On November 18, 2021, the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), and the Board of Governors of the Federal Reserve System (Board) announced a final rule requiring banking organizations to notify their primary regulator of certain significant computer-security incidents as soon as possible and no later than 36 hours after they occur.[1] The rule separately requires bank service providers to notify their bank customers if they experience a cyber incident that causes, or is reasonably likely to cause, a material disruption of services that lasts for four or more hours.
Continue Reading Banking Regulators Approve Final Rule Establishing Cyber Incident Notification Requirements
The Centennial State Claims a New Number: Colorado to Become Third State in the U.S. to Enact Comprehensive “Privacy Act”
Colorado is set to become the third state in the nation to enact comprehensive privacy legislation with the passing of SB 21-190, more commonly known as the Colorado Privacy Act (“ColoPA” or the “Act”). Governor Jared Polis is expected to sign the ColoPA into law in the coming days, after which
Second Circuit Articulates Injury Standard in Data Breach Suits
Last week, the Second Circuit affirmed the dismissal for lack of Article III standing a proposed class action against a health services provider that mistakenly disclosed personally identifiable information (“PII”). In its opinion, the Second Circuit held that plaintiffs may establish Article III standing based on an increased risk of identity theft or fraud following an unauthorized disclosure of their data, but that the standard was not met based on the facts presented. The decision, which is the first time the Second Circuit has explicitly adopted this standard, has potentially important implications going forward for data breach cases.
Continue Reading Second Circuit Articulates Injury Standard in Data Breach Suits
FTC to Corporate Boards: Mind Your Data Security
On April 28, 2021, the U.S. Federal Trade Commission (“FTC”) published a blog post reminding corporate boards of directors of their responsibility to oversee data security issues and ensure that consumer and employee data are protected. The FTC’s post is a continuation of its efforts to “elevate data security considerations to the C-Suite and Board level.”
By way of background, the FTC noted that it has continued to challenge companies’ data security practices on the grounds of allegedly deceptive or unfair conduct. The Commission is also actively reviewing certain data security rules targeted at safeguarding health records and consumer information held by financial institutions.Continue Reading FTC to Corporate Boards: Mind Your Data Security
The “New” Dominion of Privacy Law: Virginia Becomes Second State to Pass Comprehensive Consumer Data Privacy Act
Last month, the Virginia Consumer Data Protection Act was signed into law, making Virginia the second state in the nation to enact comprehensive data privacy legislation. The Act resembles and adopts some terms from the California Consumer Privacy Act (“CCPA”); the California Privacy Rights Act of 2020, which amends and expands the CCPA; and the
First Circuit Upholds Border Searches of Electronic Devices Without Probable Cause
In a decision with potentially far-reaching implications, Alasaad v. Mayorkas, Nos. 20-1077, 20-1081, 2021 WL 521570 (1st Cir. Feb. 9, 2021), the First Circuit recently rejected First and Fourth Amendment challenges to the U.S. government agency policies governing border searches of electronic devices. These policies permit so-called “basic” manual searches of electronic devices without any articulable suspicion, requiring reasonable suspicion only when officers perform “advanced” searches that use external equipment to review, copy, or analyze a device. The First Circuit held that even these “advanced” searches require neither probable cause nor a warrant, and it split with the Ninth Circuit in holding that searches need not be limited to searches for contraband, but may also be used to search for evidence of contraband or evidence of other illegal activity. This decision implicates several takeaways for company executives entering and leaving the United States, particularly if they or their employers are under active investigation. In-house counsel in particular should consider the implications of the decision given obligations of lawyers to protect the confidentiality of attorney-client privileged information.
Continue Reading First Circuit Upholds Border Searches of Electronic Devices Without Probable Cause
New York Department of Financial Services Issues New Guidance on Cyber Threats
Recently, the New York Department of Financial Services (“DFS”) issued two memoranda addressing the ongoing increase in cyberattacks. The first recent guidance provides best practices for insurance entities with regard to cyber insurance.[1] The second guidance deals with the surge in benefits fraud that has been ongoing since the beginning of the COVID-19 pandemic, with directions on how regulated entities can best secure data.[2]
Continue Reading New York Department of Financial Services Issues New Guidance on Cyber Threats
D.C. District Court Rejects Privilege Claim for Post-Data Breach Forensic Report
Last month, in Guo Wengui v. Clark Hill, PLC, the United States District Court for the District of Columbia granted Plaintiff’s motion to compel production of Defendant’s third-party forensic investigation report following a cybersecurity incident.[1] The court held that the forensic report was not covered by the attorney-client privilege or the work product doctrine, providing a cautionary tale for companies conducting post-breach investigations.
Continue Reading D.C. District Court Rejects Privilege Claim for Post-Data Breach Forensic Report
The Central District Court of California Grants Marriott International’s Motion to Dismiss in Data Breach Suit
On January 12, 2021, the United States District Court for the Central District of California granted Marriott’s motion to dismiss in Arifur Rahman v. Marriott International, Inc. et al[1], a class action filed against the company following its disclosure of a data breach in March 2020. The court held that Plaintiff lacked standing to sue, breathing life into a defense that has been unsuccessful in several recent cases.
Background
The litigation against Marriott stemmed from its announcement that two employees of a Marriott franchise in Russia accessed personal information of 5.2 million guests. The company further acknowledged that the compromised information included names, addresses, emails, phone numbers, and other personal details such as birth dates. In April 2020, Plaintiff Arifur Rahman (“Plaintiff”), on behalf of a class, alleged six causes of action against Marriott International (“Defendant”): (1) negligence; (2) violation of the California Consumer Privacy Act; (3) breach of contract; (4) breach of implied contract; (5) unjust enrichment; and (6) violation of the California Unfair Competition Law.
Continue Reading The Central District Court of California Grants Marriott International’s Motion to Dismiss in Data Breach Suit
2020 Cybersecurity and Privacy Developments: A Year in Review
Cybersecurity and data privacy, topics that were already top of mind for companies at the start of 2020, were pushed even further to the forefront due to the COVID-19 pandemic, significant data security enforcement actions, and the SolarWinds breach discovered in December.
The increased prevalence of remote work made it all the more critical for