Cybersecurity

Subscribe to Cybersecurity

In a highly-anticipated landmark judgment handed down on July 16, 2020, the Court of Justice of the European Union (the “CJEU”) in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (“Schrems II”, summarised in part 3. below and the full text of which can be accessed here) has:

  • invalidated the European Commission Decision 2016/1250 on the adequacy of the protection provided by the EU-U.S. Data Protection Shield (the “EU-US Privacy Shield”) for transfer of personal data from the EU to entities certified under the mechanism located in the United States;
  • upheld the European Commission Decision 2010/87 on standard contractual clauses for the transfer of personal data to processors established outside the EU (the “SCCs”); and
  • reminded that a transfer of data based on SCCs may be challenged before the competent supervisory authority, which has to “suspend or prohibit”, on a case-by-case basis, any such transfer when, in its view, the SCCs “are not or cannot be complied with.”


Continue Reading Schrems II: The CJEU Declares EU-U.S. Privacy Shield Invalid, Upholds the SCCs And Calls On 27 Supervisory Authorities to Ensure Their Compliance

On June 25, 2020, a federal district court in the Eastern District of Virginia held that a bank must produce in discovery a report generated by its cybersecurity forensic investigator following a 2019 data breach involving unauthorized access to personal information of customers and individuals who had applied for accounts.[1]  Even though the report was produced at the direction of outside counsel, the court rejected arguments that the forensic report is protected from disclosure by the work product doctrine.  Instead, the court determined that the report was not produced primarily in anticipation of litigation based on several factors, including the similarity of the report to past business-related work product by the investigator and the bank’s subsequent use and dissemination of the report.  This decision raises questions about the scope of work product protection for forensic expert and other similar reports in the context of an internal investigation.
Continue Reading Federal Court Compels Production of Data Breach Forensic Investigation Report

Last month, the Financial Services Information Sharing and Analysis Center[1] (“FS-ISAC”) warned financial services companies, and particularly smaller firms, of a substantial increase in attempted cyberattacks since the start of the COVID-19 pandemic.  In particular, cyber-attacks targeted at bank employees rose in the first quarter of 2020.  As of early April, FS-ISAC had also identified over 1,500 fraudulent or phishing websites designed to look like pandemic-related lending or financial support programs to deceive visitors into disclosing sensitive personal information.
Continue Reading FS-ISAC Warns that Cyberattacks Against Financial Services Firms Increased Substantially in Response to COVID-19 Mitigation Efforts

On May 5, 2020, the Seventh Circuit Court of Appeals held that a plaintiff has standing to assert a claim under the Illinois Biometric Information Privacy Act (BIPA) even without alleging any economic loss or data breach.  The court’s decision in Bryant v. Compass Group USA, Inc.,[1] held that merely alleging a failure to receive adequate disclosure or provide informed consent is sufficient to state a claim, potentially establishing in the Seventh Circuit a low bar for making claims under BIPA and other state statutes modeled off of it.
Continue Reading The Seventh Circuit Holds That Lack of Disclosure and Informed Consent Under Biometric Information Privacy Act Satisfies Article III Standing Requirement

On May 4, 2020 the European Data Protection Board (“EDPB”) updated the guidelines on consent under the EU General Data Protection Regulation 2016/679 (the “GDPR”). The guidelines were originally published by the Article 29 Working Party on April 10, 2018 and later endorsed by the EDPB.[1] The full text of the updated EDPB guidelines can be read here.
Continue Reading Cookie Walls and Scrolling Don’t Make the Grade – EDPB Clarifies Guidance on Consent Under GDPR

As many organisations adjust their business operations as a result of the COVID-19 pandemic, network and data security are in the spotlight.  The significant increase in remote working, brings unique challenges and organisations must remain mindful of their legal obligations to keep personal data secure.  In particular, the EU General Data Protection Regulation (“GDPR”) imposes a general obligation upon data controllers and processors to ensure the security of data processing against accidental or unlawful loss, damage, destruction, alteration or disclosure.

Controllers and processors must have in place appropriate technical and organisational measures to ensure a level of security for personal data that is commensurate to the risk associated with data processing.  This is not a static analysis, but something to be kept under review as circumstances change.  The mass shift to remote working has inevitably changed the risk profile of certain data processing activities.  Set out below is a summary of important considerations from a data security standpoint, taking into account the GDPR’s requirements as well as guidance from data protection supervisory authorities in the UK, France, Belgium, Germany and Italy.
Continue Reading COVID-19 Remote Working – GDPR Data Security Checklist

Earlier this year, the Cybersecurity Unit (“CsU”) of the Computer Crime and Intellectual Property Section of the United States Department of Justice released guidance for the private sector entitled “Legal Considerations when Gathering Online Cyber Threat Intelligence and Purchasing Data from Illicit Sources.”  The Guidance (available here) is intended to aid private actors to assess the potential legal exposure under federal criminal law as a result of engaging in common cyber intelligence-gathering activities on the dark web.  Focusing on activity on TOR-based Dark Markets, i.e., “online forums in which computer crimes are discussed and planned and stolen data is bought and sold,” CsU offers practical tips and best practices for legitimate private actors to reduce the risk of liability and other negative repercussions under federal law.[1]
Continue Reading DOJ Issues Guidance on Private Sector Intelligence Gathering Activities on the Dark Web

On April 15, 2020, the U.S. Departments of State, the Treasury, and Homeland Security, and the Federal Bureau of Investigation issued an advisory alert providing guidance on the North Korean cyber threat and steps to mitigate that threat (the “Alert”).[1]  The U.S. Government has repeatedly warned the private sector that North Korea, formally known as the Democratic People’s Republic of Korea (“DPRK”), routinely engages in malicious cyber activities and has specifically targeted financial institutions.

This Alert serves as a reminder, especially during this pandemic as businesses go remote and virtual to an unprecedented degree, that the cyber threat, including from the DPRK, remains a critical risk for all companies.  Financial institutions in particular, a traditional target of North Korean cyber activity, should take steps to ensure they are protecting themselves from and responding effectively to malicious cyber intrusions.
Continue Reading CISA Alert: North Korean Cyber Threat Poses Increased Risk for Financial Institutions

The UK Supreme Court, in a unanimous decision delivered on April 1,[1] has overturned the decision of the Court of Appeal which had found that Morrisons Supermarkets plc (“Morrisons”) could be held vicariously liable for the unauthorized actions of an employee who had deliberately leaked the personal data of thousands of Morrisons’ employees online. In its judgment, the Supreme Court explained that the Court of Appeal had “misunderstood the principles governing vicarious liability”.[2] For more information on the background of this case and the High Court and Court of Appeal judgments, please see our article here. The full text of the Supreme Court judgment can be read here.
Continue Reading Relief for Employers as Supreme Court Rules no Liability in Morrisons Data Breach Case

The emergence of online, non-traditional financial service platforms creates additional avenues for terrorist groups to receive and transfer funds outside of the traditional banking system.  One consequence of this trend is the potential for increased litigation against these providers under U.S. statutes that create civil liability for provision of material support to terrorists: the Anti-Terrorism Act (the “ATA”), 18 U.S.C. § 2333(a), and the Justice Against Sponsors of Terrorism Act (“JASTA”), 18 U.S.C. § 2333(d)(2).

Civil claims for damages under the ATA and JASTA have historically been brought against large banks for providing financial services to entities with alleged terrorist links.  Typically in such cases, victims of a terrorist attack and/or their family members allege that the bank supported the attack by processing U.S. dollar denominated transactions to an entity with links to terrorism (often through a chain of intermediaries).  In recent years, the range of entities against which ATA and JASTA claims have been brought has increasingly expanded to include companies outside of the banking sector, such as pharmaceutical companies, government contractors, and social media platforms.  As terrorist groups increase their use of non-traditional financial service platforms, cryptocurrency exchanges, decentralized fintech platforms, and other similar businesses may begin to face ATA and JASTA claims.
Continue Reading Online Financial Service Companies:  The Anti-Terrorism Act’s Next Frontier