Anthem Settles Data Breach Litigation for Record-Setting $115M

Health insurance giant Anthem, Inc. agreed to the largest data breach settlement to date last week, ending multi-district consumer litigation over a 2015 data breach for $115 million. The data breach, which resulted from a hacker-orchestrated cyberattack following the theft of an employee password, exposed personally identifiable information (“PII”) and protected health information (“PHI”) of nearly 80 million people. The stolen information included the names of current and former clients, dates of birth, addresses, social security numbers, and other medical information. The settlement [...] Read more

Alston & Bird Issues Cyber Alert on the New Chinese Cybersecurity Law and Regulations

On Monday, June 26, 2017, Alston & Bird’s Kim Peretti, Justin Hemmings, and Emily Poole issued an advisory on recent changes in Chinese Cybersecurity Law. The new law asserts greater control over all data collection and generation in China, as well as the processing of data from Chinese data subjects. While the law entered into force on June 1, 2017, there is still uncertainty as to how the law will be interpreted and enforced, including which companies are subject to the law. The Advisory explores the scope and requirements of the Cybersecurity Law and reasonable interpretations of the [...] Read more

Northern District of Illinois Dismisses Barnes & Noble Data Breach Lawsuit

Earlier this month, the United States District Court for the Northern District of Illinois entered an order dismissing with prejudice a putative class action concerning a security breach affecting PIN pad devices at numerous Barnes & Noble locations.  The lawsuit, In re Barnes & Noble Pin Pad Litigation, No. 12-cv-8617 (N.D. Ill.), was brought by consumers who had used credit and debit cards at Barnes & Noble during the time period of the breach. The operative complaint pleaded several causes of action against Barnes & Noble, including breach of implied contract and the violation [...] Read more

Data Monetization and State Privacy Laws

On June 8, magazine publisher Trusted Media Brands, Inc. settled a class action lawsuit for $8.2 million after purportedly disclosing the personal information and magazine choices of customers to third parties.  The lawsuit, Taylor v. Trusted Media Brands, Inc., No. 7:16-cv-01812 (S.D.N.Y. June 8, 2017), alleged that the publisher’s actions violated Michigan’s Video Rental Privacy Act (VRPA), demonstrating the sometimes hidden legal risks of data monetization. VRPA, inspired by the federal Video Privacy Protection Act, was passed in 1988 and applies to the purchase, rental, or borrowing [...] Read more

Fourth Circuit Court of Appeals Allows Wikimedia Upstream Suit to Proceed

On May 23, 2017, the Fourth Circuit Court of Appeals issued its opinion on Wikimedia Foundation v. NSA/CSS. The Court vacated and remanded the NSA’s previously successful motion to dismiss Wikimedia’s Fourth and First Amendment claims against the NSA’s Upstream surveillance program, while a 2-1 majority upheld the dismissal of the eight other organizations joined as co-plaintiffs. The Court held that Wikimedia’s complaint contained sufficient factual allegations to determine Article III standing and that the District Court misapplied Clapper v. Amnesty International USA’s analysis of [...] Read more

Facebook Fined for WhatsApp Data Linking Fallout

On 18 May 2017, the European Commission (“Commission”) fined Facebook €110 million ($122 million) for misrepresentations made in its application for competition clearance of the company’s acquisition of WhatsApp. In its merger application, Facebook claimed that it would be unable to automatically match Facebook users’ accounts and WhatsApp users’ accounts for marketing and other purposes. However, in August 2016, WhatsApp introduced functionality enabling the linking of WhatsApp users’ phone numbers with Facebook users’ identities. This is the first time since the new Merger Regulation [...] Read more

Court Holds Forensic Investigator’s Report is Protected from Disclosure

Third-party forensic investigations performed at the direction of counsel are part-and-parcel of virtually every data breach.  There has been little case law, however, directly addressing the extent to which the attorney-client privilege and/or work product doctrine protects those forensic investigations from disclosure.  Last week, the Central District of California held that, under the specific facts at issue, that information is indeed protected by at least the attorney work product doctrine. In In re Experian Data Breach Litigation, 15-1592 (C.D. Cal. May 18, 2017), the Court considered [...] Read more

President Trump Signs Long-Awaited Cyber Executive Order

On May 11, 2017, President Trump signed a long-awaited executive order on cybersecurity (the “Order”).  The Order directs executive agencies to complete a risk management report based on the NIST Cybersecurity Framework (the “Framework”) and also requires the Department of Homeland Security (DHS) and other agencies to undertake activities in support of effective cybersecurity risk management for operators of critical infrastructure.  More generally, the Order directs several agencies to submit reports to the President on a varied set of cybersecurity-related topics.  These measures demonstrate [...] Read more

Outbreak of “WannaCry” and “Wanna Decryptor” Ransomware Affects Companies Across the Globe

On Friday, May 12, companies in countries across the globe witnessed an unprecedented malware outbreak as ransomware labeled “WannaCry” and “Wanna Decryptor” infected a large range of critical systems. The malware exploits a vulnerability in older versions of Microsoft’s Windows, locks the systems it infects, and threatens to delete files unless a bitcoin ransom is paid. What happened? An attacker or group of attackers unleashed a wave of ransomware infections beginning on Friday, May 12. More so than previous attacks, this outbreak resulted in substantial disruption to regular [...] Read more

Swire Discusses European Data Economy at European Political Strategy Centre Policy Hearing

Peter Swire, Alston & Bird Senior Counsel and Nancy J. and Lawrence P. Huang Professor of Law and Ethics at the Georgia Institute of Technology’s Scheller College of Business, recently participated in a policy hearing held by the European Political Strategy Centre, the in-house think tank of the European Commission. Swire joined five other experts in answering a series of questions posed by the Centre’s moderators on how Europe can build its data economy to compete globally, protect fundamental privacy rights, and guard against anti-competitive behavior. In his remarks, Swire pointed [...] Read more