One of the key decisions that needs to be made in the aftermath of a successful ransomware attack is whether or not the victim organization can or should pay the ransom. Of course, there are many considerations that go into such a decision – for example, whether the payment is legally permissible, the ease of system restoration absent paying the ransom, the harm that might result to the company or its consumers if systems cannot be timely restored, or whether there are reputational risks or ethical concerns, amongst many other considerations. Continue Reading
SolarWinds: A Lesson on How Companies Victimized by Data Breaches Can Quickly Become the Target of Litigation and Regulatory Investigations
In 2020, SolarWinds Corp., a company that provided information technology software to private and government entities, was the victim of a cybersecurity breach. Russian hackers are believed to have slipped malicious code into a SolarWinds software product called Orion, which was then used to infect, and in certain cases, compromise, SolarWinds customers. As a consequence, SolarWinds found itself the target of litigation, including a derivative suit before the Delaware Court of Chancery in Construction Industry Laborers Pension Fund v. Bingle. Continue Reading
Amazon’s Recent Acquisitions Highlight the Value of Consumer Data (and the Evolving Privacy Issues)
Roughly two weeks apart, on July 21, 2022 and August 5, 2022, respectively, Amazon made headlines for agreeing to acquire One Medical, “a human-centered and technology-powered primary care organization,” for approximately $3.9 billion and iRobot, a global consumer robot company, known for its creation of the Roomba vacuum, for approximately $1.7 billion. These proposed acquisitions have drawn the scrutiny of the Federal Trade Commission (FTC), which following President Biden’s 2021 Executive Order on antitrust and competition, has taken a more aggressive stance toward acquisitions by large technology companies in an effort to, in FTC Chair Lina Khan’s words, “prevent incumbents from unlawfully capturing control over emerging markets.” Continue Reading
EU-U.S. and UK-U.S. Data Transfer Deals Advance with White House Executive Order
A new legal mechanism to allow for transfers of personal data between the EU and the U.S. is now advancing after an October 7th, 2022 Executive Order was issued by U.S. President Biden (the “Executive Order”). The new mechanism is referred to as the EU-U.S. Data Privacy Framework (the “Framework”) and is intended to replace the now-defunct EU-U.S. Privacy Shield mechanism. Specifically, the Executive Order provides data protections that enables the potential creation of the Framework, which first debuted in a joint press conference in March 2022. Similar progress has also been made on an equivalent data transfer arrangement between the UK and U.S. governments. If realized and implemented, the Framework has the potential to lower legal barriers for personal data transfers between the EU and the UK, and the U.S. Continue Reading
Held to Ransom: How Cyberattacks Can Become a Legal and Regulatory Odyssey for a Private Investment Fund
Where business-critical information or platforms are at stake, many commercial parties will seriously consider immediately paying the ransom hoping to regain control of operations, secure client data and avoid continued business disruption and negative publicity. However, businesses may wish to pause. Cyberattacks, by their very nature, know no borders and nor therefore should a private fund’s response.
In the first of this two-part series for Cybersecurity Law Report, Proskauer outlines immediate incident response steps and analyses whether to pay a ransom, from U.S., U.K. and E.U. perspectives.
Happy “Labor …” More Privacy Rights for Employees: California Legislature Closes Session Without Extending Employee and B2B Data Exemptions Under the CCPA
As summer nears its end, uncertainty and complexity lie ahead for many companies as they evaluate how to operationalize compliance with the California Privacy Rights Act (CPRA), existing California employment laws and potentially the passage of a federal privacy law, the American Data Protection and Privacy Act, H.R. 8152 (ADPPA), that may preempt some but not all rights under the CCPA and the CPRA. To increase the headache for companies doing business in California, two business friendly exemptions are set to expire at the end of the year.
On August 31, 2022, the final day of the 2022 California legislative session, the legislature failed to extend exemptions that would have excluded certain employee and human resource (HR) related personal information collected within the business context from the scope of the California Consumer Privacy Act (CCPA) when the CRPA amendments to the CCPA go into effect on January 1, 2023. It should also be noted that similar CCPA exemptions for personal information collected in the course of certain business-to-business (B2B) transactions or communications were not extended. Thus, on January 1, 2023, the current CCPA exemptions for HR and B2B information will sunset and the CPRA will go into effect without such exemptions that businesses have relied upon for the last several years, making California the first state to have a comprehensive data privacy law covering HR data. In short, beginning next year, employers will have to honor the host of data privacy rights under the CCPA not only for consumer data, but also for HR data concerning employees, job applicants and independent contractors (unless another exception within the CCPA applies).
Message Sent! California Attorney General Announces $1.2 Million CCPA Settlement with Retailer and Its Focus on the Sale of Customer Information
On August 24, 2022, California Attorney General (AG) Rob Bonta announced a settlement with beauty products retailer, Sephora USA, Inc. (“Sephora”), resolving claims that Sephora violated the California Consumer Privacy Act (CCPA) for, among other things, failing to disclose to consumers that it was selling their personal information (including precise location data) and failing to honor opt-out requests via global privacy controls (GPC) broadcasted from users’ web browsers. The proposed settlement has been submitted to a California state court for approval. Continue Reading
