How Cybersecurity Fits into Your Compliance and Ethics Program

“Cybersecurity wasn’t necessarily a significant issue for in-house counsel 10-15 years ago. But now, companies have so many more obligations regarding information security and data privacy than they did even a decade ago,” writes Theodore F. Claypoole in The National Law Review.

“Initially, cybersecurity was an issue primarily for regulated companies. Then, companies with widespread consumer contact found themselves having to meet greater regulatory burdens. Today, though, cybersecurity is an issue for virtually every company, and it is important those efforts fit into a corporate compliance and ethics program.”

Read the article.




Goodwin Procter Hit by Data Breach Through Vendor

“Goodwin Procter LLP suffered a data breach after a vendor that it uses for large file transfers was hacked, according to an internal memo obtained by news outlets,” reports Lawyer Monthly in their Legal News.

“The memo, circulated on Tuesday by managing partner Mark Battencourt, said Goodwin was notified of the security issue on 22 January and immediately stopped using the service. The firm also retained the services of a third-party forensic expert and launched an investigation into the breach.”

“‘Our investigation revealed a small percentage of our clients may have experienced unauthorized access to or acquisition of confidential material’ on 20 January, Battencourt said in the memo. ‘Clients whose data may have been directly impacted as a result of this matter have been notified, and we have also communicated the security incident to all firm clients.’”

“The investigation also revealed that ‘only a few Goodwin employees were affected’ by a breach, all of whom had also been notified. The memo added that none of the firm’s resources appeared to have been impacted other than the file transfer service.”

Read the article.




Zoom Reaches Settlement with FTC Over Misleading Security Practices

“The Federal Trade Commission reached a settlement with Zoom to resolve allegations that the company engaged in misleading security practices. The use of the videoconferencing platform skyrocketed during the pandemic, particularly in the healthcare and education sectors, which spotlighted its security risks,” reports Jessica Davis in Health IT Security’s Cybersecurity News.

“The settlement requires Zoom to establish and implement a comprehensive security program and prohibits the vendor from misrepresenting its privacy and security, as well as other ‘detailed and specific relief to protect its user base.’”

“The Commission’s complaint alleges that Zoom made misrepresentations regarding the strength of its security features and implemented a software update that circumvented a browser security feature,” according to the FTC majority statement. “The proposed order provides immediate and important relief to consumers, addressing this conduct.”

Read the article.




Privileged Cybersecurity Investigations – A Checklist for Contracting with Consultants

Your company may suffer a cybersecurity incident that warrants bringing in third-party forensics or other consultants to investigate and report on the cause or consequences of the cyber event or compromise. To seek to protect the third parties’ reports with the work product privilege (and, thus, to avoid having to disclose the reports in litigation) – and to try to side-step the unexpected failure to establish such protection that Capital One recently experienced (In re: Capital One Consumer Data Security Breach Litigation) – do (and don’t do) the following with respect to your contracts with these third parties:

Do have outside counsel be the entity contracting directly with the third party. Have outside counsel pay the third party’s fees, directly. Then, have outside counsel bill you for reimbursement of the fees paid.

Do contract under a specific statement of work or services description that is exclusive to the particular cyber incident.

Do state and expressly limit the purpose of the third party’s services and reports to anticipating litigation arising from the cyber incident. The purpose should not explicitly or implicitly include, for example, financial controls or reporting.

Do require that the third party’s report be in a form and of substance specific to the purpose of anticipating litigation. The report should not mirror what would be provided for reports for other purposes.

Do require the third party to issue formal and informal reports and updates only to the contracting outside counsel. Outside counsel can then, as necessary or appropriate, further distribute the reports or updates, for example, to select internal stakeholders.

Don’t allow those who receive reports and updates from outside counsel to further distribute the reports or updates, whether internally or externally. Require recipients to explicitly agree to limited use and handling terms, before receiving reports or updates.

Don’t allocate the costs and fees for the third party’s services to any internal billing or cost center other than Legal’s. The costs and fees should be assigned to Legal’s budget. Categorize the costs and fees as “legal” costs and fees, not, for example, cybersecurity or business costs or fees.

And, in the contract with the third-party forensics firm or consultant, do include requirements that the third party conform to all of the applicable above do’s and don’t’s.

Importantly, these are only a few of the do’s and don’t’s that may help companies structure and implement contracts with third-party consultants so as to establish the work product privilege for the third party’s reports. Each company, each cybersecurity incident, and the applicable law can vary and be unique, so it is perhaps even more critical for the company to immediately involve inside (or outside) counsel to navigate these thorny issues.

Background – In re: Capital One Consumer Data Security Breach Litigation

The above do’s and don’t’s follow from the recent decision of the U.S. District Court for the Eastern District of Virginia in the above-referenced litigation. Capital One sought to avoid having to disclose the report issued by the cybersecurity forensics firm that it retained in the wake of the March 2019 data security breach suffered by the financial company.

In affirming a magistrate judge’s order to compel Capital One to disclose the forensics report, the Virginia federal district court made several observations. Well before the breach (and not specific to the March breach), Capital One had retained the forensics firm under a general SOW, on a retainer basis, to provide a set number of service hours for any one of a broad range of incident response services that might be needed. After the security breach, the bank’s outside counsel did sign a letter agreement with the forensics firm for services with respect to the breach. However, the terms of the letter agreement provided for the same scope and kind of services, on the same terms and conditions, as the general SOW (except that the forensics firm would work at the direction of the outside counsel and provide the forensics report to the outside counsel).

For performing under the letter agreement, the consultant was first paid from the retainer already provided under the general SOW. Then, Capital One directly paid the balance of the consultant’s fees due under the letter agreement – with funds from Capital One’s internal general cybersecurity budget. Capital One (at least at first) internally identified the fees paid to the consultant as a “business critical” expense – not as a “legal” expense.

During the forensics firm’s investigation, it communicated directly with the bank’s external financial auditors, so that the auditors could assess whether the breach impacted the bank’s accounting controls. Many internal and external parties received a copy of the forensics report, but Capital One provided no explanation as to why these recipients received a copy of the report, as to whether the report was provided for business purposes, regulatory reasons, or specifically in anticipation of litigation, or as to any restrictions placed on the recipients’ use, reproduction, or further distribution of the report.

Both the magistrate judge and, on appeal, the district court judge who opined on the matter saw these above facts, among others, as support for finding that the forensic firm’s investigation report was not protected from disclosure by the work product privilege.




DOJ Reached $46M Settlement with 5Dimes for Illegal Sports Betting

“5Dimes and the U.S. Department of Justice reached a $46.8 million settlement of an investigation into illegal US sports betting operations, as well as money laundering and wire fraud,” reports Matthew Waters in Legal Sports Report.

“The company announced an intent to enter the US sports betting market following the deal, although state regulators likely will balk at the long list of criminal activity detailed in the settlement.”

“5D Holdings and owner Laura Varela will forfeit the illegally obtained gambling proceeds as part of a settlement with the US Attorney’s Office Eastern District of Pennsylvania into the criminal investigation of 5Dimes’ offshore operations in Costa Rica.”

Read the article.




Facebook Brings Suit against Developers of a Browser Extension That Harvested User Data

Facebook brought suit against two marketing analytics firms alleging the defendants developed and distributed malicious Chrome browser extensions that were essentially designed to scrape users’ data from various social media platforms … “(including Facebook and Instagram), all in contravention of Facebook and Instagram’s terms of service and commercial terms,” reports Jeffrey Neuburger in Proskauer.

“According to the Complaint, the defendants coaxed users to install their UpVoice and Ads Feed extensions by, among other things, offering gift cards in exchange for downloading and suggesting that users would become ‘panelists’ impacting marketing strategies of large companies.”

Read the article.




State Gets $1.9 Million as Share of Data Breach Settlement

“Kentucky will receive more than $1.9 million as its share of a settlement with a company over a data security breach that compromised the personal information of 78.8 million Americans,” reports Steve Rogers in WTVQ’s Local News.

“Anthem, Inc. agreed to pay $39.5 million to 43 states and the District of Columbia. Kentucky will receive $1,929,942.02. In addition to the payment, Anthem has also agreed to a series of data security and adequate governance provisions designed to strengthen its practices going forward, according to Attorney General Daniel Cameron, who announced the settlement.”

Read the article.




Fake Websites for Four Biglaw Firms Might Have Been Created to Get Deal Information

“Fake websites for four large law firms created in 2008 might have been part of an attempt to get insider information on pending Wall Street deals, according to newly declassified FBI documents,” reports Debra Cassens Weiss in ABA Journal’s Cybersecurity News.

“The targeted law firms were Greenberg Traurig; Sullivan & Cromwell; Wachtell, Lipton, Rosen & Katz; and Cravath, Swaine & Moore.”

“Sullivan & Cromwell told the FBI that it thought the scammer was trying to intercept email with information about mergers and acquisitions.”

Read the article.




Facebook’s $550 Million Settlement In Facial Recognition Case Is Not Enough

Lawyers for Facebook are “trying to convince a judge they should be allowed to settle a class action lawsuit that accuses the company of violating users’ privacy,” reports Bobby Allyn in NPR’s Technology.

“Facebook agreed earlier this year to pay $550 million to settle the case, which claims that the tech giant illegally used facial-recognition technology in its ‘tag suggestions’ service.”

“The deal was the largest-ever payout as the result of a class-action lawsuit alleging online privacy violations.”

“…under the settlement, people who have had their face data harvested in Illinois are expected to receive checks of just $150.”

“U.S. District Judge James Donato of California, who is overseeing the case, says that payout is woefully inadequate.”

Read the article.




Centre for Information Policy Leadership at Hunton Andrews Kurth Issues Report on Accountability in Data Privacy

To help businesses build effective privacy compliance programs that also enable responsible uses of data, the Centre for Information Policy Leadership at Hunton Andrews Kurth has issued a report on how leading companies have implemented robust privacy programs and accountability controls.

The report is the culmination of CIPL’s Accountability Mapping Project, launched in September 2019. It is based on interviews with numerous organizations with mature privacy programs and an analysis of their specific accountability practices. It provides examples of how organizations in different sectors and geographies, and of various sizes, implement effective data privacy management programs and how these programs map to the CIPL Accountability Framework, which was previously outlined here.

The COVID-19 crisis has highlighted the importance of implementing organizational accountability through data privacy and governance programs. This enables businesses and government agencies to effectively leverage personal data and modern technologies to address public health emergencies without undermining the privacy of individuals. With the acceleration of data-driven innovation and the digital transformation of society in the post-COVID world, corporate boards and senior leaders will be addressing data privacy as a business and trust imperative. This report provides practical examples of how leading organizations implement data privacy accountability measures and embed accountability into their organizational ethos.

“The findings of our report demonstrate that we are squarely moving into the era of data privacy accountability. Enlightened senior leaders in businesses and public bodies see accountability as a board-level business and data strategy issue, and a prerequisite for public trust and sustainable data uses,” CIPL President Bojana Bellamy said. “This report shows that accountability is scalable to both big and small organizations. It illustrates best-in-class practices and success stories to support the effectiveness of an accountability framework in promoting responsible data practices.”

CIPL has worked extensively on privacy accountability and has been advocating for the implementation of accountability principles by organizations around the world. Accountability is also being championed by visionary senior leaders and chief privacy officers in the world’s leading companies and has been encouraged by many forward-thinking data privacy regulators and lawmakers in the US, Canada, Europe, Asia-Pacific and Latin America. Additionally, many jurisdictions such as the European Union, Brazil, Singapore, India and Canada have incorporated, or are in the process of incorporating, accountability into their data protection laws.

Download the report.




Texas Courts Hit by Ransomware Attack

“Texas courts shut down websites and disabled servers late last week in response to a ransomware attack, the Office of Court Administration announced Monday,” reports Dave Boucher in The Dallas Morning News’ Courts.

System administrators discovered early Friday that hackers had taken over at least a portion of the statewide court network and demanded some form of ransom in return for restoring control. In a statement, the administration said the attack began “in the overnight hours” the same day it was discovered.

The state did not specify what exactly hackers requested or how they gained access to the system, and a spokeswoman did not return a phone call seeking comment. The court system is working with state law enforcement to investigate the breach and vowed not to pay any ransom.

The administration runs the information technology services for Texas appellate courts and state judicial agencies, including the Texas courts website.

Read the article.




Law Firm Representing Lady Gaga, Madonna, Bruce Springsteen, Others Suffers Major Data Breach

“Grubman Shire Meiselas & Sacks, a large media and entertainment law firm, appears to have been the victim of a cyberattack that resulted in the theft of an enormous batch of private information on dozens of celebrities, according to a data security researcher,” report Todd Spangler and Shirley Halperin in Variety’s Digital News.

“The trove of data allegedly stolen from the New York-based firm by hackers — a total of 756 gigabytes — includes contracts, nondisclosure agreements, phone numbers and email addresses, and ‘personal correspondence,’ according to an image of the hackers’ post provided to Variety by Emsisoft, a cybersecurity software and consulting company specializing in ransomware.”

“The documents purportedly include information about multiple music and entertainment figures, including: Lady Gaga, Madonna, Nicki Minaj, Bruce Springsteen, Mary J. Blige, Ella Mai, Christina Aguilera, Mariah Carey, Cam Newton, Bette Midler, Jessica Simpson, Priyanka Chopra, Idina Menzel, HBO’s ‘Last Week Tonight With John Oliver,’ and Run DMC. Facebook also is on the hackers’ hit list.”

Read the article.




Ten Tips on Handling a Virtual Evidentiary Hearing Before a Regulatory Agency

“A virtual hearing can be challenging for any regulatory lawyer. It requires relying on technology more than ever to advocate for clients. It can feel like talking to an empty room, even if you’re on camera. Plus it requires attorneys to get results for our clients without the benefit of interpersonal contact with the judge, commissioners or staff. However, having survived my first virtual evidentiary hearing before a state energy commission in April 2020 – and with the benefit of hindsight – it’s like everything lawyers do for the first time in our practice: It’s a challenge until you do it. And like the first oral argument we made or the first hearing we ever litigated, we learn lessons and improve each time,” writes Tara S. Kaushik in Holland & Knight’s Insights.

“We will likely face more than a few virtual hearings given the current pandemic and shelter-in-place orders. Currently, many state regulatory agencies have postponed evidentiary hearings or scheduled briefs and telephonic oral arguments to narrow the issues requiring hearings. But that can only last so long, given that utilities, power grid operators, pipelines and other energy companies have to continue doing business as essential services.”

The post provides some practical tips to manage the challenges of a virtual hearing.

Read the article.




Equifax To Pay Mass. $18.2 Million In Settlement, AG Healey Announces

“Equifax will pay Massachusetts $18.2 million and change its security practices as part of a settlement between the credit reporting agency and the state stemming from a major 2017 data breach, Attorney General Maura Healey announced Friday,” reports Chris Lisinski in WBUR’s Bostonomix.

“Healey sued Equifax shortly after the company’s alleged missteps exposed personal data, including Social Security numbers and driver’s license numbers, of 147 million Americans and 3 million Massachusetts residents. The attorney general said the company also failed to notify consumers in a timely manner once the breach occurred.”

“Her office reached its own settlement with Equifax about nine months after declining to join other states in July 2019 agreements, which the attorney general told reporters allowed Massachusetts to secure a larger payment and more strict conditions on the company.”

Read the article.




Protecting Your Sensitive Information While Using Virtual Meeting Platforms

“Over the last several weeks, virtual meetings have become the new normal for many businesses. Improvements in the technology now mean that virtual meetings have a similar look and feel as in-person meetings. However, there is a much greater risk to valuable information (personal and confidential) in a virtual meeting environment. Some of these risks are associated with the data that are collected and disclosed by the provider of the virtual meeting platform itself. Others arise from inadvertent disclosures or access to virtual meeting rooms by uninvited third parties. Therefore, it is important for organizations to have policies in place that address the need for enhanced cybersecurity and data protection,” warns Kevin Pomfret from Williams Mullen in JD Supra.

“Since Zoom seems to be one of the most popular virtual meeting tools, this alert will discuss how to address these risks on its platform. However, many of these same risks are also associated with other virtual meeting platforms. As a result, it is important to review user instructions, Terms and Conditions and Privacy Policies in order to identify and implement similar protective measures for other virtual meeting services.”

Read the article.




Jeep Drivers’ Claims Come to a Screeching Halt

“On March 27, 2020, a five-year legal battle between three certified classes of Jeep Cherokee drivers and Fiat Chrysler came to a sudden end, when a federal judge in the Southern District of Illinois held that allegations that the vehicles were vulnerable to cyber-attacks did not give plaintiffs standing to sue under Article III of the Constitution,” reports Melissa D. DiGrande in Proskauer’s Appellate.

“U.S. District Judge Staci M. Yandle—who was assigned to the case in April 2019, after Judge Michael Reagan retired—did not take lightly her decision to grant defendants’ motion to dismiss for lack of jurisdiction, given the lengthy history of the dispute. Discovery had been completed, experts had been retained, and several motions involving the same standing issues had already been resolved—in plaintiffs’ favor. But, as Judge Yandle explained, a federal court has ‘an independent obligation at each stage of the proceedings’ to ensure that it has subject matter jurisdiction over the litigation. Ultimately, defendants’ persistence paid off and resulted in the full dismissal of the claims, with prejudice.”

Read the article.




The Privatization of the Fourth Amendment?

“This year may prove to be one in which the concepts of privacy vis-à-vis the government and private concerns may converge,” warns Dante A. Stella in Dykema’s The Firewall.

“In 2018, the United States Supreme Court ruled in Carpenter v. United States, 138 S. Ct. 2206 (2018), that individuals have an expectation of privacy in cell-tower locations, and consequently, the government must obtain a warrant to retrieve that location data from a carrier. The 5-4 decision held that cell tower data is subject to Fourth Amendment protections because it implicates an individual’s ‘legitimate expectation of privacy in the record of his physical movements.’ The Court also noted that the data is ‘detailed, encyclopedic, and effortlessly compiled,’ id. at 2216, and that functioning in modern society does not allow people to simply opt out of using mobile devices…”

Read the article.




INSIGHT: New DoD Cybersecurity Certification Holds Key to Contracts

“Cybersecurity attacks represent a real threat to our national security and the defense industrial base. To combat these threats, the Department of Defense recently released Cybersecurity Maturity Model Certification v1.0—a conspicuous change in how cybersecurity will be viewed in the performance of DoD government contracts.”

“Cybersecurity will no longer be viewed primarily as an element of contract performance. Rather, once CMMC is fully implemented, third-party certified and mature cybersecurity practices and processes will be foundational in contracting with the DoD—without the appropriate CMMC certification, contractors will not be considered for contract awards.”

Read the article.




Malpractice Suit for Document Hack That Exposed Client Info Can Proceed

“A prominent Chinese dissident may proceed with his malpractice case against a law firm based on allegations that the firm failed adequately to protect his personal data from hackers, a Washington, D.C. district court said in an opinion on February 20. In his $50 million suit, the plaintiff, Guo Wengui, alleges that after he retained the firm, someone (assumed to be associated with the Chinese government) penetrated the firm’s computer servers, gained access to his confidential information and published it on the Internet,” report Karen Rubin and Tom Zych in The Law for Lawyers Today’s Malpractice.

“The district court turned back the firm’s motion to dismiss and allowed most of Wengui’s claims to go forward. The case bears watching as cyberattacks increasingly target law firms, and legal IT teams struggle to stay one step ahead of security threats.”

Read the article.




Practical Tips for In-House Counsel From Recent Cybersecurity Decisions

“The possibility of a cybersecurity incident—and ensuing litigation—is a fact of life for almost every business. Even companies that do not process or handle consumer information collect personal information about their employees that can be targeted by hackers or phishing scams or even inadvertently disclosed, exposing the company to potential liability,” warn Seth Harrington, Michelle Visser and David Cohen in Orrick’s blog.

“While eliminating cybersecurity litigation risk entirely likely is not feasible, recent cases do highlight some steps that companies seeking to reduce potential exposure to cybersecurity litigation can take:
(1) Recognize that pre-incident statements about the company’s cybersecurity measures can be used to sustain deception-related claims.
(2) Assess the “reasonableness” of your cybersecurity, despite the difficulty of doing so.
(3) Pay attention to how you structure cybersecurity initiatives to protect related documents and communications based on the attorney-client privilege and work product protection.
(4) Recognize that your statements about a cybersecurity incident may be relied on by courts to sustain plaintiffs’ claims.
(5) Consider arbitration clauses, but do so cautiously.
(6) Consider opportunities to contractually allocate or disclaim liability.”

Read the article.