Privacy

Subscribe to Privacy via RSS

We are delighted that Anthony M. Shults has rejoined Cleary Gottlieb as a senior attorney from the U.S. Department of Justice (DOJ), where he served as acting Deputy Assistant Attorney General and Senior Counsel in the Office of Legal Policy and as Attorney-Advisor in the National Security Division. He is based in our New York office and will focus on cybersecurity, data privacy, and emerging technologies, as well as securities, appellate, and complex commercial litigation.
Continue Reading Cleary Gottlieb Welcomes Back Anthony M. Shults, Former Acting Deputy Assistant Attorney General and Senior Counsel at the Department of Justice

On November 18, 2021, the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), and the Board of Governors of the Federal Reserve System (Board) announced a final rule requiring banking organizations to notify their primary regulator of certain significant computer-security incidents as soon as possible and no later than 36 hours after they occur.[1]  The rule separately requires bank service providers to notify their bank customers if they experience a cyber incident that causes, or is reasonably likely to cause, a material disruption of services that lasts for four or more hours.
Continue Reading Banking Regulators Approve Final Rule Establishing Cyber Incident Notification Requirements

On 10 November 2021, the Supreme Court of the United Kingdom handed down its much-awaited judgment in the case of Lloyd v Google LLC [2021] UKSC 50.  The Supreme Court unanimously ruled that the claim, which is a representative action alleging breaches of the Data Protection Act 1998 (“DPA 1998”), could not proceed.

The Supreme

The past few years have brought monumental changes to how we handle international data transfers from the EU. Schrems I, GDPR, Schrems II, Brexit and now the new Standard Contractual Clauses, published in June, 2021.

Here we share our views on improvements and challenges this modernised version of the SCCs has brought and how it

Colorado is set to become the third state in the nation to enact comprehensive privacy legislation with the passing of SB 21-190, more commonly known as the Colorado Privacy Act (“ColoPA” or the “Act”). Governor Jared Polis is expected to sign the ColoPA into law in the coming days, after which

Recent developments in a lawsuit have illustrated the importance of maintaining sufficient data security measures and responding adequately to data breaches, which topics are addressed in Cleary Gottlieb’s Global Crisis Management Handbook in depth. A class-action lawsuit in the Northern District of California against Robinhood Financial, LLC, a securities trading platform, alleges that unauthorized users

Last month, the Virginia Consumer Data Protection Act was signed into law, making Virginia the second state in the nation to enact comprehensive data privacy legislation.  The Act resembles and adopts some terms from the California Consumer Privacy Act (“CCPA”); the California Privacy Rights Act of 2020, which amends and expands the CCPA; and the

On 11 February 2021, the Abu Dhabi Global Market (“ADGM”), Abu Dhabi’s financial free zone, enacted the new Data Protection Regulations 2021 (the “Regulations”), replacing the Data Protection Regulations 2015 in their entirety and bringing the ADGM regime closer to the European Union’s data protection regime under the General Data Protection Regulation (“GDPR”).

Our alert memo, published at the end of 2020 following the ADGM’s opening of a public consultation period on the draft Data Protection Regulations 2020 (the “Draft Regulations”), provides an overview of the key features of the Draft Regulations, areas of overlap with the GDPR, as well as certain proposed departures from the GDPR that will need to be monitored by organisations doing business in both the ADGM and the European Union.

The Regulations are applicable to those processing personal data where a controller or processor has been established in the ADGM, regardless of whether the processing actually takes place in the ADGM or not.

We set out below an update to our alert memo, highlighting the few notable additions/amendments to the Draft Regulations as compared with the final Regulations published on 11 February 2021.Continue Reading ADGM enacts new Data protection Regulations 2021

Last month, the United States District Court for the Southern District of New York granted a motion to dismiss in In re Fed Ex Corp. Securities Litigation, a putative class action securities fraud case filed against FedEx following numerous disclosures in 2017 and 2018 regarding the impact of a Russian cyberattack on its recently acquired subsidiary, TNT Express Services B.V (“TNT”).[1]  The court held that the complaint failed to adequately plead that FedEx had made any material misrepresentations or had the requisite scienter.  FedEx’s successful defense against the lawsuit highlights the importance for companies to consider their disclosure obligations following a cyber-incident and carefully tailor their disclosures to account for their risks and accurately reflect the consequences of the incident.
Continue Reading District Court Dismisses Securities Fraud Claim Against FedEx Concerning Disclosures About NotPetya Cyberattack

Last month, the Eleventh Circuit Court of Appeals dismissed claims brought in a putative class action seeking damages for disclosure of credit card information in a data breach resulting from a cyberattack.  In I Tan Tsao v. Captiva MVP Restaurant Partners, LLC., the court held that the named plaintiff could not establish standing to sue based on allegations that the data breach created a “continuing increased risk of harm from identity theft and identity fraud” or that the plaintiff took affirmative steps to mitigate such potential harm. [1]  This decision follows the reasoning set forth in the court’s recent en banc decision in Muransky v. Godiva Chocolatier, Inc, in which similar allegations were rejected as insufficient to support standing in a case seeking statutory damages from technical violations of the Fair and Accurate Credit Transactions Act, and adds to the circuit split on the issue.[2]
Continue Reading 11th Circuit Rejects Standing Based on Heightened Risk of Identity Theft in Data Breach Suit