The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

By Topic: Data Breach Litigation

  • From Vol. 4 No.42 (Dec. 12, 2018)

    Understanding the Potential Implications of Pennsylvania’s Newly Recognized Common Law Duty to Protect Personal Information

    The negligent failure to implement reasonable data security is now a viable claim according to Pennsylvania’s Supreme Court, which recently recognized a common law duty to protect personal information. The court did not see itself creating a new duty, but articulating one that already existed, Ed McAndrew, partner at Ballard Spahr, told The Cybersecurity Law Report. Because the decision “doesn’t place guardrails around the legal reasoning,” it could “certainly expand quickly beyond the employer-employee relationship.” In this article, we explore the potentially broad impact of this decision in both scope and geography. See also “Synthesizing New York and Colorado’s Trailblazing Data Security Regulations for Financial Firms” (Jul. 12, 2017); and “What to Expect From California’s Expansive Privacy Legislation” (Jul. 18, 2018).

  • From Vol. 4 No.30 (Sep. 19, 2018)

    Ohio Adopts Pioneering Cybersecurity Safe Harbor for Companies

    Organizations struggle to understand how the government will view their security programs, and what liability they will have after a data security incident. In the absence of U.S. federal regulation, more states are taking legislative action to provide some clarity. The recently signed Ohio Data Protection Act, which comes into effect on November 2, 2018, will create a safe harbor for covered entities that implement a cybersecurity program in accordance with the act’s requirements. Organizations will be able to use the safe harbor as an affirmative defense in post-breach litigation. The Act is likely to benefit businesses that qualify for the safe harbor, but its greatest significance, said Jason Wool, a counsel at ZwillGen, is that it may be “indicative of a future trend in which states – and maybe even the federal government – will provide meaningful incentives to companies for the implementation of cybersecurity frameworks and standards on a voluntary basis.” See also “Colorado’s Revised Cybersecurity Law Clarifies and Strengthens Existing Requirements” (Sep. 12, 2018); and “Analyzing New and Amended State Breach Notification Laws” (Jun. 6, 2018).

  • From Vol. 4 No.30 (Sep. 19, 2018)

    Measures for Resolving Business Disputes Over Data Privacy and Security

    Data breach incidents often result in finger-pointing: Whose fault was it? Who should have discovered it sooner? Who will be paying for the cleanup of the problem? Should tensions escalate as businesses attempt to answer those very questions, a company may well be tempted to resolve the matter in court. But that may not be the best possible venue for complicated technical issues and sometimes conflicting legal requirements to be resolved. In a recent Practising Law Institute presentation, panelists discussed the delicate considerations associated with B2B data incident disputes, including unwanted publicity and undesirable precedents, the viability of alternative approaches to dispute resolution and how to avoid being caught up in a legal quagmire. The Cybersecurity Law Report shares pertinent insights from the experts. See also “How to Maximize a Cybersecurity Budget in a Time of Change” (Aug. 22, 2018), “How Small Businesses Can Maximize Cybersecurity Protections and Prioritize Their Spending” (Jul. 12, 2017) and “Managing Risk for the Internet of Things in the Current Regulatory Landscape” (May 11, 2016).

  • From Vol. 4 No.15 (Jun. 6, 2018)

    Analyzing New and Amended State Breach Notification Laws

    With the recent adoption of statutes by Alabama and South Dakota this year, all 50 states have breach notification laws integrating notification procedures. Arizona, Colorado and Oregon have also recently revised and strengthened their existing data breach notification laws. This article details the provisions of the new statutes and amendments, with insights from McGuireWoods partner Janet P. Peyton. See “Synthesizing Breach Notification Laws in the U.S. and Across the Globe” (Mar. 2, 2016).

  • From Vol. 4 No.3 (Feb. 14, 2018)

    Dynamic Regulations and Shareholder Actions Guide the Board’s Shifting Role in Cyber (Part Two of Two)

    As large-scale data breaches become regular occurrences, and new regulations are implemented, shareholder derivative suits are increasingly being used by investors seeking to be made whole after data breaches. Boards of directors need to take note and understand the increasing costs and risks these suits pose. In this second part of a guest article series, Shearman & Sterling attorneys Jeewon Kim Serrato, Marc Elzweig and David Lee draw on the recent cases examined in part one and identify five lessons that boards may learn from these suits – lessons that are applicable to companies seeking to assess litigation risks related to data breaches and that also provide a practical starting point for managing cybersecurity risks in general. See “Key Post-Breach Shareholder Litigation, Disclosure and Insurance Selection Considerations” (Aug. 3, 2016).

  • From Vol. 4 No.3 (Feb. 14, 2018)

    NY AG and HHS Flex Regulatory Muscles in Recent Protected Health Information Breach Settlements

    Recent enforcement actions against Aetna Inc. and Fresenius Medical Care Holdings, Inc. resulted in respondents agreeing to pay significant fines and to update their policies, procedures and training. These cases, brought by the Office of the Attorney General of the State of New York and the Office for Civil Rights of the U.S. Department of Health & Human Services, are an important reminder that human error is often a significant factor in data breaches and that physical security is a critical component of data privacy. In addition, the Aetna action is the most recent example of New York's active cybersecurity efforts. "New York has been on the leading edge of data security regulation. . . The Attorney General [] has been proactive," Patterson Belknap partner Craig A. Newman told The Cybersecurity Law Report. "It's fair to say that cyber is at the top of the state's regulatory agenda." We detail the breaches and settlement terms. See also “Takeaways From State AGs’ Record-Breaking Target Data Breach Settlement” (May 31, 2017).

  • From Vol. 4 No.2 (Jan. 31, 2018)

    Dynamic Regulations and Shareholder Actions Guide the Board’s Shifting Role in Cyber (Part One of Two)

    Post-breach litigation can be costly, and the rise of one type in particular – shareholder derivative suits filed against boards of directors of companies that have suffered data breaches – merits further attention. Regulatory changes, including the GDPR, may make such suits more frequent in addition to creating other data breach response expenses. Boards of directors need to take note and understand these increasing costs and risks. In part one of this guest article series, Jeewon Kim Serrato, David Lee and Marc Elzweig, attorneys at Shearman & Sterling, review the evolving understanding of the board of directors’ responsibility for cybersecurity and consider several shareholder derivative suits filed in the wake of data breaches as case studies. In part two, they will consider some of the lessons that boards may learn from these suits. See “Key Post-Breach Shareholder Litigation, Disclosure and Insurance Selection Considerations” (Aug. 3, 2016).

  • From Vol. 4 No.1 (Jan. 17, 2018)

    A Wake-Up Call: Data Breach Standing Is Getting Easier

    A year’s worth of federal appellate decisions that considered the standing issue following Spokeo demonstrates that plaintiffs have become increasingly successful at persuading federal judges that they had pled a constitutional injury. This is a dramatic reversal in the trajectory of federal jurisprudence on “standing” in data breach cases and should be a wake-up call to companies that collect personal information from consumers, Boies Schiller Flexner attorneys Travis LeBlanc and Jon R. Knight argue. In this guest article, they analyze important standing decisions to date and provide advice to companies and their counsel on preparing for data breach litigation in 2018. See also “Third and Seventh Circuits Shed New Light on Spokeo Standing Analysis” (Feb. 8, 2017).

  • From Vol. 3 No.11 (May 31, 2017)

    Takeaways From State AGs’ Record-Breaking Target Data Breach Settlement

    In the largest multistate data breach settlement to date, Target Corporation recently agreed to pay $18.5 million, develop and implement an information security program and retain a third party to assess and report on the program. Target has now spent more than $200 million responding to the fallout from its 2013 holiday-season data breach. This settlement, along with the Safetech settlement in NY, is a clear indication that the state AGs are determined to have a say on best cybersecurity practices, experts told The Cybersecurity Law Report. This article addresses Target’s handling of the breach and its aftermath and offers compliance takeaways for other companies. See also “Lessons From the 2013 Target Data Breach: What Future Resolutions of Large-Scale Data Breaches May Look Like” (May 6, 2015).

  • From Vol. 3 No.8 (Apr. 19, 2017)

    The Wisdom of Planning Ahead: The Duty to Preserve Backup Tapes, Mobile Devices and Instant Messages

    The complexities and pace of litigations and investigations often require companies to respond to competing demands quickly. Sometimes, in the heat of the battle and faced with extensive discovery demands and requests, parties fail to satisfy their obligation to preserve relevant material. In this guest article, Covington & Burling attorneys provide an overview of the duty to preserve and set forth issues to consider when accounting for this duty, particularly as it relates to backup systems, mobile devices and instant messaging. See also “Proactive Steps to Protect Your Company in Anticipation of Future Data Security Litigation (Part One of Two)” (Nov. 25, 2015); Part Two (Dec. 9, 2015).

  • From Vol. 3 No.8 (Apr. 19, 2017)

    How to Walk the Tightrope of Cooperation and Privilege When Facing Government Investigations and Parallel Litigation

    Companies and their counsel walk a delicate tightrope when undergoing simultaneous government investigations and civil lawsuits over data breaches – balancing competing interests, processes and incentives. A recent Practising Law Institute panel, which included attorneys from Wyndham Hotel Group, Dentons, Crowell & Moring and Troutman Sanders eMerge, provided insight and advice about handling the challenge of responding to related requests under different rules with different strategies. See also our three-part series on protecting attorney-client privilege and attorney work product while cooperating with the government: “Establishing Privilege and Work Product in an Investigation” (Feb. 8, 2017); “Strategies to Minimize Risks During Cooperation” (Feb. 22, 2017); and “Implications for Collateral Litigation” (Mar. 8, 2017).

  • From Vol. 3 No.3 (Feb. 8, 2017)

    Third and Seventh Circuits Shed New Light on Spokeo Standing Analysis

    After the Supreme Court’s 2016 Spokeo decision opened the possibility for statutory violations to form the basis for standing in data privacy cases even without a concrete harm, lower courts have offered their own interpretations highlighting the tension in the Spokeo holding. The Seventh Circuit and Third Circuit appellate courts recently came to different conclusions looking at claims of violations of different statutes, shedding new light on the issue. This article explores and explains these decisions. See also “Spokeo’s Impact on Data Breach Cases: The Class Action Floodgates Have Not Been Opened, But the Door Has Not Been Locked” (May 25, 2016).

  • From Vol. 2 No.21 (Oct. 19, 2016)

    How the Financial Services Industry Can Handle Cybersecurity Threats, Acquisition Diligence and Breach Response

    The financial services sector is often praised as having some of the most mature cybersecurity practices, but it also holds especially sensitive data and is one of the most common targets for malicious hackers. Asset managers in particular are confronted with general cybersecurity risks while navigating industry nuances. At a recent panel hosted by Major, Lindsey & Africa, Debevoise partners Luke Dembosky and Jim Pastore, both former federal prosecutors, addressed emerging cybersecurity threats, risks from vendors, potential breaches in a pre-acquisition and post-acquisition context, breach response and special considerations for breaches of investor or consumer data. Much of the advice is relevant to all companies grappling with data security risks and breach consequences. See also our two-part series on how the financial services sector can meet the cybersecurity challenge: “A Snapshot of the Regulatory Landscape (Part One of Two)” (Dec. 9, 2015); “A Plan for Building a Cyber-Compliance Program (Part Two)” (Jan. 6, 2016).

  • From Vol. 2 No.20 (Oct. 5, 2016)

    Eighth Circuit Sides With Defendants As the Spokeo Standing Battle Continues 

    In the aftermath of Spokeo, courts have had to wrestle with the notion of “concreteness” and the other facets of the standing doctrine in the statutory context. In Braitberg v. Charter Communications, Inc., the Eighth Circuit recently weighed in, finding standing cannot arise from a mere statutory violation alone without a consequent concrete harm. However, Spokeo still arguably leaves the door open for a plaintiff-friendly Article III analysis in the data privacy context or where the lawsuit stems from a hacking incident, Deborah Renner, a partner at BakerHostetler, says in a guest article. She examines the current state of Article III standing decisions in the context of the Eighth Circuit’s most recent pronouncement and discusses some of the most recent arguments likely to stand up on both sides of the bar. See “Making Sense of Conflicting Standing Decisions in Data Breach Cases” (Mar. 30, 2016).

  • From Vol. 2 No.17 (Aug. 24, 2016)

    Takeaways From the FTC’s Revival of the LabMD Action 

    What constitutes privacy harm? What are reasonable data security practices? Companies and regulators struggle to pin down these pressing questions while technology keeps moving the baseline. In the first data security case litigated before the FTC, the agency provided some answers, finding that the data security practices of LabMD were unfair under the FTC Act. The FTC disagreed with the Administrative Law Judge, who held in November 2015 that the FTC had not shown that LabMD’s conduct caused, or is likely to cause, substantial consumer injury. “The bottom line significance for companies is that you have to have reasonable security at the outset,” Phyllis Marcus, Hunton & Williams counsel, said. “Everything else flows from that. It matters much less what happens to a document once it’s breached or leaked and what actual consumer harm may be down the road than what the security measures were at the outset.” For a discussion of the ALJ’s November decision, see “FTC Loses Its First Data Security Case” (Nov. 25, 2015).

  • From Vol. 2 No.16 (Aug. 3, 2016)

    Key Post-Breach Shareholder Litigation, Disclosure and Insurance Selection Considerations

    Publicly traded companies face an array of cyber-related decisions beyond how to best secure their data – chief among them are when and to whom to disclose cyber risks, how to handle shareholder litigation that follows a breach and what type of insurance policy to choose to mitigate post-breach costs. At a recent seminar hosted by the Practising Law Institute, speakers from Labaton Sucharow, BitSight Technologies and Beecher Carlson addressed considerations for making disclosures to investors both prior to and following data breaches, elements of a securities fraud case and the scope of possible insurance coverage to mitigate losses following a breach. See also “Proactive Steps to Protect Your Company in Anticipation of Future Data Security Litigation” Part One (Nov. 25, 2015); Part Two (Dec. 9, 2015).

  • From Vol. 2 No.12 (Jun. 8, 2016)

    Minimizing Class Action Risk in Breach Response

    Cybersecurity programs today must take into consideration the risk of class action litigation and include measures to mitigate those risks. David Lashway, a partner and global cybersecurity practice lead at Baker & McKenzie, spoke with The Cybersecurity Law Report in advance of ALM’s Mid-Year Cybersecurity and Data Protection Legal Summit on June 15, 2016, at the Harvard Club in New York City, where he will participate as a panelist. An event discount code is available to CSLR readers inside the article. In our interview, Lashway addresses mitigating litigation risk following a data security incident, takeaways from recent cases such as Target and Sony and class action litigation trends. See also “Proactive Steps to Protect Your Company in Anticipation of Future Data Security Litigation”: Part One (Nov. 25, 2015); Part Two (Dec. 9, 2015).

  • From Vol. 2 No.11 (May 25, 2016)

    Spokeo’s Impact on Data Breach Cases: The Class Action Floodgates Have Not Been Opened, But the Door Has Not Been Locked

    The U.S. Supreme Court’s highly anticipated decision in Spokeo, Inc. v. Robins makes a significant mark on the landscape of data breach cases addressing the threshold Article III standing issue. In this guest article, Thomas Rohback and Patricia Carreiro, a partner and associate, respectively, at Axinn, Veltrop & Harkrider LLP, examine the significance and implications of the May 16, 2016 decision and analyze the floodgate of cases in the past week where both plaintiffs and defendants have run to the court in reliance upon Spokeo. See also “When Do Consumers Have Standing to Sue Over Data Breaches?” (May 11, 2016).

  • From Vol. 2 No.10 (May 11, 2016)

    When Do Consumers Have Standing to Sue Over Data Breaches?

    When a company is hacked, civil litigation often follows, and the types of claims brought against hacked companies – like in the recent P.F. Chang’s case – include a host of traditional common law and statutory claims. None of these claims can succeed, however, unless plaintiffs can establish standing. This threshold issue has plagued plaintiffs in data breach cases, but a federal appeals court recently ruled in their favor by reversing the dismissal of a class action. In a guest article, Thomas Rohback and Patricia Carreiro, a partner and associate, respectively, of Axinn, Veltrop & Harkrider, analyze the progeny of standing outcomes in data breach cases, including the Lewert v. P.F. Chang’s holding, and examine what this issue and others might look like in future data breach class actions. See also “Making Sense of Conflicting Standing Decisions in Data Breach Cases” (Mar. 30, 2016).

  • From Vol. 2 No.9 (Apr. 27, 2016)

    Federal Judge Offers Advice on Litigating Data Privacy, Security Breach and TCPA Class Action Suits

    What is the best way to explain technology to judges and juries? What questions can lawyers expect at the first case management conference? At a recent Practising Law Institute program, Chief Magistrate Judge Joseph C. Spero of the Northern District of California answered these and other questions lawyers face, offering advice on topics such as the best way to approach discovery issues and how to handle settlements in data breach, data privacy and TCPA class action cases. Ian C. Ballon, a partner at Greenberg Traurig, moderated the discussion. See also “In-House and Outside Counsel Offer Strategies for Navigating the TCPA, Avoiding Litigation and Responding to Breaches” (Mar. 30, 2016).

  • From Vol. 2 No.9 (Apr. 27, 2016)

    Regulators Speak Candidly About Cybersecurity Trends, Priorities and Coordination

    Understanding the regulators’ priorities and concerns can help a company work effectively with them to investigate and respond to cybersecurity incidents. In a recent panel at the ABA National Institute on Cybersecurity Litigation, authorities from the DOJ, the SEC, the FCC and the Connecticut Attorney General’s office weighed in about the cyber threat landscape, their agencies’ enforcement priorities, strategies for collaboration (including when and how information shared with the government will remain confidential) and effective incident response. See also “Private and Public Sector Perspectives on Producing Data to the Government” (Jun. 3, 2015).

  • From Vol. 2 No.8 (Apr. 13, 2016)

    Picking up the Pieces After a Cyber Attack and Understanding Sources of Liability

    The expanding range of cyber threats companies face is forcing them to consider how best to anticipate, prevent and manage cyber attacks. In a recent PLI program, Brian E. Finch, a partner at Pillsbury Winthrop Shaw Pittman, discussed the changing landscape of cyber threats, sources of liability for a company and strategies to manage cybersecurity risk and related litigation, including a list of post-breach do’s and don’ts. See also “After a Cyber Breach, What Laws Are in Play and Who Is Enforcing Them?” (May 20, 2015).

  • From Vol. 2 No.7 (Mar. 30, 2016)

    Making Sense of Conflicting Standing Decisions in Data Breach Cases

    Does a data breach constitute a case or controversy for purposes of Article III standing? This is a threshold question that could dramatically change the course for data breach cases, yet the answer remains uncertain. If a court does not find standing, the proposed class cannot seek relief in court and plaintiffs’ relief would be limited to statutory damages and/or penalties imposed, for example, under various state data breach laws. In 2013, the United States Supreme Court’s decision in Clapper v. Amnesty International USA was widely seen to shut the courthouse door on data breach class actions. In 2015, however, some significant case law at the circuit court level called this belief into question. In a guest article, Christina H. Bost Seaton, a partner at FisherBroyles, surveys these developments and a case that could potentially change the landscape.

  • From Vol. 2 No.3 (Feb. 3, 2016)

    How In-House Counsel, Management and the Board Can Collaborate to Manage Cyber Risks and Liability (Part Two of Two) 

    Through engagement, risk assessment, and continual review of cybersecurity risks and solutions, directors can mitigate both their own liability and the data security and litigation risks threatening the company. Part two of our two-part series on the board’s critical role in cybersecurity and data privacy issues addresses: how the board can follow up on management presentations; steps it should take after a breach; recent post-breach derivative suit caselaw; and how the board, in-house counsel and management can ensure a strong defense to such derivative actions. Part one provided best practices for management and in-house counsel to educate the board and keep the directors updated on cyber-related issues. See also “The Multifaceted Role of In-House Counsel in Cybersecurity” (Dec. 9, 2015).

  • From Vol. 1 No.18 (Dec. 9, 2015)

    Proactive Steps to Protect Your Company in Anticipation of Future Data Security Litigation (Part Two of Two)

    There are several steps companies can take before and after a data breach to best position themselves for the litigation likely to follow.  In this second installment of our coverage of a recent Mintz Levin webinar, partners Kevin McGinty and Mark Robinson explore best practices for internal investigations and common defenses in data breach class actions.  The first article featured insight from partner Meredith Leary on how companies can put themselves in the best position now to defend their actions post-breach and Robinson’s list of threshold questions that companies can ask themselves at the outset of a data breach internal investigation.

  • From Vol. 1 No.17 (Nov. 25, 2015)

    Proactive Steps to Protect Your Company in Anticipation of Future Data Security Litigation (Part One of Two)

    In addition to the direct consequences of a data security incident, many companies that suffer data breaches must face lawsuits.  In a recent webinar, Mintz Levin members Meredith Leary, Kevin McGinty and Mark Robinson discussed the various types of data security litigation and gave advice on how companies can best prepare for the likelihood of a lawsuit after a data breach.  This article, the first in a two-part series, features their insight on how companies can put themselves in the best position now to defend their actions later.  The panelists also identified threshold questions that companies can ask themselves during an internal investigation following a data breach.  In the second article, they further explore best practices for internal investigations and common defenses in data breach class actions.  See also “Liability Lessons from Data Breach Enforcement Actions,” The Cybersecurity Law Report, Vol. 1, No. 16 (Nov. 11, 2015).

  • From Vol. 1 No.16 (Nov. 11, 2015)

    Target Privilege Decision Delivers Guidance for Post-Data Breach Internal Investigations

    In a ruling that may clarify how companies should conduct breach responses to preserve privilege, on October 23, 2015, a federal district court in Minnesota found that certain documents created during Target’s internal investigation of its 2013 payment card breach were protected by the attorney-client privilege and work product doctrine. The Target case “is one of the first cases we are seeing in the data breach context where the privilege issue has been tested,” Michelle A. Kisloff, a partner at Hogan Lovells, said. The Court’s denial of class plaintiffs’ motion to compel production of these documents recognized “that data breach victims have a legitimate need to perform an investigation in the aftermath of a breach in which communications are protected by the attorney-client privilege,” Michael Gottlieb, a partner at Boies, Schiller & Flexner, told The Cybersecurity Law Report. See also “Preserving Privilege Before and After a Cybersecurity Incident (Part One of Two),” The Cybersecurity Law Report, Vol. 1, No. 6 (Jun. 17, 2015); Part Two, Vol. 1, No. 7 (Jul. 1, 2015).

  • From Vol. 1 No.16 (Nov. 11, 2015)

    Liability Lessons from Data Breach Enforcement Actions

    Inadequate cybersecurity measures can expose companies not only to data breach incidents, but to liability from multiple fronts, including state attorneys general, the FTC and civil litigants.  In a recent panel at the Practising Law Institute, Michael Vatis, a Steptoe & Johnson partner, and KamberLaw partner David Stampley discussed the dynamic enforcement and judicial climate in this space, distilling actionable takeaways from recent settlements with state attorneys general, FTC actions including Wyndham, and evolving consumer litigation jurisprudence.  The enforcement actions and litigations are instructive for companies seeking to fortify their internal information security and data privacy efforts and guard against the risk of liability in the event of a breach.  See also “After a Cyber Breach, What Laws Are in Play and Who Is Enforcing Them?,” The Cybersecurity Law Report, Vol. 1, No. 4 (May 20, 2015). 

  • From Vol. 1 No.13 (Sep. 30, 2015)

    Learning from the Target Data Breach About Effective Third-Party Risk Management (Part Two of Two)

    Third-party relationships are integral to companies of all sizes, and bring with them increasingly sophisticated cybersecurity risk, as highlighted by the Target data breach.  In our continued coverage of a recent third-party risk management webinar, Mintz Levin attorneys Cynthia Larose and Peter Day provide concrete strategies for implementing and monitoring a third-party risk management program that protects data from third-party security breaches.  In part one, they discussed lessons from Target’s breach, and business and regulatory justifications for a strong third-party risk management program.  See also “Designing and Implementing a Three-Step Cybersecurity Framework for Assessing and Vetting Third Parties (Part One of Two),” The Cybersecurity Law Report, Vol. 1, No. 1 (Apr. 8, 2015); Part Two, Vol. 1, No. 2 (Apr. 22, 2015).

  • From Vol. 1 No.12 (Sep. 16, 2015)

    Privacy and Cybersecurity in Canada: Legal Risk Update

    Privacy and cybersecurity considerations are currently a key focus of private and public sector organizations, governments and individuals worldwide.  Canada is no exception.  In fact, although Canada has long been considered a global leader in striking a reasonable balance between the protection of privacy and needs of organizations, in recent years Canada has seen the emergence of unprecedented legal risks in respect of privacy and cybersecurity matters. As Alex Cameron, a partner at Fasken Martineau, explains in a guest article, organizations doing business in Canada (or that process information about Canadians) should take note of the dramatic increase in privacy litigation and class actions in Canada, and the recent introduction of mandatory breach notification, reporting and recordkeeping in Canada.  Cameron explains the developments and summarizes recent cases.  See also “Canada’s Digital Privacy Act: What Businesses Need to Know,” The Cybersecurity Law Report, Vol. 1, No. 9 (Jul. 29, 2015).

  • From Vol. 1 No.12 (Sep. 16, 2015)

    Learning from the Target Data Breach About Effective Third-Party Risk Management (Part One of Two)

    Companies and law firms are increasingly partnering with vendors and other third parties to outsource formerly in-house functions in order to reduce operating costs and increase focus on core businesses.  But, as Mintz Levin attorneys Cynthia Larose and Peter Day said during a recent webinar, the potential consequences of failing to adequately manage the risks associated with giving third parties access to highly confidential systems and information can be disastrous, as evidenced by the 2013 Target data breach.  In part one of our two-part article series, Larose and Day discuss lessons from Target’s breach and business and regulatory justifications for a strong third-party risk management (TPRM) program.  In part two, they will detail strategies for implementing and monitoring a TPRM program that protects companies’ data – and their clients’ and customers’ data – from third-party security breaches.  See “Designing and Implementing a Three-Step Cybersecurity Framework for Assessing and Vetting Third Parties (Part One of Two),” The Cybersecurity Law Report, Vol. 1, No. 1 (Apr. 8, 2015); Part Two of Two, Vol. 1, No. 2 (Apr. 22, 2015).

  • From Vol. 1 No.9 (Jul. 29, 2015)

    Analyzing and Complying with Cyber Law from Different Vantage Points (Part Two of Two)

    As breaches proliferate, civil litigations related to breaches have too – and some of them can become “bet the company” cases.  In our continued coverage of a recent conference hosted by Georgetown Law’s Cybersecurity Law Institute, panelists discuss the compliance lessons from shareholder derivative suits and class actions that have followed breaches, as well as how companies should use government cybersecurity guidance in their programs.  The moderator and panelists come to cybersecurity and data privacy with different perspectives – the panel included plaintiffs’ counsel from Edelson PC; principal for reliability and cybersecurity for Southern California Edison; in-house counsel at IT company CACI International; and defense counsel from Alston & Bird.  The first article of this two-part series contained the panelists’ insights on the sources of liability for companies, best practices when collecting personal data and takeaways from government enforcement actions.

  • From Vol. 1 No.9 (Jul. 29, 2015)

    Seventh Circuit Reopens a Door for Plaintiffs in Data Breach Class Actions

    The Seventh Circuit recently revived a prominent data breach class action by reversing the lower court’s dismissal, and in doing so gave similarly situated plaintiffs ammunition to argue that they have standing.  In Remijas v. Neiman Marcus Group LLC, the Court found that class action plaintiffs satisfied the Article III standing requirements for injury, a hurdle that many similar plaintiffs have failed to clear.  The decision contains lessons for both plaintiffs and defendants in future data breach class actions.  See also “Lessons from the 2013 Target Data Breach: What Future Resolutions of Large-Scale Data Breaches May Look Like,” The Cybersecurity Law Report, Vol. 1, No. 3 (May 6, 2015).

  • From Vol. 1 No.8 (Jul. 15, 2015)

    Analyzing and Complying with Cyber Law from Different Vantage Points (Part One of Two)

    Cybersecurity and privacy issues have catapulted to the forefront of current hot-button legal topics, and companies are taking steps to prevent breaches and satisfy regulators, panelists said at a recent conference hosted by Georgetown Law’s Cybersecurity Law Institute.  The moderator and panelists come to cybersecurity and data privacy with different perspectives – plaintiffs’ counsel from Edelson PC; principal for reliability and cybersecurity for Southern California Edison; in-house counsel at IT company CACI International; and defense counsel from Alston & Bird.  In a panel examining emerging law on corporate cyber liability, they shared their insights on the sources of liability for companies, best practices when collecting personal data, the compliance lessons from government enforcement actions, as well as from shareholder derivative suits and class actions that have followed breaches.  Part two of this article series will cover their considerations for settling cybersecurity liability cases.

  • From Vol. 1 No.3 (May 6, 2015)

    Lessons from the 2013 Target Data Breach: What Future Resolutions of Large-Scale Data Breaches May Look Like

    The legal fallout from the massive Target data breach that compromised the credit card and personal information of up to 110 million customers has been significant.  Target was named in over 50 class action lawsuits, filed both by consumers whose information was compromised and financial institutions that issued at least 40 million compromised cards.  In a guest article, Debevoise & Plimpton attorneys Jeremy Feigelson, David A. O’Neil, Jim Pastore and Megan K. Bannigan detail the two settlements Target has announced, and discuss how those settlements provide insight on the form future large-scale data breach settlements could take.
