Class Action Litigation Trends: A How-To Guide

There is a great deal of misunderstanding concerning data security breach-related class actions. In large part the media and the legal media have exaggerated the quantity (and success) of class action litigation. …

Data Breach Notification Laws: A How-To Guide

Although Congress has attempted to agree on federal data breach notification legislation, there is no national data breach notification law that applies to most companies. Instead, 48 states, plus the District of Columbia, Puerto Rico, Guam, and the Virgin Islands, have each enacted their own statutes addressing an organization’s notification obligations in the wake of a data breach involving personal information. The only states without such laws are Alabama and South Dakota, although their citizens may be covered in some situations by the data breach laws of other states. …

Credit Monitoring Services: A How-To Guide

Organizations are generally not required to offer services to consumers whose information was involved in a breach.1 Nonetheless, many organizations choose to offer credit reports (i.e., a list of the open credit accounts associated with a consumer), credit monitoring (i.e., monitoring a consumer’s credit report for suspicious activity), identity restoration services (i.e., helping a consumer restore their credit or close fraudulently opened accounts), and/or identity theft insurance (i.e., defending a consumer if a creditor attempts to collect upon a fraudulently opened account and reimbursing a consumer for any lost funds). In addition, if you do offer one of these services, a 2014 California statute and a 2015 Connecticut law prohibit you from charging the consumer for them. …

Selecting a Forensic Investigator: A How-To Guide

Many competent IT departments lack the expertise, hardware, or software to preserve evidence in a forensically sound manner and to thoroughly investigate a security incident. In-house counsel needs to be able to recognize such a deficiency quickly – and before evidence is lost or inadvertently destroyed – and retain external resources to help collect and preserve electronic evidence and investigate the incident. …

Wire Transfer Fraud: A How-To Guide

Businesses are increasingly falling victim to wire fraud scams – sometimes referred to as “man-in-the-email” or “business email compromise” scams. Although there are multiple variants, a common situation involves an attacker gaining access to the email system of a company, or the company’s vendor, and monitoring email traffic about an upcoming transaction. When it comes time to submit an invoice or a payment, the attacker impersonates one of the parties and sends wire instructions asking that payment be sent to the attacker’s bank account. …

Data Breach Notification In the EU: A Comparison of US and Soon-To-Be EU Law

In the United States Congress has repeatedly attempted, but failed, to agree on federal data breach notification legislation. As a result, there is no single federal statute that imposes a breach notification obligation on most companies. Instead, 47 states, plus the District of Columbia, Puerto Rico, Guam, and the Virgin Islands, have enacted their own statutes addressing an organization’s notification obligations in the wake of a data breach. The only states without such laws are Alabama, New Mexico, and South Dakota, although their citizens may be covered in some situations by the data breach laws of other states. …

Incident Response Plans: A Comparison of US Law, EU Law and Soon-To-Be EU Law

The best way to handle any emergency is to be prepared. When it comes to data breaches, an incident response plan is the first step organizations take to prepare. In the United States, incident response plans are commonplace. Since 2005, the federal banking agencies have interpreted the Gramm-Leach-Bliley Act as requiring financial institutions to create procedures for handling data security incidents.1 Although there is no federal statute that requires the majority of other types of organizations to create an incident response plan, state data safeguards and data breach notification statutes provide incentives for many other organizations to craft response plans. …

Class Action Litigation Trends

There is a great deal of misunderstanding concerning data security breach-related class actions. In large part the media and the legal media have exaggerated the quantity (and success) of class action litigation. The following provides an overview of the risks associated with lawsuits following data security breaches. …

Guidelines for Retaining a Forensic Investigator

Many competent IT departments lack the expertise, hardware, or software to preserve evidence in a forensically sound manner and to thoroughly investigate a security incident. In-house counsel needs to be able to recognize such a deficiency quickly – and before evidence is lost or inadvertently destroyed – and retain external resources to help collect and preserve electronic evidence and investigate the incident…

Bryan Cave Data Security Breach Handbook 2016

Since the first publication of this handbook in 2014, the legal ramifications for mishandling a data security incident have become more severe. In the United States, the number of federal and state laws that claim to regulate data security has mushroomed. The European Union has also enacted a new General Data Protection Regulation which will impose a breach notification framework similar to the United States model across the EU, but with significantly enhanced penalties. This handbook provides a basic framework to assist in-house legal departments with handling a security incident. …

Data Breach Handbook for the Restaurant Industry

Although statistics vary, in 2015 there were approximately 3,930 incidents involving data loss and, according to one watchdog group, those incidents impacted over 736 million consumer records. Many of those data security breaches involved nationwide restaurant chains. According to one study, the Food and Beverage industry was the victim of 10% of all security compromises and data breaches in 2015, ranking third behind Retail and Hospitality. This handbook provides a basic framework to assist in-house legal departments with handling a security incident, with the restaurant industry in mind. …

Data Security Breach Handbook for Hotels, Venues, & the Hospitality Industry

Media reports about data security breaches have become an almost daily occurrence. Increased publicity reflects the simple fact that data breaches have grown in frequency and scope. According to one study, the hospitality industry was the victim of 14% of all security compromises and data breaches in 2015, ranking second only to the broader retail industry. This handbook provides a basic framework to assist in-house legal departments with handling a security incident, with the hospitality industry in mind. …

Valdetero Discusses Data Privacy at CLE by the Sea

July 2016

On July 12, Chicago Partner Jena Valdetero discussed issues that all businesses face with regard to protecting their own data, the data of their clients, and their proprietary information at CLE by the Sea in Coronado, Calif. The three-day conference, organized by the State Bar of Arizona, provided attendees with a year’s worth of MCLE credit hour requirements. Valdetero’s panel provided practical guidance on what lawyers should discuss with clients as to what they can and should be doing to protect their business data. The panel was moderated by Phoenix Partner Bob Shely.

Jena received excellent ratings on the seminar evaluation form. One of the comments on the evaluation forms said: “Jena was great! … Jena’s contributions tied the relevance of their input to law, clients and litigation.”

Data Privacy Lawyers in ‘Journal of Consumer & Commercial Law’

June 2016

The Journal of Consumer & Commercial Law republished Bryan Cave’s 2016 Data Breach Litigation Report, written by Boulder Partner David Zetoony, Chicago Partner Jena Valdetero and Associate Joy Anderson. The report offers a comprehensive analysis of class action lawsuits involving data security breaches filed in United States district courts. Click here to view the republished report in the journal’s Summer 2016 issue.

A Side-By-Side Comparison of “Privacy Shield” and the Controller-Controller Model Clauses

The EU Data Protection Directive 95/46/EC (the “Directive”) creates the legal framework for the national data-protection laws in each EU member state. The Directive states that personal data may only be transferred to countries outside the EU when an adequate level of protection is guaranteed, and traditionally the EU does not consider the laws of the United States as “adequate” unless a company (1) enters into EU Commission preapproved model contractual clauses with the data recipient, (2) sends data to a corporate affiliate in the US that is under the scope of “Binding Corporate Rules,” or (3) entered the EU-US Safe Harbor Framework.

Most data controllers that were based in the US complied with the Directive by entering the pre-approved controller-controller model clauses or the EU-US Safe Harbor Framework. In October of 2015, the EU-US Safe Harbor Framework was invalidated by the European Court of Justice. As a result, many of the companies that had relied upon the Safe Harbor switched to the controller-controller model clauses; the use of those clauses became far and away the most popular way to comply with the Directive if you were a data controller.

On July 12, 2016, the EU formally approved a new mechanism for transferring data to the United States called the “Privacy Shield.” Although you can find a full discussion of the history, and implementation, of Privacy Shield here, the best way for a company to understand Privacy Shield (and decide if it wants to use it going forward) is to do a side-by-side comparison of the Privacy Shield against the mechanism that it currently uses, used, or is considering. Our series of side-by-side comparisons has already included a Privacy Shield/Safe Harbor side-by-side comparison and a Privacy Shield/Controller-Processor Clauses side-by-side comparison.

Click here to view the side-by-side comparison of the Privacy Shield and the Controller-Controller Model Clauses.

A Side-By-Side Comparison of “Privacy Shield” and the Controller-Processor Model Clauses

The EU Data Protection Directive 95/46/EC (the “Directive”) creates the legal framework for the national data-protection laws in each EU member state. The Directive states that personal data may only be transferred to countries outside the EU when an adequate level of protection is guaranteed, and traditionally the EU does not consider the laws of the United States as “adequate” unless a company (1) enters into EU Commission preapproved model contractual clauses with the data recipient, (2) sends data to a corporate affiliate in the US that is under the scope of “Binding Corporate Rules,” or (3) entered the EU-US Safe Harbor Framework.

Most data processors (e.g., service providers) that were based in the US complied with the Directive by entering the pre-approved controller-processor model clause or the EU-US Safe Harbor Framework. In October of 2015, the EU-US Safe Harbor Framework was invalidated by the European Court of Justice. As a result, many of the companies that had relied upon the Safe Harbor switched to the controller-processor model clauses; the use of those clauses became far and away the most popular way to comply with the Directive.

On July 12, 2016, the EU formally approved a new mechanism for transferring data to the United States called the “Privacy Shield.” Although you can find a full discussion of the history, and implementation, of Privacy Shield here, the best way for a company to understand Privacy Shield (and decide if it wants to use it going forward) is to do a side-by-side comparison of the Privacy Shield against the mechanism that it currently uses, used, or is considering. Our series of side-by-side comparisons started with a Privacy Shield/Safe Harbor comparison published here.

Click here to view the side-by-side comparison of the Privacy Shield and the Controller-Processor Model Clauses.

Data Breach Litigation Report in ‘Wall Street Journal,’ ‘Dow Jones’

June 2016

Bryan Cave’s 2016 Data Breach Litigation Report was cited June 26 by The Wall Street Journal and Dow Jones in articles about whether hacked companies should have to compensate exposed customers. “Overall, only 5% of data breaches in the U.S. have led to lawsuits, but the highest-profile cyberattacks can spawn more than a hundred suits, according to a study by law firm Bryan Cave LLP,” The Wall Street Journal article stated. Bryan Cave’s 2016 Data Breach Litigation Report was written by Boulder Partner David Zetoony, Chicago Partner Jena Valdetero and Associate Joy Anderson. The report offers a comprehensive analysis of class action lawsuits involving data security breaches filed in U.S. district courts. Click here to view the original report.

How to Evaluate a Credit Monitoring Service (2016)

Organizations are generally not required to offer services to consumers whose information was involved in a breach.1 Nonetheless, many organizations choose to offer credit reports (i.e., a list of the open credit accounts associated with a consumer), credit monitoring (i.e., monitoring a consumer’s credit report for suspicious activity), identity restoration services (i.e., helping a consumer restore their credit or close fraudulently opened accounts), and/or identity theft insurance (i.e., defending a consumer if a creditor attempts to collect upon a fraudulently opened account and reimbursing a consumer for any lost funds). In addition, if you do offer one of these services, a 2014 California statute and a 2015 Connecticut law prohibit you from charging the consumer for them. …

Snapshot of Bryan Cave’s 2016 Data Breach Litigation Report

Bryan Cave LLP began its survey of data breach class action litigation four years ago. We are proud that our annual survey has become the leading authority on data breach class action litigation and is widely cited throughout the data security community. Click here to view an infographic containing select key findings from our report.

Click here to read the full text of the 2016 Data Breach Litigation Report.

How to Avoid or Respond to Wire Transfer Fraud (2016)

Businesses are increasingly falling victim to wire fraud scams – sometimes referred to as “man-in-the-email” or “business email compromise” scams. Although there are multiple variants, a common situation involves an attacker gaining access to the email system of a company, or the company’s vendor, and monitoring email traffic about an upcoming transaction. When it comes time to submit an invoice or a payment, the attacker impersonates one of the parties and sends wire instructions asking that payment be sent to the attacker’s bank account….
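The wire transfer fraud passages on this page describe the scam but not how a mail gateway or a security operations team would catch it. The following is an added example, not code from the original page or from Bryan Cave. It scores an inbound message on the two things the fraud depends on: a sender that only looks like the vendor (a look-alike domain, a Reply-To that diverts replies elsewhere, or a display name borrowed from a trusted vendor) and a request to change where money is sent. The vendor trust list, the domain names and the three sample messages are constructed for the example. The third case is the one the text describes, an attacker inside the vendor's real mailbox: every sender check passes, so the only safe control is to verify any change of payment instructions out of band, through a phone number already on file rather than one supplied in the email.

```python
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Constructed trust list (an assumption for this example): vendor domain -> display name
TRUSTED_VENDORS = {"acme-supply.example": "acme supply"}

# Character swaps commonly used to register look-alike domains
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Wording that signals a change of payment destination
PAYMENT_CHANGE = re.compile(
    r"\b(new|updated?|changed?|revised)\b.{0,40}?\b(bank|wire|account|routing|beneficiary)\b"
    r"|\bwire (instructions|details)\b",
    re.IGNORECASE | re.DOTALL,
)


def normalize(domain: str) -> str:
    """Fold case, Unicode compatibility forms and confusable characters."""
    d = unicodedata.normalize("NFKC", domain).lower().strip()
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    if domain in TRUSTED_VENDORS:
        return None
    nd = normalize(domain)
    for trusted in TRUSTED_VENDORS:
        nt = normalize(trusted)
        # same name under another TLD (acme-supply.co), a confusable swap, or a close typo
        if nd.split(".")[0] == nt.split(".")[0] or edit_distance(nd, nt) <= 2:
            return trusted
    return None


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: str) -> dict:
    """Classify one RFC 5322 message (plain-text body assumed) into a handling action."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    body = msg.get_payload()

    sender, payment = [], []
    if reply_dom and reply_dom != from_dom:
        sender.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")
    target = lookalike_of(from_dom)
    if target:
        sender.append(f"sender domain {from_dom} imitates trusted domain {target}")
    for dom, vendor in TRUSTED_VENDORS.items():
        if vendor in name.lower() and from_dom != dom:
            sender.append(f"display name '{name}' impersonates {dom}")
    if PAYMENT_CHANGE.search(body):
        payment.append("message asks to change payment destination")

    if payment and sender:
        action = "quarantine"
    elif payment:
        # A compromised vendor mailbox yields a clean sender: confirm by phone
        # using contact details already on file, never those in the message.
        action = "verify out of band"
    elif sender:
        action = "flag"
    else:
        action = "deliver"
    return {"action": action, "indicators": sender + payment}


# Constructed sample messages (not real traffic)
LEGIT_INVOICE = """From: Acme Supply Billing <billing@acme-supply.example>
Subject: Invoice 4471

Please find attached invoice 4471, due in 30 days.
"""

LOOKALIKE_SENDER = """From: Acme Supply Billing <billing@acme-supp1y.example>
Subject: Invoice 4471 - updated wire instructions

We have changed our bank account. Please send payment to the new account below.
"""

COMPROMISED_MAILBOX = """From: Acme Supply Billing <billing@acme-supply.example>
Subject: Re: Invoice 4471

Our bank has changed; please use the new routing number below for this payment.
"""
```

Run `triage()` over each constant to see the three outcomes: the genuine invoice is delivered, the look-alike sender asking for new wire details is quarantined, and the message from the real vendor mailbox is held for out-of-band verification. The keyword pattern is deliberately broad; in production the sender checks would be fed from the mail gateway's SPF/DKIM/DMARC results and the vendor list from the accounts-payable master data rather than a literal in the script.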

Valdetero Quoted in ‘Law360’

April 2016

Chicago Partner Jena Valdetero was quoted April 19 by Law360 regarding ways that general counsel can stave off future data breach litigation. Valdetero, who is co-leader of Bryan Cave’s Data Breach Response Team, explained the importance of having a lawyer on a company’s data breach response team. “Bring in the law department, if you have one, or outside breach counsel who’s experienced with this type of work because you’ll want to conduct your investigation to the extent possible under attorney-client privilege,” Valdetero says. The article also quoted Bryan Cave’s 2016 Data Breach Litigation Report, authored by Boulder Partner David Zetoony, Chicago Associate Joy Anderson and Valdetero.

2016 Data Breach Litigation Report

Data security breaches – and data security breach litigation – dominated the headlines in 2015 and continue to do so in 2016. Continuous widely publicized breaches have led to 30,000 articles a month being published that reference data breach litigation. Law firms have collectively published more than 156,000 articles on the topic.

While data breach litigation is an important topic for the general public, and remains one of the top concerns of general counsel, CEOs, and boards alike, there remains a great deal of misinformation reported by the media, the legal press, and law firms. At best this is due to a lack of knowledge and understanding concerning data breach litigation; at worst some reports border on sensationalism or fearmongering.

Bryan Cave LLP began its survey of data breach class action litigation four years ago to rectify the information gap and to provide our clients, as well as the broader legal, forensic, insurance, and security communities with reliable and accurate information concerning data breach litigation risk. We are proud that our annual survey has become the leading authority on data breach class action litigation and is widely cited throughout the data security community…

How to Select a Qualified Security Assessor (“QSA”)

Retailers that accept credit cards are typically required by the payment card brands to show that they are in compliance with the Payment Card Industry Data Security Standards or “PCI DSS” at least once a year. How a retailer is permitted to show compliance depends in part on whether the retailer has a history of data security issues (e.g., have they suffered a breach) and the quantity of credit cards that the retailer transacts each year. Typically retailers that have either had a data security breach, or transact large quantities of credit cards, are required to retain a Qualified Security Assessor or “QSA” to conduct an audit and to provide an independent report showing whether the retailer is in compliance with the PCI DSS. Retailers that have not experienced a data breach and transact relatively few cards are often permitted to self-certify their compliance with the PCI DSS…

Valdetero Presents at ACC Data Privacy Program

Aug. 17-18, 2016

Chicago Partner Jena Valdetero participated in panel discussions Aug. 17 and 18 hosted by the Association of Corporate Counsel Chicago and Jordan Lawrence: Assessing Your Data Security & Privacy Risks: Pragmatic Advice for Mitigating & Managing Liabilities. Bryan Cave co-sponsored the events, and the Aug. 18 event was held in Bryan Cave’s Chicago office. Valdetero heads up the firm’s data breach response team, with a specific focus on counseling, compliance, and litigation. She is a member of the International Association of Privacy Professionals.

Wire Transfer Fraud At A Glance (2015)

Businesses are increasingly falling victim to wire fraud scams – sometimes referred to as “man-in-the-email” or “business email compromise” scams. Although there are multiple variants, a common situation involves an attacker gaining access to the email system of a company, or the company’s vendor, and monitoring email traffic about an upcoming transaction . . .

Data Breach Investigations: Ethical Considerations for In-House Counsel when Publicly Reporting a Security Incident

December 3, 2015

Data security and data privacy issues have risen with extraordinary speed to become “top ten” priorities for boards of both public and private companies alike. Yet board members and executives often find themselves ill-equipped to assess and address their quickly expanding responsibilities in these areas. Join Jason Haislmaier of Bryan Cave LLP for a discussion of the growing legal, regulatory, and shareholder requirements and expectations regarding data security and privacy confronted by board members and executives. More than just another rundown of why board members and executives should be concerned with data security and privacy issues, this presentation also provides strategies and practices for both advising and supporting board members and executives in these quickly expanding areas.

Trends in Data Breach Litigation At A Glance (2015)

While General Counsel cite class action fears as one of their top concerns following a data breach, there is a great deal of misunderstanding concerning the nature of data security breach class action litigation . . .

Forensic Investigators At a Glance (2015)

Many competent IT departments lack the expertise, hardware, or software to preserve evidence in a forensically sound manner and to thoroughly investigate a security incident. In-house counsel needs to be able to recognize such a deficiency quickly — and before evidence is lost or inadvertently destroyed — and retain external resources to help collect and preserve electronic evidence and investigate the incident. . .

Webinar: Understanding Data Security Litigation: A guide for In-house counsel

October 6, 2015

This program provides an overview of the types of legal and regulatory claims a company may be faced with in the wake of a data breach. In-house counsel should walk away understanding the potential exposure faced by their companies and strategies for defeating such claims.  Click here to register for the live program, or to access a recording.

Breach Notification Laws At A Glance (2015)

Although Congress has attempted to agree on federal data breach legislation, there is no national data breach notification law that applies to most companies. Instead, 47 states, plus the District of Columbia, Puerto Rico, Guam, and the Virgin Islands, have each enacted their own statutes addressing an organization’s notification obligations in the wake of a data breach involving certain types of personally identifiable information (“PII”). . .

Data Class Action Litigation At A Glance (2015)

According to FBI Director James Comey, “there are two kinds of big companies in the United States. There are those who’ve been hacked…and those who don’t know they’ve been hacked.” It is no wonder that management is increasingly concerned about the risks that flow from a data breach, especially the risk that their company will face a class action lawsuit. . .

Webinar: Data Breach Investigations: Ethical Considerations for In-House Counsel

February 10, 2015

Data security breaches are now unavoidable. The question is whether in-house counsel are prepared to deal with a breach when it occurs. In addition to the legal and practical questions that arise from a data breach, in-house counsel must often navigate several ethical dilemmas. David Zetoony, Jena M. Valdetero and Jennifer Mammen discuss ethical issues that typically arise when investigating a security incident. These include coordinating an incident response, interactions with employees that may be responsible for causing a security incident, and managing external resources such as forensic investigators and outside counsel. The program focuses on issues of confidentiality and conflicts. Specific ethical rules, cases, and opinions to be discussed include: ABA Model Rules (e.g., Confidentiality of Information (1.6), Conflict of Interest (1.7), Organization as client (1.13), Duties to prospective client (1.18), Advisor (2.1), Lawyer as witness (3.7), Truthfulness in statements to others (4.1)); Upjohn; and various state bar ethics opinions.

Speakers

Jena Valdetero

David Zetoony

Jennifer Mammen

Webinar: PCI Data Breach Preparedness

January 27, 2015
The Bryan Cave Payments Team, along with special guest speaker Andi Baritchi, the principal in charge of Verizon’s PCI Practice, hosted a webinar that focused on PCI data breaches.

Speakers

Courtney Stout

Jena Valdetero

Credit Monitoring Services At a Glance (2015)

Companies are not required to offer services to consumers whose information was involved in a breach. Nonetheless, many organizations choose to offer credit reports, credit monitoring, identity restoration services, and/or identity theft insurance.  If you do offer one of these services a 2014 California statute prohibits you from charging the consumer for them. . .

Data Breach Handbook

Media reports about data security breaches have become an almost daily occurrence. Increased publicity reflects the simple fact that data breaches have grown in frequency and scope. Although statistics vary, last year there were approximately 1,465 incidents involving data loss. . .

Valdetero, Zetoony to Chair Regional Networks of Privacy Professionals

January 2015

David Zetoony and Jena Valdetero have been selected to lead local chapters of the International Association of Privacy Professionals (IAPP). Zetoony, who recently relocated from Washington, D.C., to Colorado, will co-chair the IAPP’s Colorado regional network, while Valdetero will co-chair the Illinois regional network. Both will serve a two-year term, beginning January 2015. Click here to read more.