The Supreme Court has declined, for now, to decide when attorney-client privilege will apply to communications viewed by courts as made for both legal and other purposes.  In October 2022, the Court granted certiorari in In re Grand Jury, No. 21-1397, and heard argument on January 9, 2023.  In a surprise decision on January 23, 2023, however, it dismissed the appeal, holding that review of the lower court’s decision was “improvidently granted.”

On June 24, 2022, the New York Department of Financial Services (“DFS”) announced a cybersecurity settlement with Carnival Corporation d/b/a Carnival Cruise Line, Princess Cruise Lines, Holland America Line, Seabourn Cruise Line, and Costa Cruise Lines (collectively, the “Carnival Companies”), after finding several violations of the New York State’s first-in-the nation Cybersecurity Regulation (23 NYCRR Part 500, hereinafter the “Regulations”).  The settlement, memorialized in a consent order, provides that the Carnival Companies must pay a $5 million penalty. Notably, also in connection with the settlement, the Carnival Companies agreed to surrender their New York State insurance licenses.  The story serves as a cautionary tale—a cybersecurity event that catches DFS’s attention might lead DFS to discover several underlying and unreported violations of the Regulations during its investigation into that event.

As we have written previously, preserving privilege of forensic analyses can be critically important in the aftermath of a data breach.  Questions of privilege and work-product protection routinely arise in post-breach litigation, especially concerning forensic investigation reports. Plaintiffs target these materials in discovery because they often provide a roadmap to the attack and include details regarding the victim business’s defenses and internal steps taken in response to a breach. Over the years, courts have grappled with these issues and reached varying results. In their recent article in the Cybersecurity Law Report, Alejandro Cruz and Elana Stern consider the case law to offer five analytical themes, as well practical guidance that may help maximize the protection afforded to post-breach forensic analyses in follow-on litigation.

In a significant development in anti-hacking criminal enforcement, the Department of Justice last week released new guidance for charging violations of the Computer Fraud and Abuse Act (“CFAA”), the nation’s premier computer crime law. Coming on the heels of a series of closely-watched legal decisions, including the Supreme Court’s 2021 decision in Van Buren v. United States, No. 19-783, the guidance clarifies the Department’s priorities for CFAA-related criminal prosecutions and seeks to create nationwide uniformity in charging decisions. In the newly-released policy, the Department makes clear its position that CFAA prosecutions should focus on unauthorized cyber intrusions made in bad faith—rather than hyper-technical or hypothetical violations of the law.

Utah is poised to become the latest state to jump on the privacy bandwagon. Last week, the Utah Consumer Privacy Act (“UCPA”) passed both houses of the state legislature. Once Governor Spencer Cox signs the bill, Utah will become the fourth state—after California, Virginia, and Colorado—to enact comprehensive privacy legislation. In fact, the UCPA seems to borrow heavily from its predecessors, and in particular is very similar to Virginia’s Consumer Data Privacy Act (“VCDPA”). Businesses serving customers in Utah will need to plan to comply with the law by December 21, 2023.

Throughout the COVID-19 crisis, we have focused on the significant uptick in ransomware attacks.  Government agencies such as OFAC, CISA, and New York’s DFS have updated their guidance on how to prepare for and respond to such attacks and provided tools to help stop ransomware attacks.  Cybersecurity also continues to be a major focus of private enterprise.  Despite businesses and government agencies’ increased attention to ransomware, however, 2021 is shaping up to be the most profitable year for data-nappers yet.  In fact, according to a recent report by OFAC, ransomware payments in 2021 are on track to exceed the total amount paid over the previous ten years combined. 

As we have previously reported, there has been a major uptick over the past few years—and particularly during the COVID-19 pandemic—in ransomware attacks. These attacks consist of an intrusion by a cybercriminal into the victim’s computers or network, followed by deployment of malware that encrypts the victim’s files, preventing access until a payment is made.  More recently, these ransomware attacks also include exfiltration of data as a way to generate even more leverage over the victim.  The incentives for victims of ransomware attacks to pay the ransom are substantial:  the need to stop the attack, regain access to their data, restore business functions, and ensure that any stolen data is destroyed and not sold or exploited by bad actors make these attacks existential events.  On the other hand, making these ransomware payments brings its own risks.  This includes substantial regulatory risk as those payments may run afoul of the U.S. Treasury Department’s Office of Foreign Asset Control (“OFAC”) guidance—since the payments may be made to parties who are on OFAC’s black list.  Although there have not yet been any OFAC enforcement actions against those who have made ransomware payments, companies should be aware of the risk of going forward with a ransom payment.

A little over two weeks ago, T-Mobile became the latest victim of a cyberattack when more than 50 million of their customers’ data was stolen.  In the ensuing weeks, three class action suits have been filed against the telephone carrier alleging a range of violations.  Included in two of them are alleged violations of the California Consumer Privacy Act, one of them includes alleged violations of the Washington State Consumer Protection Act, and the third fails to allege any violations of state data security laws.  Three House Representatives pointed to the breach as a reminder as to why there needs to be a national privacy and data security law.  One such bill is the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act.

On June 25, the Supreme Court held in a 5-4 decision that Article III prohibits certification of a class and a damages award where the majority of class members lack actual injury.  In TransUnion v. Ramirez, the Ninth Circuit Court of Appeals had previously concluded that a class of over 8,000 individuals who could prove violations of the Fair Credit Reporting Act—and had actually proved them at trial—had standing to pursue damages at trial, even if they had not demonstrated that they had suffered concrete harm.  The Ninth Circuit reasoned that violations placed the class members at sufficient risk of harm to confer standing.  The Supreme Court reversed, and in so doing, reinforced its earlier holdings that Article III compels each plaintiff to show concrete harm.

The federal government has been grappling with a holistic response to the massive uptick in destructive ransomware attacks that have bombarded the country in recent years.  As part of that response, the Cybersecurity and Infrastructure Security Agency (CISA) recently launched a “Stop Ransomware” website, which is aimed at helping private and public entities test and improve their cybersecurity.  Among other key features of this effort is a self-assessment tool allowing organizations to test their cybersecurity based on government and industry recommendations and standards.  This is a potentially useful addition to any organization’s cyber preparedness toolkit.  They may also become another benchmark against which the “reasonableness” of any company’s data security protections are measured when facing private claims or regulatory scrutiny after a ransomware attack.

Earlier this year, New York City passed a law restricting the collection and/or use of biometric technology by certain businesses.  The new law goes into effect July 9, meaning applicable businesses have a couple more weeks to prepare themselves for its requirements.  Businesses need only look to similar laws in other states, particularly Illinois, for a glimpse at the litigation that may come should they fail to abide by the new law’s provisions.

On April 14, 2021, the New York Department of Financial Services (“DFS”) announced a cybersecurity settlement with insurance company National Securities Corporation, which suffered four separate breaches, two of which went unreported in violation of 23 NYCRR § 500.17(a). The settlement not only includes a monetary penalty but also mandates increased training and implementation of security tools, and underscores the urgency of addressing cybersecurity threats and DFS’s increasing enforcement activity for non-compliance with its cyber regulations.

With a dizzying array of state privacy laws on the horizon, the prospect of a federal solution has come into sharp focus.  Rather than a patchwork of regional legislation, a comprehensive national framework would potentially govern the precautions that companies must take when electronically collecting, using and storing customers’ personal information, regardless of where in the country the company—or the consumer—is located.  That is the current situation in the European Union under the General Data Protection Regulation (GDPR), and has been for many years.  It might one day be the case in the United States as well, if advocates of omnibus federal data privacy legislation have their way.  

In the wake of a data breach, counsel will often require the assistance of a forensic firm in order to provide legal advice to their client.  The forensic analysis—which is often memorialized in a report to counsel—is crucial for counsel in understanding what occurred and formulating legal strategy relating to potential litigation and breach notification issues.  For the same reasons, details of those forensic analyses and any related investigative reports are very likely to be the subject of a discovery request from plaintiffs if and when litigation ensues.  Indeed, the requests for such reports are frequently a flashpoint in litigation that can determine the strength or weakness of the plaintiff’s case.  Defendants typically object to producing these reports on the grounds that they fall under the attorney-client privilege and work-product protection.

In a win for data privacy defendants, Walmart secured a ruling that favors a narrow interpretation of the California Consumer Privacy Act (CCPA).  In Gardiner v. Walmart Inc. et al, 4:20-cv-04618-JSW, a Walmart customer, Lavarious Gardiner, sued the retail company under the CCPA for failing to implement and maintain reasonable and appropriate security procedures and practices to protect information he gave to Walmart to create an account on the company’s website. As a result of an alleged, undisclosed data breach, Gardiner claimed that his personal information had been subject to unauthorized exfiltration on Walmart’s website, and sold on the dark web, exposing him to purportedly ongoing risk of financial fraud and identity theft. Gardiner’s complaint also included a summary of the results of a security scan of the Walmart website, which purported to show vulnerabilities in that website.  Moreover, in a somewhat unusual twist, Gardiner claimed that he had in his possession “communications with the hackers which state that the accounts they are selling are real accounts that belong to Walmart customers.”  Despite the allegations in the complaint, Walmart had never disclosed any breach and the complaint did not allege when any such breach occurred. Gardiner also brought claims for negligence, breach of contract, and violations of the UCL, all of which were dismissed for failure to plead cognizable injury

The question of standing has proven to be a tricky one in data breach litigation.  (See our prior coverage here and here).  Last week a federal district court in Maryland rejected a proposed class action brought by Marriott guests related to a data breach suffered by the hotel chain in early 2020, finding that the plaintiffs did not have Article III standing because they could not trace any alleged injury to particular actions or inactions by Marriott.  This decision is an important reminder that the fact of a breach is not itself sufficient to confer standing, even where personal data is improperly accessed. In other words, even though a company that had your data suffered a data breach, you may not have been injured by its actions.

As the national landscape of data privacy laws evolves, New York may be poised to follow California in passing legislation that creates new data rights for New York consumers.  New York is no stranger to this field.  The New York Department of Financial Services’ cybersecurity regulation was the first of its kind in the nation, aimed specifically at the banking and insurance industries.  The Stop Hacks and Improve Electronic Data Security (“SHIELD”) Act continued the trend beyond the financial services industry, heightening breach disclosure requirements and imposing enhanced rules for businesses holding the personal data of New York residents.  And New York’s Governor, Andrew Cuomo, recently proposed a 2021 budget bill that contemplates a comprehensive data privacy law, the New York Data Accountability and Transparency Act (“NYDAT”), which would vastly expand the scope of New York’s privacy protections, creating an East Coast analogue to California’s CCPA.

On December 13, the software and service provider SolarWinds announced that its Orion software platform had been the target of a sophisticated cyber attack that may have resulted in malicious code being pushed to as many as 18,000 customers.  The SolarWinds software is used by many corporate and not-for-profit entities of all sizes to monitor the health of their IT networks.  Although the details of this breach are still unfolding, based on the information currently available, Orion users who updated their software between March and June of this year are potentially affected.

As we previously described and as reflected in the rapidly increasing number of cyber-attacks since its start, the COVID-19 pandemic has triggered a shift in working practices that hackers and other bad actors are using to their advantage.  Recent studies show a 273% percent rise in large-scale data breaches in the first quarter of 2020, compared to prior-year statistics, and a 109% year-over-year increase in ransomware attacks in the United States through the first half of 2020.  This post will focus specifically on ransomware attacks targeting researchers working on a COVID-19 vaccine and how these attacks have evolved since the start of the pandemic.