The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation


By Topic: Data Privacy Litigation

  • From Vol. 4 No.30 (Sep. 19, 2018)

    Ohio Adopts Pioneering Cybersecurity Safe Harbor for Companies

    Organizations struggle to understand how the government will view their security programs, and what liability they will have after a data security incident. In the absence of U.S. federal regulation, more states are taking legislative action to provide some clarity. The recently signed Ohio Data Protection Act, which comes into effect on November 2, 2018, will create a safe harbor for covered entities that implement a cybersecurity program in accordance with the act’s requirements. Organizations will be able to use the safe harbor as an affirmative defense in post-breach litigation. The Act is likely to benefit businesses that qualify for the safe harbor, but its greatest significance, said Jason Wool, a counsel at ZwillGen, is that it may be “indicative of a future trend in which states – and maybe even the federal government – will provide meaningful incentives to companies for the implementation of cybersecurity frameworks and standards on a voluntary basis.” See also “Colorado’s Revised Cybersecurity Law Clarifies and Strengthens Existing Requirements” (Sep. 12, 2018); and “Analyzing New and Amended State Breach Notification Laws” (Jun. 6, 2018).

  • From Vol. 4 No.15 (Jun. 6, 2018)

    Analyzing New and Amended State Breach Notification Laws

    With the recent adoption of statutes by Alabama and South Dakota this year, all 50 states have breach notification laws integrating notification procedures. Arizona, Colorado and Oregon have also recently revised and strengthened their existing data breach notification laws. This article details the provisions of the new statutes and amendments, with insights from McGuireWoods partner Janet P. Peyton. See “Synthesizing Breach Notification Laws in the U.S. and Across the Globe” (Mar. 2, 2016).

  • From Vol. 4 No.11 (May 9, 2018)

    The Right to Be Forgotten: English High Court Details When Google Must Delist Links to Crimes

    Information about a person’s criminal history remains online long after many serve their time. But in what circumstances must a search engine comply with an individual’s demand to delist those links? That was the central question in the closely watched case of NT1 & NT2 v. Google LLC, the first consideration of the “right to be forgotten” by English courts. Decided on the cusp of the GDPR’s effective date, the High Court used a balancing test from the E.U.’s 2014 Google Spain case. Kelly Hagedorn, a partner in Jenner & Block’s London office, told The Cybersecurity Law Report that the decision was “a very carefully reasoned judgment” that, even in the new regime of the GDPR, would be “a useful reference point for those considering the balancing of the right to erasure and the right to freedom of speech.” See “The GDPR’s Data Subject Rights and Why They Matter” (Feb. 28, 2018).

  • From Vol. 4 No.3 (Feb. 14, 2018)

    NY AG and HHS Flex Regulatory Muscles in Recent Protected Health Information Breach Settlements

    Recent enforcement actions against Aetna Inc. and Fresenius Medical Care Holdings, Inc. resulted in respondents agreeing to pay significant fines and to update their policies, procedures and training. These cases, brought by the Office of the Attorney General of the State of New York and the Office for Civil Rights of the U.S. Department of Health & Human Services, are an important reminder that human error is often a significant factor in data breaches and that physical security is a critical component of data privacy. In addition, the Aetna action is the most recent example of New York's active cybersecurity efforts. "New York has been on the leading edge of data security regulation. . . The Attorney General [] has been proactive," Patterson Belknap partner Craig A. Newman told The Cybersecurity Law Report. "It's fair to say that cyber is at the top of the state's regulatory agenda." We detail the breaches and settlement terms. See also “Takeaways From State AGs’ Record-Breaking Target Data Breach Settlement” (May 31, 2017).

  • From Vol. 4 No.2 (Jan. 31, 2018)

    Biometric Data Protection Laws and Litigation Strategies (Part One of Two)

    Both the public and private sectors are increasingly using biometric identification as a security method, making it more important than ever to understand the wide range of relevant legal requirements and restrictions. During a recent WilmerHale webinar, firm attorneys Jonathan G. Cedarbaum and Arianna Evers analyzed the regulatory landscape related to the collection and use of biometric data. In the first installment of our two-part series, we cover their presentation on relevant state laws and notable cases, litigation strategies and defenses. Part two will cover applicable federal and international regulations. See also “Actions Under Biometric Privacy Laws Highlight Related Risks” (Dec. 6, 2017).

  • From Vol. 3 No.24 (Dec. 6, 2017)

    Actions Under Biometric Privacy Laws Highlight Related Risks

    More and more companies are using biometric data internally and in consumer interactions. Biometric identifiers and the new technologies that use them offer exciting benefits. However, as new technology often does, biometrics presents both cybersecurity and data privacy concerns. Certain states have enacted legislation and plaintiffs have filed class-action lawsuits. This article explains the regulatory and litigation landscape, focusing on recent complaints and a federal appellate dismissal. See also our three-part series on unlocking encryption: “Navigating Encryption Options and Persuading Reluctant Organizations” (Aug. 9, 2017); “A CISO’s Perspective on Encryption As Only One Strategy” (Aug. 23, 2017); and “An Attorney Weighs in on Balancing Security and Practicality” (Sep. 13, 2017).

  • From Vol. 3 No.20 (Oct. 11, 2017)

    Reconciling Data Localization Laws and the Global Flow of Information

    Data localization is the most contentious issue for privacy regulators and the increasingly data-driven global business community, data privacy professionals said in Hong Kong at the Conference of Data Protection and Privacy Commissioners. Our sister publication PaRR provides insights from Apple and Microsoft executives, as well as Chinese data privacy experts, on the state of “data nationalism” in the global business place. See “The Sword of Damocles in the Information Age: How to Face the New Challenges Under the Chinese Cybersecurity Law” (Jan. 11, 2017).

  • From Vol. 3 No.19 (Sep. 27, 2017)

    New Criteria for Employee Monitoring Practices in Light of ECHR Decision

    The Grand Chamber of the European Court of Human Rights has laid out new criteria for national courts to consider when evaluating whether companies have safeguarded employees’ right to privacy. The court sided with an employee who claimed his privacy rights were violated when his messages were recorded. In light of this decision, some companies operating in the 47 member states may want to revisit their policies on monitoring communications, experts told The Cybersecurity Law Report. We analyze the implications of the decision and how it aligns with other national laws. See “Effective and Compliant Employee Monitoring (Part One of Two)” (Apr. 5, 2017); Part Two (Apr. 19, 2017).

  • From Vol. 3 No.5 (Mar. 8, 2017)

    Defense and Plaintiff Perspectives on How to Survive Data Privacy Collateral Litigation

    While the risks of data privacy and data breach litigation are substantial, the legal standards are in flux and may depend on the court and jurisdiction in which the case lies. Lawyers are struggling to keep up, with courts issuing potentially disruptive decisions on a near-monthly basis. During a recent PLI panel, plaintiffs’ lawyer Daniel Girard of Girard Gibbs discussed the evolving landscape and its strategic implications with Robert Herrington, a Greenberg Traurig shareholder. The types of successful data privacy cases are shifting and each stage of litigation presents companies with strategic choices. The contrasting perspectives provide guidance to both plaintiffs and defendants as they weigh such choices throughout collateral data breach litigation. See also “Minimizing Class Action Risk in Breach Response” (Jun. 8, 2016).

  • From Vol. 2 No.16 (Aug. 3, 2016)

    Six State Secrets and Data Privacy Considerations in Chinese Internal Investigations 

    China’s state secrets law is the source of much angst for lawyers. While the concept of protecting state secrets is straightforward – and common to most countries – the breadth and ambiguity of China’s law, and the inconsistent way it is enforced, create unique data privacy challenges for companies operating in the PRC, especially when they are conducting internal investigations that require data to be transferred out of the country. This article, drawing on interviews with a number of attorneys practicing law on the ground in Asia, details six key considerations related to the state secrets laws for companies formulating sensible investigation strategies in China. For our companion article, see “Understanding the Far-Reaching Impact of Chinese State Secrets Laws on Data Flow” (Jul. 6, 2016). 

  • From Vol. 1 No.16 (Nov. 11, 2015)

    California Law Enforcement Faces Higher Bar in Acquiring Electronic Information

    California, looked to as a leader in privacy protections as well as breach notification requirements, has passed the California Electronic Communications Privacy Act (CalECPA), a new law that raises the bar for state law enforcement seeking electronic information.  Aravind Swaminathan and Marc Shapiro, Orrick partner and associate, respectively, told The Cybersecurity Law Report what CalECPA – which requires state law enforcement officials to secure a warrant before they can access electronic information – means for companies and individuals.  See also “Orrick Attorneys Explain California’s New Specific Standards for Breach Notification,” The Cybersecurity Law Report, Vol. 1, No. 15 (October 28, 2015).

  • From Vol. 1 No.12 (Sep. 16, 2015)

    Privacy and Cybersecurity in Canada: Legal Risk Update

    Privacy and cybersecurity considerations are currently a key focus of private and public sector organizations, governments and individuals worldwide.  Canada is no exception.  In fact, although Canada has long been considered a global leader in striking a reasonable balance between the protection of privacy and needs of organizations, in recent years Canada has seen the emergence of unprecedented legal risks in respect of privacy and cybersecurity matters. As Alex Cameron, a partner at Fasken Martineau, explains in a guest article, organizations doing business in Canada (or that process information about Canadians) should take note of the dramatic increase in privacy litigation and class actions in Canada, and the recent introduction of mandatory breach notification, reporting and recordkeeping in Canada.  Cameron explains the developments and summarizes recent cases.  See also “Canada’s Digital Privacy Act: What Businesses Need to Know,” The Cybersecurity Law Report, Vol. 1, No. 9 (Jul. 29, 2015).

  • From Vol. 1 No.8 (Jul. 15, 2015)

    Analyzing and Complying with Cyber Law from Different Vantage Points (Part One of Two)

    Cybersecurity and privacy issues have catapulted to the forefront of current hot-button legal topics, and companies are taking steps to prevent breaches and satisfy regulators, panelists said at a recent conference hosted by Georgetown Law’s Cybersecurity Law Institute.  The moderator and panelists come to cybersecurity and data privacy with different perspectives – plaintiffs’ counsel from Edelson PC; principal for reliability and cybersecurity for Southern California Edison; in-house counsel at IT company CACI International; and defense counsel from Alston & Bird.  In a panel examining emerging law on corporate cyber liability, they shared their insights on the sources of liability for companies, best practices when collecting personal data, the compliance lessons from government enforcement actions, as well as from shareholder derivative suits and class actions that have followed breaches.  Part two of this article series will cover their considerations for settling cybersecurity liability cases.
