On June 25, 2020, a federal district court in the Eastern District of Virginia held that a bank must produce in discovery a report generated by its cybersecurity forensic investigator following a 2019 data breach involving unauthorized access to personal information of customers and individuals who had applied for accounts.[1]  Even though the report was produced at the direction of outside counsel, the court rejected arguments that the forensic report is protected from disclosure by the work product doctrine.  Instead, the court determined that the report was not produced primarily in anticipation of litigation based on several factors, including the similarity of the report to past business-related work product by the investigator and the bank’s subsequent use and dissemination of the report.  This decision raises questions about the scope of work product protection for forensic expert and other similar reports in the context of an internal investigation.
Continue Reading Federal Court Compels Production of Data Breach Forensic Investigation Report

The UK Supreme Court, in a unanimous decision delivered on April 1,[1] has overturned the decision of the Court of Appeal which had found that Morrisons Supermarkets plc (“Morrisons”) could be held vicariously liable for the unauthorized actions of an employee who had deliberately leaked the personal data of thousands of Morrisons’ employees online. In its judgment, the Supreme Court explained that the Court of Appeal had “misunderstood the principles governing vicarious liability”.[2] For more information on the background of this case and the High Court and Court of Appeal judgments, please see our article here. The full text of the Supreme Court judgment can be read here.
Continue Reading Relief for Employers as Supreme Court Rules no Liability in Morrisons Data Breach Case

The following post was originally included as part of our recently published memorandum “Selected Issues for Boards of Directors in 2020”.

According to a 2019 survey, Chief Legal Officers ranked data breaches as the most important issue keeping them “up at night.” Cybersecurity also remained top of mind for boards and other corporate

On Tuesday, November 12, 2019, the U.S. Federal Trade Commission (“FTC” or “Commission”) announced a proposed settlement with InfoTrax Systems, L.C. (“InfoTrax”), a third-party service provider, regarding multiple data security failures.  As a result of these security shortcomings, a hacker accessed about one million consumers’ sensitive personal information after more than twenty intrusions into InfoTrax’s network.  This settlement marks one of the first instances in which the FTC has alleged a violation of the FTC Act predicated solely upon the failure to maintain reasonable security measures by a third-party service provider.  The settlement is also notable for a Commissioner’s concurring statement criticizing the settlement’s standard twenty-year term.
Continue Reading Latest FTC Data Privacy Settlement May Signal More Direct Approach to Regulating Data Security

On July 25, 2019, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security Act (the “SHIELD Act” or the “Act”), which expands data breach notification obligations under New York law and for the first time imposes affirmative cybersecurity obligations on covered entities.

The Act makes five principal changes

On 9 July, the UK Information Commissioner’s Office (“ICO”) issued a notice of its intention to fine Marriott International, Inc. (“Marriott”) £99,200,396 for alleged infringements of the EU General Data Protection Regulation ( “GDPR”) in connection with a cybersecurity incident notified to the ICO by Marriott in November 2018. The ICO’s public statement followed Marriott’s disclosure of the ICO’s intention to the US Securities and Exchange Commission (“SEC”) and comes just one day after the ICO published its notice of intention to fine British Airways £183.4 million (see our previous blog post here). The proposed fines, if enforced by the ICO, will be the two highest fines levied under the GDPR, to date.

Continue Reading UK Regulator Intends to Fine Marriott £99 Million for Personal Data Breach, Spotlighting M&A Cybersecurity Diligence

The UK Information Commissioner’s Office (“ICO”) has issued a notice of intention to fine British Airways following an extensive investigation into the British Airways cybersecurity incident (notified by British Airways to the ICO in September 2018).  The fine of £183.4 million relates to various alleged infringements of the EU General Data Protection Regulation (“GDPR”).
Continue Reading UK Data Protection Regulator Issues Notice of Intention to Fine British Airways £183.4 Million for Personal Data Breach

Potentially signaling an expansion of the scope of constitutional standing in data breach cases, a district court in the Northern District of California recently held that the exposure of users’ non-sensitive, publicly available personal information may be sufficient to establish an injury-in-fact.[1]
Continue Reading District Court Finds Allegations That Data Breach Exposed Publicly Available and Non-Sensitive Personal Information Sufficient for Article III Standing

In the past year, members of the U.S. Congress and Senate on both sides of the aisle have proposed data privacy bills that would impose nationwide standards on companies who collect and/or share consumers’ personal information. Currently, all 50 states have separate, but often overlapping, data privacy regimes—each subjecting companies to various combinations of recordkeeping standards, data sharing restrictions, and data breach reporting requirements—creating a patchwork of state laws that can generate substantial uncertainty for corporations.
Continue Reading Legislators Propose Differing Approaches to Federalizing Corporate Responsibility for Data Breaches

In 2018, data privacy and cyber breaches made headlines throughout the year.

Major companies continued to suffer data breaches, highlighting the risks and potential costs of cyber incidents across industries.  At the same time, a growing and overlapping thicket of data security and privacy regulations—within the U.S., European Union, Latin America, and elsewhere—continued to increase