Data Security Law Blog

DataSecurityLaw.com is the firm’s resource for the latest news, analysis, and thought leadership in the critical area of privacy and cybersecurity law. Patterson Belknap’s Privacy and Data Security practice provides public and private enterprises, their leadership teams and boards with comprehensive services in this critical area. Our team of experienced litigators, corporate advisors and former federal and state prosecutors advises on a broad range of privacy and data protection matters including cyber preparedness and compliance, data breach response, special board and committee representation, internal investigations, and litigation.

Inside the Stanford Breach: Exposed Records Lead to Financial Aid Scandal

A cybersecurity vulnerability at Stanford University exposed thousands of sensitive files containing details of sexual assault investigations and disciplinary actions. The story of what happened—and why it should be an object lesson for higher education. The second of a three-part series.

Privilege Waiver: Is Your File-Sharing Site a Public Park Bench?

While courts and the Federal Rules of Evidence take an increasingly pragmatic approach to the question of when inadvertent disclosure of privileged information results in waiver, a recent federal magistrate’s ruling serves as a potent warning that use of a file-sharing site – without sufficient safeguards – may constitute a waiver. Harleysville Insurance Co. v. Holding Funeral Home, Inc., No. 1:15-cv-00057 (W.D. Va. Feb. 9, 2017) is the first published decision to find that the use of a file-sharing site to exchange potentially privileged information constituted a waiver of the attorney-client privilege and work product protection—because the company failed to password protect its transmission.

Ajit Pai and the FCC’s Role in ISP Privacy Regulation under President Trump

On January 23, 2017, President Donald Trump named Ajit Pai as Chairman of the Federal Communications Commission (FCC).  In his previous role as the senior Republican on the FCC under President Barack Obama, Mr. Pai was an outspoken critic of the agency’s decision to assert jurisdiction over Internet Service Providers (“ISPs”) and its rules governing broadband privacy.  Pai’s appointment suggests that significant changes may be on the horizon.

“Life is Short. Have an Affair.” And Then Settle With the FTC.

Yesterday, the Federal Trade Commission (“FTC”) announced a settlement with the owners of “dating site” AshleyMadison.com, arising from a July 2015 data breach that received broad media coverage.  According to a proposed order filed in the District Court for the District of Columbia, the operators of the website are also simultaneously settling with thirteen states—including New York—and the District of Columbia.

Wake-Up Call: Law Firms in the Cybersecurity Crosshairs

Last week marked the first time a U.S. law firm was publicly named in a class action data security lawsuit.  Originally filed in April 2016, the class action complaint in Shore v. Johnson & Bell, Ltd., 16-cv-4363 (N.D. Ill.), was unsealed last week after months of back-and-forth over whether the alleged security flaws had been patched.  The complaint accuses Johnson & Bell, a mid-sized Chicago firm, of “systematically exposing confidential client information and storing client data without adequate security.”  The lawsuit makes no claim that any client information has been stolen or misused.  Even so, the filing of this complaint amplifies the risks already facing law firms – including reputational – at a time when data security is a top concern for law firms and their clients.

China’s Controversial New Cybersecurity Law

Earlier today, the Chinese government in Beijing approved a sweeping new cybersecurity law aimed at centralizing control over computer networks operating within China’s borders.  An unofficial English translation of the newly-enacted law is available here.

Post-Spokeo Standing: An Evolving Landscape

Several recent federal court decisions have added guidance on the still-unsettled question of when a plaintiff has Article III standing to sue based on a data breach or other data security or privacy event.  These cases—Attias v. CareFirst, Inc. (D.D.C.), Wood v. J. Choo USA, Inc. (S.D. Fla.), and Guarisma v. Microsoft (S.D. Fla.)—offer somewhat mixed guidance for defendants in class action privacy-related lawsuits looking to use a standing challenge as a quick escape.

Lessons from LinkedIn: Privacy and Data Security Representations in the M&A Context

Microsoft’s blockbuster acquisition of LinkedIn earlier this month—a deal where concerns for privacy and data security loomed large—provides a glimpse into the growing trend of including separate privacy and data security representations in merger and acquisition agreements.  Because the trend is so recent, there is no consensus or standard practice at this point for drafting these representations.  The LinkedIn privacy and data security representation is a good example of the evolving nature of these representations.

Come Back With a Warrant: Proposed Rule Change Expands the Government’s Ability to Access Electronically Stored Information in Criminal Investigations

On April 28, 2016, the United States Supreme Court proposed a modification to Federal Rule of Criminal Procedure 41 that significantly alters the manner in which the government can obtain search warrants to access computer systems and electronically stored information, a change that will no doubt have an effect on hackers and hacking victims alike. The modification will go into effect on December 1, 2016, barring Congressional intervention.

EU Regulators Decline to Support Privacy Shield Agreement

In the latest twist in the ongoing saga of the EU-U.S. Privacy Shield data transfer agreement, EU data protection authorities (commonly known as the Article 29 Working Party) stated on Wednesday that they would not affirm the adequacy of the Privacy Shield deal.

DHS Warns of New Ransomware Threats

The Department of Homeland Security (“DHS”) recently issued a joint alert with the Canadian Cyber Incident Response Centre warning of two new ransomware threats behind recent well-publicized attacks against healthcare companies.

Government Seeks Civil Forfeiture of Funds Stolen in Business E-Mail Fraud

On April 14, 2016, the U.S. Attorney for the Southern District of New York filed a civil forfeiture action seeking to recover nearly $100 million stolen from an unidentified U.S. company through a form of wire fraud or Automated Clearing House (“ACH”) fraud.

CFPB’s First Data Security Consent Order: No Breach Required

On March 2, the Consumer Financial Protection Bureau (“CFPB”) issued its first Consent Order against a company for flawed data security practices in violation of the Consumer Protection Act’s prohibition on unfair, deceptive, or abusive acts or practices concerning a consumer financial product or service.  The Order signals the CFPB’s decision to prioritize data security issues, its willingness to pursue companies even before a breach occurs, and its scrutiny of companies’ representations about their data security practices.  The Order also provides some guidance as to the types of data security policies and practices the CFPB considers important.

The CFTC Proposes Enhanced Cybersecurity Testing Rules

On February 22, 2016, the Commodity Futures Trading Commission (“CFTC”) closed the public comment period on its recently proposed enhanced cybersecurity rules for derivatives clearing house organizations, trading platforms, designated contract markets, and swap data repositories.

U.S. and European Officials Fail to Reach Agreement for New Data Transfer Deal

American and European officials failed to meet the January 31st deadline for a new agreement on the transfer of data between the United States and Europe, disappointing hopes that the two sides would broker a deal to replace the now-invalidated U.S.-EU Safe Harbor Framework.

EU Commission and United States Agree on New “Privacy Shield” for Trans-Atlantic Data Flow

U.S. and European Commission officials announced on Tuesday that they have reached an agreement in principle on a new EU-U.S. Privacy Shield to permit the flow of data between Europe and the United States.  The new deal follows on the heels of reports Monday evening that U.S. and European officials were continuing to negotiate a replacement for the now-defunct Safe Harbor Framework, after officials failed to reach an agreement by the January 31st deadline.
