Privacy & Cybersecurity

Today, in Commonwealth v. Gelfgatt, No. SJC-11358 (Mass. June 25, 2014), a divided Massachusetts Supreme Judicial Court held that under certain circumstances, a court may compel a criminal defendant to provide the password to encrypted digital evidence seized by the government without violating either the Fifth Amendment or Article Twelve of the Massachusetts Declaration of Rights.

DC Update from Politico Morning Tech
"DATA BREACH DRAFT DELAYED - The thorny issue of FTC enforcement has slowed efforts to release a draft of Rep. Lee Terry's data breach bill, according to sources close to the process.

Last week, the HHS Office of Civil Rights (OCR) released two reports required by the Health Information Technology for Economic and Clinical Health (HITECH) Act: (i) the Annual Report to Congress on Breaches of Unsecured Protected Information (Breach Report); and (ii) the Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance (Compliance Report).

Just a little over a month after settling charges of false promises of disappearing user messages (among other things) with the Federal Trade Commission (“FTC”), mobile app developer Snapchat, Inc. (“Snapchat” or “Company”) announced that on June 12th  the Company entered into an agreement with the Office of Maryland Attorney General Douglas Gansler to resolve similar claims of consumer deception as well as additional allegations of failure to comply with the Children’s Online Privacy Protection Act (“COPPA”) and its implementing rule (as amended, the “COPPA Rule”).

There are only a handful of decisions addressing whether a commercial general liability (CGL) policy provides coverage for lawsuits brought against retailers allegedly collecting their customers’  ZIP code information. Thus, when a decision is issued in this area, particularly a decision denying coverage, it is noteworthy.

What's that old saying ... "a day late and a dollar short?" Here is our Privacy Monday roundup ... on Tuesday.

SEC Commissioner Luis Aguilar recently spoke at the New York Stock Exchange Conference “Cyber Risks and the Boardroom.” In his speech, Commissioner Aguilar emphasized the importance of cybersecurity and how fast the need for cybersecurity has grown in such a short time period, pointing out that U.S. companies experienced a 42% increase between 2011 and 2012 in the number of successful cyber-attacks they incurred per week.

Welcome to another week, and our Privacy Monday look at top issues.
California Attorney General Puts the Focus on the Consumer

Attorney-client privilege, and how to ensure that advice and counsel to their clients is covered by the privilege, is always a top-of-mind issue for in-house counsel, particularly with respect to compliance questions. The privacy office does not always report into the legal department in all companies.

The most common defense against class actions for data breach has itself been breached in a ruling last week by the West Virginia Supreme Court.

The first Monday in June is also the first Monday of meteorological summer -and a welcome sight after a brutally-long winter for many of our readers.  So, here's to a happy Summer!

On December 20, 2000, in his statement regarding the signing of the National Moment of Remembrance Act, President Clinton said: “While these heroes should be honored every day for their profound contribution to securing our Nation's freedom, they and their families should be especially honored on Memorial Day.

 (LONDON) Google – along with the rest of us – is still considering the implications of the European Court of Justice’s May 13, 2014 decision that Google must remove links to a newspaper article containing properly published information about a Spanish individual on the basis that the information is no longer relevant or accurate. 

In the largest Health Insurance Portability and Accountability Act (HIPAA) settlement to date, two New York hospitals have agreed to pay $4.8 million to settle allegations that they failed to secure thousands of patients’ electronic protected health information (ePHI) held on their shared network.

The United States Senate Permanent Subcommittee on Investigations recently released a report outlining six findings concerning online advertising risks to consumers’ personal information and four recommendations on how to protect consumers from these hidden hazards.

Mergers are never simple, but the acquisition of consumer products and technology requires the purchasing entity to consider a number of questions and issues beyond the standard concerns related to executive pay, corporate valuations and per share prices. 

As a country we are quickly approaching a time in which most adults will be disqualified from being elected to public office because of something they posted on their social media account while growing up.

Another busy week in the privacy/security world.  We have some bits and bytes to start your week:
Verizon 2014 Data Breach Investigation Report - Something Old, Something New

As we previously noted, recent SEC actions on the topic of cybersecurity indicates increased SEC focus and likely heralds the coming of enforcement actions against public companies for cyber breaches. On the front end, companies can mitigate their risk by ensuring their cyber preparedness in the event of an attack, which, increasingly,  appear to be all but inevitable.

One of the biggest gaps in coverage in D&O coverage today is the lack of meaningful coverage for investigations.  Although at first glance the policy language may look like it provides sufficient coverage, the reality is that the way most policies are written, it is almost impossible to trigger coverage in an SEC or Department of Justice investigation simply because the policy language does not match up to the reality of how those investigations are conducted.