Photo of Courtney M. Bowman

What would companies need to do to comply with the law?

The Stop Hacks and Improve Electronic Data Security (SHIELD) Act imposes requirements in two areas: cybersecurity and data breach notification. The cybersecurity provisions of the proposed SHIELD Act would require companies to adopt “reasonable safeguards to protect the security, confidentiality and integrity” of private information. The Act provides examples of appropriate administrative, technical, and physical safeguards, such as designating an employee to oversee the company’s data security program; identifying “reasonably foreseeable” risks to data security; selecting vendors that can maintain appropriate safeguards; detecting, preventing and responding to attacks and system failures; and preventing unauthorized access to private information.

In November 2017, New York Attorney General Eric Schneiderman introduced the Stop Hacks and Improve Electronic Data Security (SHIELD) Act (the “Act”) in the state’s Legislature. Companies – big and small – that collect information from New York residents should take note, as the Act could mean increased compliance costs, as well as potential enforcement actions for those that do not meet the Act’s requirements. This blog post provides a breakdown of the essential components of the SHIELD Act and information on how to comply with this potential new law.

In 2017, there are few words that make companies – and their counsel – shudder more than “data breach.” Recent high-profile breaches and the resulting litigation have shown that breaches can be embarrassing, harmful to a company’s brand, and extremely expensive to handle – both in terms of response costs and, potentially, damages paid to the affected individuals, third parties, and regulators. As headline-grabbing security incidents increasingly become a fact of life, litigators need to develop familiarity with the issues associated with data breaches so they can be prepared to walk their clients through the aftermath. This is the first in a series of blog posts about what commercial litigators need to know about data breaches.

As explained in Part I and Part II of this series, U.S.-based commercial litigators should be aware that other countries’ privacy laws may affect their cases in unexpected ways. Perhaps the most likely stage for these issues to surface is during discovery, where materials of interest are located in another country, and that country’s privacy laws effectively prohibit counsel from removing those materials from the jurisdiction. This post provides an overview of some of the issues at the intersection of U.S. discovery practice and international privacy law.

On May 16, 2016, the Supreme Court decided Spokeo, Inc. v. Robins, ruling that a plaintiff must sufficiently allege an injury that is both concrete and particularized in order to have Article III standing, and further that a “bare procedural violation” of a plaintiff’s statutory right may not be sufficiently “concrete” under this analysis. This ruling has the potential to affect class actions generally, but may prove especially influential in privacy and data security class actions.

Although the volume of data that flows between the EU and the U.S. ensures that EU privacy law occupies most of the spotlight on the world stage, other countries have their own privacy laws worth noting as well.[1]

Different Types of Privacy Regimes

As a preliminary matter, it is important to keep in mind that most countries’ privacy regimes can be grouped into two categories: sectoral and comprehensive. As mentioned in the previous post, privacy law in the U.S. is sectoral, meaning that different laws and regulations govern data from one industry to the next. For example, the Health Insurance Portability and Accountability Act (HIPAA) includes a Privacy Rule and a Security Rule meant to protect people’s medical records; the Family Educational Rights and Privacy Act (FERPA) regulates the release of students’ educational records; and the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act applies to the financial industry. Further complicating matters is the fact that both the state and the federal governments may enact privacy laws, which has led to varying privacy-related requirements across the country.

Let’s say an American commercial litigator is working to defend a multinational client that has been sued in the U.S. The litigator may realize that he or she needs to collect emails or other documents from the client’s office in Germany, perhaps for discovery or investigation. However, the export of the data contained in those documents from Germany may, in certain circumstances, be illegal under German or EU privacy laws, and a lawyer unaware of the nature of these laws may find him- or herself in hot water.

Commercial litigators based in the U.S. often are surprised to learn that other countries’ privacy laws can present hurdles in their own domestic cases. However, the mere awareness that different jurisdictions take different approaches to privacy can go a long way toward easing the headaches inflicted by these varying (and often confusing) legal regimes. This post covers the basics of privacy law in the EU, and future posts in this series will delve further into the complexities of international privacy law and how it affects U.S.-based litigators.