Last month, the Eleventh Circuit Court of Appeals dismissed claims brought in a putative class action seeking damages for disclosure of credit card information in a data breach resulting from a cyberattack. In I Tan Tsao v. Captiva MVP Restaurant Partners, LLC, the court held that the named plaintiff could not establish standing to sue based on allegations that the data breach created a “continuing increased risk of harm from identity theft and identity fraud” or that the plaintiff took affirmative steps to mitigate such potential harm. This decision follows the reasoning set forth in the court’s recent en banc decision in Muransky v. Godiva Chocolatier, Inc., in which similar allegations were rejected as insufficient to support standing in a case seeking statutory damages from technical violations of the Fair and Accurate Credit Transactions Act, and adds to the circuit split on the issue.
On February 18, 2021, the U.S. Department of the Treasury, Office of Foreign Assets Control (OFAC) announced a $507,375 settlement with BitPay, Inc. (BitPay), a payment processor for merchants accepting digital currency as payment for goods and services, for 2,102 apparent violations of multiple sanctions programs between 2013 and 2018. The settlement highlights that financial service providers facilitating digital currency transactions must not only establish sanctions compliance programs to screen their own customers but also must monitor third-party non-customer transaction information.
On March 3, 2021, the U.S. Securities and Exchange Commission (“SEC”) Division of Examinations (the “Division”)—formerly the Office of Compliance Inspections and Examinations—released its 2021 Examination Priorities (“2021 Priorities”). The 2021 Priorities generally retain perennial risk areas as the Division’s core focus, but do include several new and emerging risk areas reflecting broader policy shifts under new SEC leadership.
The 2021 Priorities include: retail investors; information security and operational resilience; financial technology (“Fintech”), including digital assets; anti-money laundering; transition from the London Inter‑Bank Offered Rate (“LIBOR”); several areas covering registered investment advisers and investment companies; market infrastructure; and oversight of the Financial Industry Regulatory Authority and Municipal Securities Rulemaking Board programs and policies. Although not formal priorities, the Division will also focus on climate-related risks and environmental, social and governance (“ESG”) matters in light of recent market developments and broader attention in these areas.
After what appears to be a period of relative leniency in 2018/19, enforcement actions for violations of the EU General Data Protection Regulation (“GDPR”) have since intensified. In 2020, according to publicly available information, supervisory authorities across the EU and the UK Information Commissioner’s Office (“ICO”) have issued over EUR 170 million worth of fines combined, with six of the top ten individual fines imposed being issued in 2020.
In a decision with potentially far-reaching implications, Alasaad v. Mayorkas, Nos. 20-1077, 20-1081, 2021 WL 521570 (1st Cir. Feb. 9, 2021), the First Circuit recently rejected First and Fourth Amendment challenges to the U.S. government agency policies governing border searches of electronic devices. These policies permit so-called “basic” manual searches of electronic devices without any articulable suspicion, requiring reasonable suspicion only when officers perform “advanced” searches that use external equipment to review, copy, or analyze a device. The First Circuit held that even these “advanced” searches require neither probable cause nor a warrant, and it split with the Ninth Circuit in holding that searches need not be limited to searches for contraband, but may also be used to search for evidence of contraband or evidence of other illegal activity. This decision implicates several takeaways for company executives entering and leaving the United States, particularly if they or their employers are under active investigation. In-house counsel in particular should consider the implications of the decision given obligations of lawyers to protect the confidentiality of attorney-client privileged information.
Recently, the New York Department of Financial Services (“DFS”) issued two memoranda addressing the ongoing increase in cyberattacks. The first recent guidance provides best practices for insurance entities with regard to cyber insurance. The second guidance deals with the surge in benefits fraud that has been ongoing since the beginning of the COVID-19 pandemic, with directions on how regulated entities can best secure data.
Last month, in Guo Wengui v. Clark Hill, PLC, the United States District Court for the District of Columbia granted Plaintiff’s motion to compel production of Defendant’s third-party forensic investigation report following a cybersecurity incident. The court held that the forensic report was not covered by the attorney-client privilege or the work product doctrine, providing a cautionary tale for companies conducting post-breach investigations.
On January 12, 2021, the United States District Court for the Central District of California granted Marriott’s motion to dismiss in Arifur Rahman v. Marriott International, Inc. et al., a class action filed against the company following its disclosure of a data breach in March 2020. The court held that Plaintiff lacked standing to sue, breathing life into a defense that has been unsuccessful in several recent cases.
The litigation against Marriott stemmed from its announcement that two employees of a Marriott franchise in Russia accessed personal information of 5.2 million guests. The company further acknowledged that the compromised information included names, addresses, emails, phone numbers, and other personal details such as birth dates. In April 2020, Plaintiff Arifur Rahman (“Plaintiff”), on behalf of a class, alleged six causes of action against Marriott International (“Defendant”): (1) negligence; (2) violation of the California Consumer Privacy Act; (3) breach of contract; (4) breach of implied contract; (5) unjust enrichment; and (6) violation of the California Unfair Competition Law.
Cybersecurity and data privacy, topics that were already top of mind for companies at the start of 2020, were pushed even further to the forefront due to the COVID-19 pandemic, significant data security enforcement actions, and the SolarWinds breach discovered in December.
The increased prevalence of remote work made it all the more critical for companies to manage cybersecurity risk. In a recent survey of business and technology executives, 96% of respondents said that they will shift their cybersecurity strategy due to COVID-19 and 50% say that they are more likely to consider cybersecurity in every business decision (up from 25% last year). While cyber and privacy risks were continuing to grow, 2020 also saw new legislation and regulations that increased both the cost and complexity of compliance and the penalties for failing to do so. And, on top of everything, cyber and privacy enforcement and litigation, already at high levels, were more active than ever.
In this Year in Review, we highlight the most significant cybersecurity and privacy developments of 2020 and predict key challenges and areas of focus for the coming year.
The following post was originally included as part of our recently published memorandum “Selected Issues for Boards of Directors in 2021”.
Cybersecurity, a topic that was already top of mind for boards and corporate stakeholders at the start of the year, was pushed even further to the fore in the wake of the COVID-19 pandemic. The increased prevalence of remote working made it all the more critical for companies to manage cybersecurity risk. In a recent survey of business and technology executives, 96% of respondents said that they will shift their cybersecurity strategy due to COVID-19, and 50% say that they will consider cybersecurity in every business decision (up from 25% last year). Boards in turn will take on an increasing role in managing oversight of this high-stakes issue.