Global Legal Developments related to Cybersecurity Incidents, Cyber Corporate Governance and Regulation Issues, and Privacy and Data Protection Laws
Over the last year, the existential risk posed by cyberattacks and data security vulnerabilities has become one of the top concerns for boards of directors, management, government agencies, and the public.
This memo surveys some of the key cybersecurity and data privacy developments of 2017, including the major data breaches and cyberattacks, regulatory and legislative actions, and notable settlements and court decisions, with an eye towards what may be in store in 2018.
The new mandatory personal data breach notification regime introduced by the GDPR should be a key area of focus for organizations seeking to put in place GDPR compliance programs. Personal data breaches are not only increasingly frequent and on the front pages, they are also one of the most likely causes of complaints being made by individuals against an organization and most likely subjects of investigation by data protection authorities (“DPAs”). Regardless of whether an organization is at fault in allowing a breach to occur, its response will materially affect the impact of the breach on data subjects, and therefore the potential consequences for the organization itself. Personal data breach management – of which breach notification forms a large part – should therefore be a priority area in any organization’s compliance efforts, including with respect to the GDPR. Continue Reading Notification of data breaches under the GDPR – 10 Frequently Asked Questions
On December 27, 2017, the New York Secretary of State sent a demand letter to Equifax Inc.’s interim CEO requesting additional information to aid the Division of Consumer Protection’s efforts “to investigate, mediate and/or mitigate identity theft complaints from consumers generally” as well as its investigation into the data breach disclosed by Equifax, Inc. on July 29, 2017, in which the personal data of approximately 143 million individuals (including 8.4 million New York residents) was compromised. The letter demands that Equifax, Inc. provide a direct contact to respond to consumer concerns and requests information in 10 categories, including (a) a summary of the credit reporting agency’s plan (if any) to make affected New York residents “whole” following the breach, (b) a copy of the forensic review prepared by the cybersecurity firm Mandiant, (c) New York-specific data for those consumers whose credit card details or dispute documents containing personally identifiable information were exposed in the breach and (d) the number of children 15 years old and younger affected by the breach, nationwide as well as within New York, and the “long-term protection response” (if any) created for such affected children. The demand was made pursuant to emergency regulations adopted by the Department of State in December 2017 that require credit reporting agencies to respond to requests made by the Division of Consumer Protection within 10 business days. A company spokesperson for Equifax, Inc. confirmed on January 4, 2018 that the credit reporting agency intends to respond to the demand letter within the required time period. This demand is the latest development in a plethora of investigations by various law enforcement agencies and regulators into the breach and follows requests for information from all 50 state attorneys general as well as a subpoena from the New York Department of Financial Services (“DFS”). Continue Reading New York Regulator Demands Additional Information from Equifax
A recent decision by an intermediate Illinois appellate court, Rosenbach v. Six Flags Entm’t Corp.,[1] suggests that state courts—which are not bound by federal Article III standing limitations in entertaining suits—will not necessarily provide a more plaintiff-friendly forum for data privacy suits than their federal counterparts.
Earlier this month, we wrote about the Second Circuit’s summary order in Vigil v. Take-Two Interactive Software, Inc.[2] There, the court affirmed the dismissal of a class action lawsuit brought in the Southern District of New York under the Illinois Biometric Information Privacy Act[3] (“BIPA”) for want of Article III standing because the plaintiffs had failed to allege an injury-in-fact, but remanded the case with instructions to amend the judgment and enter a dismissal without prejudice.[4] The district court had ruled that the BIPA’s limitation of the private right of action to a “person aggrieved by a violation” meant that the plaintiffs’ failure to allege an injury-in-fact was also fatal to their claims as a matter of state law, meaning that the case should be dismissed with prejudice for failure to state a claim.[5] The Second Circuit vacated that portion of the ruling on jurisdictional grounds, which left the door open for the plaintiffs to attempt to bring their claims in state court without any allegation of actual harm. Continue Reading Illinois Appellate Court Holds That Mere Technical Violations Of Data Privacy Statute Are Insufficient To State A Claim
In the wake of the high-profile breaches at Equifax and Uber, several constituencies have been making a sustained push for a federal data protection and breach statute. Last week, a broad coalition of bank, insurance and retail associations urged Congress to pass national legislation establishing uniform data protection and breach notification standards. In their letter, the organizations stressed that businesses and consumers would benefit from uniform requirements, in contrast to the current regime involving overlapping and sometimes differing State requirements. Among other things, the letter urged Congress to adopt legislation that imposed flexible and scalable standards for data protection depending on the size and nature of the company and exclusive enforcement of the new national standards by the FTC and state Attorneys General (other than entities subject to state insurance regulation or who comply with the Gramm-Leach-Bliley Act and HIPAA). Continue Reading 2018 Brings Continued Calls for a Federal Data Protection and Breach Statute
In late November, the Second Circuit issued a summary order in Vigil v. Take-Two Interactive Software, Inc,[1] which affirmed the dismissal of a class action lawsuit brought in the Southern District of New York under the Illinois Biometric Information Privacy Act (“BIPA”) for lack of standing.[2] In doing so, the court followed established Second Circuit precedent and highlighted the continuing difficulties plaintiffs face in establishing standing for certain technical violations of data privacy statutes, when those violations are unaccompanied by allegations of a breach or likelihood of improper access. The case also serves as a reminder that as states pass statutes covering new types of technology and data, companies will need to remain vigilant in protecting a wider range of information than before. Continue Reading Second Circuit Issues Order Affirming Dismissal of Data Privacy Class Action Suit
A recent enforcement action by the Massachusetts’s Attorney General Office (“Mass. AG”) serves as a stark reminder of how important it is to have robust data security policies and practices in all respects, including with respect to company equipment and locally stored data. Continue Reading Massachusetts Attorney General Settles For Data Breach Over Stolen Laptop—Sign of Increased Enforcement Scrutiny?
On November 28, 2017, Cleary Gottlieb, in partnership with K2 Intelligence and BlueVoyant, hosted an afternoon conference in New York on “Cybersecurity Lessons from the Boardroom and C-Suite to the Front Lines,” featuring data security experts, law enforcement, regulators, board members, and in-house counsel of global companies.
Click here for the key takeaways from the two plenary discussions and three break-out sessions.
On Monday, December 11, 2017, SEC Chairman Jay Clayton waded into the ongoing debate surrounding cryptocurrencies, initial coin offerings, and the regulation of both. In a statement urging potential investors to exercise caution and market professionals to focus on their responsibility to help protect investors, the Chairman warned of the susceptibility of the burgeoning crypto markets to manipulation and fraud. Continue Reading SEC Chairman Offers Views on Initial Coin Offerings
Since the adoption of the General Data Protection Regulation (GDPR) in 2016, considerable attention has focused on the vastly increased scope of potential administrative fines, and even more attention is being paid to the issue with the GDPR becoming effective on May 25, 2018. In this post, we summarize the key fining provisions, and analyze the recent relevant guidance on this issue from the Article 29 Working Party (an advisory group consisting of representatives from national data protection authorities together with the European Commission). Continue Reading Administrative Fines Under the GDPR
WE VALUE YOUR PRIVACY
This site uses cookies and full details are set out in our Cookie Policy. Essential Cookies are always on; to accept Analytics Cookies, click "I agree to all cookies." Learn more about cookies.
