Category: Global/Transborder Privacy
Government Warns of New Cyber Threats Targeting U.S. Businesses
The Cybersecurity and Infrastructure Security Agency (CISA) teamed up with the Federal Bureau of Investigation (FBI) to issue a joint warning of cyber-attacks emanating from Iran and targeting U.S. federal agencies and businesses. These hackers target vulnerabilities in virtual private networks (VPNs), which organizations use to allow remote network access. Once the hackers gain access through a VPN, they export data, sell access to the network, and have the ability to install ransomware. This is just the latest example of criminals exploiting vulnerabilities associated with the current remote working environment.
COVID-19 Cyber Risks Continue to Grow
As we previously detailed, the coronavirus pandemic has expanded opportunities for nefarious actors to exploit the digital vulnerabilities of individuals, local governments, industries, organizations, and essential services as they rapidly adapt to the public health crisis. Recent reports have confirmed that attacks and cyber scams associated with the pandemic are in fact on the rise.
Ninth Circuit Gives Google Reprieve to Resolve Overseas Warrant Dispute
A federal appeals court is giving Google and the Justice Department more time to work out their differences in a standoff over whether the tech giant must hand over customer emails stored outside of the United States.
Microsoft Joins Government’s Request to Render Fight over Access to Data Stored Abroad Moot
Yesterday, we reported that the Department of Justice has asked the U.S. Supreme Court to remand its dispute with Microsoft Corp. concerning access to customer emails stored abroad to the U.S. Court of Appeals for the Second Circuit with instructions to dismiss it as moot. The government argued that the newly enacted “CLOUD” Act clarifies prior law and makes clear that information stored abroad can, under certain circumstances, be subject to a domestic warrant. The government added that it obtained a new warrant for Microsoft to turn over the requested information in the days following the CLOUD Act’s passage.
Government Urges High Court to Moot Microsoft Email Case
We’ve written several times about the landmark dispute between the U.S. government and Microsoft Corp. over access to a customer’s emails stored in Ireland. Now, a month after the U.S. Supreme Court heard oral argument on the government’s appeal, the Justice Department has asked the Court to remand the case to the U.S. Court of Appeals for the Second Circuit with instructions to dismiss it as moot.
Google Puts Its SCA Warrant Appeal on Hold as High Court Prepares to Hear Microsoft Case
The fight over the privacy of electronic communications and the government’s ability to reach emails stored abroad in criminal investigations has finally moved to the U.S. Supreme Court.
Court Rejects DOJ’s Depiction of Google as “Willful and Contemptuous” Tactics in Ongoing Battle over SCA Search Warrant
A federal judge in California has agreed to hold Google in contempt for not following his order to turn over data stored overseas. The order is largely symbolic, however, since a contempt order is required for Google to appeal the ruling.
Justices to Hear DOJ Appeal on Microsoft Ruling: Is Email Stored Abroad Subject to a U.S. Warrant?
The Supreme Court is poised to finally answer the question that’s been plaguing federal courts across the country: must U.S. tech companies comply with warrants issued under the Stored Communications Act (“SCA”) that demand information from customer accounts that is stored on servers in a foreign country?
Justice Department Accuses Google of “Alarming” Tactics in Fight over SCA Search Warrant
The ongoing dispute between the government and Google concerning the company’s refusal to hand over customer data stored on foreign servers has taken an odd twist. Now, the Justice Department is demanding that Google be sanctioned for not abiding by the court’s most recent decision—ordering it to produce data associated with 22 email accounts—and calling Google’s conduct “a willful and contemptuous disregard of various court orders.” The case is In the Matter of the Search of Content that Is Stored at Premises Controlled by Google, No. 16-mc-80263 (N.D. Cal.).
Judge Sides with Government over Google in the Latest Battle Rematch over the Territorial Reach of the SCA
Another federal judge has rejected the U.S. Court of Appeals for the Second Circuit’s interpretation of the Stored Communications Act (SCA), and has ordered Google to hand over customer email traffic—wherever located—to U.S. law enforcement. More than a year ago, the Second Circuit held that Microsoft Corp. was not required to produce customer emails stored on foreign servers in response to an SCA warrant. Since then, the Second Circuit’s ruling has been rejected by three different federal courts around the country.
Another Rematch Between Tech Companies and the Government over the Territorial Reach of the Stored Communications Act
Lawyers for the tech community are gearing up for argument next month in the U.S. District Court in San Francisco, seeking to overturn another magistrate’s order that requires digital information stored outside of the U.S. to be turned over in response to a U.S. search warrant.
Digital Divide Deepens: Tech Community Backs Second Circuit in Clash with Magistrates over Reach of U.S. Warrants
The technology community took aim at a recent federal magistrate’s ruling that ordered Google Inc. to comply with search warrants seeking customer emails stored on servers abroad, calling the decision “an impermissible extraterritorial application of U.S. law.” In rejecting a recent federal appeals court decision in a similar case in favor of Microsoft Corp., U.S. Magistrate Thomas J. Reuter in Philadelphia ruled that transferring emails from a foreign server to the U.S. was not tantamount to a seizure beyond American borders. The technology companies urged the court to reject the “fiction that such a foreign search and seizure is a domestic act….”
Ajit Pai and the FCC’s Role in ISP Privacy Regulation under President Trump
On January 23, 2017, President Donald Trump named Ajit Pai as Chairman of the Federal Communications Commission (FCC). In his previous role as the senior Republican on the FCC under President Barack Obama, Mr. Pai was an outspoken critic of the agency’s decision to assert jurisdiction over Internet Service Providers (“ISPs”) and its rules governing broadband privacy. Pai’s appointment suggests that significant changes may be on the horizon.
Second Circuit Court of Appeals Denies Rehearing in Microsoft Case
Back in December 2013, a U.S. magistrate issued a seemingly routine warrant in a narcotics case demanding that Microsoft turn over messages from a customer’s email account that resided on a server in Ireland. That warrant, which issued under a 1986 law called the Stored Communications Act (“SCA”), 18 U.S.C. § 2703, is still being debated today.
SEC Reportedly Wants To Know What Took Yahoo! So Long To Disclose Massive Data Breaches
The U.S. Securities and Exchange Commission is reportedly looking into whether two data breaches at Yahoo!, Inc. should have been disclosed earlier. In a front page article today, the Wall Street Journal reported that “people familiar with the matter” say the SEC is investigating whether Yahoo!’s disclosures complied with the securities laws.
What A Breach: More Than 1 Billion Yahoo! User Accounts Compromised
On Wednesday, Yahoo! disclosed that more than 1 billion of its users’ personal information was exposed in a newly discovered cyber-attack, making it the largest data breach reported to date. The breach apparently took place in August of 2013.
Wake-Up Call: Law Firms in the Cybersecurity Crosshairs
Last week marked the first time a U.S. law firm was publicly named in a class action data security lawsuit. Originally filed in April 2016, the class action complaint in Shore v. Johnson & Bell, Ltd., 16-cv-4363 (N.D. Ill.), was unsealed last week after months of back-and-forth over whether the alleged security flaws had been patched. The complaint accuses Johnson & Bell, a mid-sized Chicago firm, of “systematically exposing confidential client information and storing client data without adequate security.” The lawsuit makes no claim that any client information has been stolen or misused. Even so, the filing of this complaint amplifies the risks already facing law firms – including reputational – at a time when data security is a top concern for law firms and their clients.
China’s Controversial New Cybersecurity Law
Earlier today, the Chinese government in Beijing approved a sweeping new cybersecurity law aimed at centralizing control over computer networks operating within China’s borders. An unofficial English translation of the newly-enacted law is available here.
Feds Propose Enhanced Cyber Standards for Nation’s Largest Banks and Their Boards
Bank regulators are continuing to demand more accountability from corporate leaders when it comes to compliance with cybersecurity safeguards.
U.S. Senators Want Answers: Yahoo’s Unacceptable Delay In Data Breach Announcement
The aftermath of Yahoo’s data breach has raised a number of questions from customers, law enforcement, and most recently six U.S. Senators.
Aftermath of the Yahoo Breach: M&A Risk and Cybersecurity
In the midst of its acquisition by Verizon Communications Inc., Yahoo Inc. disclosed what looks like one of the largest reported thefts of user information in U.S. history.
International Cyber Recommendations for the Financial Market: Collaboration is the Name of the Game
On June 29, 2016, the Bank for International Settlements’ (BIS) Committee on Payments and Market Infrastructures (CPMI) and the Board of the International Organization of Securities Commissions (IOSCO) issued “Guidance on cyber resilience for financial market infrastructures” (Cyber Guidance), the first set of concrete recommendations following the 2012 CPMI-IOSCO Principles for Financial Market Infrastructure (PFMI).
Cyber Attacks on Vulnerable Financial Institutions Linked to North Korea
Has North Korea struck again? Do its recent attacks signal a shift from those motivated by political retribution to those motivated by financial gain? What does this mean for financial institutions?
US Regulators Investigate Chinese Steelmakers for Hacking Trade Secrets
The U.S. International Trade Commission (“ITC”) last week launched an investigation into United States Steel Corporation’s (“U.S. Steel”) complaint that Chinese hackers stole trade secret information—including proprietary methods for making lightweight steel—on behalf of Chinese steel producers.
European Parliament: Proposed Privacy Shield Must Be Strengthened
We have previously written about the ongoing debate regarding the proposed EU-U.S. Privacy Shield. The European Parliament has now added its voice to those who say that the current proposal is inadequate.
What’s Next for the EU-U.S. Privacy Shield?
With European regulators continuing to debate the current proposal for the EU-U.S. Privacy Shield, the fate of the new trans-Atlantic data framework is becoming murkier by the day. Rapprochement may still be a possibility, but over the past week, we have seen parties on both sides preparing for an extended fight. The Privacy Shield is one of the most significant issues in global cybersecurity today.
Federal Appeals Court Set to Issue One of the Most Important Privacy Rulings in a Generation
For months, the technology and business communities have been waiting anxiously for a Federal appeals court ruling on whether American companies can be forced to turn over customer information to U.S. law enforcement when that information is stored on servers abroad. It’s the result of a legal appeal filed last year by Microsoft Corporation that was argued before the U.S. Court of Appeals for the Second Circuit more than seven months ago.
EU Regulators Decline to Support Privacy Shield Agreement
In the latest twist in the ongoing saga of the EU-U.S. Privacy Shield data transfer agreement, EU data protection authorities (commonly known as the Article 29 Working Party) stated on Wednesday that it would not affirm the adequacy of the Privacy Shield deal.
Government Seeks Civil Forfeiture of Funds Stolen in Business E-Mail Fraud
On April 14, 2016, the U.S. Attorney for the Southern District of New York filed a civil forfeiture action seeking to recover nearly $100 million stolen from an unidentified U.S. company through a form of wire fraud or Automated Clearing House (“ACH”) fraud.
Lessons from the Bangladesh Central Bank Heist
By now, you’ve probably heard about the massive cyber attack that hit Bangladesh’s central bank last month, resulting in the loss of $81 million through fraudulent transfers to accounts in the Philippines. Although the size and scale of this cyber heist was unprecedented, cybercrime targeting ACH (Automated Clearing House) financial transactions is nothing new. Financially motivated hackers regularly target ACH systems.
U.S. v. Microsoft - What you need to know about one of the most important privacy cases of the decade
The U.S. Court of Appeals for the Second Circuit has in its hands one of the most closely-watched privacy cases in recent memory. U.S. v. Microsoft addresses an issue of critical importance to U.S. businesses — whether companies must comply with orders from the U.S. government to turn over electronic data, even when that data is stored on a server outside of the U.S. A ruling is expected any day.
EU Commission and United States Agree on New “Privacy Shield” for Trans-Atlantic Data Flow
U.S. and European Commission officials announced on Tuesday that they have reached an agreement in principle on a new EU-U.S. Privacy Shield to permit the flow of data between Europe and the United States. The new deal follows on the heels of reports Monday evening that U.S. and European officials were continuing to negotiate a replacement for the now-defunct Safe Harbor Framework, after officials failed to reach an agreement by the January 31st deadline.
U.S. and European Officials Fail to Reach Agreement for New Data Transfer Deal
American and European officials failed to meet the January 31st deadline for a new agreement on the transfer of data between the United States and Europe, disappointing hopes that the two sides would broker a deal to replace the now-invalidated U.S.-EU Safe Harbor Framework.
Safe Harbor Framework For Data Transfers Between U.S. and EU Invalidated
Earlier today, the Court of Justice of the European Union (CJEU) issued a decision in Maximillian Schrems v Data Protection Commissioner, declaring invalid the EU-U.S. Safe Harbor framework that provided a mechanism for businesses to transfer personal data of European citizens to the United States.
Experian Data Breach: Regulatory War or Peace?
Following yesterday’s news that Experian Plc, the world’s largest consumer credit monitoring firm, suffered a massive data breach, exposing the personal information of some 15 million people, the post-breach fall out has already started. The Connecticut Attorney General’s office has announced that is launching an investigation into the breach.
Department of Homeland Security: “The C-Suite and Cybersecurity”
Federal and state cybersecurity agencies teamed up last week for a two-day summit focused on the evolving nature of cybersecurity threats to New Jersey businesses. The event was sponsored by the U.S. Department of Homeland Security’s (“DHS”) Critical Infrastructure Cybersecurity Voluntary Program and The New Jersey Office of Homeland Security and Preparedness.
Second Circuit Hears Argument in Microsoft Appeal: How Far Does a U.S. Warrant Reach?
In a 90-minute hearing earlier today, Microsoft Corp. asked the Second Circuit Court of Appeals to reverse a district court decision forcing the technology giant to turn over customer email traffic residing on a server in Ireland. American companies with data centers located outside the U.S., as well as privacy advocates and media organizations are closely watching this case. During the argument, the Court acknowledged that the “implications of its ruling would be broad.”
Upcoming Oral Argument in US v. Microsoft: Does a U.S. Warrant Apply to Email Stored on a Foreign Server?
On September 9th, the Second Circuit Court of Appeals will hear a case with global business, technology, and legal implications. The case, United States v. Microsoft, presents a deceptively simple question: What’s a multinational company to do when it receives a U.S. court order to turn over customer emails that are stored on a server in a foreign country and that may be subject to different data privacy laws?
Welcome to Our Blog
We are pleased to announce the launch of Data Security Law Blog, Patterson Belknap’s newest resource for the latest news, analysis and thought leadership in the critical area of privacy and cybersecurity law.