7th Circuit Revives P.F. Chang’s Data Breach Class Action Suit

Antony P. Kim, Aravind Swaminathan, Emily Tabatabai and Sam CasticPosted on April 21, 2016

Last week, the Seventh Circuit revived a data breach class action against P.F. Chang’s restaurant in an important opinion that continues a plaintiff-friendly trend that began with the court’s opinion in the Neiman Marcus case that we previously reported on here. The court used statements that P.F. Chang’s made in response to the breach and protective remediation measures it implemented to draw inferences that customers were at a risk of identity theft and harm, and then used those inferences to find that plaintiffs had standing to proceed with their litigation. The case raises new issues that organizations should consider in crafting post-breach communications, and important takeaway lessons that may help increase the likelihood of obtaining dismissal of data breach class actions at the pleadings stage.

O’ Really, Canada? Data Breach Log Rules Underway

Russell Cohen, Mark Mermelstein and Mona AmerPosted on April 18, 2016

In June 2015, Canada made significant amendments to its data privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). These amendments to PIPEDA will require businesses to inform the Canadian Privacy Commissioner of certain data breaches, provide notice to affected individuals and maintain a log of any breaches of their cybersecurity safeguards. Regulations implementing the amendments are being developed and we expect, with a new government in place, to see something soon.

Two Years to Get Ready – GDPR Adopted

Christian Schröder, Antony P. Kim and Aravind SwaminathanPosted on April 15, 2016

After 4 years of negotiation, today the European Parliament adopted the General Data Protection Regulation (“GDPR“). In doing so, it signaled the end of the EU approval process and put businesses on alert that they now have two years to prepare for compliance.

The finalization of the GDPR has implications not only in the EU but globally. Businesses around the world that wish to operate in the EU, provide services and goods to residents in the EU, or monitor the behavior of residents in the EU, will need to comply with the new laws.

The GDPR builds on existing EU privacy laws but includes significant changes which increase the protections already afforded to personal data.

Fourth Circuit Finds Potential Coverage For Data Leak As Publication Under CGL Policy

Russell Cohen and Darren S. TeshimaPosted on April 14, 2016

This week, a Fourth Circuit panel in an unpublished decision validated arguments long made by policyholders: that commercial general liability policies may provide coverage for certain data breach liabilities. In this case, Travelers Indemnity Company v. Portal Healthcare Solutions, the appellate court affirmed the district court’s 2014 ruling that an insurer had the duty to defend a company that provides electronic medical record management services in a class action alleging that the company made patients’ confidential records publicly accessible by posting the records to an unsecured public website.

EU-US Privacy Shield may not be up after all

Christian SchröderPosted on April 13, 2016

Bad news for companies relying on transatlantic data flows as, once again, the transfer of personal data from Europe to the United States is called into question by the Article 29 Working Party (the “Working Party”), an influential committee of the EU privacy regulators. Ever since the EU-U.S. Safe Harbor Framework was declared invalid by the Court of Justice of the European Union in October 2015, companies have had to find alternative ways to legally transfer personal data. On 29 February 2016, the EU Commission proposed the “EU-U.S. Privacy Shield” as a replacement to the Safe Harbor Framework and a potential solution.

More Guidelines on Data Privacy Compliant Use and Monitoring of Internet and Emails in the Workplace in Germany

Christian Schröder and Clarissa OttoPosted on April 13, 2016

Recently, the Berlin-Brandenburg Regional Labor Court ruled on the rights of an employer to check browsing history without the employee’s consent.

Orrick’s German employment team published a client newsletter about this judgment which can also be found here.

Tennessee Amends Breach Notice Statute and Sets Notice Deadline

Emily Tabatabai, Aravind Swaminathan and Antony P. KimPosted on April 4, 2016

Tennessee recently amended its data breach notification law, and in doing so, it has joined the ranks of states like Florida, Ohio, and Wisconsin that require notification to residents of a data breach within a defined time period. When the law becomes effective on July 1, 2016, the statute will require notice to Tennessee residents within forty-five (45) days after discovery that personal information has been acquired by an “unauthorized person.” The original amendment required notice within fourteen (14) days, but the bill was subsequently amended to expand the deadline to 45 days.

Is Cyberinsurance the Chicken or the Egg?

Russell Cohen, Antony P. Kim and Aravind SwaminathanPosted on March 28, 2016

The insurance industry has been making the case to Congress that cyberinsurance can be a path to good security practices, encouraging different groups inside an organization to better communicate with one another. The process of investigating, applying for and being approved for cyberinsurance may indeed prompt important discussions inside organizations about cybersecurity. And it may be a subject that prompts board-level discussion of cyber preparedness. But in our view, relying on cyberinsurance as the spark for those conversations is the tail wagging the dog or the chicken not the egg or the egg not the chicken.

FTC Puts Teeth into Native Ads Guidance: Lord & Taylor Settles Deceptive Ad Claim

Emily TabatabaiPosted on March 24, 2016

Last week, fashion retailer Lord & Taylor reached a settlement with the FTC over its allegedly deceptive advertising campaign, the first such action since the FTC released its Enforcement Policy Statement on Deceptively Formatted Advertisements and its companion guidance, Native Advertising: A Guide for Businesses, in December 2015. Native Advertising is clearly on the FTC’s 2016 enforcement agenda.

Internet Providers on Notice: Draft Privacy Regulations Coming Soon

Sam Castic, Emily Tabatabai, Aravind Swaminathan and Antony P. KimPosted on March 15, 2016

This month, the Federal Communications Commission (FCC) will consider issuing a Notice of Proposed Rulemaking (NPRM) for privacy regulations that will apply to broadband providers. The goals and objectives of the proposed regulations, which will be offered by FCC Chairman Wheeler, are outlined in a short document that the FCC released. The proposed regulations will likely contain strict privacy requirements that broadband providers have never before been subject to under federal law.

Trust Anchor