Privacy, Cybersecurity and California Litigation Trends
Privacy, Cybersecurity and California Litigation Trends: Presentation Transcript

  • CLE Seminar for In-House Counsel, January 8, 2014, San Francisco, CA
    Privacy, Cybersecurity and California Litigation Trends
    Privacy Developments and Crisis Management: Incident Response and Beyond
    Andy Roth, Partner, New York, +1 212 768 6804, andy.roth@dentons.com
    Steven Velkei, Partner, Los Angeles, +1 213 892 5007, steven.velkei@dentons.com
  • Locations: 20 Privacy and Cybersecurity Partners and lawyers in 79 locations within 52 countries around the world.
  • Expanding Global Footprint…
    [Map: offices, associate offices, facilities, associate firms and special alliance firms across Canada, the United States, Europe, Central and Eastern Europe, Africa, the Middle East, the United Kingdom, Russia and CIS, Central Asia and Asia Pacific]
  • Intensifying Legal/Regulatory Scrutiny
    There is a complex and growing web of hundreds of detailed privacy and security requirements at the state, federal, international and self-regulatory levels. Companies could be exposed to liability from:
    • California or other State Attorneys General
    • Federal Trade Commission
    • Department of Justice
    • International Data Protection Authorities
    • Self-Regulatory Enforcement Actions
    • Consumer Class Action Litigation
    • Litigation with Business Partners
  • Recent Privacy Developments
    • New California Privacy Laws
      - CalOPPA expansion: disclosure of how your website responds to Do Not Track signals and whether third parties can track users on your site
      - Social Media Eraser: minors under 18 have the right to remove content they posted
      - Expansion of Data Breach Notification: first state to include loss of usernames and passwords in its breach notification statute
    • California has traditionally been a bellwether for state privacy legislation. Other states may follow suit with these statutes or variations of them.
  • Privacy and Security: a National Focus
    Privacy issues have become highly politicized. Recent surveys show increasing domestic and international worries about the privacy and security of personal information.
    “Surveying the Digital Future”: 2,000 households across the United States [2013]
    “Online Privacy Survey”: 10,354 people across Nine Counties [2013]
    • 52% agreed we are “in the era of Big Brother”
    • 79% concerned about privacy online
    • 57% worried about companies observing online activity, up from 48% one year earlier
    • 65% want national regulators to do more to force Google to comply with privacy regs
  • Even The Best Are Challenged Right Now
    The New York Times had its Symantec security systems breached by Chinese hackers, setting off a media and political firestorm. Symantec issued a formal public apology, saying that security based on known fraud signatures is inadequate to face the Advanced Persistent Threat of new, disguised and resilient malware.
  • Higher Risk of Regulatory Action than Private Litigation
    • Regulators in California are highly politicized and setting markers around these issues
    • Regulators appear unconstrained by the absence of harm
    • Regulators have access to statutory penalties unavailable to private litigants
      - These can dwarf any related civil liability by using per-breach/exposure calculation methodologies
      - e.g., California Ins. Code 790.03: up to $10,000 per violation
      - e.g., California Bus. & Prof. Code 17206 & 22575: up to $2,500 per violation
    • Vaguely defined standards that maximize regulator flexibility, e.g., prohibitions against “unfair trade practices”
  • Active Enforcement by California AG
    • AG created the first “Privacy Enforcement and Protection Unit” in July 2012
    • OPPA is the only state law that requires companies to prominently notify users of their mobile apps about what personally identifiable information is being collected and how it will be used
      - AG released “Recommendations for the Mobile Ecosystem” in 2013
    • Brought highly publicized action against Delta Airlines seeking billions of dollars in penalties associated with the placement of its privacy policy for its mobile app
  • Do-Not-Track Law (AB 370) Amends CalOPPA
    • Takes effect January 1, 2014
    • Has national applicability since it applies to any website, service or mobile app that collects Personally Identifiable Information (“PII”) from California residents
    • Requires website operators to disclose in their privacy policies how they respond to browser "do not track" signals or similar mechanisms
    • Requires operators to disclose whether other parties may collect PII about an individual consumer's online activities
    • No private right of action
    • Penalty includes up to $2,500 per violation under the UCL
  • California AG Setting Standard of “Best Practices” Not Compliance
    • First took this approach upon passage of OPPA by issuing its “Recommendations for the Mobile Ecosystem” in 2013
    • California AG announced a “Joint Statement of Principles” with which platform and web site providers were encouraged to agree
      - Ensures that privacy policies provide notice of data collection and comply with the California Online Privacy Protection Act (Bus. & Prof. Code 22575)
      - Several large companies have agreed
    • Announced plan to offer a “best practices” guideline for the Do-Not-Track law sometime in January 2014
  • California AG Setting Standard of “Best Practices” Not Compliance (cont.)
    • Highlights of the December 10 public stakeholder meeting hosted by the Privacy Enforcement Unit (California Department of Justice Privacy Enforcement and Protection Unit):
      - Refused to provide guidance about what constitutes compliance with AB 370
      - Recommended broader application beyond just online behavioral advertising to market research, website analytics, website operations, and fraud detection and prevention
      - Recommended including language explaining the effects of any opt-out options that consumers choose
      - Eliminated the 30-day grace period for companies with existing California OPPA privacy policies
  • Privacy and Security Civil Litigation: Updates
    • Courts have generally taken a narrow view of privacy rights, confronting litigants with the difficult burden of proving actual harm
    • Influence on courts from the Snowden publicity firestorm. Is it turning the tide?
    • Recent federal court split on NSA Security:
      - Dec. 27, S.D.N.Y.: found that NSA’s phone collection efforts were lawful
      - Dec. 16, D.C. Dist. Ct.: found NSA phone collection efforts "almost Orwellian" and amounting to an "indiscriminate and arbitrary invasion"
  • Privacy and Security Civil Litigation
    • Split of federal courts on application of ECPA to Google
      - ECPA permits recovery of damages for the interception of PII that is not done in “the ordinary course of business”
      - Courts have split on whether the use of personal information for targeted advertising is in Google’s “ordinary course of business”:
        Dismissed: In re Google Inc. Privacy Policy Litigation (N.D. Cal. Dec. 3, 2013)
        Denied Motion to Dismiss: In re Google Inc. Gmail Litigation (N.D. Cal. Sept. 26, 2013)
  • Continuing Tension Over Lack of Clear Standards
    • Target
      - Numerous class action complaints filed in the wake of the scandal seek damages without specifying the allegedly negligent acts of Target that caused the data leaks
    • Wyndham
      - The FTC sued Wyndham after hackers gained access to hotel guests’ computers
      - Alleged that failure to police the hotel Wi-Fi connection constituted an “unfair” practice under Section 5 of the FTC Act
      - Pending Motion to Dismiss challenges the FTC’s ability to regulate Wi-Fi privacy because of a lack of standards
    • Sen. Robert Menendez recently held a press conference in a Target parking lot arguing that the FTC should have the authority to levy fines
  • California AG Issued a Data Breach Report in July 2013
    • Showed 2.5 million Californians had personal information “put at risk” through an electronic data breach
    • Concluded “that 1.4 million Californians would have been protected if companies had encrypted data when moving or sending the data out of the company’s network”
    • Failed to detail any actual harm associated with a breach
    Breach Magnitude Statistics:
    - Mean: 22,500 individuals per breach
    - Median: 2,500 individuals per breach
    - Five breaches each involved data for 100,000+ individuals
  • Data Breach Continues to be Top Exposure
    Limited public data, but what does exist indicates that both customer and employee data are at risk of data breach.
    [Charts: By Data Type; By Industry Sector. Source: “Data Breach Report”, California Attorney General, July 1, 2012]
  • Failure Types Causing Data Breaches
    [Charts: Item Type and Error Type of breach (Documents 5%, Hardware 17%, Disposal 2%, Media 6%, Insiders 10%, Processing 16%, Access by Outsiders 45%), grouped as “Physical” [Lost or Stolen Items], “Procedural” [Errors] and “Logical” [Intentional Unauthorized Access…]. Source: “Data Breach Report”, California Attorney General, July 1, 2013]
  • California AG’s “Recommendations”
    • Companies and/or agencies should:
      1. Encrypt digital personal information when moved from secure networks
         - AG is making unencrypted personal information breaches a priority
      2. Review and tighten security controls on personal information
      3. Improve the readability of breach notices to potentially affected individuals
      4. Offer mitigation products and/or provide information to victims of Social Security or driver’s license number breaches about security freeze options
  • Watch Out for Other Privacy Emergencies!
    Your organization may need to respond to other urgent and sensitive privacy and cybersecurity issues:
    • Digital Advertising: information was being collected/shared in contravention of user/customer disclosures
    • Sweepstakes: identity/image of a sweepstakes participant/winner disclosed in contravention of terms
    • Social Media: combines the exposures addressed in Digital Advertising and Sweepstakes. Exposure can be amplified by the social network effect of the content at issue
    • New Product Approval: privacy and cybersecurity issues not properly vetted with key stakeholders before launch
  • Multi-stakeholder Coordination Always Required
    Consider conducting a RASCI exercise amongst stakeholders to align on roles and responsibilities:
    R: RESPONSIBLE
    A: ACCOUNTABLE
    S: ESCALATED
    C: CONSULTED
    I: INFORMED
  • Sustainable Privacy Crisis Management
    The key to sustainability is process integrity! All Privacy Emergencies (or potential Emergencies) should flow through a Response Framework: a funnel that engages key stakeholders and ensures seamless end-to-end management of an issue. End-to-end management includes resolution, post-mortem and remediation, as well as ongoing monitoring and reporting.
    Legal plays a critical role in determining what actions must be taken in response to a Privacy Crisis, both in planning and in execution of a response plan.
  • Protecting the Company and Applying the Facts
    Data breach is an issue that every company deals with, many for both customer and employee information. Things to keep in mind:
    • Third-party forensics, if performed, should be engaged and directed through Counsel to preserve your ability to assert Privilege in subsequent litigation.
    • Understand that even if analyses are protectable, the underlying facts will not be.
    • Determining data breach notification requirements is a very fact-specific exercise; be careful not to make assumptions. All but a few states have enacted data breach notification legislation, but there is substantial diversity amongst them.
    -----> Make sure you are applying the right law to the right facts!
  • 10 Ways to Manage Crises to Positive Outcomes
    1. Always consider the impact on an individual first, since customers drive shareholder value and brand equity.
    2. Wherever possible, consider treating individuals within a category the same, even if not specifically legally required to do so.
    3. Make sure there is executive sponsorship for your initiatives, including the ability to quickly escalate issues as appropriate.
    4. Speak with a consistent voice internally and externally, making sure external statements are cleared by Public Affairs and Legal.
    5. Understand and anticipate operational complexities and plan appropriately.
    6. Ensure Customer Service is aligned and prepared to respond to questions and concerns.
    7. Identify other places within the company which may also be impacted and remediate them.
    8. Consider proactively reaching out to Regulators; "relationship capital" is essential in limiting liability on issues.
    9. Focus on clarity in communications internally; take the emotion out. You are creating a roadmap for critical examination of your processes.
    10. Constantly improve and refine your Response Framework based on results and feedback.
  • Questions and Answers
    Andy Roth, Partner and Co-Chair, Global Privacy and Cybersecurity Practice, Dentons US LLP, New York, +1 212 768 6804, andy.roth@dentons.com
    Steven Velkei, Litigation Partner, Dentons US LLP, Los Angeles, +1 213 892 5007, steven.velkei@dentons.com