The recent High Court case of London Borough of Lambeth v A.M. offers a salutary lesson in the importance of properly redacting documents. This issue comes up more than you’d think – and certainly more than it should.

You’ll recall that, in the spirit of transparency, the European Commission recently publicized a heavily redacted version of its AstraZeneca COVID-19 vaccine contract. The problem was that the Commission had been too transparent – literally. All of the redacted content in the contract could be viewed by simply using the bookmark tool in Adobe Acrobat’s Reader. Redactio ad absurdum.

Continue Reading When [Blank] Goes Wrong

On January 12, 2021, the U.S. District Court for the District of Columbia granted a motion to compel production of allegedly privileged cybersecurity documents in Guo Wengui v. Clark Hill, PLC, 1:19-cv-03195. In doing so, the Court determined that the Defendant’s cybersecurity assessment was covered by neither work product protection nor attorney-client privilege because the Defendant law firm would have investigated the breach in the same way as a business function.

Continue Reading DC District Court Requires Production of Cybersecurity Assessment Prepared at Direction of Outside Counsel

Since passage of the California Consumer Privacy Act (“CCPA”) and California Privacy Rights Act (“CPRA”), many states have proposed data protection bills that have floundered in the legislative process. Virginia, previously a dark horse in the race amongst US states to pass data protection legislation, is now poised to take the lead with the Virginia Consumer Data Protection Act (“CDPA”). Unlike bills that have repeatedly stalled in key states like Washington, the CDPA has progressed swiftly and easily in this now “trifecta Blue” Virginia, with the Virginia Senate passing a version of the bill on February 3, less than a week after the House passed a near-identical companion bill. If the governor signs the CDPA into law, the CDPA will take effect January 1, 2023, simultaneously with the CPRA.

Continue Reading Virginia Poised to Join California with Comprehensive Data Protection Framework

As we stand at the beginning of 2021 and a new presidential administration, we look back on the year behind us. Hindsight is always 2020, and 2020 may be best viewed in hindsight. We saw rapid changes in the privacy space, prompted in part by the global COVID-19 response. Infrastructure and services across multiple sectors continue to rely on data and digital platforms to function. Five prominent developments shaped the data privacy environment in 2020.

Continue Reading Privacy Year in Review: 2020’s Hottest Topics

Organizations that fail to implement appropriate technical and organizational security measures to protect personal data, and suffer personal data breaches as a result, may increasingly find themselves facing the double whammy of both enforcement action by the UK Information Commissioner’s Office (ICO) (which can include significant financial penalties) and potentially also group-style legal actions brought by data subjects.

British Airways, which suffered a cyber incident that is believed to have started in June 2018 and led to a personal data breach involving almost 500,000 of its customers, has found itself on the receiving end of such an action.

Continue Reading UK Group-Style Data Breach Actions Continue

On December 8, 2020, the Supreme Court heard oral argument to consider the TCPA’s definition of an “automatic telephone dialer system” (ATDS) in Facebook, Inc. v. Duguid, Noah et al., Dkt. 19-511. The Supreme Court is tasked with interpreting the scope of liability under the TCPA, and its resolution may bring much-needed clarity to companies struggling with the meaning of that definition, particularly in light of a current split among circuits on the question and the D.C. Circuit’s 2018 decision, ACA International v. Federal Trade Commission, striking down the FCC’s own interpretation. Because the TCPA imposes significant statutory penalties for calling or sending text messages using an ATDS to cellphones in violation of the act, clarification of the meaning of an ATDS may help companies mitigate their risks and curtail potential TCPA class action lawsuits.

Continue Reading Supreme Court Reviews Definition of Auto-Dialer Under TCPA To Clarify Circuit Split

Many of the key policy debates that we expected to happen in 2020 seemed to be essentially frozen for the year as we all responded to the horrors of COVID and the seismic political shifts across the globe. So what does this new year hold for us? We hope for a return to normalcy as vaccinations spread across the globe, a new Administration takes the reins in DC, and the UK continues to negotiate the terms of a new relationship with the EU. Here are some of the key areas in privacy and data protection where we anticipate potential developments in 2021.

Continue Reading 21 Privacy and Cybersecurity Issues for 2021

On Friday, December 4, 2020, H.R. 1668, the Internet of Things (IoT) Cybersecurity Improvement Act of 2020, was signed into law. The bipartisan bill was sponsored by Senators Mark Warner (D-VA) and Cory Gardner (R-CO) in the Senate and Representatives Robin Kelly (D-IL) and Will Hurd (R-TX) in the House. The new law will require IoT devices “owned or controlled” by the federal government to meet minimum security standards that address network vulnerabilities, and it may have significant implications for government contractors. It was introduced in response to a series of distributed denial of service (DDoS) attacks in 2016, in which the Mirai malware variant was used to compromise tens of thousands of IoT devices, causing a severe disruption in commercial web services.

Continue Reading Meet the US’s New Federal IoT Cybersecurity Law

On November 30, 2020, the Supreme Court held oral argument in Van Buren v. United States to determine the scope of criminal liability under the Federal Computer Fraud and Abuse Act (CFAA), 18 U.S.C. 1030. The court’s decision may resolve a circuit split and have far-reaching implications for the scope of civil and criminal liability under the CFAA. The key point of dispute under the CFAA is whether a person “exceeds authorized access” of a computer (1) only by accessing the computer as an unauthorized person, or (2) more broadly by using the computer for unpermitted uses, even when otherwise permitted to access the computer. The First, Fifth, Seventh, and Eleventh Circuits have broadly interpreted “exceeds authorized access” to cover access that takes place for an improper purpose, whereas the Second, Fourth, and Ninth Circuits have narrowly interpreted unauthorized access to require a lack of any authorization. For example, under the broad interpretation in dispute before the Supreme Court, an employee who is authorized to access a work computer to carry out certain tasks for employment may still be liable under the CFAA if the employee uses the office computer to download confidential information for non-employment purposes.

Continue Reading Supreme Court Hears Oral Argument to Address Circuit Split under the CFAA

On 17 December 2020, the UK Information Commissioner’s Office (ICO) published its new Data Sharing Code of Practice, as required under the Data Protection Act 2018 (DPA18).

The new Code provides practical guidance for controllers that share personal data with other controllers on how to ensure that data sharing complies with applicable data protection requirements. The new Code is a statutory code and updates the ICO’s previous data sharing code, which was published in 2011. The ICO has also instigated a new data sharing information hub which provides further support for organizations involved in data sharing.

Continue Reading UK Information Commissioner Publishes New Data Sharing Code of Practice