Cleary Cybersecurity and Privacy Watch

Global Legal Developments related to Cybersecurity Incidents, Cyber Corporate Governance and Regulation Issues, and Privacy and Data Protection Laws

Blog Authors

AB C D E F G H I J K L M NOPQR STUV WXY Z

Latest from Cleary Cybersecurity and Privacy Watch

July 2019 Privacy and Cybersecurity Enforcement: Lessons for Management and Directors

By Jonathan S. Kolodner, Pamela L. Marcogliese, Alexis Collins, Rahul Mukhi & Anne Titus Hilby on August 5, 2019

In late July 2019, U.S. federal and state regulators announced three headline‑grabbing data privacy and cybersecurity enforcement actions against Equifax and Facebook. Although coverage of these cases has focused largely on their striking financial penalties, as important are the terms the settlements imposed on the companies’ operations as well as their officers, directors, and compliance professionals—and what they signal about potential future enforcement activity to come.…

Cleary Cybersecurity and Privacy Watch

CJEU Judgment in the Fashion ID Case: The Role as Controller Under EU Data Protection Law of the Website Operator that Features a Facebook ‘Like’ Button

By Natascha Gerlach, Andrea Mantovani & Eva Reggiani on August 2, 2019

On July 29, 2019, the Court of Justice of the European Union (“CJEU”) issued its judgment in Case C-40/17 (Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV). This is a landmark decision regarding the assessment of who has the responsibility for complying with data protection legislation in the context of embedding third-party features that regularly takes place on websites. The CJEU adopted a broad view of the situations in which a “joint controllership”…

Cleary Cybersecurity and Privacy Watch

New York Passes Expansive New Cybersecurity Law

By Jonathan S. Kolodner, Rahul Mukhi & Russell Mawn on July 29, 2019

On July 25, 2019, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security Act (the “SHIELD Act” or the “Act”), which expands data breach notification obligations under New York law and for the first time imposes affirmative cybersecurity obligations on covered entities. The Act makes five principal changes to existing New York law: Expanding the law’s jurisdiction to entities that maintain private information of New York residents, regardless…

Cleary Cybersecurity and Privacy Watch

UK Regulator Intends to Fine Marriott £99 Million for Personal Data Breach, Spotlighting M&A Cybersecurity Diligence

By Daniel Ilan, Natalie Farmer & Tom Wales on July 11, 2019

On 9 July, the UK Information Commissioner’s Office (“ICO”) issued a notice of its intention to fine Marriott International, Inc. (“Marriott”) £99,200,396 for alleged infringements of the EU General Data Protection Regulation ( “GDPR”) in connection with a cybersecurity incident notified to the ICO by Marriott in November 2018. The ICO’s public statement followed Marriott’s disclosure of the ICO’s intention to the US Securities and Exchange Commission (“SEC”) and comes just one day after the…

Cleary Cybersecurity and Privacy Watch

The DASHBOARD Act – Proposed New Law Would Force Large Technology Companies to Disclose the Value of Users’ Data

By Alexis Collins, Jane C. Rosen & Natalie Farmer on July 9, 2019

On June 24th, Senators Mark Warner (D-VA) and Josh Hawley (R-MO) introduced a bill that would require large technology companies to regularly disclose to their users and the Securities and Exchange Commission (SEC) the value of the user data they collect and monetize. The bipartisan bill, cited as the Designing Accounting Safeguards to Help Broaden Oversight and Regulations on Data (DASHBOARD) Act, is intended to capture major online platforms such as Amazon, Facebook, Google and…

Cleary Cybersecurity and Privacy Watch

UK Data Protection Regulator Issues Notice of Intention to Fine British Airways £183.4 Million for Personal Data Breach

By Natalie Farmer on July 8, 2019

The UK Information Commissioner’s Office (“ICO”) has issued a notice of intention to fine British Airways following an extensive investigation into the British Airways cybersecurity incident (notified by British Airways to the ICO in September 2018). The fine of £183.4 million relates to various alleged infringements of the EU General Data Protection Regulation (“GDPR”).…

Cleary Cybersecurity and Privacy Watch

District Court Finds Allegations That Data Breach Exposed Publicly Available and Non-Sensitive Personal Information Sufficient for Article III Standing

By Alexis Collins, Phillip L. Hurst & Miranda Gonzalez on July 1, 2019

Potentially signaling an expansion of the scope of constitutional standing in data breach cases, a district court in the Northern District of California recently held that the exposure of users’ non-sensitive, publicly available personal information may be sufficient to establish an injury-in-fact.[1]…

Cleary Cybersecurity and Privacy Watch

Legislators Propose Differing Approaches to Federalizing Corporate Responsibility for Data Breaches

By Rahul Mukhi, Alexis Collins & Russell Mawn on June 20, 2019

In the past year, members of the U.S. Congress and Senate on both sides of the aisle have proposed data privacy bills that would impose nationwide standards on companies who collect and/or share consumers’ personal information. Currently, all 50 states have separate, but often overlapping, data privacy regimes—each subjecting companies to various combinations of recordkeeping standards, data sharing restrictions, and data breach reporting requirements—creating a patchwork of state laws that can generate substantial uncertainty for…

Cleary Cybersecurity and Privacy Watch

Data Transfer Mechanisms to be Reviewed by CJEU After Irish Supreme Court Dismisses Facebook Appeal

By Natalie Farmer & Sienna Smallman on June 12, 2019

On 31 May 2019, the Supreme Court of Ireland dismissed Facebook’s appeal of the Irish High Court decision to refer questions regarding, among other things, the adequacy of the EU-U.S. Privacy Shield and the European Commission’s Standard Contractual Clauses to the Court of Justice of the EU (the “CJEU”). The CJEU will hear the case (C-311/18) on 9 July 2019.…

Cleary Cybersecurity and Privacy Watch

FTC Commissioners Continue Calls for National Data Privacy and Security Legislation

By Alexis Collins, Phillip L. Hurst & Tamara Wiesebron on May 29, 2019

On May 8, 2019, Commissioners from Federal Trade Commission repeated their calls for federal data privacy legislation enforceable by the FTC at a hearing by the House Committee on Energy & Commerce titled “Oversight of the Federal Trade Commission: Strengthening Protections for Americans’ Privacy and Data Security.”…

Cleary Cybersecurity and Privacy Watch

Global Legal Developments related to Cybersecurity Incidents, Cyber Corporate Governance and Regulation Issues, and Privacy and Data Protection Laws

Blog Authors

July 2019 Privacy and Cybersecurity Enforcement: Lessons for Management and Directors

CJEU Judgment in the Fashion ID Case: The Role as Controller Under EU Data Protection Law of the Website Operator that Features a Facebook ‘Like’ Button

New York Passes Expansive New Cybersecurity Law

UK Regulator Intends to Fine Marriott £99 Million for Personal Data Breach, Spotlighting M&A Cybersecurity Diligence

The DASHBOARD Act – Proposed New Law Would Force Large Technology Companies to Disclose the Value of Users’ Data

UK Data Protection Regulator Issues Notice of Intention to Fine British Airways £183.4 Million for Personal Data Breach

District Court Finds Allegations That Data Breach Exposed Publicly Available and Non-Sensitive Personal Information Sufficient for Article III Standing

Legislators Propose Differing Approaches to Federalizing Corporate Responsibility for Data Breaches

Data Transfer Mechanisms to be Reviewed by CJEU After Irish Supreme Court Dismisses Facebook Appeal

FTC Commissioners Continue Calls for National Data Privacy and Security Legislation

Company

Support

New to the Network