Last week, the Second Circuit affirmed the dismissal for lack of Article III standing a proposed class action against a health services provider that mistakenly disclosed personally identifiable information (“PII”).  In its opinion, the Second Circuit held that plaintiffs may establish Article III standing based on an increased risk of identity theft or fraud following an unauthorized disclosure of their data, but that the standard was not met based on the facts presented.  The decision, which is the first time the Second Circuit has explicitly adopted this standard, has potentially important implications going forward for data breach cases.

Continue Reading Second Circuit Articulates Injury Standard in Data Breach Suits

On April 28, 2021, the U.S. Federal Trade Commission (“FTC”) published a blog post reminding corporate boards of directors of their responsibility to oversee data security issues and ensure that consumer and employee data are protected.  The FTC’s post is a continuation of its efforts to “elevate data security considerations to the C-Suite and Board level.”

By way of background, the FTC noted that it has continued to challenge companies’ data security practices on the grounds of allegedly deceptive or unfair conduct.  The Commission is also actively reviewing certain data security rules targeted at safeguarding health records and consumer information held by financial institutions.


Continue Reading FTC to Corporate Boards: Mind Your Data Security

Last month, the Virginia Consumer Data Protection Act was signed into law, making Virginia the second state in the nation to enact comprehensive data privacy legislation.  The Act resembles and adopts some terms from the California Consumer Privacy Act (“CCPA”); the California Privacy Rights Act of 2020, which amends and expands the CCPA; and the

On 11 February 2021, the Abu Dhabi Global Market (“ADGM”), Abu Dhabi’s financial free zone, enacted the new Data Protection Regulations 2021 (the “Regulations”), replacing the Data Protection Regulations 2015 in their entirety and bringing the ADGM regime closer to the European Union’s data protection regime under the General Data Protection Regulation (“GDPR”).

Our alert memo, published at the end of 2020 following the ADGM’s opening of a public consultation period on the draft Data Protection Regulations 2020 (the “Draft Regulations”), provides an overview of the key features of the Draft Regulations, areas of overlap with the GDPR, as well as certain proposed departures from the GDPR that will need to be monitored by organisations doing business in both the ADGM and the European Union.

The Regulations are applicable to those processing personal data where a controller or processor has been established in the ADGM, regardless of whether the processing actually takes place in the ADGM or not.

We set out below an update to our alert memo, highlighting the few notable additions/amendments to the Draft Regulations as compared with the final Regulations published on 11 February 2021.


Continue Reading ADGM enacts new Data protection Regulations 2021

Last month, the United States District Court for the Southern District of New York granted a motion to dismiss in In re Fed Ex Corp. Securities Litigation, a putative class action securities fraud case filed against FedEx following numerous disclosures in 2017 and 2018 regarding the impact of a Russian cyberattack on its recently acquired subsidiary, TNT Express Services B.V (“TNT”).[1]  The court held that the complaint failed to adequately plead that FedEx had made any material misrepresentations or had the requisite scienter.  FedEx’s successful defense against the lawsuit highlights the importance for companies to consider their disclosure obligations following a cyber-incident and carefully tailor their disclosures to account for their risks and accurately reflect the consequences of the incident.
Continue Reading District Court Dismisses Securities Fraud Claim Against FedEx Concerning Disclosures About NotPetya Cyberattack

Last month, the Eleventh Circuit Court of Appeals dismissed claims brought in a putative class action seeking damages for disclosure of credit card information in a data breach resulting from a cyberattack.  In I Tan Tsao v. Captiva MVP Restaurant Partners, LLC., the court held that the named plaintiff could not establish standing to sue based on allegations that the data breach created a “continuing increased risk of harm from identity theft and identity fraud” or that the plaintiff took affirmative steps to mitigate such potential harm. [1]  This decision follows the reasoning set forth in the court’s recent en banc decision in Muransky v. Godiva Chocolatier, Inc, in which similar allegations were rejected as insufficient to support standing in a case seeking statutory damages from technical violations of the Fair and Accurate Credit Transactions Act, and adds to the circuit split on the issue.[2]
Continue Reading 11th Circuit Rejects Standing Based on Heightened Risk of Identity Theft in Data Breach Suit

On February 18, 2021, the U.S. Department of the Treasury, Office of Foreign Assets Control (OFAC) announced a $507,375 settlement with BitPay, Inc. (BitPay), a payment processor for merchants accepting digital currency as payment for goods and services, for 2,102 apparent violations of multiple sanctions programs between 2013 and 2018.[1] The settlement highlights that financial service providers facilitating digital currency transactions must not only establish sanctions compliance programs to screen their own customers but also must monitor third-party non-customer transaction information.
Continue Reading OFAC Settles with Digital Currency Payment Processor for Sanctions Violations

In a decision with potentially far-reaching implications, Alasaad v. Mayorkas, Nos. 20-1077, 20-1081, 2021 WL 521570 (1st Cir. Feb. 9, 2021), the First Circuit recently rejected First and Fourth Amendment challenges to the U.S. government agency policies governing border searches of electronic devices. These policies permit so-called “basic” manual searches of electronic devices without any articulable suspicion, requiring reasonable suspicion only when officers perform “advanced” searches that use external equipment to review, copy, or analyze a device.  The First Circuit held that even these “advanced” searches require neither probable cause nor a warrant, and it split with the Ninth Circuit in holding that searches need not be limited to searches for contraband, but may also be used to search for evidence of contraband or evidence of other illegal activity. This decision implicates several takeaways for company executives entering and leaving the United States, particularly if they or their employers are under active investigation.  In-house counsel in particular should consider the implications of the decision given obligations of lawyers to protect the confidentiality of attorney-client privileged information.

Continue Reading First Circuit Upholds Border Searches of Electronic Devices Without Probable Cause

Recently, the New York Department of Financial Services (“DFS”) issued two memoranda addressing the ongoing increase in cyberattacks.  The first recent guidance provides best practices for insurance entities with regard to cyber insurance.[1]  The second guidance deals with the surge in benefits fraud that has been ongoing since the beginning of the COVID-19 pandemic, with directions on how regulated entities can best secure data.[2]
Continue Reading New York Department of Financial Services Issues New Guidance on Cyber Threats

On January 12, 2021, the United States District Court for the Central District of California granted Marriott’s motion to dismiss in Arifur Rahman v. Marriott International, Inc. et al[1], a class action filed against the company following its disclosure of a data breach in March 2020.  The court held that Plaintiff lacked standing to sue, breathing life into a defense that has been unsuccessful in several recent cases.

Background

The litigation against Marriott stemmed from its announcement that two employees of a Marriott franchise in Russia accessed personal information of 5.2 million guests.  The company further acknowledged that the compromised information included names, addresses, emails, phone numbers, and other personal details such as birth dates.  In April 2020, Plaintiff Arifur Rahman (“Plaintiff”), on behalf of a class, alleged six causes of action against Marriott International (“Defendant”): (1) negligence; (2) violation of the California Consumer Privacy Act; (3) breach of contract; (4) breach of implied contract; (5) unjust enrichment; and (6) violation of the California Unfair Competition Law.
Continue Reading The Central District Court of California Grants Marriott International’s Motion to Dismiss in Data Breach Suit