Court Rulings

Announced GDPR Fine Against Marriott Raises Reporting and Coverage Implications

By: Joshua Mooney and Andrew Lipton

Last week on July 9, 2019, the United Kingdom’s Information Commissioner’s Office (ICO) announced its intention to fine Marriott International £99.3 million (about $124 million), or 2.5% of Marriott’s worldwide annual revenue, in connection with the Starwood customer loyalty program. Last November, Marriott announced a breach of the Starwood brand reservation database, potentially compromising the accounts of approximately 500 million guests. The compromise reportedly first took place in 2014 before Marriott had acquired Starwood in 2016. According to the ICO’s statement, the breach involved a variety of personal data found in approximately 339 million guest records, including 30 million records relating to residents of 31 countries in the European Economic Area (EEA) and 7 million records relating to UK residents.[1]

A Warning to Law Firms and Litigants: Unlawful Disclosure of PHI in Litigation Can Lead to Trouble

By: Joshua A. Mooney

The handling of sensitive data with appropriate care in litigation is a critical aspect of legal practice. Recent ABA Formal Opinions 477 and 483 discuss requirements for securing protected client information and lawyers’ obligations after a cyberattack. Conduct during litigation is no different. Unless stated otherwise by statute, the context of litigation does not affect a person’s legal duties when handling sensitive data. In Menorah Park Ctr. for Senior Living v. Rolston, 2019 Ohio App. LEXIS 2175 (May 30, 2019 Ohio Ct. App.), a plaintiff in a small-claims matter is learning this lesson the hard way.

The FTC Wants More Power to Investigate Corporate Data Privacy Violations: Will Cyber Insurance Cover the Costs of a Company’s Response?

On May 8, 2019, all five commissioners of the U.S. Federal Trade Commission (FTC) testified before a congressional hearing on data privacy regulation and enforcement. At the hearing, the FTC commissioners testified that the FTC seeks enhanced powers to investigate and prosecute privacy violations by large companies. According to the commissioners, fines are not enough. As FTC Commissioner Rohit Chopra noted during the testimony, “[the FTC] cannot change behavior without finding out who at the top caused those problems.” The clear takeaway from this testimony? Companies that collect, process and store personal data from their customers should prepare themselves for an increase in data privacy-related investigations, especially coming from the FTC.

Invasion of Privacy Exclusion in a Claims-Made Policy and Looking Ahead to Data Privacy Litigation

By: Joshua A. Mooney and Timothy A. Carroll

This week in Horn v. Liberty Insurance Underwriters, Inc., 2019 U.S. Dist. LEXIS 90194 (S.D. Fla. May 30, 2019), the Florida district court held that an invasion of privacy exclusion under a claims-made policy prohibited coverage for an underlying Telephone Consumer Protection Act (TCPA) lawsuit. The decision is of interest because of the court’s reasoning, and as it may foreshadow the direction of coverage litigation as more and more data privacy (as opposed to data security) laws and regulations are passed and enforced.

Five Quick Thoughts on Dittman

By: Joshua Mooney

Recently, the Supreme Court of Pennsylvania issued a landmark decision in Dittman v. UPMC, 2018 Pa. LEXIS 6051 (Pa. Nov. 21, 2018), under which employers now have an independent duty to protect employee data from cyberattacks. The case was explained in an alert published last week. Here are five quick thoughts on the decision: …

Supreme Court Alert: The Government Must Obtain a Warrant for Cell-Site Records

By: Jay Shapiro

Earlier this morning, the Supreme Court of the United States issued its long-awaited ruling in Carpenter v. United States. The question answered by the Court was “whether the Government conducts a search under the Fourth Amendment when it accesses historical cell phone records that provide a comprehensive chronicle of the user’s past movements.” In its decision, the Court acknowledged that it was applying the Fourth Amendment “to a new phenomenon” – tracking a person’s past movements through the record of his cell phone signals. The Court found that the acquisition of this information required, in most instances, a warrant supported by probable cause. …

Cyber Law: Pennsylvania Supreme Court Watch

By: Josh Mooney and Kate Woods

The body of cybersecurity case law continues to grow. On April 10, 2018, the Pennsylvania Supreme Court is set to hear arguments regarding employers’ liability for data breaches in Dittman v. UPMC.

Specifically, Pennsylvania’s justices will consider and ultimately decide whether UPMC had a duty to safeguard its employees’ electronic information and whether the economic loss doctrine applies, thus barring recovery for purely economic losses. …

United States v. Microsoft Raises Significant Questions Regarding Application of the Stored Communications Act

By: Jay Shapiro and Sedgwick Jeanite

Justice Ginsburg: “In….1986, no one ever heard of clouds.”

On Tuesday, February 27, 2018, the US Supreme Court heard oral argument in connection with an ongoing dispute between the Department of Justice (DOJ) and Microsoft over data in the corporation’s datacenter in Ireland. At the core of the oral argument is the application of the Stored Communications Act (SCA), a law enacted in 1986 that regulates the US government’s ability to obtain emails and other communications from providers of electronic communication services or remote computing services. Microsoft has fought the government’s contention that a warrant obtained under the SCA can compel a US company to produce information under its control but stored outside the United States. …

Federal Judge Issues Opinion Concerning the Viability of Data Breach Claims

A federal judge in the Southern District of New York recently issued an opinion providing guidance concerning the viability of data breach claims, particularly in the context of a breach of employee information. Sackin v. Transperfect Global, Inc. involves a purported class action filed on behalf of Transperfect employees whose personally identifiable information (PII) was disclosed as a result of a cyber attack. In January 2017, a targeted phishing email was sent to a Transperfect employee designed to look like it had come from the company’s CEO, requesting payroll information regarding Transperfect employees. The Transperfect employee fell for the scheme and sent unencrypted PII to the attacker including names, addresses, Social Security Numbers, and bank account numbers for Transperfect employees. According to the complaint, the disclosure involved thousands of employees.

Anthem Settles Data Breach Class Action

Anthem, Inc., the nation’s largest health insurance company, has agreed to settle the class action litigation arising from its 2015 data breach for $115 million, eclipsing the amount of any previous data breach settlement. The lawsuit, filed in federal court in California, had survived two motions to dismiss. After extensive discovery, plaintiffs moved for class certification on March 10, 2017. …