In a decision with potentially far-reaching implications, Alasaad v. Mayorkas, Nos. 20-1077, 20-1081, 2021 WL 521570 (1st Cir. Feb. 9, 2021), the First Circuit recently rejected First and Fourth Amendment challenges to the U.S. government agency policies governing border searches of electronic devices. These policies permit so-called “basic” manual searches of electronic devices without any articulable suspicion, requiring reasonable suspicion only when officers perform “advanced” searches that use external equipment to review, copy, or analyze a device. The First Circuit held that even these “advanced” searches require neither probable cause nor a warrant, and it split with the Ninth Circuit in holding that searches need not be limited to searches for contraband, but may also be used to search for evidence of contraband or evidence of other illegal activity. This decision implicates several takeaways for company executives entering and leaving the United States, particularly if they or their employers are under active investigation. In-house counsel in particular should consider the implications of the decision given obligations of lawyers to protect the confidentiality of attorney-client privileged information.
Continue Reading First Circuit Upholds Border Searches of Electronic Devices Without Probable Cause
New York Department of Financial Services Issues New Guidance on Cyber Threats
Recently, the New York Department of Financial Services (“DFS”) issued two memoranda addressing the ongoing increase in cyberattacks. The first recent guidance provides best practices for insurance entities with regard to cyber insurance.[1] The second guidance deals with the surge in benefits fraud that has been ongoing since the beginning of the COVID-19 pandemic, with directions on how regulated entities can best secure data.[2]
Continue Reading New York Department of Financial Services Issues New Guidance on Cyber Threats
D.C. District Court Rejects Privilege Claim for Post-Data Breach Forensic Report
Last month, in Guo Wengui v. Clark Hill, PLC, the United States District Court for the District of Columbia granted Plaintiff’s motion to compel production of Defendant’s third-party forensic investigation report following a cybersecurity incident.[1] The court held that the forensic report was not covered by the attorney-client privilege or the work product doctrine, providing a cautionary tale for companies conducting post-breach investigations.
Continue Reading D.C. District Court Rejects Privilege Claim for Post-Data Breach Forensic Report
The Central District Court of California Grants Marriott International’s Motion to Dismiss in Data Breach Suit
On January 12, 2021, the United States District Court for the Central District of California granted Marriott’s motion to dismiss in Arifur Rahman v. Marriott International, Inc. et al[1], a class action filed against the company following its disclosure of a data breach in March 2020. The court held that Plaintiff lacked standing to sue, breathing life into a defense that has been unsuccessful in several recent cases.
Background
The litigation against Marriott stemmed from its announcement that two employees of a Marriott franchise in Russia accessed personal information of 5.2 million guests. The company further acknowledged that the compromised information included names, addresses, emails, phone numbers, and other personal details such as birth dates. In April 2020, Plaintiff Arifur Rahman (“Plaintiff”), on behalf of a class, alleged six causes of action against Marriott International (“Defendant”): (1) negligence; (2) violation of the California Consumer Privacy Act; (3) breach of contract; (4) breach of implied contract; (5) unjust enrichment; and (6) violation of the California Unfair Competition Law.
Continue Reading The Central District Court of California Grants Marriott International’s Motion to Dismiss in Data Breach Suit
2020 Cybersecurity and Privacy Developments: A Year in Review
Cybersecurity and data privacy, topics that were already top of mind for companies at the start of 2020, were pushed even further to the forefront due to the COVID-19 pandemic, significant data security enforcement actions, and the SolarWinds breach discovered in December.
The increased prevalence of remote work made it all the more critical for
Cybersecurity: Another Year of Intrusions and Regulation Punctuated by a Pandemic
The following post was originally included as part of our recently published memorandum “Selected Issues for Boards of Directors in 2021”.
Cybersecurity, a topic that was already top of mind for boards and corporate stakeholders at the start of the year, was pushed even further to the fore in the wake of the
New York Lawmakers Introduce Biometric Privacy Bill with Private Right of Action
On January 6, 2021, a bipartisan group of state legislators introduced the “Biometric Privacy Act,” (Assembly Bill 27), which would make New York only the second state with a private right of action against entities that improperly use or retain biometric information. This is the third time that New York lawmakers have proposed such a bill.
The bill would protect individuals’ biometric identifiers, defined as fingerprints, voiceprints, retina or iris scans, and scans of face or hand geometry, as well as information based on such identifiers used to identify an individual.[1]
Under the bill, private entities in possession of biometric identifiers or information would need to develop and comply with publicly available written policies establishing retention schedules and guidelines for permanently destroying the identifiers or information when the initial purpose for collecting or obtaining them has been satisfied or within three years of the individual’s last interaction with the entity, whichever occurs first. Private entities would also be required to store, transmit, and protect from disclosure all biometric identifiers and information using the reasonable standard of care in their industry, and in a manner that is the same as or more protective than the manner in which they store, transmit, and protect other confidential and sensitive information.
Continue Reading New York Lawmakers Introduce Biometric Privacy Bill with Private Right of Action
DOJ Charges Former Uber Executive for Alleged Role in Attempted Cover-Up of 2016 Data Breach
On August 20, 2020, the Department of Justice (“DOJ”) announced that it had charged Joseph Sullivan, the former Chief Security Officer (“CSO”) of Uber Technologies Inc. (“Uber”), with obstruction of justice and misprision of a felony for allegedly attempting to cover up Uber’s 2016 data incident during the course of an investigation by the Federal Trade Commission (“FTC”).
Continue Reading DOJ Charges Former Uber Executive for Alleged Role in Attempted Cover-Up of 2016 Data Breach
OCC Imposes $80 Million Penalty in Connection with Bank Data Breach
In a landmark enforcement action related to a bank data breach, the Office of the Comptroller of the Currency (“OCC”) assessed an $80 million civil monetary penalty and entered into a cease and desist order with the bank subsidiaries of Capital One on August 6, 2020. The actions follow a 2019 cyber-attack against Capital One. The Federal Reserve Board also entered into a cease and desist order with the banks’ parent holding company. The OCC actions represent the first imposition of a significant penalty against a bank in connection with a data breach or an alleged failure to comply with the OCC’s guidelines relating to information security.
Continue Reading OCC Imposes $80 Million Penalty in Connection with Bank Data Breach
Federal Court Compels Production of Data Breach Forensic Investigation Report
On June 25, 2020, a federal district court in the Eastern District of Virginia held that a bank must produce in discovery a report generated by its cybersecurity forensic investigator following a 2019 data breach involving unauthorized access to personal information of customers and individuals who had applied for accounts.[1] Even though the report was produced at the direction of outside counsel, the court rejected arguments that the forensic report is protected from disclosure by the work product doctrine. Instead, the court determined that the report was not produced primarily in anticipation of litigation based on several factors, including the similarity of the report to past business-related work product by the investigator and the bank’s subsequent use and dissemination of the report. This decision raises questions about the scope of work product protection for forensic expert and other similar reports in the context of an internal investigation.
Continue Reading Federal Court Compels Production of Data Breach Forensic Investigation Report