Cybersecurity

Latest FTC Data Privacy Settlement May Signal More Direct Approach to Regulating Data Security

By Jonathan S. Kolodner, Alexis Collins & Richard Cipolla on November 20, 2019

Posted in Breach Notifications, Cybersecurity, Enforcement, Privacy, Regulatory, United States

On Tuesday, November 12, 2019, the U.S. Federal Trade Commission (“FTC” or “Commission”) announced a proposed settlement with InfoTrax Systems, L.C. (“InfoTrax”), a third-party service provider, regarding multiple data security failures. As a result of these security shortcomings, a hacker accessed about one million consumers’ sensitive personal information after more than twenty intrusions into InfoTrax’s network. This settlement marks one of the first instances in which the FTC has alleged a violation of the FTC Act predicated solely upon the failure to maintain reasonable security measures by a third-party service provider. The settlement is also notable for a Commissioner’s concurring statement criticizing the settlement’s standard twenty-year term.…
Continue Reading

Be Prepared: How to Proactively Account for Data Privacy

By Cleary Gottlieb on November 14, 2019

Posted in Cybersecurity, Enforcement, Privacy

Have the right policies in place

– Ensure clear, readily accessible, and (where necessary) country-specific policies are in place indicating the permitted uses of company devices and other IT equipment, including messaging services. If you allow employees to use their own devices to perform work, make sure your policies adequately address issues of access in the context of investigations.…
Continue Reading

Incorporating Data Privacy Considerations Into Investigations

By Cleary Gottlieb on November 14, 2019

Posted in Cybersecurity, Enforcement, Privacy

Many investigations, particularly those that are cross-border in nature, are likely to present data privacy issues, and managing these issues is frequently a key consideration in an investigation. By keeping data privacy laws in mind as soon as an investigation starts, an organization will avoid the risk that it has failed to satisfy certain requirements, thereby exposing itself to the possibility of a fine or sanction from a regulator.…
Continue Reading

The CCPA Takes Shape with Proposed Regulations, as Companies are Encouraged to Comply by January 1

By Katherine Mooney Carroll, Jonathan S. Kolodner, Daniel Ilan, Rahul Mukhi, Alexis Collins, Jane C. Rosen & Michelle Butler on October 22, 2019

Posted in Cybersecurity, Enforcement, Privacy, United States

The final version of the California Consumer Privacy Act of 2018 is coming into view.

On October 10, California’s Attorney General released the long-anticipated draft regulations to implement the CCPA, and on October 12, the Governor signed into law five amendments to the CCPA passed during the 2019 legislative session. (We previously discussed the CCPA …

United Kingdom and United States Governments Sign First-Ever CLOUD Act Agreement

By Jonathan S. Kolodner, Nowell Bamberger, Rahul Mukhi, Alexis Collins & Kal Blassberger on October 16, 2019

Posted in Cybersecurity, DOJ Guidance, Privacy, United Kingdom, United States

On October 3, 2019, the governments of the United Kingdom and United States signed the first-ever executive agreement governing cross-border data requests (the “Agreement”) pursuant to the US Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”).^[1] As contemplated by the CLOUD Act, the Agreement provides a mechanism for the governments to access and share data stored abroad by electronic communications services providers (“CSP”) in their respective countries in a timely manner. The Agreement will enter into effect following a 180 day Congressional review period required by the CLOUD Act and a similar review by the UK Parliament. …
Continue Reading

RTBF Stops at the Border: CJEU Sides with Google on the Scope of De-Referencing

By Emmanuel Ronco, Natascha Gerlach, Christina Samaras & Edouard Burlet on October 15, 2019

Posted in Cybersecurity, European Union, Privacy

On September 24, 2019^[1], the Court of Justice of the European Union (the “CJEU”) handed down its much anticipated follow-on judgment^[2] in connection with an individual’s right to have links removed from search results displayed following a search of that individual’s name on Google’s search engine.

Building on its recognition of a “right to de-referencing” in its landmark 2014 Google Spain judgment^[3] (establishing the so-called “right to be forgotten” or “RTBF”), the CJEU now further clarified the territorial scope of such right, and limited the de-referencing obligation to Google’s search engine websites corresponding to EU Member States, as opposed to all domain name extensions (e.g., the obligation applies to domain names with top-level domain (“TLDs”) corresponding to EU Member States, such as “google.fr” for France or “google.be” for Belgium). The Court added that Google may need to use, “where necessary”, measures effectively preventing or seriously discouraging an internet user from accessing (on other versions of the search engine, which are not subject to the de-referencing obligation) the links at issue from an EU Member State. As a consequence, Google has no obligation to remove the links at issue on all Google websites worldwide (such as on “google.com”), but may need to implement sufficiently effective measures to prevent Internet users from accessing the links from the EU.…
Continue Reading

Before You Press Send: Protecting Privilege and Complying With Limitations on Data Dissemination When Responding to an Investigative Request

By Cleary Gottlieb on October 3, 2019

Posted in Cybersecurity, Enforcement, Privacy

One critical issue to consider in responding to an investigative request is whether by producing the requested data, the company will be waiving a privilege or violating legal confidentiality obligations, including data privacy restrictions.…
Continue Reading

California Consumer Privacy Act Amendments Offer Relief, but Challenges Remain

By Katherine Mooney Carroll, Jonathan S. Kolodner, Daniel Ilan, Rahul Mukhi, Alexis Collins, Jane C. Rosen & Whitney A. Lee on September 24, 2019

Posted in Cybersecurity, Privacy, United States

California’s 2019 legislative session has drawn to a close with passage of five amendments to the California Consumer Privacy Act (CCPA) during the final days of the session. Assuming that the bills are timely signed by the Governor before the October 13 deadline, businesses will finally have the complete version of the statute that will…

Katherine Mooney Carroll

Katherine Mooney Carroll’s practice focuses on advising U.S. and international financial institutions on U.S. regulatory matters, including recent reforms pursuant to the Dodd-Frank Act, regulatory aspects of bank M&A, cybersecurity and privacy matters, and compliance with U.S. sanctions and anti-money laundering laws.

View Latest Posts

Amélie Champsaur

Amélie Champsaur’s practice covers a broad range of financial regulatory, compliance and enforcement matters, at French and EU level.

View Latest Posts

Alexis Collins

Alexis Collins’ practice focuses on litigation, including criminal and regulatory enforcement matters and complex civil and antitrust litigation.

View Latest Posts

Christopher J. Cook

Christopher J. Cook’s practice focuses on international competition and antitrust law.

View Latest Posts

Roger A. Cooper

Roger Cooper’s practice focuses on complex civil litigation, with an emphasis on disputes arising out of securities, M&A and derivative transactions, as well as on corporate governance issues.

View Latest Posts

Francesco De Biasi

Francesco De Biasi’s practice primarily focuses on private enforcement and internal investigations of corporate wrongdoing, with a focus on the requirements under Legislative Decree 231/2001, as well as on corporate, civil, labor law and data protection matters related to white collar crimes.

View Latest Posts

Daniel Ilan

Daniel Ilan’s practice focuses on intellectual property law.

View Latest Posts

Jonathan Kelly

Jonathan Kelly’s practice focuses on substantial English and international commercial litigation and arbitration.

View Latest Posts

Joon H. Kim

Joon H. Kim’s practice focuses on white-collar criminal defense, internal corporate investigations, regulatory enforcement, and crisis management, as well as complex commercial litigation and arbitration.

View Latest Posts

Jonathan S. Kolodner

Jonathan S. Kolodner’s practice focuses on criminal, securities, and other enforcement and regulatory matters as well as on complex commercial litigation.

View Latest Posts

Michael H. Krimminger

Michael H. Krimminger’s practice focuses on U.S. and international banking and financial institutions.

View Latest Posts

Rahul Mukhi

Rahul Mukhi’s practice focuses on criminal, securities, and other enforcement and regulatory matters as well as on complex commercial litigation.

View Latest Posts

Emmanuel Ronco

Emmanuel Ronco’s practice focuses on intellectual property and technology matters, including in the context of corporate transactions such as mergers and acquisitions or joint ventures.

View Latest Posts

Rishi N. Zutshi

Rishi N. Zutshi’s practice focuses on commercial litigation and securities litigation, with extensive experience in disputes relating to complex financial instruments and derivatives.

View Latest Posts