Announced GDPR Fine Against Marriott Raises Reporting and Coverage Implications

By: Joshua Mooney and Andrew Lipton

Last week, on July 9, 2019, the United Kingdom’s Information Commissioner’s Office (ICO) announced its intention to fine Marriott International £99.3 million (about $124 million), or 2.5% of Marriott’s worldwide annual revenue, in connection with the Starwood customer loyalty program. Last November, Marriott announced a breach of the Starwood brand reservation database, potentially compromising the accounts of approximately 500 million guests. The compromise reportedly first took place in 2014, before Marriott acquired Starwood in 2016. According to the ICO’s statement, the breach involved a variety of personal data found in approximately 339 million guest records, including 30 million records relating to residents of 31 countries in the European Economic Area (EEA) and 7 million records relating to UK residents.[1]

A Warning to Law Firms and Litigants: Unlawful Disclosure of PHI in Litigation Can Lead to Trouble

By: Joshua A. Mooney

Handling sensitive data with appropriate care in litigation is a critical aspect of legal practice. Recent ABA Formal Opinions 477 and 483 discuss requirements for securing protected client information and lawyers’ obligations after a cyberattack. Conduct during litigation is no different. Unless a statute states otherwise, the context of litigation does not affect a person’s legal duties when handling sensitive data. In Menorah Park Ctr. for Senior Living v. Rolston, 2019 Ohio App. LEXIS 2175 (Ohio Ct. App. May 30, 2019), the plaintiff in a small-claims matter is learning this lesson the hard way.

The FTC Wants More Power to Investigate Corporate Data Privacy Violations: Will Cyber Insurance Cover the Costs of a Company’s Response?

On May 8, 2019, all five commissioners of the U.S. Federal Trade Commission (FTC) testified before a congressional hearing on data privacy regulation and enforcement. At the hearing, the FTC commissioners testified that the FTC seeks enhanced powers to investigate and prosecute privacy violations by large companies. According to the commissioners, fines are not enough. As FTC Commissioner Rohit Chopra noted during the testimony, “[the FTC] cannot change behavior without finding out who at the top caused those problems.” The clear takeaway from this testimony? Companies that collect, process and store personal data from their customers should prepare themselves for an increase in data privacy-related investigations, especially coming from the FTC.

Invasion of Privacy Exclusion in a Claims-Made Policy and Looking Ahead to Data Privacy Litigation

By: Joshua A. Mooney and Timothy A. Carroll

This week in Horn v. Liberty Insurance Underwriters, Inc., 2019 U.S. Dist. LEXIS 90194 (S.D. Fla. May 30, 2019), the Florida district court held that an invasion of privacy exclusion under a claims-made policy prohibited coverage for an underlying Telephone Consumer Protection Act (TCPA) lawsuit. The decision is of interest because of the court’s reasoning, and as it may foreshadow the direction of coverage litigation as more and more data privacy (as opposed to data security) laws and regulations are passed and enforced.

Possible and Significant Changes Coming to the CCPA

By: Joshua Mooney

Enacted in June 2018, the California Consumer Privacy Act (CCPA) has been criticized for its broad scope, the burdens it would impose on businesses, and its textual ambiguities. The legislation arose from a controversial privacy ballot initiative to expand California consumer privacy rights through amendments to the California Constitution. To head off the ballot initiative, the CCPA was hastily written and enacted – approximately one week from drafting to reaching the Governor’s desk – to appease the initiative’s backers. Now, with approximately eight months remaining before the CCPA takes effect (January 1, 2020), some changes appear to be coming to address some of these concerns.

Data Protection Laws: Following GDPR Enactment, US States Take Action

By: Sedgwick Jeanite

The European Union’s General Data Protection Regulation (GDPR) governs the processing of “personal data.” With its arguably extra-jurisdictional reach, it is perhaps the most significant change in the EU’s data protection regime in the last 20 years, and its effect has been widespread. Since May 2018, several U.S. states have proposed or enacted their own data protection laws, some of which contain consumer rights and requirements that mirror those found in GDPR. The most notable legislation is the California Consumer Privacy Act of 2018 (CCPA), on which much has already been written. Since then, several other states have proposed similar laws. Most bills have been introduced within the last few months, and are as follows: …

The $29 Million Yahoo Derivative Data Breach Settlement: What Next?

By: Sedgwick Jeanite and Meryl Breeden

On January 4, 2019, a federal district court in California approved a $29 million settlement in a shareholder derivative lawsuit against former Yahoo directors and officers regarding high-profile data breaches at Yahoo between 2013 and 2016. The settlement is a noteworthy departure from other breach-related derivative suits, which have been largely unsuccessful. As the number of data breach derivative lawsuits against directors and officers continues to increase, the relatively large size of this settlement may create valuation expectations that drive up the settlement costs of other pending and future data breach-related derivative cases.

Best Practices For Personal Data Security #DataPrivacyDay

By: Linda Perkins

January 28 is Data Privacy Day, a designated day to remind consumers, businesses and government agencies worldwide of the importance of personal data security and the need to protect it. It is true that, in many respects, we live in a world that can accurately be described as “data insecure.” It is also true, however, that if we remind ourselves often enough that personal data security and privacy are critical concerns for everyone, then perhaps we will improve our chances of becoming a more “data secure” world for individual consumers and businesses alike.

Amendments to Massachusetts Data Breach Law Impose New Requirements

By: Michael Jervis

New amendments to Massachusetts’s Data Breach Notification Act take effect on April 11, 2019. The amendments impose additional requirements on covered companies that sustain a data breach involving personal data of Massachusetts residents. The new requirements are:

Five Quick Thoughts on Dittman

By: Joshua Mooney

Recently, the Supreme Court of Pennsylvania issued a landmark decision in Dittman v. UPMC, 2018 Pa. LEXIS 6051 (Pa. Nov. 21, 2018), holding that employers have an independent duty to protect employee data from cyberattacks. The case was explained in an alert published last week. Here are five quick thoughts on the decision: …