Privacy and Data Security

The U.S. Office of Personnel Management (“OPM”) made headlines when several hacks of confidential data came to light in 2015, intrusions that compromised the personal data of over 20 million individuals. On July 21, 2019, in AFGE v. OPM (In re United States OPM Data Sec. Breach Litig.), Nos. 17-5217, 17-5232, 2019 U.S. App. LEXIS 18609 (D.C. Cir. June 21, 2019), a divided panel of the United States Court of Appeals for the D.C. Circuit breathed new life into litigation stemming from those breaches and injected yet another piece into the growing puzzle surrounding constitutional standing in breach litigation. The case had previously been dismissed after a district court held that the plaintiffs lacked standing based on their failure to allege concrete injuries. In a divided opinion, the D.C. Circuit panel reversed, holding that the plaintiffs’ allegations of potential future harm were sufficient for the case to move forward.

As we’ve written about in the past, the SAFETY Act has the potential to help companies mitigate their risk from cyber-terrorism.  As previously noted, the statute has never been fully tested in courts, so the full contours of its protection remain uncertain. Nonetheless, the benefits of SAFETY Act approval may extend well beyond those mandated by Congress: to the right company, SAFETY Act approval could be a significant market differentiator and, in the right circumstances, could be a powerful tool in litigation even when the Act does not itself apply.

It’s been a tough week for the healthcare industry.

Just days after Quest Diagnostics reported a breach at a third-party vendor affecting approximately 11.9 million of its patients, LabCorp disclosed that a breach at the same vendor exposed the personal and financial data of 7.7 million of its customers.

Today, New York’s top financial regulator, the Department of Financial Services, announced the formation of a dedicated “Cybersecurity Division.” In a news release issued earlier today, the agency said the new division “will focus on protecting consumers and industries from cyber threats ….”

Last week President Trump issued an executive order targeted at improving the quality of the federal government’s cybersecurity workforce. The executive order—which acknowledges the shortage of qualified employees for cybersecurity jobs—would implement a number of steps to strengthen and expand cyber knowledge within the federal government.

The FBI’s Internet Crime Complaint Center, better known as IC3, released its 2018 Internet Crimes Report.  For those unfamiliar with the IC3, it was established by the FBI in May 2000 as a central repository for public complaints of internet-based crimes. Since its inception, IC3 has received more than 4 million complaints. To facilitate law enforcement efforts and promote public awareness, IC3 analyzes the complaints it receives and disseminates information to the public and law enforcement. Among other things, it identifies trending scams, refers scams that do not meet federal law enforcement thresholds to state and local law enforcement, and provides victim services. New in 2018, IC3 created the Recovery Asset Team to help victims of internet-facilitated schemes recover funds and the Victim Specialist-Internet Crime position to provide crisis intervention, needs assessments, and referrals.

The Securities and Exchange Commission is warning investment firms to step up their game when it comes to following the agency’s privacy rules. In a Risk Alert issued by the Office of Compliance Inspections and Examinations (OCIE), a laundry list of compliance “deficiencies or weaknesses” were identified in recent examinations of SEC-registered investment advisers and broker dealers.

In our third and final installment on the California Consumer Privacy Act’s (CCPA) expansive definition of “personal information,” we look at other sections of the CCPA that either limit the applicability of the law’s “personal information” definition or exclude information from coverage under the law.

Our three-part series on the California Consumer Privacy Act’s (CCPA) expansive definition of “personal information” is designed to help businesses identify whether they hold information covered under the law, while also highlighting the potential pitfalls in the definition as we await interpretative regulations from the California Attorney General and potential amendments from the state’s legislature. In Part I, we explored the breadth of the definition. We now turn to the law’s two explicit exclusions from the definition of “personal information.” 

The California Consumer Privacy Act (CCPA) is set to become “operative” on January 1, 2020. As we have written in earlier blog posts, the CCPA is the most sweeping consumer privacy law in the country.

Companies from California to New York are already scrambling to comply with a growing patchwork of privacy laws covering both businesses and consumers.

When New York’s far-reaching cybersecurity law for financial institutions was enacted more than two years ago, some predicted it would serve as a national blueprint for future data security laws. Now, as the U.S. Federal Trade Commission considers changes to two privacy rules designed to safeguard customer information held by financial institutions, the proposed changes to one law – the Safeguards Rule – hue closely to a handful of requirements already in place in New York.

Before investing in a company, would you want to know whether the board of directors had cybersecurity expertise?

A bipartisan group of senators have proposed a bill, Senate Bill 592, that would require every public company to disclose the cybersecurity background of its directors, and, if none exists, explain why the company doesn’t believe it is necessary.

The use of biometric technology is fast becoming the next big thing in privacy litigation. There was last month’s decision by the Illinois Supreme Court that upheld a consumer’s right to sue companies for collecting biometric data – such as fingerprints and iris scans – without first disclosing how such information will be used. See our blog on that ruling here.

It’s been almost two years since New York’s top banking regulator implemented one of the nation’s most stringent cybersecurity regulations.  Since then, thousands of financial institutions have recruited chief information security officers, implemented cybersecurity programs, performed penetration testing, and imposed encryption requirements on their most sensitive information.

It’s a marathon month for the thousands of financial institutions and insurance companies covered by New York’s landmark cybersecurity regulation. In little more than a week, these businesses must file their second annual certification of compliance with the State’s Department of Financial Services. Two weeks later, they must also come into compliance with the regulation’s third-party vendor requirements, the final milestone in the two-year roll out of the cybersecurity regulation.

An obscure federal law called the SAFETY Act recently captured national headlines when MGM Resorts International invoked it in a series of pre-emptive, declaratory judgment law suits against the victims of the 2017 Harvest Festival Las Vegas shooting. MGM sued the victims in an effort to avoid liability in connection with the tragedy. MGM owns the Mandalay Bay hotel, where Stephen Paddock, from his 32nd floor suite, shot and killed 58 people and wounded hundreds more who were attending a music festival next door.

The New York Times featured an op-ed last week written by Craig A. Newman, Chair of Patterson Belknap’s Privacy and Data Security Practice, entitled “Lessons for Corporate Boardrooms From Yahoo’s Cybersecurity Settlement.” In the op-ed, Mr. Newman discusses how the January 2019 settlement “marked the first time that shareholders have been awarded monetary damages in a derivative lawsuit related to a data breach.” Mr. Newman notes, “the settlement signals that director and officer liability for cybersecurity oversight is entering new and potentially perilous territory.”

To read the full article, click here.

With full implementation of New York’s groundbreaking cybersecurity regulation only six weeks away, the state’s top banking regulator took the opportunity to praise the many financial institutions that have adopted systems to better protect consumers from cybercrime.

Yesterday, a Superior Court judge in Santa Clara, California approved what is believed to be the first monetary award to a company in a data breach-related derivative lawsuit. Until now, such breach-related derivative cases have settled through a combination of governance changes and modest awards of attorney’s fees.

Yesterday, by e-mail and on its website, the California Department of Justice (DOJ) announced that it would hold “six statewide forums to collect feedback” in advance of the rulemaking process for the California Consumer Privacy Act (CCPA).  The announcement did not include proposed rules or regulations, which must be adopted by July 1, 2020.

With the New Year fast approaching, so begins the one-year countdown to the California Consumer Privacy Act, or CCPA, going into effect.

With the year quickly coming to a close, it’s time for organizations covered by New York’s Cybersecurity Regulation for Financial Service Companies to take stock of their compliance efforts before popping any champagne corks to usher in the New Year.

It’s been a busy year for the Cyber Unit at the Securities and Exchange Commission. During 2018, the SEC brought 20 stand-alone cases related to cybersecurity, and has 225 cyber-related investigations that it deems “ongoing.” That’s according to the enforcement division’s 2018 Annual Report.