Recent cyber security and data privacy developments
July 2019 | EXPERT BRIEFING | RISK MANAGEMENT
Data privacy and cyber security continue to make headlines. Companies are continually being targeted by cyber criminals, ranging from lone hackers to state-sponsored hacking organisations, highlighting the risks and potential costs of cyber incidents across industries. At the same time, a growing and overlapping thicket of data security and privacy regulations, within the US and around the world, has continued to increase compliance costs and regulatory risks. This article surveys the significant cyber security and data privacy developments of 2018 and early 2019, and highlights some key takeaways and areas to watch going forward.
Major cyber attacks
Hackers have targeted a wide array of industries and have successfully gained access to large amounts of personally identifiable information (PII), including payment account information. Marriott International suffered the most significant breach of 2018. The company disclosed that approximately 383 million guests’ personal information was compromised when the Starwood Hotels guest reservation database was breached. Companies in the retail industry, including Under Armour, Saks and Lord & Taylor, also suffered significant breaches of their user data last year. The airline industry was also a frequent target, as Cathay Pacific, British Airways and Delta were targeted for their customers’ personal information. Businesses and governments also continue to be targeted by ransomware attacks, with debilitating effects on operations, as recently illustrated by the attack on one of the world’s largest aluminium producers, Norsk Hydro.
2018 also saw a number of significant US enforcement actions relating to cyber security and data privacy, at both the state and federal level. Uber, Equifax and Altaba (formerly Yahoo) were among companies that entered into costly settlements with state enforcement officers or the US Securities and Exchange Commission (SEC). In particular, Altaba agreed to pay $35m to settle allegations that Yahoo failed to timely disclose a 2014 breach in its securities filings.
In addition to bringing several enforcement actions, the SEC also issued several cyber security-related guidance documents, including updated cyber security disclosure guidance, and a Report of Investigation highlighting that public companies should implement sufficient internal controls to prevent and detect cyber-related frauds.
US legislative activity
All 50 US states and the District of Columbia have now enacted data breach notification laws. The California Consumer Privacy Act (CCPA), the most comprehensive data privacy law to date in the US, was enacted in 2018 and takes effect on 1 January 2020, giving California consumers broad rights in their personal information, and other states are considering similar statutes.
The patchwork of state laws and negative public sentiment about data sharing practices has led to increased support for some form of federal privacy legislation. Industry groups, including leading tech firms, have publicly advocated for a federal law that pre-empts the patchwork of state law requirements, but such pre-emption is opposed by state authorities. Multiple bills have been introduced recently, including the Consumer Data Protection Act, which is modelled on the European Union’s (EU’s) General Data Protection Regulation (GDPR), and which provides for prison sentences for misrepresentations by executives. It remains to be seen whether there will be any progress toward the passage of federal legislation in the future.
US court decisions
US courts have grappled with the issues raised by data breach litigation, often in the form of class actions following the announcement of a significant cyber incident. Proof of injury and Article III standing issues continue to be front and centre in data breach cases, although the Supreme Court has declined to review the standing issue in the data breach context, despite ongoing disagreements among circuit courts. 2018 also saw some of the first court decisions that focused on the merits of data breach claims at the pleading stage. Many of the decisions turned on the applicable state law, such as the pleading standards for damages, further underscoring the disparate set of obligations and liabilities companies may have across the 50 US states.
GDPR and related international developments
Cyber security and data privacy developments have been just as fast-paced outside of the US. The GDPR became fully applicable in May 2018 and represents the biggest change to EU data protection law in more than 20 years. The GDPR has an extraterritorial reach, imposes various new obligations upon organisations, and gives enhanced enforcement powers to Member States’ data protection supervisory authorities. In particular, supervisory authorities may levy fines of up to the higher of €20m or 4 percent of annual global revenue.
EU enforcement actions
Over the last year, data protection supervisory authorities have continued to take enforcement actions for breaches of the previous European data protection regime, although the basis for enforcement actions is shifting to the GDPR. Under the previous regime, the UK Information Commissioner’s Office (ICO) levied the maximum fine of £500,000 against Equifax for its 2017 data breach, and fined Uber £385,000 for failing to protect customers’ personal information relating to a 2016 cyber attack.
With respect to the GDPR, the Baden-Württemberg state data protection authority (LfDI) imposed one of the first monetary fines under the law, of €20,000, against Knuddels GmbH & Co KG, following a security breach which resulted in the theft of approximately 330,000 users’ information, including passwords the company had stored in plain text. In January 2019, the French supervisory authority (CNIL) issued its first GDPR-based fine of €50m against Google for its personalised advertising practices, alleging a lack of transparency and proper information for data subjects and the absence of a valid legal basis.
Other international developments
Several other countries have implemented, or are considering implementing, national data protection laws, often with parallels to the GDPR. Brazil’s new data protection law includes significant new data protection rules and transfer limitations similar to the GDPR, including data breach notification requirements and penalties of up to 2 percent of turnover in Brazil, up to approximately US$12m per violation. In addition, the mandatory breach reporting provisions under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), in force since November 2018, require entities affected by data breaches that pose a real risk of significant harm to report to the Canadian Office of the Privacy Commissioner and to notify the affected individuals as soon as feasible, and impose recordkeeping obligations for all breaches.
In Asia, China has adopted multiple new standards and draft or final regulations related to cyber security, including the national standard on protection of personal information, which became effective in May 2018. India is considering a new Personal Data Protection Bill, which is also modelled on the GDPR, with data localisation requirements, and will reportedly be high on the legislative agenda following the country’s recent elections.
Takeaways and looking ahead
The breaches disclosed and other developments in 2018 and early 2019 reinforce the importance of several issues in mitigating cyber risk.
Timely investigation and disclosure continues to be critical. While a number of companies were criticised for their tardiness in identifying the affected data and making subsequent disclosures, Under Armour made a disclosure four days after learning of its breach, which may have mitigated any reputational harm. Prompt disclosure has to be carefully managed, given the risks of disclosing inaccurate or incomplete information, which continues to present challenges. Uber’s recent settlement with the Federal Trade Commission (FTC) over its alleged failure to timely disclose the 2016 compromise of certain consumer and driver information by hackers who then extorted a payment from the company also underscores the fact that companies must be scrupulous in meeting their disclosure obligations, even if they believe the threat has been neutralised.
Cyber diligence in M&A transactions is essential. Marriott apparently inherited a compromised database when it merged with Starwood. Cyber diligence in M&A, including of a target’s information security systems and any past breaches, has become standard practice. Understanding and following best practices for diligence and contractual protections is more important than ever.
Third-party vendors remain an area of high risk. The breach of Delta’s customer information took place at one of its vendors, which allegedly did not inform Delta of the breach for several months. Conducting cyber diligence of vendors and negotiating contractual notification and indemnification obligations in the event of an incident are critical aspects of managing cyber security risk given the potential exposure.
Companies must be vigilant about protecting privilege. In In re United Shore Fin. Servs., LLC, the Sixth Circuit required a company to turn over materials relating to a privileged forensic data breach investigation because, the court concluded, the company had implicitly waived privilege when it asserted an affirmative defence based on the investigation’s conclusions. In order to maximise privilege over a data breach investigation, companies should ensure that forensic investigators are retained and supervised by outside counsel, that any forensic conclusions are maintained confidentially, and that implicit waiver is guarded against when defending litigation.
Companies must position themselves to adapt quickly. Legal requirements are multiplying and regulatory expectations are evolving rapidly. Companies must be forward thinking about their approach to data privacy in order to avoid constant and costly change and to identify cost-effective ways to minimise fragmentation due to multiple legal regimes. Particularly with the CCPA soon becoming effective alongside the GDPR, new requirements pending in other important jurisdictions, and regulatory focus on privacy and data security, global companies must be strategic and agile enough to stay on top of, and ideally ahead of, changing requirements.
Over the coming months, we expect legislative, regulatory and enforcement activity related to data privacy and cyber security to continue at a rapid pace, while data continues to become even more central to much of the economy. Areas to watch include: (i) the FTC seeking to take a more active role in the privacy space, including efforts to use its enforcement actions to impose particularised data security requirements; (ii) the continued proliferation of data privacy and cyber security requirements around the world, including the potential for federal privacy legislation in the US, with conditional support from private industry; (iii) intense negotiations between privacy advocates and industry over the implementation of California’s CCPA; (iv) increasing US litigation risk following a data breach, particularly with the potential ability of plaintiffs to forum shop for hospitable jurisdictions following a nationwide breach, and continued enforcement risk with respect to compliance with breach notification requirements; (v) more GDPR enforcement activity, including potentially actions relying on the GDPR’s extra-territorial reach; and (vi) shifting norms and expectations of regulators and other enforcement authorities with respect to customer consent and uses of customer data.
In summary, while cyber security and data privacy issues have made headlines and demanded the attention of boards and senior management over the last year, we expect the coming months to be just as eventful.
Jonathan S. Kolodner, Katherine Mooney Carroll and Rahul Mukhi are partners at Cleary Gottlieb Steen & Hamilton. Mr Kolodner can be contacted on +1 (212) 225 2690. Ms Carroll can be contacted on +1 (202) 974 1584. Mr Mukhi can be contacted on +1 (212) 225 2912.
© Financier Worldwide