Today, the Information Commissioner’s Office (“ICO”), the UK data protection authority, released for public comment its draft “Regulatory Action Policy,” a document in which the ICO seeks to set forth its objectives in taking regulatory action, present its new investigatory and enforcement powers, and explain how it aims to use them. The comment period will close on June 28, 2018.

With three weeks remaining until the General Data Protection Regulation (the “GDPR”) (Regulation (EU) 2016/679) takes effect, this draft document provides organizations with much needed insight into how the ICO plans to proceed in the age of new data protection compliance realities. In addition to the GDPR, the ICO will be enforcing the upcoming update to the UK’s national data protection law, the UK Data Protection Act 2018 (the “DPA”), which is still working its way through Parliament but should be in place by May 25, 2018, as well as other established data protection legislation.

The “Regulatory Action Policy” explains that the ICO will have the power to issue “urgent” information notices that will require a response within 24 hours, take notice recipients who fail to comply to court on contempt charges, inspect and assess compliance without notice, administer fines by way of penalty notices, and prosecute criminal offences in court. The ICO’s powers to prosecute failures to provide information and its ability to go to court to request a warrant to search premises will come from the DPA, not the GDPR.

The DPA also will permit the ICO to issue “assessment notices” to data controllers and processors to allow the ICO to investigate whether the controller or processor is compliant with data protection legislation. The notice may require the organization to give the ICO access to premises and specified documentation and equipment. An “urgent” assessment notice may require access to non-domestic premises on less than 7 days’ notice, which in effect will allow the ICO to carry out a no-notice inspection. An organization that receives an “urgent” information notice, assessment notice, or enforcement notice may petition the court to overturn the urgency of that notice. Under the DPA, destruction or falsification of information the ICO is pursuing in its notice constitutes a criminal offence. However, similar to U.S. evidence spoliation principles, it appears that loss of information through the routine operation of automated processes may be a defense to criminal charges.

By now, most litigators should know that they have an affirmative duty to advise their clients about the duty to preserve potentially relevant documents.  Despite this, the United States District Court for the Southern District of New York recently denied an attorney defendant’s motion for summary judgment in part because the record was not clear as to whether the attorney defendant fulfilled its obligations with respect to the duty to preserve.

Industrial Quick Search, Inc., Michael Meiresonne, and Meiresonne & Associates (collectively “Plaintiffs”) sued their law firm Miller, Rosado & Alogis, LLP (“Defendants”) for malpractice. Neil Miller and Chris Rosado, named partners of the firm, were also individually named as Defendants. Defendants represented Plaintiffs in an underlying copyright infringement lawsuit in which default judgment was entered against Plaintiffs for misappropriating confidential information, plagiarizing copyrighted material, and deliberately destroying potentially relevant documents.

Eleven years into the court order requiring the NSA to preserve backup tapes containing data about its surveillance efforts, it has come to light that the NSA failed to take adequate steps to ensure the data was not deleted. Tapes containing data from 2001 through 2007 were deleted in 2009, 2011, and 2016, showing a systemic problem with proper data preservation. For an agency that arguably “saves everything,” this news is rather comical. The NSA’s deputy director of capabilities apologized for the failure in an October declaration, while another NSA official claimed the tapes were deleted during “housecleaning efforts aimed at making space for incoming information.” Oddly enough, there was no explanation as to why live incoming information would have been put on backup tapes, adding to the mystery of the real cause of the tape destruction. Thus far, there have been no discussions of sanctions and no requests that U.S. District Court Judge Jeffrey White impose them, at least yet. The NSA is not in a great position, however, since in May 2014 an NSA official assured the court that the data on the tapes was safe. The NSA now claims it is using “extraordinary” effort to try to recover the lost data. However, anyone familiar with how tape rotation works should understand that it is quite likely the tapes were overwritten with new data, effectively making the old data permanently unreadable. The facts seem to point to a clear case of spoliation, and this time it is by one of the U.S. Government agencies that possessed data storage capabilities unsurpassed by any in the world.

Seyfarth Shaw Offers Data Privacy & Protection in the EU-U.S. Desktop Guide and On-Demand Webinar Series

On May 25, 2018, the EU General Data Protection Regulation (“GDPR”) will impose significant new obligations on all U.S. companies that handle personal data of any EU individual. U.S. companies can be fined up to €20 million or 4% of their global annual revenue for the most egregious violations. What does the future passage of GDPR mean for your business?

Seyfarth’s eDiscovery and Information Governance (eDIG) and Global Privacy and Security (GPS) practitioners are pleased to announce the release of Data Privacy & Protection in the EU-U.S.: What Companies Need to Know Now, which describes GDPR’s unique legal structure and remedies, and includes tips and strategies in light of the future passage of the GDPR.

GDPR Webinar Series

From August through October 2017, Seyfarth Shaw’s attorneys provided high-level discussions on risk assessment tools and remediation strategies to help companies prepare for and reduce the cost of EU GDPR compliance. Each segment is one hour long and can be accessed on-demand at Seyfarth’s Carpe Datum Law Blog and The Global Privacy Watch Blog.

For updates and insight on the GDPR, we invite you to subscribe to Seyfarth’s Carpe Datum Law Blog and to Seyfarth’s The Global Privacy Watch Blog.

A trial court opinion involving allegations of spoliation of text messages on a mobile phone in the Southern District of New York has gotten attention because of its application of legal preservation standards. Ronnie Van Zant, Inc. v. Pyle (2017 BL 3018, S.D.N.Y. 17 Civ. 3360 (RWS), 8/23/17) is an interesting read, not just because it involves odd characters, intrigue and drama surrounding one of the greatest Southern Rock bands of all time. It also includes some instructive information about the application of the “practical ability” test for preservation, and the uphill battle for witnesses who lose credibility in testimony about what they did and did not do in a preservation effort.

Not long after the tragic plane crash that resulted in the deaths of Lynyrd Skynyrd lead singer Ronnie Van Zant and his co-founding band member Steven Gaines, Artimus Pyle, the former drummer, entered into an agreement with the surviving heirs and other members of the band. The agreement involved promises never to perform as “Lynyrd Skynyrd,” or generally to profit from the name of the band or the tragic deaths of Van Zant or Gaines, without approval of the original parties to the agreement. Their dramatically named “blood oath” agreement was more concretely memorialized in a Consent Order in 1988, following other litigation, which Pyle signed.

Over 20 years after the 1988 Consent Order, the drama that spawned the litigation began in a story that sounds like it came from a Netflix mini-series. A film director named Jared Cohn, who worked under contract for an independent record label turned movie producer, Cleopatra Records, Inc. (“Cleopatra”), reached out to Pyle about making a movie centered around the band and Pyle’s life in it. Cohn was hired by the founder and co-owner of Cleopatra Records, Brian Perera, who is another interesting character in his own right. Pyle met and consulted with Perera on multiple occasions about ideas for a film generally depicting his life and the plane crash, which Pyle survived. In their first conversations, Pyle did not mention the 1988 Consent Order, but the Order eventually was delivered to Cleopatra. The copy of the Order was also eventually followed by a “cease and desist” letter and other correspondence from the Plaintiffs’ counsel. All the while, Cleopatra’s movie production work continued.

Seyfarth eDiscovery Partner Richard Lutkus, along with William Lederer from Relativity and Patrick Zeller of Gilead Sciences, Inc., will host a panel discussion titled “Brave New Words: Cloud Data Collection, Processing, and Hosting” at this year’s RelativityFest on October 24, 2017.

This session will provide attendees with information about new data collection methods with tools like Heureka and Harvester, along with considerations for working with RelativityOne, data privacy, and security. Additionally, best practices surrounding the General Data Protection Regulation (GDPR), international data transfer with EU entities, secure management of hosting (wiping cloud data), and SSD wiping technologies will be discussed.

RelativityFest is an annual conference designed to educate and connect the e-discovery community. The three-day festival in Chicago will feature panel discussions, hands-on labs, and breakout sessions to discuss best practices. For more information, or to register to attend, please visit https://relativityfest.com/.

Seyfarth eDiscovery attorneys Jason Priebe and Natalya Northrip will present “A Practical Roadmap for EU Data Protection and Cross-Border Discovery” at this year’s RelativityFest on October 24, 2017.

This presentation will provide attendees with practical tips for leveraging the new Sedona International Principles to help in your compliance with stringent GDPR requirements, and in seeking immediate help under the EU-U.S. Privacy Shield.

RelativityFest is an annual conference designed to educate and connect the eDiscovery community. The three-day festival will feature panel discussions, hands-on labs, and breakout sessions to discuss best practices for eDiscovery, Information Governance, and Data Privacy. For more information, or to register to attend, please visit https://relativityfest.com/.

When you bring to mind someone “hacking” a computer, one of the images that likely comes up is a screen of complex code designed to crack through your security technology. While there is a technological element to every security incident, the issue usually starts with a simple mistake made by one person. Hackers understand that it is far easier to trick a person into providing a password, executing malicious software, or entering information into a fake website than to crack an encrypted network — and hackers prey on the fact that you think “nobody is targeting me.”

Below are some guidelines to help keep you and your technology safe on the network.

General Best Practices

Let’s start with some general guidelines on things you should never do with regard to your computer or your online accounts.

First, never share your personal information with any individual or website unless you are certain you know with whom you are dealing. Hackers often will call their target (you) pretending to be a service desk technician or someone you would trust. The hacker then asks you to provide personal information such as passwords, login IDs, computer names, etc., all of which can be used to compromise your accounts. The best thing to do in this case, unless you are expecting someone from your IT department to call you, is to politely end the conversation and call the service desk back on a number provided to you by your company. Note that this type of attack also applies to websites. Technology exists for hackers to quickly set up “spoofed” websites, or websites designed to look and act the same as legitimate sites with which you are familiar. In effect this is the same approach as pretending to be a legitimate IT employee; however, here the hacker entices you to enter information (username and password) into a bogus site in an attempt to steal the information. Be wary of links to sites that are sent to you through untrusted sources or email. If you encounter a site that doesn’t quite look right or isn’t responding the way you expect it to, don’t use the site. Try to access the site through a familiar link.

Second, whether or not you have a Bring-Your-Own-Device (“BYOD”) program at work, chances are you will at some point be using a mobile device to conduct business. Don’t assume that your mobile phone is invulnerable to being compromised. (Every networked device — Apple, Microsoft, Android, Linux, etc. — can be compromised.) Mobile hacking is one of the fastest growing areas for exploiting individuals and companies. This is largely because people do not typically have security programs — such as anti-virus software — on their mobile devices. Additionally, people often connect their mobile devices to public networks, like those available at coffee shops, hotels, etc. — these networks are not secure. Your best defense against having your mobile device hacked is to install a decent security app and be sure to turn off the Wi-Fi, Bluetooth, and Hotspot settings when they are not in use. Also, try to install apps only from companies you recognize. Further, mobile banking and purchasing apps make life easy, but if you don’t have security software — or if you are conducting a larger transaction — you may want to do it on your computer.

Next, if your computer’s security software pops up a security warning, pay attention to it. Oftentimes we are in a hurry and tend to click through these types of warnings, but that is a mistake. The warning is there for a purpose, whether it is a flag indicating that a website is potentially dangerous or a notice that your computer has detected malware. When you see a warning it is best to stop what you are doing, close down any open websites, and call your help desk. You may also want to scan the computer with your security software. However, be careful of “security warnings” that pop up from websites. If the warning does not look like the warnings you are used to, and does not indicate the name of your security software, it may be a malicious attempt to compromise your computer.

Finally, don’t plug USB drives into your computer unless you know where they come from and where they have been. Rogue USB drives are a method by which hackers get malicious programs onto your computer. The drive may contain an enticing file that, when clicked, loads a virus onto your computer, or in some cases the drive may load the malware simply by being plugged into your USB port. So, if you find a USB drive lying around, it is best to turn it in to IT or throw it away.

Is your organization ready for the new EU General Data Protection Regulation?

Our experienced eDiscovery and Information Governance (eDIG) and Global Privacy and Security (GPS) practitioners will present four 1-hour webinars from August through October 2017. The presenters will provide a high-level discussion on risk assessment tools and remediation strategies to help companies prepare for and reduce the cost of EU GDPR compliance.

What Are the Specific GDPR Provisions Effective May 25, 2018 and What Organizations Need to Prepare Now for Compliance
Webinar
September 20, 2017
12:00 p.m. – 1:00 p.m. Central Time
Presenters
Jason Priebe, Partner, Seyfarth Shaw LLP
Natalya Northrip, Counsel, Seyfarth Shaw LLP
Scott Carlson, Partner, Seyfarth Shaw LLP

What GDPR Requirements Will Be Associated With the Most Significant Sanctions?
Webinar
October 5, 2017
12:00 p.m. – 1:00 p.m. Central Time
Presenters
John P. Tomaszewski, Senior Counsel, Seyfarth Shaw LLP
Jason Priebe, Partner, Seyfarth Shaw LLP
M. James Daley, Senior Counsel, Seyfarth Shaw LLP

Is Your Organization Preparing for May 25, 2018 GDPR compliance?
Webinar
October 19, 2017
12:00 p.m. – 1:00 p.m. Central Time
Presenters
M. James Daley, Senior Counsel, Seyfarth Shaw LLP
Kathleen McConnell, Senior Counsel, Seyfarth Shaw LLP
John P. Tomaszewski, Senior Counsel, Seyfarth Shaw LLP

The use of open file sharing platforms in business continues to increase in 2017; Dropbox alone has over 200,000 active business accounts. Unfortunately, the convenience of these platforms and the increase in use by businesses attracts the attention of hackers as well. File sharing platforms and accounts have a high “hack value” — the overall value of the accounts on the dark web — due to the relative ease with which accounts can be obtained and the sensitivity of the information stored on these platforms. The risk associated with the use of file share platforms is twofold. First, a company-supported file share is attractive to attackers because it is guaranteed to contain sensitive information. Second, file share platforms available to employees outside of the company — e.g. an employee’s personal Google Drive account — may be used to store company information, but likely do not use the same security standards as those enforced by the company. Attacks on file share platforms are also very real. In August of 2016 Dropbox forced users to reset their passwords based on a breach — 60 million account credentials compromised — that had only recently been discovered but was executed four years earlier, in 2012.

Thus, it is important that businesses educate their employees on the risks of sharing information on these platforms and apply strict administrative and technical safeguards to mitigate the risk of attack.

Common File Share Attack Approach

The most common approach attackers use to compromise file share platforms is phishing. Phishing is a technique by which the attacker sends out a legitimate-looking (albeit fake) email which entices the employee to click on a link and provide information — such as login credentials — which goes directly to the attacker. Alternatively, the phishing attack may convince the employee to download an infected file to the same end. Once the attacker has compromised the file share, he or she can steal information directly, escalate privileges to access more information, obtain additional account credentials, or sell the information on the dark web. Access to the file share can also be used to perform a Denial of Service (“DoS”) attack by downloading or uploading large volumes of data, thus congesting the network and preventing legitimate use.

Despite Google’s perceived safety, two major phishing attacks have been reported on Google accounts in the last two years. In late 2016, over a million Google accounts were compromised by a malware attack known as Gooligan, designed to steal credentials allowing access to the victim’s Google services. Gooligan infected an estimated 13,000 devices per day during its lifecycle. Again in early 2017, Google accounts were targeted with a message requesting the user to download a file. When the user selected the link to download the file, a fake service that looked like a legitimate Google service would request access to the user’s Gmail account.

Mitigating Risk

Businesses can mitigate the risk of file share attacks by implementing strict policies and sanctions regarding their use. For example, all non-business file share sites can be blocked on the company’s network. Strict policies and monitoring should be in place for gaining access to file share sites, and employee accounts with such access should be closely monitored. Businesses should also implement test “phishing campaigns” — sending out company-controlled phishing emails — to educate employees on what these emails look like and how to avoid them. Phishing tests also help businesses understand their risks by monitoring the number of employees who click on the bogus links. While businesses have less control over employees loading data onto personal file share accounts, strict sanctions should be in place regarding this activity and employees should be aware of these sanctions.