Cybersecurity and Legal Due Diligence Considerations in M&A Transactions

By: Joshua Mooney, Lori Smith and Jeremy Miller

When prospective buyers conduct legal due diligence in merger and acquisition transactions, the main focus is typically on the traditional items, such as financials, debt instruments, major contracts and other key metrics customarily analyzed. These items, among others, remain critical to evaluating a business. However, with technology continuing to advance at an exponential rate and hackers breaching company information systems more frequently, as seen with Target, Equifax and many others, it is critical that prospective buyers thoroughly consider the risks associated with the target’s cybersecurity practices, or lack thereof. …

Announced GDPR Fine Against Marriott Raises Reporting and Coverage Implications

By: Joshua Mooney and Andrew Lipton

Last week, on July 9, 2019, the United Kingdom’s Information Commissioner’s Office (ICO) announced its intention to fine Marriott International £99.3 million (about $124 million), or roughly 2.5% of Marriott’s worldwide annual revenue, in connection with the Starwood customer loyalty program. Last November, Marriott announced a breach of the Starwood brand reservation database, potentially compromising the accounts of approximately 500 million guests. The compromise reportedly began in 2014, before Marriott acquired Starwood in 2016. According to the ICO’s statement, the breach involved a variety of personal data found in approximately 339 million guest records, including 30 million records relating to residents of 31 countries in the European Economic Area (EEA) and 7 million records relating to UK residents.[1]

A Warning to Law Firms and Litigants: Unlawful Disclosure of PHI in Litigation Can Lead to Trouble

By: Joshua A. Mooney

Handling sensitive data with appropriate care in litigation is a critical aspect of legal practice. Recent ABA Formal Opinions 477 and 483 discuss requirements for securing protected client information and lawyers’ obligations after a cyberattack. Conduct during litigation is no different. Unless a statute provides otherwise, the context of litigation does not affect a person’s legal duties when handling sensitive data. In Menorah Park Ctr. for Senior Living v. Rolston, 2019 Ohio App. LEXIS 2175 (Ohio Ct. App. May 30, 2019), a plaintiff in a small-claims matter is learning this lesson the hard way.

The FTC Wants More Power to Investigate Corporate Data Privacy Violations: Will Cyber Insurance Cover the Costs of a Company’s Response?

On May 8, 2019, all five commissioners of the U.S. Federal Trade Commission (FTC) testified before a congressional hearing on data privacy regulation and enforcement. At the hearing, the FTC commissioners testified that the FTC seeks enhanced powers to investigate and prosecute privacy violations by large companies. According to the commissioners, fines are not enough. As FTC Commissioner Rohit Chopra noted during the testimony, “[the FTC] cannot change behavior without finding out who at the top caused those problems.” The clear takeaway from this testimony? Companies that collect, process and store personal data from their customers should prepare themselves for an increase in data privacy-related investigations, especially coming from the FTC.

Invasion of Privacy Exclusion in a Claims-Made Policy and Looking Ahead to Data Privacy Litigation

By: Joshua A. Mooney and Timothy A. Carroll

This week, in Horn v. Liberty Insurance Underwriters, Inc., 2019 U.S. Dist. LEXIS 90194 (S.D. Fla. May 30, 2019), a Florida district court held that an invasion of privacy exclusion in a claims-made policy precluded coverage for an underlying Telephone Consumer Protection Act (TCPA) lawsuit. The decision is of interest because of the court’s reasoning, and because it may foreshadow the direction of coverage litigation as more data privacy (as opposed to data security) laws and regulations are passed and enforced.

Possible and Significant Changes Coming to the CCPA

By: Joshua Mooney

Enacted in June 2018, the California Consumer Privacy Act (CCPA) has been criticized for its broad scope, the burdens it would impose on businesses, and its textual ambiguities. The legislation arose from a controversial privacy ballot initiative that would have expanded California consumer privacy rights through amendments to the California Constitution. To head off the initiative, the CCPA was hastily written and enacted – approximately one week from drafting to reaching the Governor’s desk – to appease the initiative’s backers. Now, with approximately eight months remaining before the CCPA takes effect (January 1, 2020), some changes appear to be coming to address those concerns.

Higher Ed Falls Victim to New Data Breach

By: Linda Perkins

On April 2, 2019, the Georgia Institute of Technology (Georgia Tech) announced that it had sustained a data breach when one of its central databases was accessed by an unknown outsider through a web application, exposing the personal information of up to 1.3 million current and former faculty members, students, staff and student applicants. Local news organizations report that information security officials at the university are continuing to investigate the incident to determine the extent to which its systems were compromised and to identify the individuals whose information was exposed. …

Data Protection Laws: Following GDPR Enactment, US States Take Action

By: Sedgwick Jeanite

The European Union’s General Data Protection Regulation (GDPR) governs the processing of “personal data.” With its arguably extraterritorial reach, it is perhaps the most significant change in the EU’s data protection regime in the last 20 years, and its effect has been widespread. Since May 2018, several U.S. states have proposed or enacted their own data protection laws, some of which contain consumer rights and requirements that mirror those found in GDPR. The most notable legislation is the California Consumer Privacy Act of 2018 (CCPA), about which much has already been written. Since then, several other states have proposed similar laws. Most of these bills have been introduced within the last few months, and are as follows: …

PCI SSC Issues New Standards for Payment Software

By: Michael Jervis

The Payment Card Industry Security Standards Council (PCI SSC) has issued a new Software Security Framework for secure payment software. The framework includes both a Secure Software Standard and a Secure Software Life Cycle (SLC) Standard. A key aspect of the framework is the SLC, which makes security a consideration at every stage of payment software development, rather than only during the testing phase at the end of the software lifecycle. The new standards result from the work of a Software Security Task Force and from request-for-comment periods that solicited input from industry stakeholders. …

The $29 Million Yahoo Derivative Data Breach Settlement: What Next?

By: Sedgwick Jeanite and Meryl Breeden

On January 4, 2019, a federal district court in California approved a $29 million settlement in a shareholder derivative lawsuit against former Yahoo directors and officers over the high-profile data breaches at Yahoo between 2013 and 2016. The settlement is a noteworthy departure from other breach-related derivative suits, which have been largely unsuccessful. As the number of data breach derivative lawsuits against directors and officers continues to increase, the relatively large size of this settlement may create valuation expectations that drive up the settlement costs of other pending and future data breach-related derivative cases.