Orrick partners Emily Tabatabai, Tony Kim and Jennifer Martin authored this article for Corporate Counsel on the sweeping implications for businesses of California’s newly-enacted privacy law. Members of our global Cybersecurity, Privacy and Data Innovation Practice, Emily, Tony and Jennifer outline the reasons the new law will have “a significant impact on core business operations.”
Are you ready for the CCPA? Take Orrick’s CCPA Readiness Assessment.
- Assess your company against CCPA provisions.
- Receive a complimentary report summarizing the likely key impacts.
- Use the report to development to develop your CCPA project plan.
Given the explosive growth in the connectivity of every day “things,” several government agencies are focused on how best to support innovation and the benefits of an increasingly connected, data driven society, while weighing options for mitigating the cybersecurity and privacy risks relating to the Internet of Things. The pace of development with respect to connected cars and autonomous vehicles has drawn particular attention. READ MORE
(Editors’ note: Thanks to Orrick trainee associate, Arne Senger, for his help with this blog post.)
With its recent ruling in Bărbulescu v. Romania (application no. 61496/08), the Grand Chamber of the European Court of Human Rights (ECHR) made a decision of enormous impact for employers in Europe. The decision makes clear that even when private use of business resources is prohibited, employers do not have unlimited access to all communications that occur on corporate systems.
Companies should carefully review their policies to ensure that they can access their corporate IT equipment, at least to the extent permitted by European data privacy law. READ MORE
Today, Orrick announced the launch of our automated General Data Protection Regulation (GDPR) Readiness Assessment Tool, which makes the EU’s new, complex, data privacy law, the GDPR, more accessible. The free tool is available to all organizations and allows businesses to stress test their compliance against the upcoming GDPR. It segments the GDPR into 14 workable themes and guides the user through a series of dynamic questions relating to each theme. Upon completion of the assessment, the tool provides a complimentary tailored report summarizing the likely key impacts of the GDPR for an organization. READ MORE
The number of decisions considering claims for insurance coverage resulting from Business Email Compromise (“BEC”) scams has been increasing, providing policyholders with some hope, and some clarity, in this muddy area. (Here and here).
Policyholders got a recent win when a federal court in New York found in Medidata Solutions, Inc. that a data-services provider’s commercial crime policy covered an almost $5 million loss suffered as a result of a BEC scam. The Court in Medidata found coverage under the insured’s computer fraud and funds transfer rider, reasoning that “fraudulent access to a computer system” extends to email spoofing. Parting company with the Fifth Circuit in Apache , the Court in Medidata recognized that such spoofing can be a legal cause of the insured’s loss. And even though an authorized employee willingly initiated the transfer, the funds were not transferred with Medidata’s “knowledge or consent.”
Despite recent wins, there remains enough uncertainty in the coverage landscape (here and here) that we suspect insurers will continue their full-on fight against coverage for these losses. To help policyholders prepare for battle, here are five things you can do NOW to maximize insurance coverage for losses from a BEC scam. READ MORE
Insurers’ recalcitrance to providing coverage for the “Business E-mail Compromise” (BEC) scam is a topic we’ve frequently discussed. On Monday, the Ninth Circuit heard oral argument in a BEC coverage action, Taylor & Lieberman v. Federal Insurance Company.
The fraudster in that case sent spoofed e-mails in 2012 to an accounting firm purporting to be from one of the firm’s clients. At the “client’s” request, the accounting firm executed two wire transfers from the client’s bank account, over which the firm had power of attorney, in amounts just under $100,000 each to banks in Malaysia and Singapore. The firm finally detected the scheme when it called the client for confirmation after receiving a third e-mail requesting another transfer of $128,000 to Malaysia. The accounting firm was able to recover most of the first wire transfer but nothing from the second, resulting in a $100,000 loss to the client’s account, which the firm restored.
Shortly after the new year, the Federal Trade Commission filed suit in the Northern District of California against D-Link Corporation, a Taiwan-based maker of wireless routers, Internet Protocol (IP) cameras, and software used in consumer electronics (such as baby monitors). The complaint alleges that D-Link failed to reasonably secure its products from hackers. Notably, the FTC has not alleged that D‑Link products were exploited by hackers or that a data breach or cyberattack resulted from any alleged security vulnerabilities. Rather, the action is based squarely on security vulnerabilities that “potentially compromis[ed] sensitive consumer information, including live video and audio feeds from D-Link IP cameras” and marketing statements made by D-Link that touted the products’ security features.
January 10, 2017 marked another important step towards reform of the EU data protection framework, with the release of the EU Commission’s proposals for a new Regulation governing privacy and electronic communications.
The main aims of the draft Regulation are to update the ePrivacy Directive to reflect new technologies and to better align it with GDPR. In addition to taking effect on the same day as the GDPR (25th May, 2018), penalties for non-compliance envisaged by the draft Regulation are the same as the GDPR, (i.e. potentially fines of €20m or 4% of annual global turnover, whichever is higher).
Companies required to appoint a data protection officer (“DPO” ) in Europe should carefully consider which candidate is best to select for the job. A company established in Bavaria, Germany, was recently fined by the Bavarian data protection authority (Bayerisches Landesamt für Datenschutzaufsicht, “BayLDA“) for appointing a DPO who at the same time held an operational position as an IT manager. The appointment was deemed to create a conflict of interests between the two functions. This decision could potentially influence the interpretation of the upcoming EU General Data Protection Regulation (“GDPR“) and thus influence the appointment of DPOs by international companies.