Cybersecurity

Parkview Health Decision Highlights Vicarious Data Breach Liability Risk in the United States

A recent decision in Indiana highlights the data security liability risks facing employers based on the actions of their employees, extending vicarious liability even to cases where the employees were acting wholly for personal purposes. In SoderVick v. Parkview Health Sys., Inc., the Court of Appeals of Indiana reversed summary judgment in favor of the defendant, reviving claims of respondeat superior against Parkview Health Systems, Inc. (“Parkview”) where the hospital’s employee texted personal health information to a third party. No. 19A-CT-2671, 2020 WL 2503923 (Ind. Ct. App. May 15, 2020). We recently noted a decision of the Supreme Court of the United Kingdom in WM Morrison Supermarkets plc v. Various Claimants (“Morrison”) where the Court made the contrary determination, ruling that the large supermarket chain Morrison could not be held vicariously liable as a matter of law for the intentional acts of a rogue employee who posted the payroll data of Morrison employees on the Internet. But as we also explained, businesses that collect personal information should be cautious about reading too much into that ruling: while the Court allowed the appeal in favor of Morrison, the decision turned on the particular facts of the case (where the rogue employee actively tried to damage his employer). The Parkview Health decision further underscores this need for caution, especially with increased remote work due to COVID-19 where the risk of employers being sued over security breaches caused by their employees is, unfortunately, ever-increasing.

Seventh Circuit Bolsters Article III Standing for Actions Under the Illinois Biometric Information Privacy Act

On May 5, 2020, the Seventh Circuit held in Bryant v. Compass Group USA, Inc. that a plaintiff who asserted a violation of the Illinois Biometric Information Privacy Act’s (“BIPA’s”) notice and consent requirements had Article III standing to pursue her claim in federal court. With respect to BIPA’s retention schedule posting requirement, however, the Seventh Circuit found that allegations of a statutory violation did not, on their own, suffice to confer Article III standing. This decision will make it easier for defendants to keep BIPA claims in federal court, and its standing analysis has significant implications for BIPA cases, as well as other privacy and data security cases more broadly.


Prison Time for Personal Use of Company Computers? Supreme Court Grants Cert to Decide Whether Noncompliance With a Company’s Terms of Use Constitutes a Violation of the Computer Fraud and Abuse Act

On Monday, April 20th, the Supreme Court accepted cert in Van Buren v. United States to (hopefully) resolve a longstanding circuit split regarding the Computer Fraud and Abuse Act (or CFAA): Does an individual exceed authorized access when he or she accesses a computer contrary to a policy or agreement limiting access (i.e., accessing a computer for a purpose beyond those permitted by the company)?

How to Move to Remote Work and Comply with U.S. Privacy and Cybersecurity Laws

Cybercriminals are known to attack networks and individuals at inopportune times of crisis—and the coronavirus pandemic unfortunately presents just such an opportunity as millions are accessing corporate networks and databases from home. This past weekend New Jersey and Connecticut joined the growing list of jurisdictions (e.g., California, Delaware, Illinois, Louisiana, Ohio, and New York) to issue orders effectively requiring non-essential workers to avoid the workplace, and in some cases, to shelter-in-place.

COVID-19 Impacts Cyber Vulnerability

On March 10, Orrick lawyers Shannon Yavorsky, Rebecca Harlow, Brett Cooper and Julie Totten recorded a discussion about COVID-19 operational issues associated with managing employees and businesses, including covering the topic of cyber vulnerability. The conversation shares insights into how COVID-19 is creating increased cybersecurity and privacy risks as companies prepare for the spread of the virus and are forced to adapt to a new way of doing business. This video is a segment from a one-hour CLE program entitled “The Early Legal Impact of COVID-19.” To view our video and the full-length CLE click here.

Contractors Scrambling to Scope New DoD Cyber Framework

On January 30, 2020, the U.S. Department of Defense (“DoD”) released Version 1.0 of its Cybersecurity Maturity Model Certification (“CMMC”) framework (CMMC overview here; CMMC Version 1.0 and appendices here).  By 2026, DoD plans to require CMMC certification for all defense contracts.  For companies looking to play a role – any role – in the defense industry supply chain, now is the time to develop, assess, and augment cybersecurity practices.


Practical Tips for In-House Counsel From Recent Cybersecurity Decisions

The possibility of a cybersecurity incident—and ensuing litigation—is a fact of life for almost every business. Even companies that do not process or handle consumer information collect personal information about their employees that can be targeted by hackers or phishing scams or even inadvertently disclosed, exposing the company to potential liability.

While eliminating cybersecurity litigation risk entirely likely is not feasible, recent cases do highlight some steps that companies seeking to reduce potential exposure to cybersecurity litigation can take:

(1)  Recognize that pre-incident statements about the company’s cybersecurity measures can be used to sustain deception-related claims.

(2)  Assess the “reasonableness” of your cybersecurity, despite the difficulty of doing so.

(3)  Pay attention to how you structure cybersecurity initiatives to protect related documents and communications based on the attorney-client privilege and work product protection.

(4)  Recognize that your statements about a cybersecurity incident may be relied on by courts to sustain plaintiffs’ claims.

(5)  Consider arbitration clauses, but do so cautiously.

(6)  Consider opportunities to contractually allocate or disclaim liability.

California Attorney General Releases Updated Drafts of Proposed CCPA Regulations

On February 7 and again on February 10, 2020, the California Attorney General Xavier Becerra released an updated draft of proposed regulations pursuant to the California Consumer Privacy Act of 2018 (“CCPA”).  The updated drafts feature significant changes, clarifications and reversals of policy from the original proposal.

The updated draft regulations—available here (clean) and here (redline to the original October 2019 Draft)—reflect input gathered during the public comment period and series of public hearings which concluded on December 6, 2019. The first draft of the proposed regulations, the public comments and the transcripts and audio of the public hearings are available on the Attorney General’s CCPA webpage.  The Attorney General also updated the online cache of documents and other information relied upon in preparing the revised draft regulations here.


FTC Rings in New Year with ‘Major Changes’ to Cybersecurity Orders and Throwback Reference to WISPs

Earlier this month, Andrew Smith, the FTC’s Director of the Bureau of Consumer Protection, announced that the Commission had made “three major changes” to its data security orders.[1] Citing recent hearings at the FTC, as well as the Commission’s defeat in the closely watched LabMD case,[2] Director Smith highlighted three key takeaways from seven consent orders announced against “an array of diverse companies.”[3]


The CCPA Is in Effect and It Is Not Too Late to Get Started in 2020

Happy New Year! At long last, the California Consumer Privacy Act of 2018 (“CCPA”) went into effect yesterday, January 1, 2020. For those who have not yet heard, the CCPA establishes a comprehensive legal framework to govern the collection and use of personal information, both online and offline, and provides unprecedented privacy rights to California consumers, in effect becoming the de facto national standard for U.S. privacy law. The law introduces new legal risks and considerations for companies that collect information from California consumers, due to the law’s expansive scope, broad definition of personal information, increased disclosure obligations, enhanced consumer rights, potential for statutory fines and, in the event of a security incident, the potential for consumer class action litigation.