The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

By Topic: Judicial Decisions

  • From Vol. 4 No.16 (Jun. 13, 2018)

    The Devil Is in the Details: LabMD Imposes Limitations on the FTC’s Enforcement Authority

    In a closely watched data security case with significant implications for all enforcement actions, the United States Court of Appeals for the Eleventh Circuit struck down an FTC cease-and-desist order as impermissibly vague, providing a setback for FTC enforcement efforts. In this guest article, Buckley Sandler attorneys Elizabeth McGinn, Sasha Leonhardt and A.J. Dhaliwal explain the background of LabMD, Inc. v. FTC and the Eleventh Circuit’s decision, and provide lessons for companies examining their cybersecurity protections and data breach response programs. See “Lessons and Trends From FTC’s 2017 Privacy and Data Security Update: Enforcement Actions (Part One of Two)” (Jan. 31, 2018); Part Two (Feb. 14, 2018).

  • From Vol. 4 No.11 (May 9, 2018)

    The Right to Be Forgotten: English High Court Details When Google Must Delist Links to Crimes

    Information about a person’s criminal history remains online long after many serve their time. But in what circumstances must a search engine comply with an individual’s demand to delist those links? That was the central question in the closely watched case of NT1 & NT2 v. Google LLC, the first consideration of the “right to be forgotten” by English courts. Decided on the cusp of the GDPR’s effective date, the High Court used a balancing test from the E.U.’s 2014 Google Spain case. Kelly Hagedorn, a partner in Jenner & Block’s London office, told The Cybersecurity Law Report that the decision was “a very carefully reasoned judgment” that, even in the new regime of the GDPR, would be “a useful reference point for those considering the balancing of the right to erasure and the right to freedom of speech.” See “The GDPR’s Data Subject Rights and Why They Matter” (Feb. 28, 2018).

  • From Vol. 4 No.7 (Apr. 11, 2018)

    Breaking the Cloud: CLOUD Act Brings Data Held Overseas Under U.S. Jurisdiction

    On the heels of Supreme Court oral arguments in a case that brought the data issues of international law enforcement front and center, Congress passed the CLOUD Act, a major step by the U.S. in extending the reach of law enforcement where electronic content is concerned. The law is controversial, but its significance is not in dispute – “it purports to resolve the question of whether and how the federal government can compel service providers that are within the jurisdiction of the U.S. courts to produce data stored abroad,” Paul Hastings partner Behnam Dayanim told The Cybersecurity Law Report. In this article, we analyze the law and its implications. See “Managing Data Privacy Across Multiple Jurisdictions” (Nov. 8, 2017); and “Navigating Data Privacy Laws in Cross-Border Investigations” (Dec. 14, 2016).

  • From Vol. 4 No.7 (Apr. 11, 2018)

    Virtual Currencies Ruled Commodities Under the Commodities Exchange Act by District Court

    Virtual currencies are rapidly developing and regulators are trying to keep up to prevent fraud and abuse. Multiple regulatory entities have moved to oversee this uncharted territory. A federal district court recently concluded the CFTC has authority, concurrent with other entities, over fraudulent conduct involving virtual currencies, reasoning that virtual currencies are commodities as defined by the Commodities Exchange Act. This article details the facts and circumstances leading up to the enforcement action and the Court’s reasoning. See also “Virtual Currencies Present Significant Risk and Opportunity, Demanding Focus From Regulators, According to CFTC Chair” (Feb. 14, 2018).

  • From Vol. 4 No.1 (Jan. 17, 2018)

    A Wake-Up Call: Data Breach Standing Is Getting Easier

    A year’s worth of federal appellate decisions that considered the standing issue following Spokeo demonstrates that plaintiffs have become increasingly successful at persuading federal judges that they had pled a constitutional injury. This is a dramatic reversal in the trajectory of federal jurisprudence on “standing” in data breach cases and should be a wake-up call to companies that collect personal information from consumers, Boies Schiller Flexner attorneys Travis LeBlanc and Jon R. Knight argue. In this guest article, they analyze important standing decisions to date and provide advice to companies and their counsel on preparing for data breach litigation in 2018. See also “Third and Seventh Circuits Shed New Light on Spokeo Standing Analysis” (Feb. 8, 2017).

  • From Vol. 3 No.5 (Mar. 8, 2017)

    Protecting Attorney-Client Privilege and Attorney Work Product While Cooperating With the Government: Implications for Collateral Litigation (Part Three of Three)

    Collateral litigation can arise when a company is conducting an internal investigation and cooperating with the government. Litigants seeking internal investigation documents in discovery may argue, among other things, that the privilege and work product protection were waived, perhaps as a result of the company’s cooperation with the government. Parts one and two of this three-part guest article series by Eric J. Gorman and Brooke A. Winterhalter, Skadden partner and associate, respectively, addressed ways for investigating companies to establish and preserve the attorney-client privilege and attorney work product protection during internal investigations and government cooperation. This third and final installment in the series analyzes strategies and legal arguments that companies may wish to consider as they seek to shield investigation materials shared with the government from third-party discovery requests in collateral litigation. See also “Attorney-Consultant Privilege? Key Considerations for Invoking the Kovel Doctrine (Part One of Two)” (Nov. 16, 2016); Part Two (Nov. 30, 2016); “Target Privilege Decision Delivers Guidance for Post-Data Breach Internal Investigations” (Nov. 11, 2015); and “Preserving Privilege Before and After a Cybersecurity Incident (Part One of Two)” (Jun. 17, 2015); Part Two (Jul. 1, 2015).

  • From Vol. 3 No.5 (Mar. 8, 2017)

    Defense and Plaintiff Perspectives on How to Survive Data Privacy Collateral Litigation

    While the risks of data privacy and data breach litigation are substantial, the legal standards are in flux and may depend on the court and jurisdiction in which the case lies. Lawyers are struggling to keep up, with courts issuing potentially disruptive decisions on a near-monthly basis. During a recent PLI panel, plaintiffs’ lawyer Daniel Girard of Girard Gibbs discussed the evolving landscape and its strategic implications with Robert Herrington, a Greenberg Traurig shareholder. The types of successful data privacy cases are shifting and each stage of litigation presents companies with strategic choices. The contrasting perspectives provide guidance to both plaintiffs and defendants as they weigh such choices throughout collateral data breach litigation. See also “Minimizing Class Action Risk in Breach Response” (Jun. 8, 2016).

  • From Vol. 3 No.3 (Feb. 8, 2017)

    Third and Seventh Circuits Shed New Light on Spokeo Standing Analysis

    After the Supreme Court’s 2016 Spokeo decision opened the possibility for statutory violations to form the basis for standing in data privacy cases even without a concrete harm, lower courts have offered their own interpretations highlighting the tension in the Spokeo holding. The Seventh Circuit and Third Circuit appellate courts recently came to different conclusions looking at claims of violations of different statutes, shedding new light on the issue. This article explores and explains these decisions. See also “Spokeo’s Impact on Data Breach Cases: The Class Action Floodgates Have Not Been Opened, But the Door Has Not Been Locked” (May 25, 2016).

  • From Vol. 2 No.20 (Oct. 5, 2016)

    Eighth Circuit Sides With Defendants As the Spokeo Standing Battle Continues 

    In the aftermath of Spokeo, courts have had to wrestle with the notion of “concreteness” and the other facets of the standing doctrine in the statutory context. In Braitberg v. Charter Communications, Inc., the Eighth Circuit recently weighed in, finding standing cannot arise from a mere statutory violation alone without a consequent concrete harm. However, Spokeo still arguably leaves the door open for a plaintiff-friendly Article III analysis in the data privacy context or where the lawsuit stems from a hacking incident, Deborah Renner, a partner at BakerHostetler, says in a guest article. She examines the current state of Article III standing decisions in the context of the Eighth Circuit’s most recent pronouncement and discusses some of the most recent arguments likely to stand up on both sides of the bar. See “Making Sense of Conflicting Standing Decisions in Data Breach Cases” (Mar. 30, 2016).

  • From Vol. 2 No.18 (Sep. 7, 2016)

    What Cyber Insurance Cases Teach About Picking the Best Policy (Part One of Two)

    As cybersecurity-related insurance claims proliferate and litigation ensues, more jurisprudence in the area is being developed to guide companies as they purchase policies. Companies looking to purchase or amend their coverage can learn from examples of how other claims have fared under judicial scrutiny. This first part of our article series covering a recent Knowledge Group webinar includes the panelists’ discussion of the current cyber insurance market and the issue of publication under CGL policies. The speakers also analyze recent cases to extract the questions companies should be asking insurers about key policy definitions and exclusions. The second article will focus on lessons from the recent Cottage Health case and discuss coverage considerations for physical damage. See also “Building a Strong Cyber Insurance Policy to Weather the Potential Storm” Part One (Nov. 25, 2015); Part Two (Dec. 9, 2015).

  • From Vol. 2 No.18 (Sep. 7, 2016)

    Lessons From Consumer Challenges to Email Review Practices

    In three recent cases in front of the same judge, consumers asserting privacy concerns have taken different approaches to challenging how internet giants Google and Yahoo review emails. After class certification was denied in a case against Google, another group of plaintiffs brought a case seeking injunctive relief against Yahoo and a separate group sought permissive joinder on a large scale in a new action against Google. Most recently, in the third case, the same judge granted Google’s motion to sever an attempt to join more than 800 individual plaintiffs. Collectively, the results of these actions emphasize the importance of proper disclosures and illustrate the efficacy of the defense strategy of emphasizing individualized questions of consent. See “Federal Judge Offers Advice on Litigating Data Privacy, Security Breach and TCPA Class Action Suits” (Apr. 27, 2016).

  • From Vol. 2 No.16 (Aug. 3, 2016)

    Second Circuit Quashes Warrant for Microsoft to Produce Email Content Stored Overseas 

    A federal appeals court recently ruled that the U.S. government could not force a company to turn over third-party communications content stored outside the country. The Second Circuit Court of Appeals agreed with Microsoft that a request to produce customer content held in Ireland was beyond the scope of the Stored Communications Act. “It’s an extremely significant decision [that the Act] does not authorize a U.S. district court to issue a search warrant to seize data being held by ISPs or remote computing services (cloud services) outside the territorial U.S.,” Edward McAndrew, a partner at Ballard Spahr, told The Cybersecurity Law Report. “It is the first ruling of its kind on that issue from a U.S. Court of Appeals.” We analyze the case and its implications. See also “Prosecuting Borderless Cyber Crime Through Proactive Law Enforcement and Private Sector Cooperation” (Mar. 2, 2016).

  • From Vol. 2 No.13 (Jun. 22, 2016)

    Cyber Insurance Challenges Highlighted by Court’s Denial of P.F. Chang’s Claim

    How far will cyber insurance coverage stretch when there is a breach? Courts are starting to answer this question as cyber insurance policies get tested with breaches. While these policies are marketed as “a panacea for all cybersecurity-related woes,” when policyholders face significant losses, the insurers “hire high-powered lawyers” to avoid paying claims, Scott Godes, a partner at Barnes & Thornburg, told The Cybersecurity Law Report. We analyze the recent district court ruling that a cyber insurance policy fails to cover liabilities to credit card issuers arising from a popular restaurant’s data breach. See also “Building a Strong Cyber Insurance Policy to Weather the Potential Storm”: Part One (Nov. 25, 2015); Part Two (Dec. 9, 2015).

  • From Vol. 2 No.10 (May 11, 2016)

    When Do Consumers Have Standing to Sue Over Data Breaches?

    When a company is hacked, civil litigation often follows, and the types of claims brought against hacked companies – like in the recent P.F. Chang’s case – include a host of traditional common law and statutory claims. None of these claims can succeed, however, unless plaintiffs can establish standing. This threshold issue has plagued plaintiffs in data breach cases, but a federal appeals court recently ruled in their favor by reversing the dismissal of a class action. In a guest article, Thomas Rohback and Patricia Carreiro, a partner and associate, respectively, of Axinn, Veltrop & Harkrider, analyze the progeny of standing outcomes in data breach cases, including the Lewert v. P.F. Chang’s holding, and examine what this issue and others might look like in future data breach class actions. See also “Making Sense of Conflicting Standing Decisions in Data Breach Cases” (Mar. 30, 2016).

  • From Vol. 2 No.9 (Apr. 27, 2016)

    Don’t Overlook Commercial General Liability Insurance to Defend a Data Breach

    Even though cyber insurance is becoming more readily available in many cases, companies whose data is hacked should not overlook the possible supplemental coverage provided by their existing commercial general liability insurance, which may cover the cost of defending the litigation that inevitably arises as a result. Some recent decisions appear to hold that CGL insurance does not obligate the carrier to provide such defense costs. However, in a recent case involving Travelers Indemnity Company, the Fourth Circuit upheld a lower court decision requiring the CGL carrier to provide a defense following a data breach. In a guest article, Richard A. Blunk, managing director and general counsel of Thermopylae Ventures, LLC, analyzes Travelers and a related line of cases to examine the possibility of whether other existing insurance coverage may provide data breach litigation defense costs as part of a coordinated corporate risk program. See also “Building a Strong Cyber Insurance Policy to Weather the Potential Storm” Part One (Nov. 25, 2015); Part Two (Dec. 9, 2015).

  • From Vol. 2 No.7 (Mar. 30, 2016)

    Making Sense of Conflicting Standing Decisions in Data Breach Cases

    Does a data breach constitute a case or controversy for purposes of Article III standing? This is a threshold question that could dramatically change the course for data breach cases, yet the answer remains uncertain. If a court does not find standing, the proposed class cannot seek relief in court and plaintiffs’ relief would be limited to statutory damages and/or penalties imposed, for example, under various state data breach laws. In 2013, the United States Supreme Court’s decision in Clapper v. Amnesty International USA was widely seen to shut the courthouse door on data breach class actions. In 2015, however, some significant case law at the circuit court level called this belief into question. In a guest article, Christina H. Bost Seaton, a partner at FisherBroyles, surveys these developments and a case that could potentially change the landscape.

  • From Vol. 1 No.18 (Dec. 9, 2015)

    Building a Strong Cyber Insurance Policy to Weather the Potential Storm (Part Two of Two)

    The enormous liability and costs that cyber incidents generate make cyber insurance a new reality in corporate risk management plans across industries. This article, the second article in the series, explores policy exclusions and pitfalls to watch out for, including lessons from recent cyber insurance coverage litigation and steps companies can take to increase the likelihood of insurance coverage under their cyber policy. Part one in the series covered navigating the placement process – having the proper individuals involved, finding the right insurer and securing the best policy for your company. See also “Analyzing the Cyber Insurance Market, Choosing the Right Policy and Avoiding Policy Traps,” The Cybersecurity Law Report, Vol. 1, No. 2 (Apr. 22, 2015).

  • From Vol. 1 No.18 (Dec. 9, 2015)

    Proactive Steps to Protect Your Company in Anticipation of Future Data Security Litigation (Part Two of Two)

    There are several steps companies can take before and after a data breach to best position themselves for the litigation likely to follow.  In this second installment of our coverage of a recent Mintz Levin webinar, partners Kevin McGinty and Mark Robinson explore best practices for internal investigations and common defenses in data breach class actions.  The first article featured insight from partner Meredith Leary on how companies can put themselves in the best position now to defend their actions post-breach and Robinson’s list of threshold questions that companies can ask themselves at the outset of a data breach internal investigation.

  • From Vol. 1 No.17 (Nov. 25, 2015)

    FTC Loses Its First Data Security Case 

    In the FTC’s first loss in a data breach security case, and the first such case to reach a full adjudication, an administrative law judge dismissed the agency’s complaint against LabMD, Inc. regarding two alleged cybersecurity incidents at LabMD.  The ALJ held, in a lengthy Initial Decision, that the FTC did not meet its burden on the first prong of the three-part test in Section 5(n) of the FTC Act – that LabMD’s conduct caused, or is likely to cause, substantial consumer injury.  Phyllis Marcus, counsel at Hunton & Williams, said the ALJ was “holding the FTC Complaint Counsel, rightfully so, to the fire.  Bald allegations of substantial injury or likelihood of substantial injury” to support an unfairness claim will no longer be sufficient if the case stands.  See also “The FTC Asserts Its Jurisdiction and Provides Ten Steps to Enhance Cybersecurity,” The Cybersecurity Law Report, Vol. 1, No. 8 (Jul. 15, 2015).

  • From Vol. 1 No.16 (Nov. 11, 2015)

    How to Reduce Cybersecurity Risks of Bring Your Own Device Policies (Part Two of Two)

    The now-common practice of employees bringing their own devices into the office offers companies savings, but use of these devices comes with complex risks that must be addressed.  Part one of our two-part series discussed these risks and recommended BYOD policies and training to mitigate the risks.  This second article in the series explores how mobile device management programs and proper protocols for outgoing employees and lost devices can further reduce BYOD risks.  It also explains how BYOD policies can impact litigation, and even result in significant sanctions. 

  • From Vol. 1 No.16 (Nov. 11, 2015)

    Target Privilege Decision Delivers Guidance for Post-Data Breach Internal Investigations

    In a ruling that may clarify how companies should conduct breach responses to preserve privilege, on October 23, 2015, a federal district court in Minnesota found that certain documents created during Target’s internal investigation of its 2013 payment card breach were protected by the attorney-client privilege and work product doctrine. The Target case “is one of the first cases we are seeing in the data breach context where the privilege issue has been tested,” Michelle A. Kisloff, a partner at Hogan Lovells, said. The Court’s denial of class plaintiffs’ motion to compel production of these documents recognized “that data breach victims have a legitimate need to perform an investigation in the aftermath of a breach in which communications are protected by the attorney-client privilege,” Michael Gottlieb, a partner at Boies, Schiller & Flexner, told The Cybersecurity Law Report. See also “Preserving Privilege Before and After a Cybersecurity Incident (Part One of Two),” The Cybersecurity Law Report, Vol. 1, No. 6 (Jun. 17, 2015); Part Two, Vol. 1, No. 7 (Jul. 1, 2015).

  • From Vol. 1 No.16 (Nov. 11, 2015)

    Liability Lessons from Data Breach Enforcement Actions

    Inadequate cybersecurity measures can expose companies not only to data breach incidents, but to liability from multiple fronts, including state attorneys general, the FTC and civil litigants.  In a recent panel at the Practising Law Institute, Michael Vatis, a Steptoe & Johnson partner, and KamberLaw partner David Stampley discussed the dynamic enforcement and judicial climate in this space, distilling actionable takeaways from recent settlements with state attorneys general, FTC actions including Wyndham, and evolving consumer litigation jurisprudence.  The enforcement actions and litigations are instructive for companies seeking to fortify their internal information security and data privacy efforts and guard against the risk of liability in the event of a breach.  See also “After a Cyber Breach, What Laws Are in Play and Who Is Enforcing Them?,” The Cybersecurity Law Report, Vol. 1, No. 4 (May 20, 2015). 

  • From Vol. 1 No.15 (Oct. 28, 2015)

    Federal Courts Offer a Modern Interpretation of the VHS-Era Video Privacy Protection Act

    When does the 1988 Video Privacy Protection Act, which limits what companies can do with personal information about video consumption, apply to companies that post videos online?  The Eleventh Circuit and a New York district court recently dismissed complaints challenging the VPPA – passed in 1988 and designed to protect the privacy of individuals’ VHS rental preferences – narrowing the scope of the Act in the process.  Ellis v. The Cartoon Network, Inc. (11th Cir. Oct. 9, 2015) and Robinson v. Disney Online (S.D.N.Y. Oct. 20, 2015) both dealt with free smartphone apps, and questions regarding who is a “subscriber” and what “personally identifiable information” means under the statute.  Simon J. Frankel, a partner at Covington & Burling, told The Cybersecurity Law Report that “courts are really struggling with how the statute, not written for this context, applies in this context and [they are] trying to draw where the limits are.”  See also “The Tension Between Interest-Based Advertising and Data Privacy,” The Cybersecurity Law Report, Vol. 1, No. 12 (Sep. 16, 2015).

  • From Vol. 1 No.14 (Oct. 14, 2015)

    Dangerous Harbor: Analyzing the European Court of Justice Ruling

    An Austrian graduate student’s lawsuit against Facebook has resulted in the invalidation of a 15-year old data privacy treaty relied upon by thousands of multi-national companies.  On October 6, 2015, the Court of Justice of the European Union (ECJ), the highest court in the E.U., held that the Safe Harbor framework that allowed companies to transfer personal data from the E.U. to the U.S., including data for cross-border investigations and discovery, is invalid.  The ECJ found that the U.S. does not ensure adequate protection for personal data, primarily because of the access rights that the ECJ said U.S. agencies have.  Although the ruling is immediate, the “sky is not falling,” said Harriet Pearson, a partner at Hogan Lovells.  On October 16, 2015, a group of E.U. member state privacy regulators, the Article 29 Working Party, called for renewed negotiations on a treaty and recommended interim actions for companies.  There will need to be a “transition to a more complex and perhaps a more work-intensive compliance strategy than Safe Harbor had previously afforded companies,” Pearson said.  See also “ECJ Hearing on Safe Harbor Challenges How U.S. Companies Handle European Data,” The Cybersecurity Law Report, Vol. 1, No. 1 (Apr. 8, 2015).

  • From Vol. 1 No.13 (Sep. 30, 2015)

    Protecting the Crown Jewels Using People, Processes and Technology 

    Guarding against a cybersecurity breach is no longer just a technology issue – heightened encryption and firewall technology is not a panacea for all potential cyber threats.  Instead, adequate countermeasures against cybersecurity threats today require companies to also look to their people and their processes.  During a recent webinar, Pamela Passman and Allen N. Dixon, compliance and IP protection experts at CREATe.org, discussed the current cyber threat landscape, along with practical ways businesses deploy people, processes and technology to get ahead of cyber risks and successfully prevent or neutralize internal and external threats across their entire organization.  The panelists provided steps companies can take to identify and protect their most important corporate assets and address risks from insiders, competitors and third parties by effectively training, managing and monitoring their people, processes and technology.  See also “Strategies for Preventing and Handling Cybersecurity Threats from Employees,” The Cybersecurity Law Report, Vol. 1, No. 1 (Apr. 8, 2015). 

  • From Vol. 1 No.12 (Sep. 16, 2015)

    Privacy and Cybersecurity in Canada: Legal Risk Update

    Privacy and cybersecurity considerations are currently a key focus of private and public sector organizations, governments and individuals worldwide.  Canada is no exception.  In fact, although Canada has long been considered a global leader in striking a reasonable balance between the protection of privacy and needs of organizations, in recent years Canada has seen the emergence of unprecedented legal risks in respect of privacy and cybersecurity matters. As Alex Cameron, a partner at Fasken Martineau, explains in a guest article, organizations doing business in Canada (or that process information about Canadians) should take note of the dramatic increase in privacy litigation and class actions in Canada, and the recent introduction of mandatory breach notification, reporting and recordkeeping in Canada.  Cameron explains the developments and summarizes recent cases.  See also “Canada’s Digital Privacy Act: What Businesses Need to Know,” The Cybersecurity Law Report, Vol. 1, No. 9 (Jul. 29, 2015).

  • From Vol. 1 No.11 (Aug. 26, 2015)

    In the Wyndham Case, the Third Circuit Gives the FTC a Green Light to Regulate Cybersecurity Practices

    The Wyndham decision makes clear that there is a “‘top cop’ regulatory agency looking over privacy and security practices of private business: the Federal Trade Commission,” Cynthia Larose, a member of Mintz Levin, told The Cybersecurity Law Report.  On August 24, 2015, the Third Circuit denied Wyndham’s motion to dismiss an FTC complaint against it and held that the FTC can pursue Wyndham for allegedly weak data security practices that led to three breaches.  “The FTC is here to stay in the data privacy and security space,” Michael Gottlieb, a partner at Boies, Schiller & Flexner, said.  We examine the decision and its implications.  See also “The FTC Asserts Its Jurisdiction and Provides Ten Steps to Enhance Cybersecurity,” The Cybersecurity Law Report, Vol. 1, No. 8 (Jul. 15, 2015).

  • From Vol. 1 No.9 (Jul. 29, 2015)

    Seventh Circuit Reopens a Door for Plaintiffs in Data Breach Class Actions

    The Seventh Circuit recently revived a prominent data breach class action by reversing the lower court’s dismissal, and in doing so gave similarly situated plaintiffs ammunition to argue that they have standing.  In Remijas v. Neiman Marcus Group LLC, the Court found that class action plaintiffs satisfied the Article III standing requirements for injury, a hurdle that many similar plaintiffs have failed to clear.  The decision contains lessons for both plaintiffs and defendants in future data breach class actions.  See also “Lessons from the 2013 Target Data Breach: What Future Resolutions of Large-Scale Data Breaches May Look Like,” The Cybersecurity Law Report, Vol. 1, No. 3 (May 6, 2015).

  • From Vol. 1 No.7 (Jul. 1, 2015)

    Preserving Privilege Before and After a Cybersecurity Incident (Part Two of Two)

    With the looming threats of post-breach litigation and regulatory enforcement actions, preserving privilege in connection with a company’s cybersecurity efforts – both before and after an incident – is critical to encouraging openness in assessing and addressing a company’s vulnerabilities.  Unless companies take the proper steps, however, communications and other documentation that could have been protected by the attorney-client and work product privileges will be open to discovery.  The first part of The Cybersecurity Law Report’s series on preserving privilege addressed pre-incident response planning and testing activities.  This article, the second part of the series, addresses how to retain privilege during post-incident response efforts. 
