The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

By Topic: Data Privacy Litigation

  • From Vol. 4 No.3 (Feb. 14, 2018)

    NY AG and HHS Flex Regulatory Muscles in Recent Protected Health Information Breach Settlements

    Recent enforcement actions against Aetna Inc. and Fresenius Medical Care Holdings, Inc. resulted in respondents agreeing to pay significant fines and to update their policies, procedures and training. These cases, brought by the Office of the Attorney General of the State of New York and the Office for Civil Rights of the U.S. Department of Health & Human Services, are an important reminder that human error is often a significant factor in data breaches and that physical security is a critical component of data privacy. In addition, the Aetna action is the most recent example of New York's active cybersecurity efforts. "New York has been on the leading edge of data security regulation. . . The Attorney General [] has been proactive," Patterson Belknap partner Craig A. Newman told The Cybersecurity Law Report. "It's fair to say that cyber is at the top of the state's regulatory agenda." We detail the breaches and settlement terms. See also “Takeaways From State AGs’ Record-Breaking Target Data Breach Settlement” (May 31, 2017).

  • From Vol. 4 No.2 (Jan. 31, 2018)

    Biometric Data Protection Laws and Litigation Strategies (Part One of Two)

    Both the public and private sectors are increasingly using biometric identification as a security method, making it more important than ever to understand the wide range of relevant legal requirements and restrictions. During a recent WilmerHale webinar, firm attorneys Jonathan G. Cedarbaum and Arianna Evers analyzed the regulatory landscape related to the collection and use of biometric data. In the first installment of our two-part series, we cover their presentation on relevant state laws and notable cases, litigation strategies and defenses. Part two will cover applicable federal and international regulations. See also “Actions Under Biometric Privacy Laws Highlight Related Risks” (Dec. 6, 2017).

  • From Vol. 3 No.24 (Dec. 6, 2017)

    Actions Under Biometric Privacy Laws Highlight Related Risks

    More and more companies are using biometric data internally and in consumer interactions. Biometric identifiers and the new technologies that use them offer exciting benefits. However, as new technology often does, biometrics presents both cybersecurity and data privacy concerns. Certain states have enacted legislation and plaintiffs have filed class-action lawsuits. This article explains the regulatory and litigation landscape, focusing on recent complaints and a federal appellate dismissal. See also our three-part series on unlocking encryption: “Navigating Encryption Options and Persuading Reluctant Organizations” (Aug. 9, 2017); “A CISO’s Perspective on Encryption As Only One Strategy” (Aug. 23, 2017); and “An Attorney Weighs in on Balancing Security and Practicality” (Sep. 13, 2017).

  • From Vol. 3 No.20 (Oct. 11, 2017)

    Reconciling Data Localization Laws and the Global Flow of Information

    Data localization is the most contentious issue for privacy regulators and the increasingly data-driven global business community, data privacy professionals said in Hong Kong at the Conference of Data Protection and Privacy Commissioners. Our sister publication PaRR provides insights from Apple and Microsoft executives, as well as Chinese data privacy experts, on the state of “data nationalism” in the global business place. See “The Sword of Damocles in the Information Age: How to Face the New Challenges Under the Chinese Cybersecurity Law” (Jan. 11, 2017).

  • From Vol. 3 No.19 (Sep. 27, 2017)

    New Criteria for Employee Monitoring Practices in Light of ECHR Decision

    The Grand Chamber of the European Court of Human Rights has laid out new criteria for national courts to consider when evaluating whether companies have safeguarded employees’ right to privacy. The court sided with an employee who claimed his privacy rights were violated when his messages were recorded. In light of this decision, some companies operating in the 47 member states may want to revisit their policies on monitoring communications, experts told The Cybersecurity Law Report. We analyze the implications of the decision and how it aligns with other national laws. See “Effective and Compliant Employee Monitoring (Part One of Two)” (Apr. 5, 2017); Part Two (Apr. 19, 2017).

  • From Vol. 3 No.5 (Mar. 8, 2017)

    Defense and Plaintiff Perspectives on How to Survive Data Privacy Collateral Litigation

    While the risks of data privacy and data breach litigation are substantial, the legal standards are in flux and may depend on the court and jurisdiction in which the case lies. Lawyers are struggling to keep up, with courts issuing potentially disruptive decisions on a near-monthly basis. During a recent PLI panel, plaintiffs’ lawyer Daniel Girard of Girard Gibbs discussed the evolving landscape and its strategic implications with Robert Herrington, a Greenberg Traurig shareholder. The types of successful data privacy cases are shifting and each stage of litigation presents companies with strategic choices. The contrasting perspectives provide guidance to both plaintiffs and defendants as they weigh such choices throughout collateral data breach litigation. See also “Minimizing Class Action Risk in Breach Response” (Jun. 8, 2016).

  • From Vol. 2 No.16 (Aug. 3, 2016)

    Six State Secrets and Data Privacy Considerations in Chinese Internal Investigations 

    China’s state secrets law is the source of much angst for lawyers. While the concept of protecting state secrets is straightforward – and common to most countries – the breadth and ambiguity of China’s law, and the inconsistent way it is enforced, create unique data privacy challenges for companies operating in the PRC, especially when they are conducting internal investigations that require data to be transferred out of the country. This article, drawing on interviews with a number of attorneys practicing law on the ground in Asia, details six key considerations related to the state secrets laws for companies formulating sensible investigation strategies in China. For our companion article, see “Understanding the Far-Reaching Impact of Chinese State Secrets Laws on Data Flow” (Jul. 6, 2016). 

  • From Vol. 1 No.16 (Nov. 11, 2015)

    California Law Enforcement Faces Higher Bar in Acquiring Electronic Information

    California, looked to as a leader in privacy protections as well as breach notification requirements, has passed the California Electronic Communications Privacy Act (CalECPA), a new law that raises the bar for state law enforcement seeking electronic information.  Aravind Swaminathan and Marc Shapiro, Orrick partner and associate, respectively, told The Cybersecurity Law Report what CalECPA – which requires state law enforcement officials to secure a warrant before they can access electronic information – means for companies and individuals.  See also “Orrick Attorneys Explain California’s New Specific Standards for Breach Notification,” The Cybersecurity Law Report, Vol. 1, No. 15 (October 28, 2015).

  • From Vol. 1 No.12 (Sep. 16, 2015)

    Privacy and Cybersecurity in Canada: Legal Risk Update

    Privacy and cybersecurity considerations are currently a key focus of private and public sector organizations, governments and individuals worldwide.  Canada is no exception.  In fact, although Canada has long been considered a global leader in striking a reasonable balance between the protection of privacy and needs of organizations, in recent years Canada has seen the emergence of unprecedented legal risks in respect of privacy and cybersecurity matters. As Alex Cameron, a partner at Fasken Martineau, explains in a guest article, organizations doing business in Canada (or that process information about Canadians) should take note of the dramatic increase in privacy litigation and class actions in Canada, and the recent introduction of mandatory breach notification, reporting and recordkeeping in Canada.  Cameron explains the developments and summarizes recent cases.  See also “Canada’s Digital Privacy Act: What Businesses Need to Know,” The Cybersecurity Law Report, Vol. 1, No. 9 (Jul. 29, 2015).

  • From Vol. 1 No.8 (Jul. 15, 2015)

    Analyzing and Complying with Cyber Law from Different Vantage Points (Part One of Two)

    Cybersecurity and privacy issues have catapulted to the forefront of current hot-button legal topics, and companies are taking steps to prevent breaches and satisfy regulators, panelists said at a recent conference hosted by Georgetown Law’s Cybersecurity Law Institute.  The moderator and panelists come to cybersecurity and data privacy with different perspectives – plaintiffs’ counsel from Edelson PC; principal for reliability and cybersecurity for Southern California Edison; in-house counsel at IT company CACI International; and defense counsel from Alston & Bird.  In a panel examining emerging law on corporate cyber liability, they shared their insights on the sources of liability for companies, best practices when collecting personal data, the compliance lessons from government enforcement actions, as well as from shareholder derivative suits and class actions that have followed breaches.  Part two of this article series will cover their considerations for settling cybersecurity liability cases.
