The UK Information Commissioner’s Office (ICO) has provided Facebook with a Notice of Intent to issue a monetary penalty against the social media platform for its lack of transparency and failure to maintain the security of its users’ personal data in relation to the Cambridge Analytica scandal. The ICO’s fine is the maximum possible under the Data Protection Act 1998 (the UK implementing legislation for the former EU data protection regime under the Data Protection Directive). Facebook will have the opportunity to make representations to the ICO before the ICO’s decision is finalised.
The nature of any injury suffered by individuals from a cyber incident continues to be a major issue in data breach litigation. As we have previously discussed, the Supreme Court has thus far declined to address the issue of Article III standing in the data breach context, resulting in an ongoing circuit split on whether data theft is by itself sufficient to satisfy Article III’s injury requirements. Two federal Courts of Appeals recently grappled with injury requirements in the data breach context. Continue Reading Fourth Circuit and Eighth Circuit Address Injury in Data Breach Cases
On June 27, 2018, Equifax Inc., the credit reporting agency, agreed to implement stronger data security measures under a consent order with the New York State Department of Financial Services (“NYDFS”) and seven other state banking regulators. The order imposes detailed duties on Equifax’s Board of Directors in response to criticisms raised by the regulators during an examination of Equifax’s cybersecurity and internal audit functions. The examination followed the company’s massive 2017 data breach, which exposed sensitive personal information of nearly 148 million customers. Equifax agreed to the order without admitting or denying any charges of “unsafe or unsound information security practices.”
On June 22, 2018, the United States Supreme Court decided Carpenter v. United States, in which it held that the government must generally obtain a search warrant supported by probable cause before acquiring more than seven days of historical cell-site location information (“CSLI”) from a service provider. Noting “the deeply revealing nature of CSLI, its depth, breadth, and comprehensive reach, and the inescapable and automatic nature of its collection,” the Court held that an individual “maintains a legitimate expectation of privacy in the record of his physical movements captured through CSLI” that warrants Fourth Amendment protection. While the Court sought to construe its decision narrowly, the reasoning of the majority and Justice Gorsuch in his dissent raise significant questions about whether and to what extent individuals may have a reasonable expectation of privacy or possessory interest in other sensitive personal data held by third parties beyond the CSLI at issue in Carpenter.
Please click here to read the full alert memorandum.
In recent years, the Federal Trade Commission (“FTC”) has taken the lead among federal agencies in regulating the cybersecurity practices of companies that handle consumer personal information. The FTC has entered into numerous consent orders and other settlements with regulated companies that broadly require implementation and maintenance of information security programs that are “reasonably designed” to protect security and confidentiality of consumer information. A federal appeals court has now cast doubt on the viability of such orders. In a ruling issued on June 6, 2018, the Eleventh Circuit vacated a cease-and-desist order against LabMD, Inc. (“LabMD”) as unenforceable because it found that the order commanded an overhaul of the company’s data security program without providing a reasonably definite standard by which a court could determine compliance. Continue Reading Eleventh Circuit Vacates FTC Order Mandating Implementation of Cybersecurity Program
The consequences of a cybersecurity incident can be severe. The economic loss associated with an incident can often be compounded by reputational damage, loss of trade secrets, destruction of assets, operational impairment, lost revenue following the announcement of the cybersecurity incident and the expense of implementing remedial measures. The timing and content of any public communication about a suspected or confirmed cybersecurity incident can exacerbate this loss and have a significant impact on the trading price of the issuer’s securities. The disclosure considerations become even more complex when a company is subject to overlapping, and potentially conflicting, regulatory obligations in multiple jurisdictions, including the United States and the European Union (“EU”). This issue is now at the forefront with the EU’s new data security and privacy regime, the General Data Protection Regulation (“GDPR”), which became effective on May 25, 2018.
Last month, the Brazilian National Monetary Council (the “CMN”) issued Resolution No. 4,658 (the “Resolution”), which establishes new cybersecurity requirements covering institutions regulated by the Brazilian Central Bank (Banco Central do Brasil). The Resolution requires covered financial institutions to have cybersecurity policies in place by May 6, 2019, and be fully compliant with the regulation by December 31, 2021. Notably, the Resolution’s requirements cover third-party service providers that contract with covered institutions, including those located outside of Brazil. Continue Reading Brazil Issues new Cybersecurity Regulation for Regulated Financial Institutions
A recent FTC settlement highlights the need for companies to oversee their service providers, with respect to both collection of personal information and data security practices.
On April 24, 2018, Altaba, formerly known as Yahoo, entered into a settlement with the Securities and Exchange Commission (the “SEC”), pursuant to which Altaba agreed to pay $35 million to resolve allegations that Yahoo violated federal securities laws in connection with the disclosure of the 2014 data breach of its user database. The case represents the first time a public company has been charged by the SEC for failing to adequately disclose a cyber breach, an area that is expected to face continued heightened scrutiny as enforcement authorities and the public are increasingly focused on the actions taken by companies in response to such incidents. Altaba’s settlement with the SEC, coming on the heels of its agreement to pay $80 million to civil class action plaintiffs alleging similar disclosure violations, underscores the increasing potential legal exposure for companies based on failing to properly disclose cybersecurity risks and incidents.
Please click here to read the full alert memorandum.
On April 11, 2018, the Seventh Circuit reversed a district court’s dismissal, for failure to state a claim, of plaintiffs’ proposed class action arising out of a 2012 data breach affecting Barnes & Noble. In so holding, the court reaffirmed its view that allegations of data theft with a substantial risk of future harm are sufficient to assert an “injury” under Article III, even in the absence of allegations that the risk actually materialized. The Seventh Circuit further found that such injury may also satisfy the requisite damages allegations under federal pleading requirements. Continue Reading Seventh Circuit Expands Jurisprudence in Data Breach Cases