Privacy and Data Security

In a recent ruling with important consequences for data breach litigation, a federal court in Pennsylvania ruled that Rutter’s—a Pennsylvania convenience store chain that suffered a data breach—must disclose the investigative report it commissioned from a third-party after the breach. This is a recurring issue in data breach litigation and one that has far-reaching implications for how companies respond to data breaches or other security incidents.  This is also the latest entry in an evolving, and not entirely consistent, line of cases that are broadly chipping away at the attorney-client privilege and the work-product doctrine protections companies argue should apply to their investigative reports.

The SEC is ramping up its cybersecurity disclosure enforcement.  While the agency had made significant efforts relating to cybersecurity disclosure previously, there has been surprisingly little SEC activity in this area since 2018—even though the last three years has seen an explosion of high-profile data security incidents.  That changed in June of this year, however, with the SEC taking three major actions that demonstrate a renewed interest in such enforcement.  First, the SEC announced its intention to issue a new rule regulating cybersecurity risk governance disclosure.  Second, it announced its first charges and settlement for cybersecurity disclosure violations since 2018.  And third, it revealed a significant cybersecurity disclosure investigation relating to the recent SolarWinds supply-chain attack.  In light of these developments, now would be a good time for issuers and registered entities to review the SEC’s expectations for cybersecurity disclosure, and implement any necessary changes to their respective policies and procedures, and disclosure practices.

On June 3, 2021, the United States Supreme Court issued a 6-3 opinion in Van Buren v. United States, No. 19-783, resolving the circuit split regarding what it means to “exceed[] authorization” for purposes of the Computer Fraud and Abuse Act (the “CFAA”).  The Court held that only those who obtain information from particular areas of the computer which they are not authorized to access can be said to “exceed authorization,” and the statute does not—as the government had argued—cover behavior, like Van Buren’s, where a person accesses information which he is authorized to access but does so for improper purposes. 

Is there standing to bring a lawsuit when an employee’s personal information is mistakenly circulated to all employees at the company?  A recent decision addressed exactly this question. In McMorris v. Carlos Lopez & Assocs., LLC, No. 19-4310, 2021 WL 1603808 (2d Cir. Apr. 26, 2021), the Second Circuit affirmed the district court in finding that the harm plaintiffs alleged (an increased risk of identity theft) was too speculative and remote to satisfy the injury-in-fact requirement of Article III standing.  However, the court did not completely shut the door on this theory of harm, holding that an “increased risk” of identity theft could, under certain circumstances, qualify as an injury-in-fact for purposes of Article III standing. In doing so, the Second Circuit aligned with a number of its sister circuits which had previously recognized the potential validity of this approach.

Companies that do business in New York or with New Yorkers could soon face an onslaught of biometric privacy-related litigation, courtesy of New York Assembly Bill 27, the Biometric Privacy Act (“BPA”). Currently pending before the legislature, the bill is modeled on Illinois’ Biometric Information Privacy Act (“BIPA”) and, like that law, would impose a set of rules businesses must follow when collecting biometric information. Critically, the BPA would create a private right of action for those “aggrieved” by violations of the law.

A cryptocurrency entrepreneur recently paid $69.3 million for Beeple’s Everydays: The First 5,000 Days at a Christie’s auction.  That record-breaking price purchased a work of art that can be seen only on a computer and the image of which, in large part, is available for use and enjoyment by anyone with an internet connection because the work is a non-fungible token, or NFT.  NFTs have quickly caught the attention of the art world and beyond, touching the mainstream with the NBA Top Shot craze and its $250 million plus marketplace for visual highlights of NBA games.  The company behind NBA Top Shot, Dapper Labs, recently raised $250 million at a $2 billion valuation.  And the larger market for NFTs has grown from $42 million in 2017 to $338 million by the end of 2020.  But for intangible assets whose value is largely driven by the creation of an original work only in cyberspace, owners and investors need to think carefully about what they own and how to protect their digital acquisitions.

In the wake of a data breach, counsel will often require the assistance of a forensic firm in order to provide legal advice to their client.  The forensic analysis—which is often memorialized in a report to counsel—is crucial for counsel in understanding what occurred and formulating legal strategy relating to potential litigation and breach notification issues.  For the same reasons, details of those forensic analyses and any related investigative reports are very likely to be the subject of a discovery request from plaintiffs if and when litigation ensues.  Indeed, the requests for such reports are frequently a flashpoint in litigation that can determine the strength or weakness of the plaintiff’s case.  Defendants typically object to producing these reports on the grounds that they fall under the attorney-client privilege and work-product protection.

New York’s Department of Financial Services (“DFS”) announced on Wednesday, March 3, 2021, that an independent mortgage lender, Residential Mortgage Services Inc. (“RMS”), has agreed to pay a $1.5 million fine to the agency in a settlement resulting from violations of its Cybersecurity Regulation. This is just the second enforcement action brought by DFS under the Cybersecurity Regulation, which was the first of its kind nationally.

On Tuesday, March 2, 2021, Virginia became the second U.S. state to enact a broad data privacy regime after Governor Ralph Northam signed the Virginia Consumer Data Protection Act (CDPA) into law. Virginia follows California, which became the first state to pass a comprehensive data privacy law, the California Consumer Privacy Act (CCPA), in June 2018. The CCPA became operative January 1, 2020 after several amendments necessary for its implementation, which we previously covered here and here.  (California is set to enact another privacy law entitled the California Privacy Rights Act (CPRA) - to update the CCPA in November 2020.)  There is also a raft of other state privacy laws in the pipeline, and Virginia’s new law aligns with a trend toward states ratcheting up broadly applicable privacy-related legal obligations.

On December 13, the software and service provider SolarWinds announced that its Orion software platform had been the target of a sophisticated cyber attack that may have resulted in malicious code being pushed to as many as 18,000 customers.  The SolarWinds software is used by many corporate and not-for-profit entities of all sizes to monitor the health of their IT networks.  Although the details of this breach are still unfolding, based on the information currently available, Orion users who updated their software between March and June of this year are potentially affected.

The United States Supreme Court heard oral argument on Monday in Van Buren v. United States, No. 19-783, a landmark case involving a key provision of the Computer Fraud and Abuse Act (“CFAA”).  At issue was whether a person who is authorized to access information on a computer for certain purposes violates CFAA if that person accesses the same information for unauthorized reasons.  The Court’s decision has the potential to resolve an important circuit split on the interpretation of CFAA and to define the contours of a hotly debated anti-hacking statute that applies to both criminal prosecutions and civil actions.

The Cybersecurity and Infrastructure Security Agency (CISA) teamed up with the Federal Bureau of Investigation (FBI) to issue a joint warning of cyber-attacks emanating from Iran and targeting U.S. federal agencies and businesses.  These hackers target vulnerabilities in virtual private networks (VPNs), which organizations use to allow remote network access.  Once the hackers gain access through a VPN, they export data, sell access to the network, and have the ability to install ransomware.  This is just the latest example of criminals exploiting vulnerabilities associated with the current remote working environment.

As we previously reported, Capital One Financial Corporation announced in July 2019 a major data security breach when an individual gained unauthorized access to personal information about Capital One credit card customers.  According to the Office of the Comptroller of the Currency (“OCC”), which regulates large U.S. banks, Capital One has now agreed to pay an $80 million fine to resolve claims related to the incident.

Well before the California Attorney General’s power to enforce the California Consumer Privacy Act (CCPA) commenced on July 1, 2020, as we have recently reported, private plaintiffs had already jumped into the fray, suing companies like Zoom and Houseparty for alleged violations of the CCPA. We noted that if one of these private lawsuits were to survive a motion to dismiss, it could lead to a substantial increase in class action litigation under the CCPA. Another putative class action under the CCPA that was filed on June 11, 2020 against Minted, Inc.—the popular online stationery, art, and home décor company—joins the growing list of private CCPA lawsuits and adds another wrinkle to this new area of law.

Last week, a magistrate judge in the Eastern District of Virginia held that a breach report prepared by Mandiant (a digital forensics investigator, among other things) in response to the Capital One data breach was not protected by the attorney work product doctrine. 

As we previously detailed, the coronavirus pandemic has expanded opportunities for nefarious actors to exploit the digital vulnerabilities of individuals, local governments, industries, organizations, and essential services as they rapidly adapt to the public health crisis. Recent reports have confirmed that attacks and cyber scams associated with the pandemic are in fact on the rise.

On March 21, 2020—just as the COVID-19 crisis began upending our way of life—New York State’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act went into effect fully.  The SHIELD Act, which amends New York’s 2005 breach notification law to “keep pace with current technology,” was signed into law on July 25, 2019 by Governor Andrew Cuomo.  The first phase of the Act went into effect in October 2019, and its second phase took effect last month.

In recent weeks, we have seen growing threats to cybersecurity and privacy from malicious actors seeking to exploit the COVID-19 pandemic. As companies transition their employees to remote working and focus their efforts on core business continuity, hackers are actively targeting companies’ cloud-based remote connectivity, lack of multi-factor authentication, and potentially insecure digital infrastructure to exploit vulnerabilities. The need for robust cybersecurity measures is more pressing than ever, and governmental organizations are issuing calls to action.

On March 17, 2020, a group of thirty-two trade associations and two corporations formally requested that the California Attorney General (AG) delay enforcement of the California Consumer Privacy Act (CCPA) until January 2, 2021, due to the ongoing COVID-19 pandemic. The trade associations represent leading companies in a wide range of industries, including healthcare and pharmaceuticals, transportation, logistics, advertising, insurance, entertainment, real estate, banking and finance, and technology.