Data

Announced GDPR Fine Against Marriott Raises Reporting and Coverage Implications

By: Joshua Mooney and Andrew Lipton

Last week, on July 9, 2019, the United Kingdom’s Information Commissioner’s Office (ICO) announced its intention to fine Marriott International £99.3 million (about $124 million), or 2.5% of Marriott’s worldwide annual revenue, in connection with the Starwood customer loyalty program. Last November, Marriott announced a breach of the Starwood brand reservation database, potentially compromising the accounts of approximately 500 million guests. The compromise reportedly first took place in 2014, before Marriott acquired Starwood in 2016. According to the ICO’s statement, the breach involved a variety of personal data found in approximately 339 million guest records, including 30 million records relating to residents of 31 countries in the European Economic Area (EEA) and 7 million records relating to UK residents.[1]

A Warning to Law Firms and Litigants: Unlawful Disclosure of PHI in Litigation Can Lead to Trouble

By: Joshua A. Mooney

The handling of sensitive data with appropriate care in litigation is a critical aspect of legal practice. Recent ABA Formal Opinions 477 and 483 discuss requirements for securing protected client information and lawyers’ obligations after a cyberattack. Conduct during litigation is no different. Unless a statute provides otherwise, the context of litigation does not affect a person’s legal duties when handling sensitive data. In Menorah Park Ctr. for Senior Living v. Rolston, 2019 Ohio App. LEXIS 2175 (Ohio Ct. App. May 30, 2019), a plaintiff in a small-claims matter is learning this lesson the hard way.

The FTC Wants More Power to Investigate Corporate Data Privacy Violations: Will Cyber Insurance Cover the Costs of a Company’s Response?

On May 8, 2019, all five commissioners of the U.S. Federal Trade Commission (FTC) testified before a congressional hearing on data privacy regulation and enforcement. At the hearing, the FTC commissioners testified that the FTC seeks enhanced powers to investigate and prosecute privacy violations by large companies. According to the commissioners, fines are not enough. As FTC Commissioner Rohit Chopra noted during the testimony, “[the FTC] cannot change behavior without finding out who at the top caused those problems.” The clear takeaway from this testimony? Companies that collect, process and store personal data from their customers should prepare themselves for an increase in data privacy-related investigations, especially coming from the FTC.

Invasion of Privacy Exclusion in a Claims-Made Policy and Looking Ahead to Data Privacy Litigation

By: Joshua A. Mooney and Timothy A. Carroll

This week in Horn v. Liberty Insurance Underwriters, Inc., 2019 U.S. Dist. LEXIS 90194 (S.D. Fla. May 30, 2019), the Florida district court held that an invasion of privacy exclusion under a claims-made policy prohibited coverage for an underlying Telephone Consumer Protection Act (TCPA) lawsuit. The decision is of interest because of the court’s reasoning, and as it may foreshadow the direction of coverage litigation as more and more data privacy (as opposed to data security) laws and regulations are passed and enforced.

Data Protection Laws: Following GDPR Enactment, US States Take Action

By: Sedgwick Jeanite

The European Union’s General Data Protection Regulation (GDPR) governs the processing of “personal data.” With its arguably extra-jurisdictional reach, it is perhaps the most significant change in the EU’s data protection regime in the last 20 years, and its effect has been widespread. Since May 2018, several U.S. states have proposed or enacted their own data protection laws, some of which contain consumer rights and requirements that mirror those found in GDPR. The most notable legislation is the California Consumer Privacy Act of 2018 (CCPA), about which much has already been written. Since then, several other states have proposed similar laws. Most bills have been introduced within the last few months, and are as follows: …

The $29 Million Yahoo Derivative Data Breach Settlement: What Next?

By: Sedgwick Jeanite and Meryl Breeden

On January 4, 2019, a federal district court in California approved a $29 million settlement in a shareholder derivative lawsuit against former Yahoo directors and officers regarding high-profile data breaches at Yahoo between 2013 and 2016. The settlement is a noteworthy departure from other breach-related derivative suits, which have been largely unsuccessful. As the number of data breach derivative lawsuits against directors and officers continues to increase, the relatively large size of this settlement may create valuation expectations that drive up the settlement costs of other pending and future data breach-related derivative cases.

Amendments to Massachusetts Data Breach Law Impose New Requirements

By: Michael Jervis

Effective April 11, 2019, new amendments to Massachusetts’s Data Breach Notification Act go into effect. The amendments impose additional requirements on covered companies that sustain a data breach involving the personal data of Massachusetts residents. The new requirements are:

Five Quick Thoughts on Dittman

By: Joshua Mooney

Recently, the Supreme Court of Pennsylvania issued a landmark decision in Dittman v. UPMC, 2018 Pa. LEXIS 6051 (Pa. Nov. 21, 2018), holding that employers have an independent duty to protect employee data from cyberattacks. The case was explained in an alert published last week. Here are five quick thoughts on the decision: …

Marriott’s Starwood Data Breach Could Expose 500 Million Customers

By: Andrew Lipton

On November 30, 2018, Marriott International announced that hackers gained “unauthorized access” to the Starwood brand reservation database, potentially compromising the accounts of approximately 500 million guests. According to company officials, the hackers “copied and encrypted [guests’] information, and took steps toward removing it” beginning in 2014. This information included names, phone numbers, email addresses, passport numbers, dates of birth and guests’ travel itinerary information. Marriott allegedly discovered the data breach last week. …

Security of Critical Infrastructure Relies on Businesses to Build Resilience

By: Linda Perkins

The U.S. Department of Homeland Security (DHS) recently made “strengthening risk management and prioritization of cyber and physical threats and hazards” a national priority. Similarly, this week’s theme for National Cyber Security Awareness Month is “Safeguarding the Nation’s Critical Infrastructure” and, looking ahead, the DHS has designated November as Critical Infrastructure Security and Resilience Month. By doing so, the DHS hopes to engage and educate public and private sector partners and raise awareness of the pressing need to secure the range of systems and resources that underpin everyday life in the U.S. Businesses can address many of these recommendations on their own, but for others they may be better informed after consulting counsel to make sure certain risks are properly assessed and responsibly mitigated based on the individual business environment. …