New cyber regulations, such as the California Consumer Privacy Act, have companies concerned about expanding potential liability. Companies fear that private rights of action are being created that will allow consumers to sue by alleging that the companies failed to protect their personal information. But attention should also be paid to plaintiffs’ recent successes in applying existing legal frameworks—such as basic tort law—to cyber cases. We have previously written about the use of state consumer protection acts to recover in data breach cases. Recently, plaintiffs have also made some significant inroads in bringing negligence actions against companies that have experienced cyber events.
On January 28, 2019, the U.S. District Court for the Northern District of Georgia issued a decision in the Equifax Consolidated Consumer Class Action, allowing the consumers’ negligence claims against Equifax to move forward. Judge Thrash found that the consumers had sufficiently alleged injuries resulting from the breach, pointing to the “unauthorized charges on their payment cards as a result of the Data Breach” as actual, concrete injuries that are legally cognizable under Georgia law. The Court rejected Equifax’s arguments that the consumers’ injuries should be attributed to the hackers and could have been caused by data breaches at other companies. The Court noted that allowing companies “to rely on other data breaches to defeat a causal connection would ‘create a perverse incentive for companies: so long as enough data breaches take place, individual companies will never be found liable.’” Critically, the Court found that, given the foreseeable risk of a data breach, Equifax owed consumers an independent legal duty of care to take reasonable measures to safeguard the personal information in its custody. Because that duty exists independently of any contract, the Court held that the economic loss doctrine did not bar the consumers’ recovery.
In the last few years, we have seen a dramatic increase in the purchase and sale of alternative data—a shorthand for big data sets, such as satellite images of parking lots, drug approvals, credit card purchases, cellphone data on retail foot traffic, and construction permits. According to alternativedata.org, the alternative data industry is projected to be worth $350 million in 2020. The recent announcement by Bloomberg LP that it is offering a product that will give clients access to large volumes of alternative data shows the widespread use of this information in making investment decisions, which is causing hedge fund managers and institutional investors to seek even more untapped alpha-generating data sets. Not surprisingly, all this activity is attracting increased regulatory scrutiny.
By Avi Gesser, David Popkin, and Michael Washington
Until recently, biometric privacy was a niche area of the law that had little application to most companies. But with the rapid growth in commercial biometric data collection, including voice samples, fingerprints, retina scans, and facial geometry, as well as some recent developments in the applicable case law, it is probably time for companies to start paying attention. Indeed, one of our top privacy law predictions for 2019 was a judicial expansion of the notion of harm, which happened more quickly than we anticipated in the context of gathering biometric data.
On January 25, 2019, the Illinois Supreme Court decided Rosenbach v. Six Flags Entertainment Corporation, 2019 IL 123186, unanimously finding that plaintiffs could bring a private cause of action for violations of the notice and consent requirements of the state’s biometric privacy law without any showing of harm. In Six Flags, a mother sued the owner of a theme park on behalf of her teenaged son after he was fingerprinted in connection with the purchase of a season pass to the park. Neither the son nor the mother consented in writing to the taking of the fingerprint or signed any written release. Further, the park did not provide any documentation about its retention schedule or its guidelines for retaining and then destroying the data. The court found that individuals possess a right to privacy in, and control over, their biometric identifiers.
While the General Data Protection Regulation (GDPR) significantly expanded the powers of European national data protection authorities in 2018, legislative and enforcement developments in the United States over the last year showcased the growing role and importance of state attorneys general and other state regulators in the realm of cybersecurity and data privacy.
In 2018, California passed a data privacy law akin to the GDPR and enacted legislation addressing internet-based bot activity and the security of devices connected to the Internet of Things. With the passage of legislation in Alabama in March 2018, all 50 states now have data breach notification laws, with requirements as to notification content, timing, and recipients varying across jurisdictions. And the prescriptive cybersecurity regulations promulgated by New York State’s Department of Financial Services continued to take effect in rolling fashion. Absent preemptive legislation at the federal level, where proposals are stalled in Congress, we can expect data protection and privacy laws and regulations to proliferate at the state level, as state legislatures and regulators vie for the mantle of lead cybersecurity enforcer.
Technology continues to have an enormous impact on financial services and the pace of change shows no signs of abating. Following the bold predictions we made last year, we highlight the five stand-out trends for fintech in 2019.
1. CRYPTO CRACKDOWN
There has been massive growth in the market for cryptoassets such as Bitcoin and tokens issued in initial coin offerings (ICOs), but market participants have faced uncertainty as to whether cryptoassets may be regulated financial products (and therefore subject to scrutiny by regulatory authorities). Enforcement investigations globally have largely focused on issues of fraud, but there is now a renewed focus on guarding the regulatory perimeter (i.e. ensuring that businesses carrying on regulated activities have the appropriate authorisation). Disputes and enforcement cases are arriving in courts across the globe.
Financial firms play an integral role in preventing, identifying, investigating and reporting criminal activity, including terrorist financing, money laundering, and many other finance-related crimes. It is a critical role that depends on financial firms having the information they need to identify and report potentially suspicious activity and provide other relevant information to law enforcement. However, there are significant barriers to information sharing throughout the US anti-money laundering (“AML”) regime. These barriers limit the effectiveness of AML information sharing within a financial institution, among financial institutions, and between financial institutions and law enforcement.
Much has changed in the 17 years following the passage of the USA PATRIOT Act (“Patriot Act”), which, among other things, sought to enable greater information sharing among law enforcement, regulators and financial institutions regarding AML risks. Of note, Section 314(a) of the Patriot Act and its implementing regulations (“Section 314(a)”) enables federal, state, local and European Union law enforcement agencies to reach out to US financial institutions through the US Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”) to locate accounts and transactions of persons that may be involved in terrorism or money laundering. Section 314(b) of the Patriot Act and its implementing regulations (“Section 314(b)”) provides a limited safe harbor for financial institutions to share information with one another in order to better identify and report potential money laundering or terrorist activities.
On December 28, 2018, a Task Group that includes U.S. Department of Health and Human Services (“HHS”) personnel and private-sector health care industry leaders published new guidance for health care organizations on cybersecurity best practices. The guidance—Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients—is voluntary and creates no legal obligations. It is targeted to health care providers, payors, pharmaceutical companies, and medical device manufacturers.
This publication is among the most comprehensive and detailed guidance now available to the health care industry on cybersecurity. While voluntary, the prescriptive advice and scalable tools in the new guidance may be a valuable resource for legal, compliance, IT, and information security professionals at health care organizations. Organizations that follow this guidance may decrease the likelihood that they will suffer a costly data breach, and in the event of a breach may be able to point to compliance with the guidance to show that they have implemented reasonable cybersecurity practices, thereby helping to defend against private lawsuits or government enforcement actions.
This alert briefly describes the background and key takeaways from the guidance. Gibson Dunn is available to answer any questions you may have about how this guidance applies to your organization, as well as any other topics related to cybersecurity or privacy in the health care industry.
2018 was another busy year for lawyers in the privacy/cybersecurity world – GDPR, CCPA, Marriott, New York Department of Financial Services’ cybersecurity rule deadlines, increased SEC enforcement, more data breach lawsuits, more companies doing tabletop exercises and risk assessments, etc. But 2019 is looking to be even busier. Below are our predictions for the top 10 things that will keep us busy in 2019, and what companies should be preparing for:
The past year was a particularly significant one for the development of Chinese privacy law. During 2018, the Chinese government systematically established the country’s regulatory requirements for cybersecurity and data privacy and continued to implement the Cybersecurity Law, which took effect on June 1, 2017.
Multiple regulators, including the Ministry of Public Security (“MPS”), the Cyberspace Administration of China (“CAC”) and the Ministry of Industry and Information Technology (“MIIT”), released regulations and brought enforcement actions against companies in the past year. We expect the overall trend of heightened regulation and increased enforcement to continue in 2019.
The European Data Protection Board (“EDPB”)—a working group of representatives of the EU data protection authorities—has issued Guidelines on the territorial scope of the EU General Data Protection Regulation (“GDPR”), which are open for comment until 18 January 2019. The Guidelines clarify one of the main areas of concern for non-EU companies: when will GDPR reach them?