In the last several years, substantial data breaches or hacker attacks in the U.S. have shown no signs of abating. Neither have the class actions that typically follow in their wake. Bradley Arant discusses litigation trends in data breach class actions. The video will touch on evolving issues in these cases, including recent loosening of consumer standing requirements (in cases after the Supreme Court’s Clapper decision), class certification and other issues raised in the Target litigation. We will also provide an overview of recent settlements of data breach class actions and what they might mean for later cases. The webinar will address several issues pending before the Supreme Court this term that could have significant impact, including whether a statutory violation without other injury confers Article III standing, and the extent to which statistical evidence can be used to justify class certification.
Bradley's panel reacts to and addresses a hypothetical cyber incident involving a widespread compromise of consumer healthcare and financial information. Amy Leopard (Healthcare), Mike Pennington (Litigation), John Goodman (Litigation), Elena Lovoy (Financial Services), and moderator Paige Boshell (Intellectual Property, Financial Services) will offer legal and practical strategies to proactively respond to and resolve a specified data breach. Highlights will include customer notice strategies, attorney-client privilege and litigation avoidance strategies, and coordination with third parties, including external PR and forensic investigators, vendors, regulators, and law enforcement.
Legal Issues Impacting Data Center Owners, Operators & Users - jyates
MMM’s goal is to work with data center owners, operators and users to identify key legal issues and their related claims, and to provide ways to minimize liability.
Above Compliance – Navigating the Cybersecurity Landscape and Officer & Direc... - Shawn Tuma
Presentation addresses issues in cybersecurity law of the evolving standards for data breach liability for companies as well as officers and directors. The event was sponsored by Above Security and the title of the event was Above Compliance – Navigating the Cybersecurity Landscape in Financial Services.
Cyber risk related to information security is growing. A potentially huge exposure for transportation companies is the personal data of their current and prospective drivers.
Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know Abo... - Diana Maier
No matter what kind of law practice you have, you need to comply with privacy laws generally and lawyers' ethical duties with respect to privacy, specifically. In this presentation, legal ethics counsel Sarah Banola (Cooper, White and Cooper, LLP) and employment and privacy attorney Diana Maier (Law Offices of Diana Maier) deliver a primer on privacy law and teach you the key areas of privacy law and associated ethical obligations.
Overview and Update on the Computer Fraud and Abuse Act (CFAA) for the Data ... - Shawn Tuma
This is a presentation by Shawn Tuma, an attorney in Plano, Texas who has expertise with the Computer Fraud and Abuse Act. Tuma provides an overview and update on recent cases and legal issues involving the Computer Fraud and Abuse Act -- otherwise known as the CFAA.
The Evolving Computer Fraud and Abuse Act - Shawn Tuma
The slides from Shawn Tuma's presentation to the Computer Law Section of the Dallas Bar Association entitled The Evolving Computer Fraud and Abuse Act. Dated April 23, 2012.
Computer Fraud and Abuse Act CLE - Dallas Bar Ass'n (8.22.11) - Shawn Tuma
The slides are from a Continuing Legal Education seminar entitled "Computer Fraud and Abuse Act: A Lunch Sampler With A Little Something for Everyone"
I presented to the Dallas Bar Association on August 22, 2011.
If you have any questions please feel free to contact me at www.shawnetuma.com
Managing the Legal Concerns of Cloud Computing - Amy Larrimore
Presented at the 2013 Pennsylvania Bar Institute as an edition in an annual series on legal concerns around cloud computing. This one covers how technology overlaps and where the risk needs to be managed in between systems.
Introduction to US Privacy and Data Security Regulations and Requirements (Se... - Financial Poise
The United States has no federal data security or privacy law covering all businesses or all U.S. citizens. Instead, federal agencies and individual states have created their own patchwork of laws and regulations which must be evaluated for their application to a business.
This webinar will help you navigate the overlapping and sometimes confusing system of laws and regulations which may impact your business, ranging from emerging state-level privacy legislation to the numerous data breach notification statutes to cybersecurity regulations with extraterritorial effect.
To view the accompanying webinar, go to: https://www.financialpoise.com/financial-poise-webinars/introduction-to-us-privacy-and-data-security-regulations-and-requirements-2021/
The future will be Realtime & Collaborative - Joseph Gentle
These are the slides from a talk I gave at the JS summit in 2014. I gave some demos too which were very cool. Hopefully the video will be available at some point.
A Changing Paradigm: Is Your Content Strategy Keeping Up? - Laura Blaydon
Technology’s continued evolution is changing customer expectations and needs, offering content strategists new opportunities and challenges in the race to win “share of mind.” To reach this empowered, digitally connected audience, content providers must offer information that’s timely, relevant and integrated into (and across) the products and tools consumers use every day.
Building Disciples in the Practice: Getting Started - Allan Carrington
These are the slides for the second webinar at the University of the Nations Leadership meeting being held in South Korea in March 2014. It is designed to introduce teachers to nine major technologies and/or pedagogies to help them with blended teaching and learning.
Cyber Security for Your Clients: Business Lawyers Advising Business Clients - Shawn Tuma
This presentation focused on cyber security protections for businesses and other law firm clients. Cybersecurity and data privacy attorney Shawn Tuma presented this continuing legal education session on March 10, 2017. It was delivered live at the TexasBarCLE presents the 8th Annual Course Essentials of Business Law: Four Modules for a Robust Practice, cosponsored by the Business Law Section of the State Bar of Texas.
Cyber security legal and regulatory environment - Executive Discussion - Joe Nathans
What will you do when a breach occurs, and critical, confidential information has been publicly disclosed?
• FBI, Law Enforcement or Reporter Calls
• You become the Top News Story
• Investors need answers
• Regulatory Agencies are asking questions
• Your Customers, Suppliers, and Employees are affected, concerned, and need information
• The Breach becomes your only priority and you don’t know:
o What happened and what was disclosed?
o Who is responsible for resolution and who is on our team?
o What are our legal responsibilities?
o How will we manage the surge volume of communications, discovery and analysis?
o Who will pay?
The following presentation begins to address some of the legal and regulatory issues that are involved. The presentation is for discussion purposes only and should not be considered legal advice.
ACI’s lauded Cyber & Data Risk Insurance conference is the highest-level event that provides maximum opportunities to learn from and network with underwriters, brokers, claims managers and industry leaders, and helps you keep pace with the ever-changing cyber insurance market. It’s also the only conference that brings you regulatory and enforcement priorities straight from the federal and state government themselves.
Privacy rules matter—make sure your firm stays compliant.
While every lawyer knows the basic rules behind confidentiality and attorney-client privilege, the significance of privacy law is less well-known—and that lack of knowledge can impact your law firm. Emerging privacy rights and rights of action are impacting businesses of all types—including those in the legal profession. Local, national, and even international laws are making privacy the next frontier in data management for lawyers.
Are you prepared to adjust to the new demands of privacy for law firms, and move beyond confidentiality?
Join Joshua Lenon—an IAPP Certified Information Privacy Professional and Clio’s Lawyer in Residence and Data Protection Officer—as he explains how these privacy laws can impact law firms and what your firm should do to ensure compliance.
In this free 1-hour CLE-eligible webinar, you’ll learn:
Why law firm data must conform with emerging privacy regulations
The impact of clients’ compliance with privacy law on firm operations
Future privacy laws that may affect your law firm—no matter where you operate
https://www.clio.com/events/webinar-law-firm-privacy/
This course provides an overview of whistleblower protections for employees who blow the whistle on cybersecurity or data privacy concerns. And it offers practical tips and insights for practitioners on how to evaluate potential cybersecurity whistleblower claims and overlapping remedies to maximize damages. In addition, the course addresses the challenging issues that arise when a whistleblower simultaneously prosecutes both whistleblower retaliation and whistleblower rewards claims.
Legal vectors - Survey of Law, Regulation and Technology Risk - William Gamble
Survey of law, regulation and technology risk including new cyber security regulations, HIPAA, European Privacy GDPR, Internet of Things Liability, State Law
William Gamble
Cybersecurity Legal Issues: What You Really Need to Know - Shawn Tuma
Presentation delivered at the Cybersecurity for the Board & C-Suite "What You Need to Know" Cyber Security Summit Sponsored by the Tarleton State University School of Criminology, Criminal Justice, and Strategic Studies' Institute for Homeland Security, Cybercrime and International Criminal Justice. Shawn Tuma, Cybersecurity & Data Privacy lawyer at Scheef & Stone, LLP in Frisco and Dallas, Texas.
The presentation date was September 13, 2016.
As a cybersecurity and privacy attorney, Shawn Tuma spends much of his time assisting clients proactively prepare for the legal aspects of cybersecurity incidents and respond to incidents when they occur. His work with management, legal, as well as the technology departments, and focus on the legal aspects of cybersecurity, gives him unique insight into how the non-technical areas of companies understand and evaluate cybersecurity.
In his presentation, Tuma will explain how, in his experience, the traditional fear, uncertainty, and doubt – the fear -- that has been used to “sell” cybersecurity has now gone too far and has created a feeling of hopelessness in many companies that has led many to simply quit trying. Instead of always focusing on the fear, he will explain how cybersecurity professionals should help empower companies to do what they can, even if they can’t do everything, so that they can at least improve their cybersecurity posture even if they can’t become “secure.”
Tuma will explain how recent legal and regulatory compliance developments encourage companies to take this approach by doing what is reasonable and provide specific action items that virtually all companies can implement to better themselves in this regard – especially if they find themselves in an incident response situation.
After completing this session, you will:
• Understand why cybersecurity is as much a legal issue as it is a business or technology issue.
• Understand how most legal and regulatory compliance actions support a “take reasonable measures” approach instead of a “strict liability” approach to companies’ pre-breach activities.
• Understand the need to, and how to, focus on the basics of risk and preparation for mitigating such risk.
• Understand the 2 primary legal and regulatory compliance areas that pose the most risk to companies and key action items that can help mitigate that risk.
• Know the 3 pre-breach must-haves for every company to have in place.
• Understand the importance that cybersecurity- and privacy-focused contractual agreements have for companies and how such agreements can be negotiated.
• Understand why selling the FUD impedes all of these objectives and harms companies’ cybersecurity posture more than it helps.
2016 was an important year for privacy on many fronts. From Privacy Shield to the imminent arrival of a new U.S. president; from Brexit to ongoing breach law developments; and from FCC changes for ISPs to the upcoming arrival of GDPR—there wasn’t a single dull moment. In this eLunch, Winston’s Privacy & Data Security Practice Chair Liisa Thomas and Partner Rob Newman looked back at 2016 and discussed what to expect in the privacy world in 2017 and beyond.
Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ... - Shawn Tuma
This presentation was delivered by Shawn E. Tuma, Cybersecurity and Data Privacy Attorney, to the Joint Meeting of ISACA and IIA North Texas on January 12, 2017.
This presentation was significantly updated from past presentations and included a discussion of the groundbreaking New York Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies.
The main points of this presentation are:
(1) Cybersecurity events create a crisis situation and should be treated as such;
(2) Cybersecurity incidents are as much legal events as they are IT or Business / Public Relations events;
(3) Companies must have a cybersecurity breach response plan in place and tested, in advance;
(4) While consumer class action data breach litigation is a significant threat to companies and their leadership, it is not as great of a threat as regulatory enforcement by agencies such as the FTC and SEC, or the shareholder derivative claims for officer and director liability; and
(5) The odds are that all companies will be breached, but preparation and diligence can help minimize the likelihood of such a breach being a catastrophic event.
This presentation addresses the role of attorneys as the first responders in leading their clients through cybersecurity and data loss crisis events. The discussion begins by looking at the risk businesses have of being the victim of a cybersecurity or data loss incident and examining the nature of such incidents and the crisis environment they create. Then, because of this crisis environment, it addresses the need for leadership in helping keep the parties calm, rational, and making deliberate, calculated decisions.
The discussion then explains why cybersecurity events are legal events and legal counsel is the natural leader that should fulfill this role and how they can do so. It will then discuss the process legal counsel will take, including assembling the key players in such an event, both internally and externally. It discusses the obligations for responding to such an event, the steps that must be taken, those that must be considered, and certain factors that go into the decision-making process. It briefly addresses the costs of such an incident and the liability issues that can arise from such an incident and failing to properly respond to the incident. This section includes a discussion of the cybersecurity lawsuit landscape, cybersecurity regulatory landscape, and the issue of cybersecurity-related officer and director liability stemming from shareholder derivative lawsuits based on cybersecurity incidents.
It concludes with a discussion of the steps that companies can take to prepare for and be in a better position to respond to and mitigate the negative repercussions of such an incident.
ASHWINI KUMAR UPADHYAY v/s Union of India.pptx - shweeta209
transfer of the P.I.L filed by lawyer Ashwini Kumar Upadhyay in Delhi High Court to Supreme Court.
on the issue of UNIFORM MARRIAGE AGE of men and women.
PRECEDENT AS A SOURCE OF LAW (SAIF JAVED).pptx - OmGod1
Precedent, or stare decisis, is a cornerstone of common law systems where past judicial decisions guide future cases, ensuring consistency and predictability in the legal system. Binding precedents from higher courts must be followed by lower courts, while persuasive precedents may influence but are not obligatory. This principle promotes fairness and efficiency, allowing for the evolution of the law as higher courts can overrule outdated decisions. Despite criticisms of rigidity and complexity, precedent ensures similar cases are treated alike, balancing stability with flexibility in judicial decision-making.
Car Accident Injury Do I Have a Case.... - Knowyourright
Every year, thousands of Minnesotans are injured in car accidents. These injuries can be severe – even life-changing. Under Minnesota law, you can pursue compensation through a personal injury lawsuit.
RIGHTS OF VICTIM EDITED PRESENTATION(SAIF JAVED).pptx - OmGod1
Victims of crime have a range of rights designed to ensure their protection, support, and participation in the justice system. These rights include the right to be treated with dignity and respect, the right to be informed about the progress of their case, and the right to be heard during legal proceedings. Victims are entitled to protection from intimidation and harm, access to support services such as counseling and medical care, and the right to restitution from the offender. Additionally, many jurisdictions provide victims with the right to participate in parole hearings and the right to privacy to protect their personal information from public disclosure. These rights aim to acknowledge the impact of crime on victims and to provide them with the necessary resources and involvement in the judicial process.
WINDING UP of COMPANY, Modes of Dissolution - KHURRAMWALI
Winding up, also known as liquidation, refers to the legal and financial process of dissolving a company. It involves ceasing operations, selling assets, settling debts, and ultimately removing the company from the official business registry.
Here's a breakdown of the key aspects of winding up:
Reasons for Winding Up:
Insolvency: This is the most common reason, where the company cannot pay its debts. Creditors may initiate a compulsory winding up to recover their dues.
Voluntary Closure: The owners may decide to close the company due to reasons like reaching business goals, facing losses, or merging with another company.
Deadlock: If shareholders or directors cannot agree on how to run the company, a court may order a winding up.
Types of Winding Up:
Voluntary Winding Up: This is initiated by the company's shareholders through a resolution passed by a majority vote. There are two main types:
Members' Voluntary Winding Up: The company is solvent (has enough assets to pay off its debts) and shareholders will receive any remaining assets after debts are settled.
Creditors' Voluntary Winding Up: The company is insolvent and creditors will be prioritized in receiving payment from the sale of assets.
Compulsory Winding Up: This is initiated by a court order, typically at the request of creditors, government agencies, or even by the company itself if it's insolvent.
Process of Winding Up:
Appointment of Liquidator: A qualified professional is appointed to oversee the winding-up process. They are responsible for selling assets, paying off debts, and distributing any remaining funds.
Cease Trading: The company stops its regular business operations.
Notification of Creditors: Creditors are informed about the winding up and invited to submit their claims.
Sale of Assets: The company's assets are sold to generate cash to pay off creditors.
Payment of Debts: Creditors are paid according to a set order of priority, with secured creditors receiving payment before unsecured creditors.
Distribution to Shareholders: If there are any remaining funds after all debts are settled, they are distributed to shareholders according to their ownership stake.
Dissolution: Once all claims are settled and distributions made, the company is officially dissolved and removed from the business register.
Impact of Winding Up:
Employees: Employees will likely lose their jobs during the winding-up process.
Creditors: Creditors may not recover their debts in full, especially if the company is insolvent.
Shareholders: Shareholders may not receive any payout if the company's debts exceed its assets.
Winding up is a complex legal and financial process that can have significant consequences for all parties involved. It's important to seek professional legal and financial advice when considering winding up a company.
A "File Trademark" is a legal term referring to the registration of a unique symbol, logo, or name used to identify and distinguish products or services. This process provides legal protection, granting exclusive rights to the trademark owner, and helps prevent unauthorized use by competitors.
Visit Now: https://www.tumblr.com/trademark-quick/751620857551634432/ensure-legal-protection-file-your-trademark-with?source=share
DNA Testing in Civil and Criminal Matters.pptx - patrons legal
Get insights into DNA testing and its application in civil and criminal matters. Find out how it contributes to fair and accurate legal proceedings. For more information: https://www.patronslegal.com/criminal-litigation.html
In 2020, the Ministry of Home Affairs established a committee led by Prof. (Dr.) Ranbir Singh, former Vice Chancellor of National Law University (NLU), Delhi. This committee was tasked with reviewing the three codes of criminal law. The primary objective of the committee was to propose comprehensive reforms to the country’s criminal laws in a manner that is both principled and effective.
The committee’s focus was on ensuring the safety and security of individuals, communities, and the nation as a whole. Throughout its deliberations, the committee aimed to uphold constitutional values such as justice, dignity, and the intrinsic value of each individual. Their goal was to recommend amendments to the criminal laws that align with these values and priorities.
Subsequently, in February, the committee successfully submitted its recommendations regarding amendments to the criminal law. These recommendations are intended to serve as a foundation for enhancing the current legal framework, promoting safety and security, and upholding the constitutional principles of justice, dignity, and the inherent worth of every individual.
Introducing New Government Regulation on Toll Road.pdf - AHRP Law Firm
For nearly two decades, Government Regulation Number 15 of 2005 on Toll Roads ("GR No. 15/2005") has served as the cornerstone of toll road legislation. However, with the emergence of various new developments and legal requirements, the Government has enacted Government Regulation Number 23 of 2024 on Toll Roads to replace GR No. 15/2005. This new regulation introduces several provisions impacting toll business entities and toll road users. Find out more insights about this topic in our Legal Brief publication.
How to Obtain Permanent Residency in the Netherlands - BridgeWest.eu
You can rely on our assistance if you are ready to apply for permanent residency. Find out more at: https://immigration-netherlands.com/obtain-a-permanent-residence-permit-in-the-netherlands/.
ADR in criminal proceeding in Bangladesh with global perspective.
Cloud Security Law Issues--an Overview
1. CLOUD SECURITY LAW
MICHAEL KEELING, PE, ESQ.
KEELING LAW OFFICES, PC
PHOENIX AND CORONADO
Presented at Cloud Security Alliance Meeting
January 20, 2015
Phoenix
NOTE: Information contained in this presentation is intended for informational purposes ONLY. It is not intended to be, and should not be construed as, legal advice to any person or in connection with any transaction. Always consult with an experienced attorney before engaging in any transaction that might involve the legal issues discussed herein.
2. Cloud Perspectives
Gartner sees the cloud as a: “style of computing where scalable and elastic IT-related capabilities are provided as a service to customers using Internet technologies.”
Government sees
• Enforcement of specific statutes
  • HIPAA
  • CAN-SPAM (Commercial messaging)
  • GLB (Financial services)
  • COPPA (Children)
• Compliance—Federal Guidelines
  • NIST
• State Actions
  • State patchwork of statutes
• Federal Trade Commission
  • Primary federal enforcer.
3. Percentage of Claims by Data Type
NetDiligence® 2013 Cyber Liability & Data Breach Insurance Claims
4. Percentage of Claims by Business Sector
NetDiligence® 2013 Cyber Liability & Data Breach Insurance Claims
5. Percentage of Claims by Cause of Loss
NetDiligence® 2013 Cyber Liability & Data Breach Insurance Claims
6. State Regulatory Exposure
• 47 States require notice of security breaches (not AL, NM, SD as of 1/1/2015)
  • After unauthorized access of PII/PHI
  • If unencrypted computerized PII/PHI
• Many States
  • Require Notice to state attorney general, state consumer protection agencies, and credit monitoring agencies
  • Allow private right of action for violations
• Encryption often a safe harbor
  • Data-at-rest
  • Data in transit
7. FTC Act
• Prohibits “unfair or deceptive practices in or affecting commerce.”
• “Unfair” if … Practice
  • Causes or is likely to cause substantial injury to consumers
  • Cannot reasonably be avoided by consumers
  • Is not outweighed by countervailing benefits to consumers or to competition
• “Deceptive” if … Practice, or Representation, or Omission
  • Misleads or is likely to mislead consumers
  • Based on Consumers’ interpretation under circumstances
  • Is it material?
• No intent required (strict liability).
8. Liability Equals
Common Law 101
• Duty
• Breach
• Causation
• Injury/Harm
• Damages
• Defenses.
Federal Trade Commission
• No “unfair or deceptive practices in or affecting commerce.”
• Broad dragnet
• No Intent required
• No actual harm required.
9. Court Ruled FTC Can Enforce Breaches As An Unfair Practice Under FTC Act
• FTC sued Wyndham Worldwide Corporation in 2012, alleging
  • Violated FTC Act’s prohibition against unfair or deceptive acts or practices.
  • Failure to maintain reasonable and appropriate data security for consumers’ sensitive personal information
• Wyndham moved to dismiss, arguing
  • FTC did not have authority to bring an “unfairness” claim involving data security.
• Court disagreed
  • Finding specific data security legislation passed after FTC Act merely complemented FTC’s unfairness authority—but did not preclude it.
• Wyndham also argued
  • FTC had to publicize regulations to provide fair notice of its data security standards
• Court disagreed
  • Court determined such publication was not the only way to do so.
  • It noted FTC Act, Section 5 provides a three-part test
  • Suggesting entities look to complaints, consent agreements and public statements to figure out FTC’s standard for bringing an unfairness claim under the Act.
10. FTC—In Action
Practices FTC attacks as “deceptive”
Violating your published privacy policies
Failing to verify identity of persons to whom
confidential consumer information was disclosed
Downloading spyware/adware onto unsuspecting
users’ devices
Practices FTC attacks as “unfair”
Failing to implement reasonable safeguards to
protect privacy of consumer information
As compared to “developing” federal standards
FTC’s “yardstick” is a moving target.
11. FTC Suit—Snapchat Misleads By Claiming
Messages “Disappear Forever”
• FTC accused Snapchat of violating FTC Act, Section 5—barring deceptive
business practices.
• “if you make promises about privacy, you must honor those promises.”
• FTC alleged Snapchat messages are not ephemeral as promised
• Snapchat wrongly informed its users that their messages would vanish
• Company’s FAQ: “Is there any way to view an image after the time has expired? No, snaps
disappear after the timer runs out.”
• FTC interpreted as an absolute statement. Period.
• Snapchat deceived consumers about PII it collected and what it did with the PII.
• Snapchat users were likely attracted by promise that their messages would disappear.
• “Several methods exist by which a recipient can save both photo and video messages,
allowing access indefinitely.”
• Settlement
• Bars Snapchat from misrepresenting its privacy policies
• Requires Snapchat implement “a comprehensive privacy program”…monitored 20 yrs.
• Violations of settlement, liable for up to $16,000 per violation per day
12. FCC Expands Its Data Security
Regulatory Reach
• FCC $10 million fines, October 24, 2014
• TerraCom Inc. and YourTel America Inc.
• First time, but per FCC Enforcement Bureau Chief
• “it will not be the last”
• Allegedly, the two companies
• collected consumer PII to demonstrate eligibility for FCC’s Lifeline program
• Stored unencrypted customer PII online
• with no security safeguards
• Alleged failure is
• Violation under FCC ACT, Section 222(a), and
• Unjust and unreasonable practice in violation of Section 201(b)
• Section 503(b)(1)
• Empowers FCC to order forfeiture penalties for violations of the Act,
• But does not specify a base forfeiture per violation.
13. Security Breach Litigation
Breach of Contract/Implied Contract and Negligence
Anderson v. Hannaford Brothers Co., 659 F.3d 151 (1st Cir. 2011)
Finding Implied contract duty by grocery store to protect customers’ data
Patco Construction Co. v. People’s United Bank, 684 F.3d 197 (1st Cir. 2012)
Holding defendant’s security procedures not commercially reasonable
Standing in Class Action Cases
Lambert v. Hartman, 517 F.3d 433 (6th Cir. 2008)
Finding standing where P’s information posted on municipal website, taken by
identity thief, causing actual financial loss traceable to D’s conduct
Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012)
Finding standing where plaintiffs were identity-theft victims
Pisciotta v. Old National Bancorp., 499 F.3d 629 (7th Cir. 2007)
Finding standing based on threat of future harm
Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010)
Finding standing where plaintiffs’ unencrypted PII was stored on a stolen laptop
Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011)
Finding no standing in employee risk-of-identity theft suit alleging negligence and
breach of contract against a payroll processing firm.
14. Court Allows HIPAA “Standard of Care”
Negligence Claim
• Connecticut Supreme Court rules plaintiffs can sue for
negligence if a healthcare provider violates HIPAA privacy
regulations
• Emily Byrne vs. Avery Center for Obstetrics and Gynecology (2014)
• HIPAA does not provide for the “private right of action”
• In data-breach cases, plaintiffs argue
• healthcare provider, insurer or other covered entity (Business
Associates) did not meet the “standard of care” under HIPAA security
or privacy rule in protecting records
• and that failure to meet that standard of care was negligent.
• BUT—in negligence lawsuits, plaintiffs must show damages.
15. Defenses Shrinking
Krottner v. Starbucks Corp.
Increased risk of identity theft constitutes an injury-in-fact
Anderson v. Hannaford
Alleged fraud in population and money spent in mitigation
efforts sufficient (instead of time/effort)
ITERA (Identity Theft Enforcement and Restitution Act)
Pay an amount equal to Victims’ value of time reasonably spent
In re Hannaford Bros. Data Security Breach Litigation
Time equals money—if fraud; credit monitoring damages
ChoicePoint Data Breach Settlement
“Time they [victims] may have spent monitoring their credit or
taking other steps in response”
16. Director Liability Arising From Data Breach
Palkon v. Holmes, No. 14-cv-01234 (D.N.J.), Wyndham SHs sued D&O’s, claiming their failure to implement adequate information-security policies allowed 3 data breaches
• Shareholder derivative actions
• Plaintiff is not required to prove damages resulting from theft of PII.
• Directors owe Duties Of Care (BJR) and Loyalty—including Duty of Oversight (No BJR)
• Did not implement reporting or information system or controls; or
• Implemented controls, BUT “consciously failed to monitor or oversee its operations.” Stone.
• After a data breach, claims against board probably will be
• Breach of Duty of Care and
• Breach of Duty of Loyalty/Oversight
• Court “look[s] for evidence of whether a board has acted in a deliberate and knowledgeable way identifying and exploring
alternatives.” Citron v. Fairchild Camera
• Directors may rely on reports prepared by others, BUT MUST TAKE an active and direct role
• Board that fails to manage and monitor cybersecurity probably breaches its duties of care and oversight
• Protect Against Liability
• Board must become well-informed
• Board should appoint a committee responsible for privacy and security
• Recruit and hire at least one tech-savvy member
• Follow best industry practices
• Indemnification and Insurance
• Articles of incorporation—provision eliminating director personal-liability for monetary damages for breach of the
Duty of Care/Loyalty.
• D & O Policy—WITHOUT exclusions to liability resulting from a privacy breach
• Example Problem Exclusion: Insurer shall not be liable for Loss relating to a Claim made against an Insured:
• “for emotional distress of any person,
• or for injury from libel, slander, defamation or disparagement,
• or for injury from a violation of a person’s right of privacy.”
17. Strategies to Minimize Exposure
Review privacy/security policies and practices
Are you walking the talk?
If not—change it—ensure your policies never out-pace your practices
Make privacy/security policy a binding contract
Use arbitration provision in consumer contracts
Review third party contracts that collect/store/transport
PII/PHI
Add indemnification provisions in agreements
• Does your indemnifying contracting-party have adequate resources?
Review/add insurance
Evaluate credit card practices under state laws
Technology solutions—tied to policy elements
18. Audit Your Cloud
Service Provider Responsibilities
Service Level Agreements (SLAs)
Risk assessments
Performance and frequency
Where is the data?
Compliance
Right to Audit
Third-party Reviews
ISO 27001, etc.
Incident Response, Notification and Remediation
Legal and regulatory compliance
Exercising of response plans
Data Security
Encryption
Identity and Access Management
Who am I/What do I know/What do I have?
19. Prevent/Mitigate Litigation
End-User Measures:
• Encrypt data before sending to Cloud
• Industry-specific restrictive rules—on data
storage/transport
• Notify customer/client HOW data is stored as part of
contract governing basic relationship
• E.g., FINRA/securities and HIPAA/medical providers
• Sophisticated/often-changed pass-phrases
• Address Cloud storage issues
• Leak response plan
• Compliance
20. Post-Leak Litigation Prevention
• Immediate internal investigation
• Retain counsel – privilege/work product issues
• Interview key personnel
• Document actions taken
• Immediately and fully notify customers
• No cover up, minimization, or delayed reporting
• Include plan/potential compensation offer
• Establish customer hotline
21. QUESTIONS
Cloud Security Law
Michael Keeling, PE, Esq.
Keeling Law Offices, PC
Phoenix and Coronado, CA
www.keelinglawoffices.com
NOTE: Information contained in this
presentation is intended for informational
purposes ONLY. It is not intended to be, and
should not be construed as, legal advice to any
person or in connection with any transaction.
Always consult with an experienced attorney
before engaging in any transaction that might
involve the legal issues discussed herein.