At the end of 2019, the Second Circuit finally weighed in on an issue that has divided federal courts considering applications for discovery pursuant to 28 U.S.C. § 1782, through which a litigant can obtain an order from a federal court for discovery to be used in a foreign proceeding. (You can read more about Section 1782 here and here). Federal courts have split over whether Section 1782 allows a party to obtain documents controlled by an entity in the United States but that are held overseas—for example, records held in the London office of a corporation headquartered in New York.1 In a pair of recent decisions, the Court of Appeals for the Second Circuit joined the Eleventh Circuit in holding that Section 1782 does permit discovery of documents held outside the United States and that are within the control of a US individual or entity. Continue Reading Second Circuit Weighs in on the Extraterritorial Application of 28 U.S.C. § 1782

At Seyfarth, I’m not just an attorney—I’m also an ethical hacker and digital forensic expert, and I’m proud to be one of several “attorneys who code” at Seyfarth. Here, we’re passionate about technology, and we routinely seek creative ways to leverage innovations that enhance client services.

I’ve found that one area where emerging technology can make an enormous impact is in the data breach notification assessment space. Specifically, I’ve found that artificial intelligence can power the evaluation of implicated data for personal information like PII and PHI to determine notice requirements in the various implied jurisdictions. While there are many ways to accomplish that evaluation, I wanted to share my experience partnering with Text IQ, a company that builds AI for sensitive information, to power a data breach response in a blind study alongside the traditional document review and coding approach. The result was reduced risk, quicker turnaround time, and cost reduction for Seyfarth’s client. Continue Reading Powering Data Breach Response with AI: A Case Study

In a much-anticipated opinion, Judge George B. Daniels of the United States District Court for the Southern District of New York recently affirmed the decision of a magistrate judge regarding the scope of discovery in aid of a foreign litigation pursuant to 28 U.S.C. § 1782.  (You can read more about Section 1782 and the magistrate judge’s underlying decision in our prior blog post, here).  Briefly, Magistrate Judge Gabriel W. Gorenstein grappled with an issue that has divided federal courts: whether Section 1782 can be used to compel the production of documents maintained outside the United States.[1]  Magistrate Judge Gorenstein held that the fact that documents were maintained overseas did not bar the discovery sought so long as the documents were within the control of a discovery target located in the U.S.—in this case, a New York-based law firm with a branch office in Russia.  Continue Reading New Decision Regarding Discovery in Aid of Foreign Litigation

This is what it sounds like, when sanctions are granted.

In March 2019, a federal judge in Minnesota sanctioned Defendants for their failure to preserve text messages in a copyright infringement suit brought in part by the estate of the late musician commonly known as “Prince”.

Representatives for Prince’s estate brought suit against Defendants George Ian Boxill, Rogue Music Alliance (“RMA”), Deliverance LLC (“Deliverance”), David Staley, Gabriel Solomon Wilson, and other parties alleging copyright infringement.  Plaintiffs filed suit for copyright infringement after learning that Defendants Boxill and RMA created Deliverance to market and release previously unreleased recordings that Prince created during recording sessions in 2006.  Defendant Boxill worked as Prince’s sound engineer during the 2006 recording sessions. Plaintiffs allege that a confidentiality agreement with Boxill placed ownership of the recordings solely on Prince.

Before releasing the music, Defendant Staley sent an email to Sensibility Music indicating that Defendant Boxill would indemnify RMA if Plaintiffs challenged the release. Shortly thereafter, Plaintiff’s estate sent a cease and desist letter, then filed suit.

The parties agreed to certain stipulations regarding discovery of ESI including taking “reasonable steps to preserve reasonably accessible sources of ESI.” The court did not enter an order concerning the stipulation but noted that it will enforce the agreement and warned that any non-compliance will be met with all available remedies, including sanctions. The Court also issued a pretrial scheduling order for both parties to preserve “all electronic documents that bear on any claims, defenses, or the subject matter of this lawsuit.” The court issued two additional pretrial scheduling orders each containing similar language to the first regarding preservation and warnings regarding consequences for violations. Continue Reading Court Sanctions Defendant for Failure to Preserve Text Messages in Copyright Infringement Suit Brought by Prince’s Estate

For Marvel Entertainment fans, this one’s for you: Step aside Nick Fury, New York has a new SHIELD.  New York state recently passed a new law extending protections against cyber-attacks for its residents with NY Senate Bill S5575B, also known as the “Stop Hacks and Improve Electronic Data Security Act” or SHIELD Act, for short.  This Act expands New York’s data breach notification statute in definition, notice, scope, and compliance requirements of any individual or business handling New York residents’ computerized private information.

The SHIELD Act first redefines “private information” to include username or e-mail address in combination with a password or security question and answer for online accounts as well as biometric information.  It also allows for reporting a breach if an account or credit card number alone (i.e. without an account access code or password) is compromised “if circumstances exist wherein such number could be used to access an individual’s financial account without additional identifying information, security code, access code, or password.”  Slightly more nuanced, it expands the definition of “breach of security of the system” to include an unauthorized access of private information as well as an unauthorized acquisition.  Addition of “access” means the statute will be triggered without an incident having to reach “acquisition,” a term more readily applicable in scenarios impacting control, possession and use of that private information. Continue Reading Look Out Marvel, There’s a NEW SHIELD in Town

Cross-posted from The Global Privacy Watch blog.

Attorney General Becerra’s office posted the long-awaited draft CCPA regulations a little before 2:00 pm (PST) October 10th. It was a bit of a curve ball, to be perfectly honest (considering the final swath of amendments to the CCPA are not even final until Governor Newsom signs them, or on October 13th). Tellingly, the California Administrative Procedure Act requires the California Department of Finance to approve “major regulations” (and they have 30 days to do that) prior to publication. Based on this, it would seem that these regulations were drafted prior to the amendments to the CCPA going through the legislature. This does not seem like an effective way to draft regulations, but hey, no one should tell the AG he shouldn’t jump the gun! They are now out there so, one reviews anyway.

Topping out at a modest 24 pages (the CCPA itself is 19 pages), the regulations are organized into seven articles. We’re directing our comments to the issues that pop out to us initially, and as always, we’ll post further observations as things progress. Continue Reading And the Wait for CCPA Rules is Over …. Kind Of

This month, the Federal Bureau of Investigation published information and guidance for organizations about ransomware attacks, along with some suggested preventative measures.  There is a section in the bulletin discussing whether victims should consider paying ransom to attackers.  According to the statement, the FBI “does not advocate paying a ransom, in part because it does not guarantee and organization will regain access to its data,” and paying ransoms emboldens criminals to target others.

Several of the suggested “best practices” are somewhat generalized, such as increased employee awareness about how ransomware is delivered, and basic security techniques (we would recommend adding anti-phishing training and tests to the list).  However, several others are more specific.  All of the measures listed should be considered as parts of a comprehensive standard information security program.

Among the list of the FBI’s “Cyber Defense Best Practices” recommended are: Continue Reading FBI Public Service Announcement on Ransomware

In our May blog post, we took issue with the broadcast statement that ‘consumer privacy law was sweeping the country and that other states were jumping on the California Consumer Privacy Law (CCPA) bandwagon to enact their own state law.’ The problem as we saw it, was that the truth behind these sensationalistic statements was a bit more nuanced than people were led to believe. Most states, we found, that introduced consumer privacy legislation simply did not follow through, either by outright killing the legislation (MS) or by taking a step back with a wait and see approach (see TX). Nevada, by contrast, did neither. Instead, its legislature enacted its own consumer privacy solution, through SB 220, or as we call it, ‘the limited privacy amendment.’ We’ve opted to discuss Nevada’s approach here primarily because of its more restrictive application online and because its October 1, 2019, operational date is a full three months before the CCPA becomes operational.

First, the limited privacy amendment is not the CCPA. Let’s make that perfectly clear. True, it was modeled on the opt-out section of the CCPA, but it isn’t a mirror copy as it amends existing law. There are three primary areas operators conducting business over the Internet need to be aware of, when evaluating compliance measures:   Continue Reading Nevada: Bucking the Wait and See Approach to Consumer Privacy Law

Those interested in keeping up with the latest news impacting the California Consumer Privacy Act have been heavily focused on AB 25, and its potential to exclude employees from the scope of the CCPA. In a marathon late-night session, the California Senate Judiciary Committee weighed in July 11 on various bills—including AB 25. An while AB 25 was part of the Committee debate, that amendment may actually make the bill less useful than first intended. Additionally, another bill made it out of committee which has the potential of a far greater impact than anyone seems to be noticing. Continue Reading CCPA Amendments: Again Employees and the Loyalty Program Change Nobody is Talking About

In just a few short months, on January 1, 2020, the California Consumer Privacy Act (CCPA) is set to go into effect, establishing new consumer privacy rights for California residents and imposing significant new duties and obligations on commercial businesses conducting business in the state of California. Consumer rights include the right to know what personal information a business is collecting, selling, and disclosing about them; the right to deletion; the right to opt-out of the sale of personal information; and the right not to be discriminated against (written as a business duty). These rights are intended to provide consumers with a level of control of their personal information and to establish transparency on the part of the businesses to comply with consumers’ exercise of their privacy rights. In addition, businesses are required to provide employee training; website notice of consumer rights and categories of personal information collected, sold, and disclosed; and to implement and maintain adequate security measures. The penalties of non-compliance can be severe, with avenues for both regulatory enforcement and private cause of action. Learn what the attorney general’s forthcoming regulations likely have in store for businesses and what your organization should be doing now to proactively prepare for the CCPA to ensure compliance.

Jason Priebe, John Tomaszewski, and Edward “Ted” Murphree, three of our experienced eDiscovery and Information Governance (eDIG) and Global Privacy and Security (GPS) practitioners, will present a series of three 1-hour CLE webinars. The presenters will provide high-level discussion on strategies for CCPA compliance.

CCPA Webinar Series Part 1: An Overview and What You Need to Know (Until It Changes)

Tuesday, July 9, 2019
1:00 p.m. to 2:00 p.m. Eastern
12:00 p.m. to 1:00 p.m. Central
11:00 a.m. to 12:00 p.m. Mountain
10:00 a.m. to 11:00 a.m. Pacific

CCPA Webinar Series Part 2: Business Obligations and Responsibilities (So Far As We Know Them–They Will Change)

Wednesday, July 17, 2019
1:00 p.m. to 2:00 p.m. Eastern
12:00 p.m. to 1:00 p.m. Central
11:00 a.m. to 12:00 p.m. Mountain
10:00 a.m. to 11:00 a.m. Pacific

CCPA Webinar Series Part 3: Enforcement and Compliance (Or What We Think Will Happen)

Thursday, August 1, 2019
1:00 p.m. to 2:00 p.m. Eastern
12:00 p.m. to 1:00 p.m. Central
11:00 a.m. to 12:00 p.m. Mountain
10:00 a.m. to 11:00 a.m. Pacific