Last week, the European Commission unveiled the latest documentation related to the EU-U.S. Privacy Shield intended to restore trust in transatlantic data transfer and establish a mechanism for U.S. companies to once again transfer data from the EU with confidence. We wrote last month about the initial announcement of the Privacy Shield but expressed caution about whether the European Union and the United States would be able to iron out the details of the complicated agreement before the February 29, 2016 deadline set by the Article 29 Working Party (“WP29”).  But it appears that the two sides were able to make significant progress in the month of February, and the European Commission released more than 120 pages of documentation setting forth the new Privacy Shield requirements.

There are many details in the documentation released last week, but following are the key points:

  • Participating organizations will be required to follow rules related to consent, relevance, proportionality, access and correction.
  • Arbitration will be available for disputes.
  • Participating organizations will be required to provide additional information to data subjects at the point of consent.
  • Participating organizations must implement stronger controls on data transfers to third-party data processors and controllers.
  • Participating organizations must commit to address EU member complaints “expeditiously” through the FTC.
  • The FTC will verify self-certification.

It remains to be seen whether this will be enough to satisfy key stakeholders in the EU. WP29 has announced that it will provide its opinion on the level of protection afforded by the Privacy Shield on April 13, 2016. We will continue to monitor these developments and keep you apprised.

In a February 19th speech at the annual SEC Speaks conference, Stephanie Avakian, Deputy Director of the SEC’s Division of Enforcement, explained what the SEC expects of entities that experience a cyber intrusion and how the SEC decides whether to investigate such entities.

With respect to responding to cyber intrusion, the SEC’s stated expectations are high level and axiomatic. Entities are expected to (1) assess the situation, (2) address the problem and (3) minimize the damage. Ms. Avakian emphasized the importance of quickly involving authorities such as the FBI or Department of Homeland Security.

Ms. Avakian also expressed awareness of the practical impediments to self-reporting cyber intrusions to the SEC. Specifically, entities may be hesitant to do so for fear of triggering an investigation and enforcement action regarding their policies/procedures and implementation thereof. To assuage this concern, Ms. Avakian noted that the SEC’s goals in the cybersecurity area are to prevent hacking, protect customer data and ensure the smooth operation of America’s financial system. In other words, the SEC—at least from a priority standpoint—is on the same side as the entities that may fall prey to a cyber intrusion. In the case of registrants, when investigating cyber intrusions the SEC will focus on whether a registrant had policies and procedures reasonably designed to protect customer data and related remediation action plans. In the case of public companies, the SEC is not looking to second-guess good-faith decisions regarding data privacy, and would likely not bring an enforcement action against a cyber intrusion victim absent a “significant” disclosure issue. Ms. Avakian also pointed out that entities who self-disclose cyber intrusions will be rewarded with cooperation credit.   Continue Reading SEC Speaks: How the SEC Decides Whether to Investigate Breached Entities

Politicians in both the European Union and United States touted Tuesday’s agreement on a new “Privacy Shield” for EU-U.S. data transfers as a resolution to the data transfer quagmire that has faced companies since the EU-U.S. Safe Harbor was invalidated in October. While this new deal is a promising step in the right direction for companies that transfer data from the EU to the United States, there are still many questions about exactly what the requirements of the new Privacy Shield will be, how an American company can ensure compliance with those requirements and (perhaps most importantly) whether the European Court of Justice will validate the new rules.

Indeed, the deal heralded by politicians on both sides of the Atlantic appears to be only a high-level agreement—they expect to document the actual terms over the next few weeks (the Article 29 Working Party (WP29), the body made up of representatives of individual European Member States’ data protection authorities, has called for it to be fully documented by the end of February). Thus, we anticipate quite a bit more negotiation on the precise scope and language of the requirements. Meanwhile, WP29, which had been assessing data transfer mechanisms like standard contractual clauses and model contracts for possible flaws that would lead to enforcement actions, announced that it will not take enforcement actions based on its concerns about these mechanisms while it awaits the details of the new transfer deal. Continue Reading Privacy Shield Offers Hope on EU-U.S. Data Transfer—For Now

In a well-reasoned and encouraging decision to Internet businesses, the Northern District of Illinois recently found that even operating one of the largest, most popular websites in the world is not enough to create personal jurisdiction everywhere the site can be accessed. See Gullen v. Facebook, Inc., Case No. 15-cv-07681 (Jan. 21, 2016 N.D. Ill.). The court relied heavily on the Supreme Court’s decision in Walden v. Fiore, 134 S. Ct. 1115 (2014), and the Seventh Circuit’s decision in Advanced Tactical Ordnance Sys. LLC v. Real Action Paintball, LLC, 751 F.3d 796 (7th Cir. 2014), to hold that the Northern District of Illinois lacked specific personal jurisdiction over defendant Facebook.

The plaintiff in Gullen alleged that Facebook had unlawfully obtained and stored his biometric information without authorization. Id. at 2. To support personal jurisdiction, the plaintiff argued that Facebook was registered to do business in Illinois, had a sales and advertising office in Illinois, and “target[s] its facial recognition technology to millions of users who are residents of Illinois.” Id. at 3-4. The court found these alleged contacts insufficient to confer specific personal jurisdiction because the plaintiff had not connected the allegedly wrongful conduct to the Illinois business registration or office and had tacitly admitted that Facebook’s alleged collection of biometric information was not targeted at Illinois residents but instead applied to Facebook users generally. Id. “[T]he Seventh Circuit has rejected the notion that an online merchant’s operation of an interactive site is sufficient to confer specific jurisdiction on it in every state from which the site can be accessed. . . . Because plaintiff does not allege that Facebook targets its alleged biometric collection activities at Illinois residents, the fact that its site is accessible to Illinois residents does not confer specific jurisdiction over Facebook.” Id. at 4-5.

Facebook is, of course, a global social media presence with substantial connections to Illinois. Nevertheless, the court emphasized that the contacts must be contacts that the defendant (not the plaintiff or a third party) created. Id. at 3 (“We have consistently rejected attempts to satisfy the defendant-focused ‘minimum contacts’ inquiry by demonstrating contacts between the plaintiff (or third parties) and the forum State.”). The court found there was no personal jurisdiction because “plaintiff does not, and could not plausibly, allege that Facebook knew an Illinois resident would upload a photo of him and tag his name to it, thereby (allegedly) giving Facebook access to plaintiff’s biometric information.” Id. at 5.

In light of Walden, Advanced Tactical and Gullen, defendants in cases arising from alleged online conduct should carefully consider challenging personal jurisdiction. If a site like Facebook with “millions” of in-state contacts is not subject to personal jurisdiction, many other Internet companies should be able to successfully challenge personal jurisdiction based on the rationale laid out in these decisions.

Brokers around the globe are proselytizing about insurance for cyber risks. They say gaps in typical business coverages leave companies exposed to high costs and potentially extraordinary liability without coverage specifically tailored to cyber risks (including, but not necessarily limited to, data breach). And these brokers are right. The brokers, however, are sometimes wrong in encouraging their clients to opt into cyber coverage policies that are far less than ideal.

Recently, a client asked me to review various cyber coverage options presented to it by its broker. The broker had told the client that the cheapest option was, fortunately from the broker’s perspective, the best option. But as I reviewed the various cyber coverage forms, I was reminded that you often get what you pay for. Continue Reading Holy Cr*p! I Have an Insurance Gap for My Cyber Attack?

In 2014, we saw some of the largest, most expensive and most highly publicized data breaches in history. Unfortunately, the early forecast for 2015 does not appear to be any better. According to Experian’s 2015 Data Breach Industry Forecast, the risk of experiencing a data breach is higher than ever (almost half of all organizations have suffered at least one security incident in the last 12 months). In the Information Age, it has become increasingly clear that the question is when, not if, a company will have a cybersecurity incident. 

Speaking in June 2014 at a cyber risk conference at the New York Stock Exchange, SEC Commissioner Luis Aguilar emphasized the critical role that directors and officers must play in cybersecurity matters:

Given the significant cyber-attacks that are occurring with disturbing frequency, and the mounting evidence that companies of all shapes and sizes are increasingly under a constant threat of potentially disastrous cyber-attacks, ensuring the adequacy of a company’s cybersecurity measures needs to be a critical part of a board of director’s oversight responsibilities. . . . [B]oards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility do so at their own peril.

So what should directors and officers do to avoid becoming the “next Target” or the “next Home Depot?” Continue Reading Directors and Officers Ignoring Cybersecurity “Do So at Their Own Peril”