Jan. 20, 2021

Disputed Twitter Fine Offers Breach Response Lessons

Ireland’s Data Protection Commission recently issued its first GDPR fine against a big tech company, finding that Twitter had reported a breach late and inadequately documented its actions, including why it missed GDPR’s 72-hour deadline. Several other countries’ data protectors objected to Ireland’s fine amount and conclusions, eliciting a first-ever ruling from the European Data Protection Board to settle enforcement arguments between countries. In this article, we discuss with data protection leaders from Cordery Compliance, Ropes & Gray and Steptoe & Johnson key aspects of the ruling, what clarity it provides about the 72-hour deadline and other takeaways for companies. See “GDPR Enforcement Lessons and New ICO Guidance on COVID-19” (Apr. 22, 2020).

Privacy Resolutions for 2021

The start of the year presents an opportunity for organizations to assess the efficacy of their existing privacy and data security programs and the projects they should tackle in the coming months. The Cybersecurity Law Report spoke with multiple experts about where companies should direct their attention and resources and compiled the top themes for a two-part series. This second installment covers this year’s privacy priorities. Part one offered a dozen cybersecurity initiatives for 2021, including three action items tied to the fallout from the SolarWinds breach. See also “Ten Cyber and Privacy Resolutions for the New Year” (Jan. 9, 2019).

eDiscovery in Multi-Jurisdictional Investigations: Preparing to Play Multi-Level Chess

In recent years, there have been two converging trends in multi-jurisdictional corporate investigations: a greater willingness of enforcement authorities from multiple jurisdictions to coordinate enforcement and a significant increase in their willingness to use eDiscovery to assist in investigations. Combined, these two trends have made multinational internal corporate investigations similar to playing a multi-level game of chess – one wrong move can have serious consequences in multiple jurisdictions. In a guest article, Ben Barnett, Karen Coppens, Richard Hodge and Garbis Latifyan of Dechert lay out the key steps in the process and then identify six pitfalls to avoid when undertaking an integrated review plan for data in multiple jurisdictions. See “Advice on Incorporating Cybersecurity in eDiscovery” (May 31, 2017).