measures outside the boundaries of their networks. Rep. Tom Graves (R-Ga.) introduced the Active Cyber Defense Certainty Act (the “Act”) to protect from criminal prosecution companies that use certain countermeasures against cyber intrusions.[1] Whether or not this legislation is ultimately adopted, it highlights some of the unique difficulties in effectively addressing cybercrime and the ongoing efforts by the government to enlist the aid of the private sector.