Just when we thought we had an remote understanding on how the California Consumer Privacy Act (“CCPA”) would work from an enforcement and penalty perspective, Senate Bill 561 was introduced on February 22. The bill has the full support of Attorney General Xavier Becerra and appears to be heading for a vote; the odds are favoring passage.

It is not surprising that the Attorney General supports the proposed changes because they remove some of the biggest headaches for enforcement and administration. These include elimination of the Attorney General’s obligation to provide guidance to businesses, upon request, about how to comply with the CCPA, and removal of a 30-day cure period before enforcement actions can begin.

In addition to relieving the Attorney General’s administration and enforcement constraints, SB 561 contains a more drastic and significant change. By the removal of one short sentence, SB 561 expands the individual cause of action for statutory damages beyond narrowly defined data breach situations (unauthorized access and exfiltration, theft, or disclosure of their non-encrypted or non-redacted personal information) and throws open the doors. Under the proposed version, any consumer with a claim that his or her CCPA rights are violated (presumably in any manner) may bring a civil suit and claim statutory damages of up to $750 per incident. This change, combined with the ability for claims to be pursued on class-wide basis, could be a potential bonanza for plaintiffs’ attorneys.

The proposed revision keeps the 30-day cure period for individual claims, although the grace period is removed for the Attorney General’s enforcement actions.  This is some small relief for individual claims, although it is still difficult to imagine how a business could “cure” a data breach or other incident violation, such as a failure to respond to a consumer request in the proscribed period of time. It is conceivable that the 30 day cure could provide some defense against de minimis technical violations, like the failure to provide appropriate notification language, disclosures, or contact information for consumers. Arguably, even the failure to provide an adequate response to a cure notice (“an express written statement that the violations have been cured and that no further violations shall occur…”) could itself raise a claim for statutory damages.

From a business and commercial compliance standpoint, it is starting to appear that the stakes will be even higher on January 1, 2020.

Every day all over the world, companies fall victim to cybersecurity attacks.  It’s nearly a constant these days.  Many of these attacks are preventable with the right amount of attention to detail in system setup and hardening.  The three common themes in postmortem examination of all of these attacks boil down to 1) human error; 2) configuration error; 3) failing to proactively defend.  In this series of six posts, we will dive into each attack’s anatomy, the attack vector, and the ways companies can attempt to avoid being victim to them.  In the last post, guest bloggers from G2 Insurance will walk through how insurance companies react to claims, what to watch out for in your policies, and appropriate coverage levels for cyber insurance based on their experience handling claims.

#1  Email Spoofing and Wire Fraud

This attack is essentially a wire instruction interception/redirection or wholly fake request for a transfer.  This is an event that comes up daily or at least weekly in any cybersecurity professional’s world.  This attack typically plays out with a threat actor masquerading as a legitimate authority within a company, typically someone in the C-suite or Director level.  To make it successful, the recipient of the wire transfer request has to believe it’s legitimately originating from one of those authoritative people.

One way attackers do this is using actual stolen credentials.  Despite the flood of data security breaches and database hacks, people unfortunately still use weak passwords and also re-use passwords.  We have seen dozens of instances of successful credential attacks where the attacker used publicly available database leak information to gain unauthorized access to corporate accounts.  The approach goes like this: an attacker harvests information regarding corporate leadership from various data sources about companies (LinkedIn, Dunn & Bradstreet, Bloomberg, Google Finance) and chooses a few people to target.  They then cross-reference those names to leaked credential databases, often times hosted on Darkweb sites, IRC chat rooms, or other forums dedicated to hacking.  If the attacker is able to find other accounts belonging to their targets that have been compromised and have a password, they can try that password, and tens of thousands of variations of it, to attack the corporate account of their victim.

Continue Reading Top Five Most Common Cybersecurity Attacks and How to Prevent Them – Part 1: Email Spoofing and Wire Fraud

California, home to more than 40 million people and the 5th largest economy in the world, has passed the California Consumer Privacy Act (CCPA), its omnibus consumer privacy law. The law creates sweeping new requirements concerning the collection, maintenance, and tracking of information for both employees or customers who are residents of California. Many aspects of the implementation and enforcement are still being finalized by the California Attorney General. However, companies with employees or customers in California need to take stock of the information they are processing that could qualify as “personal information” for California residents, and they need to begin establishing mechanisms for compliance before the end of 2019. Continue Reading The California Consumer Privacy Act of 2018: What Businesses Need to Know Now

This weekend, Google was fined 50 million euros (over $55 million) by France’s Data Privacy Authority,  CNIL, for breaching Europe’s (fairly) new General Data Protection Regulation.

GDPR lays the framework for the legal processing of personal data, requiring that companies  have a lawful basis for processing a user’s personal information.  This lawful basis can result from the user’s genuine consent prior to collecting personal information; processing necessary for the performance of a contract, compliance with a legal obligation, to protect the vital interests of a data subject or natural person, for the performance of a task in the public’s interest, or for the purpose of the legitimate interests of a controller or third party.

The GDPR went into effect on May 25, 2018.  Shortly after its enactment, two privacy rights groups, noyb (Max Schrems’ brainchild) and La Quadrature du Net (LQDN) filed complaints against Google with the CNIL. The noyb complaint was filed on May 25, the same day the Regulation took effect.  Continue Reading Google First “Tech Giant” to be Fined for Violating GDPR

On January 4, 2019, the California Court of Appeal, First Appellate District issued an opinion reminding us that under California law, tax returns are privileged and improper disclosure of them can even potentially rise to tortious invasion of privacy claims in overturning a demurrer as to that claim. Strawn v. Morris, Polich & Purdy, LLP, No. A150562, 2019 Cal. App. LEXIS 9 (Ct. App. Jan. 4, 2019).

Federal and state tax returns have been held to be privileged from disclosure under California law. Id at *13; Wilson v. Superior Court, 63 Cal. App. 3rd 825, 828 (1976); Webb v. Standard Oil Co., 49 Cal. 2nd 509, 512-513 (1957).  As highlighted by the opinion, the purpose of the privilege “is to encourage voluntary filing of tax returns and truthful reporting of income, and thus to facilitate tax collection.” Strawn at *13; Weingarten v. Superior Court, 102 Cal. App. 4th 268, 274 (2002); Webb at 513.  Continue Reading The Privileged Nature of Tax Returns in California

Prevention, Crisis Management, and Mitigating Personal Liability

Thursday, January 31, 2019
8:00 a.m. – 8:30 a.m. Breakfast & Registration
8:30 a.m. – 10:30 a.m. Program

Seyfarth Shaw LLP New York Office
The New York Times Building
620 Eighth Avenue
New York, NY 10018

Seyfarth Attorneys:

Kevin Lesinski
Richard Lutkus
Gregory Markel
William Prickett

There is no cost to attend but registration is required and seating is limited.

This program will provide Boards, C-Suites and General Counsels with best practice strategies for avoiding unauthorized breaches of electronic data; managing them if they occur; and addressing personal liability risks for Boards and executives. The Distinguished Speakers are experienced cyber security experts from Seyfarth Shaw, KPMG, law enforcement, and current directors.

Best Practices for Avoiding and Managing Threats

Cybersecurity experts and industry professionals will share their views on these questions:

  • What are your top lessons learned from investigating cyber breach incidents?
  • What are the most important considerations when developing an overall incident response plan?

Potential Liability Risk for the Board 

Securities litigators will emphasize the importance of having a clear plan and robust escalation processes to respond quickly and effectively when an incident occurs. Critical issues to be discussed include:

  • Fiduciary duties and director liability
  • Cyber risk landscape and regulatory environment
  • Role of information governance in minimizing damages from cyberattacks
  • Cyber risk assessment and implementation of defensive technology
  • Insurance coverage and other risk mitigation strategies

Two hours of New York CLE credits are approved.

If you have any questions, please contact Morgan Coury at mcoury@seyfarth.com and reference this event.

Seyfarth Shaw Partner Jason Priebe was recently interviewed by C4CM regarding his tips for records retention.  This thoughtful discussion covered not only record retention policies, but information governance, risk, and potential costs resulting from the increasing volume of data produced during litigation.  Jason also provided practical steps to formulate a record retention policy when one is not in place.  To learn more, read the full interview here.

November 16, 2018 – President Donald Trump signed the Cybersecurity and Infrastructure Security Agency Act of 2018, which establishes the Cybersecurity and Infrastructure Security Agency (“CISA”) at the Department of Homeland Security (DHS).  The law reorganizes DHS’ National Protection and Programs Directorate (NPPD) into an agency that will focus on cybersecurity threats.

With its promotion to the rank of federal agency, CISA is now on the same level as the Federal Emergency Management Agency (FEMA) and the Secret Service, but still under the DHS’ oversight. The new agency is expected to improve the cybersecurity defenses across other US federal agencies, coordinate cybersecurity programs with states, and bolster the government’s overall cybersecurity protections.

It was also announced that Christopher C. Krebs would serve as CISA’s first director.  Mr. Krebs had served as the Under Secretary of the NPPD, the predecessor of CISA.  On the day President Trump signed the bill into law, Mr. Krebs tweeted that “The cybersecurity threat is constantly evolving and this reorganization positions us [CISA] to better defend America’s infrastructure from digital and physical threats.”  Mr. Krebs added that the new agency would be better able to “accomplish its cybersecurity mission by making it easier to recruit cybersecurity professionals.”

CISA unveiled its new logo on November 28, 2018.  With the rise of cybersecurity threats across the country, it is likely that the logo will become a familiar face to many Americans in the coming years.

Seyfarth Synopsis: Please join us at our Chicago Willis Tower office on Thursday, December 6th, for breakfast along with a Seyfarth Legal Forum and Continuing Legal Education (CLE): 2018 Highlights and a Look Ahead to 2019.

About the Program

Providing our clients with a multidisciplinary overview of Legal Hot Button issues and Best Practice.  Featuring:

  • Biometric Information Privacy Act: What a long, strange year it’s been (and there’s more on the way!)
  • Legalize it: will Illinois go from medical to recreational marijuana and what would that mean to the real estate industry?
  • Affordable Care Act Update & Enforcement Activities, 401(k) Student Loan Repayment Arrangements, Socially Responsible Investments, and HIPAA Privacy & Security Audits
  • Mergers and Acquisitions: Current State of the Market and Post-Merger Integration Strategies
  • The “Cloud”…is in a building?: Data Centers are the newest, and maybe most important, type of real estate
  • Latest Developments in Pregnancy Accommodation (Illinois’ New Lactation Law and Nationwide Trends)
  • Litigation Hot Topics for 2019, including: Developments in trade secret and non-compete law; New laws affecting threshold issues such as forum selection and choice of law; Frontloaded discovery in federal court: Mandatory Initial Discovery Pilot Programs; Best practices for protecting the attorney-client privilege for in-house counsel
  • Welcome to the Future: It arrived yesterday – The intersection of Technology and Legal Services
  • Bots, bits and bytes… Artificial Intelligence and its leading role in recent legal projects

The program will feature a panel of Seyfarth Chicago subject matter experts — with an eye toward preparing for the developments in the coming year. Our overview will be targeted at highlighting issues for the General Counsel, Chief Information Officer, Chief Human Resource Officer, and other members of their teams.

The program will consist of an engaging ninety minute presentation with speakers from each of Seyfarth Chicago’s practice groups: Benefits, Corporate, Labor & Employment, Litigation, and Real Estate, as well as an exciting presentation on the use of technology in law. Then, we will offer 30 minute break-out sessions on hot topics warranting a deeper dive that companies are facing when looking at their legal compliance needs. The break-out sessions will address Privacy/Data Security, Managing in the #metoo Environment, and Blockchain/Cryptocurrency in business.

The program is on Thursday, December 6, 2018, at 8:00 a.m. – 8:30 a.m., for breakfast and registration, 8:30 a.m. – 10:00 a.m., for the panel presentations, and 10:00 a.m. – 10:30 a.m., for the breakout sessions.  Our offices are at 233 S. Wacker Drive, Suite 8000, in Chicago, IL.

While there is no cost to attend, registration is required and space is limited.  If you have any questions, please contact Fiona Carlon at fcarlon@seyfarth.com and reference this event.

Also, for those that need the credits, note that Seyfarth Shaw LLP is an approved provider of Illinois CLE credit. This seminar is approved for 1.5 hours of CLE credit CA, IL, NY, NJ and TX. CLE Credit is pending for GA and VA. HR professionals: please note that the HR Certification Institute accepts CLE credit toward recertification.

The European Data Protection Board (EDPB) recently issued a report after their November 16, 2018 plenary session.  The statement covered a range of topics being discussed by the Board, but no substantive publications.  The EDPB is charged with ensuring that GDPR is applied consistently across the EU and that there is consistent enforcement by DPAs across the Union.  The Board is also tasked with issuing guidelines on the interpretation the GDPR (formerly the charge of the Article 29 Working Party), and making binding decisions about cross-border disputes.  The Board is made up of the head DPA or representatives from each member country.

An EU-Japan adequacy finding appears to be extremely close, and the Board announced they are at work on guidelines about the intersection between Clinical Trials Regulation and the GDPR for medical device and pharmaceutical companies.  There have now been four “plenary meetings” of the EDPB.  Some may consider no action on the part of the Board a good thing, but there are some significant concepts which eventually need clarification, including a formal process and procedure on appeals of DPA enforcement and fines, and modernization of the outdated Model Contractual Clauses, among other things.  The essential message from the EDPB continues to be “stay tuned,” and seems likely that no real substantive publications will come through until early 2019.

The complete press release from the EDPB can be found here.