In the wake of a data breach, counsel will often require the assistance of a forensic firm in order to provide legal advice to their client. The forensic analysis—which is often memorialized in a report to counsel—is crucial for counsel in understanding what occurred and formulating legal strategy relating to potential litigation and breach notification issues. For the same reasons, details of those forensic analyses and any related investigative reports are very likely to be the subject of a discovery request from plaintiffs if and when litigation ensues. Indeed, the requests for such reports are frequently a flashpoint in litigation that can determine the strength or weakness of the plaintiff’s case. Defendants typically object to producing these reports on the grounds that they fall under the attorney-client privilege and work-product protection.
Data Security Law BlogVisit the Full Blog
DataSecurityLaw.com is the firm’s resource for the latest news, analysis, and thought leadership in the critical area of privacy and cybersecurity law. Patterson Belknap’s Privacy and Data Security practice provides public and private enterprises, their leadership teams and boards with comprehensive services in this critical area. Our team of experienced litigators, corporate advisors and former federal and state prosecutors advises on a broad range of privacy and data protection matters including cyber preparedness and compliance, data breach response, special board and committee representation, internal investigations, and litigation.
In a win for data privacy defendants, Walmart secured a ruling that favors a narrow interpretation of the California Consumer Privacy Act (CCPA). In Gardiner v. Walmart Inc. et al, 4:20-cv-04618-JSW, a Walmart customer, Lavarious Gardiner, sued the retail company under the CCPA for failing to implement and maintain reasonable and appropriate security procedures and practices to protect information he gave to Walmart to create an account on the company’s website. As a result of an alleged, undisclosed data breach, Gardiner claimed that his personal information had been subject to unauthorized exfiltration on Walmart’s website, and sold on the dark web, exposing him to purportedly ongoing risk of financial fraud and identity theft. Gardiner’s complaint also included a summary of the results of a security scan of the Walmart website, which purported to show vulnerabilities in that website. Moreover, in a somewhat unusual twist, Gardiner claimed that he had in his possession “communications with the hackers which state that the accounts they are selling are real accounts that belong to Walmart customers.” Despite the allegations in the complaint, Walmart had never disclosed any breach and the complaint did not allege when any such breach occurred. Gardiner also brought claims for negligence, breach of contract, and violations of the UCL, all of which were dismissed for failure to plead cognizable injury
The question of standing has proven to be a tricky one in data breach litigation. (See our prior coverage here and here). Last week a federal district court in Maryland rejected a proposed class action brought by Marriott guests related to a data breach suffered by the hotel chain in early 2020, finding that the plaintiffs did not have Article III standing because they could not trace any alleged injury to particular actions or inactions by Marriott. This decision is an important reminder that the fact of a breach is not itself sufficient to confer standing, even where personal data is improperly accessed. In other words, even though a company that had your data suffered a data breach, you may not have been injured by its actions.
On December 13, the software and service provider SolarWinds announced that its Orion software platform had been the target of a sophisticated cyber attack that may have resulted in malicious code being pushed to as many as 18,000 customers. The SolarWinds software is used by many corporate and not-for-profit entities of all sizes to monitor the health of their IT networks. Although the details of this breach are still unfolding, based on the information currently available, Orion users who updated their software between March and June of this year are potentially affected.
Lawyers don’t get a free pass when it comes to data security. In fact, ethical rules impose a series of obligations on lawyers when they or their firms are subject to a data breach.
In a significant ethics opinion issued last month, Formal Opinion 483, Lawyers’ Obligations After an Electronic Data Breach or Cyberattack, the American Bar Association’s Standing Committee on Ethics and Professional Responsibility provides a detailed roadmap to a lawyer’s obligations to current and former clients when they learn that they – or their firm – have been the subject of a data breach.
Last week, Cathay Pacific Airlines Ltd., the Hong Kong-based international airline, disclosed that a hacker had broken into its computer system and accessed personal information for as many as 9.4 million travelers, representing the world’s largest reported airline data breach to date. Following the announcement, the airline’s shares sank the lowest that they’ve been in almost 9 years – tumbling nearly 7% and losing more than $200 million of in market value.
An expanded settlement by the Federal Trade Commission with ride-sharing giant Uber Technologies should serve as a lesson to other businesses about what happens when a company fails to disclose a data breach during an ongoing agency investigation.
On February 15th, organizations subject to the New York Department of Financial Services Cybersecurity Regulation are required to submit their first annual certification attesting to their compliance with the state’s new data security requirements.
A cloak of secrecy usually covers covert government activities when it comes to the latest cyber threats and intelligence. But in a rare public warning, the U.S. government has warned that hackers are targeting government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors.
Follow the Money and Beware the Extra “L”: First Department Sustains Claims against Fund Administrator After Hackers Grab Millions
A legal feud is underway between the world’s biggest hedge fund administrator and a former client over an email scam that resulted in hackers stealing millions in client funds. And not surprisingly, the time-honored tradition of finger pointing is on full display as each party accuses the other of employing sub-par internal controls and lackluster cybersecurity standards.
Several recent federal court decisions have added guidance on the still-unsettled question of when a plaintiff has Article III standing to sue based on a data breach or other data security or privacy event. These cases—Attias v. CareFirst, Inc. (D.D.C.), Wood v. J. Choo USA, Inc. (S.D. Fla.), and Guarisma v. Microsoft (S.D. Fla.)—offer somewhat mixed guidance for defendants in class action privacy-related lawsuits looking to use a standing challenge as a quick escape.
The Federal Trade Commission will host a one day-conference in Chicago at Northwestern’s Pritzker School of Law on June 15, 2016. This event will be the fourth of the FTC’s Start with Security Events nationwide, which build on its publication of the same title Start with Security: A Guide for Business, released last June.
Financial institutions sit atop a wealth of personal information – not to mention money. In an interconnected world in which sensitive customer information is stored on servers and in the cloud – and online and mobile banking have become the norm – the Federal Deposit Insurance Corporation (FDIC) is the latest federal regulator to warn financial institutions to make cybersecurity a top priority.
On September 2, 2015, a Home Depot shareholder sued Home Depot and twelve of its officers and directors, claiming that the Company and the directors and officers knowingly failed to ensure that Home Depot reasonably protected its customers’ personal and financial information.