Shea G. Leitch

Associate

Washington, D.C.


Read full biography at www.orrick.com
Shea Leitch is an Attorney in Orrick's Washington, D.C., office and a member of the Cybersecurity & Data Privacy Group.

Shea's practice focuses on data privacy and cybersecurity. Shea also has experience in cutting-edge privacy litigation. Her clients are engaged in diverse industries including pharmaceuticals, technology, financial services, and industrial manufacturing and supply.

As a Certified Information Privacy Professional in both U.S. and European privacy law (CIPP/US and CIPP/E) and member of the International Association of Privacy Professionals (IAPP), Shea works with clients on compliance programs addressing multi-national rules, regulations, and best practices governing the collection, use, transfer and disclosure of personal information. She has also advised clients subject to regulatory investigations and litigation involving a spectrum of federal and state laws.  

Shea is an active member of the IAPP and the Sedona Conference Working Group 11 – Data Security and Privacy Liability. She is a contributing author to Orrick’s cybersecurity and data privacy blog: Trust Anchor. Shea also helped to draft commentary regarding the proposed amendments to the Federal Rules of Civil Procedure.


Posts by: Shea G. Leitch

2016 Data Breach Legislation Roundup: What to Know Going Forward


States were busy updating their data breach notification statutes in 2016. With 2016 in the rear view, let’s take a look back at the legislative changes that will impact corporate incident response processes and what those trends portend going forward.

Expanded Definition of “Personal Information”

Login Credentials. In 2016, Rhode Island, Nebraska and Illinois (effective January 2017), joined the ranks of states that include usernames (or email addresses) and passwords in the definition of “personal information” that triggers notification obligations. As of this writing, the following eight states may require notification when login credentials are compromised: California, Florida, Illinois, Nebraska, North Dakota, Nevada, Rhode Island and Wyoming.


Standing Affirmed, but Barnes & Noble Data Breach Class Action Halted

It was about time for data breach defendants to get a win. The District Court for the Northern District of Illinois delivered one to Barnes & Noble in its long-running class action that stems from a breach suffered in 2012. Plaintiffs’ case was dismissed in its entirety on a motion to dismiss under Rule 12(b)(6). This development—just days after the Sixth Circuit in Nationwide had aligned itself with the Seventh Circuit’s Neiman Marcus and P.F. Chang’s decisions that found standing to sue for breach plaintiffs—shows that the legal battle over “harm” may start with standing, but goes nowhere absent alleged damages that tightly match the substantive elements of each claim.


Cybersecurity Whistleblowing Is Murkier Than You May Think


In this Corporate Counsel article, Orrick attorneys Renee Phillips and Shea Leitch discuss the emerging issue of cybersecurity whistleblowing. The authors discuss scenarios in which cybersecurity whistleblowers may step forward and how a company can best address complaints internally and mitigate the potential for regulatory scrutiny.


Data Breach Standing Goes Nationwide; Sixth Circuit Says Plaintiffs Have Standing to Sue


The Sixth Circuit joined the growing trend of appellate courts holding that plaintiffs had demonstrated standing for data breach class actions in Galaria et al. v. Nationwide Mutual Insurance Company.  In a recent order, the Sixth Circuit highlighted yet another fact that supports standing, that clients should consider in their post-breach response efforts:  a recommendation that consumers set up fraud alerts and place security freezes on credit reports, without an accompanying offer to pay for the security freeze itself.


European Parliament Passes Long-Anticipated Network and Information Security Directive


On July 6, 2016, the European Parliament passed the Network and Information Security (“NIS”) Directive, over three years after the initial draft was proposed.  The Directive will enter into force in August 2016.  EU Member States will then have 21 months to transpose the Directive into their national laws and 6 additional months to identify the operators of certain essential services that are subject to the Directive’s requirements.


Avoiding The Risk Of Cybersecurity Whistleblowers


In this Law360 article, Orrick attorneys Renee Phillips, Aravind Swaminathan, and Shea Leitch explore the rise of the cybersecurity whistleblower. The article examines the DOJ’s investigation, prompted by a cybersecurity whistleblower, into whether Tiversa Holding Corp. provided false information to the Federal Trade Commission about data breaches at companies that declined to purchase its data protection services. The article also addresses the growing trend of whistleblower-initiated regulatory investigations and what companies can do to protect themselves against this growing risk.

Tennessee Amends Breach Notice Statute and Sets Notice Deadline


Tennessee recently amended its data breach notification law, and in doing so, it has joined the ranks of states like Florida, Ohio, and Wisconsin that require notification to residents of a data breach within a defined time period. When the law becomes effective on July 1, 2016, the statute will require notice to Tennessee residents within forty-five (45) days after discovery that personal information has been acquired by an “unauthorized person.” The original amendment required notice within fourteen (14) days, but the bill was subsequently amended to expand the deadline to 45 days.


FTC Puts Teeth into Native Ads Guidance: Lord & Taylor Settles Deceptive Ad Claim


Last week, fashion retailer Lord & Taylor reached a settlement with the FTC over its allegedly deceptive advertising campaign, the first such action since the FTC released its Enforcement Policy Statement on Deceptively Formatted Advertisements and its companion guidance, Native Advertising: A Guide for Businesses, in December 2015.  Native Advertising is clearly on the FTC’s 2016 enforcement agenda.


CFPB Jumps Into Cyber Enforcement Pool


In a much anticipated move, on March 2, 2016, the Consumer Financial Protection Bureau (CFPB) entered the cybersecurity fray with its first enforcement action against Dwolla, Inc., an online payment processing start-up. Pursuant to its authority under Sections 1031(a) and 1036(a)(1) of the Consumer Financial Protection Act of 2010, the CFPB fined Dwolla $100,000 and secured a five-year consent order imposing strict requirements on management and the Board of Directors. This CFPB enforcement action offers important insights into the contours of “reasonable cybersecurity” for certain financial services entities, and important lessons for conducting cybersecurity risk assessments. These issues dovetail with significant activity we recently reported on in the cybersecurity arena by the Securities and Exchange Commission (SEC), the Financial Industry Regulatory Authority (FINRA), the Federal Trade Commission (FTC), the Department of Health and Human Services’ Office of Civil Rights (HHS-OCR), and a host of other state and federal regulators.


Biometrics: A Fingerprint for Privacy Compliance, Part I


In just the last week, the New York State DMV announced an upgrade to facial recognition software to catch identity thieves trying to obtain fraudulent driver’s licenses, and the Scottish Professional Football League was denied a request for funding for facial recognition at stadiums to track unacceptable conduct. Use of technology and services that leverage biometrics – unique physical or behavioral characteristics about a person – is increasing, and privacy laws are hot on their trail, with U.S. states starting to consider and enact laws restricting how companies can collect and use biometric information, restricting how long the information can be retained, and specifying how it must be protected. This post tells you the high points you need to know about U.S. biometrics privacy laws, and what to do to avoid being the next lawsuit target. In a second, forthcoming post, we will focus on the current (and future) state of EU law, where there are already stringent restrictions on the collection, use and transfer of biometric information.
