
May 7, 2018
A Closer Look At Barnes & Noble Data Breach Ruling

Orange County partner Joshua Jessen and associate Ashley Van Zelst are the authors of “A Closer Look At Barnes & Noble Data Breach Ruling,” [PDF] published by Law360 on May 7, 2018.

April 17, 2018
Supreme Court Holds That Recent Legislation Moots Dispute Over Emails Stored Overseas

United States v. Microsoft Corp., No. 17-2
Decided April 17, 2018

Today, the Supreme Court held that Microsoft’s dispute with the federal government over the government’s attempts to access email stored overseas is moot.

Background: The Stored Communications Act, 18 U.S.C. § 2701 et seq., authorizes the government to require an email provider to disclose the contents of emails (and certain other electronic data) within its control if the government obtains a warrant based on probable cause. In this case, the federal government obtained a warrant to obtain emails from an email account used in drug trafficking. The drug trafficking allegedly occurred in the United States, but the emails were stored on a data server in Ireland. Microsoft refused to provide the emails on the ground that the Stored Communications Act does not apply to emails stored overseas.

Issue: Whether the Stored Communications Act requires an email provider to disclose to the government emails stored abroad.

Court’s Holding: The case is moot. On March 23, 2018, the President signed the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), which amended the Stored Communications Act so that it now applies to emails stored abroad. The parties’ dispute under the old version of the law therefore was moot. “No live dispute remains between the parties over the issue with respect to which certiorari was granted.” Per Curiam

What It Means: Given passage of the CLOUD Act, there was no longer any need for the Supreme Court to interpret the prior version of the Stored Communications Act. The CLOUD Act requires an email provider to disclose emails, so long as the statute’s procedures have been followed, regardless of whether those emails are “located within or outside of the United States.” CLOUD Act § 103(a)(1) (to be codified at 18 U.S.C. § 2713). But the CLOUD Act permits courts to exempt providers from disclosing emails of customers who are not U.S. citizens or residents, if disclosure would risk violating the laws of certain foreign governments. CLOUD Act § 103(b) (to be codified at 18 U.S.C. § 2703(h)).

April 12, 2018
Trump Administration Imposes Unprecedented Russia Sanctions

On April 6, 2018, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) significantly enhanced the impact of sanctions against Russia by blacklisting almost 40 Russian oligarchs, officials, and their affiliated companies pursuant to Obama-era sanctions, as modified by the Countering America’s Adversaries Through Sanctions Act (“CAATSA”) of 2017. In announcing the sanctions, Treasury Secretary Steven Mnuchin cited Russia’s involvement in “a range of malign activity around the globe,” including the continued occupation of Crimea, instigation of violence in Ukraine, support of the Bashar al-Assad regime in Syria, attempts to subvert Western democracies, and malicious cyber activities.[1] Russian stocks fell sharply in response to the new measures, and the ruble depreciated almost 5 percent against the dollar.[2]

Although this is not the first time that the Trump administration imposed sanctions against Russia, it is the most significant action taken to date. In June 2017, OFAC added 38 individuals and entities involved in the Ukraine conflict to OFAC’s list of Specially Designated Nationals (“SDNs”).[3] The April 6 sanctions added seven Russian oligarchs and 12 companies they own or control, 17 senior Russian government officials, the primary state-owned Russian weapons trading company and its subsidiary, a Russian bank, to the SDN List.[4] These designations include major, publicly-traded companies that have been listed on the London and Hong Kong exchanges and that have thousands of customers and tens of thousands of investors throughout the world. OFAC has never designated similar companies, and the potential challenges for global companies seeking to comply with OFAC measures are substantial.

An SDN designation prohibits U.S. persons—including U.S. companies, U.S. financial institutions, and their foreign branches—from engaging in any transactions with the designees or with entities in which they hold an aggregate ownership of 50 percent or more. The designation of a small company in a regional market can be devastating for the company, but rarely would it impose meaningful collateral consequences on global markets or investors. In this case, sanctions on companies such as EN+ and RUSAL (amongst others) have already impacted a substantial portion of a core global commodity (the aluminum market) while also preventing further trades in their shares, a move that could harm pension funds, mutual funds, and other investors that have long held stakes worth billions of dollars.

To minimize the immediate disruptions, OFAC issued two time-limited general licenses (regulatory exemptions) permitting companies and individuals to undertake certain transactions to “wind down” business dealings related to the designated parties.[5] However, our assessment is that disruptions are inevitable, and the size of the sanctions targets in this case means that the general licenses will have potentially limited effect in reducing dislocations.

Background

OFAC’s April 6 designations mark a clear change in tone from the Trump administration, which had initially resisted imposing the full force of CAATSA’s sanctions. For example, as we wrote in our 2017 Year-End Sanctions Update, CAATSA required the imposition of secondary sanctions on any person the President determined to have been engaging in “a significant transaction with a person that is part, or operates for or on behalf of, the defense or intelligence sectors of the Government Russia.”[6] On the day such sanctions were to be imposed, State Department representatives provided classified briefings to Congressional leaders to explain their decision not to impose any such sanctions under CAATSA, namely because the Trump administration felt that CAATSA was already having a deterrent effect which removed any immediate need to impose sanctions.[7]

Section 241 of CAATSA also required OFAC to publish a report on January 29, 2018 identifying “the most significant senior foreign political figures and oligarchs in the Russian Federation”[8] (the “Section 241 List”). The Treasury Department issued the report shortly before midnight on the due date, publicly naming 114 senior Russian political figures and 96 oligarchs.[9] Although the report did not result in any sanctions or legal repercussions, the public naming of such persons did cause confusion for those who sought to engage with them in compliance with U.S. law.[10] However, most observers were highly critical of the list, claiming that it demonstrated that the Trump administration was failing to adequately address Congressional intent to punish Moscow. Interestingly, almost all of the oligarchs designated on April 6 originally appeared on the Section 241 List.[11]

Designations

Included among the list of sanctioned parties were seven Russian oligarchs designated for being a Russian government official or operating in the energy sector of the Russian Federation economy, and 12 companies they own or control.
In its press release, OFAC warned that the 12 companies identified as owned or controlled by the designated Russian oligarchs “should not be viewed as exhaustive, and the regulated community remains responsible for compliance with OFAC’s 50 percent rule.” This rule extends U.S. sanctions prohibitions to entities owned 50 percent or more, even if those companies are not themselves listed by OFAC. The opacity of ownership in the Russian economy makes the 50 percent rule very difficult to operationalize.

In addition, OFAC designated 17 senior Russian government officials, a state-owned company and its subsidiary. The sanctioned individuals and entities, as described by OFAC, are provided in the following table.

Designated Russian Oligarchs

1. Vladimir Bogdanov: Bogdanov is the Director General and Vice Chairman of the Board of Directors of Surgutneftegaz, a vertically integrated oil company operating in Russia. OFAC imposed sectoral sanctions on Surgutneftegaz pursuant to Directive 4 issued under E.O. 13662 in September 2014.

2. Oleg Deripaska: Deripaska has said that he does not separate himself from the Russian state. He has also acknowledged possessing a Russian diplomatic passport, and claims to have represented the Russian government in other countries. Deripaska has been investigated for money laundering, and has been accused of threatening the lives of business rivals, illegally wiretapping a government official, and taking part in extortion and racketeering. There are also allegations that Deripaska bribed a government official, ordered the murder of a businessman, and had links to a Russian organized crime group.

3. Suleiman Kerimov: Kerimov is a member of the Russian Federation Council. On November 20, 2017, Kerimov was detained in France and held for two days. He is alleged to have brought hundreds of millions of euros into France – transporting as much as 20 million euros at a time in suitcases, in addition to conducting more conventional funds transfers – without reporting the money to French tax authorities. Kerimov allegedly launders the funds through the purchase of villas. Kerimov was also accused of failing to pay 400 million euros in taxes.

4. Kirill Shamalov: Shamalov married Putin’s daughter Katerina Tikhonova in February 2013 and his fortunes drastically improved following the marriage; within 18 months, he acquired a large portion of shares of Sibur, a Russia-based company involved in oil and gas exploration, production, processing, and refining. A year later, he was able to borrow more than $1 billion through a loan from Gazprombank, a state-owned entity subject to sectoral sanctions pursuant to E.O. 13662. That same year, long-time Putin associate Gennady Timchenko, who is himself designated pursuant to E.O. 13661, sold an additional 17 percent of Sibur’s shares to Shamalov. Shortly thereafter, Kirill Shamalov joined the ranks of the billionaire elite around Putin.

5. Andrei Skoch: Skoch is a deputy of the Russian Federation’s State Duma. Skoch has longstanding ties to Russian organized criminal groups, including time spent leading one such enterprise.

6. Viktor Vekselberg: Vekselberg is the founder and Chairman of the Board of Directors of the Renova Group. The Renova Group is comprised of asset management companies and investment funds that own and manage assets in several sectors of the Russian economy, including energy. In 2016, Russian prosecutors raided Renova’s offices and arrested two associates of Vekselberg, including the company’s chief managing director and another top executive, for bribing officials connected to a power generation project in Russia.

Designated Oligarch-Owned Companies

7. B-Finance Ltd.: British Virgin Islands company owned or controlled by, directly or indirectly, Oleg Deripaska.

8. Basic Element Limited: Basic Element Limited is based in Jersey and is the private investment and management company for Deripaska’s various business interests.

9. EN+ Group: Owned or controlled by, directly or indirectly, Oleg Deripaska, B-Finance Ltd., and Basic Element Limited. EN+ Group is located in Jersey and is a leading international vertically integrated aluminum and power producer. This is a publicly traded company that has been listed, inter alia, on the London Stock Exchange.

10. EuroSibEnergo: Owned or controlled by, directly or indirectly, Oleg Deripaska and EN+ Group. EuroSibEnergo is one of the largest independent power companies in Russia, operating power plants across Russia and producing around nine percent of Russia’s total electricity.

11. United Company RUSAL PLC: Owned or controlled by, directly or indirectly, EN+ Group. United Company RUSAL PLC is based in Jersey and is one of the world’s largest aluminum producers, responsible for seven percent of global aluminum production. This is a publicly traded company that has been listed, inter alia, on the Hong Kong Stock Exchange.

12. Russian Machines: Owned or controlled by, directly or indirectly, Oleg Deripaska and Basic Element Limited. Russian Machines was established to manage the machinery assets of Basic Element Limited.

13. GAZ Group: Owned or controlled by, directly or indirectly, Oleg Deripaska and Russian Machines. GAZ Group is Russia’s leading manufacturer of commercial vehicles.

14. Agroholding Kuban: Owned or controlled by, directly or indirectly, Oleg Deripaska and Basic Element Limited.

15. Gazprom Burenie, OOO: Owned or controlled by Igor Rotenberg. Gazprom Burenie, OOO provides oil and gas exploration services in Russia.

16. NPV Engineering Open Joint Stock Company: Owned or controlled by Igor Rotenberg. NPV Engineering Open Joint Stock Company provides management and consulting services in Russia.

17. Ladoga Menedzhment, OOO: Owned or controlled by Kirill Shamalov. Ladoga Menedzhment, OOO is located in Russia and engaged in deposit banking.

18. Renova Group: Owned or controlled by Viktor Vekselberg. Renova Group, based in Russia, is comprised of investment funds and management companies operating in the energy sector, among others, in Russia’s economy.

Designated Russian State-Owned Firms

19. Rosoboroneksport: State-owned Russian weapons trading company with longstanding and ongoing ties to the Government of Syria, with billions of dollars’ worth of weapons sales over more than a decade. Rosoboroneksport is being designated under E.O. 13582 for having materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services in support of, the Government of Syria.

20. Russian Financial Corporation Bank (RFC Bank): Owned by Rosoboroneksport. RFC Bank is incorporated in Moscow, Russia, and its operations include deposit banking activities.

Designated Russian Government Officials

21. Andrey Akimov: Chairman of the Management Board of state-owned Gazprombank.

22. Mikhail Fradkov: President of the Russian Institute for Strategic Studies (RISS), a major research and analytical center established by the President of the Russian Federation, which provides information support to the Presidential Administration, Federation Council, State Duma, and Security Council.

23. Sergey Fursenko: Member of the board of directors of Gazprom Neft, a subsidiary of state-owned Gazprom.

24. Oleg Govorun: Head of the Presidential Directorate for Social and Economic Cooperation with the Commonwealth of Independent States Member Countries. Govorun is being designated pursuant to E.O. 13661 for being an official of the Government of the Russian Federation.

25. Alexey Dyumin: Governor of the Tula region of Russia. He previously headed the Special Operations Forces, which played a key role in Russia’s purported annexation of Crimea.

26. Vladimir Kolokoltsev: Minister of Internal Affairs and General Police of the Russian Federation.

27. Konstantin Kosachev: Chairperson of the Council of the Federation Committee on Foreign Affairs.

28. Andrey Kostin: President, Chairman of the Management Board, and Member of the Supervisory Council of state-owned VTB Bank.

29. Alexey Miller: Chairman of the Management Committee and Deputy Chairman of the Board of Directors of state-owned company Gazprom.

30. Nikolai Patrushev: Secretary of the Russian Federation Security Council.

31. Vladislav Reznik: Member of the Russian State Duma.

32. Evgeniy Shkolov: Aide to the President of the Russian Federation.

33. Alexander Torshin: State Secretary – Deputy Governor of the Central Bank of the Russian Federation.

34. Vladimir Ustinov: Plenipotentiary Envoy to Russia’s Southern Federal District.

35. Timur Valiulin: Head of the General Administration for Combatting Extremism within Russia’s Ministry of Interior.

36. Alexander Zharov: Head of Roskomnadzor (the Federal Service for the Supervision of Communications, Information Technology, and Mass Media).

37. Viktor Zolotov: Director of the Federal Service of National Guard Troops and Commander of the National Guard Troops of the Russian Federation.

All assets subject to U.S. jurisdiction of the designated individuals and entities, and of any other entities blocked by operation of law as a result of their ownership by a sanctioned party, are frozen, and U.S. persons are generally prohibited from dealings with them. OFAC’s Frequently Asked Questions (“FAQs”) make clear that if a blocked person owns less than 50 percent of a U.S. company, the U.S. company will not be blocked. However, the U.S. company (1) must block all property and interests in property in which the blocked person has an interest and (2) cannot make any payments, dividends, or disbursement of profits to the blocked person and must place them in a blocked account at a U.S. financial institution.[12]

Non-U.S. persons could face secondary sanctions for knowingly facilitating significant transactions for or on behalf of the designated individuals or entities. CAATSA strengthened the secondary sanctions measures that could be used to target such persons, although such measures typically carry less risk because, as a matter of implementation, OFAC traditionally warns those who may be transacting with parties that could subject them to secondary sanctions and provides them with an opportunity to cure. While this outreach and deterrence model of imposing secondary sanctions was developed under the Obama administration (and resulted in very few impositions of secondary sanctions), the Trump administration could theoretically change it and impose secondary sanctions without the traditional warning. However, that appears unlikely, and the Trump administration has indicated that it will continue to provide warnings before imposing secondary sanctions.
Two CAATSA provisions bear particular note as they are implicated by Friday’s actions: section 226, which authorizes sanctions on foreign financial institutions for facilitating a transaction on behalf of a Russian person on the SDN List, and section 228, which seeks to impose sanctions on a person who “facilitates a significant transaction…for or on behalf of any person subject to sanctions imposed by the United States with respect to the Russian Federation.”[13] OFAC has clarified that the section 228 provision extends to persons listed on either the SDN or the Sectoral Sanctions Identifications (“SSI”) List, as well as persons they may own or control pursuant to OFAC’s 50 percent rule.[14] As we noted when CAATSA was passed, despite the mandatory nature of these sections, the President appears to retain the discretion to impose restrictions based upon whether he finds certain transactions significant or for other reasons. With the increase in the SDN list to include major players in global commodities such as EN+ or RUSAL, more companies around the world that rely on these companies could find themselves at least theoretically at risk of being sanctioned themselves. Companies should also consider this risk where there is reliance on material produced by any company in the Russian military establishment and sold by the Russian state arms company such as Rosoboronexport, which was also sanctioned.

General Licenses

In an effort to minimize the immediate disruptions to U.S. persons and global markets (especially given the sanctioning of major publicly traded corporations that have thousands of clients and investors throughout the world), OFAC issued General Licenses 12 and 13, permitting companies to undertake certain transactions and activities to “wind down” certain business dealings related to certain, listed designated parties. These General Licenses only cover U.S. persons, which has led some non-U.S. companies to inquire whether their ability to wind down operations with respect to the SDN companies would place them at risk for secondary sanctions (as they would be engaging with sanctioned parties and perhaps trigger the CAATSA provisions above). OFAC has noted in its FAQs that the U.S. Government would not find a transaction “significant” if a U.S. person would not need a specific license to undertake it.[15] That is, it would seem that at least for the duration of the General Licenses a non-U.S. party can engage in similar wind down operations without risking secondary sanctions.

General License 12, which expires June 5, 2018, authorizes U.S. persons to engage in transactions and activities with the 12 oligarch-owned designated entities that are “ordinarily incident and necessary to the maintenance or wind down of operations, contracts, or other agreements” related to these 12 entities (as well as those entities impacted by operation of OFAC’s 50 percent rule). This is a broader wind down provision than OFAC has issued in the past in that it allows not just “wind down” activities but also non-defined “maintenance” activities. Despite this breadth, it is already uncertain how this General License will actually work in practice. Permissible transactions and activities include importation from blocked entities and broader dealings with them. However, no payments are allowed to be made to blocked entities; rather, such payments can only be made to the blocked entities listed in General License 12 into blocked, interest-bearing accounts and reported to OFAC by June 18, 2018 (10 business days after the expiration of the license).[16] It is not clear why a sanctioned party would wish to deliver goods and services to parties if the sanctioned party cannot be paid. In line with the FAQ noted above, for non-U.S. companies it would seem that, in order to avoid secondary sanctions implications, the same restrictions would apply; that is, continued transactions are permitted on a wind down basis, but transfer of funds to the SDN companies could be viewed as “significant” or otherwise sanctionable.

Recognizing how broad the sanctions are and how far they may implicate subsidiaries of SDN companies inside the United States, OFAC’s FAQs clarify that General License 12 generally permits the blocked entities listed to pay U.S. persons their salaries, pension payments, or other benefits due during the wind down period. U.S. persons employed by entities that are not explicitly listed in General License 12—principally the designated Russian state-owned entities—do not have the benefit of this wind down period. OFAC FAQs note that such U.S. persons may seek authorization from OFAC to maintain or wind down their relationships with any such blocked entity, but make clear that continued employment or board membership related to these entities is prohibited.[17] The implications of these restrictions are significant where, as is the case with the blocked entities listed in General License 12, U.S. subsidiaries exist and U.S. persons are involved throughout company operations.

General License 13, which expires May 7, 2018, similarly allows transactions and activities otherwise prohibited under the April 6 sanctions. This license allows transactions and activities necessary to “divest or transfer debt, equity, or other holdings” in three designated Russian entities: EN+ Group PLC, GAZ Group, and United Company RUSAL PLC. Permitted transactions include facilitating, clearing, and settling transactions. General License 13, however, does not permit any divestment or transfer to a blocked person, including the three entities listed in General License 13.[18] As with General License 12, transactions permitted under General License 13 must be reported to OFAC within 10 business days after the expiration of the license. Once again, it is uncertain how the General License will work in practice. Given that the designations have depressed the share prices of the sanctioned parties, it is unknown who might be willing to purchase the shares even if U.S. holders are permitted to sell them.

Other Ramifications for Investors, Supply Chains, and Customers

The April 6 sanctions raise other significant questions and practical challenges for U.S. and non-U.S. companies, with particular risks for investors as well as the manufacturers, suppliers, and customers of the SDN companies.

Investors and fund managers will need to conduct significant diligence into the participants and ownership structures of their funds, including fund limited partners, to determine whether sanctioned persons or entities are involved. Moreover, those who have seen the value of any assets tied to these companies decline significantly are allowed to continue to try to sell their assets to non-U.S. persons. However, given the challenge in finding buyers and evidence that certain financial institutions and brokers are already refusing to engage in any trades (even during the wind down period), the investment community needs to potentially prepare for long-term holding of blocked assets (by setting up sequestered accounts).

For those within the supply chains of sanctioned companies, from suppliers of commodities to finished goods, as well as customers of sanctioned companies, the concern will be to potentially replace key commercial relationships which will become increasingly difficult (if not prohibited) to maintain.
For companies that have relied on RUSAL, for example, as a source of aluminum or as a customer for their goods, they will potentially need to find replacements. While aluminum is not in short supply globally, in certain jurisdictions RUSAL has a commanding position and even a monopoly. It is unclear how companies that seek to be compliant with OFAC regulations will navigate a world in which RUSAL has been a primary or secondary supplier (and there is no clear way to avoid such engagement so long as the company seeks to be active in that jurisdiction and in need of aluminum). Moreover, it is not just U.S. person counterparties that are likely to be affected by prohibitions on dealing with sanctioned parties. In line with the FAQ noted above, if non-U.S. companies were to make payments to the sanctioned companies for deliveries, these could be deemed “significant transactions” and could make the non-U.S. companies, themselves, the target of OFAC designations and/or secondary sanctions. One option—reportedly pursued by one major trading company—is to declare force majeure on contracts with Rusal.

As noted above, relief contemplated by General Licenses 12 and 13 may be operationally difficult to implement. The sanctions apply to companies 50 percent owned or controlled by blocked parties. Companies will need to undertake, under a short time line, significant due diligence to determine whether any such companies are involved in their operations. The wind down process may be further complicated by any Russian response to the U.S. sanctions.

What Happens Next?

The April 6 sanctions are likely not the end of the story. The next steps to watch include:

1. Potential Russian Retaliation: During an address to the State Duma on April 11, Prime Minister Dmitry Medvedev said, for example, that Russia should consider targeting U.S. goods or goods produced in Russia by U.S. companies when considering a possible response.[19] Any such measures could implicate further U.S. business dealings with Russian entities, including the blocked entities.

2. Changing Ownership and Structure of Sanctioned Parties: Given that the sanctioned companies were listed due to their ownership/control by sanctioned persons (pursuant to the 50 percent rule), there have already been moves to dilute their ownership and thus potentially have the companies de-listed. While possible, it is important to note that because the companies were explicitly listed by OFAC (and now appear on the SDN list), any reduction in ownership or control will not result in an automatic de-listing. Rather, OFAC will need to process these changes and formally de-list the entities before they can be treated as non-sanctioned. OFAC could opt not to de-list, or could decide to list the companies on other bases. Regardless, the process will undoubtedly take some time. We note that at least one engineering firm whose stock was held by a designated entity has already obtained a license to complete the transfer of these shares; this is helpful precedent for any company impacted but only tangentially related to the designated entities. Sanctioned entities have also changed their board membership in response to the U.S. sanctions. On Monday, April 11, for example, the entire board at Renova Management AG, the Swiss subsidiary of the Renova Group, was dismissed after Renova Group’s designation.[20]

3. European Follow On Restrictions: The shock of many of Europe’s major powers following the poisoning of Sergei and Yulia Skripal in Salisbury in early March and the resulting mass expulsion of Russian diplomats from European capitals suggests that sanctions may be next. Core European U.S. allies were likely notified in advance of the April 6 measures. In the run up to sanctions in 2014, Washington and Brussels worked very closely to institute parallel measures against Moscow. While that unity has broken down under the Trump administration, especially since CAATSA was passed in August, it would appear as though some European sanctions are likely in the offing.

4. OFAC FAQs/Licenses and Potentially New Measures: Due to the complexity of the April 6 measures, we expect that OFAC will issue additional FAQs and potentially revisions to General Licenses 12 and 13 (or new General Licenses) in the near term to clear up questions and further calibrate its response. Depending upon next steps from Russia and Europe, we may see additional sanctions as well. Secretary of State-designate Mike Pompeo’s statement that the United States’ “soft” policy toward Russia is over suggests as much.[21]

Unfortunately, there is no clear path towards a de-escalation in Washington-Moscow tensions. When the U.S. first issued sanctions against Russia in response to the Crimea incursion in 2014, the sanctions “off-ramp” was very clearly defined: if Russia altered its behavior in Crimea/Ukraine, there was a way that sanctions could be removed. Since 2014, as Secretary Mnuchin noted, Russia’s activities have expanded in scope and territory to include support for the Bashar regime in Syria, election meddling, cyber-attacks, and the nerve agent attack in the United Kingdom. The breadth and boldness of this activity makes it even more unlikely that Russia will comply with the West’s wishes, and thus even less likely that the sanctions would be removed or even reduced at any point in the near term. For its part, bipartisan Congressional leadership expressed broad support for the Trump administration’s actions—however, Congress will likely demand more from the President in the near term. Perhaps eager to placate Congress and dispel any notion that he is “soft” on Russia, and buffeted by external circumstances ranging from any potential attack in Syria to the investigation by Robert Mueller, the President may impose still harsher measures on Moscow.
[1] Press Release, U.S. Department of the Treasury, Treasury Designates Russian Oligarchs, Officials, and Entities in Response to Worldwide Malign Activity (Apr. 6, 2018), available at https://home.treasury.gov/news/featured-stories/treasury-designates-russian-oligarchs-officials-and-entities-in-response-to.
[2] Natasha Turak, US sanctions are finally proving a ‘major game changer’ for Russia, CNBC (Apr. 10, 2018), available at https://www.cnbc.com/2018/04/10/us-moscow-sanctions-finally-proving-a-major-game-changer-for-russia.html.
[3] Press Release, U.S. Dep’t of the Treasury, Treasury Designates Individuals and Entities Involved in the Ongoing Conflict in Ukraine (June 20, 2017), available at https://www.treasury.gov/press-center/press-releases/Pages/sm0114.aspx. Designated persons and entities included separatists and their supporters; entities operating in and connected to the Russian annexation of Crimea; entities owned or controlled by, or which have provided support to, persons operating in the Russian arms or materiel sector; and Russian government officials.
[4] U.S. Department of the Treasury, supra, n. 1.
[5] Id.
[6] CAATSA, Title II, § 231(a). Specifically, CAATSA Section 231(a) specified that the President shall impose five or more of the secondary sanctions described in Section 235 with respect to a person the President determines knowingly “engages in a significant transaction with a person that is part of, or operates for or on behalf of, the defense or intelligence sectors of the Government of the Russian Federation, including the Main Intelligence Agency of the General Staff of the Armed Forces of the Russian Federation or the Federal Security Service of the Russian Federation.” The measures that could be imposed under Section 231 are discretionary in nature. The language of the legislation is somewhat misleading in this regard. Section 231 is written as a mandatory requirement—providing that the President “shall impose” various restrictions. However, the legislation itself—and the October 27, 2017 guidance provided by the State Department—makes clear that secondary sanctions are only imposed after the President makes a determination that a party “knowingly” engaged in “significant” transactions with a listed party. The terms “knowingly” and “significant” have imprecise meanings, even under the State Department guidance. OFAC Ukraine-/Russia-related Sanctions FAQs (“OFAC FAQs”), OFAC FAQ No. 545, available at https://www.treasury.gov/resource-center/faqs/Sanctions/Pages/faq_other.aspx#567.
[7] Press Release, U.S. Dep’t of State, Background Briefing on the Countering America’s Adversaries Through Sanctions Act (CAATSA) Section 231 (Jan. 30, 2018), available at https://www.state.gov/r/pa/prs/ps/2018/01/277775.htm.
[8] CAATSA, Title II, § 241.
[9] See U.S. Dep’t of the Treasury, Report to Congress Pursuant to Section 241 of the Countering America’s Adversaries Through Sanctions Act of 2017 Regarding Senior Foreign Political Figures and Oligarchs in the Russian Federation and Russian Parastatal Entities (Unclassified) (Jan. 29, 2018), available at https://www.scribd.com/document/370313106/2018-01-29-Treasury-Caatsa-241-Final.
[10] See, e.g., Press Release, U.S. Dep’t of the Treasury, Treasury Releases CAATSA Reports, Including on Senior Foreign Political Figures and Oligarchs in the Russian Federation (Jan. 29, 2018), available at https://home.treasury.gov/news/press-releases/sm0271.
[11] The one exception is Igor Rotenberg. Although Igor Rotenberg did not appear on the Section 241 List, his father and uncle were included. According to the April 6 OFAC announcement, Igor Rotenberg acquired significant assets from his father, Arkady Rotenberg, after OFAC designated the latter in March 2014. Specifically, Arkady Rotenberg sold Igor Rotenberg 79 percent of the Russian oil and gas drilling company Gazprom Burenie. Igor Rotenberg’s uncle, Boris Rotenberg, owns 16 percent of the company. Like his brother Arkady Rotenberg, Boris Rotenberg was designated in March 2014.
[12] OFAC FAQ No. 573.
[13] CAATSA, Title II, § 228.
[14] OFAC FAQ No. 546. In its implementing guidance, OFAC confirmed that Section 228 extends to SDNs and SSI entities but clarified that it would not deem a transaction “significant” if U.S. persons could engage in the transaction without the need for a specific license from OFAC. In other words, only transactions prohibited by OFAC—specifically, transactions with SDNs and/or transactions with SSI entities that are prohibited by the sectoral sanctions—will “count” as significant for purposes of Section 228. OFAC also noted that even a transaction with an SSI that involves prohibited debt or equity would not automatically be deemed “significant”—it would need to also involve “deceptive practices,” and OFAC would assess this criterion on a “totality of the circumstances” basis.
[15] OFAC FAQ No. 574.
[16] General License 12; OFAC FAQ No. 569.
[17] See also OFAC FAQ Nos. 567-568.
[18] See also OFAC FAQ Nos. 570-571.
[19] Russia’s Renova says board at its Swiss subsidiary dismissed due to sanctions, Reuters (Apr. 11, 2018), available at https://uk.reuters.com/article/usa-russia-sanctions-renova/russias-renova-says-board-at-its-swiss-subsidiary-dismissed-due-to-sanctions-idUKR4N1NE02P.
[20] Russia ready to prop up Deripaska’s Rusal as US sanctions bite, Financial Times (Apr. 11, 2018), available at https://www.ft.com/content/4904f6d4-3d97-11e8-b7e0-52972418fec4.
[21] Patricia Zengerle and Lesley Wroughton, As Pompeo signals hard Russia line, lawmakers want him to stand on his own, Reuters (Apr. 12, 2018), available at https://www.reuters.com/article/us-usa-trump-pompeo/as-pompeo-signals-hard-russia-line-lawmakers-want-him-to-stand-on-his-own-idUSKBN1HJ0HO.

The following Gibson Dunn lawyers assisted in preparing this client update: Adam Smith, Judith Alison Lee, Christopher Timura, Stephanie Connor, and Courtney Brown.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding the above developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any of the following leaders and members of the firm’s International Trade Group:

United States:
Judith Alison Lee – Co-Chair, International Trade Practice, Washington, D.C. (+1 202-887-3591, jalee@gibsondunn.com)
Ronald Kirk – Co-Chair, International Trade Practice, Dallas (+1 214-698-3295, rkirk@gibsondunn.com)
Jose W. Fernandez – New York (+1 212-351-2376, jfernandez@gibsondunn.com)
Marcellus A. McRae – Los Angeles (+1 213-229-7675, mmcrae@gibsondunn.com)
Daniel P. Chung – Washington, D.C. (+1 202-887-3729, dchung@gibsondunn.com)
Adam M. Smith – Washington, D.C. (+1 202-887-3547, asmith@gibsondunn.com)
Christopher T. Timura – Washington, D.C. (+1 202-887-3690, ctimura@gibsondunn.com)
Stephanie L. Connor – Washington, D.C. (+1 202-955-8586, sconnor@gibsondunn.com)
Kamola Kobildjanova – Palo Alto (+1 650-849-5291, kkobildjanova@gibsondunn.com)
Courtney M. Brown – Washington, D.C. (+1 202-955-8685, cmbrown@gibsondunn.com)
Laura R. Cole – Washington, D.C. (+1 202-887-3787, lcole@gibsondunn.com)

Europe:
Peter Alexiadis – Brussels (+32 2 554 72 00, palexiadis@gibsondunn.com)
Attila Borsos – Brussels (+32 2 554 72 10, aborsos@gibsondunn.com)
Patrick Doris – London (+44 (0)207 071 4276, pdoris@gibsondunn.com)
Penny Madden – London (+44 (0)20 7071 4226, pmadden@gibsondunn.com)
Mark Handley – London (+44 (0)207 071 4277, mhandley@gibsondunn.com)
Benno Schwarz – Munich (+49 89 189 33 110, bschwarz@gibsondunn.com)
Richard Roeder – Munich (+49 89 189 33-160, rroeder@gibsondunn.com)

© 2018 Gibson, Dunn & Crutcher LLP

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

March 7, 2018 |
The Convergence of Law and Cybersecurity

Washington, D.C. associate Melinda Biancuzzo is the co-author of “The Convergence of Law and Cybersecurity,” [PDF] published by Nuix on March 7, 2018.

January 30, 2018 |
Law360 Names Gibson Dunn Among its Privacy 2017 practice Groups of the Year

Law360 named Gibson Dunn one of its five Privacy Practice Groups of the Year [PDF] for 2017. Gibson Dunn was selected for being “a go-to firm for tech giants in behind-the-scenes cybersecurity matters”. The firm’s profile was published on January 30, 2018.

January 29, 2018 |
International Cybersecurity and Data Privacy Outlook and Review – 2018

In honor of Data Privacy Day—an international effort to raise awareness and promote privacy and data protection best practices—we recently offered Gibson Dunn’s sixth annual Cybersecurity and Data Privacy Outlook and Review. This year again, in addition to that U.S.-focused report, we offer this separate International Outlook and Review.

Like many recent years, 2017 saw significant developments in the evolution of the data protection and cybersecurity landscape outside the United States:

- Following the adoption of a General Data Protection Regulation governing the collection, processing and transfer of personal data in 2016 (“GDPR”),[1] several Member States of the European Union started to adapt their national legal frameworks in light of the future entry into application of the GDPR on 25 May 2018, and the Article 29 Working Party (“WP29”) provided details regarding the implementation thereof.
- The first proposals for an upcoming European regulation with respect to private life and the protection of personal data in electronic communications, intended to repeal the currently applicable legal framework, were made public (“ePrivacy Regulation”).
- The Member States of the European Union started working on the transposition into national law of the directive on the security of network and information systems (“NIS Directive”).
- The framework for international data transfers between the U.S. and the European Union—the Privacy Shield—was subjected to various legal challenges.

We cover these topics and many more in this year’s International Cybersecurity and Data Privacy Outlook and Review.

Table of Contents
__________________________________________
I.   European Union
  A.  Privacy Shield
    1.  Reviews of the European Commission and the WP29
    2.  Challenges to Privacy Shield
  B.  EU Data Protection Regulation and Reform
    1.  GDPR
    2.  Principal Elements of the GDPR
    3.  National Data Protection Reforms Implementing the GDPR
  C.  EU Cyber Security Directive
    1.  Digital Service Providers
    2.  Member State Obligations
    3.  Minimum Harmonization and Coordination Among EU Member States
  D.  Other EU Developments
    1.  Reform of the ePrivacy Directive – the Draft EU ePrivacy Regulation
    2.  CJEU Case Law
    3.  Article 29 Working Party (WP29) Opinions
II.  Asia-Pacific and Other Notable International Developments
__________________________________________

I.     European Union

A.     Privacy Shield

On 12 July 2016, the European Commission formally approved the EU-U.S. Privacy Shield (“Privacy Shield”), a framework for navigating the transatlantic transfer of data from the EU to the United States. The Privacy Shield replaces the EU-U.S. Safe Harbor framework, which was invalidated by the European Court of Justice (“ECJ”) on 6 October 2015 in Maximilian Schrems v. Data Protection Commissioner (the “Schrems” decision).[2] We provided an in-depth discussion of the Schrems decision in a previous Outlook and Review.[3]

1.     Reviews of the European Commission and the WP29

Following the adoption of the Privacy Shield, the WP29—an advisory body that includes representatives from the data protection authorities of each EU Member State—stated that “the national representatives of the WP29 will not only assess if the remaining issues have been solved but also if the safeguards provided under the EU-U.S. Privacy Shield are workable and effective” during a joint annual review of the Privacy Shield mechanism.[4]

The first review was conducted in mid-September 2017 by the European Commission and U.S. authorities. The European Commission published its report on 18 October 2017.[5] It concluded that the Privacy Shield continues to ensure an adequate level of protection, noting that various important structures and procedures have been put in place by U.S.
authorities—namely, new redress possibilities for EU nationals, a complaint-handling and enforcement procedure, an increased level of cooperation with EU data protection authorities, and necessary safeguards for government access to personal data. Overall, the European Commission determined that the framework, including the self-certification process, is functioning well, and the European Commission continues to support the Privacy Shield. The European Commission did, however, make several recommendations to further improve the Privacy Shield’s functioning:

- More proactive and regular monitoring of companies’ compliance with their obligations under the Privacy Shield by the U.S. Department of Commerce, including the use of review questionnaires or annual compliance reports.
- Increased searches for and enforcement against companies that falsely claim to participate in the Privacy Shield by U.S. authorities.
- Raising awareness of how EU individuals can exercise their rights under the Privacy Shield, particularly how they can submit complaints.
- Closer cooperation between EU and U.S. authorities to achieve a consistent interpretation and to develop guidance for companies and enforcers.
- The appointment of a permanent Privacy Shield Ombudsman and the appointment of additional members to the Privacy and Civil Liberties Oversight Board (“PCLOB”).
- A codification of Presidential Policy Directive 28 (“PPD-28”), as part of the reauthorization and reform of Section 702 of the Foreign Intelligence Surveillance Act (“FISA”).

It should be noted on this last point that on 19 January 2018 the United States renewed FISA Section 702 without enshrining the protections set forth in PPD-28.[6] It remains to be seen how this, and the success of efforts to follow up on the other recommendations, will affect the next annual review of the Privacy Shield in fall 2018.

On 28 November 2017, the WP29 released its own opinion on the first annual joint review of the Privacy Shield mechanism.[7] The WP29’s findings are quite different from the Commission’s, as the WP29 identified “significant concerns” with the Privacy Shield’s mechanisms as currently operated. While the WP29 recognized the Privacy Shield as an improvement compared to the invalidated Safe Harbor mechanism, and welcomed the increased transparency of the U.S. government and legislator regarding the use of their surveillance powers, the WP29 set forth several recommendations, namely:

- U.S. authorities should provide more guidance on the principles of the Privacy Shield, particularly regarding transfers, available rights, and recourses and remedies, to make it easier for companies to interpret their obligations and for individuals to exercise their rights.
- More oversight by U.S. authorities concerning compliance with Privacy Shield principles—for instance, compliance with limits on monitoring—and more proactive supervision of the participating organizations.
- Distinguishing the status of processors and controllers established in the U.S., as the opinion notes there is currently no differentiation made during the application process between the two.
- Increasing the level of protection concerning profiling data or automated decision-making by creating specific rules to provide sufficient safeguards.
- Avoiding exceptions for the processing of Human Resources (“HR”) data, as according to the WP29 the U.S. Department of Commerce considers HR data too narrowly, allowing for the transfer of some HR data as commercial data.
- Shoring up safeguards against the access of data by U.S. public authorities.
- Addressing the lack of a permanent and independent Ombudsman and the several vacancies on the PCLOB.

The WP29 warned that should its concerns fail to be addressed, the group would take appropriate actions, including challenging the Privacy Shield before national courts. The WP29 therefore called on the European Commission and U.S. authorities to resume discussions, and to set up an action plan to demonstrate that these concerns will be addressed.

2.     Challenges to Privacy Shield

Advocacy groups have already filed challenges to the Privacy Shield. Specifically, in October 2016 Digital Rights Ireland (“DRI”) filed a challenge with the Luxembourg-based General Court, a lower court of the ECJ, to annul the European Commission’s 12 July 2016 Adequacy Decision, which approved and adopted the Privacy Shield.[8] However, this action was dismissed by the General Court of the European Union on 22 November 2017.[9] The European judges held that DRI neither had an interest in bringing proceedings in its own name nor had standing to act in the name of its members and supporters or on behalf of the general public.

This is not the only challenge to the Privacy Shield, however: in 2016, a French privacy advocacy group also challenged the Adequacy Decision in a legal action before the ECJ, claiming that the U.S. Ombudsman redress mechanism is not sufficiently independent and effective and that the Adequacy Decision must therefore be annulled.[10] This case remains ongoing.[11]

B.     EU Data Protection Regulation and Reform

1.     GDPR

On 15 December 2015, the European Commission, the European Parliament, and the European Council agreed to an EU data protection reform to boost the EU Digital Single Market. The bill was adopted by the European Council and the European Parliament in early April 2016 and came into force on 24 May 2016 as the GDPR. However, the GDPR provides for a two-year “grace period,” such that it will not become fully applicable until 25 May 2018.
The GDPR replaces the EU Data Protection Directive[12] and constitutes a set of data protection rules that are directly applicable to the processing of personal data across EU Member States (for additional details regarding the main requirements of the GDPR, please refer to Section 2 below).

2.     Principal Elements of the GDPR

The core substantive elements of the GDPR, which will become fully applicable in May 2018, include the following:

Extraterritorial Scope: The GDPR will cover not only data controllers established in the EU, but will also apply to organizations that offer goods or services to residents in the EU, even if these organizations are not established in the EU and do not process data using servers in the EU.[13]

Transparency Principle: Under the GDPR, transparency is a general requirement applicable to three central areas: (i) the provision of information to data subjects; (ii) the way data controllers communicate with data subjects in relation to their rights under the GDPR; and (iii) how data controllers allow and facilitate the exercise of their rights by data subjects. In late 2017, the WP29 made draft Guidelines on transparency public.[14] Even though the final version of this document is not available yet, the purpose of the Guidelines is to provide practical guidance and interpretative assistance on the new transparency obligations resulting from the GDPR.

Consent of the Data Subjects: The GDPR puts emphasis on the notion of consent of data subjects by providing further clarification and specification of the requirements for obtaining and demonstrating valid consent. In November 2017, the WP29 adopted Guidelines specifically dedicated to the concept of consent and focusing on the changes in this respect resulting from the GDPR.[15]

“Right to Be Forgotten”: The GDPR further develops the “right to be forgotten” (formally called the “right to erasure”), whereby personal data must be deleted when an individual no longer wants his or her data to be processed by a company and there are no legitimate reasons for retaining the data.[16] This right was already introduced in the EU Data Protection Directive, and was the object of the litigation before the CJEU in Google Spain SL and Google Inc. v. AEPD and Mario Costeja González.[17] Among other points, the GDPR clarifies that this right is not absolute and will always be subject to the legitimate interests of the public, including the freedom of expression and historical and scientific research. The GDPR also obliges controllers who have received a request for erasure to inform other controllers of such request in order to achieve the erasure of any links to or copy of the personal data involved. This part of the GDPR may impose significant burdens on affected companies, as the creation of selective data destruction procedures often leads to significant costs.

Data Breach Notification Obligation: The GDPR requires data controllers to provide notice of serious security breaches to the competent Data Protection Authority/ies (“DPA(s)”) without undue delay and, in any event, within 72 hours after having become aware of any such breach. The WP29 has issued Guidelines in order to explain the mandatory breach notification and communication requirements of the GDPR as well as some of the steps data controllers and data processors can take to meet these new obligations.[18]

Profiling Activities: The GDPR specifically addresses the use of profiling and other automated individual decision-making. In 2017, the WP29 made Guidelines public in this respect.[19] These clarify the provisions of the GDPR regarding profiling, in particular by defining in more detail what profiling is.

Data Protection Impact Assessment (“DPIA”): Where processing activities are deemed likely to result in high risk to the rights and freedoms of data subjects, the GDPR requires that data controllers carry out, prior to the contemplated processing, an assessment of the impact thereof on the protection of personal data.[20] However, the GDPR does not specifically detail the criteria to be taken into account for determining whether given processing activities represent “high risk.” Instead, the GDPR provides a non-exhaustive list of examples falling within this scope. Similarly, no process for performing DPIAs is detailed as part of the GDPR. Considering the need for additional information in this respect, the WP29 issued Guidelines in 2017 intended to clarify which processing operations must be subject to DPIAs and how they should be carried out.[21] These Guidelines were subsequently revised throughout the year.[22]

Privacy-Friendly Techniques and Practices: “Privacy by design” is the idea that a product or service should be conceived from the outset to ensure a certain level of privacy for an individual’s data. “Privacy by default” is the idea that a product or service’s default settings should help ensure privacy of individual data. The GDPR establishes privacy by design and privacy by default as essential principles. Accordingly, businesses should only process personal data to the extent necessary for their intended purposes and should not store it for longer than is necessary for those purposes. These principles will require data controllers to design data protection safeguards into their products and services from the inception of the product development process.

Data Portability: The GDPR establishes a right to data portability, which is intended to make it easier for individuals to transfer personal data from one service provider to another. According to the WP29, as a matter of good practice, companies should develop the means that will contribute to answering data portability requests, such as download tools and Application Programming Interfaces. Companies should guarantee that personal data is transmitted in a structured, commonly used and machine-readable format, and they should be encouraged to ensure the interoperability of the data format provided in the exercise of a data portability request. The WP29 has also called on industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability.[23] In 2017, the WP29 issued revised Guidelines on the right to data portability, providing guidance on the way to interpret and implement the right to data portability introduced by the GDPR.[24]

Competent Supervisory Authority: To date, in the EU the monitoring of the application of data protection rules has fallen almost exclusively under the jurisdiction of national DPAs. Subject to the EU Data Protection Directive and the case law of the CJEU, DPAs only had jurisdiction to find a violation of their data protection laws and impose fines where, inter alia, their respective national laws were applicable.[25] With the adoption of the GDPR, a complex set of rules has been established to govern which DPA is competent for data controllers that have cross-border processing practices.

First, where a case relates only to an establishment of a data controller or processor in a Member State or substantially affects residents only in a Member State, the DPA of that Member State will have jurisdiction to deal with the case.[26]

Second, in other cases concerning cross-border data processing, the DPA of the main establishment of the controller or processor within the EU will have jurisdiction to act as lead DPA for the cross-border processing of this controller or processor.[27] Articles 61 and 62 provide for mutual assistance and joint operations mechanisms, respectively, to ensure compliance with the GDPR. Furthermore, the lead DPA will need to follow the cooperation mechanism provided in Article 60 with other DPAs “concerned.” Ultimately, the European Data Protection Board (“EDPB,” where all EU DPAs and the European Commission are represented) will have decision-making powers in case of disagreement among DPAs as to the outcome of specific investigations.[28]

Third, the GDPR establishes an urgency procedure that any DPA can use to adopt time-barred measures regarding data processing in case of urgency. These measures will only be applicable in the DPA’s own territory, pending a final decision by the EDPB.[29]

In 2016, the WP29 issued Guidelines that aim to assist controllers and processors in the identification of their lead DPA.[30] These Guidelines were updated in 2017, in particular to address circumstances involving joint data controllers.[31]

Governance: Data controllers and processors may be required to designate a Data Protection Officer (“DPO”) in certain circumstances. Small and medium-sized enterprises will be exempt from the obligation to appoint a DPO insofar as data processing is not their core business activity.
The WP29 has issued Guidelines that clarify the conditions for the designation, position and tasks of the DPO to ensure compliance with the GDPR; these Guidelines were revised in 2017.[32] These requirements will be supplemented by a much more rigid regime of fines for violations.  DPAs will be able to fine companies that do not comply with EU rules up to 4% of their global annual turnover. 3.     National Data Protection Reforms Implementing the GDPR Because the GDPR is a regulation, there is no need for Member States of the European Union to transpose its provisions in order to render them applicable within their national legal systems.  However, some Member States nonetheless have adapted their legal frameworks regarding data protection in light of the GDPR. The GDPR contains provisions granting flexibility to the Member States to implement such adaptations.  For example, Article 8 of the GDPR provides specific rules regarding the processing of personal data of children below the age of 16.  Nevertheless, Member States may provide by law for a lower age provided it is not below 13 years.  Another example is to be found under Article 58 of the GDPR, as Member States may provide by law that their supervisory authorities have additional powers beyond those already specified under the GDPR. Below is an overview of the national data protection reforms implemented throughout the European Union during 2017: Member State Status of National Data Protection Reform Austria The Datenschutz-Anpassungsgesetz 2018 was published in July 2017.  This act is expected to support the application of the GDPR and will enter into effect by 25 May 2018.  The Datenschutzgesezt 2000 will be replaced accordingly. 
Belgium Belgium is currently adapting its national data protection legal framework by: reforming the Belgian Privacy Commission (the draft bill in this respect was adopted by the Parliament on 16 November 2017 and was submitted for the King’s approval); and preparing a framework law for addressing the national considerations resulting from the GDPR (although no draft has been disclosed yet). Bulgaria In 2017, Bulgaria did not enact or propose a bill concerning GDPR-related privacy issues. Croatia In 2017, Croatia did not enact or propose a bill concerning GDPR-related privacy issues. Cyprus In 2017, Cyprus did not enact or propose a bill concerning GDPR-related privacy issues. Czech Republic A draft Data Protection Act, intended to adapt the current national legal framework to the GDPR, was discussed by the government.  The upcoming Data Protection Act is expected to replace the current act on data protection. Denmark On 25 October 2017, a proposal for a new Data Protection Act implementing the GDPR was made public.  This proposal was discussed by the Danish Parliament in late 2017 and is expected to pass in the first months of 2018. Estonia The Ministry of Justice rendered public a first draft of the legislation intended to implement the GDPR.  However, the draft was not submitted to Parliament for review in 2017. Finland A working group set up by the Ministry of Justice issued a report in June 2017 proposing to replace the current Finnish Data Protection Act with a new act intended to supplement the GDPR when the GDPR enters into application. France A draft data law intended to modify the current French Data Protection Act was made public in December 2017.  It is likely that this initial draft will go through subsequent modifications before the final law is eventually passed. Germany In June 2017, Germany adapted its Data Protection Act to the GDPR.  The previous version of the German Data Protection Act will remain in force until 25 May 2018. 
Greece In 2017, Greece did not enact or propose a bill concerning GDPR-related privacy issues. Hungary In 2017, Hungary launched a public consultation on a proposal to amend the current Hungarian Data Protection Act.  This proposal is expected to become final in early 2018. Ireland In May 2017, Ireland issued a General Scheme of Data Protection Bill providing a general scheme for the act intended to give effect to and complement the GDPR. Italy On 6 November 2017, the Italian Parliament passed a law (Law No. 163) adopting specific provisions with respect to the GDPR.  The currently applicable Italian Data Protection Code is to be modified within 6 months from the passage of Law No. 163. Latvia Latvia made public a draft Personal Data Processing Law in October 2017. Lithuania The law applicable in Lithuania (i.e., the Lithuanian Law on Legal Protection of Personal Data) is currently being amended so as to integrate the requirements of the GDPR. Luxembourg The government of Luxembourg proposed a bill specifically addressing data protection in order to adapt the local law to the requirements of the GDPR. Malta In 2017, Malta did not enact or propose a bill concerning GDPR-related privacy issues. Netherlands The data protection law currently applicable in the Netherlands results from the Dutch Personal Data Protection Act (Wet bescherming persoonsgegevens).  This Act will no longer be applicable after the GDPR enters into effect in May 2018. Poland In September 2017, Poland published a draft Personal Data Protection Act, intended to provide a legal framework for the GDPR.  This draft was made subject to public consultations and is expected to be enacted in 2018, prior to the entry into application of the GDPR. Portugal In 2017, Portugal did not enact or propose a bill concerning GDPR-related privacy issues. Romania Draft legislation for implementing the GDPR was disclosed and submitted for public debate in 2017. 
Slovakia: On 29 November 2017, the Slovakian Data Protection Act was adopted by the Slovak Parliament with an entry into force on the same date as the GDPR.
Slovenia: The currently applicable Slovenian Data Protection Act is expected to be repealed by a new data protection act (“ZVOP-2”) intended to ensure the proper implementation of data protection requirements following the entry into application of the GDPR. ZVOP-2 was subject to the legislative process in 2017 and is likely to be adopted in early 2018.
Spain: A bill regarding data protection intended to amend the current legal framework was published and made subject to debate, with an eye toward eventual approval by the Spanish Parliament.
Sweden: A report of the Swedish government proposing provisions intended to complement the GDPR was issued in May 2017, but no government bill was passed in this respect during 2017.
United Kingdom: On 14 September 2017, the Data Protection Bill was published with the aim of modernizing data protection law. Even though the Data Protection Bill has a wider scope than the mere adaptation of national law to the GDPR, one of its core features is detailing how the UK uses the flexibility granted by the GDPR to Member States with respect to specific data protection issues.

C. EU Cyber Security Directive

On 6 July 2016, the European Parliament officially adopted the Network and Information Security (“NIS”) Directive,[33] which is expected to be fully applicable (via national regulations) as of May 2018. The NIS Directive is the first set of cybersecurity rules to be adopted at the EU level, adding to an already complex array of laws with which companies must comply when implementing security and breach response plans. It aims to set a minimum level of cybersecurity standards and to streamline cooperation between EU Member States at a time of growing cybersecurity breaches.
In February 2017, the European Agency for Network and Information Security (“ENISA”) issued guidelines related to incident notification for digital service providers in the context of the NIS Directive, in order to provide practical information on the cases covered by the NIS Directive and the actions to be taken in such a case.[34]

More details as to how the NIS Directive will be implemented at local level were also disclosed in 2017 as Member States started to adopt national legislation to transpose the NIS Directive. For example, in France on 19 December 2017, a national bill for transposing the NIS Directive was adopted by the French Senate. This bill specifies fines of up to EUR 100,000 if officers of essential service providers do not comply with the security requirements specified by the French Prime Minister and fines of up to EUR 75,000 if such officers do not comply with the obligation to notify data breaches. Regarding legal persons, the fines for non-compliance with the security requirements specified by the French Prime Minister can be up to EUR 500,000, and up to EUR 375,000 in case data breaches are not duly notified.

The final text of the NIS Directive sets out separate cybersecurity obligations for essential service and digital service providers:
Essential service providers include actors in the energy, transport, banking and financial markets, as well as health, water and digital infrastructure[35] sectors.
Digital service providers will include online marketplaces, search engines and cloud services (with an exemption for companies with fewer than 50 employees) but not social networks, app stores or payment service providers.

In terms of geographic scope, the NIS Directive aims to address potential incidents taking place “within the [European] Union”[36] and will apply to all entities providing the above services[37] within the EU territory or to EU residents, regardless of their physical location.
In particular, all digital service providers that are not established in the EU, but offer services covered by the NIS Directive within the EU, are required to designate an EU-based representative.[38]

Companies covered by the NIS Directive will have to ensure that their digital infrastructure is robust enough to withstand cyber-attacks and may need to report major security incidents to the national authorities. Businesses will also be required to apply procedures demonstrating effective use of security policies and measures.

1. Digital Service Providers

Digital service providers will be obliged to report all incidents that have a “substantial impact” on their services (in terms of the duration, geographic spread and the number of users affected by the incident).[39] It will be up to regulators to decide whether to inform the public about these incidents after consulting the company involved. As a practical matter, the NIS Directive states that jurisdiction over a digital service provider should be attributed to the Member State in which it has its main EU establishment, which in principle corresponds to the place where the provider has its head office in the EU.[40] Digital service providers not established in the EU will be deemed to be under the primary jurisdiction of the Member State where their EU representative has been appointed.[41]

Notably, where an incident involves personal data, there may be an additional requirement to report to DPAs under the GDPR, which will come into effect on 25 May 2018. As indicated above, the GDPR will also have a reporting provision for data breaches, although that notification obligation focuses on the protection of personal information, in contrast to the NIS Directive’s incident reporting requirement, which is aimed at improving computer and information technology systems overall.
Thus, it is possible that a single cybersecurity breach will need to be notified to more than one authority in each EU Member State affected.

2. Member State Obligations

The NIS Directive itself is not directly applicable. It will first have to be transposed and implemented into national law by the Member States by May 2018. Member States will need to, for example, designate the competent national authorities, identify operators of essential services, indicate which types of incidents they must report and establish sanctions for failure to notify.[42] National procedural rules (for both administrative and court proceedings) will govern the application of the NIS Directive and the relevant national laws to affected entities.[43]

In addition, each Member State is to adopt a national strategy to maintain the security of network and information systems and will designate one or more national competent authorities to monitor the application of the NIS Directive. They are also to designate one or more Computer Security Incident Response Teams (“CSIRTs”) responsible for monitoring and responding to incidents and providing early warnings about risks.

3. Minimum Harmonization and Coordination Among EU Member States

The clear aim of the NIS Directive is to harmonize the EU Member State rules applicable to the security levels of network and information systems across the EU. However, given the strategic character of certain services covered by the NIS Directive, the NIS Directive gives some powers and margin of discretion to Member States. For example, the NIS Directive mandates each EU Member State to adopt a national strategy on the security of network and information systems, defining objectives, policies and measures envisaged with a view to achieving the aims of the NIS Directive.[44] Thus, despite the ability of Member States to seek the assistance of the ENISA, the development of a strategy will remain a national competence.
Furthermore, as far as operators of essential services are concerned, EU Member States will identify the relevant operators subject to the NIS Directive and may impose stricter requirements than those laid down in the NIS Directive (in particular with regard to matters affecting national security).[45] In contrast, Member States should not identify digital service providers (as the NIS Directive applies to all digital service providers within its scope) and, in principle, may not impose any further obligations on such entities.[46]

The European Commission retains powers to adopt implementing rules regarding the application of the security and notification requirements applicable to digital service providers.[47] It is expected that these rules will be developed in cooperation with the ENISA and stakeholders, and will enable uniform treatment of digital service providers across the EU. In addition, the competent authorities will be able to exercise supervisory activities only when provided with evidence that a digital service provider is not complying with its obligations under the NIS Directive.

Another tool for coordination among authorities will be the envisaged “Cooperation Group,” similar to the WP29 currently operating under the 1995 Data Privacy Directive. The Cooperation Group will bring together the regulators of all EU Member States, who have different legal cultures and hold different approaches to IT and security matters (e.g., affecting national security). It is therefore expected that the European Commission will play an active role in building trust and consensus among the Cooperation Group’s members with a view to providing meaningful and clear guidance to businesses.

D. Other EU Developments

1. Reform of the ePrivacy Directive – the Draft EU ePrivacy Regulation

2016 saw the initiation of the procedures for the reform of the EU’s main set of rules on ePrivacy, the ePrivacy Directive.
In this context, further to a public consultation held by the European Commission, a draft of the future EU ePrivacy Regulation (the “draft ePrivacy Regulation”) was leaked in December 2016.[48] This draft was followed by the release of the European Commission’s final proposal on 10 January 2017,[49] which, despite some changes, is mostly similar to the leaked version. Later in 2017, the European Commission’s proposal was followed by an Opinion of the WP29 released on 4 April 2017.[50] The European Parliament also proposed an amended version on 20 October 2017,[51] and discussions at the Council of the European Union are still ongoing to date with a view to adopting a final proposal, even though a first redraft has already been published.[52]

a. The European Commission’s ePrivacy Regulation proposal

The Commission’s ePrivacy Regulation proposal released in January 2017 seeks to adapt the reform of the ePrivacy regime to the feedback received from stakeholders and the WP29. In summary, the draft ePrivacy Regulation prepared by the European Commission constitutes a more comprehensive piece of legislation that aims to fix and close certain open issues identified in the application of the ePrivacy Directive:

Regulation versus Directive: The draft instrument that is intended to replace the ePrivacy Directive is a Regulation. Under EU law, a Directive is an instrument that only binds EU Member States as to its content and objectives; it cannot be directly applied against individuals, and needs to be transposed into national laws and regulations for its terms to be fully effective. The ePrivacy Directive has been incorporated into numerous different acts and regulations at national level, which are subject to uneven enforcement by the respective national authorities. The European Commission’s proposal to replace the ePrivacy Directive with a Regulation means that its terms will in principle apply directly across all EU Member States.
This decision is consistent with the approach adopted with regard to the GDPR. Although Member States will still be given some freedom to deviate from the ePrivacy Regulation (particularly in the area of national security), the choice to adopt a Regulation will increase the homogeneous application of the ePrivacy Regulation across all EU Member States.

Alignment with the GDPR: A number of provisions in the draft ePrivacy Regulation demonstrate alignment with the GDPR. For example, as with the GDPR, the draft ePrivacy Regulation has a broad territorial scope and applies to the provision of electronic communication services (e.g., voice telephony, SMS services) from outside the EU to residents in the EU. As indicated below, the draft ePrivacy Regulation also aims to close the gap with the GDPR from an enforcement perspective, by empowering DPAs to monitor the application of the privacy-related provisions of the draft ePrivacy Regulation under the conditions established in the GDPR. The regime for sanctions is also aligned with the GDPR, foreseeing the possibility that organizations be fined up to EUR 20 million or 4% of their worldwide annual turnover for certain infringements (e.g., breaches of secrecy requirements, cookies requirements and the rules on the use of metadata). From a substantive perspective, the definitions of a number of legal concepts used in both the GDPR and the draft ePrivacy Regulation have also been aligned (e.g., the conditions for “consent,” the “appropriate technical and organization measures to ensure a level of security appropriate to the risks”).
Inclusion of OTT Service Providers: In response to the feedback of stakeholders, the draft ePrivacy Regulation indicates that the new Regulation will apply to providers of services that run over the Internet (referred to as “over-the-top” or “OTT” service providers), such as instant messaging services, video call service providers and other interpersonal communications services.[53] This expansion in scope is achieved by the broad definition of “electronic communications services” in the draft, and is consistent with the regulatory overhaul that is currently ongoing in the field of electronic communications.[54]

Cookies and Other Connection Data: Like the ePrivacy Directive, the draft ePrivacy Regulation contains a provision that addresses the circumstances under which the storage and collection of data on users’ devices is lawful. These practices can continue to be based on the prior consent obtained from users. Absent users’ consent, according to the draft ePrivacy Regulation, it will still be possible to carry out these practices provided that:[55]
they serve the purpose of carrying out (not facilitating) the transmission of a communication over an electronic communications network; or
they are necessary (albeit not strictly necessary) for providing: (i) a service requested by the end user; or (ii) first-party web audience measuring.
The recitals of the draft ePrivacy Regulation suggest that the circumstances in which consent is not required can be interpreted more broadly than under the current ePrivacy Directive.[56] For example, first-party analytics cookies, cookies used to give effect to users’ website preferences and cookies required to fill out online forms could be understood to be exempt from the consent requirement.[57]

The ePrivacy Regulation contains a new set of seemingly more stringent rules applicable to the “collection of information emitted by terminal equipment to enable it to connect to another device and, or to network equipment.” Under the current draft, this collection may only occur “if it is done exclusively in order to, for the time necessary for, and for the purpose of establishing a connection,” and is subject to significant information and consent requirements.[58]

Marketing Communications: The draft ePrivacy Regulation requires all end users (including corporate and individual subscribers) to consent to direct marketing communications undertaken via electronic communications services. While telephone marketing continues to be permitted on an opt-out basis, the draft ePrivacy Regulation requires entities placing marketing calls to use a specific code or prefix identifying the call as a marketing call.[59]

Supervisory Authorities and EDPB: One of the novelties introduced by the draft ePrivacy Regulation is a section devoted to the appointment and powers of national supervisory authorities.[60] The relevant provisions clarify that the DPAs responsible for monitoring the application of the GDPR shall also be responsible for monitoring the application of the provisions of the draft ePrivacy Regulation related to privacy in electronic communications, and that the rules on competence, cooperation and powers of action of DPAs foreseen in the GDPR also apply to the draft ePrivacy Regulation.
Finally, the EDPB is empowered to ensure the consistent application of the relevant provisions of the draft ePrivacy Regulation.

Implementation: The draft provides for the ePrivacy Regulation to enter into force on 25 May 2018, at the same time as the GDPR. However, it is highly unlikely to come into force on that date, or even any time later in 2018.

b. The WP29 Opinion on the European Commission Proposal

Following the release of the European Commission’s proposal, the WP29 released its opinion on the proposed regulation in April 2017.[61] The WP29 stated that it “welcomes the proposal” and “the choice for a regulation as the regulatory instrument.” More broadly, it supported the approach of the regulation and its broad scope, along with its principle of “broad prohibitions and narrow exceptions.” However, it highlighted four points of “grave concern” that would “lower the level of protection enjoyed under the GDPR” if adopted, and made recommendations in this respect concerning:
The rules concerning the tracking of the location of terminal equipment, for instance WiFi tracking, which are inconsistent with the rules of the GDPR. The WP29 advised the European Commission to “promote a technical standard for mobile devices to automatically signal an objection against such tracking.”
The conditions under which content and metadata can be analyzed, which should be limited: consent of all end-users (senders and recipients) should be the principle, with limited exceptions for “purely personal purposes.”
Barriers used by some websites to completely block access to the service unless visitors agree to third-party tracking, known as “tracking walls,” which should be explicitly prohibited to give individuals the choice to refuse such tracking while still being able to access the website.
Terminal equipment and software, which should offer “privacy protective settings” by default, in addition to allowing the user to adjust these settings.
It is interesting to note that this was initially in the Commission’s leaked draft but not in its final proposal.

The WP29 expects that its concerns will be addressed during the ongoing legislative process.

c. The European Parliament’s amended proposal

In October 2017, the European Parliament proposed an amended version of the European Commission’s proposal.[62] It draws on some of the propositions made by the WP29. For example, the Parliament’s version is more stringent on the use of personal data and users’ privacy. Some of the notable changes include:
The prohibition on blocking access to a service solely because the user has refused the processing of personal data which is not necessary for the functioning of the service.
The requirement for providers of electronic communications services to ensure the confidentiality of the data, for instance with end-to-end encryption and the prohibition of backdoors.
The requirement for browsers to block third-party cookies by default until the user has adjusted his/her cookie settings.
The prohibition of “cookie walls” and cookie banners that prevent the use of the service unless users agree to all cookies.

In addition to the Parliament’s version, the Council of the European Union has also published a working proposal.[63] However, it is merely a draft of the presidency of the Council, which has yet to adopt a final proposal. Bulgaria, which takes the presidency of the Council of the European Union during the first half of 2018, has indicated that it intends to focus on moving negotiations ahead on the ePrivacy Regulation.[64] Tripartite negotiations will then need to begin in order to agree upon a common text to be adopted. In any case, it most likely will not be adopted by May 2018 as initially planned.

2. CJEU Case Law

2017 also witnessed important cases before the Court of Justice of the European Union (“CJEU”).

a. The Determination of the Data Controller and Applicable Law

Under the EU Data Protection Directive, the applicability of the data protection laws of a Member State depends primarily on the existence of a relevant “establishment” in that Member State. In past years, the concept of “establishment” gave rise to considerable debate. (See, for example, the 2016 ruling in the Verein für Konsumenteninformation v. Amazon EU Sàrl case,[65] repeating the CJEU’s findings in the Weltimmo judgment of 1 October 2015,[66] where it defined broadly the concept of “establishment” contained in Article 4(1)(a) of the EU Data Protection Directive.) While the CJEU has indicated that the absence of “a branch or subsidiary in a Member State does not preclude [the controller] from having an establishment there within the meaning of Article 4(1)(a)” (e.g., through the existence of other stable arrangements, like an office), such an establishment cannot be presumed to exist “merely […] because the undertaking’s website is accessible there.”

Regarding the interpretation of the notion of “establishment,” additional information was brought to light in the course of 2017. Indeed, on 24 October 2017, Advocate General Bot made public his opinion regarding the determination of the applicable law in a case where data processing activities were performed through a social media page.[67] A German company set up a fan page through a U.S.-based social network, which provided statistics based on the personal data of the visitors (such as their preferences and habits) to the company administering the fan page. The data protection authority of Schleswig-Holstein required the German company to shut down its fan page as neither the social media site nor the company itself allegedly informed visitors that their personal data was used for this particular purpose. The German Federal Administrative Court sought a preliminary ruling from the CJEU, requesting clarification.
In his opinion, Advocate General Bot first determined that the company administering the fan page was a joint controller with the social media company regarding the collection of personal data. Second, Advocate General Bot held that data processing is carried out in the context of the activities of an establishment of the controller on the territory of a Member State when an undertaking, operating a social network, sets up in that Member State a subsidiary which is intended to promote and sell advertising space offered by that undertaking and which directs its activities toward residents in that Member State.[68]

It is worth noting, however, that the opinion of Advocate General Bot in this respect is controversial. A ruling from the CJEU, which could either follow the opinion of Advocate General Bot or depart from it, is expected in 2018.

b. Claims Assignment

On 14 November 2017, Advocate General Bobek delivered his opinion on the Maximilian Schrems v. Facebook Ireland Limited case pending in the CJEU.[69] Mr. Schrems had started legal proceedings against Facebook Ireland Limited before a court in Austria, which raised the question of whether jurisdiction was established in the domicile of a consumer claimant who was assigned claims by other consumers, thus opening up the possibility of collecting consumer claims from around the world. Advocate General Bobek held that a consumer cannot invoke, at the same time as his own claims, claims on the same subject assigned by other consumers domiciled in other places in the same Member State, in other Member States, or in non-member States.

c. Outlook

On 3 October 2017, the Irish High Court referred the issue of the validity of the standard contractual clauses decisions to the CJEU for a preliminary ruling.[70] If the CJEU were to invalidate the standard contractual clauses, this ruling would in all likelihood have a tremendous impact on businesses around the world, many of which rely on these legal warranties to ensure an adequate level of data protection for data transfers outside the European Union.

3. Article 29 Working Party (WP29) Opinions

As indicated above, during 2017 the WP29 issued several Guidelines concerning the application of the GDPR to the right to data portability, the appointment and duties of DPOs, the identification of lead DPAs, the concepts of consent and transparency, and other issues. In parallel, within the framework of the GDPR, the WP29 also adopted Guidelines intended for use by the supervisory authorities to ensure better application and enforcement of the GDPR regarding the application and setting of administrative fines.[71]

In addition to the abovementioned Guidelines, the WP29 issued various opinions regarding the key issues of the Law Enforcement Directive No. 2016/680,[72] data processing in the context of Cooperative Intelligent Transport Systems (C-ITS),[73] and data processing at work,[74] as well as the draft ePrivacy Regulation proposal.[75] The WP29 also rendered public some working documents on the adequacy referential within the framework of data transfers to third countries[76] and the elements and principles to be found in Binding Corporate Rules.[77]

II. Asia-Pacific and Other Notable International Developments

In an increasingly connected world, 2017 also saw many other countries try to get ahead of the challenges within the cybersecurity and data protection landscape.
Several international developments bear brief mention here:

On 1 June 2017, China’s Cybersecurity Law went into effect, becoming the first comprehensive Chinese law to regulate how companies manage and protect digital information. The law also imposes significant restrictions on the transfer of certain data outside of the mainland (data localization), enabling government access to such data before it is exported.[78] Despite protests and petitions by governments and multinational companies, the implementation of the Cybersecurity Law continues to progress with the aim of regulating the behavior of many companies in protecting digital information.[79] While the stated objective is to protect personal information and individual privacy, and, according to a government statement in China Daily, a state media outlet, to “effectively safeguard national cyberspace sovereignty and security,” the law in effect gives the Chinese government unprecedented access to network data for essentially all companies in the business of information technology.[80] Notably, key components of the law disproportionately affect multinationals because the data localization requirement obligates international companies to store data domestically and undergo a security assessment by supervisory authorities for important data that needs to be exported out of China. Though the law imposes more stringent rules on critical information infrastructure operators (whose information could compromise national security or public welfare) than on network operators (a category broad enough to include virtually all businesses using modern technology), the law effectively subjects a majority of companies to government oversight.
As a consequence, the reality for many foreign companies is that these requirements are likely to be onerous, will increase the costs of doing business in China, and will heighten the risk of exposure to industrial espionage.[81] Despite the release of additional draft guidelines meant to clarify certain provisions of the law, the general outlook is that the law is still a work in progress, with its scope and definitions still vague and uncertain.[82] Nonetheless, companies should endeavor to assess their data and information management operations to evaluate the risks of the expanding scope of the data protection law as well as their risk appetite for compliance with the Chinese government’s access to their network data.

With the growing threat of hacking and identity theft, the Personal Data Protection Commission of Singapore issued proposed advisory guidelines on 7 November 2017 for the collection and use of national registration identification numbers. The guidance, which covers a great deal of personal and biometric data, emphasized the obligations of companies to ensure that policies and practices are in place to meet the obligations for data protection under the Personal Data Protection Act of 2012. The Commission is giving businesses and organizations 12 months from publication to review their processes and implement the changes necessary to ensure compliance.[83]

Several other countries, such as Australia and Turkey, also sought to address privacy issues and published important guidelines regarding procedures for deleting, destroying, and anonymizing personal data. Other countries like Argentina forged ahead with an overhaul of the country’s data protection regime by publishing a draft data protection bill that would align the country’s privacy laws with the GDPR requirements of the European Union.[84]

There has also been civic engagement with the public, as a number of countries solicited public comments on certain proposed regulations.
For example, Canada opened for comments a proposed regulation that would mandate reporting of privacy breaches under its Personal Information Protection and Electronic Documents Act of 2015, while India recently issued a white paper inviting comments that would inform the legal framework for drafting a data protection bill to “ensure growth of the digital economy while keeping personal data of citizens secure and protected.”[85]

[1] See Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4.5.2016, pp. 1-88, available at http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679.
[2] Case C-362/14, Maximillian Schrems v. Data Protection Commissioner (Oct. 6, 2016), European Court of Justice.
[3] For a detailed analysis of the Schrems decision, please see Gibson Dunn Client Alert: Cybersecurity and Data Privacy Outlook and Review: 2016 (Jan. 28, 2016), available at http://www.gibsondunn.com/publications/Pages/Cybersecurity-and-Data-Privacy-Outlook-and-Review–2016.aspx.
[4] http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/2016/20160726_wp29_wp_statement_eu_us_privacy_shield_en.pdf.
[5] http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=605619.
[6] https://www.whitehouse.gov/briefings-statements/statement-president-fisa-amendments-reauthorization-act-2017/.
[7] http://ec.europa.eu/newsroom/just/document.cfm?doc_id=48782.
[8] http://curia.europa.eu/juris/document/document.jsf?text=&docid=185146&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=320298.
[9] Order of the General Court of the European Union, Digital Rights Ireland v. Commission, 22 November 2017, T-670/16.
[10] http://curia.europa.eu.
[11] http://curia.europa.eu.
[12] See Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281, 23.11.1995, pp. 31-50.
[13] See GDPR, at Article 3.
[14] See WP29, Guidelines on Transparency under Regulation 2016/679 (WP260; draft not adopted yet), available at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083.
[15] See WP29, Guidelines on Consent under Regulation 2016/679 (WP259; 28 November 2017), available at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083.
[16] See GDPR, at Article 17.
[17] See EU Data Protection Directive, at Articles 12 and 14; and Case C-131/12 Google Spain SL and Google Inc. v. AEPD and Mario Costeja González ECLI:EU:C:2014:317.
[18] See WP29, Guidelines on Personal Data Breach Notification under Regulation 2016/679 (WP250; 3 October 2017), available at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083.
[19] See WP29, Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 (WP251; 3 October 2017).
[20] See GDPR, at Article 35.
[21] See WP29, Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 (WP248; 4 April 2017), available at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083.
[22] See WP29, Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 (WP248; 4 October 2017), available at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083.
[23] See WP29, Guidelines on the right to data portability (WP242; 13 December 2016), available at http://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp242_en_40852.pdf.
[24]  See WP29, Guidelines on the right to data portability (WP242 rev.01; 5 April 2017), available at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083. [25]  See EU Data Protection Directive, at Articles 4(1) and 28; and Case C-230/14 Weltimmo s.r.o v. Nemzeti Adatvédelmi és Információszabadság Hatóság ECLI:EU:C:2015:639. [26]  See GDPR, at Article 56(2). [27]  See GDPR, at Article 56(1). [28]  See GDPR, at Article 63. [29]  See GDPR, at Article 66. [30]  See WP29, Guidelines for Identifying a Controller or Processor’s Lead Supervisory Authority (WP 244; 13 December 2016), available at http://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp244_en_40857.pdf. [31] See WP29, Guidelines for Identifying a Controller or Processor’s Lead Supervisory Authority (WP244 rev.01; 5 April 2017), available at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083. [32]  See WP29, Guidelines on Data Protection Officers (‘DPOs’) (WP243 rev.01; 5 April 2017), available at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083. [33]  See Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union, OJ L 194, 19.7.2016, pp. 1-30, available at http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.194.01.0001.01.ENG&toc=OJ:L:2016:194:TOC. [34]  See ENISA, Incident Notification for DSPs in the Context of the NIS Directive: A Comprehensive Guideline on How to Implement Incident Notification for Digital Service Providers, in the Context of the NIS Directive, February 2017, available at https://www.enisa.europa.eu/publications/incident-notification-for-dsps-in-the-context-of-the-nis-directive/. [35]  E.g., domain name systems (DNS) providers and top level domain (TLD) registries; see Article 4, NIS Directive. [36]  See NIS Directive, at Article 1(1). 
[37]  With regard to essential services, the NIS Directive will apply to all entities identified by the respective national authorities as “essential” providers of such services in that Member State, see NIS Directive, at Article 5(2). [38]  See NIS Directive, at Article 18(2). [39]  See NIS Directive, at Article 16(3). [40]  See NIS Directive, at Article 18(1).  This criterion will not depend on whether the network and information systems are physically located in a given place. See NIS Directive, at Recital 64. [41]  See NIS Directive, at Article 18(2). [42]  Member States will have an additional six months after the transposition into national law to identify operators of essential services (i.e., a total of 27 months). See NIS Directive, at Article 5(1). [43]  These should respect the fundamental rights of the effective remedy and the right to be heard.  See NIS Directive, at Recital 75. [44]  See NIS Directive, at Article 7. [45]  See NIS Directive, at Recital (57) and Article 3. [46]  See NIS Directive, at Article 16(10). [47]  See NIS Directive, at Articles 16(8) and (9). [48]  See Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and personal data in electronic communications and repealing Directive 2002/58/EC (‘Privacy and Electronic Communications Regulation’), available at http://www.politico.eu/wp-content/uploads/2016/12/POLITICO-e-privacy-directive-review-draft-december.pdf. [49] https://ec.europa.eu/digital-single-market/en/proposal-eprivacy-regulation. [50] http://ec.europa.eu/newsroom/document.cfm?doc_id=44103. [51] http://www.europarl.europa.eu/sides/getDoc.do?type=REPORT&reference=A8-2017-0324&language=EN. [52] https://iapp.org/resources/article/council-of-the-eu-eprivacy-regulation-proposal-december-2017/. [53]  See draft ePrivacy Regulation, at Recital (13).  See Explanatory Memorandum, at Section 3.2. 
[54]  See, e.g., Proposal for a Directive of the European Parliament and of the Council establishing the European Electronic Communications Code (Recast), COM/2016/0590, available at http://eur-lex.europa.eu/legal-content/EN/ALL/?uri=comnat:COM_2016_0590_FIN. [55]  See draft ePrivacy Regulation, at Article 8(1). [56]  However, in practice, the WP29 had already expressed the possibility that operators do not obtain consent for the setting and receipt of cookies in some of the circumstances now covered in the draft ePrivacy Regulation, provided that certain conditions are met.  See WP29, Opinion 04/2012 on Cookie Consent Exemption (WP 194; 7 June 2012), available at http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf. [57]  See draft ePrivacy Regulation, at Recital (25). [58]  See draft ePrivacy Regulation, at Article 8(2). [59]  See draft ePrivacy Regulation, at Article 16. [60]  See draft ePrivacy Regulation, at Articles 18 ff. [61]  See WP29, Opinion 01/2017 on the Proposed Regulation for the ePrivacy Regulation (2002/58/EC) (WP247; 4 April 2017) available at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083. [62]  See European Parliament’s proposal available at http://www.europarl.europa.eu/sides/getDoc.do?type=REPORT&reference=A8-2017-0324&language=EN. [63]  See Council of the European Union’s working proposal available at http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CONSIL:ST_11995_2017_INIT&from=EN. [64]  https://www.euractiv.com/section/digital/news/bulgaria-makes-telecoms-overhaul-a-focus-during-council-presidency/. [65]  See Case C-191/15 Verein für Konsumenteninformation v. Amazon EU Sàrl available at http://curia.europa.eu/juris/document/document.jsf?text=&docid=182286&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=1126849. [66]  See Case C-230/14 Weltimmo s.r.o v. Nemzeti Adatvédelmi és Információszabadság Hatóság ECLI:EU:C:2015:639. 
[67]  See, Case C-210/16 Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v. Wirtschaftsakademie Schleswig-Holstein GmbH. [68]  See Opinion of Advocate General Bot delivered on 24 October 2017, Case C-210/16 Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v. Wirtschaftsakademie Schleswig-Holstein GmbH. [69]  See Opinion of Advocate General Bobek on Case C-498/16 Maximilian Schrems v. Facebook Ireland Limited. [70]  See Irish High Court Commercial, The Data Protection Commissioner v. Facebook Ireland Limited and Maximilian Schrems, 2016 No. 4809 P. [71]  See WP29, Guidelines on the Application and Setting of Administrative Fines for the Purposes of the Regulation 2016/679 (WP253; 3 October 2017), available at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083. [72]  See WP29, Opinion on Some Key Issues of the Law Enforcement Directive (EU 2016/680) (WP258; 29 November 2017), available at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083. [73]  See WP29, Opinion 03/2017 on Processing Personal Data in the Context of Cooperative Intelligent Transport Systems (C-ITS) (WP252; 4 October 2017), available at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083. [74]  See WP29, Opinion 2/2017 on Data Processing at Work (WP249; 8 June 2017), available at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083. [75]  See WP29, Opinion 01/2017 on the Proposed Regulation for the ePrivacy Regulation (2002/58/EC) (WP247; 4 April 2017), available at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083. [76]  See WP29, Adequacy Referential (updated) (WP254; 28 November 2017), available at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083. [77]  See WP29, Working Document Setting up a Table with the Elements and Principles to be Found in Binding Corporate Rules (WP256 and WP257; 29 November 2017), available at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083. 
[78] See FT Cyber Security, “China’s cyber security law rattles multinationals,” Financial Times (30 May 2017), available at https://www.ft.com/content/b302269c-44ff-11e7-8519-9f94ee97d996.
[79] Alex Lawson, “US Asks China Not To Implement Cybersecurity Law,” Law360 (Sept. 27, 2017), available at https://www.law360.com/articles/968132/us-asks-china-not-to-implement-cybersecurity-law.
[80] Sophie Yan, “China’s new cybersecurity law takes effect today, and many are confused,” CNBC.com (1 June 2017), available at https://www.cnbc.com/2017/05/31/chinas-new-cybersecurity-law-takes-effect-today.html.
[81] Christina Larson, Keith Zhai, and Lulu Yilun Chen, “Foreign Firms Fret as China Implements New Cybersecurity Law,” Bloomberg News (24 May 2017), available at https://www.bloomberg.com/news/articles/2017-05-24/foreign-firms-fret-as-china-implements-new-cybersecurity-law.
[82] Clarice Yue, Michelle Chan, Sven-Michael Werner and John Shi, “China Cybersecurity Law update: Draft Guidelines on Security Assessment for Data Export Revised!,” Lexology (Sept. 26, 2017), available at https://www.lexology.com/library/detail.aspx?g=94d24110-4487-4b28-bfa5-4fa98d78a105.
[83] Singapore Personal Data Protection Commission, Proposed Advisory Guidelines on the Personal Data Protection Act For NRIC Numbers, published 7 November 2017, available at https://www.pdpc.gov.sg/docs/default-source/public-consultation-6—nric/proposed-nric-advisory-guidelines—071117.pdf?sfvrsn=4.
[84] Office of the Australian Information Commissioner, “De-identification Decision-Making Framework,” Australian Government (Sept. 18, 2017), available at https://www.oaic.gov.au/agencies-and-organisations/guides/de-identification-decision-making-framework; Lyn Nicholson, “Regulator issues new guidance on de-identification and implications for big data usage,” Lexology (Sept. 26, 2017), available at https://www.lexology.com/library/detail.aspx?g=f6c055f4-cc82-462a-9b25-ec7edc947354; “New Regulation on the Deletion, Destruction or Anonymization of Personal Data,” British Chamber of Commerce of Turkey (Sept. 28, 2017), available at https://www.bcct.org.tr/news/new-regulation-deletion-destruction-anonymization-personal-data-2/64027; Jena M. Valdetero and David Chen, “Big Changes May Be Coming to Argentina’s Data Protection Laws,” Lexology (5 June 2017), available at https://www.lexology.com/library/detail.aspx?g=6a4799ec-2f55-4d51-96bd-3d6d8c04abd2.
[85] Naïm Alexandre Antaki and Wendy J. Wagner, “No escaping notification: Government releases proposed regulations for federal data breach reporting & notification,” Lexology (Sept. 6, 2017), available at https://www.lexology.com/library/detail.aspx?g=0a98fd33-1f2c-4a52-98c0-cf1feeaf0b90; Ministry of Electronics & Information Technology, “White Paper of the Committee of Experts on a Data Protection Framework for India,” Government of India (Nov. 27, 2017), available at http://meity.gov.in/white-paper-data-protection-framework-india-public-comments-invited.

The following Gibson Dunn lawyers assisted in the preparation of this client alert: Ahmed Baladi, Alexander Southwell, Ryan Bergsieker and Bastien Husson.

Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these issues. For further information, please contact the Gibson Dunn lawyer with whom you usually work or any of the following leaders and members of the firm’s Privacy, Cybersecurity and Consumer Protection practice group:

Europe
Ahmed Baladi – Paris (+33 (0)1 56 43 13 00, abaladi@gibsondunn.com)
James A. Cox – London (+44 (0)207071 4250, jacox@gibsondunn.com)
Patrick Doris – London (+44 (0)20 7071 4276, pdoris@gibsondunn.com)
Bernard Grinspan – Paris (+33 (0)1 56 43 13 00, bgrinspan@gibsondunn.com)
Penny Madden – London (+44 (0)20 7071 4226, pmadden@gibsondunn.com)
Jean-Philippe Robé – Paris (+33 (0)1 56 43 13 00, jrobe@gibsondunn.com)
Michael Walther – Munich (+49 89 189 33-180, mwalther@gibsondunn.com)
Nicolas Autet – Paris (+33 (0)1 56 43 13 00, nautet@gibsondunn.com)
Kai Gesing – Munich (+49 89 189 33-180, kgesing@gibsondunn.com)
Sarah Wazen – London (+44 (0)20 7071 4203, swazen@gibsondunn.com)
Emmanuelle Bartoli – Paris (+33 (0)1 56 43 13 57, ebartoli@gibsondunn.com)
Alejandro Guerrero Perez – Brussels (+32 2 554 7218, aguerreroperez@gibsondunn.com)

Asia
Kelly Austin – Hong Kong (+852 2214 3788, kaustin@gibsondunn.com)
Jai S. Pathak – Singapore (+65 6507 3683, jpathak@gibsondunn.com)

United States
Alexander H. Southwell – Chair, PCCP Practice, New York (+1 212-351-3981, asouthwell@gibsondunn.com)
Caroline Krass – Chair, National Security Practice, Washington, D.C. (+1 202-887-3784, ckrass@gibsondunn.com)
M. Sean Royall – Dallas (+1 214-698-3256, sroyall@gibsondunn.com)
Debra Wong Yang – Los Angeles (+1 213-229-7472, dwongyang@gibsondunn.com)
Richard H. Cunningham – Denver (+1 303-298-5752, rhcunningham@gibsondunn.com)
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, hhogan@gibsondunn.com)
Joshua A. Jessen – Orange County/Palo Alto (+1 949-451-4114/+1 650-849-5375, jjessen@gibsondunn.com)
Kristin A. Linsley – San Francisco (+1 415-393-8395, klinsley@gibsondunn.com)
Shaalu Mehra – Palo Alto (+1 650-849-5282, smehra@gibsondunn.com)
Karl G. Nelson – Dallas (+1 214-698-3203, knelson@gibsondunn.com)
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, evandevelde@gibsondunn.com)
Benjamin B. Wagner – Palo Alto (+1 650-849-5395, bwagner@gibsondunn.com)
Michael Li-Ming Wong – San Francisco/Palo Alto (+1 415-393-8333/+1 650-849-5393, mwong@gibsondunn.com)
Ryan T. Bergsieker – Denver (+1 303-298-5774, rbergsieker@gibsondunn.com)

Questions about SEC disclosure issues concerning data privacy and cybersecurity can also be addressed to the following leaders and members of the Securities Regulation and Corporate Disclosure Group:

James J. Moloney – Orange County, CA (+1 949-451-4343, jmoloney@gibsondunn.com)
Elizabeth Ising – Washington, D.C. (+1 202-955-8287, eising@gibsondunn.com)
Lori Zyskowski – New York (+1 212-351-2309, lzyskowski@gibsondunn.com)

© 2018 Gibson, Dunn & Crutcher LLP

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

January 1, 2018 |
WTR1000 Recognizes Gibson Dunn’s Trademark Work

The 2018 edition of the World Trademark Review 1000 recognized Gibson Dunn’s work in the area of trademarks, noting that the firm “deftly serves global brand leaders and makes light work of even the most complicated suits.”  Washington, D.C. partner Howard Hogan is also recognized as “a leader in helping to shape policy initiatives that benefit trademark practice in the United States and elsewhere.”  The WTR 1000, published January 2018, recommends individual practitioners and their firms exclusively in the trademark field, and identifies the leading players in 70 key jurisdictions globally.

January 24, 2018 |
Kristin Linsley and Eric Vandevelde Named Top Cyber/Artificial Intelligence Lawyers 2018

The Daily Journal named San Francisco partner Kristin Linsley and Los Angeles partner Eric Vandevelde to its 2018 list of the Top 20 Cyber/Artificial Intelligence Lawyers in California. Profiles of Linsley [PDF] and Vandevelde [PDF] were published on January 24, 2018.

January 25, 2018 |
U.S. Cybersecurity and Data Privacy Outlook and Review – 2018

In honor of Data Privacy Day—an international effort to raise awareness and promote privacy and data protection best practices—we offer this sixth edition of Gibson Dunn’s Cybersecurity and Data Privacy Outlook and Review. In 2017, companies were again challenged to navigate a constantly evolving landscape of cybersecurity and privacy issues. Last year revealed some of the largest data breaches in history, saw a new administration’s shift in priorities regarding cybersecurity, and exposed new challenges posed by increasingly “smart” and connected devices.

Among other key regulatory developments this year, the Trump administration issued an executive order addressing the cybersecurity of federal networks and critical infrastructure. The Securities and Exchange Commission (“SEC”) announced a new Cyber Unit focused on targeting cyber-related misconduct and pursued cases involving novel cyber issues, including insider trading in the wake of a data breach. The Federal Trade Commission (“FTC”) remained active in the privacy and cybersecurity space, but indicated a shift of focus to cases involving “substantial consumer injury.” The Department of Health and Human Services (“HHS”) continued enforcement of regulations under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), announcing several notable settlements. The Federal Communication Commission’s (“FCC”) role in privacy enforcement was substantially adjusted following the repeal of privacy rules put in place in 2016. And state attorneys general were active at the forefront of concerted efforts to bring enforcement actions and develop privacy and cybersecurity regulations. Indicative of this collaboration, 2017 saw the largest state data breach settlement in history.

Last year also saw frequent data breaches of varying magnitudes. Throughout the year, hackers targeted government agencies and companies in every industry, seeking personally identifiable information (“PII”), customer login information, payment information, and health care information, among others. As litigation—especially class action litigation—quickly followed many of the announced breaches, courts continued to grapple with standing issues in the wake of Spokeo, Inc. v. Robins. New class actions related to connected devices, such as TVs and cars, were also filed in 2017, and 2018 will likely see developments in this arena as more courts begin assessing standing in the context of the Internet of Things.

Overlapping international privacy frameworks also posed significant challenges for U.S. companies in 2017. With the quickly approaching May 2018 deadline for compliance with Europe’s General Data Protection Regulation (“GDPR”), companies worked to put in place appropriate policies and other safeguards. Last year also saw many other countries impose new or updated cybersecurity and data privacy regulations.

We cover these topics and many more in this year’s Review: (I) U.S. regulation of privacy and data security; (II) civil litigation; (III) international regulation of privacy and data security; and (IV) government data collection and device unlocking. For additional coverage of international developments, please see our separate International Cybersecurity and Data Privacy Outlook and Review.

Table of Contents
__________________________________________

I. U.S. Regulation of Privacy and Data Security
   A. Enforcement and Guidance
      1. Federal Trade Commission (“FTC”)
      2. Department of Health and Human Services (“HHS”)
      3. Securities and Exchange Commission (“SEC”)
      4. Federal Communications Commission (“FCC”)
      5. Consumer Financial Protection Bureau (“CFPB”)
      6. State Attorneys General
      7. New York Department of Financial Services (“NYDFS”)
      8. Trump Administration Actions
   B. Legislative Developments
      1. Federal Developments
      2. State Developments
II. Civil Litigation
   A. Standing After Spokeo
      1. Background
      2. Post-Spokeo Standing Decisions in Privacy Cases
      3. Looking Ahead
   B. Data Breach Litigation
      1. Litigation
      2. Settlement Trends
      3. Shareholder Derivative Suits
   C. Interceptions and Eavesdropping
      1. Email Scanning
      2. Call Recording
      3. Other “Interceptions”
   D. Telephone Consumer Protection Act
   E. Video Privacy Protection Act
   F. California’s Song-Beverly Credit Card Act and Point-of-Service Data Collection
   G. Biometric Information Privacy Acts
   H. Internet of Things and Device Hacking
      1. Connected and Autonomous Vehicles
      2. Routers, Cloud Storage, and Connected Cameras
      3. Smart TVs
      4. Smart Toys
      5. Regulatory Guidance
   I. Civil Litigation: Cybersecurity Insurance
      1. State of the Market
      2. State of the Law – Key Cases
   J. Fair Credit Reporting Act
III. Government Data Collection
   A. Challenge to Government “Gag Orders”
   B. Carpenter v. United States and the Collection of Cell Phone Data
   C. Electronic Communications Privacy Act Reform Efforts
   D. Device Unlocking
   E. Extraterritoriality of Subpoenas and Warrants
   F. Collection of Records from Third-Party Cloud Providers
   G. Foreign Intelligence Surveillance Act Section 702
IV. International Regulation of Privacy and Data Security
   A. The European Union
      1. General Data Protection Regulation (“GDPR”)
      2. EU-U.S. Privacy Shield
   B. China and Other International Developments
V. Conclusion
__________________________________________

I. U.S. Regulation of Privacy and Data Security

Companies doing business in (and with) the United States continue to face a morass when it comes to government regulation of privacy and data security due to the competing and overlapping efforts of myriad federal and state government regulators in this space. Nearly every major federal agency has now weighed in on data security issues in one form or another, as have most states. Below, we cover the most notable enforcement efforts, regulatory guidance, and legislative developments from the past year.

A. Enforcement and Guidance

1. Federal Trade Commission (“FTC”)

In 2017, the FTC remained one of the most active and far-reaching government agencies regulating privacy and data security. All told, the FTC announced 12 enforcement actions related to privacy and data security issues, while also making headlines with its related public statements and guidance. We address the most notable enforcement actions and guidance from the FTC below.

a. Data Security and Privacy Enforcement

Equifax. In September 2017, the FTC announced it had begun investigating the massive data breach at Equifax Inc., the Atlanta-based consumer credit bureau. [1] The week before the announcement, Equifax revealed that in May, hackers had exploited a flaw in the company’s website that allowed them to access the account information of up to 143 million customers, including driver’s license numbers, addresses, birthdates, and Social Security numbers. This breach represented one of the largest in recent memory and, given the centrality of credit-reporting agencies to activity throughout the economy and the sensitive nature of the information involved, sparked renewed public scrutiny of data security issues. The FTC did not elaborate on the scope of its investigation, but the announcement itself was significant given that the Commission rarely comments on ongoing investigations.

TaxSlayer.
Further underscoring the FTC’s increased attention to companies that store consumer financial data, in August 2017 the Georgia-based online tax preparation service TaxSlayer, LLC, agreed to settle FTC allegations that it allowed hackers to access nearly 9,000 user accounts between October and December 2015. [2] The hackers then used this information to fraudulently obtain tax returns. The FTC alleged that TaxSlayer failed to implement adequate security measures, such as requiring strong passwords, providing a clear and conspicuous privacy notice, or conducting risk assessments. As part of the settlement, TaxSlayer agreed to obtain biennial third-party assessments of its compliance with data privacy regulations, but neither confirmed nor denied liability.

LabMD. As we highlighted in our 2016 Year-End Update, the now-defunct medical testing laboratory LabMD appealed an FTC order finding that the company failed to reasonably protect its customers’ personal information from data breaches and requiring it to establish a comprehensive information security program to safeguard against such breaches in the future. [3] In 2008, billing information for approximately 9,300 consumers became accessible on a peer-to-peer network, and other personal information for at least 500 consumers ended up in the hands of identity thieves. [4] The FTC’s order overturned the initial ruling of its own Administrative Law Judge, which had dismissed the Commission’s charges because they failed to show that the company’s conduct created a probability of harm. [5] In November 2016, the Eleventh Circuit granted the company’s request for a stay pending appeal of the Commission’s decision, [6] and this past June the court heard oral argument in the case. The Eleventh Circuit’s ruling could significantly reshape the FTC’s authority to regulate data privacy harms.
At issue in the oral argument was whether the FTC must show proof of actual consumer harm to bring a data security enforcement action under Section 5 of the FTC Act. LabMD argued that the FTC overstepped its enforcement authority because no consumer suffered an actual injury as a result of the company’s data breach. The FTC countered that it nevertheless could exercise its enforcement authority under Section 5 because the unauthorized exposure of health care information constitutes a substantial injury under traditional principles of privacy tort law. The panel was expected to issue a ruling in the months after the oral argument, but it has not yet done so.

D-Link. In January 2017, the FTC filed suit against the network equipment manufacturer D-Link Corp. over the company’s allegedly inadequate security measures in its routers and internet cameras. [7] In its complaint, the FTC alleged that the company’s failure to properly secure its routers and cameras left consumers vulnerable to hackers, particularly through their live video and audio feeds. Further, the complaint alleged that the company misled consumers by advertising on its website that its products are “Easy to Secure” and contain “Advanced Network Security.” In September, the district court granted in part and denied in part the company’s motion to dismiss the FTC’s complaint. [8] The district court’s ruling may have a dramatic impact on the FTC’s ability to bring claims against companies for putting consumers’ information at risk. The court found that three of the complaint’s six counts were pled inadequately or with insufficient particularity, and gave the FTC until late October to re-plead its claims.
Specifically, the court found that, for the three dismissed claims, the FTC failed to adequately plead harm because it relied “solely on the likelihood that [D-Link] put consumers at ‘risk’ because ‘remote attackers could take simple steps, using widely available tools, to locate and exploit defendants’ devices, which were widely known to be vulnerable,’” [9] and that this amounts to “a mere possibility of injury at best.” [10] D-Link submitted its amended answer in October, and fact discovery is ongoing.

Vizio. In February 2017, TV manufacturer Vizio Inc. entered into a settlement with the FTC and the New Jersey Attorney General over allegations that it secretly gathered users’ viewing data and shared it with third parties. [11] The settlement is significant given the increasing ubiquity of so-called “smart” devices, from televisions to thermostats to electronic assistants. Specifically, the regulators alleged that beginning in February 2014, Vizio began collecting second-by-second information about the content displayed on its “smart TVs,” including content from cable, broadband, set-top boxes, streaming devices, and DVDs. Vizio allegedly appended this information with its users’ personal information, such as users’ age, sex, income level, marital status, household size, education level, home ownership, and home value. Vizio would then sell this information to third parties. As part of the settlement, Vizio agreed to pay $2.2 million and overhaul its data collection practices, as well as delete data obtained prior to March 1, 2016, and obtain affirmative consent from consumers regarding the company’s data collection practices. Notably, Acting Chairwoman Maureen Ohlhausen issued a concurring statement expressing skepticism that Vizio’s conduct caused, or was likely to cause, a substantial injury to consumers. As part of the settlement, Vizio neither admitted nor denied liability.

Lenovo.
In September 2017, the FTC announced that it had entered into a settlement, along with 32 state Attorneys General, with Lenovo Inc. over allegations that the company preloaded some of its computers with invasive software that compromised consumers’ privacy and security. [12] The Commission alleged that, beginning in August 2014, Lenovo began selling laptops in the U.S. with a software program called VisualDiscovery, created by a company called Superfish, Inc., that would access consumers’ personal information transmitted via the internet, such as login info for websites, Social Security numbers, medical information, and financial and payment information. The software would then send some of this information to the software company’s servers, where the information was allegedly stored insecurely. This settlement is significant given the high value digital companies place on leveraging data regarding consumers’ preferences to target their advertisements. As part of the settlement, Lenovo must get consumers’ affirmative consent before preinstalling this sort of software; must implement a comprehensive software security program, which is subject to third-party audits for a period of 20 years; and must pay $3.5 million to state regulators. Lenovo neither admitted nor denied liability as part of the settlement.

b. Data Breach Guidance

With the arrival of the Trump administration, and 3 open seats on the Commission, companies and commentators have been watching carefully for any signal of whether, and how, the FTC’s regulatory focus and enforcement priorities will change in coming years. Several recent statements provide some indication—albeit not definitive answers—about what the future may hold under the Trump administration.
In September, Acting FTC Chairwoman Maureen Ohlhausen said during a speech at the Federal Communications Bar Association that the FTC should focus on “substantial consumer injury” in determining which cases to pursue, rather than “hypothetical” harms. [13] “Government does the most good with the fewest unintended side effects when it focuses on stopping substantial consumer injury instead of expending resources to prevent hypothetical injuries,” Ohlhausen said. “So understanding consumer injury in the context of privacy and data security is very important for the commission.” [14]

While the FTC thus seems poised to cede some regulatory ground by moving away from regulating speculative harms, Acting Chairwoman Ohlhausen has also signaled that the Commission may adopt a broader definition of what constitutes a “substantial” injury. In a speech at a cybersecurity event at the Georgetown University Law Center in May, Ohlhausen noted that the FTC historically has focused on direct financial harms to consumers, but that this understanding may be too narrow. [15] Health and safety risks, such as those posed by the sharing of real-time and highly accurate location data that may leave consumers vulnerable to stalking, could also constitute a substantial injury, as could the disclosure of sensitive medical information. Whether Joseph J. Simons, whom President Trump in October announced that he intended to nominate to head the FTC, will take positions similar to those of Acting Chairwoman Ohlhausen is yet to be seen.

In her September speech, Ohlhausen announced a December workshop at which the FTC would examine the consumer harms that stem from informational injury. Leading up to the workshop, a host of pro-business groups, including the U.S. Chamber of Commerce, the Association of National Advertisers, and the Retail Industry Leaders Association, issued public comments urging the Commission to adopt a regulatory framework designed to regulate actual injuries, rather than conjectural ones. [16] In contrast, several consumer groups, such as the Electronic Privacy Information Center, encouraged the FTC to focus on the rise in data breaches and the concomitant increased risk of identity theft. The workshop took place on December 12, but the FTC has not yet announced any shifts in enforcement priorities as a result.

c. Scope of Authority—Common Carriers

As we mentioned in our last update, in May the Ninth Circuit granted the FTC’s petition to rehear en banc a dispute between the Commission and AT&T over the company’s allegedly deceptive “data throttling.” [17] AT&T argued that it was not subject to the FTC’s authority because it is a common carrier, a category that Section 5 of the FTC Act excludes from the FTC’s jurisdiction. In August 2016, a Ninth Circuit panel agreed with AT&T that, because the company engaged in non-common carrier activities such as providing consumers with mobile data and email services, it fell outside the Commission’s regulatory ambit. The full Ninth Circuit held oral argument in September but has not yet issued a ruling. An affirmance could significantly curtail the FTC’s jurisdiction.

2. Department of Health and Human Services (“HHS”)

The flurry of HHS activity in 2016 related to the protection of patient privacy continued in 2017. As HHS continued the second phase of its audit program to assess compliance with patient privacy provisions of the Health Insurance Portability and Accountability Act (“HIPAA”), [18] HHS also announced several multimillion-dollar settlements with health care companies for alleged HIPAA violations.
Matching the largest-ever HIPAA-related settlement, Memorial Healthcare Systems agreed to pay $5.5 million and implement a “robust corrective action plan” to settle claims that its employees had improperly accessed and disclosed information for over 115,000 patients. [19] HHS alleged that Memorial Healthcare Systems failed to implement and manage user access rights and, despite the results of previous risk analyses, failed to regularly review information system activity by employees and users at affiliated physician practices on applications that maintain protected information.

HHS also fined Children’s Medical Center of Dallas $3.2 million for alleged HIPAA violations after two data breaches involving lost or stolen devices that contained unencrypted patient medical information. [20] The investigation by the Office for Civil Rights (“OCR”) found that the medical center failed to implement risk management plans and failed to use encryption on its devices despite previous warnings to do so.

In addition, St. Luke’s Roosevelt Hospital Center Inc. agreed to a settlement and corrective action plan following a complaint alleging that the hospital had faxed sensitive information concerning a patient’s HIV status. [21] Although the total settlement amounted only to $387,000, the agreement stemmed from only two disclosures of Protected Health Information (“PHI”), highlighting the potential impact of even seemingly limited events.

HHS also announced several “firsts” in its HIPAA enforcement efforts, including the first enforcement action involving delayed reporting of a patient information breach and the first settlement with a wireless services provider. In the former, Presence Health agreed to pay $475,000 and revise its policies governing the privacy of patient information following allegations that it failed to properly notify more than 800 of its patients within 60 days of discovering that their personal information had been stolen. [22] In the latter, CardioNet, which provides remote mobile monitoring for patients at risk for cardiac arrhythmias, agreed to pay $2.5 million and implement a corrective action plan for the alleged disclosure of unsecured electronic protected health information (“ePHI”) after an employee’s laptop was stolen from a parked vehicle. [23] OCR found that CardioNet had insufficient risk analysis and risk management processes in place at the time of the theft, as well as a lack of final policies and procedures implementing ePHI safeguards and the HIPAA Security Rule.

Closing out the year, HHS OCR announced that 21st Century Oncology, Inc. agreed to pay $2.3 million and adopt a comprehensive corrective action plan to settle alleged violations of the HIPAA Privacy and Security Rules that were uncovered after a hacker gained access to more than 2.2 million patient records, some of which were later sold to undercover agents from the FBI. [24]

Finally, following Acting HHS Secretary Eric Hargan’s declaration of the opioid crisis as a public health emergency, HHS issued guidance regarding the circumstances in which health care providers may share a patient’s PHI with family members, friends, or legal representatives. [25] Focusing on patients who are in crisis or incapacitated, such as during an opioid overdose, the guidance interprets current HIPAA regulations as allowing health care providers to share information in certain emergency or dangerous situations, including with persons who are in a position to prevent or lessen a serious and imminent threat to a patient’s health or safety. The guidance also discusses factors to consider in assessing a patient’s decision-making capacity and provides direction on health care providers’ ability to share PHI in different situations, including when unable to obtain a patient’s consent and after the patient has had an opportunity to object.

3. Securities and Exchange Commission (“SEC”)

a. Cybersecurity Focus

In 2017, the SEC maintained the previous year’s focus on cybersecurity incidents with respect to both its external oversight responsibilities and the internal operations of the agency. Since the issuance of its cybersecurity guidance in 2011, the SEC has continued to emphasize proper communications regarding cybersecurity issues within a company’s management as well as proper disclosure of cybersecurity risks by registrants. [26]

The SEC announced in November that it will likely issue new guidance to public companies regarding disclosure and reporting of cybersecurity incidents. [27] Signaling this potential guidance, Acting Enforcement Director Stephanie Avakian stated in April that she could “absolutely” envision circumstances where enforcement would be necessary in light of a company’s failure to report cyber incidents and risks. [28] The new guidance may also include provisions encouraging companies to consider how they handle stock sales by corporate insiders around the time of a cybersecurity breach. [29] In November, the Director of the SEC’s Division of Corporate Finance, William Hinman, stated, “it would be wise for folks to re-examine their insider trading policies.” [30]

Two cybersecurity incidents with potential insider trading consequences that may influence the SEC’s new guidance were disclosed in the fall of 2017. After Equifax discovered its massive breach in July—but before it was publicly reported in September—Equifax executives sold nearly $2 million in company stock. [31] Once the news of the breach broke, stock prices dropped significantly. [32] While the SEC has not confirmed or denied any SEC investigation of the executives for insider trading, Equifax reported in its third quarter 10-Q that the SEC had subpoenaed the company “regarding trading activities by certain employees in relation to the cybersecurity incident.” [33] The second incident occurred this fall when the SEC faced its own cybersecurity threat.
On September 20, 2017, as part of its “Statement on Cybersecurity,” the SEC disclosed that a 2016 intrusion into EDGAR, the Commission’s electronic filing system for public company disclosures, may have allowed hackers to gain access to and trade on the basis of the non-public information exposed. [34] The SEC stated it did not believe the intrusion was the result of a systemic risk or that it led to the exposure of any personally identifiable information. [35] Days after the statement, the SEC announced the establishment of a Cyber Unit to “focus on targeting cyber-related misconduct.” [36]

b. Cyber Unit’s First Charges

On December 4, 2017, the SEC announced the first charges filed by the newly established Cyber Unit. [37] The SEC’s complaint alleges that Dominic Lacroix and his company, PlexCorp, operated an Initial Coin Offering (“ICO”) fraud that raised over $15 million from investors by selling a security called PlexCoin, a cryptocurrency, and promising a 1,354 percent profit in less than one month. [38] The charges filed against PlexCorp, Lacroix, and his partner Sabrina Paradis-Royer [39] include violations of the anti-fraud provisions contained in Section 10(b) of the Exchange Act and Rule 10b-5, Section 17(a) of the Securities Act, as well as registration provisions in Sections 5(a) and 5(c) of the Securities Act. [40] The district court issued an emergency order freezing the assets of the company and the executives charged, and the SEC is seeking permanent injunctions and disgorgement plus interest and penalties. The SEC is also seeking a Final Judgment prohibiting the two executives from offering digital securities in the future. [41]

4. Federal Communications Commission (“FCC”)

a. FCC Rulemaking

i. FCC Privacy Regulations for Broadband Providers Repealed

On April 3, 2017, President Trump signed a resolution repealing FCC privacy rules adopted in the prior year. [42] In 2016, the FCC adopted sweeping new regulations governing the ways in which providers of broadband Internet access service use and share their customers’ personal information. [43] There were three key components to the regulations for broadband providers: (1) notice to consumers of data collection and use policies; (2) an opt-out provision for “non-sensitive” information used or shared by the providers and a requirement to obtain affirmative opt-in consent before they can use or share “sensitive” customer data; and (3) more stringent and specific requirements for notification of any data breaches. The resolution was passed under the Congressional Review Act, which allows Congress to repeal agency rules through simple majority votes.

ii. FCC Approves Next-Gen Broadcasting Technology

On November 16, 2017, the FCC voted 3-2 to permit the use of a new broadcast transmission standard, known as ATSC 3.0 or Next Gen TV. This new broadcast standard will allow more precise geolocating of television signals, ultra-high definition picture quality, more interactive programming, and localized safety warnings that have the ability to turn on televisions as necessary to transmit emergency broadcasts. [44] Privacy advocates argue that ATSC 3.0 allows broadcasters to collect data on viewing habits, spurring user-targeted ads similar to those on the Internet. During a House Communications Subcommittee FCC oversight hearing in November, Representative Debbie Dingell requested that the FCC address the types of information broadcasters will be able to collect from consumers and how it will be handled and protected. [45]

b. Cell Phone Cybersecurity

On August 24, 2017, the FCC’s Public Safety and Homeland Security Bureau released Public Notice DA 17-799.
This Notice was a result of Congress asking the FCC to tackle “fundamental security threats” to cell phones, since Congress felt current oversight by police and private entities “neither adequately addressed these serious cybersecurity vulnerabilities nor warned its customers about the risks they face.” The Notice encourages communications service providers to implement recommended security countermeasures to prevent exploitation of carrier Signaling System 7 (“SS7”) network infrastructure. [46] According to the Notice, security vulnerabilities present within SS7 networks allow attackers to obtain subscriber information, eavesdrop on subscriber traffic, engage in financial theft, and conduct denial-of-service attacks. The March 2017 recommendations for best practices to reduce SS7 security risks include: (1) awareness and protection, which covers the set of industry recommendations that advocate increased awareness of SS7 signaling and protective measures that can be deployed by telecommunication service providers; and (2) security best practices, which covers the set of industry recommendations that deal with security best practices for SS7 communications.

c. FCC Settlements / Enforcement

i. $100M Settlement for Squatting on Spectrum Licenses

On January 12, 2017, a wireless spectrum trading company settled, for $100 million and possible divestment from its spectrum licenses, a dispute with the FCC over allegations that it lied about its buildout of wireless infrastructure. [47] Because wireless spectrum is a scarce public resource, the FCC requires companies that license spectrum to put it to good use. In 2013 and 2014, the spectrum company received licenses in the 28GHz and 39GHz bands, which are identified for use in the next generation of cellular networks, on the condition that it use them to provide services. [48] A November 2015 anonymous report alleged that the company never built several of the 39GHz systems it had told the FCC were completed. [49] As part of the settlement, the company agreed to pay a $100 million civil penalty, to surrender its licenses in the 39GHz spectrum, and to sell the remainder of its license portfolio.

ii. Robocall Fines

On June 22, 2017, FCC Chairman Ajit Pai stated that robocalls were the Commission’s top enforcement priority. [50] That same day, the FCC voted to fine a Miami man a record-breaking $120 million for allegedly making 96 million spoofed robocalls to consumers in three months in violation of the Truth in Caller ID Act. [51] Spoofing refers to deliberately falsifying caller ID information to disguise an identity with the intent to harm or defraud consumers, or wrongfully obtain anything of value. The calls—which appeared to come from local numbers—purported to offer vacation deals from major companies like TripAdvisor, Expedia, and others. Consumers who “pressed 1” were transferred to foreign call centers where operators attempted to sell them timeshares. TripAdvisor alerted the FCC to the robocalls after fielding complaints from its customers. In July and August, the FCC levied fines of nearly $3 million and $82 million against other companies for unsolicited robocalls, the magnitude of the latter due in part to the targeting of vulnerable consumers, including the elderly, the infirm, and low-income families. [52]

5. Consumer Financial Protection Bureau (“CFPB”)

The CFPB was not particularly active in the area of data privacy and security in 2017. However, on October 18, 2017, the CFPB announced a series of non-binding Consumer Protection Principles to address the developing market for financial “aggregation services.” [53] Such companies offer a broad range of products and services that are developed using consumer-provided financial data.
This data is collected and aggregated by financial services companies, “fintech” firms, and other companies. The services offered range from the provision of financial advice to the facilitation of underwriting or fraud-screening. The release of the Principles followed a November 2016 Request for Information to stakeholders in the “aggregation services” market. The Principles, intended to protect consumers who authorize third parties to collect their financial data to provide these services, are not intended to alter or interfere with the scope of existing consumer protections in this market. The CFPB simultaneously released a summary of the stakeholder insights underlying the development of the Principles. [54] The CFPB identified the following nine principles that providers of “aggregation services” should follow, all of which are anchored by the core belief that users should retain control over their information: [55]

Access: Users should be able to request and obtain information about their ownership or use of a financial product or service from the provider.

Data Scope and Usability: The scope of financial data subject to consumer and consumer-authorized access includes, but is not limited to, information about any transaction and the terms of an account. Information should be made available in a usable format for consumers and consumer-authorized third parties.

Control and Informed Consent: Consumers should be entitled to a full and effective disclosure of the authorized terms of access, storage, use and disposal of information. Consumers should also be able to readily revoke authorization to access, use or store their data.

Authorizing Payments: A user’s consent to the access of data does not constitute consent for payment authorization. Providers may request both types of authorization from a consumer requesting their services.

Security: Consumer data must be maintained securely. Parties with access to data must have adequate processes in place to protect against and effectively respond to data breaches.

Access Transparency: Users should be able to obtain information regarding the uses to which their information will be put and the parties to which it will be provided.

Accuracy: Consumer data gathered by “aggregation services” must be accurate and up-to-date.

Ability to Dispute and Resolve Unauthorized Access: Users should have the ability to dispute and resolve incidents involving unauthorized access and data sharing.

Efficient and Effective Accountability Mechanisms: Commercial participants should be incentivized to protect consumer-provided data, but also must be held responsible for any risks they introduce to consumers.

The agency emphasized that the Principles do not “establish binding requirements or obligations relevant to the Consumer Bureau’s exercise of its rulemaking, supervisory, or enforcement authority.” [56] Nor are they intended to “provide guidance on existing statutes and regulations that apply in this market.” [57] Nevertheless, the CFPB stated that the Principles “express the Bureau’s vision for realizing a robust, safe, and workable data aggregation market” and suggested that the Bureau “will continue to monitor closely developments in this market.” [58] Thus, it is possible that as “aggregation services” and “fintech” firms become increasingly prevalent, the CFPB will become more involved with the regulation of data privacy-related issues.

6. State Attorneys General

State attorneys general play a key role in data privacy and security matters. During the past year, state attorneys general were at the forefront of concerted efforts to bring enforcement actions and develop privacy and cybersecurity regulations.

a. Collaboration Among Attorneys General

During the past year, states increasingly coordinated their enforcement efforts with each other and with other government agencies to settle multi-state litigation involving mega-data breach cases. In May 2017, the Target Corporation (“Target”) reached an $18.5 million settlement—the largest state data breach settlement in history—with 47 states and the District of Columbia. The settlement brought an end to investigations jointly led by state attorneys general into Target’s November 2013 data breach involving unauthorized access to portions of Target’s computer systems that process payment card transactions at Target’s retail stores and to portions that store Target customer contact information. [59] Under the terms of the agreement, Target will be required to develop, implement, and maintain a comprehensive information security program, to hire a third party to conduct a security assessment, and to implement additional administrative safeguards to further strengthen the company’s data security. [60]

In August 2017, 33 state attorneys general reached a $5.5 million multi-state settlement with Nationwide Mutual Insurance Company (“Nationwide”) and its wholly owned subsidiary Allied Property & Casualty Insurance Company (“Allied”) over a 2012 data breach. [61] The personal information of 1.27 million people was stolen when hackers exploited a vulnerability in Nationwide/Allied’s web application hosting software—a vulnerability that allegedly could have been remedied with a previously available software patch that Nationwide/Allied had failed to apply. [62]

As described more fully above, in September 2017 Lenovo reached a $3.5 million multi-state settlement to resolve charges brought by 32 state attorneys general and the FTC. [63] Of the 23 states involved in the settlement, California received the largest share, amounting to $389,204, based largely on its size and leadership role in the investigation. [64]

Following the public announcement of the Equifax breach in September, Massachusetts became the first state to sue Equifax, claiming that Equifax failed to maintain the appropriate safeguards to protect consumer data, despite being aware of the vulnerabilities in its system for months. [65] On November 30, 2017, the Judicial Panel on Multidistrict Litigation held a hearing on the pending motion to consolidate and transfer the numerous cases filed (and cases to be filed in the future) against Equifax to the U.S. District Court for the Northern District of Georgia, near the company’s headquarters in Atlanta. [66]

b. Developments Within States

The California Attorney General settled a number of data breach and consumer protection cases. On November 22, 2017, the Attorney General settled a case with Cottage Health System (“Cottage Health”) and its affiliated hospitals to resolve allegations resulting from two separate and unrelated data breach incidents in 2013 and 2015. [67] The Attorney General alleged that Cottage Health failed to implement basic, reasonable safeguards to protect personal medical information, in violation of California’s Confidentiality of Medical Information Act, Unfair Competition Law, and HIPAA. [68] Under the terms of the settlement, Cottage Health agreed to update its security measures and pay a $2 million penalty. [69] Cottage Health was also required to hire a data privacy security officer to ensure it develops and follows appropriate procedures, as well as to begin completing annual privacy risk assessments. [70]

The New York Attorney General’s Office remained active in combatting violations of data security. On October 31, 2017, the New York Attorney General, along with the Vermont Attorney General, reached a $700,000 settlement with Hilton Domestic Operating Company, Inc., formerly known as Hilton Worldwide, Inc. (“Hilton”), as a result of two separate data security incidents in 2015 that exposed credit card numbers. [71] The investigation allegedly revealed that Hilton did not adequately protect consumers’ information and failed to provide timely notice of the breach, as New York General Business Law § 899-aa(2) requires notice to customers in the “most expedient time possible and without unreasonable delay.” [72] The settlement, among other things, requires Hilton to maintain a comprehensive information security program designed to protect consumer cardholder data and to conduct annual data security assessments.

As noted earlier, on February 6, 2017 the New Jersey Attorney General reached a settlement agreement with Vizio, Inc., a smart TV maker, for alleged violations of consumer protection laws by collecting and sharing data on the viewing habits of its smart TV users without their consent. [73] Vizio agreed to pay $2.2 million and to change its data collection practices to resolve the allegations, ending parallel investigations conducted by the Attorney General and the FTC. [74] The state obtained $1 million and the FTC obtained $1.5 million in the settlement. [75]

The Washington Attorney General released its second edition of the Annual Data Breach Report, containing a summary of the data collected from the data breach notifications required by Washington’s notification laws. [76] Since the 2015 amendment to Washington’s data breach laws, the Attorney General has actively enforced compliance with the state’s notification regulations.

7. New York Department of Financial Services (“NYDFS”)

In 2017, New York’s Department of Financial Services (“NYDFS”) adopted groundbreaking regulations that broadly regulate cybersecurity within the financial services industry. NYDFS is the New York state regulator of financial services licensed in the state and thus supervises many large banks and insurance companies.
Effective March 1, 2017, the NYDFS regulations require banks, insurance companies, and other financial services institutions subject to regulation by the NYDFS to establish and maintain a comprehensive cybersecurity program. [77] “Covered Entities” are required, among other things, to perform a risk assessment to assess their cyber risks, implement a written cybersecurity policy, and maintain a comprehensive cybersecurity program. [78] While some security measures were mandated by August 28, 2017, others are mandated by September 3, 2018, with a final compliance date of March 1, 2019. [79]

The final regulations, codified in 23 NYCRR Part 500, are largely the same as the proposed rules discussed in last year’s 2016 Year-End Update, but differ in the following key ways:

Cybersecurity programs must be based on the risk assessment performed by each Covered Entity.

Risk assessments must be performed “periodically” instead of “annually.”

The company’s cybersecurity plan can be reviewed by either a senior officer or the board of directors, but does not need to be reviewed by both.

Covered Entities must hold records, schedules, and data supporting the certificate of compliance for five years, and make this documentation of compliance available to NYDFS upon request. However, the record retention for audit trails designed to detect and respond to cybersecurity events is limited to three years.

There is a limited small business exemption for Covered Entities that have fewer than ten New York employees and less than $5 million in gross annual revenue or under $10 million in year-end total assets.

The Chief Information Security Officer (“CISO”) does not need to be an internal employee, but instead can be employed by the Covered Entity, one of its affiliates or a third-party service provider.

Companies do not need to encrypt nonpublic information in transit over external networks if doing so is “infeasible.” Instead, they may secure the information using “alternative compensating controls reviewed and approved” by the CISO. [80]

This fall, Governor Cuomo directed the NYDFS to extend the regulations to credit bureaus, expanding the reach of both the rules and the NYDFS itself, which had not previously had oversight over credit reporting agencies. Under the proposed regulation, all consumer credit reporting bureaus that operate in New York must register with the NYDFS annually, beginning on or before February 1, 2018. The compliance schedule will begin on April 4, 2018. [81]

8. Trump Administration Actions

a. Presidential Executive Order

On May 11, 2017, President Trump issued an executive order entitled “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” which lays out the administration’s priorities in three areas of focus: (1) cybersecurity of federal networks, (2) cybersecurity of critical infrastructure, and (3) cybersecurity of the nation. [82] The order directed a thoroughgoing review of existing policies regarding cybersecurity in a variety of different sectors.

For cybersecurity of federal networks, the Executive Order stated that the President would hold agency heads accountable for managing the cybersecurity risks to their agencies, and directed them to use The Framework for Improving Critical Infrastructure Cybersecurity, developed by the National Institute of Standards and Technology, to manage cybersecurity risk.
[83] The Executive Order also directed the agency heads to submit a risk management report to Homeland Security and the Office of Management and Budget (“OMB”) within 90 days, outlining their existing risk mitigation strategies and each agency’s action plan to implement the Framework, and then contemplated that the Director of the OMB would submit its own determination to the President within 60 days. [84]

The Executive Order also articulated the administration’s policy to “build and maintain a modern, secure, and more resilient executive branch IT architecture,” directing the Director of the American Technology Council—created by the President on May 1, 2017—to coordinate a report on the feasibility of transitioning all agencies to “one or more consolidated network architectures” or to “shared IT services.” [85] The American Technology Council issued a detailed report to the President on federal IT modernization in the fall of 2017, and delivered the final Federal IT Modernization report on December 13, 2017. [86]

For cybersecurity of critical infrastructure, the Executive Order stated the administration’s policy to “support the cybersecurity risk management efforts of the owners and operators” of critical infrastructure. [87] First, it directed the Secretary of Homeland Security to coordinate with other senior administration officials to identify the greatest risk of attacks to infrastructure that could result in wide-scale effects on public health, economic security or national security, and to deliver a report setting forth its findings and recommendations within 180 days. [88] Second, it directed the Secretary of Homeland Security to work with the Secretary of Commerce to determine whether existing federal policy sufficiently promotes “market transparency of cybersecurity risk management practices.” [89] Third, it directed the Secretary of Homeland Security and the Secretary of Commerce to work together with “appropriate stakeholders to improve the resilience of the internet and communications ecosystem” to “threats perpetrated by automated and distributed attacks (e.g., botnets).” [90] In response to the Executive Order, on January 5, 2018, both agencies released for public comment a report on enhancing the resilience of the Internet and communications ecosystem against botnets and other automated, distributed threats. [91] Fourth, it directed the Secretary of Energy and the Secretary of Homeland Security to coordinate with state and local governments to prepare an assessment of the Nation’s vulnerability to prolonged power outages resulting from cyber incidents. [92] Fifth, it directed the Secretary of Defense, again in coordination with the Department of Homeland Security, to prepare an assessment of the risks facing the defense industry. [93]

For cybersecurity of the nation, the Order states the administration’s policy to ensure that the internet “remains valuable for future generations.” [94] First, the Order directs various agencies to prepare a report to the President “on the Nation’s strategic options for deterring adversaries and better protecting the American people from cyber threats.” [95] Second, the Order directs agency heads to prepare a report on the agencies’ “international cybersecurity priorities” to the Secretary of State, who would then prepare a report “documenting an engagement strategy for international cooperation in cybersecurity.” [96] Finally, the Order solicits three different reports in the area of “workforce development,” focused on the education and development of an American cybersecurity workforce, on the United States’ competitiveness with peer programs in other countries, and on the United States’ national-security-related cyber capabilities. [97]

Although the release of the Executive Order was met with praise across party lines, critics in the months since it was released have noted gaps in its implementation. To date, it is unclear which federal agencies have complied with the review process set forth in the Executive Order, and in September 2017, a commentator observed that “the goal of a speedy review process . . . ha[d] not materialized.” [98] The administration has seen some turnover in cybersecurity-related posts. [99] In December 2017, the administration affirmed that cybersecurity remained a key priority and suggested that it would build on the Executive Order by releasing a new strategy for cybersecurity. [100]

b. Release of the Vulnerabilities Equities Process (“VEP”)

On November 15, 2017, the Trump administration publicly disclosed the Vulnerabilities Equities Process (“VEP”), a set of guidelines used by government agencies and departments to determine when to inform market actors of security vulnerabilities in their software and hardware. [101] The unclassified document states that the purpose of the VEP is to “balance[] whether to disseminate vulnerability information to the vendor/supplier in the expectation that it will be patched, or to temporarily restrict the knowledge . . . for national security and law enforcement.” [102] The VEP describes an Equities Review Board for interagency deliberation, consisting of representatives from several government agencies, with the National Security Agency (“NSA”) serving as the VEP Executive Secretariat. [103] Generally, an agency that learns of a vulnerability will submit information regarding the vulnerability, together with a recommendation whether to disseminate or restrict the vulnerability, to the VEP Executive Secretariat once the vulnerability reaches a certain threshold. [104] The VEP Executive Secretariat then notifies points of contact at relevant agencies. Interested agencies then state whether they concur with the recommendation to disseminate or restrict the vulnerability. [105] The VEP states that the purpose of distributing information is to obtain a consensus regarding dissemination or restriction, but also provides procedures for resolving contested preliminary determinations. [106] The VEP outlines the considerations that bear on determining whether to disseminate or restrict information regarding a vulnerability. [107]

B. Legislative Developments

1. Federal Developments

Last year did not see much congressional legislation in the area of cybersecurity.
The most significant piece of privacy legislation to reach President Trump's desk was not new legislation, but a repeal of FCC broadband provider privacy rules that were set to take effect at the end of 2017. In addition to rolling back the FCC broadband rules, Congress also took steps toward addressing foreign surveillance, cybersecurity, and data breach notification, but as of the date of this review, few of those bills have become law.

a. Repeal of Broadband Privacy Rules

In March 2017, both the House and Senate passed a resolution under the Congressional Review Act to repeal FCC broadband privacy rules that were set to take effect at the end of 2017. Entitled "Protecting the Privacy of Customers of Broadband and Other Telecommunication Services," 81 Fed. Reg. 87274 (December 2, 2016), the rules would have imposed certain privacy obligations on internet service providers ("ISPs"), such as requiring them to provide adequate privacy notices and to comply with data breach notification requirements. The most controversial of these rules was the requirement that ISPs obtain consumers' opt-in consent before sharing consumer information (such as browsing history) with third parties; certain commentators argued that the rules placed ISPs at a disadvantage compared to other online companies, such as Google and Facebook, that were not subject to them. [108] FCC Chairman Ajit Pai stated his support for the repeal in part on the belief that the rules "were designed to benefit one group of favored companies." [109] Chairman Pai's announcement also indicated that the FCC would "be working with the FTC to restore its authority to police internet service providers' privacy practices," and to "end the uncertainty and confusion that was created in 2015 when the FCC intruded in this space." [110] On April 3, 2017, President Trump signed the repeal into law. [111]

b. Foreign Surveillance

With Section 702 of the Foreign Intelligence Surveillance Act ("FISA") [112] initially set to expire at the end of 2017, there was significant debate over the appropriate scope of the U.S. government's foreign surveillance powers. Section 702 allows the U.S. government to collect, without an individualized warrant, the communications of non-U.S. persons reasonably believed to be located outside the United States, subject to certain restrictions; the privacy controversy centers on the communications of U.S. persons that are collected incidentally in the process. [113] Even before legislation on this topic was introduced, government and industry groups began advocating for their respective positions. For example, on April 18, 2017, the Office of the Director of National Intelligence released a report supporting reauthorization of Section 702, including controversial aspects such as "upstream" collection, whereby the "NSA obtains communications directly from the Internet backbone, with the compelled assistance of companies that maintain those networks." [114] With the deadline for reauthorization approaching, the House Judiciary Committee introduced the FISA Amendments Reauthorization Act of 2017 to renew Section 702 for four years while making "key reforms" to the program to "strengthen privacy protections for Americans." [115] The Senate Intelligence Committee also advanced a reauthorization bill. [116] The White House and Congress subsequently pushed the deadline for reauthorization from December 31, 2017 to January 19, 2018. [117] On January 11, 2018, the House of Representatives voted to extend Section 702 for six years with minimal changes, rejecting a push by a bipartisan group of lawmakers to impose privacy limits on the U.S. government's ability to gather emails and other personal communications. [118] The Senate approved the FISA reauthorization bill on January 18, 2018, [119] and President Trump signed the bill into law on January 19, 2018. [120] Section 702 is now set to expire at the end of December 2023. [121]

c. Email Collection by Law Enforcement

Congress continues to introduce legislation to reform the Electronic Communications Privacy Act ("ECPA"), [122] but has yet to finalize a bill for the President's signature. ECPA addresses, among other issues, the procedures law enforcement must follow to obtain stored electronic communications. For example, ECPA currently requires only a subpoena for the U.S. government to obtain emails that have been stored for more than 180 days, while emails stored for 180 days or less require a warrant. In February 2017, the House unanimously passed a bill called the Email Privacy Act [123] to reform ECPA. [124] Among other changes, the House bill would require a warrant to obtain emails over 180 days old as well. In July 2017, Senators Patrick Leahy and Mike Lee proposed the ECPA Modernization Act, a Senate version of ECPA reform. [125] The ECPA Modernization Act marks the third time in five years that the bipartisan pair has attempted to reform ECPA. The bill currently languishes in the Senate.

d. Cybersecurity and Data Breach Notification

In 2016, the House and Senate each passed legislation related to cybersecurity without finalizing any bills to be signed into law. This past year, Congress similarly attempted to address cybersecurity measures, with limited success in enacting new law. For example, on May 16, 2017, the House overwhelmingly passed the Strengthening State and Local Cyber Crime Fighting Act of 2017, which formalizes the Secret Service's National Computer Forensics Institute as the entity responsible for coordinating investigations into cyberattacks and other computer hacking, as well as for providing training to state and local agencies on handling cybercrimes. [126] After the Senate passed a version of the same bill, President Trump signed it into law on November 2, 2017. [127]

Following the Equifax data breach, the Senate and House have been considering the Consumer Privacy Protection Act of 2017.
[128] The bill would require that companies report data breaches "as expediently as possible" or face civil penalties. Congress has previously considered similar bills, however, without adopting a nationwide data breach notification standard. [129] Thus, data breach notification requirements continue to vary among the 48 states that have adopted laws on the subject, and a company that suffers a multi-state breach must still map the affected individuals to each state's definitions, triggers, and deadlines. [130]

2. State Developments

In 2017, at least 42 states introduced over 240 bills related to cybersecurity and data privacy. [131] Key areas of legislative activity include ISP data collection and tracking, data breach notification, cybersecurity committees, computer crimes, notice of employee monitoring, and cybersecurity training.

a. ISP Data Collection and Tracking

A number of states introduced legislation requiring ISPs to obtain consumer consent before gathering and sharing online data with third parties. This flurry of legislative activity comes on the heels of Congress's rollback of the FCC regulations that were poised to expand online privacy rules and to require ISPs to obtain customers' consent before selling their data to a third party. [132] While only Nevada and Minnesota have actually passed privacy laws protecting consumers' data privacy in the wake of the now-repealed FCC regulations, nearly 30 other states have introduced similar legislation. Both Nevada's and Minnesota's legislation prohibit disclosure of personal identifying information to third parties. Beyond personal identifying information, Minnesota's legislation also requires ISPs to obtain permission before disclosing subscribers' online usage and browser history. Common features across other state bills include requiring consent before collecting customers' personal identifying information, specifying the form of ISP data collection notice, and prohibiting discounts for customers who consent to their personal identifying information being shared with third parties.

In California, a recent ballot initiative would impose even greater restrictions, by requiring medium and large-sized businesses and ISPs to compile and maintain detailed records of disclosed consumer information and by requiring ISPs to maintain the same level of service for all customers, regardless of whether they opt out of information-sharing. [133] Beyond these common features, the proposed legislation in this area varies as to the liability extended beyond ISPs, for example to website operators, and as to the form of consent that must be given before gathering and sharing consumer data.

b. Data Breach Notification

Forty-eight states, as well as the District of Columbia, Guam, Puerto Rico, and the Virgin Islands, have now passed legislation requiring both private companies and government entities to notify individuals of security breaches involving their personal identifying information. Alabama and South Dakota are the only two exceptions. Since our last update, New Mexico passed legislation on April 6, 2017, effective June 16, 2017, requiring notification upon the unauthorized acquisition of personal identifying information. [134] Delaware expanded its definition of "personal identifying information" to include, in addition to the usual triggers such as passport numbers and state identification card numbers, health insurance policy numbers or other health insurance identifiers, medical history or diagnosis information, and DNA profiles. [135]

c. Cybersecurity Committees

Another trend in 2017 was the continued establishment of state committees on cybersecurity. Four states (Georgia, Massachusetts, North Carolina, and Pennsylvania) introduced bills to form cybersecurity committees to study and improve cybersecurity preparedness and to enhance state-wide responses to security threats.
Illinois introduced legislation that would form an International Cybersecurity Task Force to review reports from the Department of Homeland Security and the FBI on "Russian Malicious Cyber Activity" and to develop strategies for implementing or rejecting the recommendations in those reports. [136] Puerto Rico also enacted legislation directing the Senate and House Committees on Public Safety to research computer security with an eye toward understanding how new technologies might help ensure the proper handling of confidential information. [137]

d. Computer Crimes

In 2017, states continued to pass legislation targeting computer crimes, with increased penalties for such offenses. For example, Connecticut passed legislation establishing the crime of computer extortion by the use of ransomware as a felony. [138] This bill was introduced after the May 2017 WannaCry attack, in which a self-propagating ransomware worm exploited a vulnerability in the SMB file-sharing service of unpatched Microsoft Windows systems, disrupting the normal functions of numerous organizations, including hospitals, ambulance services, health clinics, shipping companies, and schools. Connecticut's legislature framed the bill as a preventative measure to protect against and deter similar cyberattacks. Wyoming passed legislation creating the criminal offense of computer extortion, a felony punishable by a prison term of up to ten years and a fine of $10,000, and expanding the computer crimes to be investigated by Wyoming's division of criminal investigation. [139] A number of other states also introduced legislation concerning computer crimes that remains pending. For example, New Jersey introduced a bill that clarifies the scope of the crime of unlawful access to password-protected communications, limiting it to access that is "knowingly" without authorization, and provides for imprisonment terms of up to 18 months for the most serious version of this offense.

[140] New York also introduced bills providing for the calculation of damages caused by computer tampering, classifying cyber terrorism as a Class B felony, [141] and increasing penalties for crimes involving the use of personal information, fraud, tampering, theft, and the use of a computer to commit crimes. [142]

e. Notice of Monitoring Employee Communications and Internet Access

In 2017, a handful of states introduced legislation requiring private or government employers to notify employees before monitoring their email communications or Internet access and browsing histories. Specifically, Colorado and Tennessee passed legislation providing that government entities operating electronic mail systems must adopt written policies on monitoring activities that specify when employee correspondence may be considered a public record. [143] Connecticut and Delaware now require private and public employers to give notice to employees before monitoring their email communications or Internet usage. [144] In Connecticut, non-compliance carries civil penalties of $500 for the first offense, $1,000 for the second offense, and $3,000 for each subsequent offense. [145] In Delaware, non-compliance carries a civil penalty of $100 per violation. [146]

f. Cybersecurity Training

This year, several states introduced legislation to improve state employee cybersecurity training. Illinois passed a bill that requires state employees to participate in annual training by the Department of Innovation and Technology to enhance cybersecurity preparedness. [147] New Jersey and Oregon introduced similar bills.
[148] Relatedly, California introduced legislation that would direct the Regents of the University of California and other higher education institutions to evaluate their cybersecurity education and training programs to ensure that "the state is meeting the workforce needs of the cybersecurity industry." [149]

II. Civil Litigation

Privacy-related civil litigation was again prevalent in 2017, a year that witnessed one of the largest private data breaches in history. Numerous data breaches announced in 2017 led to civil actions, including actions on behalf of government entities. Courts grappled with issues related to standing post-Spokeo, approved settlements of numerous class action suits, and presided over shareholder derivative suits alleging that directors and officers breached their fiduciary duties in overseeing corporate cybersecurity.

In addition to breach-related litigation, plaintiffs filed multiple class action lawsuits alleging that technology companies violated state and federal laws by scanning user emails for targeted advertising and other business purposes. Last year also continued the recent trend of civil and criminal cases being brought against both businesses and individuals for recording phone calls without the requisite consent, and against companies for violating the Telephone Consumer Protection Act ("TCPA") and the Video Privacy Protection Act ("VPPA"). Additionally, there was an increase in regulatory guidance and in regulatory and private actions related to the "Internet of Things," i.e., smart and connected devices.

A. Standing After Spokeo

1. Background

In 2017, litigation over standing often predominated in data privacy actions as a result of the Supreme Court's 2016 decision in Spokeo, Inc. v. Robins.

[150] As discussed further in our 2016 Year-End Update, the Supreme Court held in Spokeo that "a bare procedural violation" of a statute without a resulting "concrete" injury does not satisfy the "injury-in-fact" requirement of Article III standing. [151] The Court emphasized that "Article III standing requires a concrete injury even in the context of a statutory violation." [152]

We thus observed last year that, on its face, Spokeo seemed poised to favor defendants in data privacy litigation, but noted that lower courts' subsequent interpretation and application of Spokeo had been decidedly mixed. That trend continued in 2017, as appellate courts continued to split on whether the risk of future identity theft stemming from a data breach in which personal information was stolen is enough to confer standing absent present injury. Further, while courts continued to favor plaintiffs in cases brought under the Video Privacy Protection Act ("VPPA") and the Telephone Consumer Protection Act ("TCPA") in 2017, they often ruled for defendants on standing challenges in lawsuits concerning unlawful data retention.

2. Post-Spokeo Standing Decisions in Privacy Cases

a. Data Breach

Last year, the circuit courts diverged on the question of whether plaintiffs have standing to sue based on the possibility that they may become victims of identity theft following a data breach.

For example, in January 2017, the Third Circuit reversed a district court dismissal, finding that a putative class of customers sufficiently pled standing in a Fair Credit Reporting Act ("FCRA") case based on allegations that the defendant inadequately protected personal information that was stolen from the company.
[153] The court agreed with the plaintiffs that the purported "violation of their statutory right to have their personal information secured against unauthorized disclosure constitute[d], in and of itself, an injury in fact," and that establishing standing did not require additional "specific harm," such as economic damages. [154] It further emphasized that the wrongful "dissemination of [the plaintiffs'] own private information" was "the very injury that FCRA is intended to prevent," rather than a de minimis technical infraction that would be insufficient under Spokeo. [155] Likewise, the D.C. Circuit found standing in a data breach case based on allegations that the plaintiffs "face[d] a substantial risk of identity theft" resulting from their stolen personal information. [156]

Conversely, in an unpublished decision, the Second Circuit affirmed dismissal of a suit predicated on the alleged theft of credit card information, because the plaintiff failed to plead "a particularized and concrete injury suffered from the attempted fraudulent purchases," since she was never asked to pay for an unauthorized transaction. [157] Moreover, the court held that there was no risk of future harm because the "stolen credit card was promptly canceled after the breach and no other personally identifying information . . . [was] alleged to have been stolen." [158] The Fourth Circuit reached a similar conclusion in a data breach case concerning personal information obtained from veterans' medical care facilities, after determining that the "threatened injury of future identity theft" was speculative rather than sufficiently imminent. [159] A number of district courts also dismissed data breach claims for lack of standing where the risk of prospective harm from a data breach was, in their view, hypothetical.

[160] The Eighth Circuit reached a split decision on the question of standing based on the possibility of identity theft following a data breach in In re SuperValu, Inc., a multi-district litigation in which several putative classes sued retail grocery stores that had suffered two cyber-attacks. [161] The plaintiffs alleged theft of their personal information and violations of, among other things, various state data breach notification statutes. [162] The Eighth Circuit agreed with the district court that the plaintiffs had failed to adequately plead injury based on the risk of future identity theft, and it noted that its sister circuits, as discussed above and in our last review, had reached "differing conclusions on the question of standing" in similar data breach cases. [163] Observing that "this out-of-circuit precedent . . . ultimately turned on the substance of the allegations before each court," the Eighth Circuit concluded that the plaintiffs in SuperValu had not plausibly alleged that the "defendants' data breaches create[d] a substantial risk that [the] plaintiffs [would] suffer credit or debit card fraud." [164] However, the court also found that one named plaintiff had sufficiently pled a present injury based on actual misuse of his credit card information, and it accordingly reversed the dismissal of that individual's claims. [165]

b. Unlawful Disclosure

Standing decisions in unlawful disclosure cases in 2017 turned on whether dissemination of the information at issue posed a material risk of harm to a plaintiff's statutory interests. In keeping with Spokeo, lower courts dismissed lawsuits predicated on de minimis procedural infractions.

After the Supreme Court vacated and remanded Spokeo for further consideration of whether the plaintiff had pled a concrete injury under the FCRA, the Ninth Circuit answered in the affirmative.
[166] It held that the inaccurate information disclosed in the credit report at issue implicated "material facts" about the plaintiff's life and "could be deemed a real harm" to, inter alia, his employment prospects. [167] The Ninth Circuit similarly found standing in Syed v. M-I, LLC, an FCRA case concerning an employer's alleged failure to inform job applicants that it would check their credit histories as part of the application process, [168] as well as in a VPPA action based on allegations that the defendant disclosed information about the plaintiff's video-watching habits. [169] In the latter decision, the court held that, "although the FCRA outlines procedural obligations that sometimes protect individual interests, the VPPA identifies a substantive right to privacy that suffers any time a video service provider discloses otherwise private information." [170] The Eleventh Circuit issued an identical ruling in another VPPA appeal. [171] A number of district courts also reached similar decisions in cases concerning failures to comply with the disclosure requirements of the FCRA and the Fair Debt Collection Practices Act ("FDCPA"). [172]

However, in contrast to Syed, the Seventh Circuit found in Groshek v. Time Warner Cable, Inc. that a plaintiff did not suffer "a concrete informational injury" under the FCRA based on a prospective employer's purported failure to properly obtain an applicant's permission before procuring a credit report. [173] The court distinguished Syed on the ground that the "Ninth Circuit had factual allegations from which it could infer harm, whereas" the plaintiff in Groshek "present[ed] no factual allegations plausibly suggesting that he was confused by the disclosure form or the form's inclusion of a liability release . . . ." [174] Likewise, in an FCRA class action based on a credit reporting agency's inclusion of a defunct credit card company on its reports, the Fourth Circuit found that the named plaintiff had failed to demonstrate how he had been injured by the erroneous information and therefore had "suffered no real harm, let alone the harm Congress sought to prevent in enacting the FCRA." [175] Accordingly, the court vacated the judgment awarding damages to the class. [176] The Second Circuit similarly affirmed dismissals of two Fair and Accurate Credit Transactions Act ("FACTA") suits predicated on the printing of credit card information on restaurant and retail receipts, after finding that the purported injuries did not pose a "material risk of harm" to the plaintiffs' statutory interests. [177] District courts have followed course in other FACTA actions. [178]

c. Unlawful Retention

Unlawful retention cases have continued to trend in defendants' favor on the question of standing. For instance, in early 2017 in Gubala v. Time Warner Cable, Inc., the Seventh Circuit determined that there was no standing in a Cable Communications Policy Act ("CCPA") action based on allegations that the defendant had retained the plaintiff's personal information after the plaintiff canceled his cable subscription. [179] The court determined that there was no cognizable injury because the plaintiff failed to allege that the defendant had "ever given away or leaked or lost any of his personal information or intend[ed] to give it away or [was] at risk of having the information stolen from it." [180]

d. Unlawful Acquisition/Use

The courts have continued to split on the question of standing in unlawful acquisition and use cases. In Santana v. Take-Two Interactive Software, Inc., for example, the Second Circuit affirmed, for lack of standing, the district court's dismissal of a Biometric Information Privacy Act ("BIPA") lawsuit predicated on the defendant's alleged unlawful collection, dissemination, and retention of biometric data used to create 3D models of players' faces in basketball video games. [181] The court held that the purported BIPA violations were procedural and did not pose a "material risk of harm" to the plaintiffs' statutory interests sufficient to establish an Article III injury. [182] Conversely, over the past year, district courts found standing for a Wiretap Act claim predicated on the use of a smartphone application to track users' physical movements, [183] as well as for VPPA, Wiretap Act, and state law claims based on the collection of video-viewing information through smart TVs. [184] Courts also found standing for Driver's Privacy Protection Act claims stemming from the sale of vehicle accident reports containing personal information to third parties for solicitation purposes. [185]

e. TCPA Claims

In TCPA cases, courts have continued to find that unsolicited electronic communications constitute a concrete injury to statutory privacy rights. For example, the Ninth Circuit held that spam-like text messages about gym memberships violated "the substantive [TCPA] right to be free from certain types of phone calls and texts absent consumer consent," [186] and the Second and Third Circuits found that plaintiffs adequately alleged harm in actions based on unwanted, prerecorded telephone calls. [187] A number of district courts have reached identical conclusions in TCPA cases; [188] however, one court refused to certify a proposed TCPA class after determining that some prospective class members had consented to receive the calls at issue and thus had not suffered a cognizable injury. [189]

3. Looking Ahead

Spokeo did not provide a bright-line rule squarely prohibiting plaintiffs from suing for intangible injuries. Accordingly, lower courts have continued to grapple with its application in the data privacy space. There appears to be an emerging pro-plaintiff consensus in VPPA and TCPA actions, and courts have continued to favor defendants in retention suits. However, the circuit courts have adopted divergent views on whether data breaches resulting in stolen personal information, and the associated risk of future identity theft, are by themselves enough to confer standing absent allegations of present harm. On December 6, 2017, Spokeo again petitioned for certiorari, seeking review of the Ninth Circuit's latest standing determination. [190] However, shortly before publication of this review, the Supreme Court denied Spokeo's petition, [191] thereby declining the opportunity to clarify its precedent.

B. Data Breach Litigation

1. Litigation

a. High-Profile Breaches in 2017

Last year witnessed one of the largest data breaches in history, when it was reported that Equifax, Inc., one of the three major American credit bureaus, had its systems compromised, affecting more than 143 million Americans. But Equifax was not alone in suffering massive data breaches: for example, a security researcher revealed in June that a political data analytics company had left the voter information of nearly 200 million Americans exposed on a publicly accessible cloud storage server. Throughout the year, hackers targeted government agencies and companies in every industry, seeking out personally identifiable information ("PII"), customer login credentials, payment information, and health care information, among other data. Litigation quickly followed many of the announced breaches, including civil actions and suits on behalf of government entities.

i. Credit Bureau Attacks

In the Equifax attack, hackers were able to access names, Social Security numbers, addresses, and other PII, making the breach one of the largest not just in the number of individuals affected, but also in the breadth and sensitivity of the PII lost. The hackers gained entry by exploiting a vulnerability in a public-facing web application, which Equifax identified as an unpatched flaw in the Apache Struts web application framework for which a fix had been publicly available for roughly two months, and they were not discovered until after they had accessed dozens of sensitive databases and created over 30 different entry points into Equifax's computer systems. [192]

To date, over 240 class action lawsuits have been filed by consumers against Equifax in the U.S., including a "50-state" complaint seeking to consolidate dozens of individual suits. [193] Those suits allege a variety of common law and statutory claims, seeking monetary damages, injunctive relief, and other related relief. [194] Equifax also faces municipal suits by Chicago and San Francisco generally alleging violations of state laws and local ordinances regarding protection of personal data, consumer fraud, business practices, and breach notice requirements. [195] Additionally, the Massachusetts Attorney General has filed suit against the credit reporting agency in relation to the data breach. [196] Financial institutions, including banks and credit unions, also filed suit, seeking monetary relief for the costs the breach imposed on them, such as canceling and reissuing credit cards and absorbing the cost of fraudulent charges. [197] Shareholders have also sued Equifax, alleging violations of the securities laws and seeking damages from the company and its top officers. [198]

Equifax moved to consolidate the lawsuits it faces, which continue to proliferate. [199] As a result, the Judicial Panel on Multidistrict Litigation ordered centralization of the cases on December 6, 2017. [200] Going forward, the litigation will be heard in the Northern District of Georgia.
Equifax was not the only bureau to have sensitive information left vulnerable. On December 20, 2017, security firm UpGuard announced that it had discovered a cache of materials on an unsecured server, this time maintained by Alteryx, a data analytics company partnered with the major credit bureau Experian. [201] Sensitive personal information on 123 million U.S. households was left unsecured, including datasets from Experian and the U.S. Census Bureau. [202] The exposed data included home addresses, contact information, purchasing behavior, and financial information. [203] At least two lawsuits have already been filed against Alteryx, in California and Oregon. [204]

ii. Political Breaches

The U.S. government continued investigating the 2016 cyberattack on the Democratic National Committee, with related lawsuits drawing attention throughout 2017. Such suits included a complaint under the Freedom of Information Act filed by the Electronic Privacy Information Center against the FBI, seeking records relating to its investigation into the attack, [205] and lawsuits brought by Microsoft to seize command-and-control domains used by the Russian state-sponsored hacking group "Fancy Bear" (also tracked as APT28) to control malware on victims' computers. [206]

Then, on June 19, 2017, UpGuard announced that it had discovered that Deep Root Analytics, LLC, a data analytics company contracted by the Republican National Committee to gather voter data, had stored information on more than 198 million Americans in a publicly accessible cloud storage bucket. [207] This information included names, birth dates, addresses, voter registration details, and social media posts. [208] While it is unclear whether any malicious parties accessed the data, the exposure did lead to a class action lawsuit against Deep Root. [209] That lawsuit was dismissed by the plaintiffs with prejudice in November. [210]

Additionally, the U.S. Department of Homeland Security announced in September 2017 that it appeared Russia had undertaken extensive efforts to hack state election systems in the lead-up to the presidential election. [211] Illinois had its systems breached, while 20 other states were targeted but are not believed to have been breached. [212]

iii. Customer Information

Fast Food Restaurant Chains. 2017 was a particularly notable year for data breaches at American fast food restaurants. In February, Arby's Restaurant Group Inc. revealed a breach of customer payment card data caused by malicious software installed on the point-of-sale systems at its restaurants; suits sprang up almost immediately. [213] In April, Chipotle Mexican Grill, Inc. announced that it had detected a security breach in its processing and transmission of customer and employee data, leading to lawsuits from financial institutions. [214] In September, Sonic Corp. was confronted with multiple suits following a data breach first reported by a security journalist, in which millions of credit and debit card users may have had their card data stolen. [215] Then, in October, Pizza Hut Inc. announced that it had discovered what it deemed a "temporary security intrusion" that compromised the PII of nearly 60,000 customers who completed orders on its website or mobile app between October 1 and 2, 2017. [216] On November 7, 2017, a class action suit was filed against the company in Washington. [217]

Hotel Groups. 2017 was not any kinder to hotel groups. Lawsuits were filed in July against Sabre Hospitality Solutions, a vendor whose electronic reservation system serves thousands of travel agencies and hotels, after it announced that it had suffered a data breach compromising the information of customers who made reservations using the system between August 2016 and March 2017. [218] Credit card information and cardholder names were stolen.

InterContinental Hotels Group ("IHG") is facing its own class action lawsuit after it announced a data breach that affected 12 of its properties. Malware was found on servers that processed payments made at on-site restaurants and bars during the second half of 2016. [219] IHG has moved to dismiss, and the motion is currently being briefed.

Whole Foods. Whole Foods Market Group, Inc. found itself the target of a lawsuit following its September 28, 2017 announcement that the point-of-sale systems at its taprooms and full-service restaurants (but not its grocery checkout systems) had been compromised. The suit, a class action filed by a customer, alleges negligence on the part of Whole Foods for failing to protect her information, as well as violations of the Fair Credit Reporting Act and Ohio's Consumer Sales Practices Act. [220]

iv. Health Information

The number of data breaches affecting health care providers continued to rise in 2017, with over 340 incidents reported to the Department of Health and Human Services. [221] The past year did not, however, witness any massive breaches comparable to the 2015 attack on Anthem, which resulted in the disclosure of more than 78 million individuals' PII. [222] Interestingly, of the five largest health care-related breaches in 2017, only one has resulted in litigation so far.

Commonwealth Health Corporation. In March 2017, Commonwealth Health Corporation's Kentucky-based Med Center Health announced that up to 697,800 individuals may have had their billing and health information stolen in a breach that occurred in 2014-15. [223] No external hacking was involved; rather, a former employee accessed the information without authorization, a reminder that insider misuse of legitimate access can produce a breach as large as any outside intrusion. This is believed to be the largest breach of a health care provider in 2017, in terms of the number of records compromised. [224] While federal investigators look into the matter, at least one lawsuit has been filed against the company by affected patients. [225]

v. Law Firms and Business Information

Cyberattacks affected two large international law firms, among others, in 2017. DLA Piper was hit in June 2017 by the NotPetya outbreak, malware that presented as ransomware but functioned as a wiper, which disabled the firm's communications systems for several days; no lawsuits have been filed by its clients as yet. [226] Litigation followed a data breach at the Cayman Islands-based law firm Appleby; however, it was Appleby going on the attack, suing the BBC and The Guardian over their reporting of offshore transactions by the firm's clients. [227] Millions of documents, dubbed the "Paradise Papers" by the media, were leaked to journalists detailing the arrangements and offshore activities of Appleby's clients. [228] Appleby sued the two media companies in the English courts in order to force the disclosure of the documents that formed the basis of their reporting. [229]

b. Update on High-Profile Data Breach Cases from Prior Years

While many prior data breach cases headed for settlement instead of being decided by the courts (as discussed in detail in the Settlements section below), some cases received significant rulings in the past year. Others continue to be litigated.

i. District Court Litigation

Yahoo. On August 30, 2017, a district court in the Northern District of California granted in part and denied in part Yahoo's motion to dismiss data breach litigation, opening the way for class action lawsuits to proceed against the web portal, now owned by Verizon Communications. [230] The district court ruled that some of the named plaintiffs had adequately alleged Article III standing at the pleading stage, because they had "alleged a risk of future identity theft, in addition to loss of value of their [personal identification information]." [231] The court dismissed certain claims in the consolidated actions, but allowed the actions to continue and the plaintiffs to amend their complaints. [232]

Office of Personnel Management.
The District Court for the District of Columbia dismissed a class action data breach suit stemming from the attack against the Office of Personnel Management, which compromised the personal data of current, former, and prospective U.S. government employees. [233]   The court ruled that the theft of data alone was not enough to establish standing for the class and that they must allege unreimbursed out-of-pocket expenses from the alleged identity theft to state an injury in fact. [234]   While the court held that two plaintiffs had alleged such expenses, it found that their claims were insufficient to establish standing because they had not sufficiently tied those injuries to the breach. [235]   The court also dismissed the case on sovereign immunity and contractor immunity grounds, and found that the complaint failed to state a claim under the Privacy Act, the Little Tucker Act, and the Constitution. [236]   Gibson Dunn represented OPM’s co-defendant, contractor KeyPoint Government Solutions, in this litigation. VTech .  The litigation arising from a 2015 cyberattack on digital learning toy-maker VTech’s servers continued to wind its way through the Northern District of Illinois.  VTech won its motion to dismiss the cases against it on July 5, 2017, as the court ruled that the plaintiffs had failed to show how the data breach could lead to future harm. [237]   Specifically, the court held that plaintiffs did not explain how the stolen data would be used to perpetrate identity theft. [238]   However, the court did not dismiss the claims with prejudice; accordingly, plaintiffs’ counsel brought an amended complaint against the company in August. [239]   The case settled in early 2018. [240] Uber.   Uber won its motion to dismiss a lawsuit stemming from a 2014 data breach.  The court held that the plaintiffs did not “plausibly allege an immediate, credible risk of harm” and thus lacked standing. 
[241]   In particular, the named plaintiff did not allege that any passwords, PINs, or Social Security numbers were among the data obtained. [242] Gibson Dunn represents Uber in this dispute, which is ongoing following Plaintiffs’ filing of a Third Amended Complaint. Noodles & Co.   Noodles & Co. won its motion to dismiss a proposed class action brought by financial institutions over its data breach suffered in early 2016. [243]   The court found that the chain had no obligation towards the credit unions that had brought the suit. [244]   The court ruled that the claims were barred under the economic loss rule. [245]   Because the duties allegedly breached were contained in a network of interrelated contracts, the rule applied; because the rule only allows for recovery of damages on a breach of contract claim, the negligence claims brought by the credit unions were invalid. ii.     Appellate Litigation CareFirst BlueCross BlueShield .  The D.C. Circuit Court revived a class action lawsuit brought by policyholders of CareFirst BlueCross BlueShield health insurance, which suffered a cyberattack in 2014 leading to the theft of 1.1 million members’ personal information, including names, birthdates, addresses, and subscriber ID numbers. [246]   The circuit court found that the breach likely exposed Social Security and credit card numbers and other personal data such that fraudulent medical claims could result, resulting in harm concrete enough to establish standing under the Supreme Court’s Spokeo decision. [247]   Although the district court had dismissed the complaint, finding that it was based on statutory violations and not concrete harm, the appellate court found that it was plausible to infer that the hackers had the intent and ability to use the stolen data for ill, leading to concrete harm. [248] Veterans Affairs .  
Conversely, the Fourth Circuit dismissed a class action suit arising from the theft of a laptop from a Veterans Affairs medical facility, which contained the unencrypted personal information of patients. [249]   The circuit court agreed with the district court’s ruling, finding that the plaintiffs’ fear of harm from future identity theft was too speculative to confer standing, even if the plaintiffs took actions to mitigate that speculative future harm. [250]   The court reasoned that the allegations of harm rested on an attenuated chain of possibilities, including the assumption that the laptop thief planned to misuse the personal information on the laptop, and planned to misuse the plaintiffs‘ personal information specifically. [251]   This chain of logic was not sufficient to establish standing under Spokeo. c.      Trends in Data Breach Cases in 2017 Courts continued to grapple with specific issues in 2017, including issues that some had thought would be settled from Supreme Court precedent in past years, such as the Spokeo decision. i.      Standing Post-Spokeo As seen in the appellate litigation above, the circuit courts are split when it comes to interpreting the high court’s decision in Spokeo (and Clapper v. Amnesty International) regarding the tests for sufficient imminence and concrete harm to confer standing.  The D.C. Circuit found in Attias that there was concrete harm from the CareFirst data breach, because it was plausible to infer that the hackers had the intent and ability to wrongfully use the stolen data. [252]   But the Fourth Circuit found in Beck that there was no concrete harm from a stolen laptop containing patient information, because the harm rested on a logical chain requiring misuse of the plaintiff’s specific personal information. [253]   The Second Circuit used similar reasoning in Whalen v. 
Michaels Stores, Inc., finding that a data breach leading to stolen credit card information was not sufficient to allege concrete harm, because the plaintiff had promptly canceled her card and there were no specifics alleged regarding any other particularized or concrete injury. [254] Like the D.C. Circuit, the Seventh, Third, and Sixth Circuits have found that risk of identity theft or credit card fraud was enough to grant constitutional standing to those who had been hacked. [255] The Eight Circuit added a new split in September in reviving a class action lawsuit brought against SuperValu Inc., by reasoning that while there was not sufficient personal information lost to allow plaintiffs to rely on risk of imminent harm due to stolen identities, there was standing because someone had used a plaintiff’s credit card to make an unauthorized purchase. [256]   That allegation was sufficient to meet the concrete injury test, even though SuperValu’s attorneys argued that there was no indication the purchase was a result of the breach. [257] ii.      Companies on the Attack 2017 has seen an uptick in firms taking the offensive in wielding litigation as a tool to fight hackers.  For instance, Microsoft has focused its attention on the command-and-control servers used by one of the most sophisticated hacking collectives attempting to direct malware onto victims’ computers.  To do so, it sued Fancy Bear in the Eastern District of Virginia. [258]   Microsoft argued that it had standing to sue because Fancy Bear had been using domain names that contained the names of Microsoft’s products to setup websites containing malware. [259]   Thereafter, Microsoft won orders from the court to compel domain name registrars to alter domains to point to Microsoft, instead of to Fancy Bear’s sites. [260]   Microsoft is now seeking a permanent injunction to give Microsoft ownership of the domains it has targeted. 
[261] In a different vein, as noted above, Appleby has wielded litigation against journalists who reported on the Paradise Papers. [262] Ultimately, these actions point to the possibility that other companies will take the fight to hackers, especially companies in the tech industry whose products are often targeted in order to foster data breaches. 2.      Settlement Trends As in 2016, companies facing major data breach litigation in 2017 have continued to choose to settle claims on a class-wide basis.  As discussed more fully below, Anthem Inc., one of the nation’s largest health insurance providers, agreed to settle a class action lawsuit brought by consumers stemming from a 2015 data security breach for $115 million. [263]   Given the financial, regulatory, and reputational risks attendant to data breach litigation, this trend is understandable.  Other trends emerged in 2017 as well.  First, defendants in data breach litigation are continuing to settle with financial institution-plaintiffs in addition to consumer-plaintiffs.  Additionally, in the aftermath of data breach settlements, some class members have objected to various elements of the settlements or proceedings.  Lastly, as is discussed more fully below, defendants facing data breach enforcement have increasingly entered into settlement agreements with state attorneys general. a.      Anthem’s Settlement In 2015, Anthem, one of the nation’s largest health insurance providers, announced that it had been the victim of a data breach in which hackers gained access to individuals’ personal information. [264]   Customer-plaintiffs brought numerous class action lawsuits against Anthem and its affiliates that were ultimately consolidated in the Northern District of California. [265]   After the court denied the defendants’ motion to dismiss in part, [266] the parties entered into a settlement on May 31, 2017. [267]   The court preliminarily approved the settlement at the end of August. 
[268] The broad strokes of the Anthem settlement are familiar.  As part of the settlement, the defendants agreed to make a $115 million payment into a settlement fund. [269]   The fund will be used, in part, to cover reimbursement for out-of-pocket costs and credit monitoring services for class members, [270] and to pay up to $37.95 million in attorneys’ fees. [271]   In addition, the defendants agreed to implement improved data security practices for at least three years and to engage an independent consultant to ensure that these practices are followed. [272] b.      Home Depot Settles with Financial Institutions Following a 2014 data breach, in 2016 Home Depot settled a class action lawsuit brought on behalf of over 50 million of its customers for $13 million. [273]   However, the settlement did not include coexisting claims brought by a consolidated class of financial institutions claiming that they were harmed by Home Depot’s failure to prevent the data breach because they were required to issue consumers new credit cards and to reimburse any fraudulent charges stemming from the data breach. [274]   In early 2017 Home Depot entered into an additional settlement with the financial intuitions and agreed to pay $25 million into a settlement fund intended for distribution among the class members. [275]   In September 2017, the Northern District of Georgia approved this settlement. [276] c.       Developments Regarding the Target Settlement In 2015, Target agreed to settle a consumer class action arising out of a 2013 data breach for $10 million. [277]   The ultimate disposition of the case and distribution of the settlement fund, however, have been significantly delayed due to various claims by objectors. [278]   For instance, in May 2017, the District of Minnesota rejected an objector’s claim that the class representatives in the case had a conflict of interest with other class members such that the settlement was inadequate. 
[279]   As of this writing, the objector’s appeal is pending before the Eighth Circuit Court of Appeals. [280] In addition, in May 2017 Target agreed to pay $18.5 million to 47 states and the District of Columbia as part of a settlement that arose out of a multi-state investigation into the same breach. [281] d.      Historical Context for Settlements of Data Breach Claims As demonstrated in the chart below, the data breach settlements in 2017 appear to be similar to those of recent years. Defendant Approval  Data Type Relief to the Class Service Awards, Fees, & Costs Home Depot (Financial Institution Class) [282] September 22, 2017 Card Data $25 million for class claims; up to $2.25 million to certain sponsored entities; security practice changes Up to $2,500 for each class representative; $710,000 in litigation costs; $15.3 million in fees Anthem [283] August 25, 2017 (preliminary approval) Personal Information $115 million for, among other things, class members’ out-of-pocket expenses and credit monitoring services; security practice changes Up to $3 million in costs and $37.95 million in fees, to be covered by $115 million settlement payment Home Depot (Consumer Class) [284] August 23, 2016  Card Data Up to $13 million for class claims; up to $6.5 million for 18 months of credit monitoring services; security practices changes $1,000 for each representative plaintiff; $166,925 in costs; $7.536 million in fees Target Corp. (Financial Institution Class) [285] May 12, 2016 Card data Up to $20.25 million for class claims; $19.108 million to MasterCardReportedly up to $67 million for Visa’s claims against Target [286] $20,000 for 5 representative plaintiffs; $2.109 million in costs; $17.8 million in fees Sony Pictures Entertainment, Inc. 
[287] April 6, 2016 Login and Personal Information Up to $2 million for preventative losses; up to $2.5 million for claims for identity theft losses; up to two years of credit monitoring services $3,000 for each named plaintiff; $1,000 for each plaintiff who initially filed an action; $2.588 million in fees St. Joseph Health System [288] February 3, 2016 Health Information $7.5 million in cash payment; up to $3 million for class claims; one year of credit monitoring services (offered during remediation); security practice changes $50,000 in incentive payments for class representatives; $7.45 million in fees and costs Target Corp. (Consumer Class) [289] November 17, 2015 Card Data Up to $10 million for claims; security practice changes $1,000 for three deposed plaintiffs; $500 for other plaintiffs; $6.75 million in fees LinkedIn [290] September 15, 2015 Login Information Up to $1.25 million for claims; security practice changes $5,000 for the named plaintiff; $26,609 in costs; $312,500 in fees Adobe Systems, Inc. [291] August 13, 2015 Voluntary Dismissal Login and Card Data Security practice changes and audit $5,000 to each individual plaintiff; $1.18 million in fees Sony Gaming Networks [292] May 4, 2015 Card Data and Personal Information Up to $1 million for identity theft losses; benefit options including free games and themes or month subscription, unused wallet credits, virtual currency; some small cash payments $2.75 million in fees 3.      Shareholder Derivative Suits In recent years, shareholders have occasionally responded to data breaches by filing derivative lawsuits against corporate directors and officers for breach of fiduciary duty in overseeing corporate cybersecurity.  From 2014 to 2017, shareholders brought five such high-profile derivative lawsuits on behalf of Wyndham Worldwide, Target, Home Depot, Wendy’s, and Yahoo.  However, these suits have generally struggled to move past the motion-to-dismiss stage.  
Both the Wyndham and Target lawsuits were dismissed after courts respectively found that the Wyndham board’s actions were protected under the business judgment rule, [293] and that pursuing legal action against Target’s directors and officers was not in the corporation’s best interest. [294]   The Home Depot case was similarly dismissed in 2015; however, the parties reached a settlement this year after the plaintiffs filed an appeal of the dismissal.  The outcomes of the Wendy’s and Yahoo litigations remain to be seen. The Home Depot .  After news broke that hackers stole the email addresses and credit card information of more than 50 million Home Depot customers, a number of the company’s shareholders filed a derivative lawsuit in September 2015 in the Northern District of Georgia, alleging that the board of directors breached its fiduciary duty by disbanding Home Depot’s infrastructure committee and moving too slowly in addressing the security breach.  On November 30, 2016, the district court dismissed the action on grounds that the shareholders failed to either demand that the board take action or demonstrate with particularized facts that such a demand would have been futile. [295]   Plaintiffs subsequently filed an appeal in the Eleventh Circuit.  However, on April 28, 2017, the parties reached a settlement pursuant to which Home Depot agreed to adopt certain cybersecurity-related corporate governance reforms and to pay the plaintiffs’ legal fees, totaling around $1.1 million. [296]   The promised reforms included maintaining an executive committee on data security, documenting the responsibilities of the company’s corporate information security officer, and requiring regular reports on the company’s IT and cybersecurity budget. [297] Wendy’s .   On December 16, 2016, just two weeks after the district court’s dismissal of the Home Depot suit, plaintiff shareholders filed a derivative action in the Southern District of Ohio against The Wendy’s Co. 
(“Wendy’s”) and certain of the company’s directors and officers.  The lawsuit stemmed from a data breach that occurred between October 2015 and June 2016, which affected 1,025 Wendy’s franchises and spawned a series of consumer protection lawsuits. [298]   The complaint asserted claims for breach of fiduciary duty, waste of corporate assets, unjust enrichment, and gross mismanagement. [299]  The plaintiffs sought money damages, corporate governance reforms, and restitution of benefits and compensation.  In an attempt to avoid the fate of the Home Depot shareholder litigation, the Wendy’s plaintiffs provide detailed allegations to support their claim of demand futility, arguing that the controlling shareholder defendants have familial or past business ties with certain directors, resulting in these directors being “beholden to the controlling shareholder defendants.” [300]   On March 10, 2017, the Wendy’s board responded with a motion to dismiss, arguing failure to state a claim and failure to make a demand or adequately plead demand futility. [301]   The board members contended that the complaint was nothing more than speculation and failed to include any specific allegations that they breached any corporate duty in regard to data security protocols. [302]  At the time of this writing, the board’s motion to dismiss was still pending. Yahoo .  The Yahoo data breach has given rise to two shareholder derivative suits.  On February 16, 2017, a Yahoo shareholder filed a lawsuit on behalf of the company in the Northern District of California. [303]  On February 23, 2017, another group of Yahoo Inc. shareholders filed a second derivative lawsuit in Delaware Chancery Court. [304]   Both cases have since been stayed, the former pending the entry of final judgments in the securities and consumer class actions also filed against Yahoo in the wake of the breach. [305] C.     Interceptions and Eavesdropping 1.      
Email Scanning As in past years, 2017 saw key developments in class action lawsuits alleging technology companies violated state and federal laws by scanning user emails for targeted advertising and other business purposes.  Companies operating electronic communications services should continue to monitor such lawsuits, as they allege privacy violations based on what many consider to be standard industry practices, concern potentially massive proposed classes including all or many users of such services, and analyze the disclosures that satisfy consent to information collection and use. Matera v. Google Inc.   Plaintiffs in Matera v. Google Inc. filed a class action against Google in September 2015, alleging that Gmail violates the CIPA and ECPA by intercepting emails of non-Gmail users in order to provide targeted advertising.  In 2016, the court denied Google’s motion to dismiss as to the merits of plaintiffs’ claims, [306] and granted in part and denied in part Google’s motion to dismiss based on lack of standing. [307]   Most significantly, the court concluded that based on “the historical practice of courts recognizing that the unauthorized interception of communication constitutes cognizable injury” and “the judgment of Congress and the California Legislature [that] alleged violations of . . . the Wiretap Act and CIPA constitute injury in fact,” the plaintiffs’ complaint survived Spokeo. [308]   However, the court also held that plaintiffs lacked standing to enjoin Google from engaging in the alleged “intercepting and scanning,” which Google confirmed it had ceased. [309] In November 2016, the parties requested a stay of the proceedings and announced that they had successfully mediated a resolution of the case and finalized a settlement agreement. 
[310]   In a preliminary approval hearing held on March 9, 2017, the parties explained that, pursuant to the agreement, Google would be enjoined from “scanning in transit email for the sole purpose of collecting advertising data.” [311]   However, Google would be allowed to scan incoming in-transit email for “the ‘dual purpose’ of (1) detecting spam and malware and (2) obtaining information that would be ‘later used for advertising.'” [312]   Google also agreed to pay $2.2 million in attorneys’ fees, $2,000 for each of the two lead plaintiffs, and $123,500 for the settlement administrator. [313] On March 15, 2017, the court rejected this settlement offer, stating that the class settlement notice was “inadequate” because it was “difficult to understand.” [314]   In particular, the preliminary settlement failed to clearly disclose the “dual purpose” to which Google agreed or “the fact that Google intercepts, scans, and analyzes the content of emails sent by non-Gmail users to Gmail users for the purpose of creating user profiles” for targeted advertising. [315]   Furthermore, the court found that it was not clear whether the changes Google planned to make would bring Google into compliance with the CIPA and ECPA. [316] On July 21, 2017, the parties proposed a new settlement, which included a “plain language” recap of the changes Google plans to make. [317]   The summary stated that for three years, Google would “cease all automated scanning of emails sent to Google accounts for advertising purposes while the emails are in transmission prior to delivery to the Gmail user’s inbox.”  The settlement does not prohibit Google from scanning email for the prevention of spam or malware.  In addition, Google stated that it is making “business-related” changes to Gmail, whereby it “will no longer scan the contents of emails sent to Gmail accounts for advertising services,” either during the transmission process or after the emails have been delivered.  
These changes are not subject to the three-year time period, and are independent of the settlement. [318]  The court preliminarily approved the revised settlement on August 31, 2017. [319]   A final fairness hearing is scheduled for February 8, 2018. Cooper v. Slice Technologies, Inc. & UnrollMe Inc.   In Cooper v. Slice, plaintiffs brought a class action for damages and injunctive relief, alleging that UnrollMe and its parent company, Slice Technologies, violated the ECPA and SCA by failing to adequately disclose UnrollMe’s practice of scanning emails and selling data to third parties. [320]   UnrollMe is a web service that unsubscribes users from mailing lists, newsletters, and other unwanted emails. [321]   Plaintiffs asserted that UnrollMe intercepted and accessed user’s emails without consent or authorization, or exceeded authorization by accessing emails for the purpose of extracting and selling consumer data. [322] Defendants moved to dismiss the lawsuit on October 12, 2017. [323]   Among other things, defendants argued that plaintiffs failed to allege injury in fact to establish Article III standing under Spokeo, since plaintiffs did not allege their actual emails were sold to other companies, or that anonymized data that was extracted from plaintiffs’ emails was reidentified after being sold.  Defendants also asserted that plaintiffs failed to state a claim under the Wiretap Act because defendants purportedly disclosed the activities at issue in their privacy policy, and because plaintiffs alleged only access to their stored emails, whereas the Wiretap Act applies to the “interception” of communications. 2.     Call Recording In recent years, there have been a number of civil and criminal cases brought against both businesses and individuals for recording phone calls without the requisite consent.  The recording of telephone conversations is governed by a patchwork of federal and state law.  
At the federal level, the Wiretap Act permits the recording of phone calls, so long as one party to the call consents to the recording. [324]   The vast majority of states have similarly adopted a “one-party” consent requirement. [325]   A minority of states have arguably adopted either a “two-party” or “all-party” consent requirement. [326] Most of the call recording cases brought in recent years have been against companies for large-scale recordings of commercial calls, rather than individual illicit recordings.  Although nearly a dozen states have all-party consent laws, much of the litigation surrounding unauthorized recordings has arisen out of California’s Invasion of Privacy Act (“CIPA”), California Penal Code § 630, et seq. [327]   Most call recording litigation based on CIPA has focused on §§ 632 and 632.7, which prohibit eavesdropping on calls to landlines and cell phones, respectively. Recently, courts have held that non-California plaintiffs may assert CIPA claims against California defendants where the alleged violations occurred in California. [328]   Indicative of this national reach, California business owners brought suit in Illinois against various banks and telemarketers alleging illegal recordings of discussions containing sensitive business information. [329]   The various defendants filed motions to dismiss, transfer, and sever the case, but the case is still pending in the Northern District of Illinois.  Significantly, some of the defendants have sought to change venue based on forum selection clauses in their customer or user agreements, rather than challenging the ability of plaintiffs to bring CIPA claims outside of California, indicating that few litigants are willing to challenge the national reach of CIPA. 
Also in the realm of jurisdictional issues related to CIPA, the Ninth Circuit recently reversed a decision to remand a CIPA class action back to state court, concluding that the plaintiff had failed to demonstrate that two-thirds of the class actually resided in California, as required by the Class Action Fairness Act (“CAFA”). [330]   Specifically, CAFA exempts from federal jurisdiction “home-state controversies,” where at least two-thirds of the proposed class and the primary defendants are all citizens of the State in which the action was originally filed. [331]   Plaintiffs’ proof that two-thirds of all class members were Californians was lacking, according to the Ninth Circuit, because, although the class contained an indeterminate number of people who were “located in” California when they received the allegedly improperly recorded phone calls, the allegations never specified how many of them were California citizens or even how large the whole class was. [332]   In reaching its decision, the court noted that Plaintiffs were aware of the class definition issue and failed to carry their burden of proving the citizenship of a sufficient number of class members. [333] In the class certification context, in Raffin v. Medicredit, Inc., the Central District of California certified a CIPA class action against Medicredit, a debt collector, for recording cell phone calls and failing to inform plaintiffs of the recording. [334]   The action sought certification of a § 632.7 class, which prohibits the recording of cell phone communications. [335]   Notably, the court concluded that the class was ascertainable for certification purposes, even though it may be necessary to undertake the challenging process of using cell site location information to verify that putative class members were in California when called. 
[336]   In analyzing § 632.7 more generally, the court also concluded that a party must be informed “at the outset,” meaning “prior to any recording of the plaintiff’s communication,” that the call is being recorded. [337]   Subsequent courts have adopted this interpretation of § 632.7, suggesting a broadening of the law’s scope. [338]   If this becomes settled law, it would align § 632.7 with § 632, which already requires notification “at the outset” for any recording of a call over a landline.  However, class certification appears to be more difficult under § 632 than under § 632.7, as the more generous test applied in Raffin diverges from the stricter analysis in Saulsberry v. Meridian Financial Services, Inc., decided last year. [339]   This may indicate a unique area of divergence in the interpretation of two statutes that are otherwise converging, or it may represent a reversal of the trend of denying class certification.  Ultimately, very few §§ 632 and 632.7 class certification motions have been decided this year, but all three of those decisions granted class certification. [340]

Adding to the body of law regarding the scope of § 632.7, the court in Ronquillo-Griffin concluded that § 632.7, like § 632, applies to parties to a communication, not just third parties, adding to the already significant number of district courts that have so interpreted § 632.7. [341]   Like the Raffin case discussed above, this indicates an increasing overlap between § 632 and § 632.7, generating a more consistent body of law governing call recordings over landlines and cell phones.

On the criminal side, the California Court of Appeal invalidated part of CIPA. [342]   California Penal Code § 632(d) renders inadmissible as evidence recordings obtained without all parties’ consent.
However, California’s constitution contains a “Right to Truth-in-Evidence” provision, which permits all relevant evidence to be admitted unless the legislature provides otherwise by a two-thirds majority vote. [343]   The Court of Appeal concluded that this provision abrogated the inadmissibility component of CIPA, rendering recordings that otherwise violate CIPA admissible. [344]

Outside of California, there has also been some litigation regarding the scope of local eavesdropping statutes.  The Arizona Court of Appeals confirmed that a phone message may be shared by the recipient of the message, even if the person leaving the message does not consent. [345]   In State v. Smith, the defendant had argued that, when leaving a voice message, there is only one “participant” to the call, but the court rejected this logic, concluding that the recipient of the message is also a participant and may consent to sharing the recorded voicemail. [346]   In a similar case, also captioned State v. Smith, the Supreme Court of Washington considered whether an inadvertent recording through the voicemail function of a cell phone falls within the purview of Washington’s all-party consent statute. [347]   The Court concluded that “the plain language of the act confirms that even an inadvertent recording of a private conversation falls within the purview of the act.” [348]

3.     Other “Interceptions”

Emails and telephone calls are not the only communications that can be intercepted, and plaintiffs are increasingly bringing lawsuits based on novel theories of interception and collection of data.  This year saw a number of developments in ongoing lawsuits, as well as several actions alleging new theories of Wiretap Act violations.

Opperman et al v. Kong Technologies, Inc. et al.
In April 2017, several major tech companies, including Twitter, Yelp, Instagram, Foursquare, and Path, agreed to settle a putative class action accusing them of violating the ECPA and the Texas Wiretap Act, as well as common law privacy rights. [349]   The putative class action complaint, originally filed in 2012, alleged that the defendants’ applications accessed user contact information without users’ consent. [350]   For instance, plaintiffs claimed that Twitter’s “Find Friends” feature violated consumer privacy by scanning users’ address books to see which of their contacts were on Twitter.  Twitter, on the other hand, argued that users were informed of the process and gave their permission for the service to scan their address books.  Path users alleged that the photo sharing and messaging app was accessing their contacts and calendar information without permission.  Path later issued an apology.  The defendants agreed to pay a consolidated $5.3 million as part of the deal, which covers a proposed class of an estimated 7 million claimants who downloaded the companies’ iOS apps on their Apple devices and activated the “Add Friends,” “Find Friends” or “Suggested Friends” feature offered by the relevant application. [351]   A final approval hearing was held on December 14, 2017.

In re Vizio, Inc. Consumer Privacy Litigation

In this putative class action, plaintiffs alleged that Vizio violated the ECPA and the VPPA, and asserted several state law fraud, negligent misrepresentation, and consumer protection claims, based on Vizio’s use of its smart TVs to secretly collect, and distribute to advertisers, information on customer viewing habits so that advertisers could deliver targeted advertising in real time. [352]   On March 2, 2017, the court granted Vizio’s motion to dismiss plaintiffs’ Wiretap Act, state law video privacy, negligent misrepresentation, affirmative fraud, and California false advertising claims with leave to amend.
Vizio’s motion was denied as to plaintiffs’ VPPA, fraudulent omission, state privacy law, and unjust enrichment claims.  With respect to the Wiretap Act claims, the court found that plaintiffs failed to adequately plead simultaneous interception (relying instead on vague allegations that Vizio’s data collection occurred in “real time”), but did not reach Vizio’s argument that its collection and disclosure software does not capture the “contents” of electronic communications. [353]   On March 23, 2017, plaintiffs filed a second consolidated complaint that dropped all of the dismissed causes of action except the Wiretap Act claims. [354]   Addressing the deficiencies in the prior complaint, plaintiffs now alleged that Vizio’s software takes samples of the programming displayed on a TV at any point in time and sends fingerprints of those samples to a centralized fingerprint matching server to compare against existing fingerprints in its database, a process that operates fast enough to provide “at least some context-sensitive content substantially simultaneously with at least one targeted video.” [355]

On April 13, 2017, Vizio moved to dismiss plaintiffs’ Wiretap Act claims for failure to state a claim, attacking only whether its software captures the “contents” of electronic communications. [356]   Denying dismissal on July 25, 2017, the court ruled that because the intended message of the communication Vizio’s software captures is the program being watched, the intercepted data extends beyond metadata to samples of the actual content.
[357]   The court also rejected Vizio’s assertion that its software does not collect the contents of electronic communications because the samples are “tiny” and “unrecognizable,” noting that the standard for determining whether information qualifies as content does not depend on how much content is collected or whether the intercepted information would be “recognizable.” [358]

In its motion to dismiss, Vizio also argued that plaintiffs’ demand for injunctive relief was moot because a recent agreement with the FTC and the New Jersey Attorney General, in which Vizio was fined $2.2 million and agreed to obtain affirmative express consent before collecting any consumer data, ensured that the offending data collection had stopped. [359]   Finding that the agreements were insufficient to ensure that Vizio’s improper data collection would not recur, the court denied Vizio’s motion to dismiss on mootness grounds. [360]

Satchell v. Sonic Notify, Inc.

In a class action filed in August 2016, plaintiff alleged that the Golden State Warriors’ mobile app, developed by YinzCam, uses the phone’s microphone to track users’ locations by picking up on sonic beacons built by Signal360, and violates the Wiretap Act by secretly recording users’ conversations in the process. [361]   Defendants moved to dismiss on November 1, 2016, and on February 13, 2017, the court granted the motion in part and denied it in part. [362]   The court ruled that although plaintiff alleged sufficient facts to demonstrate she suffered an injury in fact from the purported spying, she did not sufficiently allege a violation of the Wiretap Act because she failed to show how the defendants intercepted and then used those oral communications. [363]   Plaintiff filed an amended complaint on March 13, 2017, [364] in which, the court determined, she cured those defects by alleging sufficient facts to show defendants intercepted an oral communication.
[365]   In a November 20, 2017 decision denying defendants’ motion to dismiss, the court explained, “Plaintiff cites at least four instances where she had her phone with her, the app was running and she had conversations about private matters, including nonpublic information during a business meeting and private financial matters.” [366]   However, the court dismissed YinzCam from the lawsuit, ruling that plaintiff failed to demonstrate that the company was more than a conduit for the alleged communications that were intercepted by the Warriors and Signal360. [367]

Rackemann v. Lisnr, Inc. et al.

In October 2016, the NFL’s Indianapolis Colts, and the audio software companies involved in creating the Colts’ mobile app, faced similar allegations that beacon technology was used to spy on the conversations of fans using the team’s app. [368]   Defendants moved to dismiss, and on September 29, 2017, the court denied defendants’ motion with respect to plaintiff’s interception claims and granted it with respect to his use claims.  Regarding interception, the court rejected defendants’ argument that plaintiff needed to allege specific details of the communications that may have been intercepted, finding that it was reasonable to infer that plaintiff’s smartphone was activated while he was engaged in a private conversation at some point over a four-year period. [369]   The court also found that plaintiff adequately pleaded that his communications were captured and their content acquired, as he asserted that the app recorded portions of audio, including private conversations, captured by the phone’s microphone, and that the audio was analyzed by defendants. [370]   Following the Sixth Circuit’s recent decision in Luis v. Zang, the court refused to dismiss Adept Mobile, the audio software company that, among other things, maintained the code for the app and integrated the audio technology into the app.
[371]   Citing the Sixth Circuit, the court explained that “allegations of defendants working in concert or participating in the interception of communications can suffice to state a claim.” [372]   The court did, however, dismiss plaintiff’s claim that defendants “used” intercepted data, as plaintiff pled no facts showing that the contents of plaintiff’s communications, as opposed to beacon signals, were used to send targeted advertising. [373]

Zak v. Bose Corp.

In a putative class action, plaintiff accused Bose of violating the Wiretap Act and the Illinois Eavesdropping Statute by secretly collecting, transmitting, and disclosing the private music selections of customers who downloaded Bose’s mobile app. [374]   Bose’s app allows users to pair their mobile devices with Bose wireless headphones and access key features, such as controlling the content they play. [375]   Plaintiff asserted that when he used the Bose app to view information about and control music playing on his Bose headphones, Bose collected and retained the song information displayed in the app. [376]   Plaintiff alleged that this collection constitutes an interception of electronic communications between Bose users and streaming music providers such as Spotify. [377]

In a motion to dismiss filed on August 3, 2017, Bose argued that the Wiretap Act does not apply to Bluetooth communications between an app and headphones because such communications operate between devices in close physical proximity and do not affect interstate or foreign commerce. [378]   Furthermore, Bose contended that the Wiretap Act and the Eavesdropping Statute do not apply to communications where the interceptor is one of the parties, and the communications at issue occurred between plaintiff’s Bose headphones and Bose’s own app. [379]

Allen v. Quicken Loans Inc. and Navistone, Inc.
In December 2017, Quicken Loans was hit with a proposed class action alleging that it breached the Wiretap Act by installing software on its website that secretly tracks visitors’ keystrokes, mouse clicks, and other electronic communications in order to gather personally identifiable information and de-anonymize visitors’ names and addresses. [380]   This action, which was filed in the District of New Jersey, follows two nearly identical lawsuits brought by the same plaintiffs’ firm against mattress seller Casper and retailer Moosejaw. [381]

D.     Telephone Consumer Protection Act

The past year has been eventful for actions under the TCPA. [382]   Perhaps the most anticipated TCPA topic in 2017, the D.C. Circuit’s ruling in ACA International v. FCC, remains outstanding. [383]   ACA International is a challenge to the FCC’s 2015 omnibus Declaratory Ruling and Order (the “omnibus order”) that, among other things, defined an autodialer to include any equipment with the “potential ability” to store or produce telephone numbers to be called or to call those numbers, as opposed to only equipment with the current capability to do so. [384]   The omnibus order also changed the means through which a consumer can revoke consent.  Under the omnibus order, not only may “a called party . . . revoke consent at any time and through any reasonable means,” but “[a] caller may not limit the manner in which revocation [of consent] may occur.” [385]   Oral argument was held in October 2016 and lasted for over two hours, but the D.C. Circuit has yet to issue a decision.

In Congress, both sides of the aisle appeared interested in amending the TCPA.
In late 2016, the House Energy and Commerce Committee’s Subcommittee on Communications and Technology held a hearing on the TCPA at which the Democratic ranking member applauded a move to modernize the TCPA, [386] and the Republican subcommittee chairman stated that “it is increasingly clear that the law is outdated and in many cases, counterproductive.” [387]   Though Congress has not yet acted, possible changes to the TCPA under discussion include capping statutory damages at $500,000 (matching the Truth in Lending Act’s cap) [388] and updating the TCPA to reflect the increased use of text messaging and the creation of apps that could turn a smartphone into an autodialer.

Yet Democrats and Republicans have not agreed on every TCPA issue in 2017.  For example, in March 2017, the FCC received a petition from All About the Message LLC seeking a declaration that the use of “ringless” robocalls that go straight to voicemail does not violate the TCPA. [389]   After the FCC issued a request for public comment, eleven Democratic Senators sent a letter to the FCC urging it to protect consumers from such calls, while the Republican National Committee voiced support for the petition. [390]

Even though Congress did not pass legislation amending the act, FCC leadership changed in 2017.  The FCC, which has interpretive authority over the TCPA, may by statute have no more than three of its five commissioners from the same party, and, for the past several years, was led by three Democrats and two Republicans. [391]   Following the inauguration of President Trump, the FCC now has three Republicans and two Democrats. [392]   In the upcoming year, it is likely that the Republican commissioners will scale back FCC enforcement of the TCPA. [393]   Commissioner Michael O’Rielly, a Republican, vehemently disagreed with the FCC’s 2015 omnibus order, and Chairman Ajit Pai applauded the D.C. Circuit’s March ruling in Bais Yaakov of Spring Valley v.
FCC, which held that the FCC lacked the authority under the TCPA to require opt-out notices on solicited faxes. [394]   Chairman Pai has previously been critical of plaintiffs’ counsel’s choice of litigation targets, noting that these “lawyers have found legitimate, domestic businesses a much more profitable target” for TCPA litigation, rather than “go[ing] after the illegal telemarketers, the over-the-phone scam artists, and the foreign fraudsters.” [395]   The sentiment of the current leadership suggests some regulatory restraint in 2018.

The past year also saw the resolution of several closely-watched cases.  In Krakauer v. Dish Network LLC, a jury awarded damages to a class of plaintiffs who allegedly received unwanted phone calls. [396]   The court ordered treble damages on the basis that Dish allegedly had knowledge that its marketing firm had repeatedly violated the TCPA. [397]

In United States v. Dish Network LLC, the district court found that Dish Network violated the TCPA and state laws through both its direct telephone marketing and its third-party telephone marketing campaigns. [398]   The civil penalties ordered in the case included awards to both the federal government and the state participants in the suit: California, Illinois, North Carolina, and Ohio. [399]   The matter is currently on appeal. [400]

In Birchmeier v. Caribbean Cruise Line, Inc., the parties agreed to a $76 million settlement of a class action accusing several cruise marketing companies of robocalling. [401]   The agreement provides a minimum of $135 per call, and the vast majority of class members claimed three calls, leaving plaintiffs with a much higher payment than is typical in a TCPA class action settlement of this size. [402]

E.     Video Privacy Protection Act

In 2017, courts resolved some significant VPPA-related cases that had been filed in previous years.  The VPPA, which was enacted in 1988 following a D.C.
newspaper’s disclosure of Supreme Court nominee Judge Robert Bork’s video rental records, [403] prohibits “video tape service providers” from “knowingly” disclosing “personally identifiable information concerning any consumer” to third parties. [404]   The VPPA was originally intended as a straightforward rule to prevent video stores from disclosing the video-rental habits of their patrons.  Over 20 years later, courts continue to grapple with applying this antiquated law to constantly changing technologies.

This year, courts addressed three main issues related to the VPPA: (1) standing, (2) the definition of “personally identifiable information,” and (3) the definition of “consumer” or “subscriber.”  While there is an emerging consensus on the procedural issue of standing, courts remain split on how to apply the more substantive provisions of the statute.

Both circuit courts to address the issue of standing this year found that an allegation of mere disclosure in violation of the VPPA is sufficient to meet Article III’s standing requirements.  In Eichenberger v. ESPN, Inc., plaintiffs alleged that ESPN had disclosed users’ “personally identifiable information” to Adobe Analytics, a third-party analytics company, in violation of the VPPA. [405]   Joining every circuit court [406] and all district courts [407] that have addressed the issue post-Spokeo, the three-judge panel held that the plaintiff did not need to allege any further harm beyond a disclosure of “personally identifiable information” to plead Article III standing. [408]   As described above, in Spokeo v. Robins the Supreme Court strengthened the requirements for Article III standing, requiring allegations of a concrete injury rather than a bare statutory violation.
[409]   In finding that disclosure in and of itself constitutes a concrete harm, the Ninth Circuit in Eichenberger explained that the VPPA confers a substantive right to privacy, meaning that “every disclosure” of an individual’s personally identifiable information and video-viewing history “offends the interests” the VPPA protects. [410]   Earlier this year, in Perry v. Cable News Network, the Eleventh Circuit similarly found that a disclosure alone, even without any alleged misuse of information, satisfied Article III standing requirements. [411]   The precedent set by these decisions sets a low barrier to entry for plaintiffs to bring suit under the VPPA, which may yield an increase in VPPA litigation.

Circuit courts have taken different approaches in addressing the scope of “personally identifiable information,” but the significance of any differences between the two tests is yet to be determined.  The VPPA defines “personally identifiable information” to “include[] information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider.” [412]   As discussed in our 2016 Year-End Update, the First and Third Circuits articulated two separate tests to determine what information Congress intended to cover in this statute.  In Yershov v. Gannett, the First Circuit diverged from virtually all district courts in embracing a broader definition of “personally identifiable information,” holding that it extends beyond a person’s name to include “information reasonably and foreseeably likely to reveal which . . . videos [a person] has obtained.” [413]   The court concluded that GPS coordinates and a device ID fell within this definition.
[414]   In contrast, in In re Nickelodeon Consumer Privacy Litigation, the Third Circuit adopted an “ordinary person” test, finding that “personally identifiable information” includes only information that “would readily permit an ordinary person to identify a specific individual’s video-watching behavior.” [415]   In finding that digital identifiers such as MAC addresses and IP addresses did not constitute “personally identifiable information,” it explained that Congress’s purpose in passing the VPPA was narrowly restricted to preventing “disclosures of information that would, with little or no extra effort, permit an ordinary recipient to identify a particular person’s video-watching habits.” [416]   In January 2017, the Supreme Court denied certiorari, [417] declining to address what some have characterized as a split between the two circuit courts.

In Eichenberger, the Ninth Circuit considered both of these standards, but ultimately adopted the narrower “ordinary person” test promulgated by the Third Circuit.  Notably, the court instructed that the statute “looks to what information a video service provider discloses, not to what the recipient of that information decides to do with it.” [418]   The court held that the information allegedly disclosed to Adobe by ESPN, namely (1) the serial number of the plaintiff’s Roku device, and (2) the identity of videos the plaintiff had watched on the WatchESPN Channel application, could not be used by an “ordinary person” to identify an individual.  The fact that Adobe might be able to identify the individual by combining that data with other personal information in its own possession, which ESPN neither shared nor possessed, was irrelevant.
The court reasoned that this test “fits most neatly” with congressional intent, stating that “the advent of the Internet did not change the disclosing-party focus of the statute.” [419]   Because liability turns on the information disclosed, viewed from the disclosing party’s perspective, companies should be better able to assess their compliance with the law.  Although these courts have applied different standards, both the Third and Ninth Circuits assert that the practical differences may be minimal. [420]

On the other hand, the Central District of California applied the First Circuit standard in In re Vizio, Inc. Consumer Privacy Litigation.  In that case, plaintiffs alleged that Vizio violated the VPPA and the ECPA by using their televisions to secretly collect, and distribute to advertisers, information on customer viewing habits. [421]   In denying in part defendants’ motion to dismiss, the court held that the disclosure of “consumers’ MAC addresses and information about other devices connected to the same network” could qualify as “personally identifiable information” under the VPPA because MAC addresses are “frequently linked to an individual’s name and can be used to acquire highly specific geolocation data.” [422]   This case will be one to watch this year; the district court denied Vizio an immediate appeal of the decision to the Ninth Circuit, [423] and the next filing regarding a motion to compel was due on January 3, 2018.

The final issue considered by courts this year was who is a “subscriber,” and thus a “consumer,” under the statute.  In Perry v. Cable News Network, the plaintiff alleged that CNN violated the VPPA by tracking his views of news articles and videos on the CNN app and disclosing this information to third parties.
In affirming the dismissal of the putative class action, the court found that the plaintiff did not qualify as a “subscriber” because he had not established an account with CNN, provided any personal information, made any payments, become a registered user, received a CNN ID, or established a CNN profile. [424]   Thus, he had not “demonstrated an ongoing commitment or relationship with CNN.” [425]   In In re Vizio, on the other hand, the court held that plaintiffs are “subscribers” based on the allegation that Vizio charges them a premium for its smart TVs because of the video content it provides. [426]   Additionally, the court found that plaintiffs plausibly alleged that Vizio is a “video tape service provider” because it is engaged in the business of delivering video content. [427]

In 2017, courts sought to add more clarity to VPPA jurisprudence.  With the exception of the First Circuit and the Central District of California, most courts have interpreted the VPPA narrowly and relieved media companies of liability.  Nevertheless, plaintiffs who can clear the Spokeo standing bar are likely to continue to bring suit under the VPPA in the hope of winning substantial statutory damages.

F.     California’s Song-Beverly Credit Card Act and Point-of-Service Data Collection

There were few cases this year arising under California’s Song-Beverly Credit Card Act, which prohibits merchants from requesting and recording “personal identification information” concerning the cardholder during credit card transactions. [428]   The lack of cases is likely due to the impact of the U.S. Supreme Court’s decision in Spokeo, Inc. v. Robins, [429] which defendants have invoked to defeat class actions brought under Song-Beverly.  Indeed, in the one significant case this year, Medellin v. IKEA U.S.A.
W., Inc., the representative plaintiff alleged that IKEA had requested and collected her ZIP code as part of her credit card purchases, but conceded that “she alleged only a bare procedural violation of the [Song-Beverly] statute and suffered no other cognizable harm” as required for standing. [430]   The Ninth Circuit consequently vacated the district court’s judgment and remanded the case with instructions to dismiss without prejudice for lack of standing, because the plaintiff’s claim did not “satisfy the injury-in-fact requirement of Article III.” [431]   IKEA petitioned the U.S. Supreme Court for review, seeking to expand the Spokeo doctrine, but the Supreme Court denied certiorari on October 2, 2017. [432]

The lack of significant Song-Beverly cases in 2017 may be explained in a number of ways.  It is likely that some plaintiffs decided to wait for the outcome of the Supreme Court’s certiorari decision in Medellin before moving forward with their cases.  It is also likely that potential plaintiffs are exploring how best to argue that the Song-Beverly violations they allege satisfy Article III’s standing requirements, especially after the Medellin plaintiff conceded that her allegations did not.  Regardless, we can expect that after Spokeo and Medellin, many plaintiffs have been forced to revise their litigation strategy to adapt to these decisions, or to consider whether California state courts may be a preferred venue, given that Spokeo has evidently narrowed federal class action doctrine.  As a result, we may see new cases with novel arguments for standing brought in 2018.

G.    Biometric Information Privacy Acts

In 2017, companies have continued to integrate biometric technology into both their products and their day-to-day operations.  In previous years, Texas and Illinois enacted legislation regulating the collection and use of certain biometric data.
In July of 2017, Washington became the third state to enact such legislation, requiring in certain circumstances that commercial entities “provid[e] notice, obtain[] consent, or provid[e] a mechanism to prevent the subsequent use” of biometric data before collecting such information.  However, like Texas’s law, and unlike the Illinois Biometric Information Privacy Act (“BIPA”), the Washington statute does not provide a private right of action.

The private right of action under the Illinois BIPA continues to energize the plaintiffs’ bar, which in 2017 filed dozens of class actions against companies for their allegedly improper collection of alleged biometric information.  Plaintiffs in these cases have generally fallen into one of two categories: (1) employees of companies that allegedly utilize biometric information, such as fingerprints, for timekeeping purposes; and (2) customers of companies (often in the technology industry) that use alleged biometric information to enhance the consumer experience, such as photo sharing and social media services.

The first category of plaintiffs represents a relatively new trend in BIPA litigation, as 2017 witnessed a surge of class actions by employees of companies using alleged biometric timekeeping methods.  For example, in October, employees of Illinois trucking company RJW Transport filed suit against the company, alleging that it captured and stored their fingerprints for timekeeping purposes “without obtaining informed written consent or publishing its data retention and deletion policies,” as required by the statute.  Similarly, employees of hotel chain Hyatt filed an action against their employer, claiming that they suffered “serious and irreversible privacy risks,” such as the risk of identity theft, as a result of the collection of their fingerprints.
These suits are just two of many class actions filed in relation to alleged biometric timekeeping systems in the past year; however, these cases may come to a quick end in light of a December decision from the Illinois Second District Appellate Court in which the court held that “[i]f a person alleges only a technical violation of the Act without alleging any injury or adverse effect, then he or she is not aggrieved and may not recover under” BIPA. [433]

Consumer class actions were the second primary category of BIPA cases facing courts this year.  Two major issues have arisen out of consumer-driven litigation recently: (1) Article III standing; and (2) the photograph exception of BIPA.  Several court opinions in 2017 addressed these issues and will likely affect plaintiffs’ litigation strategies moving forward.

First is the matter of Article III standing.  Our 2016 Year-End Update described the defendant’s motion to dismiss in In re Facebook Biometric Information Privacy Litigation, a suit in which plaintiffs alleged that Facebook’s facial recognition and photo tagging system violated the Illinois BIPA.  Facebook argued that plaintiffs had not suffered a concrete harm sufficient to establish Article III standing.  The court stayed Facebook’s motion pending the Ninth Circuit’s decision on remand in Robins v. Spokeo, Inc.  The court heard oral argument in November 2017, after that Spokeo decision came down, but has not yet issued a ruling.

Meanwhile, in November, the Second Circuit affirmed dismissal of the complaint in Santana v. Take-Two Interactive Software, Inc. on the ground that plaintiffs, consumers of a video game that used facial recognition technology to create life-like player personas, alleged harms that were merely procedural and did not show a “risk of real harm” under Spokeo absent allegations that the company was misusing the collected biometric information.
This decision will likely make it difficult, at least in the Second Circuit, for consumer plaintiffs to bring class actions for mere procedural violations of BIPA. The second key issue impacting consumer class actions this year was whether BIPA covers the practice of scanning facial features from digital photographs; specifically, whether such scanning technologies are excluded from BIPA’s protection of “biometric identifiers” under the statute’s exception for “photographs.”  In 2016, in Facebook, the court held that this alleged conduct did not fall under the photographs exception, reasoning that the term “photographs” is listed along with other “low-tech” categories of data in the statute—such as writing samples and physical descriptions—and thus was only intended to refer to “paper prints of photographs, not digitized images.” In 2017, the Northern District of Illinois reached a similar conclusion about facial scanning technologies, but under a different analysis.  In Rivera v. Google, Inc., plaintiffs alleged that Google extracted biometric identifiers from digitized photographs without users’ consent.  Google argued in its motion to dismiss that, on a plain reading of the exception, the statute did not regulate biometric data derived from these photographs.  The judge rejected Google’s argument, reasoning that although the photographs exception did excuse Google’s storage of the photographs themselves, it did not cover the collection of face geometry data derived therefrom.  Furthermore, the judge wrote, there was nothing in the text of the legislation to suggest that biometric identifiers must be derived from a person in real time.  Google has since appealed the district court’s decision.

H.    Internet of Things and Device Hacking

The Internet of Things (“IoT”) is continuously expanding as traditional devices are becoming increasingly “smart” and connected.
Throughout 2017, corresponding with the growth of the IoT, there was an increase in regulatory guidance and in regulatory and private actions related to smart and connected devices.

1.      Connected and Autonomous Vehicles

Concerns about security breaches and privacy violations related to self-driving and other automobile software have played an important role in recent legislative developments in this area.  The House passed the Safely Ensuring Lives Future Deployment and Research in Vehicle Evolution, or SELF DRIVE, Act on September 6, 2017. [434]  The bill largely allows automakers to set their own cybersecurity standards, including a plan to deal with “reasonably foreseeable vulnerabilities” in their systems. [435]  On October 4, 2017, the Senate approved its own version of the bill, the American Vision for Safer Transportation through Advancement of Revolutionary Technologies (“AV START”) Act. [436]  A recent amendment requires that manufacturers develop, maintain, and execute a written plan for identifying and reducing cybersecurity risks to the motor vehicle safety of automated vehicles.  The Senate Commerce Committee plans to hold a hearing on self-driving and other auto technologies on January 24, 2018. [437]  For further detail, please see our 2017 client alert Accelerating Progress Toward a Long-Awaited Federal Regulatory Framework for Autonomous Vehicles in the United States. On June 28, 2017, the FTC and the National Highway Traffic Safety Administration (“NHTSA”) hosted a workshop to examine the consumer privacy and security issues posed by automated and connected cars among industry representatives, consumer advocates, academics, and government officials.
[438]  In her opening remarks, Acting FTC Chairman Maureen Ohlhausen emphasized the potential benefits of connected cars and stressed that while the FTC would use its enforcement powers under the FTC Act, its approach would be one of “regulatory humility”—aiming to “avoid unnecessary or duplicative regulation that could slow or stop innovation.”  She urged Congress to consider data security and data breach notification legislation to “strengthen the Commission’s existing data security enforcement tools and require companies to notify consumers when there is a security breach.” [439]  Highlighting the importance of collaboration between industry and regulators, stakeholders also pointed to self-regulatory efforts such as the Alliance of Automobile Manufacturers’ Privacy Principles for Vehicle Technologies and Services voluntary industry standards, which went into effect in January 2016. [440] Developments continued on the litigation front as well.  In July 2015, Chrysler and Harman International Industries voluntarily recalled their vehicles because the vehicle computer system (“uConnect”) had design vulnerabilities that could allow hackers to take remote control of the vehicle’s functions. [441]  In Flynn v. FCA US LLC, plaintiffs alleged that these vulnerabilities violated the Magnuson-Moss Warranty Act and Michigan, Illinois, and Missouri state laws. [442]  In August 2017, the court dismissed all claims that possible future car-hacking could cause injury or death, but allowed plaintiffs to pursue claims that they overpaid for the vehicles in light of the alleged system vulnerabilities. [443]  On October 13, 2017, plaintiffs asked the court to certify a class of 1.4 million car owners. [444]  Automaker FCA US LLC moved for summary judgment on all plaintiffs’ claims on October 5 and subsequently filed alternative motions for summary judgment against particular plaintiffs. [445]  On November 6, 2017, plaintiffs opposed these motions.
[446] In November 2015, in Cahen v. Toyota Motor Corp., the court granted Toyota, Ford, and General Motors’ motions to dismiss a class action complaint alleging, among other claims, that the vehicles’ computers were vulnerable to hacking and privacy violations related to their computer software. [447]  In September 2016, plaintiffs appealed to the Ninth Circuit, arguing that the district court erred in holding that plaintiffs failed to establish standing to assert their claims. [448]  On December 21, 2017, the Ninth Circuit affirmed the district court’s dismissal, noting that the alleged risks and defects were speculative and that plaintiffs had not pleaded sufficient facts demonstrating how the aggregate collection and storage of non-individually identifiable driving history and vehicle performance data caused an actual injury. [449]

2.      Routers, Cloud Storage, and Connected Cameras

On January 5, 2017, the FTC sued D-Link, a provider of wireless routers and IP-connected cameras, in the Northern District of California for alleged violations of the FTC Act. [450]  As outlined in our 2016 Year-End Update, the FTC alleged that D-Link engaged in unfair and deceptive practices by advertising its routers and cameras as containing “Advanced Network Security,” while flaws in D-Link’s security allowed hackers to easily access consumers’ information and cameras. [451]  The complaint against D-Link alleges one count of unfairness relating to D-Link’s failure to secure consumers’ information and five counts of misrepresentation relating to D-Link’s advertising and statements that its routers and internet cameras are secure. [452]  On September 19, 2017, the court dismissed the FTC’s unfairness claim and two of the misrepresentation claims under Section 5 of the FTC Act.
The district court ruled that, in the absence of a breach, the FTC had failed to allege that device security flaws caused or were likely to cause substantial consumer harm, and that two misrepresentation claims, which centered on alleged misrepresentations in promotional materials for IP cameras and graphical user interfaces (“GUIs”) for routers, lacked specificity as to the deceptive conduct alleged. [453]  The district court allowed the remaining three misrepresentation claims to continue. [454]

3.      Smart TVs

Private actions against smart television manufacturers have continued apace along with the rapid growth of consumer demand for the devices.  In the most prominent case, plaintiffs alleged that Vizio violated the VPPA and the ECPA by using their televisions to secretly collect, and distribute to advertisers, information on customer viewing habits. [455]  In July 2017, the court denied Vizio’s motion to dismiss, finding that the agreement the company struck with the Federal Trade Commission and New Jersey’s Attorney General was insufficient to ensure that Vizio’s improper data collection would not recur. [456]  Similarly, in March 2017, a proposed class action was filed against Samsung Electronics America Inc. and its parent company Samsung Electronics Co. Ltd., claiming that smart TV devices with the capability to respond to human voices through a built-in “always on” recording device were being used by the company to intercept and record consumers’ private communications inside their homes for profit, violating the New Jersey Consumer Fraud Act. [457]  The case was dismissed without prejudice on September 27, 2017. [458] Sling Media Inc. fared better in the Second Circuit, which in November 2017 affirmed the dismissal of a class action complaint against Sling Media that alleged deceptive business practices in connection with Sling’s introduction of unwanted advertisements into its television streaming service.
[459]  In a summary order, the panel affirmed the district court’s holding that the complaint and proposed amendments to the complaint failed to plausibly allege a violation of New York General Business Law Section 349, because plaintiffs failed to point to any affirmative statement or omission made by Sling Media that would have misled a reasonable consumer into believing that the service would never include advertisements. [460]

4.      Smart Toys

On August 8, 2017, a proposed class action was brought against Viacom by parents of children who, while playing online games via smart phone apps, allegedly had their personal information collected and sold to advertisers. [461]  Plaintiffs allege that Viacom makes and markets to children games that collect user data which is then cross-referenced with the child’s activity across other apps and platforms and used for targeted advertising. [462]  Plaintiffs assert violations of the federal Children’s Online Privacy Protection Act and, on behalf of a California subclass, violations of the California constitutional right to privacy. [463]

5.      Regulatory Guidance

On June 21, 2017, the FTC released an updated guidance document for complying with the Children’s Online Privacy Protection Act (“COPPA”), which explicitly identifies connected toys and other IoT devices as being covered under COPPA. [464]  The FTC then issued a clarification on October 23, 2017 that it would not take enforcement action against an operator who—without first obtaining verifiable parental consent—collected an audio file containing a child’s voice solely as a replacement for written words, such as to perform a search or fulfill a verbal instruction or request (provided the audio that was sought did not contain personal information), and only maintained the file for the brief time necessary for that purpose.
[465]  The privacy and data security risks for emerging and novel connected devices were further emphasized when, in July 2017, the FBI warned consumers that internet-connected toys present privacy and safety risks for children. [466] The FTC has identified IoT as a privacy enforcement priority and has taken several actions against IoT manufacturers. [467]  In addition to the private actions against Vizio described above, the FTC also brought an enforcement action against Vizio, asserting that the company had violated the unfairness and deception prongs of Section 5 of the FTC Act and that Vizio’s actions caused or were likely to cause “substantial injury” to consumers. [468]  In February 2017, Vizio agreed to pay a $2.2 million fine to resolve allegations by the FTC and the New Jersey Attorney General. [469]  In addition to the fine, the agreement also required Vizio to obtain affirmative express consent prior to collecting any consumer data. [470] The rapid adoption of internet-connected devices has spurred action at the international as well as the state level.  The European Union Agency for Network and Information Security has joined several semiconductor makers in calling for baseline privacy and cybersecurity requirements for connected devices. [471]  The proposed requirements include certification and labeling of trusted devices. [472]  States also continue to explore new legislation to address this issue.  One of a number of bills pending in state legislatures is California’s SB-327. [473]  If passed, it would require disclosure to consumers of the extent to which “connected devices” are capable of collecting biometric data. [474]

I.      Civil Litigation: Cybersecurity Insurance

1.      State of the Market

Although still a nascent industry, the cybersecurity insurance market is expected to experience massive growth throughout 2018.
[475]  This anticipated market expansion is based on persistent cyber threats and new state, federal, and international regulatory schemes. [476] This cybersecurity regulatory fabric includes the already complex web of individual state regulations, as well as a new federal regulatory agency and the European Union’s General Data Protection Regulation (“GDPR”).  Several states—including New York, [477] California, Illinois, Colorado, and Maryland—already contribute to the vast web of regulatory requirements. [478]  For example, as discussed above, a series of class action lawsuits have arisen from Illinois’ Biometric Information Privacy Act (“BIPA”), 740 ILCS 14/1, et seq., presenting new questions for insurers on how cyber liability insurance policies relate to these actions. [479] This regulatory expansion will not only yield industry growth, but will also present significant challenges for insurance companies catering to this complex regulatory landscape. [480]  Ultimately, recent figures estimate that “total annual cyber premiums are expected to rise from $2.5 billion in 2017 to $10 billion by 2020.” [481]

2.      State of the Law – Key Cases

a.      Computer Fraud Insurance Provisions

One frequently recurring debate in this year’s cases was whether computer fraud insurance provisions covered variations in hacking, intrusions, or cyber-fraud schemes.  The Ninth, Sixth, and Second Circuits all heard arguments or decided cases on these issues. Although each decision depended heavily on the precise wording of an individual insurance policy, several courts held that computer fraud coverage did not apply to email spoofing schemes where the policy holder voluntarily wired money.  For example, in Taylor & Lieberman v. Federal Insurance Co., the Ninth Circuit held that a policy’s coverage for computer fraud did not apply when wire transfers were made in response to a hacker who was masquerading as a client.
[482]   The court rejected the plaintiff’s claims that the fraudulent email constituted an unauthorized entry or trespass into the plaintiff’s computer system. [483]   The Sixth Circuit recently heard arguments on the scope of a computer fraud policy as well in American Tooling Center, Inc. v. Travelers Casualty and Surety Company of America . [484]   The litigation was triggered after plaintiff, a tool manufacturer, received an email from a cyber-attacker posing as a vendor and requesting payment. [485]   The plaintiff wired the cyber fraudsters $800,000 as a result of the sham. [486]   When the insurance company denied coverage, the tooling manufacturer sued.  The district court granted summary judgment for the insurance company, reasoning that, “[a]lthough fraudulent emails were used to impersonate a vendor and dupe [the plaintiff] into making a transfer of funds, such emails do not constitute the ‘use of any computer to fraudulently cause a transfer.'” [487]   Relying on the Ninth Circuit’s reasoning, the district court adopted the interpretation that the phrase “fraudulently cause a transfer” required the “unauthorized transfer of funds.” [488]   The district court therefore concluded that plaintiff did not “suffer a ‘direct loss’ that was ‘directly caused by computer fraud.'” [489]   On appeal, petitioner contended that such intervening steps should not be dispositive of the analysis when use of a computer is at the heart of the fraud. [490] The Second Circuit heard arguments in November 2017 in a very similar case, Medidata Solutions, Inc. v. Federal Insurance Co. [491]   Cybercriminals spoofed the email account of the company’s president, resulting in the wiring of $4.7 million from the plaintiff to the cybercriminals. [492]   The insurance company, as in the Sixth Circuit case, disputed whether the insurance agreement’s computer fraud provision covered the incident. 
[493]  Here, however, the district court determined that the policy provided coverage for the losses. [494]  The court considered that “the fraud on Medidata was achieved by entry into Medidata’s email system with spoofed emails armed with a computer code that masked the thief’s true identity.” [495]  And the losses were directly caused by a computer violation. [496]  The Medidata court distinguished the Ninth Circuit’s decision in Taylor & Lieberman, reasoning that, in Medidata, “Medidata did not suffer a loss from spoofed emails sent from one of its clients,” but rather “[a] thief spoofed emails armed with a computer code into the email system that Medidata used,” and that “the fraud caused transfers out of Medidata’s own bank account.” [497]  The district court therefore held that the policy did in fact cover the fraud, reasoning that the fraudster’s approach in Medidata’s case is the type of unauthorized, “deceitful and dishonest access” contemplated by the ruling in Universal American Corp. v. National Union Fire Insurance Co. [498]  In its amicus brief on appeal, the Surety & Fidelity Association of America contended that “‘[o]utwitting of the computer system is a very different risk than misleading the insured’s human employees — who have the ability to take reasonable steps to confirm the legitimacy of a wire transfer request or direction received by email — and who then make an authorized transfer based upon such request or direction.’” [499] In a separate type of scheme, a debit card processor’s system flaw allowed pre-paid debit card holders to reuse card balances multiple times. [500]  The district court considered whether this scheme constituted a “computer fraud” within the meaning of the policy and under Georgia law. [501]  The court held that, because the “cardholders ‘used’ telephones to provide responses to prompts from a computer that [plaintiff] owned and operated,” a computer did not perpetrate the scheme.
[502]  The computer fraud provision therefore did not cover any losses from the scheme. [503]

b.      Litigation Costs

Another significant area of contention was the coverage for data breach litigation costs.  For example, the Fifth Circuit recently heard arguments in Spec’s Family Partners, Ltd. v. The Hanover Insurance Co., where the plaintiff’s card payment system experienced two data breaches, prompting litigation between the plaintiff and its third-party transaction service provider. [504]  The plaintiff submitted claims to the defendant, its insurance company, to pay for litigation expenses. [505]  Defendant refused to pay. [506]  In the ensuing case, the district court considered the meaning of the “duty to defend,” where plaintiff received demand letters and also instituted its own litigation vis-à-vis the third-party provider. [507]  The court looked to the eight corners rule in ascertaining whether the insurer had a duty to defend. [508]  That is, the court compared the words of the insurance policy with the allegations of plaintiff’s complaint “to determine whether any claim asserted in the pleading is potentially within the policy’s coverage.” [509]  Here, the policy provided that the insurer had “the right and duty to defend ‘Claim,’ even if the allegations in such ‘Claims’ are groundless[.]” [510]  The definition of a “Claim” included a written demand for damages or non-monetary relief, or “[a]ny complaint or similar pleading initiating a judicial, civil, administrative, regulatory, alternative dispute, or arbitration proceeding[.]” [511]  Because the demand letters were not separate claims against plaintiff Spec’s specifically, they did not meet the definition of a “claim” under the policy.
[512]  Moreover, the court agreed with defendant insurer that “the only claim Spec’s asserted is [the third-party’s] demand for indemnification based on the Merchant Agreement – which is expressly excluded from policy coverage.” [513] The court therefore granted the defendant’s motion for judgment on the pleadings on all grounds. [514] In a similar matter, a hospital inadvertently sent out the private information of 20,000 patients to job applicants, triggering a lawsuit. [515]  The hospital’s insurer then declined to provide a defense in the underlying action because it considered its policy only excess coverage. [516]  Upon removal to federal court, the hospital contended that the denial of coverage for its defense in the ensuing litigation constituted a breach of contract and a breach of the covenant of good faith. [517]  Finally, in Innovak International, Inc. v. The Hanover Insurance Co., the district court held that an insurance company was not responsible for the defense of a database software company where the claims in the underlying action—failure to implement proper security measures—were not the type of claims covered by the insurance policy, which only covered claims for “personal and advertising injury.” [518]

J.      Fair Credit Reporting Act

Credit agencies and employers continued to face Fair Credit Reporting Act class action claims in 2017, which were on the rise from last year [519] despite continued uncertainty resulting from inconsistent lower-court applications of the Supreme Court’s decision in Spokeo, Inc. v. Robins. [520]  Enacted in 1970, the Fair Credit Reporting Act (“FCRA”) promotes the accuracy, fairness, and privacy of consumer information in the files of consumer reporting agencies and protects consumers from the willful and/or negligent inclusion of inaccurate information in their background check reports.
[521]  The FCRA provides for statutory damages of up to $1,000 per “willful” violation, actual damages for negligent violations, punitive damages, and attorney’s fees. [522] A substantial verdict against TransUnion awarded this year may spur further litigation regarding the accuracy of credit agency reporting. [523]  In June 2017, a California jury awarded $60 million in statutory and punitive damages to a class of more than 8,000 members claiming TransUnion hindered their ability to obtain credit and adversely affected other eligibility decisions by unreasonably linking them with similarly named terrorists and criminals from a government watch list and failing to properly notify them of their rights once the error was discovered. [524]  TransUnion has since filed a notice of appeal to the Ninth Circuit. [525] Meanwhile, courts remain split on how to interpret the FCRA’s requirement of “maximum possible accuracy” in credit reports. [526]  In an August 2017 ruling, the Eleventh Circuit, in dicta, agreed with the Fourth, Fifth, and D.C. Circuit Courts that the standard requires “information that is both technically accurate and not misleading or incomplete,” whereas some courts, including District Courts in Maryland, Connecticut and the Northern District of Alabama, have ruled that the standard requires only that credit reporting agencies report information that is “technically accurate.” [527]  The Eleventh Circuit explained that the difference between the two standards is like “the difference between report[ing] that a person was ‘involved’ in a credit card scam and report[ing] that he was in fact one of the victims of the scam.” [528] Also increasing in frequency are class action suits alleging that employers ran background checks on prospective hires without prior express, written consent in “a document that consists solely of the disclosure,” as required by the FCRA.
[529]  With mixed success so far, plaintiffs have pursued litigation against, among others, Amazon, [530] Wells Fargo, [531] Michaels Stores, [532] and Home Depot [533] this year.  Many of these cases involve online employment applications that include pages containing FCRA disclosures, putting at issue how to interpret the statute’s definition of “a document that consists solely of the disclosure” in a world where more companies are turning to web-based forms.  However, while some cases are proceeding, other courts, in light of Spokeo, have been dismissing similar suits for lack of an injury sufficient to confer Article III standing.

III.     Government Data Collection

Unsurprisingly, this past year has witnessed continued friction between tech companies and privacy advocates, on the one hand, and law-enforcement and national security entities on the other.  Two major decisions are expected from the Supreme Court in the coming months, both addressing the scope of the government’s powers under the Stored Communications Act.  These cases are described in greater detail below.  One major debate in 2017, over the future of Section 702 of the Foreign Intelligence Surveillance Act (FISA), ended with a whimper.  Although Section 702 was set to expire at the end of last year, it is now clear that the status quo will remain in place, if only because lawmakers could not agree about how to amend the law.

A.    Challenge to Government “Gag Orders”

As we reported in our 2017 Data Privacy Outlook and Review, Microsoft Corporation sued the U.S. Department of Justice in April 2016 alleging the unconstitutionality of 18 U.S.C. §§ 2703 and 2705(b)—which permit the federal government to issue “[p]reclusion of notice” or “gag” orders preventing cloud storage companies from disclosing government warrants for seizure of user data.
[534]   These orders, which may last “for such period as the court deems appropriate,” must be issued upon application by a government agency if a court finds “reason to believe” that disclosure of the warrant at issue will endanger public safety, jeopardize an ongoing investigation, or unduly delay trial. [535]   Microsoft stated that it had received over 3,250 such orders in the 20 months ending in May 2016. [536] A number of organizations filed amicus briefs in support of Microsoft, including a group of law professors represented in part by Gibson Dunn; [537] civil liberties organizations such as the Electronic Frontier Foundation; [538] news organizations, including the Associated Press and Fox News; [539] and technology companies, including Apple and Mozilla. [540] In February 2017, the District Court for the Western District of Washington partially denied the government’s motion to dismiss Microsoft’s claims, finding that the gag orders’ indefinite limitation on Microsoft’s ability to speak about warrants issued under § 2703 was a First Amendment injury sufficient to support standing. [541]   The court also found that Microsoft had sufficiently stated a claim that indefinite § 2705(b) gag orders were unconstitutional prior restraints and content-based restrictions on speech, whether subject to a strict scrutiny analysis or a lesser standard of review. [542]   However, the court rejected Microsoft’s effort to assert its customers’ Fourth Amendment right against unreasonable search and seizure, finding third-party standing disfavored by the Supreme Court and the Ninth Circuit in a wide range of contexts, despite acknowledging that “some of Microsoft’s customers will be practically unable to vindicate their own Fourth Amendment rights.” [543] Following the lawsuit, the Office of the Deputy Attorney General issued new guidance to federal prosecutors last October that substantially tightens requirements for obtaining protective orders under § 2705(b). 
[544]  Most notably, the new policy bars Department of Justice attorneys from seeking protective orders that delay notice for more than one year “[b]arring exceptional circumstances.” [545]  It also requires that prosecutors explain which of the five conditions set forth in subsection (b) apply to the case at hand and seek protective orders under § 2705(b) only “when circumstances require.” In response to the policy, Microsoft promptly filed an unopposed motion to voluntarily dismiss its lawsuit, in which it acknowledged that “the new Policy significantly improves DOJ practices under Section 2705(b),” and the motion was granted. [546]

B.     Carpenter v. United States and the Collection of Cell Phone Data

On November 29, 2017, the Supreme Court heard oral argument in Carpenter v. United States, a case addressing another aspect of the Stored Communications Act.  Specifically, the Court is considering whether the government violates the Fourth Amendment by obtaining historical cell tower location data pursuant to a court order issued under 18 U.S.C. § 2703(d) rather than a probable cause warrant.  Carpenter is expected to test the limits of the so-called “third-party doctrine,” which holds that government acquisition of information voluntarily provided to a third party—such as call records—is not a search for Fourth Amendment purposes and thus does not require a warrant. The Carpenter petitioner was convicted of robbing several stores in 2010 and 2011. [547]  During its investigation, the government obtained court orders pursuant to § 2703(d) to obtain “cell site information for [petitioner’s] telephone,” which identified the cell towers to which petitioner’s phone connected when making and receiving calls during a 127-day period encompassing the robberies.
[548]   This data permitted only a rough estimation of petitioner’s location at the times of the calls, but nonetheless allowed the government to place petitioner’s phone in the vicinities of the robberies when they occurred. [549]   Petitioner moved to suppress the cell-site records, arguing that their acquisition without a probable cause warrant violated the Fourth Amendment, and the district court denied his motion. [550]   On appeal, the Sixth Circuit affirmed, analogizing cell tower information to “mailing addresses, phone numbers, and IP addresses”—non-content information used to “facilitate personal communications” in which a person has no reasonable expectation of privacy. [551]   In reaching its decision, the Sixth Circuit relied on two landmark third-party doctrine precedents:  Smith v. Maryland, which held that use of a “pen register” to capture dialed telephone numbers did not implicate a reasonable expectation of privacy, [552] and United States v. Miller, which held that a customer had no reasonable expectation of privacy in account statements, deposit slips, and cancelled checks held by a bank. [553] On appeal to the Supreme Court, the government also cites Smith and Miller in arguing that the third-party doctrine encompasses cell site data, and that its acquisition was not a Fourth Amendment search of petitioner. [554]   In the alternative, the government argues that if that acquisition did constitute a search, it was reasonable in light of the 18 U.S.C. § 2703(d) requirement that the government show “specific articulable facts” to support a court order and the importance of cell site records to law enforcement investigations. 
[555]  Petitioner argues that the retrospective acquisition of long-term cell site data is a Fourth Amendment search, analogizing it to “longer term GPS monitoring.” [556]  Petitioner also urges the Court to look to the future, asserting that “the rule [the Court] adopt[s] must take account of more sophisticated systems that are already in use or development,” and noting that cell site data is becoming both more precise and more voluminous. [557] The case has garnered significant public attention, with a variety of amici filing briefs in support of petitioner (including, among others, the Center for Democracy and Technology, [558] the Competitive Enterprise Institute, [559] the Electronic Privacy Information Center, [560] the Reporters Committee for Freedom of the Press and a group of nineteen media organizations, [561] a group of 42 privacy and criminal procedure scholars, [562] and a group of 19 technology experts [563] ), the government (including, among others, the National District Attorneys Association, [564] a group of 19 state Attorneys General, [565] and Professor Orin Kerr [566] ), and of neither party (a group of 15 technology companies including Apple, Google, Facebook, Microsoft, Twitter, Verizon, and others [567] ).

C.    Electronic Communications Privacy Act Reform Efforts

There are currently two bills pending before Congress to reform the ECPA in ways that would address the issues raised by both the Microsoft gag order litigation and the warrantless collection of geolocation data in Carpenter v. United States.  The Email Privacy Act, [568] introduced by Senators Patrick Leahy (D-Vermont), Mike Lee (R-Utah), and others on July 27, 2017, is a companion bill to the Email Privacy Act passed by the House of Representatives by voice vote in February. [569]  Most significantly, the Email Privacy Act would require law enforcement to obtain a probable cause warrant to acquire the content of all emails or other electronic communications (under 18 U.S.C.
§ 2703 the government can currently obtain the contents of electronic communications that are more than 180 days old via a court order). [570] Also on July 27, Senators Leahy and Lee introduced the ECPA Modernization Act of 2017. [571]   Like the Email Privacy Act, this bill would require a warrant for acquisition of electronic communication content, [572] but would also add a variety of additional reforms.  First, it would substantially amend 18 U.S.C. § 2705(b) by adding a requirement that a court issuing a § 2705(b) nondisclosure order find “specific articulable facts” supporting its issuance, and by limiting § 2705(b) nondisclosure orders to 90 days (extendable by one or more periods of not more than 90 days). [573]   This change would eliminate the government’s ability to obtain nondisclosure orders of indefinite duration—one of the central issues identified by Microsoft in challenging § 2705(d) and addressed in the Deputy Attorney General’s subsequent guidance document that generally bars “gag” orders lasting more than one year. [574] Second, the ECPA Modernization Act would amend 18 U.S.C. § 2703 to permit government officials to obtain “stored geolocation information” [575] only pursuant to a warrant supported by probable cause, and would require notice to the subscriber whose geolocation information was accessed within ten days. [576]   Under current law, acquisition of stored geolocation information does not require a warrant, but rather only a court order supported by “specific articulable facts” showing that the information is “relevant and material to an ongoing criminal investigation.” [577]   The constitutionality of warrantless acquisition of this kind of information is the question currently before the Supreme Court in Carpenter v. United States. 
Other significant changes proposed in the ECPA Modernization Act include requiring the government to notify a subscriber within 10 days of obtaining the contents of the subscriber’s wire or electronic communications or geolocation information from a third-party cloud storage provider, [578] and explicitly providing a suppression remedy for cloud content or stored or real-time geolocation information obtained without a warrant or otherwise in violation of the law. [579]

A variety of research, advocacy, and technology industry groups and companies have publicly expressed support for the ECPA Modernization Act of 2017, including the Electronic Frontier Foundation, [580] the American Civil Liberties Union, [581] FreedomWorks, [582] Citizens Against Government Waste, [583] the Consumer Technology Association, [584] the Center for Democracy and Technology, [585] the National Association of Criminal Defense Lawyers, [586] and Microsoft. [587]

D. Device Unlocking

The use of biometric security systems—such as facial recognition, fingerprint unlocking, and iris scanning—in mobile devices has become increasingly prevalent in recent years, and has received even greater attention with the introduction of Apple’s Face ID technology in September 2017. While there remains some division among courts about whether police violate the Fifth Amendment by compelling a suspect to unlock an electronic device using a traditional passcode, [588] courts have recently held—although not without exception—that unlocking a device using a thumbprint is not “testimonial” and thus does not implicate a suspect’s Fifth Amendment right against self-incrimination. [589] There is currently no case law addressing whether the government may compel a suspect to unlock a device using facial features as opposed to a thumbprint, but the same reasoning is likely to apply. Thus, while biometric security may offer sufficient protection from intrusion by hackers, it may offer less protection against government access than traditional security measures such as passcodes or PINs. A new feature in Apple’s most recent operating system, iOS 11, would provide one means of addressing this concern. Pressing the power button on an iOS 11-equipped device five times in rapid succession disables biometric unlocking and thus requires a PIN or passcode to unlock it. [590]

E. Extraterritoriality of Subpoenas and Warrants

Before the end of the 2017-18 term, the Supreme Court will determine the scope of the government’s power to obtain information stored overseas under the Stored Communications Act (“SCA”). This case, now styled United States v. Microsoft, Inc., arose in December 2013, when the Southern District of New York issued a warrant under Section 2703 of the SCA requiring Microsoft to produce the contents of an email account. [591] Microsoft filed a motion to quash, arguing that the data was stored in a server in Ireland and the warrant was an inappropriate extraterritorial application of the SCA. [592] On April 25, 2014, the district court denied Microsoft’s motion to quash, holding that a warrant under Section 2703 requires the recipient to produce all information in its possession, custody, or control, even if the information is stored abroad. [593] On July 14, 2016, the Second Circuit reversed and remanded on appeal. [594] The court concluded that SCA warrants are not equivalent to subpoenas, which may require the production of communications stored overseas, and further held that the case involved an extraterritorial application of the statute because the focus of the SCA is on privacy and a privacy invasion occurs where a customer’s content is accessed. [595]

The government requested rehearing en banc. On January 24, 2017, the Second Circuit denied the motion in a split four-to-four decision.
[596] The concurring opinion reiterated the view that the SCA’s focus is on privacy and that the statute protects privacy at the place that data is stored. [597] Four judges, however, authored dissents, each taking issue with a distinct aspect of Microsoft’s argument. [598] In particular, Judge Jacobs rejected Microsoft’s analogy to paper documents and reasoned that it is irrelevant where the contents are stored if they are accessible in the US; [599] Judge Cabranes found the conduct at issue to be disclosure, not access, and cautioned that the panel’s decision burdened legitimate law enforcement efforts; [600] and Judge Droney opined that there are no extraterritoriality concerns because the service provider is located domestically. [601]

Since the Second Circuit’s decision, district courts in other circuits have taken the opposing approach. The District of the District of Columbia, the Northern District of California, and the Eastern District of Pennsylvania each ordered Google to comply with SCA warrants that were directed to the contents of email accounts stored overseas. [602] The courts found that the focus of the SCA is disclosure and that a service provider must produce records if it has sufficient control over the evidence, regardless of where the records are located. [603]

On October 16, 2017, the Supreme Court granted certiorari. [604] In its brief filed on December 6, 2017, the government first argues that the focus of Section 2703 is on the disclosure of information, not storage. [605] Even if privacy is the focus of the provision, no search or seizure would occur in Ireland because Microsoft does not interfere with a customer’s possessory interests or reasonable expectation of privacy when it gathers or moves materials in its control. [606] Rather, any invasion of privacy would occur domestically, when Microsoft discloses information to a third party.
[607] Next, the government asserts that an SCA warrant resembles a subpoena because it is directed at a person rather than a place, and Microsoft thus must produce all documents under its control. [608] Lastly, the government contends that its ability to collect information for legitimate law enforcement purposes should not be subject to a company’s business decision of where to store its data. [609]

On January 11, 2018, Microsoft filed its brief, in which it argues that the SCA’s focus is where electronic communications are stored and that a search and seizure occurs in the jurisdiction of the storage. [610] Thus, according to Microsoft, the disclosure of communications stored abroad is an impermissible extraterritorial application of the SCA. [611] Oral argument is scheduled for February 27, 2018, and a decision will likely follow this summer.

F. Collection of Records from Third-Party Cloud Providers

On December 13, 2017, the Computer Crime and Intellectual Property Section of the Department of Justice issued internal guidance that instructs prosecutors to request electronic records directly from companies and not third-party cloud service providers. [612] Compelling information from cloud computing services may raise several complications, such as delays and the inability of the cloud provider to preserve, access, extract, and decrypt the data. [613] The guidance permits exceptions if law enforcement believes the company is unwilling to comply, is engaged in criminal conduct, or is unable to disclose the necessary information. [614] In response to the memorandum, Microsoft praised the policy as “a win” for cloud and enterprise customers. [615]

G. Foreign Intelligence Surveillance Act Section 702

The Foreign Intelligence Surveillance Act (FISA) [616] was passed in 1978 and amended in 2008.
FISA was enacted in order to allow the United States government to conduct electronic surveillance “to acquire foreign intelligence information.” [617] Foreign intelligence information is defined in the act as information that relates to terrorism, an attack by a foreign power, or national defense generally. [618] The Act established a tribunal – the Foreign Intelligence Surveillance Court [619] – to decide based on classified ex parte proceedings whether to approve government requests to collect data through FISA. The FISA Court famously approved the National Security Agency’s PRISM Program, which allowed the agency to clandestinely collect certain data on American citizens from American internet companies, such as Google. [620]

FISA Section 702 specifically allows the U.S. government to target the electronic communications of persons reasonably believed to be outside the United States for intelligence collection without a warrant. The data collected often includes the communications of American citizens who interact with targeted foreigners, so-called “incidental collection.” [621] Some believe FISA, including Section 702, is constitutionally sufficient in light of the need to protect U.S. national security, [622] while others believe that the Act violates the First and Fourth Amendments to the Constitution. [623] This controversial law was set to expire in January 2018 unless reauthorized by Congress. Both the Senate and House reauthorized Section 702 for an additional six years without any changes, and President Trump signed the bill into law on January 19. [624]

The past year had seen numerous attempts in the House and Senate to reauthorize or overhaul FISA Section 702.
Last October, the Senate Intelligence Committee voted in favor of sending the FISA Amendments Reauthorization Act of 2017 – which was said by its drafters to contain greater protections for civil liberties while maintaining FISA as a powerful tool for national security – to the full Senate. [625] The proposed bill would have required law enforcement to obtain court approval before using information gathered about U.S. citizens in the course of conducting surveillance on foreign nationals, among other changes. [626] Another FISA reauthorization bill, which passed through the House Intelligence Committee in December 2017 and similarly contained additional restrictions on the use of data collected about U.S. citizens, would have renewed Section 702 for four more years, to the end of 2021. [627] However, the January 2018 reauthorization of FISA closed the book on the attempts to amend the law to include greater constitutional protections.

Congress’ eleventh-hour reauthorization of FISA after months of debate generated uncertainty around the role of the Act in national defense. The debate over the constitutionality of FISA is sure to continue and may even impact the 2020 presidential election.

IV. International Regulation of Privacy and Data Security

We address international developments in more detail in our separate International Cybersecurity and Data Privacy Outlook and Review, but below we highlight several international developments that are likely to have important implications for U.S. companies.

A. The European Union

1. General Data Protection Regulation (“GDPR”)

One of the most important and pressing issues for U.S.-based companies over the coming year is the upcoming implementation and enforcement of the GDPR. [628] For a more complete overview, please see our recently published primer specifically on the GDPR, accessible here.
But as an introduction, here is a quick run-down of some of the most salient facets of the GDPR that are relevant to U.S.-based companies.

The GDPR requires compliance by all companies that process personal data of data subjects within the EU, regardless of whether the company is located in the EU. [629] It also requires compliance by companies that process data related to monitoring behavior within the EU. [630] Most international companies will therefore be subject to the GDPR.

The GDPR establishes a high bar for ensuring that a data subject has consented voluntarily to a company’s processing of the subject’s personal data. A request for consent cannot be obtained through pressure and must be “clearly distinguishable” from other matters in a written agreement. [631] The data subject has the right to withdraw consent at any time and must be informed of this right when initially granting consent. [632] These standards are more stringent than the U.S. standards.

If a company subject to the GDPR performs data processing that will likely entail a high risk to individual privacy rights, the company must conduct a data protection impact assessment (“DPIA”). [633] The GDPR recommends a DPIA, in particular, when a company is using new technologies. [634] The DPIA must include a detailed description of the processing operations, an assessment of the necessity and proportionality of the operations relative to their purpose, an assessment of the rights of the subjects, and the measures that will be implemented to protect those rights. [635]

The GDPR ensures that its protections will not be undermined by the transfer of data outside the EU or to international organizations that lack the protections of the GDPR. Data transfers can only take place under the GDPR’s guidelines. [636] Data transfers to the U.S. from the EU are currently permissible under the EU-U.S. Privacy Shield, discussed below, as well as under Binding Corporate Rules (“BCRs”) and the use of model contractual clauses.

It remains unclear exactly how substantial penalties under the GDPR will be after enforcement begins on May 25, 2018. Individual countries will be responsible for enforcing the GDPR within their borders, so enforcement likely will vary. Notably, the GDPR authorizes substantial penalties for non-compliance—up to 4% of a company’s annual global turnover or €20 million, whichever is greater. [637]

2. EU-U.S. Privacy Shield

As noted above, one way that a company may comply with the EU’s requirements for secure data transfers is through the EU-U.S. Privacy Shield Framework. Administered in the U.S. by the Department of Commerce, the Privacy Shield allows companies to participate voluntarily by establishing a commitment to privacy compliance and self-certifying annually.

The EU-U.S. Privacy Shield has been challenged by groups in Europe that claim its protections are inadequate. But on October 18, 2017, the EU Commission published a report that established that the Privacy Shield, unlike the Safe Harbor framework that preceded it, “ensures an adequate level of protection for personal data that has been transferred from the European Union to organi[z]ations in the U.S.” [638] Thus, as of this publication, the Privacy Shield stands as a valid option for companies to comply with the GDPR.

However, the Commission also noted that “the practical implementation of the Privacy Shield framework can be further improved in order to ensure that the guarantees and safeguards provided therein continue to function as intended.” [639] The Commission will continue to review the adequacy of the Privacy Shield annually and has provided some recommendations for the U.S. in maintaining the Privacy Shield’s adequacy. [640] For now, participation in the Privacy Shield can protect companies that perform data transfers between the EU and the U.S.
But companies must be sure they actually are adhering to the Privacy Shield, and not merely paying lip service to it. Indeed, U.S. regulators at the FTC have already taken action against several companies that allegedly deceived consumers by falsely claiming participation in the Privacy Shield framework. [641]

B. China and Other International Developments

In an increasingly connected world, 2017 also saw many countries outside of the United States try to get ahead of the challenges within the cybersecurity and data protection landscape. Several international developments bear brief mention here:

On June 1, 2017, China’s Cybersecurity Law went into effect, becoming the first comprehensive Chinese law to regulate how companies manage and protect digital information. The law also imposes significant restrictions on the transfer of certain data outside of the mainland (data localization), enabling government access to such data before it is exported. [642] Despite protests and petitions by governments and multinational companies, the implementation of the Cybersecurity Law continues to progress with the aim of regulating the behavior of many companies in protecting digital information. [643] While the stated objective is to protect personal information and individual privacy, and according to a government statement in China Daily, a state media outlet, to “effectively safeguard national cyberspace sovereignty and security,” the law in effect gives the Chinese government unprecedented access to network data for essentially all companies in the business of information technology. [644] Notably, key components of the law disproportionately affect multinationals because the data localization requirement obligates international companies to store data domestically and undergo a security assessment by supervisory authorities for important data that needs to be exported out of China. Though the law imposes more stringent rules on critical information infrastructure operators (whose information could compromise national security or public welfare) in contrast to network operators (whose information capabilities could include virtually all businesses using modern technology), the law effectively subjects a majority of companies to government oversight. As a consequence, the reality for many foreign companies is that these requirements would likely be onerous, will increase the costs of doing business in China, and will heighten the risk of exposure to industrial espionage. [645] Despite the release of additional draft guidelines meant to clarify certain provisions of the law, there is a general outlook that the law is still a work in progress, with the scope and definition still vague and uncertain. [646] Nonetheless, companies should endeavor to assess their data and information management operations to evaluate the risks of the expanding scope of the data protection law as well as their risk appetite for compliance with the Chinese government’s access to their network data.

With the growing threat of hacking and identity theft, the Personal Data Protection Commission of Singapore issued proposed advisory guidelines on November 7, 2017 for the collection and use of national registration identification numbers. The guidance, which covers a great deal of personal and biometric data, emphasized the obligations of companies to ensure policies and practices are in place to meet the obligations for data protection under the Personal Data Protection Act of 2012. The Commission is giving businesses and organizations twelve months from publication to review their processes and implement necessary changes to ensure compliance. [647]

Several other countries, such as Australia and Turkey, also sought to address privacy issues and published important guidelines regarding procedures for deleting, destroying, and anonymizing personal data.
Other countries like Argentina forged ahead with an overhaul of the country’s data protection regime by publishing a draft data protection bill that would align the country’s privacy laws with the GDPR requirements of the European Union. [648]

There has also been civic engagement with the public as a number of countries solicited public comments to certain proposed regulations. For example, Canada opened up for comments a proposed regulation that would mandate reporting of privacy breaches under its Personal Information Protection and Electronic Documents Act of 2015, while India recently issued a white paper inviting comments that would inform the legal framework for drafting a data protection bill to “ensure growth of the digital economy while keeping personal data of citizens secure and protected.” [649]

V. Conclusion

We expect 2018 to be another significant year in the development and application of data privacy and cybersecurity law. As technology and data collection become more sophisticated, companies and governments will continue to explore the potential permissible uses of personal information. At the same time, the public will continue to debate the ideal balance between the benefits of big data and concerns for privacy and security. We will be tracking these important issues in the year ahead.

[1] Susan Heavey and Dustin Volz, FTC Probes Equifax, Top Democrat Likens It To Enron, Reuters (Sept. 14, 2017), available at https://www.reuters.com/article/us-equifax-cyber-ftc/ftc-probes-equifax-top-democrat-likens-it-to-enron-idUSKCN1BP1VX.
[2] Press Release, Federal Trade Commission, Operator of Online Tax Preparation Service Agrees to Settle FTC Charges That it Violated Financial Privacy and Security Rules (Aug. 29, 2017), available at https://www.ftc.gov/news-events/press-releases/2017/08/operator-online-tax-preparation-service-agrees-settle-ftc-charges.
[3] Final Order at 1, In the Matter of LabMD, Inc., No. 9357 (F.T.C. July 28, 2016).
[4] Press Release, Federal Trade Commission, FTC Files Complaint Against LabMD for Failing to Protect Consumers’ Privacy (Aug. 29, 2013), available at https://www.ftc.gov/news-events/press-releases/2013/08/ftc-files-complaint-against-labmd-failing-protect-consumers.
[5] Initial Decision at 13–14, In the Matter of LabMD, Inc., No. 9357 (F.T.C. Nov. 13, 2015).
[6] LabMD, Inc. v. Fed. Trade Comm’n, 678 F. App’x 816, 817 (11th Cir. 2016).
[7] Press Release, Federal Trade Commission, FTC Charges D-Link Put Consumers’ Privacy at Risk Due to the Inadequate Security of Its Computer Routers and Cameras (Jan. 5, 2017), available at https://www.ftc.gov/news-events/press-releases/2017/01/ftc-charges-d-link-put-consumers-privacy-risk-due-inadequate.
[8] Fed. Trade Comm’n v. D-Link Sys., Inc., No. 3:17-CV-00039-JD, 2017 WL 4150873, at *1 (N.D. Cal. Sept. 19, 2017).
[9] Id. at *5.
[10] Id.
[11] Press Release, Federal Trade Commission, VIZIO to Pay $2.2 Million to FTC, State of New Jersey to Settle Charges It Collected Viewing Histories on 11 Million Smart Televisions without Users’ Consent (Feb. 6, 2017), available at https://www.ftc.gov/news-events/press-releases/2017/02/vizio-pay-22-million-ftc-state-new-jersey-settle-charges-it.
[12] Press Release, Federal Trade Commission, Lenovo Settles FTC Charges it Harmed Consumers with Preinstalled Software on its Laptops that Compromised Online Security (Sept. 5, 2017), available at https://www.ftc.gov/news-events/press-releases/2017/09/lenovo-settles-ftc-charges-it-harmed-consumers-preinstalled.
[13] Press Release, Federal Trade Commission, Painting the Privacy Landscape: Informational Injury in FTC Privacy and Data Security Cases (Sept. 19, 2017), available at https://www.ftc.gov/public-statements/2017/09/painting-privacy-landscape-informational-injury-ftc-privacy-data-security.
[14] Id.
[15] Bryan Koenig, FTC’s Definition Of Cyber Injury Getting Broader, Chief Says, Law360 (May 17, 2017), available at https://www.law360.com/articles/925071/ftc-s-definition-of-cyber-injury-getting-broader-chief-says.
[16] Allison Grande, Biz Groups Push FTC To Avoid ‘Theoretical’ Privacy Harms, Law360 (Nov. 1, 2017), available at https://www.law360.com/articles/980724/biz-groups-push-ftc-to-avoid-theoretical-privacy-harms.
[17] Fed. Trade Comm’n v. AT&T Mobility LLC, 864 F.3d 995 (9th Cir. 2017).
[18] Press Release, Department of Health and Human Services, OCR Launches Phase 2 of HIPAA Audit Program (no date), available at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/phase2announcement/.
[19] Press Release, Department of Health and Human Services, $5.5 million HIPAA settlement shines light on the importance of audit controls (Feb. 16, 2017), available at https://www.hhs.gov/about/news/2017/02/16/hipaa-settlement-shines-light-on-the-importance-of-audit-controls.html.
[20] Press Release, Department of Health and Human Services, Lack of timely action risks security and costs money (Feb. 1, 2017), available at https://www.hhs.gov/about/news/2017/02/01/lack-timely-action-risks-security-and-costs-money.html.
[21] Press Release, Department of Health and Human Services, Careless handling of HIV information jeopardizes patient’s privacy, costs entity $387k (May 23, 2017), available at https://www.hhs.gov/about/news/2017/05/23/careless-handling-hiv-information-costs-entity.html.
[22] Press Release, Department of Health and Human Services, First HIPAA enforcement action for lack of timely breach notification settles for $475,000 (Jan. 9, 2017), available at http://wayback.archive-it.org/3926/20170127111957/https://www.hhs.gov/about/news/2017/01/09/first-hipaa-enforcement-action-lack-timely-breach-notification-settles-475000.html.
[23] Press Release, Department of Health and Human Services, $2.5 million settlement shows that not understanding HIPAA requirements creates risk (Apr. 24, 2017), available at https://www.hhs.gov/about/news/2017/04/24/2-5-million-settlement-shows-not-understanding-hipaa-requirements-creates-risk.html.
[24] Press Release, Department of Health and Human Services, Failure to protect the health records of millions of persons costs entity millions of dollars (Dec. 28, 2017), available at https://www.hhs.gov/about/news/2017/12/28/failure-to-protect-the-health-records-of-millions-of-persons-costs-entity-millions-of-dollars.html.
[25] Department of Health and Human Services, How HIPAA Allows Doctors to Respond to the Opioid Crisis (no date), available at https://www.hhs.gov/sites/default/files/hipaa-opioid-crisis.pdf.
[26] SEC Division of Corporation Finance, CF Disclosure Guidance: Topic No. 2—Cybersecurity (Oct. 13, 2011), available at https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.
[27] Ed Beeson, SEC Likely To Revisit Cybersecurity Guidance, Official Says, Law360 (Nov. 9, 2017, 8:48 PM), https://www.law360.com/cybersecurity-privacy/articles/983742/sec-likely-to-revisit-cybersecurity-guidance-official-says.
[28] Jimmy Hoover, SEC Suits Over Cyber Reporting Could Be On Horizon, Law360 (Apr. 20, 2017, 1:25 PM), https://www.law360.com/privacy/articles/915377/sec-suits-over-cyber-reporting-could-be-on-horizon.
[29] Beeson, supra note 27.
[30] Id.
[31] Chris Isidore, Equifax is investigating executive stock sales, CNN Money (Sept. 29, 2017, 3:19 PM), http://money.cnn.com/2017/09/29/news/companies/equifax-investigation/index.html.
[32] Tom Schoenberg, Anders Melin, and Matt Robinson, Equifax Stock Sales Are the Focus of U.S. Criminal Probe, Bloomberg (Sept. 18, 2017, 12:20 PM), https://www.bloomberg.com/news/articles/2017-09-18/equifax-stock-sales-said-to-be-focus-of-u-s-criminal-probe.
[33] Equifax Inc., Quarterly Report (Form 10-Q) at 40 (Nov. 9, 2017), available at https://otp.tools.investis.com/clients/us/equifax/SEC/sec-show.aspx?Type=html&FilingId=12372346&CIK=0000033185&Index=10000; see also Hayley Tsukayama, Equifax faces hundreds of class-action lawsuits and an SEC subpoena over the way it handled its data breach, Washington Post (Nov. 9, 2017), https://www.washingtonpost.com/news/the-switch/wp/2017/11/09/equifax-faces-hundreds-of-class-action-lawsuits-and-an-sec-subpoena-over-the-way-it-handled-its-data-breach/?utm_term=.ceebfb8dc054.
[34] Public Statement, SEC Chairman Jay Clayton, Statement on Cybersecurity, SEC (Sept. 20, 2017), available at https://www.sec.gov/news/public-statement/statement-clayton-2017-09-20#_ftnref10.
[35] Id.
[36] Press Release, SEC, SEC Announces Enforcement Initiatives to Combat Cyber-Based Threats and Protect Retail Investors, SEC (Sept. 25, 2017), available at https://www.sec.gov/news/press-release/2017-176.
[37] Press Release, SEC, SEC Emergency Action Halts ICO Scam, SEC (Dec. 4, 2017), available at https://www.sec.gov/news/press-release/2017-219.
[38] Id.
[39] The SEC alleges that Paradis-Royer, believed to be Lacroix’s romantic partner, helped to cover up the scheme when she, amongst other conduct, registered payments in her name, and attempted to resist Quebec authorities when they arrived at Lacroix and Paradis-Royer’s residence and warn Lacroix of the search. See Compl., ECF No. 1, SEC v. PlexCorps et al., 1:17-CV-07007, at ¶¶ 24, 63, 92 (E.D.N.Y. Dec. 1, 2017), available at https://www.sec.gov/litigation/complants/2017/comp-pr2017-219.pdf.
[40] See Compl., ECF No. 1, SEC v. PlexCorps et al., 1:17-CV-07007 (E.D.N.Y. Dec. 1, 2017), available at https://www.sec.gov/litigation/complants/2017/comp-pr2017-219.pdf; see also Press Release, SEC, supra note 37.
[41] Press Release, SEC, supra note 37.
[42] David Shepardson, Trump Signs Repeal of U.S. Broadband Privacy Rules, Reuters (April 3, 2017, 7:50 PM), available at https://www.reuters.com/article/us-usa-internet-trump/trump-signs-repeal-of-u-s-broadband-privacy-rules-idUSKBN1752PR.
[43] See Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, Report & Order (“Commission Order”), FCC Dkt. No. 16-148 (Nov. 2, 2016), available at http://transition.fcc.gov/Daily_Releases/Daily_Business/2016/db1103/FCC-16-148A1.pdf.
[44] David Shepardson, FCC Approves TV Technology that Gives Better Pictures but Less Privacy, Reuters (Nov. 16, 2017, 3:25 PM), available at https://www.reuters.com/article/us-usa-television-technology/fcc-approves-tv-technology-that-gives-better-pictures-but-less-privacy-idUSKBN1DG2XF.
[45] See John Eggerton, Dingell has Privacy Concerns over ATSC 3.0, Broadcasting Cable (Nov. 8, 2017, 4:52 PM), http://www.broadcastingcable.com/news/washington/dingell-has-privacy-concerns-over-atsc-30/169962.
[46] SS7 is a signaling protocol that supports call setup, routing, exchange, and billing functions in communications networks by transmitting messages between fixed and mobile service providers. See FCC’s Public Safety & Homeland Security Bureau Encourages Implementation of CSRIC Signaling System 7 Security Best Practices, DA-17-799 (Aug. 24, 2017), https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&ved=0ahUKEwi8_tXflYrYAhXC5CYKHTC4BroQFggwMAE&url=https%3A%2F%2Fapps.fcc.gov%2Fedocs_public%2Fattachmatch%2FDA-17-799A1.docx&usg=AOvVaw3NB4Lc5YhzWjjTAxZv9Hss; see also Jenna Ebersole, Dem Lawmakers Urge FCC Action On Cellphone Cybersecurity, Law360 (March 28, 2017, 8:05 PM), https://www.law360.com/articles/906956/dem-lawmakers-urge-fcc-action-on-cellphone-cybersecurity.
[47] FCC, Order, Straight Path Communications Inc., Ultimate Parent Company of Straight Path Spectrum, LLC, Straight Path Spectrum LLC, File No. EC-SED-16-00022575, Acct. No. 201732100003, FRN: 0022779334 (Jan. 12, 2017), https://apps.fcc.gov/edocs_public/attachmatch/DA-17-40A1.pdf.
[48] Stephen Lawson, FCC looks to higher frequencies for 5G mobile, Computerworld (Oct. 22, 2015, 1:44 PM), https://www.computerworld.com/article/2996149/mobile-wireless/fcc-looks-to-higher-frequencies-for-5g-mobile.html.
[49] FCC, Order, Straight Path Communications Inc., Ultimate Parent Company of Straight Path Spectrum, LLC, Straight Path Spectrum LLC, File No. EC-SED-16-00022575, Acct. No. 201732100003, FRN: 0022779334 (Jan. 12, 2017), https://apps.fcc.gov/edocs_public/attachmatch/DA-17-40A1.pdf.
[50] Blog of FCC Chairman Ajit Pai, Consumer Protection Month at the FCC (June 22, 2017, 2:20 PM), https://www.fcc.gov/news-events/blog/2017/06/22/consumer-protection-month-fcc.
[51] Press Release, Federal Communications Commission, Robocall Scammer Faces $120 Million Proposed Fine for Massive Caller ID Spoofing Operation (June 22, 2017), https://apps.fcc.gov/edocs_public/attachmatch/DOC-345470A1.pdf.
[52] Kelcee Griffis, FCC Fines Co. $2.8M For Powering Robocalls To Cellphones, Law360 (July 13, 2017, 4:27 PM), https://www.law360.com/articles/944001/fcc-fines-co-2-8m-for-powering-robocalls-to-cellphones; Press Release, Federal Communications Commission, FCC Proposes $82 Million Fine for Spoofed Telemarketing Robocalls (Aug. 3, 2017), https://apps.fcc.gov/edocs_public/attachmatch/DOC-346059A1.pdf.
[53] Consumer Protection Principles: Consumer-Authorized Financial Data Sharing and Aggregation, Consumer Financial Protection Bureau (Oct. 18, 2017), available at http://files.consumerfinance.gov/f/documents/cfpb_consumer-protection-principles_data-aggregation.pdf.
[54] Stakeholder Insights that Inform the Consumer Protection Principles, Consumer Financial Protection Bureau (Oct. 18, 2017), available at http://files.consumerfinance.gov/f/documents/cfpb_consumer-protection-principles_data-aggregation_stakeholder-insights.pdf.
[55] See supra note 54.
[56] Press Release, Bureau Seeks to Ensure a Workable Data Aggregation Market that Gives Consumers Protection and Value (Oct. 18, 2017), available at https://www.consumerfinance.gov/about-us/newsroom/cfpb-outlines-principles-consumer-authorized-financial-data-sharing-and-aggregation/.
[57] Id.
[58] See supra note 54.
[59] Assurance of Voluntary Compliance, In the Matter of Investigation by Eric T. Schneiderman, Attorney General of the State of New York, of Target Corporation, No. 17-094 (May 15, 2017), available at https://ag.ny.gov/sites/default/files/nyag_target_settlement.pdf.
[60] Id.; see also Press Release, A.G. Schneiderman Announces $18.5 Million Multi-State Settlement With Target Corporation over 2013 Data Breach (May 23, 2017), available at https://ag.ny.gov/press-release/ag-schneiderman-announces-185-million-multi-state-settlement-target-corporation-over.
[61] Assurance of Voluntary Compliance, In Re Nationwide Mutual Ins. Co. and Allied Prop. & Casualty Ins. Co. (Aug. 3, 2017), available at https://ag.ny.gov/sites/default/files/nationwide-aod.pdf; see also Press Release, A.G. Schneiderman Announces $5.5 Million Multi-State Settlement With Nationwide Mutual Insurance Company Over 2012 Data Breach (Aug. 9, 2017), available at https://ag.ny.gov/press-release/ag-schneiderman-announces-55-million-multi-state-settlement-nationwide-mutual.
[62] Id.
[63] Press Release, Lenovo Settles FTC Charges it Harmed Consumers With Preinstalled Software on its Laptops that Compromised Online Security (Sept. 5, 2017), available at https://www.ftc.gov/news-events/press-releases/2017/09/lenovo-settles-ftc-charges-it-harmed-consumers-preinstalled.
[64] Press Release, Attorney General Becerra Announces $3.5M Settlement with Lenovo for Preinstalling Software that Compromised Security of its Computers (Sept. 5, 2017), available at https://oag.ca.gov/news/press-releases/attorney-general-becerra-announces-35m-settlement-lenovo-preinstalling-software. [65] Press Release, AG’s Office Alleges Company Failed to Protect Personal Information of Nearly Three Million Massachusetts Residents, Despite Knowing its System was Vulnerable to Hackers (Sept. 19, 2017), available at http://www.mass.gov/ago/news-and-updates/press-releases/2017/2017-09-19-equifax-lawsuit.html;see also Complaint, Commonwealth of Massachusetts v. Equifax, Inc., (Suffolk Sup. Ct. Sept. 19, 2017). [66] Memorandum In Support of Plaintiffs’ Motion For Transfer of Actions to the Northern District of Georgia And For Consolidation Pursuant to 28 U.S.C. 1407, In Re: Equifax Inc., Consumer Data Security Breach Litigation , MDL Dkt. No. 2800 (Judicial panel on Multi-district Litigation, Sept. 11, 2017), available at: http://www.almcms.com/contrib/content/uploads/sites/292/2017/09/Equifax-MDL-motion.pdf. [67] Press Release, Attorney General Becerra Announces $2 Million Settlement Involving Santa Barbara-based Cottage Health System Over Failure to Protect Patient Medical Records (Nov. 22, 2017), available at https://www.oag.ca.gov/news/press-releases/attorney-general-becerra-announces-2-million-settlement-involving-santa-barbara. [68] Id .; see also Complaint for Injunction, Civil Penalties, and Other Equitable Relief, California v. Cottage Health et al ., No. 17CV05269 (Sup. Ct. County of Santa Barbara, November 15, 2017), available at https://www.oag.ca.gov/system/files/attachments/press_releases/Conformed%20Cottage%20Complaint%20SIGNED.PDF. [69] Stipulation for Entry of Final Judgment and Permanent Injunction, California v. Cottage Health, et al., No. 17CV05269 (Sup. Ct. County of Santa Barbara, November 15, 2017). [70] Id . [71] Press Release, A.G. 
Schneiderman Announces $700,000 Joint Settlement With Hilton After Data Breach Exposed Hundreds of Thousands of Credit Card Numbers (Oct. 31, 2017), available at https://ag.ny.gov/press-release/ag-schneiderman-announces-700000-joint-settlement-hilton-after-data-breach-exposed . [72] Id .; N. Y. Gen. Bus. Law § 899-aa(2) (McKinney 2017). [73] Press Release, New Jersey Division of Consumer Affairs, Federal Trade Commission Reach $2.5 Million Settlement with Smart TV Manufacturer to Settle Allegations of Invasive Data Collection (Feb. 6, 2017), available at http://nj.gov/oag/newsreleases17/pr20170206a.html. [74] Id .; see also Stipulated Order for Permanent Injunction and Monetary Judgment, Federal Trade Commission, et al. v. Vizio, Inc., No. 2:17-cv-00758 (D. N.J. Feb. 6, 2017), available at http://nj.gov/oag/newsreleases17/Vizio-Order.pdf. [75] Id . [76] Washington State Attorney General’s Office, 2017 Data Breach Report, available at http://agportal-s3bucket.s3.amazonaws.com/uploadedfiles/Home/Safeguarding_Consumers/Data_Breach/2017%20Data%20Breach%20Report%20Final.pdf. [77] 23 NYCRR 500, available at http://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf. [78] Id . [79] Id .  See also Key Dates under New York’s Cybersecurity Regulation (23 NYCRR Part 500) , N.Y. Dep’t of Fin. Servs., http://www.dfs.ny.gov/about/cybersecurity.htm (last visited Jan. 23, 2018). [80] Id. [81] Proposed Financial Services Regulations , N.Y. Dep’t of Fin. Servs., http://www.dfs.ny.gov/legal/regulations/proposed/propdfs.htm (last visited Jan. 23, 2018). [82] Executive Order 13,800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure , May 11, 2017. [83] Id. at 1. [84] Id. at 1-2. [85] Id. at 4. [86] See Press Release, Final IT Modernization Report, Dec. 13, 2017, available at https://www.whitehouse.gov/articles/final-modernization-report/ ; Report to the President on Federal IT Moderization, available at https://itmodernization.cio.gov/. 
[87] Executive Order, at 5. [88] Id. at 5-6. [89] Id. at 6. [90] Id. [91]            A Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats , National Telecommunications and Information Administrations, U.S. Dep’t of Commerce, Jan. 5, 2018, available at https://www.ntia.doc.gov/report/2018/report-president-enhancing-resilience-internet-and-communications-ecosystem-against . [92] Id. at 6-7. [93] Id. at 7. [94] Id. [95] Id. [96] Id. at 7-8. [97] Id. at 8-9. [98] Lily Hay Newman, Taking Stock of Trump’s Cybersecurity Executive Order so Far , WIRED, Sept. 3, 2017, available at https://www.wired.com/story/trump-cybersecurity-executive-order/. [99] See, e.g., Sonam Sheth, Over a Quarter of the Members on Trump’s Cybersecurity Advisory Council Have Resigned En Masse , Business Insider, Aug. 28, 2017, available at http://www.businessinsider.com/members-of-trump-cybersecurity-council-resign-2017-8. [100] Joseph Marks, Trump Administration Plans a New Cybersecurity Strategy, Defense One, Oct. 25, 2017, available at http://www.defenseone.com/technology/2017/10/trump-administration-plans-new-cybersecurity-strategy/142042/. [101] Vulnerabilities Equities Policy and Process for the United States Government, Nov. 15, 2017, available at https://www.whitehouse.gov/sites/whitehouse.gov/files/images/External%20-%20Unclassified%20VEP%20Charter%20FINAL.PDF. [102] Id. at 1. [103] Id. at 3-4. [104] Id. at 6-7. [105] Id. [106] Id. at 7-8. [107] Id. at 13-14. [108] David Shepardson, Trump Signs Repeal of U.S. Broadband Privacy Rules, Reuters, Apr. 3, 2017, https://www.reuters.com/article/us-usa-internet-trump/trump-signs-repeal-of-u-s-broadband-privacy-rules-idUSKBN1752PR. [109] Richard Lawler, Trump Signs Bill Rolling Back FCC Privacy Rules for ISPs, Engadget, Apr. 3, 2017, https://www.engadget.com/2017/04/03/trump-signs-bill-rolling-back-fcc-privacy-rules-for-isps/. [110] Id. 
[111] Shepardson , supra note 109. [112] See generally 50 U.S.C. § 1881 (2012). [113] See, e.g. , 50 U.S.C. § 1881a. [114] The FISA Amendments Act:  Q &A , Office of the Director of National Intelligence, https://www.dni.gov/files/icotr/FISA%20Amendments%20Act%20QA%20for%20Publication.pdf. [115] H.R. 139, 115th Cong. (2017). [116] S. 2010, 115th Cong. (2017); see also David Shortell, Senate Intel Advances Bill to Reauthorize Spying Program with Minimal Reform , CNN, Oct. 27, 2017, http://www.cnn.com/2017/10/26/politics/fisa-702-reauthorization-bill-advanced/index.html. [117] Pub. L. 115-96 (2017); see also Matthew Kahn, Congress Buys Itself Another Three Weeks on Section 702, Lawfare, Dec. 22, 2017, https://www.lawfareblog.com/year-review-fisa-section-702. [118]   H. 137, 115th Cong. (2017); see also Charlie Savage, Eileen Sullivan & Nicholas Fandos, House Extends Surveillance Law, Rejecting New Privacy Safeguards , N.Y. T IMES, Jan. 11, 2018, https://www.nytimes.com/2018/01/11/us/politics/fisa-surveillance-congress-trump.html. [119]   See Ted Barrett and Ashley Killough, Senate Passes FISA Section 702 Reauthorization, CNN Politics, Jan. 18, 2018, http://www.cnn.com/2018/01/18/politics/fisa-reauthorization-senate-vote/index.html. [120]   See Gregory Korte and Erin Kelly, Trump signs bill extending surveillance law – the same law he says was used to spy on him , USA Today, Jan. 19, 2018, https://www.usatoday.com/story/news/politics/onpolitics/2018/01/19/trump-signs-bill-extending-surveillance-law-same-law-he-says-used-spy-him/1049663001/. [121]   See Andrew Liptak, President Donald Trump Has Signed the FISA Reauthorization Bill , The Verge, Jan. 20, 2018, https://www.theverge.com/2018/1/20/16913534/president-donald-trump-signed-fisa-amendments-reauthorization-act-of-2017-section-702. [122] See 18 U.S.C. § 2510 (2012). [123] H.R. 387, 115th Cong. (2015). [124] Mario Trujillo, House Unanimously Passes Email Privacy Bill, The Hill, Apr. 
27, 2016, http://thehill.com/policy/technology/277897-house-unanimously-passes-bill-to-protect-email-privacy. [125] S. 1654, 115th Cong. (2017). [126] H.R. 1616, 115th Cong. (2017); see also Michael Macagnone, House Authorizes National Cyber Security Center, Law360, May 16, 2017, https://www.law360.com/privacy/articles/924495. [127]   Pub. L. No. 115-76 (2017). [128] H.R. 4081, 115th Cong. (2017); S. 2124, 115th Cong. (2017). [129] Mike Lennon, U.S. Senators Introduce SEC Cybersecurity Disclosure Legislation , Security Week, Dec. 18, 2015, http://www.securityweek.com/us-senators-introduce-sec-cybersecurity-disclosure-legislation. [130] See Security Breach Notification Laws , National Conference of State Legislatures, Jan. 4, 2016, http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx (listing the 47 states, along with the District of Columbia, Guam, Puerto Rico, and the Virgin Islands that have passed data breach notification laws). [131] See Nat’l Conference of State Legislatures, Cybersecurity Legislation 2017, http://ncsl.org/research/telecommunications-and-information-technology/cybersecurity-legislation-2017.aspx (last visited Jan. 22, 2018). [132] See Act of Apr. 3, 2017, Pub. L. No. 115-22, 131 Stat. 88 (2017) (disapproving Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, Report and Order, 81 Fed. Reg. 87,274 (Dec. 2, 2016)). [133] See California Consumer Privacy Act of 2018, Initiative No. 17-0027 (Cal. 2018), available at https://oag.ca.gov/system/files/initiatives/pdfs/17-0027%20%28Consumer%20Privacy%29_1.pdf . [134] Data Breach Notification Act, H.B. 15 (N.M. 
2017), available at https://legiscan.com/NM/text/HB15/2017 (defining “personal identifying information” as an “[i]ndividual’s first name or last initial and last name in combination with one or more of the following data elements that relate to the individual, when the data elements are not protected through encryption or redaction or otherwise rendered unreadable or unusable:  social security number; driver’s license number; government issued identification number; account number, credit card number or debit card number in combination with any required security code, access code, or password that would permit access to a person’s financial account; or biometric data”). [135] Act to Amend Title 6 of the Delaware Code Relating to Breaches of Security Involving Personal Information, H.B. 180 (Del. 2017), available at https://legis.delaware.gov/BillDetail/26009. [136] H.J.R. 59, 100th Gen. Assemb., 1st Sess. (Ill. 2017), available at http://ilga.gov/legislation/fulltext.asp?DocName=10000HJ0059eng&GA=100&SessionId=91&DocTypeId=HJR&LegID=107003&DocNum=59&GAID=14&Session=&print=true. [137] See Nat’l Conference of State Legislatures, Cybersecurity Legislation 2017, http://ncsl.org/research/telecommunications-and-information-technology/cybersecurity-legislation-2017.aspx (last visited Jan. 22, 2018) (discussing H.R. 353 (P.R. 2017)); see also H.R. 353 (P.R. 2017), available at http://www.oslpr.org/2017-2020/%7B89C0F2C716C0425EA321DE9FC40CC10A%7D.docx (Spanish-language version). [138] H.B. 7304 (Conn. 2017), available at https://www.cga.ct.gov/2017/act/pa/pdf/2017PA-00223-R00HB-07304-PA.pdf. [139] S.B. 33, 64th Legis. Sess. (Wy. 2017), available at https://legiscan.com/WY/text/SF0033/2017. [140] S.B. 1028, 217th Leg. (N.J. 2017), available at https://legiscan.com/NJ/text/S1028/2016. [141] Assemb. B. 2765 (N.Y. 2017), available at http://assembly.state.ny.us/leg/?default_fld=&bn=A02765&term=2017&Summary=Y&Actions=Y&Text=Y&Committee%26nbspVotes=Y&Floor%26nbspVotes=Y. 
[142] S.B. 2406-A (N.Y. 2017), available at http://legislation.nysenate.gov/pdf/bills/2017/S2406A. [143] Colo. Rev. Stat. Ann. § 24-72-204.5 (West 2017); Tenn. Code. Ann. § 10-7-512 (West 2017). [144] Conn. Gen. Stat. Ann. § 31-48d (West 2017); Del. Code Ann. tit. 19, § 705 (West 2017). [145]   Conn. Gen. Stat. Ann. § 31-48d(c). [146]   Del. Code Ann. tit. 19, § 705(c). [147] H.B. 2371, 100th Gen. Assemb., 1st Sess. (Ill. 2017), available at http://www.ilga.gov/legislation/fulltext.asp?DocName=&SessionId=91&GA=100&DocTypeId=HB&DocNum=2371&GAID=14&LegID=103007&SpecSess=&Session=. [148] Assemb. B. 4936, 217th Leg. (N.J. 2017), available at https://legiscan.com/NJ/text/A4936/2016; H.B. 3221, 79th Legis. Sess. (Or. 2017), available at https://olis.leg.state.or.us/liz/2017R1/Downloads/MeasureDocument/HB3221. [149] Assemb. B. 276 (Cal. 2017), available at https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB276. [150]   Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016). [151]   Id. at 1545. [152]   Id. [153]  In re Horizon Healthcare Servs. Inc. Data Breach Litig ., 846 F.3d 625, 634–35 (3d Cir. 2017). [154]   Id. at 634–35. [155]   Id. at 640 (footnotes omitted); see also id. (“There is thus a de facto injury that satisfies the concreteness requirement for Article III standing.”) (footnote omitted). [156]   Attias v. Carefirst, Inc., 865 F.3d 620, 627 (D.C. Cir. 2017). [157]   Whalen v. Michaels Stores, Inc., 689 F. App’x 89, 90 (2d Cir. 2017). [158]   Id. [159]   Beck v. McDonald, 848 F.3d 262, 274–75 (4th Cir.), cert. denied sub nom. Beck v. Shulkin, 137 S. Ct. 2307 (2017). [160]   See e.g., In re U.S. Office of Pers. Mgmt. Data Sec. Breach Litig., No. MC 15-1394 (ABJ), 2017 WL 4129193, at *34–35 (D.D.C. Sept. 
19, 2017) (“Neither complaint directly alleges, or marshals any facts that would support an inference, that those behind this attack are likely to use the information for credit card fraud or identify theft purposes, that they are likely to make it available to other criminals for that purpose, or that the breach has enabled other bad actors to have greater access to the information than they did before.”), appeals docketed, No. 17-5217 (D.C. Cir. Sep. 27, 2017), No. 17-5232 (D.C. Cir. Oct. 12 2017), No. 18-1182 (Fed. Cir. Nov. 15, 2017); In re VTech Data Breach Litig., No. 15 CV 10889, 2017 WL 2880102, at *4 (N.D. Ill. July 5, 2017) (“Plaintiffs here fail to make the connection between the data breach they allege and the identity theft they fear.  Specifically, plaintiffs do not explain how the stolen data would be used to perpetrate identity theft.”); Nayab v. Capital One Bank, N.A., No. 3:16-CV-3111-CAB-MDD, 2017 WL 2721982, at *2–3  (S.D. Cal. June 23, 2017) (finding that allegations of “increased risk” of identity theft were “speculative and conjectural”), appeal docketed, No. 17-55944 (9th Cir. July 5, 2017). [161]   In re SuperValu, Inc., 870 F.3d 763 (8th Cir. 2017). [162]   Id. at 765–67 . [163]   Id. at 769 (citing Attias, 865 at 625–29; Whalen, 689 F. App’x at 89–91;Beck, 848 F.3d at 273–76; Galaria v. Nationwide Mut. Ins., 663 F. App’x. 384, 387–90  (6th Cir. 2016); Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963, 966–69 (7th Cir. 2016); and Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 692–93  (7th Cir. 2015)). [164]   Id. at 769, 771 (citation omitted). [165]   Id. at 772–74. [166]   See Robins v. Spokeo, Inc., 867 F.3d 1108, 1117 (9th Cir. 2017), petition for cert. filed, No. 17-806 (U.S. Dec. 6, 2017). [167]   Id. [168]   Syed v. M-I, LLC, 853 F.3d 492, 499–500  (9th Cir. 2017), cert. denied, No. 16-1524, 2017 WL 2671483 (U.S. Nov. 13, 2017). [169]   Eichenberger v. ESPN, Inc., 876 F.3d 979, 983 (9th Cir. 2017). [170]   Id. 
[171]   See Perry v. Cable News Network, Inc., 854 F.3d 1336, 1340–41  (11th Cir. 2017) (“We conclude that violation of the VPPA constitutes a concrete harm. . . . The structure and purpose of the VPPA supports the conclusion that it provides actionable rights.”) (citations omitted). [172]   See e.g., Aguirre v. Absolute Resolutions Corp., No. 15 C 11111, 2017 WL 4280957, at *5 (N.D. Ill. Sept. 27, 2017) (FDCPA case); Hargrett v. Amazon.com DEDC LLC, 235 F. Supp. 3d 1320, 1326 (M.D. Fla. 2017) (FCRA case);  Bock v. Pressler & Pressler, LLP, 254 F. Supp. 3d 724, 734–737 (D.N.J. 2017) (FDCPA case). [173]   See Groshek v. Time Warner, Inc., 865 F.3d 884, 887 (7th Cir. 2017). [174]   Id. at 889. [175]   Dreher v. Experian Info. Sols., Inc., 856 F.3d 337, 346–47 (4th Cir. 2017). [176]   See id. at 347. [177]   See Crupar-Weinmann v. Paris Baguette Am., Inc., 861 F.3d 76, 81–82 (2d Cir. 2017); Katz v. Donna Karan Co., L.L.C., 872 F.3d 114, 121 (2d Cir. 2017) (“FACTA does not prohibit printing the [credit card] issuer identity on a receipt . . . .”). [178]   See e.g., Fullwood v. Wolfgang’s Steakhouse, Inc., No. 13 CIV. 7174 (KPF), 2017 WL 5157466, at *5–6 (S.D.N.Y. Nov. 3, 2017); Kamal v. J. Crew Grp., Inc., No. CV 2:15-0190 (WJM), 2017 WL 2443062, at *4–5 (D.N.J. June 6, 2017). [179]   See Gubala v. Time Warner Cable, Inc., 846 F.3d 909, 913 (7th Cir. 2017). [180]   Id. at 910. [181]   See Santana v. Take-Two Interactive Software, Inc., — F. App’x —-, 2017 WL 5592589, at *5 (2d Cir. Nov. 21, 2017). [182]   Id. at *2–3. [183]   See Satchell v. Sonic Notify, Inc., 234 F. Supp. 3d 996, 1005 (N.D. Cal. 2017) (holding that the plaintiff alleged an adequate injury based on allegation that the “[d]efendants captured and listened to private conversations without her knowledge or consent”). [184]   See In re Vizio, Inc., Consumer Privacy Litig., 238 F. Supp. 3d 1204, 1215–17 (C.D. Cal. 2017). [185]   E.g., Whitaker v. Appriss, Inc., 229 F. Supp. 3d 809, 812–17 (N.D. Ind. 
2017); Hatch v. Demayo, No. 1:16CV925, 2017 WL 4357447, at *3–6 (M.D.N.C. Sept. 29, 2017). [186]   Van Patten v. Vertical Fitness Grp., LLC, 847 F.3d 1037, 1043 (9th Cir. 2017). [187]   See Leyse v. Lifetime Entm’t Servs., LLC, 679 F. App’x 44, 46 (2d Cir. 2017); Susinno v. Work Out World Inc., 862 F.3d 346, 352 (3d Cir. 2017). [188]   See e.g., Melito v. Am. Eagle Outfitters, Inc., No. 14-CV-2440 (VEC), 2017 WL 3995619, at *7 (S.D.N.Y. Sept. 11, 2017) (certifying class and approving class settlement over objections, and holding that the “receipt of an unconsented to voicemail message was sufficient to establish a concrete injury”),appeal docketed, No. 17-3277 (2d Cir. Oct 10, 2017); Heather McCombs, D.P.M., L.L.C. v. Cayan LLC, No. 15 C 10843, 2017 WL 1022013, at *4 (N.D. Ill. Mar. 16, 2017) (holding “that in pleading the receipt of an unsolicited fax advertisement in violation of the TCPA, Plaintiff has alleged a particularized and concrete injury sufficient to satisfy Article III”),  appeal dismissed, No. 17-1946, 2017 WL 5185363 (7th Cir. July 7, 2017). [189]   Legg v. PTZ Ins. Agency, Ltd., 321 F.R.D. 572, 577–78 (N.D. Ill. 2017), appeal docketed, No. 17-8018 (7th Cir. Aug. 31, 2017). [190]   Allison Grande,Spokeo Wants Justices To Revisit Last Year’ s Standing Ruling, Law360 (Dec. 13, 2017, 10:50 PM), https://www.law360.com/cybersecurity-privacy/articles/994507/spokeo-wants-justices-to-revisit-last-year-s-standing-ruling. [191]   Allison Grande, Spokeo Standing Fight Won’t Go Another Round At High Court , Law360 (Jan. 22, 2018, 4:15 PM), https://www.law360.com/cybersecurity-privacy/articles/1004192/spokeo-standing-fight-won-t-go-another-round-at-high-court.  [192]  Michael Riley, Jordan Robertson, and Anita Sharpe, The Equifax data breach has the hallmarks of state-sponsored pros , Bloomberg Businessweek (Sept. 29, 2017), https://www.bloomberg.com/news/features/2017-09-29/the-equifax-hack-has-all-the-hallmarks-of-state-sponsored-pros.  
[193]  See, e.g., Compl., Allen et al v. Equifax, Inc., No. 1:17-cv-04544 (N.D. Ga. Nov. 10, 2017); see also Wolf Richter, Equifax’s data breach will cost it for months to come, Business Insider (Nov. 11, 2017), http://www.businessinsider.com/equifax-data-breach-will-keep-costing-it-for-months-to-come-2017-11 .  [194]  Id.  [195]  See Compl., People of the State of California v. Equifax, Inc., No. CGC-17-561529 (Sep. 26, 2017); Compl., City of Chicago v. Equifax, Inc., 2017-CH-13047 (Sep. 28, 2017).  [196]  Compl., Commonwealth of Massachusetts v. Equifax, Inc., No. 1784CV03009 (Sep. 19, 2017).  [197]  Renae Merle, After the breach, Equifax now faces the lawsuits, Washington Post (Sep. 22, 2017), https://www.washingtonpost.com/news/business/wp/2017/09/22/after-the-breach-equifax-now-faces-the-lawsuits/?utm_term=.185a237742fb .  [198]  Compl., Kuhns et al. v. Equifax, Inc., No. 1:17-cv-03463 (N.D. Ga. Sep. 8, 2017).  [199]  See, e.g., Knepper v. Equifax Information Servs., LLC., No. 2:17-CV-02368 (D. Nev. Oct. 2, 2017) (order granting motion to stay pending consolidation).  [200]  In re Equifax, Inc. Customer Data Security Breach Litigation , MDL No. 2800 (J.P.M.L. Dec. 6, 2017).  [201]  Teri Robinson, Open AWS S3 bucket exposes sensitive Experian and census info on 123 million U.S. households , SC Magazine (Dec. 20, 2017), https://www.scmagazine.com/open-aws-s3-bucket-exposes-sensitive-experian-and-census-info-on-123-million-us-households/article/720067/ .  [202]  Id.  [203]  Id. [204]   Ray Schultz, Alteryx Slammed with Two Data Breach Suits, Email Marketing Daily (Dec. 22, 2017), https://www.mediapost.com/publications/article/312126/alteryx-slammed-with-two-data-breach-suits.html. [205] Elec. Privacy Info. Ctr. v. FBI , No. 1:17-cv-00121 (D.D.C. Jan. 18, 2017). [206] Compl., Microsoft Corp. v. Does 1-12, No.2016-cv-00993 (E.D. Va. Filed Aug. 3, 2016), at ECF No. 
1; see also Kevin Poulsen, Putin’s Hackers Now Under Attack – From Microsoft, Daily Beast (July 20, 2017), https://www.thedailybeast.com/microsoft-pushes-to-take-over-russian-spies-network . [207] Selena Larson, Data of almost 200 million voters leaked online by GOP analytics firm , CNN (June 19, 2017), http://money.cnn.com/2017/06/19/technology/voter-data-leaked-online-gop/index.html?iid=EL . [208] Id . [209] Compl., McAleer et al v. Deep Root Analytics, LLC, No. 6:17-cv-01142 (M.D. Fl. June 21, 2017). [210] Order, McAleer et al v. Deep Root Analytics, LLC, No. 6:17-cv-01142 (M.D. Fl. Nov. 7, 2017). [211]   Callum Borchers, What we know about the 21 states targeted by Russian hackers , Washington Post (Sept. 23, 2017), https://www.washingtonpost.com/news/the-fix/wp/2017/09/23/what-we-know-about-the-21-states-targeted-by-russian-hackers/?utm_term=.28d2dcb475c7 . [212]   Id. [213] See, e.g. , Compl., Weiss et al. v. Arby’s Restaurant Group, Inc., No. 1:17-cv-01035 (N.D. Ga., Mar. 22, 2017). [214] See, e.g. , Compl., Bellwether Comm. Credit Union v. Chipotle Mexican Grill, Inc. , No. 1:17-cv-01102 (D. Colo., May 4, 2017). [215] See, e.g. , Order, In re Sonic Corp. Customer Data Security Breach Litig., No. 2807 (JPML, Dec. 15, 2017); David P. Willis, Sonic Drive-In hit by security breach, Asbury Park Press (Sept. 27, 2017), https://www.usatoday.com/story/tech/2017/09/27/sonic-drive-hit-security-breach/708850001/ . [216] Josh Magness & Donovan Harrell, Pizza Hut was hacked, company says, Miami Herald (Oct. 14, 2017, updated Oct. 18, 2017), https://www.usatoday.com/story/tech/2017/09/27/sonic-drive-hit-security-breach/708850001/ . [217] Compl., Yoachim et al. v. Pizza Hut Inc., No. 17-cv-1675 (W.D. Wash., Nov. 7, 2017). [218] Jamie Biesiada, Sabre sued for data breach of hotel res system, Travel Weekly (July 14, 2017), http://www.travelweekly.com/Travel-News/Travel-Technology/Sabre-sued-for-data-breach-of-hotel-res-system . [219] Compl., Orr v. 
InterContinental Hotels Group, PLC, No. 1:17-cv-01622 (N.D. Ga., May 5, 2017). [220] Compl., Banus v. Whole Foods Market Group, Inc., No. 1:17-cv-02132 (N.D. Ohio, Oct. 10, 2017). [221]   Largest Healthcare Data Breaches of 2017, HIPAA J. (Jan. 4, 2018), https://www.hipaajournal.com/largest-healthcare-data-breaches-2017/. [222]   Id. [223] Marianne Kolbasuk McGee, Breach involving encrypted devices raises questions, Health Care Info Security (Mar. 23, 2017), https://www.healthcareinfosecurity.com/breach-involving-encrypted-devices-raises-questions-a-9789 . [224]   Largest Healthcare Data Breaches of 2017, HIPAA J. (Jan. 4, 2018), https://www.hipaajournal.com/largest-healthcare-data-breaches-2017/. [225] Compl., Palmer v. Bowling Green-Warren Cnty. Comm. Hosp. Corp., No. 17-CI-00579 (Cir. Ct. Warren Cnty., May 12, 2017). [226] Jeff John Roberts, Law firm DLA Piper reels under cyber attack, fate of files unclear , Fortune (June 29, 2017), https://www.healthcareinfosecurity.com/breach-involving-encrypted-devices-raises-questions-a-9789 . [227] Guardian to fight legal action over Paradise Papers , The Guardian (Dec. 18, 2017), https://www.theguardian.com/uk-news/2017/dec/18/guardian-bbc-legal-action-paradise-papers?CMP=Share_iOSApp_Other . [228] Id . [229] Id . [230] See Order, In re: Yahoo! Inc. Customer Data Sec. Breach Litigation, No. 16-MD-02752-LHK, 2017 WL 3727318 (N.D. Cal. Aug. 30, 2017). [231] Id. at *17. [232] Id . at *53. [233] In re: U.S. Office of Pers. Mgmt. Data Sec. Breach Litig., 266 F. Supp. 3d 1 (D.D.C. 2017). [234] Id . at 20, 28. [235] Id . at 36-38. [236] Id . at 39-47, 49-50. [237] In re VTech Data Breach Litig., No. 1:15-cv-10889, -10891, -11620, -11885, 2017 WL 2880102, at *4 (N.D. Ill. July 5, 2017). [238] Id . [239] Amended Complaint, In re VTech Data Breach Litig., No. 1:15-cv-10889, -10891, -11620, -11885 (N.D. Ill. Aug. 17, 2017). 
[240]   Electronic Toy Maker VTech Settles FTC Allegations That It Violated Children’s Privacy Law and the FTC Act , Fed. Trade Comm’n (Jan. 8, 2018), https://www.ftc.gov/news-events/press-releases/2018/01/electronic-toy-maker-vtech-settles-ftc-allegations-it-violated. [241]   Id. at 14. [242]   Id. at 12. [243] SELCO Comm. Credit Union v. Noodles & Co. , 267 F. Supp. 3d 1292 (D. Colo. 2017). [244] Id . [245] Id . [246] Attias v. CareFirst, Inc. , 865 F.3d 620, 622-23 (D.C. Cir. 2017). [247] Id . at 628. [248] Id . [249] Beck v. McDonald , 848 F.3d 262, 267 (4th Cir. Feb. 6, 2017). [250] Id . at 274, 276-77. [251] Id . at 275. [252] Attias , 865 F.3d at 628. [253] Beck , 848 F.3d at 275. [254] Whalen v. Michaels Stores, Inc. , 689 Fed. App’x 89, 90-91 (2d Cir. 2017). [255] See Alison Frankel, 8th Circuit Adds to Data Breach Litigation Uncertainty, Ahead of SCOTUS Petition , Reuters (Sept. 1, 2017), https://www.reuters.com/article/us-otc-databreach/8th-circuit-adds-to-data-breach-litigation-uncertainty-ahead-of-scotus-petition-idUSKCN1BC5OJ. [256] In re SuperValu, Inc., Customer Data Sec. Breach Litig., 870 F.3d 763, 770-72 (8th Cir. 2017). [257]   Id. at 772. [258] Complaint, Microsoft Corp. v. Does 1-12, No. 2016-cv-00993 (E.D. Va. Aug. 3, 2016), ECF No. 1; see also Kevin Poulsen, Putin’s Hackers Now Under Attack – From Microsoft, Daily Beast (July 20, 2017), https://www.thedailybeast.com/microsoft-pushes-to-take-over-russian-spies-network. [259] Id . [260] Preliminary Injunction Order, Microsoft Corp. v. Does 1-12 , No. 2016-cv-00993 (E.D. Va. Aug. 12, 2016), ECF No. 33. [261] Motion for Default Judgment and Permanent Injunction, Microsoft Corp. v. Does 1-12, No. 2016-cv-00993 (E.D. Va. Jun. 29, 2017), ECF No. 55. [262] Guardian to Fight Legal Action over Paradise Papers , The Guardian (Dec. 18, 2017), https://www.theguardian.com/uk-news/2017/dec/18/guardian-bbc-legal-action-paradise-papers. [263] Settlement Agreement and Release at 11, In re Anthem, Inc. 
Data Breach Litig. (“In re Anthem “), No. 5:15-md-02617-LHK, (N.D. Cal. June 23, 2017). [264] See In re Anthem, 162 F. Supp. 3d 953, 967 (N.D. Cal. 2016). [265] See id. at 968. [266] Id. at 1016. [267] Settlement Agreement and Release at 4, In re Anthem, No. 5:15-md-02617-LHK (N D. Cal. June 23, 2017). [268] See generally Order Granting Motion for Preliminary Approval of Class Action Settlement, In re Anthem, No. 5:15-md-02617-LHK, (N.D. Cal. Aug. 25, 2017). [269] Settlement Agreement and Release at 11, In re Anthem, No. 5:15-md-02617-LHK, (N.D. Cal. May 31, 2017). [270] Id. [271] Id. at 11, 23. [272] Id. at 10. [273] See Memorandum of Law in Support of Consumer Plaintiffs’ Motion for Preliminary Approval of Class Settlement, In re: The Home Depot, Inc., Customer Data Sec. Breach Litig.  (“In re Home Depot“), No. 1:14-md-02583-TWT (N.D. Ga. Aug. 23, 2016). [274] See Final Order and Judgment at 1–2, In re Home Depot, No. 1:14-md-02583-TWT (N.D. Ga. Sept. 22, 2017). [275] Id. at 3. [276] Id. at 13. [277] See Memorandum and Order at 3, In re: Target Corp. Customer Data Sec. Breach Litig., No. 14-md-2522 (PAM) (D. Minn. May 17, 2017). [278] See id. [279] See id. at 19-21. [280] See generally Objector Olson’s Amended Notice of Appeal, In re: Target Corp. Customer Data Sec. Breach Litig., No. 14-md-2522 (PAM) (D. Minn. June 2, 2017). [281] Press Release, N.Y. State Office of the Attorney Gen., A.G. Schneiderman Announces $18.5 Million Multi-State Settlement with Target Corporation over 2013 Data Breach (May 23, 2017), https://ag.ny.gov/press-release/ag-schneiderman-announces-185-million-multi-state-settlement-target-corporation-over. [282] See Final Order and Judgment at 3–6, In re Home Depot, No. 1:14-md-02583-TWT (N.D. Ga. Sept. 22, 2017), ECF No. 343 (adopting Settlement Agreement, ECF No. 327-3). [283] See Settlement Agreement and Release at 10–18, 23, In re Anthem, No. 5:15-md-02617-LHK, (N.D. Cal. Jun. 23, 2017), ECF No. 869-8. 
[284] Order Granting Final Approval of Class Action Settlement and Final Judgment, In re Home Depot, No. 1:14-md-02583-TWT (N.D. Ga. Aug. 23, 2016), ECF No. 260 (adopting Settlement Agreement, ECF No. 181-2); Order Granting Consumer Plaintiffs’ Motion For Service Awards, Attorneys’ Fees and Litigation Expense Reimbursement, No. 1:14-md-02583-TWT (N.D. Ga. Aug. 23, 2016), ECF No. 261 (adopting Settlement Agreement, ECF No. 181-2).
[285] Mem. and Order Granting Mot. for Final Approval of Financial Institutions’ Class Action Settlement and Mot. for Att’y Fees and Expenses and Service Payments, In re Target, No. 0:14-md-02522-PAM (D. Minn. May 12, 2016), ECF No. 758 (adopting Settlement Agreement, ECF No. 653-1).
[286] Robin Sidel, Target to Settle Claims Over Data Breach, Wall St. J. (Aug. 18, 2015, 5:10 PM ET), http://www.wsj.com/articles/target-reaches-settlement-with-visa-over-2013-data-breach-1439912013.
[287] Final Approval of Class Settlement, In re Sony, No. 2:14-cv-09600-RGK-E (C.D. Cal. Apr. 6, 2016), ECF No. 165 (approving Settlement Agreement, ECF No. 146-1); Order on Mot. for Att’y Fees, Costs, and Service Awards at 3, In re Sony, No. 2:14-cv-09600-RGK-E (C.D. Cal. Apr. 12, 2016), ECF No. 166.
[288] St. Joseph Health System Med. Info. Cases, JCCP No. 4716 (Cal. Sup. Ct.).
[289] Mem. and Order Granting Mot. for Final Approval of Consumer Settlement and Mot. for Payment of Service Awards and Fees and Expenses, In re Target, No. 0:14-md-02522-PAM (D. Minn. Nov. 16, 2016), ECF No. 645 (approving Settlement Agreement, ECF No. 358-1).
[290] Order Granting Final Approval of Class Action Settlement, In re LinkedIn User Privacy Litig., No. 12-CV-03088-EJD (N.D. Cal. Sept. 15, 2015), ECF No. 147 (approving Settlement Agreement, ECF No. 145-1).
[291] Mot. for Approval of Voluntary Dismissal, In re Adobe Systems Inc. Privacy Litig., No. 5:13-CV-05226-LHK (N.D. Cal. June 9, 2015), ECF No. 87; Settlement Agreement, In re Adobe Systems Inc. Privacy Litig., No. 5:13-CV-05226-LHK (N.D. Cal. June 9, 2015), ECF No. 87-2.
[292] Min. Order Granting Motion for Settlement, In re Sony Gaming Networks & Customer Data Sec. Breach Litig., No. 3:11-md-02258 (S.D. Cal. May 4, 2015), ECF No. 210; Settlement Agreement, In re Sony Gaming Networks, No. 3:11-md-02258 (S.D. Cal. June 13, 2014), ECF No. 190-2.
[293] Opinion at 3, 9–11, Palkon et al. v. Holmes et al., No. 2:14-cv-01234 (SRC) (D.N.J. Oct. 20, 2014), ECF No. 49.
[294] Order Granting Motion to Dismiss, In re Target Corp. S’holder Derivative Litig., No. 0:14-cv-00203 (PAM/JJK) (D. Minn. July 7, 2016), ECF No. 19; Target Corporation Report of the Special Litigation Committee at 2, In re Target Corp. S’holder Derivative Litig., No. 0:14-cv-00203 (PAM/JJK) (Mar. 30, 2016), ECF No. 62-2; see also Memorandum of Law of the Special Litigation Committee of the Board of Directors of Target Corporation in Support of its Motion for Approval and Dismissal, In re Target Corp. S’holder Derivative Litig., No. 0:14-cv-00203 (PAM/JJK) (D. Minn. May 6, 2016), ECF No. 59.
[295] Opinion and Order at 11, In re The Home Depot, Inc. S’holder Derivative Litig., No. 1:15-cv-2999-TWT (N.D. Ga. Nov. 30, 2016), ECF No. 62.
[296] Unopposed Motion for Order for Preliminary Approval of Shareholder Derivative Settlement with Brief In Support, In re The Home Depot, Inc. S’holder Derivative Litig., No. 1:15-cv-2999-TWT (N.D. Ga. Apr. 28, 2017), ECF No. 73; Notice of Proposed Settlement at 5, In re The Home Depot, Inc. S’holder Derivative Litig., No. 1:15-cv-2999-TWT (N.D. Ga. Apr. 28, 2017), ECF No. 74-4.
[297] Notice of Proposed Settlement at 4-5, In re The Home Depot, Inc. S’holder Derivative Litig., No. 1:15-cv-2999-TWT (N.D. Ga. Apr. 28, 2017), ECF No. 74-4.
[298] See Updates Related to Investigation of Unusual Payment Card Activity at Wendy’s, WENDYS.COM (last visited Jan. 21, 2018), https://www.wendys.com/en-us/about-wendys/the-wendys-company-updates.
[299] Verified Shareholder Derivative Complaint at 71-74, Graham v. Peltz et al, No. 1:16-cv-01153-TSB (S.D. Ohio Dec. 16, 2016), ECF No. 1.
[300] Id. at 4.
[301] Memorandum in Support of Defendants’ Motion to Dismiss Verified Shareholder Derivative Complaint, Graham v. Peltz et al, No. 1:16-cv-01153-TSB (S.D. Ohio Mar. 10, 2017), ECF No. 9-1.
[302] Id. at 15.
[303] Complaint, In re: Yahoo! Inc. Shareholder Derivative Litigation, No. 5:17-cv-00787-LHK (N.D. Cal. Feb. 16, 2017), ECF No. 1.
[304] Complaint, Okla. Firefighters Pension And Ret. Sys. v. Brandt, et al., No. 2017-0133-SG, 2017 WL 771182 (Del. Ch. Feb. 23, 2017).
[305] Order Staying Case Pending Entry of Final Judgments in Securities and Customer Class Actions, In re: Yahoo! Inc. Shareholder Derivative Litigation, No. 5:17-cv-00787-LHK (N.D. Cal. Sep. 25, 2017), ECF No. 40.
[306] Order Denying Motion to Dismiss, Matera v. Google, Inc., No. 5:15-cv-04062-LHK (N.D. Cal. Aug. 12, 2016), ECF No. 49.
[307] Matera v. Google Inc., No. 15-CV-04062, 2016 WL 5339806, at *14 (N.D. Cal. Sept. 23, 2016).
[308] Id.
[309] Id. at *16 (“[I]t appears that there is no ‘real and immediate threat of repeated injury in the future.’”).
[310] Stipulation Staying Proceedings, Matera v. Google, Inc., No. 5:15-cv-04062-LHK (N.D. Cal. Nov. 28, 2016), ECF No. 60.
[311] Matera v. Google Inc., 2017 WL 1365021, at *2 (N.D. Cal. 2017).
[312] Id.
[313] Motion for Preliminary Approval of Class Action Settlement, Matera v. Google, Inc., No. 5:15-cv-04062-LHK (N.D. Cal. Dec. 13, 2016), ECF No. 62.
[314] Id.
[315] Id.
[316] Id.
[317] Motion for Preliminary Approval of Class Action Settlement, Matera v. Google, Inc., 5:15-cv-04062-LHK (N.D. Cal. July 21, 2017), ECF No. 79.
[318] Id.
[319] Order Granting Preliminary Approval of Class Action Settlement, Matera v. Google, Inc., 5:15-cv-04062-LHK (N.D. Cal. Aug. 31, 2017), ECF No. 89.
[320] Amended Complaint, Cooper & Parikh v. Slice Technologies, Inc., & UnrollMe Inc., No. 1:17-cv-07102-JPO (N.D. Cal. July 10, 2017), ECF No. 29.
[321] Id.
[322] Id.
[323] Motion to Dismiss, Cooper & Parikh v. Slice Technologies, Inc., & UnrollMe Inc., No. 1:17-cv-07102-JPO (N.D. Cal. Oct. 12, 2017), ECF No. 54.
[324] 18 U.S.C. § 2511(2)(d).
[325] See Ala. Code §§ 13A-11-30(1), 31; Alaska Stat. Ann. §§ 42.20.300(a), 310(a)(1); Ariz. Rev. Stat. Ann. §§ 13-3012(5(c)), (9); Ark. Code Ann. § 5-60-120; Colo. Rev. Stat. Ann. § 18-9-303(1); Conn. Gen. Stat. Ann. §§ 53a-187, -189 but see § 52-570d; D.C. Code Ann. § 23-542(b)(3); Ga. Code Ann. §§ 16-11-62, 66(a); Haw. Rev. Stat. Ann. § 803-42(3)(A); Idaho Code Ann. § 18-6702(2)(d); Ind. Code Ann. § 35-31.5-2-176; Iowa Code Ann. §§ 727.8, 808B.2 (2)(c); Kan. Stat. Ann. § 21-6101; Ky. Rev. Stat. Ann. §§ 526.010, 526.020; La. Stat. Ann. § 15:1303(c)(4); Me. Stat. tit. 15, § 710; Mich. Comp. Laws § 750.539(c) but see Sullivan v. Gray, 324 N.W.2d 58 (Mich. Ct. App. 1982); Minn. Stat. Ann. § 626A.02(d); Miss. Code. Ann. § 41-29-531(e); Mo. Ann. Stat. § 542.402(2)(3); Neb. Rev. Stat. Ann. §§ 86-276, -290(2)(c); N.J. Stat. Ann. §§ 2A:156A-2, -4(d); N.M. Stat. Ann. § 30-12-1(C); N.Y. Penal Law §§ 250.00(1), 250.05; N.C. Gen. Stat. Ann. § 15A-287(a); N.D. Cent. Code Ann. § 12.1-15-02; Ohio Rev. Code Ann. §§ 2933.51, 2933.52(B)(4); Okla. Stat. tit. 13, §§ 176.2, 176.4; Or. Rev. Stat. Ann. §§ 165.535, 165.540; R.I. Gen. Laws Ann. §§ 11-35-21, 12-5.1-1; S.C. Code Ann. §§ 17-30-15, -30; S.D. Codified Laws §§ 23A-35A-1, -20; Tenn. Code Ann. §§ 39-13-601, -604, 40-6-303; Tex. Penal Code Ann. § 16.02; Tex. Code Crim. Proc. Ann. art. 18.20; Utah Code Ann. § 77-23a-3, -4; Va. Code Ann. § 19.2-62; W. Va. Code Ann. § 62-1D-3; Wis. Stat. Ann. §§ 968.27, 968.31 but see Wis. Stat. Ann. § 885.365(1) (rendering inadmissible as evidence in civil cases recordings obtained without the consent of all parties); Wyo. Stat. Ann. § 7-3-702. Vermont has no applicable statute or definitive cases on consent to record a phone conversation.
[326] Cal. Penal Code § 632; Del. Code Ann. tit. 11, § 1335(a)(4) but see § 2402(c)(4); Fla. Stat. § 934.03(3)(d); 720 Ill. Comp. Stat. 5/14-2(a); Md. Code Ann., Cts. & Jud. Proc. § 10-402(c)(3); Mass. Gen. Laws Ann. ch. 272, § 99; Mont. Code Ann. § 45-8-213; Nev. Rev. Stat. Ann. §§ 200.620, 200.650 but see Lane v. Allstate Ins. Co., 969 P.2d 938 (Nev. 1998); N.H. Rev. Stat. Ann. § 570-A:2(I-a); 18 Pa. Stat. and Cons. Stat. Ann. §§ 5702, 5704; Wash. Rev. Code Ann. § 9.73.030.
[327] Cal. Penal Code § 630, et seq.
[328] See Bona Fide Conglomerate, Inc. v. SourceAmerica, No. 3:14-CV-00751-GPC, 2016 WL 3543699, at *6 (S.D. Cal. June 29, 2016) (citing Valentine v. NebuAd, Inc., 804 F. Supp. 2d 1022, 1028 (N.D. Cal. 2011)); see also Carrese v. Yes Online Inc., No. 16-CV-05301-SJO, 2016 WL 6069198, at *4 (C.D. Cal. Oct. 13, 2016).
[329] Complaint, Wang, et al. v. Wells Fargo Bank, N.A., et al., 1:16-CV-11223 (N.D. Ill. Dec. 9, 2017), ECF No. 1.
[330] Brinkley v. Monterey Fin. Servs., Inc., 873 F.3d 1118, 1122-23 (9th Cir. 2017).
[331] 28 U.S.C. § 1332(d)(4)(B).
[332] Brinkley, 873 F.3d at 1121-23.
[333] Id.
[334] Raffin v. Medicredit, Inc., No. 15-CV-4912, 2017 WL 131745 (C.D. Cal. Jan. 3, 2017).
[335] Id. at *1. § 632 prohibits recordings over landlines.
[336] Id. at *3.
[337] Id. at *8.
[338] See, e.g., Zaklit v. Nationstar Mortg. LLC, 5:15-CV-2190-CAs, 2017 WL 3174901 (C.D. Cal. July 24, 2017); Ronquillo-Griffin v. Telus Commc’ns, Inc., No. 17-CV-129-JM, 2017 WL 2779329 (S.D. Cal. June 27, 2017).
[339] Compare Raffin, 2017 WL 131745, at *3 with Saulsberry v. Meridian Fin. Servs., Inc., No. 14-CV-6256, 2016 WL 3456939, at *15-16 (C.D. Cal. Apr. 14, 2016).
[340] See Raffin, 2017 WL 131745; Zaklit, 2017 WL 3174901; Reyes v. Educational Credit Mgmt. Corp., No. 15-CV-00628, 2017 WL 4169720 (S.D. Cal. Sept. 20, 2017).
[341] See Ronquillo-Griffin, 2017 WL 2779329, at *3-4; Carrese, 2016 WL 6069198, at *8 n.8 (collecting cases); but see Granina v. Eddie Bauer LLC, No. BC569111, 2015 WL 9855304 (L.A. Cty. Super. Ct. Dec. 2, 2015).
[342] People v. Guzman, 217 Cal. Rptr. 3d 509 (Cal. Ct. App. 2017).
[343] Cal. Const., art. I, § 28, subd. (f), ¶ (2).
[344] Guzman, 217 Cal. Rptr. 3d at 514-19.
[345] State v. Smith, No. 1 CA-CR 16-0259 PRPC, 2017 WL 3481244 (Ariz. Ct. App. Aug. 15, 2017).
[346] Id. at *4.
[347] State v. Smith, 405 P.3d 997 (Wash. 2017).
[348] Id. at 1001.
[349] Class Action Settlement Agreement, Opperman et al v. Kong Technologies, Inc. et al., No. 3:13-cv-00453-JST (N.D. Cal. April 3, 2017), ECF No. 884.
[350] Complaint, Opperman et al v. Kong Technologies, Inc. et al., No. 3:13-cv-00453-JST (W.D. Texas Mar. 12, 2012), ECF No. 1.
[351] Class Action Settlement Agreement, supra note 246.
[352] Complaint, In re Vizio, Inc., Consumer Privacy Litig., No. 8:16-ml-02693-JLS-KES (C.D. Cal. Mar. 23, 2017), ECF No. 1.
[353] In re Vizio, Inc., Consumer Privacy Litigation, 238 F. Supp. 3d 1204, 1228 (C.D. Cal. 2017).
[354] Second Consolidated Complaint, In re Vizio, Inc., Consumer Privacy Litigation, 8:16-ml-02693-JLS-KES (C.D. Cal. March 23, 2017), ECF No. 136.
[355] Id.
[356] Motion to Dismiss Second Consolidated Complaint and Motion to Strike Class Allegations, In re Vizio, Inc., Consumer Privacy Litigation, 8:16-ml-02693-JLS-KES (C.D. Cal. April 13, 2017), ECF No. 145.
[357] Order Denying Defendants’ Motion to Dismiss and Strike, In re Vizio, Inc., Consumer Privacy Litigation, 8:16-ml-02693-JLS-KES (C.D. Cal. July 25, 2017), ECF No. 199.
[358] Id.
[359] Id.
[360] Id.
[361] Complaint, Satchell v. Signal360, Inc. et al, No. 4:16-cv-04961-JSW (N.D. Cal. Aug. 29, 2017), ECF No. 1.
[362] Satchell v. Sonic Notify, Inc., 234 F. Supp. 3d 996 (N.D. Cal. 2017).
[363] Id. at 1005-1009.
[364] Amended Complaint, Satchell v. Signal360, Inc. et al, No. 4:16-cv-04961-JSW (N.D. Cal. Mar. 13, 2017), ECF No. 58.
[365] Order Granting In Part and Denying In Part Motions to Dismiss, Satchell v. Sonic Notify, Inc., et al., No. 4:16-cv-04961-JSW (N.D. Cal. Nov. 20, 2017), ECF No. 89.
[366] Id. at 10.
[367] Id. at 10-12.
[368] Complaint, Rackemann v. Lisnr, Inc. et al., No. 2:16-cv-01573-AJS (W.D. Penn. Oct. 16, 2016), ECF No. 1.
[369] Rackemann v. LISNR, Inc., 2017 WL 4340349, at *5 (S.D. Ind. 2017).
[370] Id. at *5-8.
[371] Id. at *8.
[372] Id. at *8 (citing Luis v. Zang, 833 F.3d 619, 633 (6th Cir. 2016)).
[373] Id. at *9.
[374] Amended Complaint, Zak v. Bose Corp., No. 1:17-cv-02928 (N.D. Ill. July 10, 2017), ECF No. 24.
[375] Id.
[376] Id.
[377] Id.
[378] Motion to Dismiss Plaintiffs’ Second Amended Complaint, Zak v. Bose Corp., No. 1:17-cv-02928 (N.D. Ill. Aug. 3, 2017), ECF No. 28.
[379] Id.
[380] Complaint, Allen v. Quicken Loans Inc. & Navistone, Inc., No. 2:17-cv-12352-ES-MAH (D.N.J. Dec. 1, 2017), ECF No. 1.
[381] Complaint, Cohen v. Casper Sleep Inc. & Navistone, No. 1:17-cv-09325 (S.D.N.Y. Nov. 28, 2017), ECF No. 1; Complaint, Cohen v. New Moosejaw, LLC & Navistone, No. 1:17-cv-09391 (S.D.N.Y. Nov. 30, 2017), ECF No. 1.
[382] 47 U.S.C. §§ 227 et seq.
[383] ACA International v. FCC, et al, No. 15-1211 (D.C. Cir. filed July 10, 2015).
[384] Rules & Regs. Implementing the Tel. Consumer Prot. Act of 1991, 30 FCC Rcd. 7961, 7975–76 ¶ 19 (2015).
[385] Id. at 7989–90 ¶ 47.
[386] Modernizing the Telephone Consumer Protection Act: Hearing Before the Subcomm. on Communications and Technology of the H. Comm. on Energy and Commerce, 114th Cong. 8-9 (2016) (statement of Representative Anna Eshoo).
[387] Id. at 3-41 (statement of Subcommittee Chairman Greg Walden).
[388] 12 C.F.R. § 1002.16(b).
[389] Pet. for Declaratory Ruling of All About The Message, LLC, In re Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991, CG Docket No. 20-278 (FCC Mar. 31, 2017).
[390] Eric Zorn, Hang Up Now On The Idea Of ‘Ringless Voicemail’, Chi. Trib., June 2, 2017, http://www.chicagotribune.com/news/opinion/zorn/ct-ringless-voicemail-20170602-column.html; Letter from Edward J. Markey et al., U.S. Senate, to Ajit Pai, Chairman of the FCC (June 14, 2017), https://apps.fcc.gov/edocs_public/attachmatch/DOC-345975A4.pdf.
[391] What We Do, About the FCC, https://www.fcc.gov/about-fcc/what-we-do (last visited Jan. 22, 2018).
[392] Organizational Charts of the Federal Communications Commission, Federal Communications Commission, https://www.fcc.gov/sites/default/files/fccorg-08112017.pdf; Jim Puzzanghera, Here Are The Five Officials Who Will Decide The Controversial Changes to Net Neutrality Rules, L.A. Times (Nov. 22, 2017), http://www.latimes.com/business/la-fi-net-neutrality-fcc-20171122-htmlstory.html.
[393] See, e.g., Ajit Pai, The FCC Shouldn’t Enable More TCPA Lawsuits, The Daily Caller (June 16, 2015), http://dailycaller.com/2015/06/16/the-fcc-shouldnt-enable-more-tcpa-lawsuits/2/.
[394] Yaakov v. FCC, No. 14-1234 (D.C. Cir. Mar. 31, 2017); Statement of FCC Chairman Ajit Pai, FCC News (Mar. 31, 2017), https://apps.fcc.gov/edocs_public/attachmatch/DOC-344186A1.pdf.
[395] Dissenting Statement of Commissioner Pai, Re: In the Matter of Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991, CG Docket No. 02-278, WC Docket No. 07-135 (FCC July 10, 2015).
[396] Krakauer v. Dish Network LLC, No. 1:14-333, 2017 WL 2242952 (M.D.N.C. Oct. 3, 2017).
[397] Id. at *12.
[398] United States v. Dish Network LLC, 256 F. Supp. 3d 810 (C.D. Ill. June 5, 2017).
[399] Id. at 991.
[400] United States v. Dish Network LLC, No. 09-3073-SEM-RSH (C.D. Ill. notice of appeal filed June 16, 2017).
[401] Birchmeier v. Caribbean Cruise Line, Inc., No. 1:12-cv-04069 (N.D. Ill. Mar. 2, 2017).
[402] Id.
[403] See Andrea Peterson, How a Failed Supreme Court Bid Is Still Causing Headaches For Hulu and Netflix, Washington Post (Dec. 27, 2013), available at https://www.washingtonpost.com/news/the-switch/wp/2013/12/27/how-a-failed-supreme-court-bid-is-still-causing-headaches-for-hulu-and-netflix/.
[404] 18 U.S.C. § 2710(b)(1).
[405] Eichenberger v. ESPN, Inc., 876 F.3d 979, 982 (9th Cir. 2017).
[406] In re Nickelodeon Consumer Privacy Litig., 827 F.3d 262, 272–75 (3d Cir. 2016); Sterk v. Redbox Automated Retail, LLC, 770 F.3d 618, 623 (7th Cir. 2014).
[407] See, e.g., Yershov v. Gannett Satellite Info. Network, Inc., 204 F. Supp. 3d 353, 358-61 (D. Mass. 2016); Boelter v. Advance Magazine Publishers Inc., 210 F. Supp. 3d 579, 590 (S.D.N.Y. 2016); Austin-Spearman v. AMC Network Entm’t LLC, 98 F. Supp. 3d 662, 666 (S.D.N.Y. 2015); In re Hulu Privacy Litig., No. C 11-03764 LB, 2013 WL 6773794, at *5 (N.D. Cal. Dec. 20, 2013); Ellis v. Cartoon Network, Inc., No. 1:14-CV-484-TWT, 2014 WL 5023535, at *2 (N.D. Ga. Oct. 8, 2014), aff’d on other grounds, 803 F.3d 1251 (11th Cir. 2015).
[408] Eichenberger, 876 F.3d at 984.
[409] Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016).
[410] Eichenberger, 876 F.3d at 983.
[411] Perry v. Cable News, 854 F.3d 1336, 1340-41 (11th Cir. 2017).
[412] 18 U.S.C. § 2710(a)(3).
[413] Yershov v. Gannett Satellite Information Network Inc., 820 F.3d 482, 486 (1st Cir. 2016) (emphasis added).
[414] Id.
[415] In re Nickelodeon Consumer Privacy Litig., 827 F.3d 262, 290 (3d Cir. 2016) (emphasis added).
[416] Id. at 284.
[417] C.A.F. v. Viacom, Inc., 137 S. Ct. 624 (2017).
[418] Eichenberger, 876 F.3d at 985.
[419] Id.
[420] Id. at 986 (quoting Yershov, 820 F.3d at 486); Nickelodeon Consumer Privacy Litig., 827 F.3d at 290.
[421] In re Vizio, Inc. Consumer Privacy Litig., 238 F. Supp. 3d 1204, 1225 (C.D. Cal. 2017).
[422] Id. at 1224-25.
[423] In re Vizio, Inc. Consumer Privacy Litig., Case No. 8:16-ml-02693-JLS-KES (C.D. Cal. October 13, 2017), Dkt no. 224.
[424] Perry, 854 F.3d at 1342.
[425] Id.
[426] Vizio, 238 F. Supp. 3d at 1223.
[427] Id. at 1221-22.
[428] Cal. Civ. Code § 1747.08.
[429] Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016).
[430] Medellin v. IKEA U.S.A. W., Inc., 672 F. App’x 782, 783 (9th Cir. 2017), cert. denied, 138 S. Ct. 220 (2017).
[431] Id. (citing Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1549 (2016)).
[432] IKEA U.S.A. W., Inc. v. Medellin, 138 S. Ct. 220 (2017).
[433] Rosenbach v. Six Flags Entertainment Corp., 2017 IL App (2d) 170317 (Ill. Ct. App. Dec. 21, 2017).
[434] H.R. 3388, 115th Cong. (2017), available at https://www.congress.gov/bill/115th-congress/house-bill/3388/text.
[435] Id., at § 30130(a)(1)(A).
[436] Press Release, U.S. Senate Committee on Commerce, Science and Transportation (Oct. 24, 2017), available at https://www.commerce.senate.gov/public/index.cfm/pressreleases?ID=BA5E2D29-2BF3-4FC7-A79D-58B9E186412C.
[437] U.S. Senate Committee on Commerce, Science and Transportation, Notice of Hearing “Driving Automotive Innovation and Federal Policies” on Jan. 24, 2018, available at https://www.commerce.senate.gov/public/index.cfm/hearings?ID=68CDF867-FFB6-425B-BD24-9542E35AC767.
[438] Press Release, Federal Trade Commission (Jun. 28, 2017), available at https://www.ftc.gov/news-events/events-calendar/2017/06/connected-cars-privacy-security-issues-related-connected.
[439] Federal Trade Commission, Acting Chairman’s Opening Remarks, Connected Car Workshop, Jun. 28, 2017, at 5, available at https://www.ftc.gov/system/files/documents/public_statements/1227733/ohlhausen_-_connected_cars_workshop_opening_remarks_6-28-17.pdf.
[440] Jimmy H. Koo, Regulators, Carmakers Plot Road to Connected Car Privacy, Security, Bloomberg News, Jun. 29, 2017, available at https://www.bna.com/regulators-carmakers-plot-n73014460960/.
[441] Flynn v. FCA US LLC, No. 15-cv-00855-MJR-DGW, 2016 WL 5341749, at *1 (S.D. Ill. Sept. 23, 2016).
[442] Id. at *2–4.
[443] Flynn v. FCA US LLC, No. 15-cv-00855-MJR-DGW, 2017 WL 3592040, at *5 (S.D. Ill. Aug. 21, 2017).
[444] Plaintiffs’ Motion for Class Certification at 1, Flynn v. FCA US LLC, No. 15-cv-00855-MJR-DGW (S.D. Ill. Oct. 13, 2017), ECF No. 266.
[445] See FCA US LLC’s Motion for Summary Judgment and Brief in Support at 1, Flynn v. FCA US LLC, No. 15-cv-00855-MJR-DGW (S.D. Ill. Oct. 5, 2017), ECF No. 256.
[446] See Plaintiffs’ Memorandum in Opposition to FCA US LLC’s Motion for Summary Judgment (Filed Under Seal and Redacted in Its Entirety), Flynn v. FCA US LLC, No. 15-cv-008855-MJR-DGW (S.D. Ill. Nov. 6, 2017), ECF No. 278.
[447] Cahen v. Toyota Motor Corp., 147 F. Supp. 3d 955, 974 (N.D. Cal. 2015).
[448] See Cahen v. Toyota Motor Corp., No. 16-15496, 2017 WL 6525501, at *1 (9th Cir. Dec. 21, 2017).
[449] Id.
[450] Complaint, Fed. Trade Comm’n v. D-Link Sys., Inc., No. 17-CV-00039-JD (N.D. Cal. Jan. 5, 2017), ECF No. 1.
[451] Id. at 5–6, 8, 11–13.
[452] Id. at 10–13.
[453] See Fed. Trade Comm’n v. D-Link Sys., Inc., No. 3:17-cv-00039-JD, 2017 WL 4150873, at *1–2 (N.D. Cal. Sept. 19, 2017).
[454] See id. at 6.
[455] In re Vizio, Inc., Consumer Privacy Litig., No. 8:16-ml-02693 (C.D. Cal. Apr. 11, 2016).
[456] Order Denying Defendants’ Motion to Dismiss and Strike, In re: Vizio, Inc., Consumer Privacy Litigation, 8:16-ml-02693-JLS-KES (C.D. Cal. July 25, 2017), ECF No. 199; see supra pp. 2, 35-36, 41 and infra p. 46.
[457] Siegel v. Samsung Electronics America, Inc. et al., No. 2:17-cv-01687 (D.N.J. Mar. 10, 2017), ECF No. 1.
[458] Id., ECF No. 18.
[459] In re Sling Media Slingbox, No. 17-1094 (2d Cir. Apr. 18, 2017).
[460] Id.
[461] Rushing v. Viacom Inc., No. 3:17-CV-4492 (N.D. Cal. Aug. 7, 2017).
[462] Id., at 20-21.
[463] Id., at 22.
[464] Press Release, Federal Trade Commission (June 21, 2017), available at https://www.ftc.gov/news-events/blogs/business-blog/2017/06/ftc-updates-coppa-compliance-plan-business.
[465] Press Release, Federal Trade Commission (Oct. 23, 2017), available at https://www.ftc.gov/system/files/documents/public_statements/1266473/coppa_policy_statement_audiorecordings.pdf.
[466] Federal Bureau of Investigation, Consumer Notice: Internet-Connected Toys Could Present Privacy and Contact Concerns for Children (July 17, 2017), available at https://www.ic3.gov/media/2017/170717.aspx.
[467] Internet of Things: Privacy & Security in a Connected World, FTC Staff Report (January 2015), available at https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf.
[468] Federal Trade Commission, Attorney General of the State of New Jersey v. Vizio Inc. et al, 2:17-cv-00758 (Feb. 6, 2017).
[469] The FTC asserted that Vizio violated the unfairness and deception prongs of Section 5 of the FTC Act and that Vizio’s actions caused or were likely to cause “substantial injury” to consumers—a conclusion about which Acting Chair Maureen Ohlhausen expressed skepticism in a concurring statement. Concurring Statement of Acting Chairman Maureen K. Ohlhausen, In the Matter of Vizio, Inc., Matter No. 1623024 (Feb. 6, 2017).
[470] Federal Trade Commission, Attorney General of the State of New Jersey v. Vizio Inc. et al, 2:17-cv-00758, at 3 (Feb. 6, 2017).
[471] Press Release: ENISA works together with European semiconductor industry on key cybersecurity areas, European Union Agency for Network and Information Security (May 22, 2017), available at https://www.enisa.europa.eu/news/enisa-news/enisa-works-together-with-european-semiconductor-industry-on-key-cybersecurity-areas.
[472] Id.
[473] California Legislative Information, SB-327 Information Privacy: connected devices, available at https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB327.
[474] Text of proposed bill available at https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180SB327.
[475] Najiyya Budaly, Data Rules to Bring Cyber Insurance Surge, Report Says, Law360 (Dec. 13, 2017), https://www.law360.com/articles/994267/data-rules-to-bring-cyber-insurance-surge-report-says.
[476] Id.; William Shaw, Insurers Urge Leniency On Profiling Under EU Data Laws, Law360 (Dec. 5, 2017), https://www.law360.com/cybersecurity-privacy/articles/991522/insurers-urge-leniency-on-profiling-under-eu-data-laws.
[477] Evan Weinberger, Banks, Insurers Get More Time for NY Cybersecurity Rule, Law360 (Dec. 21, 2016), https://www.law360.com/articles/875764/banks-insurers-get-more-time-for-ny-cybersecurity-rule.
[478] Cybersecurity Legislation 2017, National Conference of State Legislatures (Oct. 30, 2017), http://www.ncsl.org/research/telecommunications-and-information-technology/cybersecurity-legislation-2017.aspx.
[479] Jeff Sistrunk, A Guide to Insurance Coverage for Biometric Privacy Suits, Law360 (Nov. 6, 2017), https://www.law360.com/cybersecurity-privacy/articles/981980/a-guide-to-insurance-coverage-for-biometric-privacy-suits.
[480] See Jeff Sistrunk, Small Cos. Slow To Pick Up Cyberinsurance, Lawmakers Hear, Law360 (July 26, 2017), https://www.law360.com/articles/947964/small-cos-slow-to-pick-up-cyberinsurance-lawmakers-hear.
[481] Budaly, supra note 477.
[482] Taylor & Lieberman v. Fed. Ins. Co., 681 F. App’x 627, 629 (9th Cir. 2017).
[483] Id.
[484] American Tooling Ctr., Inc. v. Travelers Cas. and Sur. Co. of Am., No. 16-12108, 2017 WL 3263356 (E.D. Mich. Aug. 1, 2017); Jeff Sistrunk, Travelers Tells 6th Circ. To Uphold Email Scam Coverage Win, Law360 (Dec. 13, 2017), https://www.law360.com/articles/994258/travelers-tells-6th-circ-to-uphold-email-scam-coverage-win.
[485] American Tooling Ctr., 2017 WL 3263356 at *1.
[486] Sistrunk, supra note 486.
[487] American Tooling Ctr., Inc., 2017 WL 3263356 at *3.
[488] Id.
[489] Id.
[490] Sistrunk, supra note 486.
[491] Medidata Sols., Inc. v. Fed. Ins. Co., No. 15-CV-907 (ALC), 2017 WL 3268529, at *1 (S.D.N.Y. July 21, 2017).
[492] Id. at *1–2.
[493] Id. at *4.
[494] Id. at *4.
[495] Id. at *6.
[496] Id. at *7.
[497] Id. at *6.
[498] Id. at *5; Universal American Corp. v. National Union Fire Insurance Co., 37 N.E.3d 78 (N.Y. 2015).
[499] Jeff Sistrunk, Email Scam Not a Covered Fraud, Insurer Org. Tells 2nd Circ., Law360 (Nov. 29, 2017), https://www.law360.com/articles/989344/email-scam-not-a-covered-fraud-insurer-org-tells-2nd-circ-; see also Posco Daewoo Am. Corp. v. Allinex USA, Inc., No. 17-483, 2017 WL 4922014, at *5–6 (D.N.J. Oct. 31, 2017) (granting defendant’s motion to dismiss on the grounds that an email spoofing scheme and plaintiff’s voluntary wire transfer did not meet the definition of computer fraud).
[500] InComm Holdings, Inc. v. Great Am. Ins. Co., 1:15-cv-2671-WSD, 2017 WL 1021749, at *1–2 (N.D. Ga. Mar. 16, 2017).
[501] Id. at *6–7.
[502] Id. at *8–9.
[503] Id. at *11.
[504] Spec’s Family Partners, Ltd. v. The Hanover Ins. Co., No. H-16-438, 2017 WL 3278060, at *1 (S.D. Tex. Mar. 15, 2017).
[505] Id.
[506] Id.
[507] Id. at *4–9.
[508] Id. at *3.
[509] Id. (internal quotation marks omitted).
[510] Id.
[511] Id.
[512] Id. at *4.
[513] Id. at *5.
[514] Id. at *8.
[515] Dave Simpson, Children’s Hospital Sues Insurer for Data Breach Coverage, Law360 (Nov. 20, 2017), https://www.law360.com/cybersecurity-privacy/articles/987237/children-s-hospital-sues-insurer-for-data-breach-coverage.
[516] Id.
[517] Id.
[518] Innovak Int’l, Inc. v. Hanover Ins. Co., No. 8:16-cv-2453-MSS-JSS, 2017 WL 5632718, at *6–7 (M.D. Fla. Nov. 17, 2017); Jeff Sistrunk, Insurer Doesn’t Owe Defense of Data Breach Suit, Judge Says, Law360 (Nov. 17, 2017), https://www.law360.com/cybersecurity-privacy/articles/986792/insurer-doesn-t-owe-defense-of-data-breach-suit-judge-says.
[519] Report: TCPA Consumer Litigation Filings on Track to End 2017 Under Recent Annual Totals, ACA International (Nov. 28, 2017), https://www.acainternational.org/news/report-tcpa-consumer-litigation-filings-on-track-to-end-2017-under-recent-annual-totals.
[520] Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1545, 1549–50 (2016).
[521] 15 U.S.C. § 1681 et seq.
[522] 15 U.S.C. §§ 1681(n), 1681(o).
[523] Judgment, Sergio L. Ramirez v. Trans Union, LLC, No. 12-cv-00632-JSC (June 21, 2017), ECF No. 309; see also Order Re: Plaintiff Sergio Ramirez’s Motion for a Service Award, Sergio L. Ramirez v. Trans Union, LLC, No. 12-cv-00632-JSC (Nov. 7, 2017), ECF No. 345.
[524] Id.
[525] Sergio Ramirez v. Trans Union LLC, No. 17-17244 (9th Cir. docketed Nov. 02, 2017).
[526] See 15 U.S.C. § 1681e(b).
[527] Pedro v. Equifax, Inc., 868 F.3d 1275, 1281 (11th Cir. 2017) (internal quotation marks omitted) (finding credit reporting agency’s interpretation of the FCRA was not objectively unreasonable given judicial precedent, though expressing preference for a more exacting interpretation).
[528] Id. at 1283 (Rosenbaum, R., concurring) (internal quotation marks omitted) (citing Alexander v. Moore & Assocs., Inc., 553 F. Supp. 948, 952 (D. Haw. 1982)).
[529] See 15 U.S.C. § 1681b(b)(2)(A).
[530] Hargrett v. Amazon.com DEDC LLC, 235 F. Supp. 3d 1320 (M.D. Fla. 2017) (denying defendant’s motion to dismiss for lack of Article III standing for FCRA claims).
[531] Anderson v. Wells Fargo Bank, N.A., 266 F. Supp. 3d 1175 (D.S.D. 2017) (holding plaintiffs’ claims were time-barred though they would have had Article III standing to pursue FCRA claims).
[532] In re Michaels Stores, Inc., Fair Credit Reporting Act (FCRA) Litig., No. 2615, 2017 WL 354023 (D.N.J. Jan. 24, 2017) (dismissed for lack of Article III standing).
[533] Saltzberg v. Home Depot U.S.A., Inc., No. 2:17-CV-05798, 2017 WL 4776969 (C.D. Cal. Oct. 18, 2017) (dismissed for lack of Article III standing).
[534] See Compl., Microsoft Corp. v. U.S. Dep’t of Justice (“Microsoft”), No. 2:16-cv-00538-JLR (W.D. Wash. Apr. 14, 2016), ECF No. 1.
[535] 18 U.S.C. § 2705(b). Specifically, a court must grant a government application for a nondisclosure order if it finds reason to believe that disclosure will result in: (1) endangering the life or physical safety of an individual; (2) flight from prosecution; (3) destruction or tampering with evidence; (4) intimidation of potential witnesses; or (5) otherwise seriously jeopardizing an investigation or unduly delaying a trial. Id.
[536] See First Am. Compl., ¶ 5, Microsoft, No. 2:16-cv-00538-JLR (W.D. Wash. June 17, 2016), ECF No. 28.
[537] Unopposed Motion for Leave to File Brief of Amici Curiae, Microsoft, No. 2:16-cv-00538-JLR (W.D. Wash. June 17, 2016), ECF No. 49.
[538] Motion for Leave to File Brief of Amici Curiae, Microsoft, No. 2:16-cv-00538-JLR (W.D. Wash. June 17, 2016), ECF No. 58.
[539] Stipulated Motion for Leave to File Brief of Amici Curiae, Microsoft, No. 2:16-cv-00538-JLR (W.D. Wash. June 17, 2016), ECF No. 56.
[540] Unopposed Motion for Leave to File Brief as Amici Curiae, Microsoft, No. 2:16-cv-00538-JLR (W.D. Wash. June 17, 2016), ECF No. 66.
[541] See Microsoft Corp. v. U.S. Dep’t of Justice, 233 F. Supp. 3d 887, 889–902 (W.D. Wash. 2017).
[542] Id. at 907–08.
[543] Id. at 915–16.
[544] U.S. Dep’t of Justice, Memorandum re Policy Regarding Applications for Protective Orders Pursuant to 18 U.S.C. § 2705(b) (Oct. 19, 2017), available at https://www.justice.gov/criminal-ccips/page/file/1005791/download.
[545] Id. at 2. The policy memo cites “national security investigations that materially differ from routine criminal investigations” as an example of what might constitute “exceptional circumstances.” Id. at 2 n.3.
[546] See Microsoft Corporation’s Unopposed Motion for Voluntary Dismissal at 2, Microsoft, No. 2:16-cv-00538-JLR (W.D. Wash. Oct. 24, 2017), ECF No. 117; see also Order Granting Microsoft Corporation’s Unopposed Motion for Voluntary Dismissal (W.D. Wash. Oct. 25, 2017), ECF No. 119.
[547] United States v. Carpenter, 819 F.3d 880, 884–85 (6th Cir. 2016).
[548] Id. at 884–86.
[549] Id. at 885.
[550] Id. at 884.
[551] Id. at 887.
[552] Smith v. Maryland, 442 U.S. 735, 740 (1979).
[553] United States v. Miller, 425 U.S. 435, 440 (1976).
[554] Brief for United States at 15–18, Carpenter v. United States, __ U.S. __ (2018) (No. 16-402), 2017 WL 4311113.
[555] Id. at 43–52.
[556] Brief for Petitioner at 15, Carpenter v. United States, __ U.S. __ (2018) (No. 16-402), 2017 WL 3575179; see also United States v. Jones, 565 U.S. 400, 430 (2012) (Alito, J., concurring in the judgment) (“[T]he use of longer term GPS monitoring in investigations of most offenses impinges on expectations of privacy.”).
[557] Id. at 26–29.
[558] Brief of the Center for Democracy and Technology as Amicus Curiae, Carpenter v. United States, __ U.S. __ (2018) (No. 16-402), 2017 WL 3530958.
[559] Brief for the Competitive Enterprise Institute, et al. as Amici Curiae, Carpenter v. United States, __ U.S. __ (2018) (No. 16-402), 2017 WL 3530955.
[560] Brief of Amici Curiae Electronic Privacy Information Center (EPIC) and Thirty-Six Technical Experts, Carpenter v. United States, __ U.S. __ (2018) (No. 16-402), 2017 WL 3530960.
[561] Brief Amici Curiae for The Reporters Committee for Freedom of the Press and 19 Media Organizations, Carpenter v. United States, __ U.S. __ (2018) (No. 16-402), 2017 WL 3530966.
[562] Brief for Scholars of Criminal Procedure and Privacy as Amici Curiae, Carpenter v. United States, __ U.S. __ (2018) (No. 16-402), 2017 WL 3614233.
[563] Brief for Technology Experts as Amici Curiae, Carpenter v. United States, __ U.S. __ (2018) (No. 16-402), 2017 WL 3530967.
[564] Amicus Curiae Brief for National District Attorneys Association, Carpenter v. United States, __ U.S. __ (2018) (No. 16-402), 2017 WL 4417212.
[565] Brief for the States of Alabama, et al. as Amici Curiae, Carpenter v. United States, __ U.S. __ (2018) (No. 16-402), 2017 WL 4417211.
[566] Brief of Professor Orin S. Kerr as Amicus Curiae, Carpenter v. United States, __ U.S. __ (2018) (No. 16-402), 2017 WL 4417210.
[567] Brief for Technology Companies as Amici Curiae, Carpenter v. United States, __ U.S. __ (2018) (No. 16-402), 2017 WL 3601390.
[568] S. 1654, 115th Cong. (2017).
[569] H.R. 387, 115th Cong. (2017).
[570] S. 1654, 115th Cong. § 3 (2017).
[571] S. 1657, 115th Cong. (2017).
[572] S. 1657, 115th Cong. § 2 (2017).
[573] S. 1657, 115th Cong. § 4 (2017).
[574] U.S. Dep’t of Justice, Memorandum re Policy Regarding Applications for Protective Orders Pursuant to 18 U.S.C. § 2705(b) (Oct. 19, 2017), available at https://www.justice.gov/criminal-ccips/page/file/1005791/download.
[575] The ECPA Modernization Act of 2017 defines “geolocation information” to mean “any information concerning the past or current location of an electronic communications device that is in whole or in part generated by or derived from the operation or use of the electronic communications device,” and defines “geolocation service” to mean “the provision of a service or functionality that uses or collects geolocation information.” S. 1657, 115th Cong. § 5 (2017).
[576] S. 1657, 115th Cong. § 2 (2017).
[577] 18 U.S.C. § 2703(d).
[578] Id.
[579] S. 1657, 115th Cong. § 5 (2017).
[580] Sophia Cope, EFF Supports Senate Email and Location Privacy Bill, Eff.org (Jul. 27, 2017), https://www.eff.org/deeplinks/2017/07/eff-applauds-senate-email-and-location-privacy-bill (last visited Dec. 20, 2017).
[581] American Civil Liberties Union, ACLU Statement On Introduction Of Electronic Communications Privacy Modernization Act , aclu.org (Jul. 27, 2017), https://www.aclu.org/news/aclu-statement-introduction-electronic-communications-privacy-modernization-act (last visited Dec. 20, 2017). [582] Adam Brandon, Support the ECPA Modernization Act, S. 1657, Freedomworks.org (Jul. 31, 2017), http://www.freedomworks.org/content/support-ecpa-modernization-act-s-1657 (last visited Dec. 20, 2017). [583] Deborah Collier, ECPA Modernization Act of 2017 Introduced , cagw.org (Jul. 27, 2017), https://www.cagw.org/thewastewatcher/ecpa-modernization-act-2017-introduced (last visited Dec. 20, 2017). [584] Consumer Technology Association, CTA Applauds Senate for Bipartisan ECPA Reform Bill, cta.tech (Jul. 27, 2017), https://www.cta.tech/News/Press-Releases/2017/July/CTA-Applauds-Senate-for-Bipartisan-ECPA-Reform-Bil.aspx (last visited Dec. 20, 2017). [585] Chris Calabrese, The Bill Our Privacy Desperately Needs in the Digital Age, Cdt.org (Jul. 27, 2017), https://cdt.org/blog/the-bill-our-privacy-desperately-needs-in-the-digital-age/ (last visited Dec. 20, 2017). [586] Ivan Dominguez, Ezra Dunkle-Polier, Alexandra Funk, NACDL News: NACDL Welcomes Introduction of Bipartisan ECPA Modernization Act of 2017 (Aug. 2017), nacdl.org, https://www.nacdl.org/Champion.aspx?id=48305 (last visited Dec. 20, 2017). [587] Brad Smith, DOJ acts to curb the overuse of secrecy orders. Now it’s Congress’ turn , Microsoft.com (Oct. 23, 2017), https://blogs.microsoft.com/on-the-issues/2017/10/23/doj-acts-curb-overuse-secrecy-orders-now-congress-turn/ (last visited Dec. 20, 2017). [588] Compare In re Grand Jury Subpoena Duces Tecum Dated Mar. 25 , 2011, 670 F.3d 1335, 1346 (11th Cir. 2012) (holding that providing a password is a testimonial act), and Order Denying Application to Compel Decryption, In re The Decryption of a Seized Data Storage System, Case No. 13-M-449 (E.D. Wisc. Apr. 
19, 2013) (same), with United States v. Fricosu, 841 F. Supp. 2d 1232, 1237 (D. Colo. 2012) (holding production of unencrypted drive by defendant did not implicate Fifth Amendment right against self-incrimination), and Commonwealth v. Gelfgatt, SUCR2010-10491 (Sup. Ct. Mass. Nov. 6, 2014) (holding defendant in contempt for failure to unlock password protected drives), and State v. Stahl, 206 So. 3d 124, 135 (Fla. Dist. Ct. App. 2016) (quashing order denying motion to compel production of cell phone passcode and noting that “we are not inclined to believe that the Fifth Amendment should provide greater protection to individuals who passcode protect their iPhones with letter and number combinations than to individuals who use their fingerprint as the passcode”). [589] See, e.g. , Com. v. Baust, 89 Va. Cir. 267 (Va. Cir. Ct. 2014) (granting motion to compel defendant to unlock phone with fingerprint and noting that “like physical characteristics that are non-testimonial, the fingerprint of Defendant if used to access his phone is likewise non-testimonial and does not require Defendant to ‘communicate any knowledge’ at all.”); State v. Diamond, 890 N.W.2d 143, 150 (Minn. Ct. App. 2017), review granted (Mar. 28, 2017) (“By being ordered to produce his fingerprint, [defendant] was not required to disclose any knowledge he might have or to speak his guilt.”); but see Opinion and Order at 11-14, In re Application for a Search Warrant, No. 1:17-mc-00081 (N. D. Il. Feb. 16, 2017), ECF No. 1 (denying application for warrant to compel all individuals present during execution to use fingerprints to unlock “any Apple iPhone, iPad, or other Apple brand device” and noting that “[t]he connection between the fingerprint and Apple’s biometric security system, shows a connection with the suspected contraband.”) [590] See Oleg Afornin, New Security Measures in iOS 11 and Their Forensic Implications , Elcomsoft.com (Sep. 
7, 2017), https://blog.elcomsoft.com/2017/09/new-security-measures-in-ios-11-and-their-forensic-implications/ (last visited Dec. 20, 2017). [591] In re Warrant to Search a Certain E-Mail Account Controlled & Maintained by Microsoft Corp. , 15 F. Supp. 3d 466, 467 (S.D.N.Y. 2014), rev’d, 829 F.3d 197 (2d Cir. 2016). [592] Brief for Microsoft at 17-18, In re Warrant to Search a Certain E-Mail Account Controlled & Maintained by Microsoft Corp. , 15 F. Supp. 3d 466, 467 (S.D.N.Y. 2014), rev’d, 829 F.3d 197 (2d Cir. 2016). [593] In re Warrant to Search a Certain E-Mail Account Controlled & Maintained by Microsoft Corp. , 15 F. Supp. 3d at 467, rev’d, 829 F.3d 197 (2d Cir. 2016). [594] Matter of Warrant to Search a Certain E-Mail Account Controlled & Maintained by Microsoft Corp. , 829 F.3d 197, 201 (2d Cir. 2016), cert. granted, United States v. Microsoft Corp., No. 17-2, 2017 WL 2869958 (U.S. Oct. 16, 2017). [595] Id. at 214-20. [596] Matter of Warrant to Search a Certain E-Mail Account Controlled & Maintained by Microsoft Corp. , 855 F.3d 53, 76 (2d Cir. 2017) (Carney, J., concurring) (denying rehearing en banc). [597] Id. at 55-56 (Carney, J., concurring). [598]   Id. at 61 (Jacobs, J., dissenting); Id. at 63, 66 (Cabranes, J., dissenting); Id. at 70 (Raggi, J., dissenting); Id. at 75 (Droney, J., dissenting). [599]   Id. at 61 (Jacobs, J., dissenting). [600]   Id. at 63, 66 (Cabranes, J., dissenting). [601]   Id. at 75 (Droney, J., dissenting). [602] In re Search of Info. Associated with [redacted]@gmail.com that Is Stored at Premises Controlled by Google, Inc. , No. 16-MJ-00757 (BAH), 2017 WL 3445634 (D.D.C. July 31, 2017); Matter of Search of Content Stored at Premises Controlled by Google Inc. , No. 16-MC-80263-RS, 2017 WL 3478809 (N.D. Cal. Aug. 14, 2017); In re Search Warrant No. 16-960-M-1 to Google, No. 16-1061, 2017 WL 3535037 (E.D. Pa. Aug. 17, 2017). [603] In re Search of Info. 
Associated with [redacted]@gmail.com that Is Stored at Premises Controlled by Google, Inc. , 2017 WL 3445634, at *16, *23-24; Matter of Search of Content Stored at Premises Controlled by Google Inc. , 2017 WL 3478809, at *3; In re Search Warrant No. 16-960-M-1 to Google, 2017 WL 3535037, at *7-9. [604] United States v. Microsoft Corp. , No. 17-2, 2017 WL 2869958, at *1 (U.S. Oct. 16, 2017). [605] Brief for Petitioner at 21-25, United States v. Microsoft Corp., No. 17-2, 2017 WL 2869958 (U.S. Dec. 6, 2017). [606] Id. at 29-31. [607] Id. at 26-28. [608] Id. at 32-37. [609] Id. at 42-43. [610]   Brief for Respondent at 20-37, United States v. Microsoft Corp., No. 17-2, 2017 WL 2869958 (U.S. Jan. 11, 2018). [611]   Id. at 19. [612] Comput. Crime & Intellectual Prop. Section, Criminal Div., U.S. Dep’t of Justice, Seeking Enterprise Customer Data Held by Cloud Service Providers, at 1 (Dec. 2017), https://www.justice.gov/criminal-ccips/file/1017511/download. [613] Id. at 2. [614] Id. at 2-3. [615] Neal Suggs, DOJ’s Newly Released Recommended Practices Are a Win for Cloud and Enterprise Customers , Microsoft (Dec. 14, 2017), https://blogs.microsoft.com/on-the-issues/2017/12/14/new-doj-guidelines-win-cloud-enterprise-customers. [616] 50 U.S.C. §§ 1801-1885. [617] 50 U.S.C. § 1802(a)(1). [618] 50 U.S.C. § 1801(e). [619] See http://www.fisc.uscourts.gov/ (last visited Dec. 20, 2017). [620] Barton Gellman and Laura Poitras, U.S., British intelligence mining data from nine U.S. Internet companies in broad secret program , The Washington Post, available at https://www.washingtonpost.com/investigations/us-intelligence-mining-data-from-nine-us-internet-companies-in-broad-secret-program/2013/06/06/3a0c0da8-cebf-11e2-8845-d970ccb04497_story.html [621] See Decoding 702: What is Section 702 , Elec. Frontier Found., https://www.eff.org/702-spying . [622] See Reauthorizing FISA Section 702 , The Heritage Found., http://www.heritage.org/reauthorizing-fisa-section-702 . 
[623] See Decoding 702: What is Section 702 , Elec. Frontier Found., https://www.eff.org/702-spying . [624]   Dustin Volz, Trump signs bill renewing NSA’s internet surveillance program , Reuters (Jan. 19, 2018), https://www.reuters.com/article/us-usa-trump-cyber-surveillance/trump-signs-bill-renewing-nsas-internet-surveillance-program-idUSKBN1F82MK. [625] FISA Amendments Reauthorization Act of 2017, S. 2010, 115th Congr., available at https://www.congress.gov/bill/115th-congress/senate-bill/2010 ; see also Daniel Wilson, Senate Intel Panel Approves Renewal of Surveillance Powers , Law 360, https://www.law360.com/articles/978227/senate-intel-panel-approves-renewal-of-surveillance-powers . [626] See id. [627] Daniel Wilson, House Panel Approves Surveillance Renewal Bill, Law 360, https://www.law360.com/articles/989972/house-panel-approves-surveillance-renewal-bill . [628]   Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, available at http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf. [629] Art. 3, ¶ 2, GDPR. [630] Art. 3, ¶ 2(b), GDPR. [631] Art. 7, GDPR. [632] Id. [633] Art. 35, GDPR. [634] Id. [635] Id . [636] Art. 44–48, GDPR. [637]   Art. 83, ¶¶ 4–5, GDPR. [638] European Commission, Report from the Commission to the European Parliament and the Council on the first annual review of the functioning of the EU-U.S. Privacy Shield 2 (2017), available at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=605619. [639] Id. at 4. [640]   Id. at 4–7. [641]   Press Release, Federal Trade Commission, FTC Gives Final Approval to Settlements with Companies that Falsely Claimed Participation in Privacy Shield (Nov. 29, 2017), available at https://www.ftc.gov/news-events/press-releases/2017/11/ftc-gives-final-approval-settlements-companies-falsely-claimed . 
[642] See FT Cyber Security, “China’s cyber security law rattles multinationals,” Financial Times (May 30, 2017), available at https://www.ft.com/content/b302269c-44ff-11e7-8519-9f94ee97d996 . [643] Alex Lawson, “US Asks China Not To Implement Cybersecurity Law,” Law360 (Sept. 27, 2017) available at https://www.law360.com/articles/968132/us-asks-china-not-to-implement-cybersecurity-law. [644] Sophie Yan, “China’s new cybersecurity law takes effect today, and many are confused,” CNBC.com (June 1, 2017), available at https://www.cnbc.com/2017/05/31/chinas-new-cybersecurity-law-takes-effect-today.html. [645] Christina Larson, Keith Zhai, and Lulu Yilun Chen, “Foreign Firms Fret as China Implements New Cybersecurity Law”, Bloomberg News (May 24, 2017), available at https://www.bloomberg.com/news/articles/2017-05-24/foreign-firms-fret-as-china-implements-new-cybersecurity-law . [646] Clarice Yue, Michelle Chan, Sven-Michael Werner and John Shi, “China Cybersecurity Law update: Draft Guidelines on Security Assessment for Data Export Revised!,” Lexology (Sept. 26, 2017), available at https://www.lexology.com/library/detail.aspx?g=94d24110-4487-4b28-bfa5-4fa98d78a105 . [647] Singapore Personal Data Protection Commission, Proposed Advisory Guidelines on the Personal Data Protection Act For NRIC Numbers,  published 7 November 2017, available at https://www.pdpc.gov.sg/docs/default-source/public-consultation-6—nric/proposed-nric-advisory-guidelines—071117.pdf?sfvrsn=4 . [648] Office of the Australian Information Commissioner, “De-identification Decision-Making Framework”, Australian Government (Sept. 18, 2017), available at https://www.oaic.gov.au/agencies-and-organisations/guides/de-identification-decision-making-framework ; Lyn Nicholson, “Regulator issues new guidance on de-identification and implications for big data usage”, Lexology (Sept. 
The following Gibson Dunn lawyers assisted in the preparation of this client alert: Alexander Southwell, Joshua Jessen, Caroline Krass, Eric Vandevelde, Ryan Bergsieker, Abbey Barrera, Kamola Kobildjanova, Lindsey Young, Amy Chmielewski, Melissa Goldstein, Alex Murchison, Reid Rector and Ilissa Samplin, with contributions from Angelica Agishi, Jacob Arber, Stephanie Balitzer, Melinda Biancuzzo, Sheli Chabon, Alli Chapin, Soolean Choy, Josiah Clarke, Tim Deal, Amanda George, Zoey Goldnick, Christian Hudson, Jordan Jacobsen, Miranda Lievsay, Ian Long, Cary McClelland, Jon Newmark, Sheri Pan, Nathan Powell, Jacob Rierson, Alon Sachar, Nick Scheiner, Sydney Sherman, Frances Smithson, Sam Spears, Marc Takagaki, Kayla Wieche and Alex Zbrozek.
Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these issues.  For further information, please contact the Gibson Dunn lawyer with whom you usually work or any of the following leaders and members of the firm’s Privacy, Cybersecurity and Consumer Protection practice group: United States Alexander H. Southwell – Chair, PCCP Practice, New York (+1 212-351-3981, asouthwell@gibsondunn.com) Caroline Krass – Chair, National Security Practice, Washington, D.C. (+1 202-887-3784, ckrass@gibsondunn.com) M. Sean Royall – Dallas (+1 214-698-3256, sroyall@gibsondunn.com) Debra Wong Yang – Los Angeles (+1 213-229-7472, dwongyang@gibsondunn.com) Richard H. Cunningham – Denver (+1 303-298-5752, rhcunningham@gibsondunn.com) Howard S. Hogan – Washington, D.C. (+1 202-887-3640, hhogan@gibsondunn.com) Joshua A. Jessen – Orange County/Palo Alto (+1 949-451-4114/+1 650-849-5375, jjessen@gibsondunn.com) Kristin A. Linsley – San Francisco (+1 415-393-8395, klinsley@gibsondunn.com) Shaalu Mehra – Palo Alto (+1 650-849-5282, smehra@gibsondunn.com) Karl G. Nelson – Dallas (+1 214-698-3203, knelson@gibsondunn.com) Eric D. Vandevelde – Los Angeles (+1 213-229-7186, evandevelde@gibsondunn.com) Benjamin B. Wagner – Palo Alto (+1 650-849-5395, bwagner@gibsondunn.com) Michael Li-Ming Wong – San Francisco/Palo Alto (+1 415-393-8333/+1 650-849-5393, mwong@gibsondunn.com) Ryan T. Bergsieker – Denver (+1 303-298-5774, rbergsieker@gibsondunn.com) Europe Ahmed Baladi – Paris (+33 (0)1 56 43 13 00, abaladi@gibsondunn.com) James A. 
Cox – London (+44 (0)207071 4250, jacox@gibsondunn.com) Patrick Doris – London (+44 (0)20 7071 4276, pdoris@gibsondunn.com) Bernard Grinspan – Paris (+33 (0)1 56 43 13 00, bgrinspan@gibsondunn.com) Penny Madden – London (+44 (0)20 7071 4226, pmadden@gibsondunn.com) Jean-Philippe Robé – Paris (+33 (0)1 56 43 13 00, jrobe@gibsondunn.com) Michael Walther – Munich (+49 89 189 33-180, mwalther@gibsondunn.com) Nicolas Autet – Paris (+33 (0)1 56 43 13 00, nautet@gibsondunn.com) Kai Gesing – Munich (+49 89 189 33-180, kgesing@gibsondunn.com) Sarah Wazen – London (+44 (0)20 7071 4203, swazen@gibsondunn.com) Emmanuelle Bartoli – Paris (+33 (0)1 56 43 13 57, ebartoli@gibsondunn.com) Alejandro Guerrero Perez – Brussels (+32 2 554 7218, aguerreroperez@gibsondunn.com) Asia Kelly Austin – Hong Kong (+852 2214 3788, kaustin@gibsondunn.com) Jai S. Pathak – Singapore (+65 6507 3683, jpathak@gibsondunn.com) Questions about SEC disclosure issues concerning data privacy and cybersecurity can also be addressed to the following leaders and members of the Securities Regulation and Corporate Disclosure Group: James J. Moloney – Orange County, CA (+1 949-451-4343, jmoloney@gibsondunn.com) Elizabeth Ising – Washington, D.C. (+1 202-955-8287, eising@gibsondunn.com) Lori Zyskowski – New York (+1 212-351-2309, lzyskowski@gibsondunn.com) © 2018 Gibson, Dunn & Crutcher LLP Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

January 19, 2018 |
2017 Trade Secrets Litigation Round-Up

2017 saw a number of interesting developments in trade secrets law, including the emergence of several trends under the Defend Trade Secrets Act, as courts grappled with the federal civil trade secrets statute enacted just over a year and a half ago.  On the criminal side, we saw the Trump administration aggressively prosecute individuals for trade secret theft and cyberespionage, including an engineer who allegedly sold military trade secrets to an undercover FBI agent whom he believed to be a Russian spy.  We also saw the U.S. Supreme Court deny certiorari in two closely watched trade secrets cases under the Computer Fraud and Abuse Act. Jason Schwartz, Greta Williams, Mia Donnelly and Brittany Raia discuss these and other significant 2017 developments in trade secrets law in their article “2017 Trade Secrets Litigation Round-Up” published in BNA’s Patent, Trademark & Copyright Journal in January 2018. Reprinted with permission from BNA’s Patent, Trademark & Copyright Journal, January 19, 2018.  © 2018, The Bureau of National Affairs, Inc.  Gibson, Dunn & Crutcher’s lawyers are available to assist in addressing any questions you may have regarding the issues discussed in this update.  Please contact the Gibson Dunn lawyer with whom you usually work or the authors in the firm’s Washington, D.C. office: Jason C. Schwartz (+1 202-955-8242, jschwartz@gibsondunn.com) Greta B. Williams (+1 202-887-3745, gbwilliams@gibsondunn.com) Mia C. Donnelly (+1 202-887-3617, mdonnelly@gibsondunn.com) Brittany A. Raia (+1 202-887-3773, braia@gibsondunn.com) Please also feel free to contact any of the following practice group leaders and members: Labor and Employment Group: Catherine A. Conway – Los Angeles (+1 213-229-7822, cconway@gibsondunn.com) Jason C. Schwartz – Washington, D.C. 
(+1 202-955-8242, jschwartz@gibsondunn.com) Intellectual Property Group: Josh Krevitt – New York (+1 212-351-2490, jkrevitt@gibsondunn.com) Wayne Barsky – Los Angeles (+1 310-557-8183, wbarsky@gibsondunn.com) Mark Reiter – Dallas (+1 214-698-3360, mreiter@gibsondunn.com) Michael Sitzman – San Francisco (+1 415-393-8200, msitzman@gibsondunn.com) Privacy, Cybersecurity and Consumer Protection Group: Alexander H. Southwell – New York (+1 212-351-3981, asouthwell@gibsondunn.com) Benjamin B. Wagner – Palo Alto (+1 650-849-5395, bwagner@gibsondunn.com) © 2018 Gibson, Dunn & Crutcher LLP Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

January 18, 2018 |
2017 Year-End E-Discovery Update

E-discovery in 2017 featured increasing stability and maturity, due in large part to the continuing impact of the 2015 federal rule amendments addressing sanctions and proportionality. Yet, many challenges remain. Here are some of the highlights from the past year: Most courts are faithfully applying the requirements of amended Rule 37(e) to sanctions motions, only awarding the most serious sanctions where the responding party destroyed evidence with the intent to deprive, tailoring sanctions to be proportionate to actual prejudice, and denying sanctions where there was no prejudice. Nevertheless, some courts have based their findings of an intent to deprive on inferences drawn from conduct that might reasonably have been interpreted as negligent. A surprising number of courts continued to analyze spoliation sanctions issues under common law pre-dating the 2015 rule amendments, apparently unaware of amended Rule 37(e) and its requirements. Reliance on courts’ inherent powers to sanction persists—and may even have increased in 2017—despite the statement in the Committee Note that the amendment to Rule 37(e) was intended to foreclose such reliance. Proportionality continues to gain traction in limiting the scope of discovery. With respect to possession, custody and control, there continues to be a split in authority between courts applying the legal right test and those applying the practical ability test. Courts in jurisdictions applying the practical ability test are increasingly finding litigants to have control—and therefore preservation obligations—over discoverable information in the possession of non-parties. Discovery of social media is becoming increasingly commonplace. 
Decisions in 2017 reflected that early notions of social media having a “special status” because of privacy concerns (leading to, for example, a requirement of a threshold showing before discovery could be propounded) are giving way to social media being treated no differently from other forms of evidence. The use of technology assisted review (“TAR”)—also known as predictive coding—to search and review large document populations appears more widespread than in past years, particularly for requesting parties’ review of substantial incoming productions and in symmetrical litigation involving large document volumes, where both sides may want to use TAR. The consolidation among medium-sized and large e-discovery service providers only seemed to accelerate in 2017. It is not apparent whether this consolidation is fundamentally altering the market for e-discovery services, other than to possibly result in greater stability in the space once all of the M&A dust settles. Local and regional vendors seem to be increasingly squeezed, being acquired or facing stiff competition from large commodity vendors on the one hand, and potentially losing smaller customers to vendors of do-it-yourself online e-discovery software services, on the other hand. Other noteworthy developments in the vendor space have been the challenges posed by mobile devices, social media and ESI stored in the cloud—often requiring advanced tools and significant expertise to collect, process and search—and the more widespread availability of analytics applications that vendors can license and provide to their clients rather than having to develop in-house. As always, the year was an interesting one for e-discovery. We invite you to read our more detailed analysis and observations below.

Spoliation Sanctions: Rule 37(e) Continues to Have a Substantial Impact

Amended Federal Rule of Civil Procedure 37(e) continues to have a substantial impact on sanctions for failure to preserve ESI. 
Most courts are faithfully applying the requirements of amended Rule 37(e) to sanctions motions, only awarding the most serious sanctions where the responding party destroyed evidence with intent to deprive, tailoring sanctions to be proportionate to actual prejudice, and denying sanctions where there was no prejudice. Nevertheless, a surprising number of courts still relied on common law pre-dating the 2015 rule amendments, apparently unaware of amended Rule 37(e) and its requirements.

Intent to Deprive Leads to Most Serious Sanctions

Under amended Rule 37(e), courts can only issue the most serious sanctions—e.g., case-terminating sanctions or an adverse inference jury instruction—where a party acted with the intent to deprive another party of the use of the ESI in the litigation. In Organik Kimya, San ve Tic. A.S. v. Int’l Trade Comm’n, 848 F.3d 994, 103 (Fed. Cir. 2017), the defendant presented evidence that, days before an investigation was to take place, the plaintiffs intentionally began overwriting their laptops to delete what the court estimated to be hundreds of thousands of relevant files. Applying Rule 37(e), the court found that the plaintiffs acted with intent to deprive and held that a default judgment was appropriate “not merely to penalize those whose conduct may be deemed to warrant such a sanction, but [also] to deter those who might be tempted to such conduct in the absence of such a deterrent.” In Basra v. Ecklund Logistics, Inc., No. 8:16-cv-83, 2017 WL 1207482, at *1, *4 (D. Neb. Mar. 31, 2017), which arose out of an accident involving two tractor-trailers, the plaintiffs alleged the defendant had intentionally destroyed relevant ESI, including accident logs and reports. The plaintiffs requested an adverse jury instruction and attorneys’ fees. The court found that, “although [the] defendant’s record-keeping [was] less than meticulous,” the plaintiffs did not establish that the defendant had destroyed evidence with an intent to suppress the truth. 
The court therefore held that the defendant did “not engage in conduct that would warrant the sanction of an adverse jury instruction for spoliation of evidence,” and did not issue any sanctions. The court did not explicitly reference Rule 37(e), but appeared to apply its requirements. In Jackson v. Haynes & Haynes, No. 2:16-cv-01297-AKK, 2017 WL 3173302, at *3–4 (N.D. Ala. Jul. 26, 2017), the court found that the plaintiff failed to take reasonable steps to preserve relevant ESI on her smartphone when she relinquished it to her provider after having retained counsel to pursue the litigation. The court denied the defendants’ request for default judgment or an adverse inference jury instruction, however, because the plaintiff had not acted with intent to deprive the defendants of the evidence. The court reasoned that being “negligent and irresponsible in maintaining the information” and “knowing of her obligation to preserve the integrity of the information” are “not sufficient to show an intent to deprive[.]” Some courts have found an intent to deprive based on inferences drawn from conduct that might reasonably have been interpreted as, at worst, negligent. For example, in Moody v. CSX Transp., — F. Supp. 3d —, No. 07-CV-6398 P, 2017 WL 4173358, at *15 (W.D.N.Y. Sept. 21, 2017), a case arising out of a railway accident, the court granted the plaintiff’s motion for an adverse inference instruction where the defendant had saved event data recorder information to a laptop computer, transferred it to a central repository, permitted the data on the recorder to be overwritten and recycled the laptop, only to discover later that the copy in the repository was unreadable. The court found that this conduct supported an inference that the defendant acted with the intent to deprive the plaintiff of the event recorder data. 
Actual Prejudice Required

Absent evidence of actual prejudice, courts continued to deny sanctions under amended Rule 37(e)—even in the face of an intentional failure to preserve evidence. For example, in HCC Ins. Holdings, Inc. v. Flowers, No. 1:15-cv-3262-WSD, 2017 WL 393732, at *2-*4 (N.D. Ga. Jan. 30, 2017), the defendant and her husband ran several computer cleaning programs on her personal laptop after a court ordered her to produce her computer. The court concluded that, although the couple’s actions were “troubling, and in breach of [their] duty to preserve,” spoliation sanctions were “not warranted” because the presence of any trade secrets or other information that was relevant to the case was merely “speculati[ve].” Similarly, in Simon v. City of New York, No. 14-CV-8391-JMF, 2017 WL 57860, at *7 (S.D.N.Y. Jan. 5, 2017), the court refused to impose sanctions against the plaintiff for failing to retain a cell phone video of the events giving rise to an alleged false arrest. The court held there was no prejudice under amended Rule 37(e) because there was no evidence that the video would help the defendants, and arguments regarding the contents of the video amounted to “pure speculation.” In Eshelman v. Puma Biotechnology, Inc., No. 7:16-cv-18-D, 2017 WL 2483800, at *5 (E.D.N.C. June 7, 2017), the plaintiff sought an adverse inference jury instruction due to the defendant’s failure to preserve internet web browser and search histories relating to an allegedly defamatory investor presentation. In refusing to sanction the defendant, the court first noted that, despite the loss of the internet browser history, “other avenues of discovery [were] likely to reveal information about the searches performed.” For example, the plaintiff could seek such information from the individuals who had prepared the investor presentation. 
The court also found that the plaintiff had failed to present any evidence “regarding the particular nature of the missing ESI in order to evaluate the prejudice it [was] being requested to mitigate.” In Crow v. Cosmo Specialty Fibers, Inc., No. 3:15-cv-05665-RJB, 2017 WL 1128505, at *1, *5 (W.D. Wash. Mar. 24, 2017), the court refused to sanction a party under amended Rule 37(e) for its failure to produce an email that was later produced after a more careful search, finding only “meager prejudice.” The moving party was able to conduct several depositions in which it explored topics in the email, and there was no showing that delayed receipt of the email had affected any aspect of the case. In Edelson v. Cheung, No. 2:13-cv-5870 (JLL) (JAD), 2017 WL 150241, at *2-*4 (D.N.J. Jan. 12, 2017), the court awarded an adverse inference jury instruction sanction against the defendant for deleting emails from his personal computer. The plaintiff presented evidence that the defendant had opened a second email account, which he did not disclose even to his own counsel, for the purpose of evading discovery, and then deleted key emails when it was discovered. The plaintiff pointed to an email from the undisclosed account obtained from a third party that stated, “don’t forget to use only gmail account . . . Do not use frontier email. They read everything.” The defendant, for his part, testified that it “didn’t occur” to him to disclose the email account and that he deleted the e-mails because his computer “was running very sluggish” and someone recommended that he delete “certain items” from his computer in order to increase its speed. The court did not find the defendant’s explanation credible.

Remedy Should Be No Greater than Necessary to Cure the Prejudice

Pursuant to amended Rule 37(e), courts have continued to order remedies no greater than necessary to cure the prejudice that the moving party suffered. 
For example, in Edelson, supra, 2017 WL 150241 at *1, *4, the plaintiff sought a default judgment, or, in the alternative, an adverse inference jury instruction, where the defendant deleted key emails from his personal computer. The court found that the defendant had intentionally deleted the emails in an attempt to deprive the plaintiff of relevant information. Nevertheless, the court held that the plaintiff had “failed to demonstrate that he ha[d] suffered a degree of prejudice that merit[ed] the imposition of a default judgment against [the] defendant.” Other evidence besides the emails at issue was available for use at trial to support the plaintiff’s allegations. Thus, the court adopted the “more appropriate sanction [and] instruct[ed] the jury that it [could] presume the information was unfavorable to [the] defendant.”

Some Courts Still Fail to Apply Amended Rule 37(e)

Despite fairly broad application of amended Rule 37(e) in 2017, a surprising number of courts failed to apply it in spoliation sanctions motions. In many, but not all, of the cases, it nevertheless appears that the sanctions decision would have been the same under Rule 37(e). For example, in Dallas Buyers Club, LLC v. Huszar, No. 3:15–cv–907–AC, 2017 WL 481469 (D. Or. Feb. 6, 2017), the plaintiff claimed that the defendant illegally downloaded its eponymous movie. The defendant denied doing so, and subsequently destroyed his computer’s hard drive. He claimed the computer began exhibiting signs of failure, at which point he took it to a technician and the content was lost. Id. The court found the defendant credible but still issued an adverse inference jury instruction, finding that “although an adverse inference instruction is not as drastic a remedy as a default order, it is still a harsh remedy and will sufficiently compensate for the potential prejudice suffered by [the plaintiff].” Id. The court did not consider amended Rule 37(e).
Had it done so, the court’s finding that the defendant’s explanation was credible may have precluded a finding of intent to deprive, which would have been necessary to award an adverse inference instruction, and its finding of “potential prejudice” rather than actual prejudice would have been insufficient for any sanction under Rule 37(e). In Redzepagic v. Hammer, No. 14-civ-9808-ER, 2017 WL 780809, at *4, n. 9 (S.D.N.Y. Feb. 27, 2017), the court refused to issue spoliation sanctions for the plaintiff’s deletion of text messages following commencement of the lawsuit, despite the defendant’s argument that a “very strong inference” could be drawn “that the information [the] plaintiff had would support [the] defendant’s position.” Without reference to amended Rule 37(e), the court found that an employee of the defendant had separately preserved the relevant text messages, and the employee voluntarily turned over those texts to the court. The court reasoned that “because these documents were preserved by an employee . . . and were available to both parties in the action, there [was] no reason to infer that the text messages [the plaintiff] deleted would support [the defendant’s] position.” Thus, the court “decline[d] to impose sanctions or grant an adverse inference,” a result that would likely have been the same under Rule 37(e). Brown v. Certain Underwriters at Lloyds, London, No. 16-cv-02737, 2017 WL 2536419, at *2–6 (E.D. Pa. Jun. 12, 2017), arose out of a fire that occurred at plaintiffs’ property. The defendants suspected that the plaintiff was involved in setting the fire. They were interested in examining his cell phone to determine whether it contained any evidence that would tend to corroborate their suspicion. 
A day before the plaintiff was scheduled to produce the contents of his cell phone, he claimed for the first time that he had lost it “months ago.” He provided no details, however, regarding how he lost the phone or his attempts to preserve or recover its contents. The court failed to reference Rule 37(e) and instead relied on common law superseded by the rule. Finding that the defendant’s explanation lacked credibility, the court awarded an adverse inference jury instruction and attorneys’ fees. Finally, in Charles v. City of New York, No. 12-cv-6180 (SLT) (SMG), 2017 WL 530460, at *25-26 (E.D.N.Y. Feb. 8, 2017), a wrongful arrest case, the court declined to apply Rule 37(e) to a video recording on a smart phone. The defendant sought case terminating sanctions because the plaintiff had lost the smart phone on which she recorded video of her interaction with the police. Noting that the smart phone was not the only evidence in the case, and that there was no evidence of intentional destruction, the court refused to issue sanctions, finding that the plaintiff’s actions at most amounted to “mere negligence, not gross negligence.” The court did not apply amended Rule 37(e), reasoning that amended Rule 37(e) only applies to ESI and that neither the phone nor the video constituted ESI.

Inherent Authority: Still Alive

Many had expected that the December 2015 amendment to Rule 37(e) would eliminate courts’ inherent authority to impose sanctions for preservation failures, particularly in light of the statement in the Committee Notes that the amended rule “forecloses reliance on inherent authority or state law to determine when certain measures should be used.” Yet, the language of the amended rule itself did not address the issue. And, barely a month after the amendment’s effective date, Magistrate Judge James C. Francis IV held in Cat 3 LLC v. Black Lineage Inc., 164 F. Supp. 3d 488 (S.D.N.Y.
2016), that if a party’s apparent alteration of e-mails was not sanctionable under amended Rule 37(e), then the court could still impose sanctions pursuant to its inherent authority. Judge Francis subsequently co-authored an article laying out his case for the survival of inherent authority. See Hon. James C. Francis IV & Eric P. Mandel, Limits on Limiting Inherent Authority: Rule 37(e) and the Power to Sanction, The Sedona Conference Journal (Vol. 17, No. 2, p. 613) (2016). Following Judge Francis’ opinion in Cat 3, Judge Paul Grimm, who was a member of the Civil Rules Advisory Committee, stated that “[w]hen the drafters were crafting Rule 37(e), we did so with a desire to occupy the field.” To obtain spoliation sanctions under inherent authority, according to Judge Grimm, you would “have to argue that in some way, the existing Rule is insufficient and you also have to be faithful to the law of inherent authority,” meaning “you would need to show bad faith.” Tera Brostoff, Reports of Death of Inherent Judicial Authority Exaggerated?, Bloomberg BNA Electronic Discovery and E-Evidence (Nov. 15, 2016). Judge Grimm’s statement is reminiscent of the Supreme Court’s statement in Chambers v. NASCO, a key case regarding inherent authority, that courts ordinarily should rely on the Rules in imposing sanctions, but “if in the informed discretion of the court, neither the statute nor the Rules are up to the task,” the court may rely on inherent authority. Similarly, Judge Francis has stated that “[t]he point is, if there is a gap in the rule, then the exercise of inherent power is appropriate[.]” Views from the Bench: Leading Federal Judges in Conversation on EDiscovery and More, 34 (R. Hilson & C. Sullivan eds., 2017). Nevertheless, it appears to be Judge Francis’ view that inherent authority exists even if a matter is covered by Rule 37(e). See id. at 34-35. That view is not shared by all others. See, e.g., id. at 35 (Hon.
Frank Maas, ret., quoted as stating “I’m far less sure than Judge Francis is that inherent authority lives on in cases that fall within the four corners of Rule 37(e).”) See also Gareth Evans and Phillip Favro, Unfinished Business: A Holiday Wish List For New E-Discovery Centered FRCP Amendments, LegalTech News (Dec. 15, 2017) (calling for moving to the text of the rule the language in the Rule 37(e) Committee Note foreclosing reliance on inherent authority). In 2017, the Supreme Court addressed courts’ inherent authority to impose discovery-related sanctions in Goodyear Tire & Rubber Co. v. Haeger, __ U.S. __, 137 S.Ct. 1178 (2017). The Court held that sanctions imposed under inherent authority must be compensatory rather than punitive and must have been “causally related to the sanctioned party’s misconduct.” The case did not involve spoliation, however, and the Court did not address whether amended Rule 37(e) forecloses reliance on inherent authority. Thus, it appears unlikely that Goodyear has resolved the issue of whether courts may rely on inherent powers in awarding sanctions for a failure to preserve ESI. Meanwhile, some courts continued to rely upon inherent powers in issuing sanctions for preservation failures. In Hsueh v. New York State Dept. of Financial Servs., 15-civ.-3401-PAC, 2017 WL 1194706, at *4, *6 (S.D.N.Y. Mar. 31, 2017), for example, the court found that amended Rule 37(e) did not apply to the destruction of ESI where the party had “intentionally deleted” the information (despite the fact that Rule 37(e) expressly applies where a party acted with intent to deprive). The court stated that “[b]ecause Rule 37(e) does not apply, the Court may rely on its inherent power to control litigation in imposing spoliation sanctions” in granting an adverse inference sanction for spoliation.
The court in Hsueh observed that amended Rule 37(e) is aimed at “serious problems resulting from the continued exponential growth in the volume of ESI as well as excessive effort and money that litigants have had to expend to avoid potential sanctions for failure to preserve ESI.” In this case, the court reasoned, the ESI was not lost on account of “improper systems in place to prevent the loss of the recording” but rather “because she took specific action to delete it.” The court concluded, however, that under either amended Rule 37(e) or the court’s inherent authority an adverse inference and attorneys’ fees were appropriate because (i) the plaintiff was under an obligation to preserve the recording, (ii) there was no doubt the destroyed evidence was relevant to the claims in the case, and (iii) the plaintiff acted in bad faith and with an intent to destroy the ESI. Accordingly, the debate continues over whether inherent authority survives as a basis for spoliation sanctions. At least some of the discussion, however, has shifted to limits on the circumstances under which inherent authority may be invoked (assuming that it can be invoked at all)—for example, that Rule 37(e) must not provide an adequate remedy and bad faith conduct must have been involved. In any event, we doubt that we have heard the last of this issue from courts, commentators and possibly even drafters of future rule amendments.

Proportionality: Alive, and Well

Proportionality as a limit on the scope of discovery continues to gain traction following its incorporation into Rule 26(b)(1)’s definition of the scope of discovery in the 2015 rule amendments. Of particular note in 2017, the Sedona Conference released its Commentary on Proportionality in Electronic Discovery, 18 Sedona Conf. J. 141 (2017), which sets forth six “Principles of Proportionality” pertaining to the amended rule’s proportionality factors and courts’ application of them since the 2015 rule amendments.
These principles consist of the following: (1) “[t]he burdens and costs of preserving relevant electronically stored information should be weighed against the potential value and uniqueness of the information when determining the appropriate scope of preservation;” (2) “[d]iscovery should focus on the needs of the case and generally be obtained from the most convenient, least burdensome, and least expensive sources;” (3) “[u]ndue burden, expense, or delay resulting from a party’s action or inaction should be weighed against that party;” (4) “[t]he application of proportionality should be based on information rather than speculation;” (5) “[n]onmonetary factors should be considered in the proportionality analysis;” and (6) “[t]echnologies to reduce cost and burden should be considered in the proportionality analysis.” The discussion in the Commentary on Proportionality reflects that the evaluation of whether discovery is “proportional to the needs of the case” is highly dependent on the specific facts of any given case, and it is the parties’ burden to provide evidence and educate the court on their specific situation. Additionally, proportionality does not merely involve an analysis of the cost of collection and production compared to the need for the documents—it extends beyond this, taking into account the good faith of the parties, the parties’ comparative access to information, and the importance of the issues. Further, the Commentary advocates that parties work together and utilize appropriate technologies in the discovery process. Judicial decisions in 2017 continued to reflect that proportionality in discovery has gained traction since the 2015 federal rule amendments. In Solo v. United Parcel Service Co., No. 14-12719, 2017 WL 85832 (E.D. Mich., Jan. 10, 2017), for example, the court considered whether UPS should be compelled to produce information stored on backup tapes because their billing system only maintained live data for a short period of time. Id. 
at *2. UPS submitted a declaration attesting that it would take six months and $120,000 to recover the data from the back-up tapes. The court held that restoring back-up tapes was not proportional to the needs of the case not only because of the expense, but also because the data would only be relevant if the plaintiffs prevailed on certain issues on the merits. In Scott v. Eglin Fed. Credit Union, No. 3:16-CV-719-RV-GRJ2017, 2017 WL 1364600, at *3 (N.D. Fla. Apr. 13, 2017), an employment discrimination case, the defendant (the plaintiff’s former employer) moved to compel the plaintiff’s current employer (a third party) to produce emails and text messages with the plaintiff. Noting that “emails and text messages may be fair game for discovery in most cases,” the court nonetheless denied the motion to compel, explaining “[b]alancing the marginal relevance of information in emails and text messages against the time and expense that would be involved for a small business … in searching cellular telephones, servers and other electronic storage facilities makes little sense and would cause Plaintiff’s current employer to incur an expense that ultimately will have little or no impact on the outcome of this case.” Id. at *3. In Simon v. Northwestern Univ., No. 1:150-CV-01433, 2017 WL 467677 (N.D. Ill. Feb. 3, 2017), the court engaged in a substantial proportionality analysis, including analyzing the importance of the issues (“The court finds the importance of the issues at stake in this action extremely high”); the amount in controversy (“the Court finds this amount to be high as well”); the relative burden on the defendants (the court determined it was high as to the individuals but “relatively low” as to the university); and the parties’ access to relevant information (determining that the university had the greatest access). In Crabtree v. Angie’s List, Inc., No. 1:16-CV-0087-SEP-MJD, 2017 WL 413242, at *3 (S.D. Ind. Jan.
31, 2017), a wages and hours action, the defendant requested a forensic examination of the plaintiffs’ electronic devices to determine how many hours the plaintiffs were working offsite. The court denied the request as not proportional to the needs of the case. Notably, as part of its proportionality analysis, the court considered the plaintiffs’ privacy and security interests. In Gordon v. T.G.R. Logistics, Inc., 321 F.R.D. 401 (D. Wyo. 2017), the defendant moved to compel production of an electronic copy of the “entire Facebook account history” from the plaintiff’s two Facebook accounts on the ground that the information would be relevant to her claims of physical and emotional injury resulting from a motor vehicle accident. The court engaged in a proportionality analysis, stating that “[s]ocial media presents some unique challenges to courts in their efforts to determine the proper scope of discovery of relevant information and maintaining proportionality.” While it is conceivable that almost any post to social media will provide some relevant information concerning a person’s physical and/or emotional health, it also has the potential to disclose more information than has historically occurred in civil litigation.

Possession, Custody or Control: Split in Authority Persists

Whether a party has “possession, custody or control” over relevant and responsive documents—and therefore an obligation to preserve and produce them—continued to be an important issue in 2017. A split in authority has persisted between courts applying the “legal right” test (i.e., finding that a party has control over documents in the possession of others only when it has the legal right to the documents) and those applying the “practical ability” test (i.e., finding that a party has control when it has the practical ability to obtain the documents, even if it does not have a legal right to them). In Parris v. Pappas, No. 3:10-cv-1128 WWE, 2017 WL 3314001, at *2 (D. Conn. Aug.
3, 2017), the court applied the practical ability test in denying a motion to compel the defendant to produce documents in the possession of his girlfriend. The court held that the plaintiff had failed to sustain her burden of establishing that the documents were in the defendant’s possession, custody or control because the defendant attested that he had asked his girlfriend for the documents, but she had refused to provide them. The court noted, however, that the plaintiff could subpoena the documents from the girlfriend pursuant to Rule 45. By contrast, the court in Ronnie Van Zant, Inc. v. Pyle, No. 17 Civ. 3360-RWS, 2017 WL 3721777, at *8-*9 (S.D.N.Y. Aug. 28, 2017), also applying the practical ability test, imposed sanctions on a defendant for its failure to prevent a third-party independent contractor from destroying relevant text messages on his smart phone. The lawsuit arose out of a “blood oath” among the surviving members of the band Lynyrd Skynyrd and the family members of band members who had been killed in a 1977 plane crash that none would seek to profit from the band’s name or story. Despite the oath, which was later reflected in a consent order, the band’s drummer—Artemis Pyle—worked with the defendant film company to produce a film about the band. In the ensuing lawsuit for breach of the consent order, the court awarded an adverse inference jury instruction holding the defendant film company responsible for the failure of the film’s director—an independent contractor—to preserve relevant text messages that were lost when he turned in and upgraded his personal smart phone. The court reasoned not only that the film company had the ability to ensure that the director preserved relevant data on his smart phone, but also that its failure to do so coupled with the director’s actions “evince the kind of deliberate behavior that sanctions are intended to prevent and weigh in favor of an adverse inference.” In Williams v. Angie’s List, No.
1:16-00878-WTL-MJD, 2017 WL 1318419, at *2-*3 (S.D. Ind. April 10, 2017), a wage and hours action, the court applied the legal right test. The plaintiffs—whose hours were not reflected in badge-swipe data because they often worked from home—sought from the defendant background data automatically recorded while they were working on Salesforce, a sales platform utilized by the defendant. The court rejected the defendant’s argument that it did not have possession, custody or control of the Salesforce data, citing the defendant’s contractual relationship with Salesforce giving the defendant the right to the data.

Discovery of Social Media Grows Increasingly Commonplace

It is not an overstatement to say that social media has become an integral part of modern life. Social media has played an important role for a number of years in keeping us in touch with friends and family. In recent years, social media applications have also played a prominent role in professional networking and, increasingly, in workplace communications and collaboration. Not surprisingly, therefore, the discovery of social media is also becoming increasingly commonplace. As social media has expanded into many different areas, conceptions of what exactly it is are becoming somewhat blurred. No longer just Facebook, but numerous other social and professional networking and communication applications may be considered social media. The Oxford English Dictionary defines “social media” as “websites and applications used for social networking” and “social network,” in turn, as “the use of dedicated websites and applications to communicate with each other by posting information, comments, messages, images, etc.” See Concise Oxford English Dictionary (12th ed. 2011). Many social media applications have their own direct and group messaging functions, and many instant messaging applications have features that are common to social media.
As social media is becoming ubiquitous, early notions that social media might have a special status because of privacy concerns (leading to, for example, a requirement of a threshold showing before discovery could be propounded) are giving way to social media being treated no differently from other forms of evidence. See, e.g., United States ex rel. Reaster v. Dopps Chiropractic Clinic, LLC, No. 13-1453-EFM-KGG, 2017 WL 957436, at *1-*2 (D. Kan. Mar. 13, 2017) (“while information on social networking sites is not entitled to special protection, discovery requests seeking this information should be tailored so as not to constitute the proverbial fishing expedition in the hope that there might be something of relevance in the respondent’s social media presence”) (internal quotations and citation omitted). Proportionality and relevance requirements can play a particularly important role in discovery of social media. Because social media accounts usually contain a substantial amount of irrelevant and personal information, courts must balance legitimate rights to discovery against overly broad and intrusive inquiries. See, e.g., Brown v. Ferguson, No. 4:15-cv-0083-ERW, 2017 WL 386544, at *1-*2 (E.D. Mo. Jan. 27, 2017) (rejecting disclosure of social media passwords as constituting unfettered access, but also rejecting a distinction between private messages and public content on Facebook). Gordon v. T.G.R. Logistics, Inc., 321 F.R.D. 401 (D. Wyo. 2017), illustrates the challenge facing courts in determining the appropriate scope of social media discovery. In Gordon, the defendant brought a motion to compel the production of the “entire Facebook account history” of the plaintiff’s two Facebook accounts on the ground that the information would be relevant to her claims of physical and emotional injury resulting from a motor vehicle accident.
The court engaged in a proportionality analysis, observing that “[s]ocial media presents some unique challenges to courts in their efforts to determine the proper scope of discovery of relevant information and maintaining proportionality.” The court continued that “[w]hile it is conceivable that almost any post to social media will provide some relevant information concerning a person’s physical and/or emotional health, it also has the potential to disclose more information than has historically occurred in civil litigation. While we can debate the wisdom of individuals posting information which has historically been considered private, we must recognize people are providing a great deal of personal information publicly to a very loosely defined group of ‘friends,’ or even the entire public internet.” The court explained that the relative ease and low cost of downloading a user’s Facebook history would not itself resolve the issue. The court observed that, in the past, “[n]o court would have allowed unlimited depositions of every friend, social acquaintance, co-employee or relative of a plaintiff to inquire as to all disclosures, conversations or observations. Now, far more reliable disclosures can be obtained with a simple download of a social media history.” The court reasoned, on the one hand, that even though producing the plaintiff’s Facebook history would involve very little time or expense, it could nevertheless have a very significant impact in generating additional discovery and in lengthening testimony. 
“It’s not difficult to imagine a plaintiff being required to explain every statement contained within a lengthy Facebook history in which he or she expressed some degree of angst or emotional distress or discussing life events which could be conceived to cause emotion upset, but which is extremely personal and embarrassing.” On the other hand, the court recognized that “Defendant has a legitimate interest in discovery which is important to the claims and damages it is being asked to pay. Information in social media which reveals that the plaintiff is lying or exaggerating his or her injuries should not be protected from disclosure. Courts must balance these realities regarding discovery of social media and that is what most of the courts which have addressed this issue have done.” In the end, the court denied the defendant’s request for the entirety of the plaintiff’s Facebook history and instead limited the scope of the discovery to Facebook posts after the accident that relate to the accident and her resulting physical and emotional injuries and any posts relating to other events that could reasonably be expected to result in emotional distress.

Technology Assisted Review: Gaining Strength?

A noticeable practice trend in 2017 has been that the use of technology assisted review (“TAR”)—also known as predictive coding—to search and review large document populations appears to be more widespread than in past years. We are seeing requesting parties more frequently using TAR in their review of substantial incoming productions, where the TAR protocol and training of the TAR tool will not be subject to challenge from the opposing party. We are also seeing TAR used more often in symmetrical litigation, where both sides have large production obligations and both use TAR—or want to have the option to use TAR—in their document search and review process. That is not to say that the use of TAR is commonplace, as many had anticipated would be the case by now.
Rather, within a relatively small slice of litigation matters—those that involve particularly massive amounts of ESI to search and review—it appears that TAR is being used more than in the past. A substantial body of case law has developed regarding issues relating to the use of TAR. See The Sedona Conference TAR Case Law Primer, 18 Sedona Conf. J. 1 (2017). Yet, many issues remain unresolved—except that TAR is generally accepted by the courts as a legitimate search and review methodology. There was a dearth of case law in 2017 involving disputes over TAR, perhaps reflecting that TAR is mostly being used on incoming productions and pursuant to stipulated protocols in symmetrical litigation. The two decisions in 2017 regarding TAR disputes dealt with the extent of transparency required regarding the TAR process and the use of search terms to cull a document population before the use of TAR. In Winfield v. City of New York, No. 15-cv-05236 (S.D.N.Y. Nov. 27, 2017), the plaintiffs argued that the defendant’s TAR model was improperly trained because its reviewers had over-designated documents in the seed and training sets as non-responsive. The plaintiffs argued—and the court agreed—that several inadvertently produced documents designated as non-responsive and used to train the TAR model were actually responsive. The plaintiffs sought both to bar the defendant from continuing to use TAR and to require disclosure of information about the TAR process—including the defendant’s coding of seed and training documents, how the defendant trained its document reviewers, and detailed information about the ranking system used in the TAR process (i.e., what relevance score cut-off was used, and how many documents were deemed responsive and unresponsive at each ranking level).
The court referenced Sedona Principle 6, which provides that the producing party is in the best position to “evaluate the procedures, methodologies, and technologies appropriate for preserving and producing their own electronically stored information.” Id., slip op. at 20; see also The Sedona Conference Principles, Third Edition, 19 Sedona Conf. J. 1, 118 et seq. (forthcoming 2018) (available at www.thesedonaconference.org). The court stated that, “[t]raditionally, courts have not micro-managed parties’ internal review processes for a number of reasons.” Those reasons include that “attorneys, as officers of the court, are expected to comply with Rules 26 and 34 in connection with their search, collection, review and production of documents, including ESI.” Additionally, the court stated that “internal attorney ESI work processes may reveal work product” and noted that “perfection in ESI discovery is not required[.]” Nevertheless, the court asserted, “parties cannot be permitted to jeopardize the integrity of the discovery process by engaging in halfhearted and ineffective efforts to identify and produce relevant documents.” Id., slip op. at 20-21. The court reviewed information about the defendant’s TAR process in camera—including information about the seed and training sets, its training of reviewers, and the validation process the defendant used. The court concluded that “the City’s training and review processes and protocols present no basis for finding that the City engaged in gross negligence in connection with its ESI discovery—far from it.” Id., slip op. at 23. Additionally, with respect to detailed information about the defendant’s TAR process—such as the cut-off used and the number of responsive and unresponsive documents at each ranking level—the court stated that it “views this information as protected by the work product privilege and, accordingly, [it] is not subject to disclosure.” Id., slip op. at 27; see also John M. Facciola and Philip J.
Favro, Safeguarding the Seed Set: Why Seed Set Documents May Be Entitled to Work Product Protection, 8 Fed. Cts. L. Rev. 1 (Feb. 2015). Nevertheless, because there was some evidence of “human error” in the training process, the court ordered the defendant to provide the plaintiffs, on an attorneys’ eyes only basis, with a random sample of 300 non-privileged documents from the population of documents the TAR process determined to be non-responsive. Id., slip op. at 25-26. The only other reported or widely publicized TAR decision in 2017, FCA US LLC v. Cummins, Inc., No. 16-12883, 2017 WL 2806896, at *1 (E.D. Mich. Mar. 28, 2017), involved a dispute over “whether the universe of electronic material subject to TAR review should first be culled by the use of search terms.” Without any substantive discussion, other than to cite materials that it reviewed, the court stated that “[a]pplying TAR to the universe of electronic material before any keyword search reduces the universe of electronic material is the preferred method.”

E-Discovery Vendor Developments

The consolidation among medium-sized and large e-discovery service providers, usually financed by private equity funding, that has been going on for several years now only seemed to accelerate more in 2017. It is not apparent whether this consolidation is fundamentally altering the market for e-discovery services, other than to possibly result in greater stability in the space once all of the M&A dust settles.
Generally, the market appears to be settling into several different segments: (1) large vendors with a national and often international footprint providing basic, commodity services using mostly standard technologies; (2) medium-sized vendors—also with a national and global footprint—focused on providing both expert e-discovery consulting and professional services as well as standard and more advanced technologies; (3) vendors of “do it yourself” online e-discovery software services (i.e., “SAAS,” aka software as a service), usually targeted at small and medium-sized law firms that now, increasingly, must deal with e-discovery; and (4) traditional local and regional vendors providing basic services, much as they have in the past. The local and regional vendors seem to be increasingly squeezed in this market, either being acquired by or not able to compete with the large vendors providing commodity services. Notably, it appears that there are far fewer new entrants in the e-discovery services market—which used to have relatively low barriers to entry—than in the past. Also, there appears to have been significant maturation of some of the SAAS providers, which appear to be finding a solid niche in a potentially large market segment—small and medium-sized law practices—often not previously serviced by e-discovery providers. Other noteworthy developments in the vendor space have been the challenges posed by mobile devices, social media and ESI stored in the cloud—often requiring advanced tools and significant expertise to collect, process and search—and the more widespread availability of analytics applications that vendors can license and provide to their clients rather than having to develop in-house.

Conclusion

The past year showed once again that e-discovery continues to progress, but also continues to face new and pre-existing challenges. We hope that you found our 2017 Year-End E-Discovery Update informative.
We invite you to review further the many articles, client alerts and updates that our attorneys have published by going to the Gibson Dunn Electronic Discovery Practice Group’s page on the Firm’s website. The following Gibson Dunn lawyers assisted in the preparation of this client update: Gareth Evans, Jennifer Rearden, Heather Richardson, Chelsea Mae Thomas and Natalie Dygert. Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding the issues discussed in this update. The Electronic Discovery and Information Law practice group brings together lawyers with extensive knowledge of electronic discovery and information law. The group is comprised of seasoned litigators with a breadth of experience who have assisted clients in various industries and in jurisdictions around the world. The group’s lawyers work closely with the firm’s technical specialists to provide cutting-edge legal advice and guidance in this complex and evolving area of law. For further information, please contact the Gibson Dunn lawyer with whom you usually work or the following leaders of the Electronic Discovery and Information Law practice group:

Gareth T. Evans – Orange County (+1 949-451-4330, gevans@gibsondunn.com)
Jennifer H. Rearden – New York (+1 212-351-4057, jrearden@gibsondunn.com)

© 2018 Gibson, Dunn & Crutcher LLP Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

January 7, 2018 |
2017 Year-End German Law Update

Click for PDF “May you live in interesting times” goes the old Chinese proverb, which is not meant for a friend but for an enemy. Whoever expressed such a wish, interesting times have certainly come to pass for the German economy. Germany is an economic giant focused on the export of its sophisticated manufactured goods to the world’s leading markets, but it is also, in some ways, a military dwarf in a third-tier role in the re-sketching of the new world order. Germany’s globally admired engineering know-how and reputation have been severely damaged by the Volkswagen scandal and are structurally challenged by disruptive technologies and regulatory changes that may be calling for the end of the era of internal combustion engines. The top item on Germany’s foreign policy agenda, the further integration of the EU member states into a powerful economic and political union, has for some years now given rise to daily crisis management, first caused by the financial crisis and, since last year, by the uncertainties of BREXIT. As if this were not enough, internal politics is still handling the social integration of more than a million refugees that entered the country in 2015, who rightly expect fair and just treatment, education, medical care and a future. It has been best practice to address such manifold issues with a strong and hands-on government, but – unfortunately – this is also currently missing. While the acting government is doing its best to handle the day-to-day tasks, one should not expect any bold move or strategic initiative before a stable, yet to be negotiated parliamentary coalition majority has installed new leadership, likely again under Angela Merkel. All that will drag well into 2018 and will not make life any easier.
In stark contrast to the difficult situation the EU is facing in light of BREXIT, the single most impactful piece of regulation that will come into effect in May 2018 will be a European Regulation, the General Data Protection Regulation, which will harmonize data protection law across the EU and start a new era of data protection. Because of its broad scope and its extensive extraterritorial reach, combined with onerous penalties for non-compliance, it will open a new chapter in the way companies world-wide have to treat and process personal data. In all other areas of the law, we observe the continuation of a drive towards ever more transparency, whether through the introduction of new transparency registers disclosing relevant ultimate beneficial owner information or misconduct, through obligatory disclosure regimes (in the field of tax law), or through the automatic exchange under the OECD’s Common Reporting Standard of information that hitherto fell under the protection of bank secrecy laws. While all these initiatives are well intentioned, they present formidable challenges for companies to comply with the increased complexity and adequately respond to the increased availability and flow of sensitive information. Even more powerful than the regulatory push is the combination of cyber-attacks, investigative journalism, and social media: within a heartbeat, companies or individuals may find themselves exposed on a global scale to severe allegations or fundamental challenges to the way they did or do business. While this trend is not of a legal nature, but a consequence of how we now communicate and whom we trust (or distrust), for those affected it may have immediate legal implications that are often highly complex and difficult to control and deal with. Interesting times usually are good times for lawyers who are determined to solve problems and tackle issues. This is what we love doing and what Gibson Dunn has done best time and again in the last 125 years.
We therefore remain optimistic, even in view of the rough waters ahead which we and our clients will have to navigate. We want to thank you for your trust in our services in Germany and your business that we enjoy here and world-wide. We do hope that you will gain valuable insights from our Year-End Alert of legal developments in Germany that will help you to successfully focus and resource your projects and investments in Germany in 2018 and beyond; and we promise to be at your side if you need a partner to help you with sound and hands-on legal advice for your business in and with Germany or to help manage challenging or forward-looking issues in the upcoming exciting times.

________________________________

Table of Contents

1. Corporate, M&A
2. Tax
3. Financing and Restructuring
4. Labor and Employment
5. Real Estate
6. Data Protection
7. Compliance
8. Antitrust and Merger Control

________________________________

1. Corporate, M&A

1.1 Corporate, M&A – Transparency Register – New Transparency Obligations on Beneficial Ownership

As part of the implementation of the 4th European Money Laundering Directive into German law, Germany has created a new central electronic register for information about the beneficial owners of legal persons organized under German private law as well as registered partnerships incorporated within Germany. Under the restated German Money Laundering Act (Geldwäschegesetz – GWG) which took effect on June 26, 2017, legal persons of German private law (e.g. capital corporations like stock corporations (AG) or limited liability companies (GmbH), registered associations (eingetragener Verein – e.V.), incorporated foundations (rechtsfähige Stiftungen)) and all registered partnerships (e.g. offene Handelsgesellschaft (OHG), Kommanditgesellschaft (KG) and GmbH & Co.
KG) are now obliged to “obtain, keep on record and keep up to date” certain information about their “beneficial owners” (namely: first and last name, date of birth, place of residence and details of the beneficial interest) and to file the respective information with the transparency register without undue delay (section 20 (1) GWG). A “beneficial owner” in this sense is a natural person who directly or indirectly holds or controls more than 25% of the capital or voting rights, or exercises control in a similar way (section 3 (2) GWG). Special rules apply for registered associations, trusts, non-charitable unregulated associations and similar legal arrangements. “Obtaining” the information does not require the entities to carry out extensive investigations, potentially through multi-national and multi-level chains of companies. It suffices to diligently review the information on record and to have in place appropriate internal structures to enable it to make a required filing without undue delay. The duty to keep the information up to date generally requires that the company checks at least on an annual basis whether there have been any changes in their beneficial owners and files an update, if necessary. A filing to the transparency register, however, is not required if the relevant information on the beneficial owner(s) is already contained in certain electronic registers (e.g. the commercial register or the so-called “Unternehmensregister”). This exemption only applies if all relevant data about the beneficial owners is included in the respective documents and the respective registers are still up to date. This essentially requires the obliged entities to diligently review the information available in the respective electronic registers. Furthermore, as a matter of principle, companies listed on a regulated market in the European Union (“EU”) or the European Economic Area (“EEA”) (excluding listings on unregulated markets such as e.g.
the Entry Standard of the Frankfurt Stock Exchange) or on a stock exchange with equivalent transparency obligations with respect to voting rights are never required to make any filings to the transparency register. In order to enable the relevant entity to comply with its obligations, shareholders who qualify as beneficial owners or who are directly controlled by a beneficial owner, irrespective of their place of residence, must provide the relevant entity with the relevant information. If a direct shareholder is only indirectly controlled by a beneficial owner, the beneficial owner himself (and not the direct shareholder) must inform the company and provide it with the necessary information (section 20 (3) sentence 4 GWG). Non-compliance with these filing and information obligations may result in administrative fines of up to EUR 100,000. Serious, repeated or systematic breaches may even trigger sanctions up to the higher fine threshold of EUR 1 million or twice the economic benefit of the breach. The information submitted to the transparency register is not generally freely accessible. There are staggered access rights with only certain public authorities, including the Financial Intelligence Unit, law enforcement and tax authorities, having full access rights. Persons subject to know-your-customer (“KYC”) obligations under the Money Laundering Act such as e.g. financial institutions are only given access to the extent the information is required for them to fulfil their own KYC obligations. Other persons or the general public may only gain access if they can demonstrate a legitimate interest in such information. Going forward, every entity subject to the Money Laundering Act should verify whether it is beneficially owned within the aforementioned sense, and, if so, make the respective filing to the transparency register unless the relevant information is already contained in a public electronic register.
Furthermore, relevant entities should check (at least) annually whether the information on their beneficial owner(s) as filed with the transparency or other public register is still correct. Also, appropriate internal procedures need to be set up to ensure that any relevant information is received by a person in charge of making filings to the registers.

1.2 Corporate, M&A – New CSR Disclosure Obligations for German Public Interest Companies

Effective for fiscal years commencing on or after January 1, 2017, large companies with more than 500 employees are required to include certain non-financial information regarding their management of social and environmental challenges in their annual reporting (“CSR Information”). The new corporate social responsibility reporting rules (“CSR Reporting Rules”) implement the European CSR Directive into German law and are intended to help investors, consumers, policy makers and other stakeholders to evaluate the non-financial performance of large companies and encourage companies to develop a responsible and sustainable approach to business. The CSR Reporting Rules apply to companies with a balance sheet sum in excess of EUR 20 million and an annual turnover in excess of EUR 40 million, whose securities (stock or bonds etc.) are listed on a regulated market in the EU or the EEA as well as large banks and large insurance companies. It is estimated that approximately 550 companies in Germany are covered. Exemptions apply to consolidated subsidiaries if the parent company publishes the CSR Information in the group reporting. The CSR Reporting Rules require the relevant companies to inform on the policies they implemented, the results of such policies and the business risks in relation to (i) environmental protection, (ii) treatment of employees, (iii) social responsibility, (iv) respect for human rights and (v) anti-corruption and bribery.
In addition, listed stock corporations are also obliged to inform with regard to diversity on their company boards. If a company has not implemented any such policy, an explicit and justified disclosure is required (“comply or explain”). Companies must further include significant non-financial performance indicators and must also include information on the amounts reported in this respect in their financial statements. The CSR Information can either be included in the annual report or by way of a separate CSR report, to be published on the company’s website or together with its regular annual report with the German Federal Gazette (Bundesanzeiger). The CSR Reporting Rules will certainly increase the administrative burden placed on companies when preparing their annual reporting documentation. It remains to be seen if the new rules will actually meet the expectations of the European legislator and foster and create a more sustainable approach of large companies to doing business in the future.

1.3 Corporate, M&A – Corporate Governance Code Refines Standards for Compliance, Transparency and Supervisory Board Composition

Since its first publication in 2002, the German Corporate Governance Code (Deutscher Corporate Governance Kodex – DCGK), which contains standards for good and responsible governance for German listed companies, has been revised nearly annually. Even though the DCGK contains only soft law (“comply or explain”) framed in the form of recommendations and suggestions, its regular updates can serve as a barometer for trends in the public discussion and sometimes are also a forerunner for more binding legislative measures in the near future. The main changes in the most recent revision of the DCGK in February 2017 deal with aspects of compliance, transparency and supervisory board composition.

Compliance

The general concept of “compliance” was introduced by the DCGK in 2007.
In this respect, the recent revision of the DCGK brought along two noteworthy new aspects. On the one hand, the DCGK now stresses in its preamble that good governance and management does not only require compliance with the law and internal policies but also ethically sound and responsible behavior (the “reputable businessperson concept”). On the other hand, the DCGK now recommends the introduction of a compliance management system (“CMS”). In keeping with the common principle of individually tailored compliance management systems that take into account the company’s specific risk situation, the DCGK now recommends appropriate measures reflecting the company’s risk situation and disclosing the main features of the CMS publicly, thus enabling investors to make an informed decision on whether the CMS meets their expectations. It is further expressly recommended to provide employees with the opportunity to blow the whistle and also suggested to open up such whistle-blowing programs to third parties.

Supervisory Board

In line with the ongoing international trend of focusing on supervisory board composition, the DCGK now also recommends that the supervisory board not only should determine concrete objectives for its composition, but also develop a tailored skills and expertise profile for the entire board and disclose in the corporate governance report to what extent such benchmarks and targets have been implemented in practice. In addition, the significance of having sufficient independent members on the supervisory board is emphasized by a new recommendation pursuant to which the supervisory board should disclose the appropriate number of independent supervisory board members as well as the members who meet the “independence” criteria in the corporate governance report.
In accordance with international best practice, it is now also recommended to provide CVs for candidates for the supervisory board including inter alia relevant knowledge, skills and experience and to publish this information on the company’s website. With regard to supervisory board transparency, the DCGK now also recommends that the chairman of the supervisory board should be prepared, within an appropriate framework, to discuss topics relevant to the supervisory board with investors (please see in this regard our 2016 Year-End Alert, section 1.2). These new 2017 recommendations further highlight the significance of compliance and the role of the supervisory board not only for legislators but also for investors and other stakeholders. As soon as the annual declarations of non-conformity (“comply or explain”) are published over the coming weeks and months, it will be possible to assess how well these new recommendations will be received as well as what responses there will be to the planned additional supervisory board transparency (including, in particular, by family-controlled companies with employee co-determination on the supervisory board).

1.4 Corporate, M&A – Employee Co-Determination: No European Extension

As set out in greater detail in past alerts (please see in this regard our 2016 Year-End Alert, section 1.3 with further references), the scope and geographic reach of the German co-determination rules (as set out in the German Co-Determination Act; Mitbestimmungsgesetz – MitbestG and in the One-Third-Participation Act; Drittelbeteiligungsgesetz – DrittelbG) were the subject of several ongoing court cases.
This discussion has been put to rest in 2017 by a decision of the European Court of Justice (ECJ, C-566/15 – July 18, 2017) that held that German co-determination rules and their restriction to German-based employees as the numeric basis for the relevant employee thresholds and as the populace entitled to vote for such co-determined supervisory boards do not infringe the EU law principles of anti-discrimination and freedom of movement. The judgment has been received positively by both German trade unions and corporate players because it preserves the existing German co-determination regime and its traditional, local values against what many commentators would have perceived to be an undue pan-Europeanization of the thresholds and the right to vote for such bodies. In particular, the judgment averts the risk that many supervisory boards would have had to be re-elected based on a pan-European rather than solely German employee base.

1.5 Corporate, M&A – Germany Tightens Rules on Foreign Takeovers

On July 18, 2017, the amended provisions on foreign direct investments under the Foreign Trade and Payments Ordinance (Außenwirtschaftsverordnung – AWV) came into force, expanding and specifying the right of the Federal Ministry for Economic Affairs and Energy (“Ministry”) to review whether the takeover of domestic companies by investors outside the EU or the European Free Trade Area poses a danger to the public order or security of the Federal Republic of Germany.
The amendment has the following five main effects which will have a considerable impact on the M&A practice: (i) (non-exclusive) standard categories of companies and industries which are relevant to the public order or security for cross-sector review are introduced, (ii) the stricter sector-specific rules for industries of essential security interest (such as defense and IT-security) are expanded and specified, (iii) there is a reporting requirement for all takeovers within the relevant categories, (iv) the time periods for the review process are extended, and (v) there are stricter and more specific restrictions to prevent possible circumventions. Under the new rules, a special review by the German government is possible in cases of foreign takeovers of domestic companies which operate particularly in the following sectors: (i) critical infrastructure amenities, such as the energy, IT and telecommunications, transport, health, water, food and finance/insurance sectors (to the extent they are very important for the functioning of the community), (ii) sector-specific software for the operation of these critical infrastructure amenities, (iii) telecom carriers and surveillance technology and equipment, (iv) cloud computing services and (v) telematics services and components. The stricter sector-specific rules for foreign takeovers within the defense and IT-security industry are also expanded and now also apply to the manufacturers of defense equipment for reconnaissance and support. Furthermore, the reporting requirement no longer applies only to transactions within the defense and IT-security sectors, but also to all foreign takeovers that fall within the newly introduced cross-sector standard categories described above. The time periods allowed for the Ministry to intervene have been extended throughout. 
In particular, if an application for a clearance certificate is filed, the clearance certificate will be deemed granted in the absence of a formal review two months following receipt of the application rather than one month as in the past, and the review periods are suspended if the Ministry conducts negotiations with the parties involved. Further, a review may be commenced until five years after the signing of the purchase agreement, which in practice will likely result in an increase of applications for a clearance certificate in order to obtain more transaction certainty. Finally, the new rules provide for stricter and more specific restrictions of possible circumventions by, for example, the use of so-called “front companies” domiciled in the EU or the European Free Trade Area and will trigger the Ministry’s right to review if there are indications that an improper structuring or evasive transaction was at least partly chosen to circumvent the review by the Ministry. Although the scope of the German government’s ability to intervene in M&A processes has been expanded where critical industries are concerned, it is not clear yet to what extent stronger interference or more prohibitions or restrictions will actually occur in practice. And even though the new law provides further guidance, there are still areas of legal uncertainty which can have an impact on valuations and third party financing unless a clearance certificate is obtained. Due to the suspension of the review period in the case of negotiations with the Ministry, the review procedure has, at least in theory, no firm time limit. As a result, the M&A advisory practice has to be prepared for a more time-consuming and onerous process for transactions in the critical industries and may thus be forced to allow for more time between signing and closing. 
In addition, appropriate termination clauses (and possibly break fees) must be considered for purposes of the share purchase agreement in case a prohibition or restriction of the transaction on the basis of the amended AWV cannot be excluded.

2. Tax

2.1 Tax – Unconstitutionality of German Change-of-Control Rules

Tax loss carry forwards are an important asset in every M&A transaction. Over the past ten years the German change-of-control rules, which limit the use of losses and loss carry forwards (“Losses”) of a German target company, have undergone fundamental legislative changes. The current change-of-control rules may now face another significant revision as – according to the German Federal Constitutional Court (Bundesverfassungsgericht – BVerfG) and the Lower Tax Court of Hamburg – the current tax regime of the change-of-control rules violates the constitution. Under the current change-of-control rules, Losses of a German corporation will be forfeited on a pro rata basis if within a period of five years more than 25% but not more than 50% of the shares in the German loss-making corporation are transferred (directly or indirectly) to a new shareholder or group of shareholders with aligned interests. If more than 50% are transferred, Losses will be forfeited in total. There are exceptions to this rule for certain intragroup restructurings, built-in gains and – since 2016 – for business continuations, especially in the venture capital industry. On March 29, 2017, the German Federal Constitutional Court ruled that the pro rata forfeiture of Losses (share transfer of more than 25% but not more than 50%) is not in line with the constitution. The BVerfG held that the provision leads to unequal treatment of companies. The aim of avoiding legal but undesired tax optimizations does not justify the broad and general scope of the provision.
The BVerfG has asked the German legislator to amend the change-of-control rules retroactively for the period from January 1, 2008 until December 31, 2015 and bring them in line with the constitution. The legislative changes need to be finalized by December 31, 2018. Furthermore, in another case on August 29, 2017, the Lower Tax Court of Hamburg held that the change-of-control rules, which result in a full forfeiture of Losses after a transfer of more than 50% of the shares in a German corporation, are also incompatible with the constitution. The ruling is based on the 2008 wording of the change-of-control rules but the wording of these rules is similar to that of the current forfeiture rules. In view of the March 2017 ruling of the Federal Constitutional Court on the pro-rata forfeiture, the Lower Tax Court referred this case also to the Federal Constitutional Court to rule on this issue as well. If the Federal Constitutional Court decides in favor of the taxpayer the German tax legislator may completely revise the current tax loss limitation regime and limit its scope to, for example, abusive cases. A decision by the Federal Constitutional Court is expected in the course of 2018. Affected market participants are therefore well advised to closely monitor further developments and consider the impact of potential changes on past and future M&A deals with German entities. Appeals against tax assessments should be filed and stays of proceedings applied for by reference to the case before the Federal Constitutional Court in order to benefit from a potential retroactive amendment of the change-of-control rules. 
2.2 Tax – New German Tax Disclosure Rules for Tax Planning Schemes

In light of the Panama and Paradise leaks, the respective Finance Ministers of the German federal states (Bundesländer) created a working group in November 2017 to establish how the new EU Disclosure Rules for advisers and taxpayers as published by the European Commission (“Commission”) on July 25, 2017 can be implemented into German law. Within the member states of the EU, mandatory tax disclosure rules for tax planning schemes already exist in the UK, Ireland and Portugal. Under the new EU disclosure rules certain tax planners and advisers (intermediaries) or certain taxpayers themselves must disclose potentially aggressive cross-border tax planning arrangements to the tax authorities in their jurisdiction. This new requirement is a result of the disclosure rules as proposed by the OECD in its Base Erosion and Profit Shifting (BEPS) Action 12 report, among others. The proposal requires tax authorities in the EU to automatically exchange reported information with other tax authorities in the EU. Pursuant to the Commission’s proposal, an “intermediary” is the party responsible for designing, marketing, organizing or managing the implementation of a taxpayer’s reportable cross-border arrangement, while also providing that taxpayer with tax related services. If there is no intermediary, the proposal requires the taxpayer to report the arrangement directly. This is, for example, the case if the taxpayer designs and implements an arrangement in-house, if the intermediary in question does not have a presence within the EU or in case the intermediary cannot disclose the information because of legal professional privilege. The proposal does not define what “arrangement” or “aggressive” tax planning means but lists characteristics (so-called “hallmarks”) of cross-border tax planning schemes that would strongly indicate whether tax avoidance or abuse occurred.
These hallmarks can either be generic or specific. Generic hallmarks include arrangements where the taxpayer has complied with a confidentiality provision not to disclose how the arrangement could secure a tax advantage or where the intermediary is entitled to receive a fee with reference to the amount of the tax advantage derived from the arrangement. Specific hallmarks include arrangements that create hybrid mismatches or involve deductible cross-border payments between related parties with a preferential tax regime in the recipient’s tax resident jurisdiction. The information to be exchanged includes the identities of the taxpayer and the intermediary, details about the hallmarks, the date of the arrangement, the value of the transactions and the EU member states involved. The implementation of such mandatory disclosure rules on tax planning schemes is heavily discussed in Germany, especially among the respective bar associations. Elements of the Commission’s proposal are regarded as a disproportionate burden for intermediaries and taxpayers in relation to the objective. Further clarity is needed to align the proposal with the general principle of legal certainty. Certain elements of the proposal may contravene EU law or even the German constitution. And the interaction with the duty of professional secrecy for lawyers and tax advisors is also still unclear. Major efforts are therefore needed for the German legislator to make such a disclosure regime workable both for taxpayers/intermediaries and the tax administrations. It remains to be seen how the Commission proposal will be implemented into German law in 2018 and how tax structuring will be affected.

2.3 Tax – Voluntary Self-Disclosure to German Tax Authorities Becomes More Challenging

German tax law allows voluntary self-disclosure to correct or supplement an incorrect or incomplete tax return. Valid self-disclosure precludes criminal liability for tax evasion.
Such exemption from criminal prosecution, however, does not apply if the tax evasion has already been “detected” at the time of the self-disclosure and this is at least foreseeable for the taxpayer. On May 5, 2017, the German Federal Supreme Court (Bundesgerichtshof – BGH) further specified the criteria for voluntary self-disclosure to secure an exemption from criminal prosecution (BGH, 1 StR 265/16 – May 9, 2017). The BGH ruled that exemption from criminal liability might not apply if a foreign authority had already discovered the non- or underreported tax amounts prior to such self-disclosure. Underlying the decision of the BGH was the case of a German employee of a German defense company, who had received payments from a Greek business partner, but declared neither the received payments nor the resulting income in his tax declaration. The payment was a reward for his contribution in selling weapons to the Greek government. The Greek authorities learned of the payment to the German employee early in 2004 in the course of an anti-bribery investigation and obtained account statements proving the payment through intermediary companies and foreign banks. On January 6, 2014, the German employee filed a voluntary self-disclosure to the German tax authorities declaring the previously omitted payments. The respective German tax authority found that this self-disclosure was not submitted in time to exempt the employee from criminal liability. The issue in this case was by whom and at what moment in time the tax evasion needed to be detected in order to render self-disclosure invalid. The BGH ruled that the voluntary self-disclosure by the German employee was futile due to the fact that the payment at issue had already been detected by the Greek authorities at the time of the self-disclosure.
In this context, the BGH emphasized that it was not necessary for the competent tax authorities to have detected the tax evasion; it was sufficient if any other authority was aware of the tax evasion. The BGH made clear that this included foreign authorities. Thus, a prior detection is relevant if, on the basis of a preliminary assessment of the facts, a conviction is ultimately likely to occur. This requirement is met, for example, if it can be expected that the foreign authority that detected the incorrect, incomplete or omitted fact will forward this information to the German tax authorities, as in the case before the BGH. In particular, there was an international assistance procedure in place between the German and Greek tax authorities, and the way the payments were made, by using intermediaries and foreign banks, made it obvious to the Greek authorities that the relevant amounts had not been declared in Germany. Due to the media coverage of the case, this was also at least foreseeable for the German employee. This case is yet another cautionary tale for taxpayers not to underestimate the effects of increased international cooperation between tax authorities.

3. Financing and Restructuring

3.1 Financing and Restructuring – Upfront Banking Fees Held Void by German Federal Supreme Court

On July 4, 2017, the German Federal Supreme Court (Bundesgerichtshof – BGH) handed down two important rulings on the permissibility of upfront banking fees in German-law-governed loan agreements. According to the BGH, boilerplate clauses imposing handling, processing or arrangement fees on borrowers are void if included in standard terms and conditions (Allgemeine Geschäftsbedingungen). With this case, the court extended its prior rulings on consumer loans to commercial loans. The BGH argued that clauses imposing a bank’s upfront fee on a borrower fundamentally contradict the German statutory law concept that the consideration for granting a loan is the payment of interest.
If ancillary pricing arrangements (Preisnebenabreden) pass further costs and expenses on to the borrower, the borrower is unreasonably disadvantaged by the user (Verwender) of standard business terms, unless the additional consideration is agreed for specific services that go beyond the mere granting of the loan and the handling, processing or arrangement thereof. In the cases at hand, the borrowers were thus awarded repayment of the relevant fee. The implications of these rulings for the German loan market are far-reaching. The rulings affect all types of upfront fees for a lender’s services which are routinely passed on to borrowers even though they would otherwise be owed by the lender pursuant to statutory law, a regulatory regime or a contract, or which are performed in the lender’s own interest. Consequently, this covers fees imposed on the borrower for the risk assessment (Bonitätsprüfung), the valuation of collateral, expenses for the collection of information for the assessment of a borrower’s financing requirements and the like. At this stage, it is not yet certain whether, for example, agency fees or syndication fees could also be covered by the decision. There are, however, good arguments that services rendered in connection with a syndication are not otherwise legally or contractually owed by a lender. Upfront fees paid in the past, i.e. in 2015 or later, can be reclaimed by borrowers. The BGH applied the general statutory three-year limitation period and argued that the limitation period commenced at the end of 2011, after Higher District Courts (Oberlandesgerichte) had held upfront banking fees void in deviation from previous rulings. As of that time, borrowers should have been aware that a repayment claim for such fees was possible and could have filed a court action, even though the enforcement of the repayment was not risk-free.
Going forward, it can be expected that lenders will need to modify their approach as a result of the rulings. Choosing a foreign (i.e. non-German) law for a separate fee agreement could be an option for lenders, at least if either the lender or the borrower is domiciled in the relevant jurisdiction or if there is some other connection to the jurisdiction of the chosen law. If the loan is granted by a German lender to a German borrower, the choice of foreign law would also generally be recognized, but under EU conflict of law provisions mandatory domestic law (such as the German law on standard terms) would likely still continue to apply. In response to the ruling, lenders are also currently considering alternative fee structures. Firstly, the relevant costs and expenses underlying such fees are being factored into the calculation of the interest, and the borrower is then given the option to choose an upfront fee or a (higher) margin. This may, however, not always turn out to be practical, in particular given that a loan may be refinanced before it generates the equivalent interest income. Secondly, a fee could be agreed in a separate fee letter which specifically sets out services that go beyond the typical services a bank renders in its own interest. It may, however, be difficult to identify services which actually justify a fee. Finally, a lender might charge typical upfront fees following genuine individual negotiations. This requires that the lender not only shows that it was willing to negotiate the amount of the relevant fee, but also that it was generally willing to forego the typical upfront fee entirely. However, if the borrower rejects the upfront fee, the lender still needs to rely on alternative fee arrangements. Further elaboration by the courts and market practice should be closely monitored by lenders and borrowers alike.
3.2 Financing and Restructuring – Lingering Uncertainty about Tax Relief for Restructuring Profits

Ever since the German Federal Ministry of Finance issued an administrative order in 2003 (“Restructuring Order”), the restructuring of distressed companies has benefited from tax relief for income tax on “restructuring profits”. In Germany, restructuring profits arise as a consequence of debt-to-equity swaps or debt waivers with regard to the portion of such debt that is unsustainable. Debtors and creditors typically ensured the application of the Restructuring Order by way of a binding advance tax ruling by the tax authorities, thus providing legal certainty in distressed debt scenarios for the parties involved. However, in November 2016, the German Federal Tax Court (Bundesfinanzhof – BFH) put an end to such preferential treatment of restructuring profits. The BFH held the Restructuring Order to be void, arguing that the Federal Ministry of Finance had lacked the authority to issue the Restructuring Order. It held that such a measure would need to be adopted by the German legislator instead. The Ministry of Finance and the German restructuring market reacted with concern. As an immediate response to the ruling, the Ministry of Finance issued a further order on April 27, 2017 (“Continuation Order”) to the effect that the Restructuring Order continued to apply in all cases in which creditors finally and with binding effect waived claims on or before February 8, 2017 (the date on which the ruling of the Federal Tax Court was published). But the battle continued. In August 2017, the Federal Tax Court also set aside this order for lack of authority on the part of the Federal Ministry of Finance.
In the meantime, the German Bundestag and the Bundesrat have passed legislation on tax relief for restructuring profits, but the German tax relief legislation will only enter into force once the European Commission issues a certificate of non-objection confirming the new German statutory tax relief’s compliance with EU restrictions on state aid. This leaves uncertainty as to whether the new law will enter into force in its current wording, and when. Also, the new legislation will only cover debt waivers/restructuring profits arising after February 8, 2017 and at this stage does not provide for the treatment of cases before that time. In the absence of the 2003 Restructuring Order and the 2017 Continuation Order, tax relief would only be possible on the basis of equitable relief in exceptional circumstances. It appears obvious that no reliable restructuring concept can be based on potential equitable relief. Thus, it is advisable to look out for alternative structuring options in the interim. Subordination of debt: while this may eliminate an insolvency filing requirement for illiquidity or over-indebtedness, the debt continues to exist. This may make it difficult for the debtor to obtain financing in the future. In certain circumstances, a carve-out of the assets together with a sustainable portion of the debt into a new vehicle, while leaving behind and subordinating the remainder of the unsustainable portion of the debt, could be a feasible option. As the debt subsists, a silent liquidation of the debtor may not be possible considering the lingering tax burden on restructuring profits. Also, any such carve-out measures by which the debtor is stripped of assets may be challenged in the case of a later insolvency of the debtor. A debt hive-up without recourse may be a possible option, but a shareholder or its affiliates are not always willing to assume the debt.
Also, as the tax authorities have not issued any guidelines on the tax treatment of debt hive-ups, a binding advance tax ruling from the tax authorities should be obtained before the debt hive-up is executed. Still, a debt hive-up could be an option if the replacement debtor is domiciled in a jurisdiction which does not impose detrimental tax consequences on the waiver of unsustainable debt. Converting the debt into a hybrid instrument which constitutes debt for German tax purposes and equity from a German GAAP perspective is no longer feasible. Pursuant to a tax decree from May 2016, the tax authorities argue that the creation of a hybrid instrument amounts to a taxable waiver of debt on the basis that tax accounting follows commercial accounting. It follows that, irrespective of potential alternative structures which may suit a specific set of facts and circumstances, restructuring transactions in Germany continue to be challenging pending the entry into force of the new tax relief legislation.

4. Labor and Employment

4.1 Labor and Employment – Defined Contribution Schemes Now Allowed

In an effort to promote company pension schemes and to allow more flexible investments, the German Company Pension Act (Betriebsrentengesetz – BetrAVG) was amended considerably with effect as of January 1, 2018. The most salient novelty is the introduction of a purely defined contribution pension scheme, which had not been permitted in the past. Until now, the employer would always be ultimately liable for any kind of company pension scheme irrespective of the vehicle it was administered through. This is no longer the case with the newly introduced defined contribution scheme. The defined contribution scheme also entails considerable other easements for employers, e.g. pension adjustment obligations and the requirement of insolvency insurance no longer apply.
As a consequence, a company offering a defined contribution pension scheme does not have to deal with the intricacies of providing a suitable investment to fulfil its pension promise, but will have met its duty in relation to the pension simply by paying the promised contribution (“pay and forget”). However, the introduction of such defined contribution schemes requires a legal basis either in a collective bargaining agreement (with a trade union) or in a works council agreement, if the union agreement so allows. If these requirements are met, though, the new legal situation brings relief not only for employers offering company pension schemes but also for potential investors into German businesses, for whom the German-specific defined benefit schemes have always been a great burden.

4.2 Labor and Employment – Federal Labor Court Facilitates Compliance Investigations

In a decision much acclaimed by the business community, the German Federal Labor Court (Bundesarbeitsgericht – BAG) held that intrusive investigative measures by companies against their employees do not necessarily require a suspicion of a criminal act by an employee; rather, less severe forms of misconduct can also trigger compliance investigations against employees (BAG, 2 AZR 597/16 – June 29, 2017). In the case at hand, an employee had taken sick leave, but during his sick leave proceeded to work for the company owned by his sons, which happened to be competing against his current employer. After customers had dropped corresponding hints, the company assigned a detective to ascertain the employee’s violation of his contractual duties and subsequently fired the employee based on the detective’s findings. In the dismissal protection trial, the employee argued that German law only allowed such intrusive investigation measures if criminal acts were suspected. This restriction was, however, rejected by the BAG.
This judgment ends a heated debate about the permissibility of internal investigation measures in the case of compliance violations. However, employers should always adhere to a last-resort principle when investigating possible violations. For instance, employees must not be seamlessly monitored at their workplace by way of a so-called “key logger”, as the Federal Labor Court held in a different decision (BAG, 2 AZR 681/16 – July 27, 2017). Also, employers should keep in mind a recent ruling of the European Court of Human Rights of September 5, 2017 (ECHR, 61496/08). Accordingly, the workforce should be informed in advance that and how their email correspondence at the workplace can be monitored.

5. Real Estate

Real Estate – Invalidity of Written Form Remediation Clauses for Long-term Lease Agreements

On September 27, 2017, the German Federal Supreme Court (Bundesgerichtshof – BGH) ruled that so-called “written form remediation clauses” (Schriftformheilungsklauseln) in lease agreements are invalid because they are incompatible with the mandatory provisions of section 550 of the German Civil Code (Bürgerliches Gesetzbuch – BGB; BGH, XII ZR 114/16 – September 27, 2017). The written form for lease agreements requires that all material agreements concerning the lease, in particular the lease term, identification of the leased premises and the rent amount, must be made in writing. If a lease agreement entered into for a period of more than one year does not comply with this written form requirement, mandatory German law allows either lease party to terminate the lease agreement with the statutory notice period, irrespective of whether or not a fixed lease term was agreed upon. The statutory notice period for commercial lease agreements is six months (less three business days) to the end of any calendar quarter.
To avoid the risk of termination for non-compliance with the written form requirement, German commercial lease agreements regularly contain a general written form remediation clause. Pursuant to such a clause, the parties to the lease agreement undertake to remediate any defect in the written form upon request of one of the parties. While such general written form remediation clauses were upheld in several decisions by various Higher District Courts (Oberlandesgerichte) in the past, the BGH had already rejected the validity of such clauses vis-à-vis the purchasers of real property in 2014. With this new decision, the BGH has gone one step further and denied the validity of general written form remediation clauses altogether. Only in exceptional circumstances are the lease parties not entitled to invoke the non-compliance with the written form requirement, on account of a breach of the good faith principle. Such exceptional circumstances may exist, for example, if the other party faced insolvency if the lease were terminated early as a result of the non-compliance, or if the lease parties had agreed in the lease agreement to remediate that specific written form defect. This new decision of the BGH forces the parties to long-term commercial lease agreements to put even greater emphasis on ensuring that their lease agreements comply with the written form requirement at all times, because remediation clauses as a potential second line of defense no longer apply. Likewise, the due diligence process in German real estate transactions will have to focus even more on the compliance of lease agreements with the written form requirement.

6. Data Protection

Data Protection – Employee Data Protection Under New EU Regulation

After a two-year transition period, the EU General Data Protection Regulation (“GDPR”) will enter into force on May 25, 2018.
The GDPR has several implications for data protection law covering German employees, which is already very strictly regulated. For example, under the GDPR any handling of personnel data by the employer requires a legal basis. In addition to statutory laws or collective agreements, another possible legal basis is the employee’s explicit written consent. The transfer of personnel data to a country outside of the European Union (“EU”) will have to comply with the requirements prescribed by the GDPR. If the target country has not been regarded by the EU Commission as having an adequate data protection level, additional safeguards will be required to protect the personnel data upon transfer outside of the EU. Otherwise, a data transfer is generally not permitted. The most threatening consequence of the GDPR is the introduction of a new sanctions regime. It now allows fines against companies of up to 4% of the entire group’s revenue worldwide. Consequently, these new features, especially the drastic new sanctions regime, call for assessments of, and adequate changes to, existing compliance management systems with regard to data protection issues.

7. Compliance

7.1 Compliance – Misalignment of International Sanction Regimes Requires Enhanced Attention to the EU Blocking Regulation and the German Anti-Boycott Provisions

The Trump administration has been very active in broadening the scope and reach of the U.S. sanctions regime, most recently with the implementation of the “Countering America’s Adversaries Through Sanctions Act (H.R. 3364) (‘CAATSA’)” on August 2, 2017 and the guidance documents that followed. CAATSA includes significant new law codifying and expanding U.S. sanctions on Russia, North Korea, and Iran. The European Union (“EU”) has not followed suit. Moreover, the EU and European leaders openly stated their frustration about both a perceived lack of consultation during the process and the substance of the new U.S. sanctions.
Specifically, the EU and European leaders are concerned about the fact that CAATSA authorizes secondary sanctions on any person supporting a range of activities. Among these are the development of Russian energy export pipeline projects, certain transactions with the Russian intelligence or defense sectors, or investing in or otherwise facilitating privatizations of Russia’s state-owned assets that unjustly benefit Russian officials or their close associates or family members. The U.S. sanctions regime differentiates between primary sanctions, which apply to U.S. persons (U.S. citizens, permanent U.S. residents and companies under U.S. jurisdiction) and U.S. origin goods, and secondary sanctions, which expand the reach of U.S. sanctions by penalizing non-U.S. persons for their involvement in certain targeted activities. Secondary sanctions can take many forms but generally operate by restricting, or threatening to restrict, non-U.S. persons’ access to the U.S. market, including its global financial institutions. European, and especially export-heavy and internationally operating German, companies are thus facing a dilemma. While they have to fear possible U.S. secondary sanctions for not complying with U.S. regulations, potential penalties also loom from European member state authorities when doing so. These problems are grounded in European and German legislation aimed at protecting from and counteracting financial and economic sanctions issued by countries outside of the EU and Germany, unless such sanctions are themselves authorized under relevant UN, European, and German sanctions legislation. On the European level, Council Regulation (EC) No 2271/96 of November 22, 1996, as amended (“EU Blocking Regulation”), is aimed at protecting European persons against the effects of the extra-territorial application of laws, such as certain U.S. sanctions directed at Cuba, Iran and Libya.
Furthermore, it also aims to counteract the effects of the extra-territorial application of such sanctions by prohibiting European persons from complying with any requirement or prohibition, including requests of foreign courts, based on or resulting, directly or indirectly, from such U.S. sanctions. For companies subject to German jurisdiction, section 7 of the German Foreign Trade and Payments Ordinance (Außenwirtschaftsverordnung – AWV) states that “[t]he issuing of a declaration in foreign trade and payments transactions whereby a resident participates in a boycott against another country (boycott declaration) shall be prohibited” to the extent such a declaration would be contradictory to UN, EU and German policy. With the sanctions regime on the one hand and the blocking legislation at EU and German level on the other hand, committing to full compliance with U.S. sanctions whilst falling within German jurisdiction could be deemed a violation of the AWV. Violating the AWV can lead to fines by the German authorities and, under German civil law, might render the relevant contractual provision invalid. For companies conducting business transactions on a global scale, the developing non-alignment of U.S. and European/German sanctions requires special attention. Specifically, covenants with respect to compliance with U.S. or other non-EU sanctions should be reviewed and carefully drafted in light of the diverging developments of U.S. and other non-EU sanctions on the one hand and European/German sanctions on the other hand.

7.2 Compliance – Restated (Anti-) Money Laundering Act – Significant New Requirements for the Non-Financial Sector and Goods Traders

On June 26, 2017, the restated German Money Laundering Act (Geldwäschegesetz – GWG), which transposes the 4th European Anti-Money Laundering Directive (Directive (EU) 2015/849 of the European Parliament and of the Council) into German law, became effective.
While the scope of businesses that are required to conduct anti-money laundering procedures remains generally unchanged, the GWG introduced a number of new requirements, in particular for non-financial businesses, and significantly increases the sanctions for non-compliance with these obligations. The GWG now extends anti-money laundering (“AML”) risk management concepts previously known from the financial sector to non-financial businesses, including goods traders. As a matter of principle, all obliged businesses are now required to undertake a written risk analysis for their business and to have in place internal risk management procedures proportionate to the type and scope of the business and the risks involved, in order to effectively mitigate and manage the risks of money laundering and terrorist financing. In case the obliged business is the parent company of a group, a group-wide risk analysis and group-wide risk management procedures are required, covering subsidiaries worldwide which also engage in relevant businesses. The risk analysis must be reviewed regularly, updated if required and submitted to the supervisory authority upon request. Internal risk management procedures include, in particular, client due diligence (“know-your-customer”), which requires the identification and verification of customers, of persons acting on behalf of customers, and of beneficial owners of the customer (see also section 1.1 above on the Transparency Register). In addition, staff must be monitored for their reliability and trained regularly on methods and types of money laundering and terrorist financing and on the applicable legal obligations under the GWG as well as data protection law, and whistle-blowing systems must be implemented.
Furthermore, businesses of the financial and insurance sector as well as providers of gambling services must appoint a money laundering officer (“MLO”) at senior management level as well as a deputy, who are responsible for ensuring compliance with AML rules. Other businesses may also be ordered by their supervisory authority to appoint an MLO and a deputy. Goods traders, including conventional industrial companies, are subject to the AML requirements under the GWG irrespective of the type of goods they are trading in. However, some of the requirements either do not apply or are significantly eased. Goods traders must only conduct a risk analysis and have in place internal AML risk management procedures if they accept or make (!) cash payments of EUR 10,000 or more. Furthermore, client due diligence is only required with respect to transactions in which they make or accept cash payments of EUR 10,000 or more, or in case there is a suspicion of money laundering or terrorist financing. Suspicious transactions must be reported to the Financial Intelligence Unit (“FIU”) without undue delay. As a result, low-cash or cash-free goods traders are also well advised to train their staff to enable them to detect suspicious transactions, and to have in place appropriate documentation and reporting lines to make sure that suspicious transactions are filed with the FIU. Non-compliance with the GWG obligations can be punished with administrative fines of up to EUR 100,000. Serious, repeated or systematic breaches may even trigger sanctions up to the higher fine threshold of EUR 1 million or twice the economic benefit of the breach. For the financial sector, even higher fines of up to the higher of EUR 5 million or 10% of the total annual turnover are possible. Furthermore, offenders will be published with their names by the relevant supervisory authorities (“naming and shaming”).
Relevant non-financial businesses are thus well advised to review their existing AML compliance system in order to ensure that the new requirements are covered. For goods traders, prohibiting cash transactions of EUR 10,000 or more and implementing appropriate safeguards to ensure that the threshold is not circumvented by splitting a transaction into various smaller sums is a first and vital step. Furthermore, holding companies, i.e. businesses which mainly acquire and hold participations (e.g. certain private equity companies), must keep in mind that enterprises qualifying as a “finance enterprise” within the meaning of section 1 (3) of the German Banking Act (Kreditwesengesetz – KWG) are subject to the GWG with no exemptions.

7.3 Compliance – Protection of the Attorney Client Privilege in Germany Remains Unusual

The constitutional complaint (Verfassungsbeschwerde) brought by Volkswagen AG’s external legal counsel requesting the return of work product prepared during the internal investigation for Volkswagen AG remains pending before the German Federal Constitutional Court (Bundesverfassungsgericht – BVerfG). The Munich public prosecutors had seized these documents in a dawn raid of the law firm’s offices. While the BVerfG has granted injunctive relief (BVerfG, 2 BvR 1287/17, 2 BvR 1583/17 – July 25, 2017) and ordered the authorities, pending a decision on the merits of the case, to refrain from reviewing the seized material, this case is a timely reminder that the concept of the attorney client privilege in Germany is very different to that in common law jurisdictions. In a nutshell: In-house lawyers do not enjoy legal privilege. Material that would otherwise be privileged can be seized on the client’s premises – with the exception of correspondence with and work product from / for criminal defense counsel.
The German courts are divided on the question of whether corporate clients can already appoint criminal defense counsel as soon as they are concerned that they may be the target of a future criminal investigation, or only when they have been formally made the subject of such an investigation. Searches and seizures at a law firm, however, are a different matter. A couple of years ago, the German legislator changed the German Code of Criminal Procedure (Strafprozessordnung – StPO) to give attorneys in general, not only criminal defense counsel, more protection against investigative measures (section 160a StPO). Despite this legislation, the first and second instance judges involved in the matter decided in favor of the prosecutors. As noted above, the German Federal Constitutional Court has put an end to this, at least for now. According to the court, the complaints of the external legal counsel and its clients were not “obviously without any merits” and, therefore, needed to be considered in the proceedings on the merits of the case. In order not to moot these proceedings, the court ordered the prosecutors to desist from a review of the seized material, and put it under seal until a full decision on the merits is available. In the interim period, the interest of the external legal counsel and its clients in protecting the privilege outweighed the public interest in a speedy criminal investigation. At this stage, it is unclear when and how the court will decide on the merits.

7.4 Compliance – The European Public Prosecutor’s Office Will Be Established – Eventually

After approximately four years of discussions, 20 out of the 28 EU member states agreed in June 2017 on the creation of a European Public Prosecutor’s Office (“EPPO”). In October, the relevant member states adopted the corresponding regulation (Regulation (EU) 2017/1939 – “Regulation”).
The EPPO will be in charge of investigating, prosecuting and bringing to justice the perpetrators of offences against the EU’s financial interests. The EPPO is intended to be a decentralized authority, which operates via and on the basis of European Delegated Prosecutors located in each member state. The central office in Luxembourg will have a European Chief Prosecutor supported by 20 European Prosecutors, as well as technical and investigatory staff. While EU officials praise this Regulation as an “important step in European justice cooperation”, it remains to be seen whether this really is a measure which ensures that “criminals [who] act across borders […] are brought to justice and […] taxpayers’ money is recovered” (U. Reinsalu, Estonian Minister of Justice). It will take at least until 2020 before the EPPO is established, and criminals will certainly not restrict their activities to the territories of those 20 countries which will cooperate under the new authority (being: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Estonia, Germany, Greece, Finland, France, Italy, Latvia, Lithuania, Luxembourg, Portugal, Romania, Slovenia, Slovakia and Spain). In addition, as the national sovereignty of the EU member states in judicial matters remains completely intact, the EPPO will not truly investigate “on the ground”, but will mainly assume a coordinating role. Last but not least, its jurisdiction will be limited to “offences against the EU’s financial interests”, in particular criminal VAT evasion, subsidy fraud and corruption involving EU officials. Strong enforcement, at least prima facie, looks different. To end on a positive note, however: the new body is certainly an improvement on the status quo, in which the local prosecutors from 28 member states often lack coordination and team spirit.
7.5 Compliance – Court Allows for Reduced Fines in Compliance Defense Case

The German Federal Supreme Court (Bundesgerichtshof – BGH) handed down a decision recognizing for the first time that a company’s implementation of a compliance management system (“CMS”) constitutes a mitigating factor for the assessment of fines imposed on such a company where violations committed by its employees are imputed to the company (BGH, 1 StR 265/16 – May 9, 2017). According to the BGH, not only should the implementation of a compliance management system at the time of the detection of the offense be considered, but the court may also take into account subsequent efforts of a company to enhance its respective internal processes that were found deficient. The BGH held that such remediation measures can be considered as a mitigating factor when assessing the amount of fines if they are deemed suitable to “substantially prevent an equivalent violation in the future.” The BGH’s ruling has finally clarified the highest German court’s views on a long-lasting discussion about whether establishing and maintaining a CMS may limit a company’s liability for legal infringements. The recognition of a company’s efforts to establish, maintain and improve an effective CMS should encourage companies to continue working on their compliance culture, processes and systems. Similarly, management’s efforts to establish, maintain and enhance a CMS, and to conduct timely remediation measures upon becoming aware of deficiencies in the CMS, may become relevant factors when assessing the potential civil liability exposure of corporate executives pursuant to section 43 of the German Limited Liability Companies Act (Gesetz betreffend Gesellschaften mit beschränkter Haftung – GmbHG) and section 93 of the German Stock Companies Act (Aktiengesetz – AktG). Consequently, the implications of this landmark decision are important both for corporations and their senior executives.

8. Antitrust and Merger Control

In 2017, the German Federal Cartel Office (Bundeskartellamt – BKartA) examined about 1,300 merger filings, imposed fines in the amount of approximately EUR 60 million on companies for cartel agreements and conducted several infringement proceedings. On June 9, 2017, the ninth amendment to the German Act against Restraints of Competition (Gesetz gegen Wettbewerbsbeschränkungen – GWB) came into force. The most important changes concern the implementation of the European Damages Directive (Directive 2014/104/EU of the European Parliament and of the Council of November 26, 2014), but a new merger control threshold was also introduced into law.

Implementation of the European Damages Directive

The amendment introduced various procedural facilitations for claimants in civil cartel damage proceedings. There is now a rebuttable presumption in favor of cartel victims that a cartel caused damage. However, the claimant still has the burden of proof regarding the often difficult-to-prove questions of whether it was actually affected by the cartel and of the amount of damages attributable to the infringement. The implemented passing-on defense allows indirect customer claimants to prove that they suffered damages from the cartel – even if not direct customers of the cartel members – because the intermediary was presumably able to pass on the cartel overcharge to its own customers (the claimants). The underlying rebuttable presumption that overcharges were passed on is not available in the relationship between the cartel member and its direct customer, because the passing-on defense must not benefit the cartel members. In deviation from general principles of German civil procedural law, according to which each party has to produce the relevant evidence for the facts it relies on, the GWB amendment has significantly broadened the scope for requesting disclosure of documents.
The right to request disclosure from the opposing party now to a certain degree resembles discovery proceedings in Anglo-American jurisdictions and has therefore also been referred to as “discovery light”. However, the documents still need to be identified as precisely as possible and the request must be reasonable, i.e., not place an undue burden on the opposing party. Documents can also be requested from third parties. Leniency applications and settlement documents are not captured by the disclosure provisions. Furthermore, certain exceptions to the principle of joint and several liability of cartelists for damage claims were implemented in relation to (i) internal regress against small and medium-sized enterprises, (ii) leniency applicants, and (iii) settlements between cartelists and claimants. In the latter case, non-settling cartelists may not recover contribution for the remaining claim from settling cartelists. Finally, the regular limitation period for antitrust damages claims has been extended from three to five years.

Cartel Enforcement and Corporate Liability

Parent companies can now also be held liable for their subsidiary’s anti-competitive conduct under the GWB even if they were not party to the infringement themselves. The crucial factor – comparable to existing European practice – is the exercise of decisive control. Furthermore, legal universal successors and economic successors of the infringer can also be held liable for cartel fines. This prevents companies from escaping cartel fines by restructuring their business.

Publicity

The Bundeskartellamt has further been assigned the duty to inform the public about decisions on cartel fines by publishing details about such decisions on its webpage.
Taking into account recent efforts to establish a competition register for public procurement procedures, companies will face increased public attention for competition law infringements, which may result in infringers being barred from public or private contracting.

Whistleblower Hotline

Following the example of the Bundeskartellamt and other antitrust authorities, the European Commission (“Commission”) has implemented a whistleblowing mailbox. The IT-based system, operated by an external service provider, allows anonymous tips to, or bilateral exchanges with, the Commission – in particular to strengthen its cartel enforcement activities. The hope is that the whistleblower hotline will add to the Commission’s enforcement strength and will balance out a potential decrease in leniency applications, as companies applying for leniency increasingly face the risk of private cartel damage litigation once the cartel has been disclosed.

Merger Control Thresholds

To provide for control over transactions that do not meet the current thresholds but may nevertheless have a significant impact on the domestic market (in particular in the digital economy), a “size of transaction test” was implemented; mergers with a purchase price or other consideration in excess of EUR 400 million now require approval by the Bundeskartellamt if at least two parties to the transaction achieve at least EUR 25 million and EUR 5 million in domestic turnover, respectively. Likewise, a similar threshold was established in Austria (EUR 200 million consideration plus a domestic turnover of at least EUR 15 million). The concept of ministerial approval (Ministererlaubnis), i.e., an extra-judicial instrument for the Minister of Economic Affairs to exceptionally approve mergers prohibited by the Bundeskartellamt, has been reformed by accelerating and substantiating the process.
In May 2017, the Bundeskartellamt published guidance on remedies in merger control, making the assessment of commitments more transparent. Remedies such as the acceptance of conditions (Bedingungen) and obligations (Auflagen) can facilitate clearance of a merger even if the merger actually fulfils the requirements for a prohibition. The English version of the guidance is available at: http://www.bundeskartellamt.de/SharedDocs/Publikation/EN/Leitlinien/Guidance%20on%20Remedies%20in%20Merger%20Control.html?nn=3600108.

Case Law

Finally, on January 26, 2017, there was a noteworthy decision by the Higher District Court of Düsseldorf (OLG Düsseldorf, Az. V-4 Kart 4/15 OWI – January 26, 2017; not yet final): the court confirmed a decision of the Bundeskartellamt that had imposed fines on several sweets manufacturers for exchanging competitively sensitive information, and even increased the fines. This case demonstrates the different approach taken by courts in calculating cartel fines based on group turnover instead of revenues achieved in the German market.

The following Gibson Dunn lawyers assisted in preparing this client update: Birgit Friedl, Marcus Geiss, Jutta Otto, Silke Beiter, Peter Decker, Ferdinand Fromholzer, Daniel Gebauer, Kai Gesing, Franziska Gruber, Johanna Hauser, Maximilian Hoffmann, Markus Nauheim, Richard Roeder, Katharina Saulich, Martin Schmid, Sebastian Schoon, Benno Schwarz, Michael Walther, Finn Zeidler, Mark Zimmer and Caroline Ziser Smith.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding the issues discussed in this update. The two German offices of Gibson Dunn in Munich and Frankfurt bring together lawyers with extensive knowledge of corporate / M&A, financing, restructuring and bankruptcy, tax, labor, real estate, antitrust, intellectual property law and extensive compliance / white collar crime experience.
The German offices comprise seasoned lawyers with a breadth of experience who have assisted clients in various industries and in jurisdictions around the world. Our German lawyers work closely with the firm’s practice groups in other jurisdictions to provide cutting-edge legal advice and guidance in the most complex transactions and legal matters. For further information, please contact the Gibson Dunn lawyer with whom you work or any of the following members of the German offices:

General Corporate, Corporate Transactions and Capital Markets
Lutz Englisch (+49 89 189 33 150, lenglisch@gibsondunn.com)
Markus Nauheim (+49 89 189 33 122, mnauheim@gibsondunn.com)
Ferdinand Fromholzer (+49 89 189 33 170, ffromholzer@gibsondunn.com)
Dirk Oberbracht (+49 69 247 411 510, doberbracht@gibsondunn.com)
Wilhelm Reinhardt (+49 69 247 411 520, wreinhardt@gibsondunn.com)
Birgit Friedl (+49 89 189 33 180, bfriedl@gibsondunn.com)
Silke Beiter (+49 89 189 33 170, sbeiter@gibsondunn.com)
Marcus Geiss (+49 89 189 33 122, mgeiss@gibsondunn.com)
Annekatrin Pelster (+49 69 247 411 521, apelster@gibsondunn.com)

Finance, Restructuring and Insolvency
Sebastian Schoon (+49 89 189 33 160, sschoon@gibsondunn.com)
Birgit Friedl (+49 89 189 33 180, bfriedl@gibsondunn.com)
Marcus Geiss (+49 89 189 33 122, mgeiss@gibsondunn.com)

Tax
Hans Martin Schmid (+49 89 189 33 110, mschmid@gibsondunn.com)

Labor Law
Mark Zimmer (+49 89 189 33 130, mzimmer@gibsondunn.com)

Real Estate
Peter Decker (+49 89 189 33 115, pdecker@gibsondunn.com)
Daniel Gebauer (+49 89 189 33 115, dgebauer@gibsondunn.com)

Technology Transactions / Intellectual Property / Data Privacy
Michael Walther (+49 89 189 33 180, mwalther@gibsondunn.com)
Kai Gesing (+49 89 189 33 180, kgesing@gibsondunn.com)

Corporate Compliance / White Collar Matters
Benno Schwarz (+49 89 189 33 110, bschwarz@gibsondunn.com)
Michael Walther (+49 89 189 33 180, mwalther@gibsondunn.com)
Mark Zimmer (+49 89 189 33 130, mzimmer@gibsondunn.com)
Finn Zeidler (+49 69 247 411 530, fzeidler@gibsondunn.com)

Antitrust and Merger Control
Michael Walther (+49 89 189 33 180, mwalther@gibsondunn.com)
Kai Gesing (+49 89 189 33 180, kgesing@gibsondunn.com)

© 2018 Gibson, Dunn & Crutcher LLP, 333 South Grand Avenue, Los Angeles, CA 90071

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

December 30, 2017 |
Cybersecurity & Critical Infrastructure

Washington, D.C. associate Melinda Biancuzzo is the author of “Cybersecurity & Critical Infrastructure,” [PDF] published by Thomson Reuters Briefing Papers in December 2017.

December 18, 2017 |
The Beginning of the End, or the End of the Beginning? The General Court’s Ruling in the Coty Case

On 6 December 2017, the European Court of Justice (the “ECJ”) delivered a landmark Judgment in the Coty Case,[1] issuing a Preliminary Ruling in response to a series of questions posed by the Higher Regional Court of Frankfurt am Main in Germany.[2] In its Ruling, the ECJ confirmed that the manufacturer of ‘luxury’ goods was permitted to require distributors of its products that formed part of a so-called “selective distribution network” to refrain from selling its luxury goods on certain online marketplaces such as Amazon and eBay, at least insofar as such a requirement was directed towards supporting the luxury nature of its product. While the ECJ Ruling undoubtedly constitutes a major victory for the luxury goods industry, a number of open issues as to enforcement policy remain, which suggest that the precedent leaves as many implementation questions open as it closes doctrinal disputes.

The Facts

The case arose from a dispute between the German operations of luxury perfume producer Coty and one of the distributors in its selective distribution network, Parfümerie Akzente. Coty sought to prevent Parfümerie Akzente from selling the contract luxury goods over the online platform ‘Amazon.de’. In doing so, Coty did not go so far as to prohibit the sale of such products over the Internet via the retailer’s own online store (‘electronic shop window’), nor did it impose any additional problematic constraints on the retailer’s ability to sell via the more traditional “bricks and mortar” distribution chain. However, Coty did seek to prohibit sales via third party websites, given its concern that such third party online sales diminished the premium quality otherwise associated with its products and brand by consumers.

Issues Before the National Courts

When Parfümerie Akzente did not accept the imposition of such a restriction, Coty brought a case against the reseller, which it lost at first instance.
On appeal, the Frankfurt Higher Regional Court was unsure whether the contractual prohibition was compatible with Article 101(1) of the Treaty on the Functioning of the European Union (‘TFEU’)[3] and the so-called Vertical Block Exemption Regulation (‘VBER’).[4] Article 101(1) TFEU inter alia prohibits horizontal and vertical anti-competitive agreements and concerted practices. While the VBER exempts from the prohibition of Article 101(1) TFEU those vertical agreements between a supplier and its selected resellers where the market shares of those parties fall below 30%, such an exemption does not extend to an agreement which contains a so-called ‘hardcore’ restriction of competition.[5] In hearing the appeal, the Frankfurt Court sought guidance from the ECJ on a number of legal questions relating to the interpretation of EU competition law, including whether: (i) a selective distribution system (such as that operated by Coty) is compatible with Article 101(1) TFEU if its main purpose is to preserve the ‘luxury image’ of high-end goods; (ii) an outright platform ban is compatible with Article 101(1) TFEU, irrespective of whether the quality standards of the supplier would be impaired in each particular instance; and (iii) a platform ban constitutes a ‘hardcore’ restriction, as defined in the VBER.
The ECJ’s Judgment

In its Judgment, the ECJ largely followed the Opinion of Advocate General Wahl, who delivered his Opinion in the Case in July 2017.[6] As regards the first question, the ECJ reiterated the principle that a vertical distribution agreement did not violate Article 101(1) TFEU as long as the so-called ‘Metro criteria’ were fulfilled.[7] The satisfaction of these criteria requires that: (i) resellers be entitled to distribute the goods on the basis of objective criteria of a qualitative nature, laid down uniformly for all potential resellers and applied in a non-discriminatory fashion; (ii) the characteristics of the product in question necessitate the use of such a network in order to preserve their quality; and, finally, (iii) the criteria laid down do not go beyond what is necessary.[8] The ECJ confirmed that the quality of luxury goods was to be determined ‘by the allure and prestigious image which bestow on them an aura of luxury’ and that the creation and maintenance of this aura was essential insofar as it allowed consumers to distinguish them from similar goods. An impairment of that aura of luxury was also likely to affect the actual quality of the goods in the eyes of the consumer.[9] Establishing a distribution system that ensured that the products were presented in a way that is reflective of their value was thus also considered to contribute to their special aura.[10] Based on this logic, the ECJ concluded that a selective distribution system might be necessary to preserve the contract product’s luxury image, and was hence compatible with Article 101(1) TFEU.[11] Importantly, the ECJ dismissed the argument that the Pierre Fabre Case suggested a different approach.
In Pierre Fabre, the Court took the view that a specific clause banning online sales was incompatible with competition law rules, given that it imposed an outright ban on all sales of the manufacturer’s product over the Internet.[12] The situation in Coty was different, as it concerned the fundamental legality of a selective distribution system with regard to luxury products. Moreover, Pierre Fabre concerned cosmetic and body hygiene products, namely, non-luxury products that might not be associated with luxury in the consumer’s mind. The need to preserve the goods’ prestigious image was therefore found not to constitute a legitimate requirement for the purpose of justifying a comprehensive prohibition on sales via the Internet.[13]

As regards the second question, the Court held that the clause banning sales over third party platforms had to be measured against the ‘Metro criteria’. The question at issue was whether such a ban was appropriate to preserve the luxury image of the goods in question and whether it went beyond what was necessary in the circumstances to achieve this objective.[14] As regards the appropriateness criterion, the ECJ stated that an obligation to sell only through the retailers’ own online shops provided the supplier with a guarantee that the sold goods would only be associated with the authorized retailer, which would in turn help to preserve the quality and luxury image of those goods.[15] This was true also in light of the fact that, on online market platforms, all kinds of goods were sold.[16] Moreover, only the direct contractual relationship with the retailer enabled the supplier to enforce quality conditions; if goods were to be distributed over third party platforms, there would be no such relationship.[17] Given that distributors were generally still allowed to sell online through their own webshops (which still constituted the main online distribution channel and were operated by over 90% of distributors), the prohibition was also found to be proportional, in that it did not go beyond what was necessary to achieve the object of preserving their luxury image.[18] Accordingly, the ECJ responded to the second question by concluding that the outright platform ban did not violate Article 101(1) TFEU in the circumstances, given the widespread availability of luxury goods through online means. Finally, the ECJ ruled that, with regard to the third question, the ban on sales over a particular platform did not constitute a hardcore restriction.[19] In this regard, the ECJ Ruling runs counter to the 2015 Decision of the German Cartel Office (Bundeskartellamt) in the Asics Case, in which it was found (as later confirmed by the Higher Regional Court of Düsseldorf) that a ban on third party platforms, even if required in the context of a selective distribution network, violated both the terms of Article 101 TFEU and the relevant VBER provisions.[20]

Conclusions

The ECJ Ruling, which now forms part of the corpus of German law, at first glance appears to sit uncomfortably against the decision-making of the Bundeskartellamt and the Regional Court’s Judgment in Asics. However, the positions can be reconciled because the ratio decidendi of the Coty Case is limited only to ‘luxury products’. It was the particular nature of these products which led the ECJ to rule that a platform ban was justified, given that the ‘luxury aura’ of these products might otherwise be compromised. By comparison, the running shoes in the Asics Case were merely considered to connote a particular level of quality. Thus, it would appear that the Rulings of the ECJ and the German authorities may be reconciled by reference to the distinction drawn between luxury goods and other goods.[21] However, the Advocate General had explicitly held that both luxury and quality products could, subject to the satisfaction of the “Metro criteria”, justify the use of a distribution system which is compatible with Article 101(1) TFEU.
The ECJ took a narrower approach, focusing solely on the ‘luxury’ character of Coty’s products as the only determinant of whether the online platform restriction was legal. It hence remains unclear whether the Ruling can also be applied to merely higher ‘quality’ products that fall short of more widely understood notions of ‘luxury’. It seems the ECJ has missed the opportunity to draw a more explicit line between those products which can benefit from a selective distribution system and those that cannot. One can hardly argue that luxury products, which usually require heavy investments in marketing, skilled staff, breadth of selection of product ranges and décor, do not justify favourable treatment under EU competition rules.[22] Having said that, where does one draw the line between Coty’s luxury cosmetics products and the supposedly unluxurious beauty creams considered in the Pierre Fabre Case (especially given that beauty is supposed to be in the eye of the beholder)? Why not include ‘quality’ products, too, where manufacturers try no less to preserve the reputation and uniform brand image of their products? Is the narrow exception of ‘luxury’ – which is favourable to manufacturers of luxury products but which is opposed by the online platforms that sell a wide range of goods – prone to generating arbitrary distinctions drawn by national court judges faced with resolving competition law disputes in the context of selective distribution? Surely, having provided the rationale for why the contract in Coty was not anti-competitive, the question needs to be asked why the category of exemption could not be wide enough to embrace all goods with a serious connotation of ‘quality’, which can often be established by reference to a higher price.
In a world where increasing market penetration is based on the uniqueness of a product, one would think that the ‘quality’ dimension should in principle justify the same treatment as that of ‘luxury’.[23] By not following the Advocate General’s more expansive view, the ECJ may have succeeded in narrowing the exception to the general rule against sales prohibitions, but may have inadvertently opened up a hornet’s nest of fine distinctions needing to be made by national judges across the EU. Perhaps it is the case that the Judgment, which is notable for its brevity, may be more helpful in theory than in practice for those operating selective distribution systems in the EU.

[1] C-230/16 Coty Germany [2017] EU:C:2017:603. See: http://curia.europa.eu/juris/document/document.jsf?text=&docid=197487&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=954093. For the press release, see: https://curia.europa.eu/jcms/upload/docs/application/pdf/2017-12/cp170132en.pdf.
[2] According to Article 267 TFEU, national courts can refer abstract questions of European Union law to the European court, which then provides a response. It is then up to the referring national court to interpret and apply to the facts of the particular case the statements of legal principle set forth by the ECJ in its Ruling.
[3] For the relevant provision, see: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:12008E101:EN:HTML.
[4] Commission Regulation (EU) No 330/2010 of 20 April 2010 on the application of Article 101(3) of the Treaty on the Functioning of the European Union to categories of vertical agreements and concerted practices. See: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32010R0330&from=EN.
[5] “Hardcore” restrictions include provisions such as absolute sales bans based on territory or customer identity, Resale Price Maintenance, and so forth, whose anti-competitive effects are so significant that it would be unlikely for the restrictions to be justified by reference to the exemption criteria listed in Article 101(3) TFEU.
[6] See Opinion of July 26, 2017, available at: http://curia.europa.eu/juris/document/document.jsf?text=&docid=193231&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=654963.
[7] Case C-230/16, supra at para. 24.
[8] See Case C-26/76 Metro SB-Großmärkte [1977] EU:C:1977:167, especially at para. 20.
[9] Case C-230/16, supra at para. 25.
[10] Case C-230/16, supra at para. 27.
[11] Case C-230/16, supra at para. 29.
[12] See Case C-439/09 Pierre Fabre [2011] EU:C:2011:649.
[13] Case C-230/16, supra at paras. 32 and 34.
[14] Case C-230/16, supra at para. 43.
[15] Case C-230/16, supra at paras. 44 and 46.
[16] Case C-230/16, supra at para. 50.
[17] Case C-230/16, supra at para. 48.
[18] Case C-230/16, supra at paras. 52-54.
[19] Case C-230/16, supra at para. 68.
[20] Decision B2-98/11 Bundeskartellamt v ASICS Deutschland GmbH, Neuss et al. of August 26, 2015. An English language summary can be found at: http://www.bundeskartellamt.de/SharedDocs/Entscheidung/DE/Fallberichte/Kartellverbot/2016/B2-98-11.pdf?__blob=publicationFile&v=2. The full decision can be found in the German language at: http://www.bundeskartellamt.de/SharedDocs/Entscheidung/DE/Entscheidungen/Kartellverbot/2015/B2-98-11.pdf?__blob=publicationFile&v=3. The Judgment of the Higher Regional Court (Case VI-Kart 13/15 (V)) of April 5, 2017 can be found in the German language at: https://www.justiz.nrw.de/nrwe/olgs/duesseldorf/j2017/VI_Kart_13_15_V_Beschluss_20170405.html.
[21] Notably, the Bundeskartellamt’s Chief, Andreas Mundt, has commented that he expects the ECJ’s Ruling to have only a limited effect on the policy of his Office, as its Decisions have thus far involved brand manufacturers outside the luxury industries. See: http://www.wiwo.de/unternehmen/handel/eugh-urteil-zum-online-handel-luxus-muss-nicht-in-die-schmuddelecke/20677432.html.
[22] In this regard, refer to the Study prepared for the European Commission in 2007, which explains how competition for the supply of luxury cosmetics depends critically on non-price elements which add to the aura of the brand: Global Insight, Study of the European Cosmetics Industry, October 2007. Indeed, the possibility that selective distribution networks are more likely to promote non-price elements of competition explains why they are also less likely to produce price volatility; in this regard see Case 107/82 AEG Telefunken v. Commission [1983] ECR 3151 at paras. 33 ff, and Case T-67/01 JCB v. Commission EU:T:2004:3 at paras. 131-133.
[23] Selective distribution networks are also understood to be appropriate for the distribution of highly technical or industrial quality goods, although the rationale for preventing online sales for such products seems more problematic, given the technical knowledge possessed by the average purchaser of such products, e.g., bath fittings. At the other extreme, the view has been expressed by P. Ibanez Colomo that the exception identified in Coty should extend to all products distributed in such networks. See, e.g., blogpost of 6 December 2017 on the Coty Case at: https://chillingcompetition.com/.

Gibson Dunn lawyers are available to assist in addressing any questions you may have regarding these issues.
Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Antitrust and Competition Practice Group, or the authors in the firm’s Brussels office:

Peter Alexiadis (+32 2 554 72 00, palexiadis@gibsondunn.com)
Jens-Olrik Murach (+32 2 554 72 40, jmurach@gibsondunn.com)
Balthasar Strunz (+32 2 554 72 25, bstrunz@gibsondunn.com)

Please also feel free to contact any of the following practice group leaders and members:

Brussels
Peter Alexiadis (+32 2 554 72 00, palexiadis@gibsondunn.com)
Jens-Olrik Murach (+32 2 554 72 40, jmurach@gibsondunn.com)
David Wood (+32 2 554 72 10, dwood@gibsondunn.com)

London
Ali Nikpay (+44 20 7071 4273, anikpay@gibsondunn.com)
Philip Rocher (+44 20 7071 4202, procher@gibsondunn.com)
Charles Falconer (+44 20 7071 4270, cfalconer@gibsondunn.com)
Patrick Doris (+44 20 7071 4276, pdoris@gibsondunn.com)
Deirdre Taylor (+44 20 7071 4274, dtaylor2@gibsondunn.com)

Munich
Michael Walther (+49 89 189 33-180, mwalther@gibsondunn.com)
Benno Schwarz (+49 89 189 33 110, bschwarz@gibsondunn.com)
Kai Gesing (+49 89 189 33 180, kgesing@gibsondunn.com)

Hong Kong
Sébastien Evrard (+852 2214 3798, sevrard@gibsondunn.com)
Kelly Austin (+852 2214 3788, kaustin@gibsondunn.com)

Washington, D.C.
Scott D. Hammond (+1 202-887-3684, shammond@gibsondunn.com)
F. Joseph Warin (+1 202-887-3609, fwarin@gibsondunn.com)
D. Jarrett Arp (+1 202-955-8678, jarp@gibsondunn.com)
David P. Burns (+1 202-887-3786, dburns@gibsondunn.com)
Cynthia Richman (+1 202-955-8234, crichman@gibsondunn.com)
David Debold (+1 202-955-8551, ddebold@gibsondunn.com)

New York
Randy M. Mastro (+1 212-351-3825, rmastro@gibsondunn.com)
Eric J. Stock (+1 212-351-2301, estock@gibsondunn.com)
Peter Sullivan (+1 212-351-5370, psullivan@gibsondunn.com)
Lawrence J. Zweifach (+1 212-351-2625, lzweifach@gibsondunn.com)

Denver
Robert C. Blume (+1 303-298-5758, rblume@gibsondunn.com)

Dallas
Veronica S. Lewis (+1 214-698-3320, vlewis@gibsondunn.com)
Brian Robison (+1 214-698-3370, brobison@gibsondunn.com)
Robert C. Walters (+1 214-698-3114, rwalters@gibsondunn.com)

San Francisco
Rachel S. Brass (+1 415-393-8293, rbrass@gibsondunn.com)
Trey Nicoud (+1 415-393-8308, tnicoud@gibsondunn.com)

Los Angeles
Daniel G. Swanson (+1 213-229-7430, dswanson@gibsondunn.com)
Samuel G. Liversidge (+1 213-229-7420, sliversidge@gibsondunn.com)
Steven E. Sletten (+1 213-229-7505, ssletten@gibsondunn.com)
Jay P. Srinivasan (+1 213-229-7296, jsrinivasan@gibsondunn.com)
Rod J. Stone (+1 213-229-7256, rstone@gibsondunn.com)
Sarretta C. McDonough (+1 213-229-7227, smcdonough@gibsondunn.com)

© 2017 Gibson, Dunn & Crutcher LLP

December 13, 2017 |
A GDPR Primer For U.S.-Based Cos. Handling EU Data: Part 2

Washington, D.C. partner Caroline Krass, Paris partner Ahmed Baladi, Washington, D.C. associate Jason Kleinwaks, and Paris associate Emmanuelle Bartoli are the authors of “A GDPR Primer For U.S.-Based Cos. Handling EU Data: Part 2,” [PDF] published by Law360 on December 13, 2017.

December 12, 2017 |
A GDPR Primer For U.S.-Based Cos. Handling EU Data: Part 1

Washington, D.C. partner Caroline Krass, Paris partner Ahmed Baladi, Washington, D.C. associate Jason Kleinwaks, and Paris associate Emmanuelle Bartoli are the authors of “A GDPR Primer For U.S.-Based Cos. Handling EU Data: Part 1,” [PDF] published by Law360 on December 12, 2017.

December 4, 2017 |
The General Data Protection Regulation: A Primer for U.S.-Based Organizations That Handle EU Personal Data

The General Data Protection Regulation (GDPR), a new European Union data privacy and protection regime, has already entered into force and is slated to become effective on May 25, 2018. Designed to provide greater protections to the personal data of individuals located in the EU, the GDPR imposes a host of new obligations on both “controllers” and “processors” of such data. Additionally, the GDPR calls for large penalties when companies fail to comply with these new obligations. While many U.S. companies have already begun the process of bringing themselves into compliance, the GDPR has such a long reach that it may encompass a large subset of U.S. organizations that would not ordinarily expect to be subject to European data privacy laws. Smaller organizations or those that deal with a relatively small amount of data originating in the EU may be especially likely to be caught off-guard. Such organizations must take immediate steps to assess whether they are subject to the new GDPR and to bring themselves into compliance.

This client alert lays out the global scope of the GDPR and describes which organizations may be required to comply. Next, we explain the obligations that the GDPR imposes on controllers and processors, as well as the stringent restrictions placed on cross-border data transfers to countries outside of the EU. We then provide an overview of the various compliance mechanisms and penalties the GDPR includes, and potential deviations in the implementation of the GDPR that might be seen in particular EU member states. Finally, we conclude with practical advice for organizations transitioning to the new regime.

As 2017 draws to an end, U.S. companies that handle the personal data of individuals located in the European Union (EU) are closer to confronting a new data security and privacy regime that will require an increased focus on compliance, even where such companies do not have establishments in the EU.
Though it has already entered into force, the EU’s General Data Protection Regulation[1] (GDPR) will take effect on May 25, 2018, formally replacing the 1995 EU Data Protection Directive[2] (1995 EU Directive) as the framework governing the processing of personal data across EU Member States. The GDPR is intended to provide greater protections to personal data belonging to individuals located in the EU, as well as greater consistency in application across the Union. Significantly, the GDPR will impose new obligations on organizations involved in the processing of EU personal data. Fines under the GDPR will likely vary significantly, with a maximum of the greater of either €20,000,000 or 4% of annual worldwide turnover, depending on the seriousness of the violation.

While large, data-driven companies with a global footprint are likely already well aware of the GDPR, U.S. organizations that handle even small amounts of EU personal data may be surprised to find themselves subject to the GDPR and need to take steps to bring themselves into compliance before the regulation goes into effect. One significant change is that while the 1995 EU Directive currently places the burden of compliance on controllers of personal data, the GDPR creates direct obligations and liability for processors, including those based in the U.S. In other words, the GDPR rebalances obligations between companies requesting services (controllers) and companies offering services (processors). The purpose of this client alert is to increase awareness of possible GDPR obligations among smaller U.S. organizations, organizations in which data processing is not a large proportion of their business, and organizations that do not have a large European footprint but may nonetheless handle some data belonging to persons located in the EU, as well as to explain the different EU-approved mechanisms for the transfer of data from the EU to the United States for processing.
Because controllers and processors may incur both large penalties and liability for non-compliance with the GDPR, and because it will take time to bring programs into compliance, the time is now for entities involved in the processing of EU personal data to familiarize themselves with the relevant requirements of the GDPR and to work on implementation of any necessary changes.

1.    Who Must Comply with the GDPR?

First and foremost, U.S. organizations that interact with the EU market and/or that have entities in the EU should assess whether they will be required to abide by the GDPR when it takes effect in May 2018.  The GDPR applies to organizations involved in the processing of personal data of individuals located in the EU.  “[P]ersonal data” is defined broadly as “any information relating to an identified or identifiable natural person.”[3]  “Processing” means “any operation or set of operations which is performed on personal data or on sets of personal data.”[4]  These are broad definitions encompassing a range of data types and a variety of data usages—they are designed in particular to sweep in U.S. technology companies.  Indeed, information such as log-in information, IP addresses, and vehicle identification numbers, though not enabling direct identification of individuals, allow for identification of individuals indirectly and are therefore considered to be personal data.  This means that, in practice, most services and/or projects will be considered to involve processing of personal data.  Also important to note is the possibility that, because these definitions—particularly the definition of personal data—are specific to the EU and the GDPR, U.S. companies may be less familiar with their scope and contours.
Organizations involved in processing personal data are divided into two categories: “controllers” and “processors.”  A controller, acting alone or together with others, “determines the purposes and means of the processing of personal data.”[5]  A processor, on the other hand, “processes personal data on behalf of the controller.”[6]  These definitions remain essentially unchanged from the 1995 EU Directive, and thus an entity that qualifies as a controller or processor under the 1995 EU Directive will likely continue to be a controller or processor under the GDPR.

However, the GDPR significantly expands the territorial reach of EU data laws, applying its requirements to three specific categories of entities:

First, a controller or processor that maintains an “establishment” in the EU will be subject to the GDPR if it processes personal data “in the context of” that EU establishment, regardless of whether the processing actually takes place in the EU.[7]  While the term “establishment” is not defined, the GDPR explains that “effective and real exercise of activity through stable arrangements” will satisfy the provision.[8]  Additionally, “[t]he legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.”[9]  In other words, the regulation may apply even if an organization’s nexus to the EU is less formal than a parent-subsidiary relationship.
Second, a controller or processor not established in the EU will be subject to the GDPR “where the processing activities are related to offering goods or services to data subjects in the Union,” even when the goods and services are offered for free.[10]  Determining whether an entity “envisages” offering goods or services in at least one EU Member State, thereby triggering the GDPR’s requirements, depends on “factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union.”[11]

Third, a controller or processor not established in the EU will be subject to the GDPR if it processes the personal data of data subjects in the EU and that processing is related to the “monitoring” in the EU of the “behavior” of data subjects as their behavior takes place within the EU.[12]  Processing fits within this definition when “natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.”[13]  This internet profiling is just one example of what monitoring can entail.  Physical monitoring may also be included, such as by video camera recording.

Organizations, including U.S.-based companies, that fall within any of these three categories will be required to comply with the numerous obligations imposed by the GDPR.

2.    What Obligations Does the GDPR Create for Controllers?

The GDPR imposes many obligations on controllers of EU personal data.  Some of these obligations are a continuation of those established by the 1995 EU Directive, but others are either new or expanded.
These obligations can be organized into three different streams: (i) principles applicable to the processing of personal data; (ii) data subjects’ rights; and (iii) accountability.

2.1    Principles Applicable to the Processing of Personal Data

Lawful Basis for Processing:[14]  Processing of EU personal data may only be undertaken if the controller has a lawful basis for that processing under the GDPR.  Permissible lawful bases are listed in Article 6 of the GDPR and include: (1) processing necessary for the performance of or entry into a contract with a particular data subject; (2) processing necessary for compliance with a legal obligation to which the controller is subject under EU or Member State law; (3) processing necessary to protect the “vital interests” of the data subject or of another natural person; (4) processing necessary for the performance of a task in the public interest or in the exercise of official authority vested in the controller; or (5) processing necessary for the purposes of legitimate interests pursued by the controller or third party, “except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.”

Where the controller cannot rely on any of the five legal bases set forth above, it will need to obtain the individual’s express consent.  To be valid, consent must be freely given, specific, informed and unambiguous.  Controllers intending to rely on consent will therefore need to make sure that they implement a mechanism that actually enables them to collect and monitor where consent is actually obtained (e.g., a clear banner or a box to be ticked specifically consenting to the purposes for processing).
When personal data are to be processed for a purpose other than the one for which the data have been collected initially, the controller must consider whether the new purpose is compatible with the original purpose of processing, and if not, the controller will need to ensure that it relies on one of the five legal bases described above.[15]

Delegation to a Processor:  When a controller enlists a processor to process personal data on its behalf, the controller must use only processors that provide, by a binding written contract or other legal act, sufficient guarantees that they will implement appropriate safeguards required by the GDPR and ensure the protection of EU data subjects’ rights.[16]  Any sub-processor must also commit in a binding written contract (or other legal act) to abiding by the same safeguards.[17]  The contract must specify the subject matter and duration of the processing; the nature and purpose of the processing; the type of personal data; the categories of data subjects; and the obligations and rights of the controller.[18]  Thus, controllers should reevaluate their contractual relationships with processors in advance of the effective date of the GDPR.  Agreeing to EC-approved standard contractual clauses, discussed further below, is one option for seamlessly complying with such requirements.
Specific Contractual Obligations:[19]  In addition to requiring a contractual relationship between controllers and processors, the GDPR mandates a host of stipulations that must be included in such contracts: (1) processing must be performed only in accordance with documented instructions from the controller; (2) persons authorized to process personal data must have committed themselves to confidentiality or be subject to a statutory obligation of confidentiality; (3) processors must implement requisite security measures; (4) processors must abide by the requirements for enlisting sub-processors; (5) processors must assist the controller in fulfilling the controller’s obligation to respond to requests for exercising data subjects’ rights under the GDPR; (6) processors must assist the controller in complying with requirements for data security and breaches; (7) personal data must be deleted or returned to the controller after processing services have been rendered; (8) all information necessary to demonstrate compliance with these requirements must be made available to the controller; and (9) the processor must allow for and contribute to audits conducted by the controller.

Data Breach Notification:[20]  In the event of a data breach, the controller must notify the supervisory authority “without undue delay” and within 72 hours of discovering the breach, where feasible.  Any delay must be explained.  In practice, this 72-hour deadline may be difficult to meet given the nature of detecting data breaches and determining their extent.
Additionally, if the data breach is likely to result in a “high risk to the rights and freedoms of natural persons,” the controller must notify the affected data subjects without undue delay, unless one of a number of exceptions is triggered.[21]

2.2    Individuals’ Rights

Information and Access:  Controllers must provide certain specified information to data subjects at the time personal data is obtained.[22]  This information is designed to ensure fair and transparent processing, and it is particularly important where the controller will intend to rely on consent.  Minimum information required by the GDPR includes the purpose of processing; the categories of data recipients; the existence of data transfers out of the EU and the guarantees implemented in case of such transfer; the data retention period; and data subjects’ rights.  Data subjects also have a right to request and obtain specified information from the controller about the processing of their personal data as well as a copy of the personal data undergoing processing.[23]

Rectification and Erasure:  Controllers are obligated to allow data subjects to correct inaccurate personal data and add to incomplete personal data.[24]  Further, controllers must accommodate data subjects’ requests to have their personal data erased without undue delay if certain grounds apply, including if the personal data is no longer necessary for the purposes it was originally collected or processed.[25]

Data Portability:[26]  Upon request from a data subject, controllers must provide a data subject’s personal data in a machine-readable format or transmit that personal data directly to another controller.

2.3    Accountability

Organizations are expected to be accountable in relation to the processing of personal data.  Consequently, they will need to implement several governance measures to demonstrate and document their compliance.

Record-Keeping:[27]  The GDPR represents a change of paradigm for companies.
Under the 1995 EU Directive currently in force, companies are expected to give notice to competent data protection authorities prior to engaging in certain processing activities.  The GDPR removes prior notice obligations and instead requires controllers to maintain records of all processing activities, including certain specified types of information.  The purpose of these records is to allow the controller to demonstrate compliance with GDPR requirements, and records must be made available to the relevant supervisory authority upon request.  To comply with this obligation, organizations must begin conducting data protection audits to make an inventory of the different personal data processing activities carried out within the organization.  Organizations that do not begin to implement record-keeping as the effective date of the GDPR approaches will certainly face difficulties in complying with the GDPR’s requirements.  (Note that these requirements do not apply to a controller employing fewer than 250 people unless it carries out high-risk processing, carries out more than occasional processing, or processes special categories of data.) 
Data Protection Officer:  As part of the cultural change in data protection management, the appointment of a Data Protection Officer (DPO) is also specified by the GDPR.[28]  Indeed, controllers may be required to appoint a DPO when: (i) the core activities of the controller are processing operations that require large-scale, regular and systematic monitoring of data subjects or, similarly, (ii) when a controller’s core activities involve large-scale processing of other special categories of data.[29]  DPOs are responsible for accountability of the controller, must be included in all matters relating to the protection of personal data, and “act as intermediaries between relevant stakeholders.”[30]  In doing so, DPOs must be given a sufficient degree of autonomy to perform their required tasks under GDPR Article 39.[31]  DPOs are assured independence and job security through the GDPR’s prohibition on dismissing or penalizing a DPO “for performing [their] tasks.”[32]  In practice, organizations need to consider whether they are subject to the obligation of appointing a DPO.  Even where not strictly necessary, companies may still consider whether having a DPO would help in complying with the different obligations defined by the GDPR.

Data Protection Impact Assessment:[33]  Where the controller undertakes a type of processing that is likely to result in a high risk to the rights and freedoms of natural persons, the controller must carry out an impact assessment of that processing, in consultation with any designated DPO.  While the supervisory authority is required to create a list of processing operations that require an impact assessment, the GDPR specifies several scenarios in which impact assessments are required.  It also provides requirements for the content of such assessments.
Where an impact assessment indicates that processing would “result in a high risk in the absence of measures taken by the controller to mitigate the risk,” the controller must consult with the supervisory authority prior to undertaking the processing.[34]  This obligation indicates that companies will need to have a risk-based approach in relation to data protection.

“Data Protection by Design and by Default”:[35]  All controllers must implement appropriate technical and organizational safeguards to ensure that any processing of personal data complies with the GDPR, including, as appropriate, data protection policies, data minimization, and “pseudonymisation.”[36]  Controllers should take into account both the cost of such safeguards, as well as the protections current technology allows, adapting to the risks posed by the processing to the “rights and freedoms” of EU data subjects.[37]  Adherence to approved codes of conduct or certification mechanisms, discussed further below, is one way to demonstrate compliance.

Designated Representatives:[38]  When a controller is not established in the EU but is nonetheless subject to the GDPR, the controller in certain circumstances must designate a representative in a Member State where the EU individuals whose personal data is being processed in connection to the offering of goods and services, or whose behavior is being monitored, are located.  This requirement does not apply when the processing is occasional or when the processing does not involve widespread processing of certain special categories of data, such as genetic and biometric data.

3.    What Obligations Does the GDPR Create for Processors?

The GDPR creates a number of direct obligations for processors who fall within the scope of the regulation.  While processors may have undertaken certain similar obligations by virtue of contracts with controllers in the past, the 1995 EU Directive does not itself impose such requirements on processors.
While processors should carefully assess their new obligations with their legal counsel, the GDPR addresses the following topics:

Data Security:[39]  A processor is required to implement appropriate technical and organizational measures to ensure adequate data security.  Assessment of the requisite security must take into account “the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.”

Data Breach Notification:[40]  In the event of a data breach, the processor must notify the controller “without undue delay.”

Following Controller’s Instructions:[41]  A processor may not process any personal data except in accordance with instructions from the controller.  If a processor acts outside the scope of its authority granted by the controller, it will be considered to be a controller and subject to controller obligations under the GDPR.

Contractual Relationships:[42]  All processing by a processor on the controller’s behalf must be governed by a binding contract “or other legal act” under EU or Member State law that specifically sets forth “the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects[,] and the obligations and rights of the controller.”  The contract must be in both written and electronic form.[43]

Sub-Processing:[44]  A processor may not utilize another processor in connection with its processing of EU personal data without first receiving authorization from the controller.  The controller must be notified of any changes in sub-processors and given the opportunity to object.
Where a sub-processor is engaged, the same data protection obligations in the contract between the controller and processor must be imposed on the sub-processor by way of contract or other “organisational measures.”[45]  The processor will remain fully liable to the controller for performance of the sub-processor’s obligations.

Designated Representatives:[46]  As with controllers, see above, when a processor is not established in the EU but is still subject to the GDPR, it must designate a representative in one of the Member States in which one of the relevant data subjects is located, unless the processing is occasional or does not involve widespread processing of certain special categories of data.

Record-Keeping:[47]  Processors with 250 or more employees are required to maintain a record of all categories of processing activity carried out on behalf of a controller containing specific information.  A processor with fewer than 250 employees need keep such records only if it is undertaking processing that is likely to result in a risk to the rights and freedoms of data subjects, the processing is more than occasional, or the processing includes certain special categories of data relating to racial or ethnic origin, religious and other beliefs, sexual orientation, or criminal convictions and offenses.  Records must be kept in written and electronic form, and must be made available to a supervisory authority upon request.

Data Protection Officer:[48]  In much the same way that controllers may be required to appoint a data protection officer, processors may also face such a requirement.

4.    How Can U.S. Organizations Comply with Restrictions on Transferring EU Personal Data to the United States?

The 1995 EU Directive significantly restricts the transfer of EU personal data to third countries, and these restrictions continue under the GDPR.
Both the 1995 EU Directive and the GDPR allow for transfers of personal data out of the EU when the data are being sent to a country that the European Commission (EC) has determined provides an adequate level of protection.[49]  But the United States is conspicuously absent from the list of countries that have received an EC adequacy decision.  Transfers to countries which have not received the EC’s blessing, like the United States, must either fall within one of the various derogations[50] in the Directive (or Regulation) or the parties involved in the transfer themselves must provide adequate assurances that the data will be protected.  Because the GDPR requires the same protections be carried over for “onward transfers” or transfers following the initial third-country transfer, compliance with transfer requirements is important for any organization down the chain.

Adequate assurances of data protection can be made in a number of ways, including:

4.1    EU-U.S. Privacy Shield

Between 1998 and 2000, the International Safe Harbor Principles were developed in order to provide an alternate mechanism by which U.S. companies could comply with the 1995 EU Directive’s data transfer requirements.  Safe Harbor provided a framework of seven data protection principles, and companies could self-certify under the program.  In July of 2000, the EC determined that companies complying with the Safe Harbor principles could transfer EU personal data to the United States in compliance with the Directive.  But a combination of factors, including the rapid expansion of global online activities and their importance to the transatlantic economy; the rapid increase in the number of U.S. companies taking advantage of the Safe Harbor principles; and the controversy resulting from Edward Snowden’s 2013 leaks of classified information related to U.S. government surveillance activities threw the continuing viability of Safe Harbor into question.[51]  In 2015, the European Court of Justice struck down its previous decision that the Safe Harbor Program provided adequate protections for data transferred to the United States.[52]

Consequently, the U.S. government began talks with the EU seeking to develop a new framework.  In February of 2016, a political agreement was reached to implement the new Privacy Shield program.  Despite concerns raised by the Article 29 Data Protection Working Party and the EU Data Protection Supervisor, the EC adopted the framework in July of 2016.

The 2016 EU-U.S. Privacy Shield allows participating organizations to transfer EU personal data to the United States.  Organizations must self-certify as Privacy Shield-compliant, committing to process data only in accordance with the principles set forth by the program.[53]  Only organizations subject to the enforcement authority of the Federal Trade Commission or the Department of Transportation are eligible to participate.

Despite the concerns raised by some groups, the Privacy Shield recently successfully passed its first annual review[54] by the EC, with the relatively lukewarm endorsement that the “Privacy Shield works well, but there is some room for improving its implementation.”[55]  While the EC found that the framework provides an adequate level of protection for personal data, it made five key recommendations to ensure continued protection:[56]

More proactive and frequent monitoring by the Department of Commerce to ensure that self-certified companies are complying with their Privacy Shield obligations, including regular searches to find companies making false claims about their participation in the Privacy Shield.
During the first year of implementation, only three enforcement actions have been reported.[57]

Increased attention to making EU data subjects aware of how to exercise their rights under the Privacy Shield, including how to lodge complaints.

Increased cooperation between the Department of Commerce, the Federal Trade Commission, and the EU Data Protection Authorities (DPAs), including in developing guidance for enforcers and companies alike.

Federal legislation to make permanent the protection for non-Americans offered by Presidential Policy Directive 28 (PPD-28).  PPD-28 is an Obama-era limitation on the collection of signals intelligence that requires appropriate safeguards for all personal information, regardless of whether they are U.S. or foreign.[58]

The appointment of a permanent Privacy Shield Ombudsman at the U.S. State Department to provide European citizens with a recourse mechanism and the filling of numerous vacancies on the Privacy and Civil Liberties Oversight Board (PCLOB).

The continued viability of the Privacy Shield may hinge on the Trump administration’s response to these recommendations.  The four vacant PCLOB positions require Presidential appointment and Senate confirmation.  President Trump has explained in general that many vacancies across federal departments have not been filled because the administration believes the underlying positions are unnecessary.  While it remains unclear whether and how quickly the Ombudsman and PCLOB vacancies will be filled, the Trump administration recently nominated Adam Klein as the PCLOB’s chairman.  It also remains unclear whether the administration would support the codification of PPD-28’s protections for non-U.S. persons.

In spite of these concerns, over 2,400 companies currently participate in the Privacy Shield.  For U.S. companies that routinely receive transfers of EU personal data, the Privacy Shield provides the easiest method of ensuring compliance with the EU data regimes, present and future, and also affords those companies goodwill with their European customers.

4.2    Standard Contractual Clauses[59]

Another popular way to comply with the EU data regimes while transferring personal data to third countries that have not received an adequacy decision from the EC is through standard contractual clauses (SCCs) approved by the EC.  Through the use of SCCs embedded in contracts between a data exporter and a data importer, the parties guarantee an adequate level of protection for the personal data involved in the transaction.  The EC has adopted SCCs for controller-to-processor and controller-to-controller transactions, which will, for now, continue to provide an adequate level of protection for personal data involved in transfers.  Under the 1995 EU Directive, only the EC was permitted to adopt SCCs, but the GDPR permits national supervisory authorities to adopt SCCs as well.[60]  SCCs remain a burdensome approach to data transfers because, in practice, data protection authorities require organizations to enter into SCCs to cover each new purpose of processing.

The SCCs have been under legal attack on the theory that U.S. law fails to adequately provide legal remedies to EU citizens and that the SCCs do not address that deficiency.  Recently, the Irish High Court in Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems[61] referred the issue to the EU Court of Justice to assess whether the EC’s prior decisions approving the SCCs remain valid, finding that the Irish Data Protection Controller’s concerns regarding the continued validity of SCCs are “well-founded,” primarily in light of concerns regarding remedies available in the United States to EU data subjects.
Still, SCCs remain one of the most common legal methods utilized to effect personal data transfers out of the EU.

4.3    Binding Corporate Rules[62]

While the 1995 EU Directive did not expressly recognize binding corporate rules (BCRs) (which were created by the Article 29 Working Party[63]), the GDPR explicitly codifies the possibility for organizations to adopt BCRs.  BCRs are legally binding internal rules that can be adopted by either multi-national groups of undertakings, or groups of enterprises engaged in a joint economic activity (i.e., groups of legally independent entities).  The GDPR introduces regulatory requirements related to BCR content and a simplified approval process.  Compared to the SCCs and Privacy Shield framework, BCRs offer an opportunity for more customization that is tailored to the needs of the adopting group of companies.  BCRs are also seen by data protection authorities as providing more legal certainty to data transfers.  Moreover, BCRs are seen as a tool for accountability because the requirements companies must comply with when adopting BCRs will assist the companies’ efforts in structuring their data protection governance.

4.4    Codes of Conduct and Certifications[64]

Companies can also demonstrate compliance with the GDPR through Codes of Conduct[65] and Certification[66] mechanisms.
Codes of Conduct are prepared by associations or bodies representing categories of controllers or processors and must go through a specified approval process that differs depending on whether it governs processing activities in a single EU state or in several states.[67]  Compliance will be monitored by an independent body with relevant expertise and accredited by the appropriate supervisory authority.[68]  Certification mechanisms, seals, or marks, on the other hand, might be established by the supervisory authorities, European Data Protection Board, and the EC in the future as a way similarly to demonstrate compliance.[69]  Adherence to a Code of Conduct or certification mechanism, if binding and enforceable, can be used to demonstrate appropriate safeguards for data transfers to third countries.  The viability of these new mechanisms under the GDPR remains to be seen.

4.5    Compliance with U.S. Court Rulings or Subpoenas Requiring Production of EU Personal Data

Significantly, Article 48 of the GDPR could impede a company’s ability to comply with the U.S. legal process requiring the production of EU personal data.  Under this provision, any judgment of a court or decision by an administrative authority of a third country that would require transfer or disclosure of EU personal data is only recognizable and enforceable if based on an international agreement, such as a mutual legal assistance treaty between the third country and the EU or a particular member state.  Although the United States and the EU have entered into a binding Mutual Legal Assistance Agreement (MLAA),[70] Article 48 may present challenges where there is a conflict between U.S. legal process and the requirements of the MLAA.  Further, if the U.S. courts’ collective disregard for European blocking statutes is any indication of how they will approach this provision of the GDPR, we may find that courts are particularly unsympathetic to the claim that production would violate the GDPR, potentially placing companies in the difficult position of choosing whether to comply with the U.S. legal process or the GDPR.

5.    What Are the Compliance Mechanisms and Penalties for Non-Compliance with the GDPR?

The GDPR grants investigative powers to the Member States’ supervisory authorities that are roughly consistent with those under the 1995 EU Directive,[71] and controllers and processors are obligated to cooperate with supervisory authorities on request.[72]  Supervising authorities are also given an array of corrective powers[73] with which to address infringements of the GDPR, including the ability to issue warnings or orders and impose administrative fines.  Maximum fines for violations of specific articles are provided, topping out at the greater of either €20,000,000 or 4% of the total worldwide annual turnover from the preceding financial year.[74]

The GDPR also creates a right to compensation for any person who has suffered material or non-material damage as a result of an infringement of the obligations in the regulation.[75]  For the first time, a processor is directly liable for damage caused by processing that does not comply with GDPR obligations specifically directed to processors or where it has acted contrary to the controller’s lawful instructions unless the processor can prove that it is not “in any way responsible for the event giving rise to the damage.”[76]  A data subject’s claim under Art. 82 of the GDPR is without prejudice to any claims involving the violation of other provisions of EU or Member State law.[77]

Data subjects may lodge a complaint with a competent supervisory authority for violations of the GDPR.[78]  They may also seek a judicial remedy against a controller or processor before the courts of the Member State in which the controller or processor has an establishment or where the data subject habitually resides.[79]  Additionally, both data subjects and controllers/processors can seek a judicial remedy against legally binding decisions of a supervisory authority in the courts of the Member State in which the supervisory authority is established.[80]

6.    Will EU Member States Uniformly Apply the GDPR?

While the GDPR was designed to provide a more uniform data regime across the EU than its predecessor directive, which required implementing legislation in each Member State, it includes a number of opening clauses that allow Member States to introduce particularized legislation in certain areas of data protection.  Organizations should therefore pay close attention to any national distinctions that develop as Member States begin to pass such legislation.  In particular, the GDPR allows for Member States to set general data protection requirements involving the processing of employee personal data that align with their respective labor law regimes.[81]  Notably, most European countries are currently working on the adoption of national legislation that intends to embody the GDPR’s requirements.  The risk, however, is that each national legislature will introduce its own specific constraints.

In October 2017, the Article 29 Working Party issued guidance with the stated objective of helping supervisory authorities across the EU to apply administrative fines consistently.[82]  Given the general nature of the criteria to apply, uniformity will be challenging to achieve.
6.1    Germany

The German Parliament recently adopted the new Federal Data Protection Act (the “DPA”),[83] which will come into force simultaneously with the GDPR on May 25, 2018, and which is meant to implement the GDPR into German law.  During the legislative process, Germany made use of several opening clauses contained in the GDPR to maintain certain well-established provisions of the old DPA.  However, the EC has questioned whether all new provisions in the DPA are actually covered by these opening clauses; in fact, some European officials have noted off the record that the new DPA may undermine the goal of full harmonization within the EU.

Important deviations from the GDPR include:

Appointment of Data Protection Officers:  The DPA requires the appointment of a DPO by every company employing at least ten persons that is involved in the automatic processing of personal data.  Further, regardless of the number of employees, companies are obliged to appoint a DPO if they are processing data for the purpose of commercial transfer of data or for marketing and market research purposes.

Consumer Damage Claims:  Consumers are entitled to monetary compensation if they are affected by a violation of the DPA, even if they did not suffer monetary damages.  This may lead to increased risks for organizations, as the new right for consumer protection associations to launch class-action-style proceedings facilitates the enforcement of corresponding claims.

6.2    The United Kingdom

Respecting the results of a national referendum that took place on June 23, 2016, the UK government gave the European Council formal notification of the UK’s intention to withdraw from the EU (“Brexit”) on March 29, 2017.  Absent an extension agreed upon by all other Member States, the UK will leave the EU at midnight on March 29, 2019.
In preparation for Brexit, the UK government is planning to enact national legislation that would continue to apply GDPR-compliant standards of data protection in the UK after Brexit.  It is hoped that an agreement will be reached under which UK laws are acknowledged by the EU to provide an adequate level of protection post-Brexit, thus permitting data transfers between EU countries and the UK without the usual restrictions applying to “third country” transfers (see section 4 above).  While transfers of data between the UK and U.S. may fall outside the EU-U.S. Privacy Shield after Brexit, it is hoped that a similar UK-U.S. agreement will maintain free data flows with the U.S. post-Brexit.

7.    How Can Organizations Prepare for the GDPR?

As the implementation date for the GDPR approaches, organizations need to bring their operations into compliance with the new regime.  The very first step an organization must take is to determine whether it is covered by the GDPR.  If so, the organization must make efforts to fully understand what data it collects, processes, and stores.  An organization must identify what personal data is being gathered across all of the organization’s groups and functions and determine the purpose for collection, whether that collection is being minimized to meet only that purpose, and whether the company is collecting any of the various types of sensitive data under the GDPR.

Beyond collection of data, the organization must understand how the data is being processed and stored.  This includes the lawful basis for processing each set of data, the data protection measures that are being used, the location of the stored data, the period of time such data will be stored, where and how records of processing and storage are being kept, and many other considerations.  Obtaining all of this information will likely require a company-wide audit, and stakeholders in all aspects of the business should be involved in this assessment.
Often, collection and processing activities take place in departments that are not normally associated with data processing.  Thus, data mapping is an important first step in determining what changes an organization must make to bring itself into compliance with the GDPR.

On top of the collection, processing, and storage considerations, organizations must be aware of how they transfer and share data.  As discussed above, the GDPR places restrictions on data transfers, especially those in which data is transferred across borders to countries outside the EU.  These considerations apply regardless of whether such transfers take place only within the company or group of companies.  Further, companies that transfer data to processors or sub-processors will need to reevaluate their contractual relationships with such processors, as well as the capabilities of the processor.

After data mapping and auditing, the company should put together a plan to bring itself into compliance with the GDPR.  Processing activities that involve sensitive personal data, or that relate to purposes implying intrusion into data subjects’ lives, should be given top priority.  The compliance plan should include specific training needs, as well as legal and technological elements that need to be addressed.  Again, stakeholders in all aspects of the business should be involved in order to best implement organization-wide changes.

Data management will likely require significant thought and investment moving forward.  Organizations must comply with GDPR requirements surrounding deletion of data, limitations on its use, and ensuring adequate security measures are in place.  Systems and processes must be in place to comply with requests from data subjects, such as providing copies of data, transferring data to other controllers, rectifying errors, and even erasure in certain cases.
Record-keeping may require further investment, as organizations will have to maintain detailed records of their processing and compliance with the GDPR.  Data controllers should reconfigure their privacy policies to properly notify individuals of processing, making sure to comply with GDPR principles governing transparency and consent.

Organizations may even need to make changes to their corporate governance.  As discussed above, some organizations will be required to appoint a DPO to monitor GDPR compliance, serve as a contact for regulators, and oversee data impact assessments.  The DPO can either exist within the organization or externally, but every indication is that the DPO must be highly knowledgeable both in terms of data privacy expertise and awareness of the inner workings of the organization.  Because of requirements relating to the independence of the DPO, organizations should give significant thought to the organizational placement of the DPO and to whom the DPO should report within the corporate structure.  Even where a DPO is not required, organizations should reevaluate their current privacy team to account for ongoing compliance requirements under the GDPR, such as data impact assessments, handling requests from data subjects, interfacing with regulators, and ensuring adequate record-keeping.  Many larger, data-driven businesses have approached regulators with their current plans to obtain their input.

8.    Conclusion

When the GDPR takes effect in May of 2018, it will take some time to sort out some of the ambiguities that exist and to understand how enforcement is being carried out.  Nonetheless, organizations should make concerted efforts to comply with the terms of the regulation from its outset, especially given the potential for such weighty penalties.  Any concerns should be discussed with counsel well in advance of the GDPR’s effective date in order to ensure a smooth transition to the new regime.
[1]   Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.  http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf.
[2]   Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995.  http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML.
[3]   Art. 4, ¶ 1, GDPR.
[4]   Art. 4, ¶ 2, GDPR.
[5]   Art. 4, ¶ 7, GDPR.
[6]   Art. 4, ¶ 8, GDPR.
[7]   Art. 3, ¶ 1, GDPR.
[8]   Rec. 22, GDPR.
[9]   Id.
[10]   Rec. 23, GDPR; see also Art. 3, ¶ 2(a), GDPR.
[11]   Rec. 23, GDPR.
[12]   Rec. 24, GDPR; see also Art. 4, ¶ 2(b), GDPR.
[13]   Rec. 24, GDPR.
[14]   Art. 6, ¶ 1, GDPR.
[15]   Art. 6, ¶ 4, GDPR.
[16]   Art. 28, ¶ 1, GDPR.
[17]   Art. 28, ¶ 2, GDPR.
[18]   Art. 28, ¶ 3, GDPR.
[19]   Art. 28, ¶ 3 (a)–(h), GDPR.
[20]   Art. 33, ¶ 1, GDPR.
[21]   Art. 34, GDPR.
[22]   Arts. 13 & 14, GDPR.
[23]   Art. 15, GDPR.
[24]   Art. 16, GDPR.
[25]   Art. 17, GDPR.
[26]   Art. 20, GDPR.
[27]   Art. 30, GDPR.
[28]   Art. 37, GDPR.
[29]   Id.
[30]   Guidelines on Data Protection Officers (‘DPOs’), Article 29 Working Party, at 4 (Dec. 13, 2016).  http://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp243_en_40855.pdf.
[31]   Id. at 14.
[32]   Id. at 15.
[33]   Art. 35, GDPR.
[34]   Art. 36, GDPR.
[35]   Arts. 24 & 25, GDPR.
[36]   See also Art. 32, GDPR.
[37]   Art. 25, GDPR.
[38]   Art. 27, GDPR.
[39]   Art. 32, GDPR.
[40]   Art. 33, ¶ 2, GDPR.
[41]   Art. 29, GDPR.
[42]   Art. 28, ¶ 3, GDPR.
[43]   Art. 28, ¶ 9, GDPR.
[44]   Art. 28, ¶ 2, GDPR.
[45]   Art. 28, ¶ 4, GDPR.
[46]   Art. 27, GDPR.
[47]   Art. 30, ¶¶ 2–5, GDPR.
[48]   Art. 37, GDPR.
[49]   Art. 45, GDPR.
[50]   Art. 49, GDPR.
[51]   See European Commission Implementing Decision pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield, Section 1 (Dec. 7, 2016).  http://ec.europa.eu/justice/data-protection/files/privacy-shield-adequacy-decision_en.pdf.
[52]   Maximillian Schrems v. Data Protection Commissioner, Case C-362/14 (Oct. 6, 2015).  http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1444299455884&uri=CELEX:62014CJ0362.
[53]   Privacy Shield Framework.  https://www.privacyshield.gov/article?id=OVERVIEW.
[54]   First Annual Review of the EU-U.S. Privacy Shield (Oct. 18, 2017).  http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=605619.
[55]   EU-U.S. Privacy Shield: First review shows it works well but implementation can be improved (Oct. 18, 2017).  http://europa.eu/rapid/press-release_IP-17-3966_en.htm.
[56]   Id.
[57]   Three Companies Agree to Settle FTC Charges They Falsely Claimed Participation in EU-US Privacy Shield Framework, Federal Trade Commission (Sept. 8, 2017).  https://www.ftc.gov/news-events/press-releases/2017/09/three-companies-agree-settle-ftc-charges-they-falsely-claimed.
[58]   Sec. 4, Presidential Policy Directive 28 (Jan. 17, 2014).  https://obamawhitehouse.archives.gov/the-press-office/2014/01/17/presidential-policy-directive-signals-intelligence-activities.
[59]   Art. 46, ¶ 2(c), GDPR.
[60]   Art. 46, ¶ 2(d), GDPR.
[61]   Irish Data Protection Commissioner v. Facebook and Max Schrems, 2016 No. 4809 P.  https://arstechnica.co.uk/wp-content/uploads/sites/3/2016/07/Judgment-of-the-High-Court-of-Ireland-in-the-case-data-protection-Commissioner-v-Facebook-relating-to-motions-to-allow-amicus-curia.pdf.
[62]   Arts. 46, ¶ 2(b) & 47, GDPR.
[63]   The Article 29 Working Party is the independent European Union Advisory Board on Data Protection and Privacy established under Article 29 of the 1995 EU Directive.
[64]   Art. 46, ¶¶ 2(e) & (f), GDPR.
[65]   Arts. 40 & 41, GDPR.
[66]   Arts. 42 & 43, GDPR.
[67]   Art. 40, GDPR.
[68]   Art. 41, GDPR.
[69]   Arts. 42 & 43, GDPR.
[70]   Agreement Between the United States of America and the European Union (signed June 25, 2003; entered into force February 1, 2010).  https://www.state.gov/documents/organization/180815.pdf.
[71]   Art. 58, ¶ 1, GDPR.
[72]   Art. 31, GDPR.
[73]   Art. 58, GDPR.
[74]   Art. 83, ¶¶ 4–5, GDPR.
[75]   Art. 82, ¶ 1, GDPR.
[76]   Art. 82, ¶¶ 2–3, GDPR.
[77]   Rec. 146, GDPR.
[78]   Art. 77, ¶ 1, GDPR.
[79]   Art. 79, GDPR.
[80]   Art. 78, GDPR.
[81]   See Art. 88, ¶ 1, GDPR.
[82]   Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679, Article 29 Data Protection Working Party (Oct. 3, 2017).  https://ec.europa.eu/newsroom/just/document.cfm?doc_id=47889.
[83]   Federal Data Protection Act (June 30, 2017).  https://iapp.org/media/pdf/resource_center/Eng-trans-Germany-DPL.pdf.

Gibson, Dunn & Crutcher’s lawyers are available to assist in addressing any questions you may have regarding the issues discussed above.  Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Privacy, Cybersecurity and Consumer Protection or National Security practice group, or the following authors:

Caroline Krass – Chair, National Security Practice, Washington, D.C. (+1 202-887-3784, ckrass@gibsondunn.com)
Alexander H. Southwell – Chair, Privacy, Cybersecurity & Consumer Protection Practice, New York (+1 212-351-3981, asouthwell@gibsondunn.com)
Ahmed Baladi – Paris (+33 (0)1 56 43 13 00, abaladi@gibsondunn.com)
Emanuelle Bartoli – Paris (+33 (0)1 56 43 13 57, ebartoli@gibsondunn.com)
James A. Cox – London (+44 (0)20 7071 4250, jacox@gibsondunn.com)
Michael Walther – Munich (+49 89 189 33-180, mwalther@gibsondunn.com)
Ryan T. Bergsieker – Denver (+1 303-298-5774, rbergsieker@gibsondunn.com)
Jason N. Kleinwaks – Washington, D.C. (+1 202-887-3793, jkleinwaks@gibsondunn.com)

© 2017 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

November 17, 2017 |
Webcast: Hot Topics in Securities and Governance

With the final quarter of 2017 upon us and the 2018 calendar year fast approaching, it is time to focus on several hot topics in securities and corporate governance to prepare for your upcoming board meetings, 10‑K and proxy season.  Please join us for a one-hour discussion of hot topics in securities and governance, focusing on:

- Key considerations that companies and their boards of directors should be focusing on as they approach upcoming pay ratio disclosure requirements for 2018 proxy statements, and key takeaways from recent SEC and Staff interpretive guidance;
- The PCAOB’s new audit reporting standard, which will require additional disclosures in the auditor’s report on companies’ financial statements;
- Preparing for upcoming 10-K disclosures related to the long-anticipated revenue recognition standard, ASC 606, which is required for annual reporting periods beginning after December 15, 2017; and
- Effective practices for board oversight of cybersecurity risks and legal risks that boards should consider in an environment of cybersecurity breaches and disruptive cyberattacks, including risks arising from how and when cyber-incidents are disclosed.

View Slides [PDF]

PANELISTS:

Lori I. Zyskowski is a partner in the New York office of Gibson Dunn where she is a member of the Firm’s Securities Regulation and Corporate Governance Practice Group.  Ms. Zyskowski advises public companies and their boards of directors on a wide range of corporate law matters, including corporate governance, compliance with U.S. federal securities laws and the requirements of the major U.S. stock exchanges, and shareholder engagement and activism matters.  She formerly served as Executive Counsel, Corporate, Securities & Finance at the General Electric Company, where she advised GE’s board of directors and senior management on corporate governance and securities law issues.

Caroline D. Krass is a partner in the Washington, D.C. office of Gibson Dunn where she is Chair of the Firm’s National Security Practice Group.  Ms. Krass’ practice focuses on advising clients on the most complicated and sensitive matters involving national security, intelligence, cybersecurity, data privacy, government investigations, and regulatory issues.  Until January 2017, she was the Central Intelligence Agency’s General Counsel.  She also served as the Acting Assistant Attorney General for the Office of Legal Counsel in the U.S. Department of Justice and as a senior national security lawyer in the Obama and George W. Bush Administrations.  Ms. Krass is widely recognized for her extensive experience, both in Washington and abroad.

Michael J. Scanlon is a partner in the Washington, D.C. office of Gibson Dunn where he is a member of the Firm’s Securities Regulation and Corporate Governance, and Securities Enforcement Practice Groups.  Mr. Scanlon has an extensive practice representing U.S. and foreign public company and audit firm clients on regulatory, corporate governance, and enforcement matters.  He advises corporate clients on SEC compliance and disclosure issues, the Sarbanes-Oxley Act of 2002, and corporate governance best practices, with a particular focus on financial reporting matters.

Maia R. Gez is of counsel in the New York office of Gibson Dunn where she is a member of the Firm’s Securities Regulation and Corporate Governance Practice Group.  Ms. Gez advises public companies and their boards of directors on a wide range of corporate law matters, including corporate governance, compliance with U.S. federal securities laws and the requirements of the major U.S. stock exchanges, board and executive compensation and pay ratio disclosure, and shareholder engagement and activism matters.

MCLE CREDIT INFORMATION:

This program has been approved for credit in accordance with the requirements of the New York State Continuing Legal Education Board for a maximum of 1.0 credit hour, of which 1.0 credit hour may be applied toward the areas of professional practice requirement.  This course is approved for transitional/non-transitional credit.  Attorneys seeking New York credit must obtain an Affirmation Form prior to watching the archived version of this webcast.  Please contact Jeanine McKeown (National Training Administrator), at 213-229-7140 or jmckeown@gibsondunn.com to request the MCLE form.

Gibson, Dunn & Crutcher LLP certifies that this activity has been approved for MCLE credit by the State Bar of California in the amount of 1.0 hour.  California attorneys may claim “self-study” credit for viewing the archived version of this webcast.  No certificate of attendance is required for California “self-study” credit.

August 8, 2017 |
Cybersecurity & Data Privacy: An Overview for Health Care, Pharmaceutical, and Biotech Companies

Cyberthreats are ubiquitous, and significant cyberattacks on private and publicly traded companies occur on a near-daily basis.  As a result of the ongoing barrage of increasingly advanced and evolving cyberattacks, even companies with sophisticated security systems are potentially susceptible to a cybersecurity breach.  A breach may lead to unauthorized access to sensitive company and personal data and have far-ranging and costly consequences.  Immediately following a cyberattack, a company must work to secure its systems from further damage and/or data loss, handle media inquiries, and confront often-complex legal issues concerning notification to consumers, business partners, and government agencies.  Thereafter, there may be civil lawsuits (including litigation with business partners, consumer class actions, and, for publicly traded companies, actions by shareholders), regulatory enforcement actions, and investigations by federal and state agencies.  As breaches have become more frequent, federal, state, and foreign government regulators have responded by strengthening and expanding laws, regulations, and enforcement concerning cybersecurity and data privacy.

This article provides an overview of the key issues health care, pharmaceutical, and biotech companies face with regard to cybersecurity and data privacy.  The article begins with a discussion of federal regulations, guidance, and enforcement actions.  With myriad federal regulators asserting jurisdiction to regulate data security, companies are subject to an increasingly complex regulatory framework.  The article also reviews certain notable state regulations and guidance that address cybersecurity and data security issues, and briefly summarizes some of the key issues related to data privacy outside the United States.  Finally, the article closes with a discussion of the private civil litigation that can result from a data breach.

________________________________________

Table of Contents

1.    Federal Regulation, Enforcement, and Guidance
1.1    Federal Trade Commission
1.1.1    Authority to Regulate Privacy and Cybersecurity
1.1.2    Enforcement
1.1.3    Guidance
1.2    Department of Health and Human Services
1.2.1    Applicability to Health Care, Pharmaceutical, and Biotech Companies
1.2.2    The Privacy Rule
1.2.3    The Security Rule
1.2.4    The Breach Notification Rule
1.2.5    HHS OCR Enforcement
1.3    Securities and Exchange Commission
1.3.1    Guidance
1.3.2    Enforcement
1.4    Food and Drug Administration
1.4.1    Guidance
1.4.2    Enforcement
2.    State Regulation, Enforcement, and Guidance
3.    International Issues
3.1    Key Non-U.S. Regulators
3.2    EU-U.S. Safe Harbor and Data Transfer
3.3    New European Regulations: NIS and GDPR
3.4    New Asia-Pacific Regulations
4.    Civil Litigation
4.1    Data that Creates Exposure to Civil Litigation
4.1.1    Consumer Data
4.1.2    Employee Data
4.1.3    Intellectual Property and Trade Secrets
4.2    Theories of Liability
4.2.1    Common Law Liability—Negligence and Related Theories
4.2.2    Statutory Liability
4.2.3    Contractual Liability
4.3    Standing in Data Breach Litigation
4.4    Shareholder and Securities Litigation
4.4.1    Shareholder Derivative Litigation
4.4.2    Securities Class Action Litigation
5.    Conclusion

________________________________________

1.    Federal Regulation, Enforcement, and Guidance

There is no single regulatory body tasked with enforcing a uniform set of cybersecurity standards.  For many years, the Federal Trade Commission ("FTC" or the "Commission") and the Department of Health and Human Services ("HHS") have been the primary federal regulators in the cybersecurity area.
Recently, however, a number of other federal regulators have also entered the arena and have issued guidance and/or taken legal action against companies that allegedly have failed to implement adequate cybersecurity measures.  These regulators include the Securities and Exchange Commission ("SEC"), the Food and Drug Administration ("FDA"), the Federal Communications Commission ("FCC"), the Consumer Financial Protection Bureau ("CFPB"), the Department of Energy ("DOE"), the Federal Deposit Insurance Corporation ("FDIC"), and the Financial Industry Regulatory Authority ("FINRA"), among others.

Although there are many federal regulators asserting jurisdiction over cybersecurity issues, the primary cybersecurity and privacy regulators for health care, pharmaceutical, and biotech companies (and those covered in this article) are the FTC, HHS, SEC, and FDA.  The recent trends in guidance and enforcement actions by these agencies are described below.

1.1     Federal Trade Commission

1.1.1     Authority to Regulate Privacy and Cybersecurity

The FTC derives its authority to regulate cybersecurity practices from Section 5 of the FTC Act, which states that "unfair or deceptive acts or practices in or affecting commerce, are . . . unlawful."[1]  Because the FTC Act dates to 1914, it does not mention cybersecurity.  However, the FTC has long taken the position that Congress intended "unfair" practices to be defined broadly and flexibly to allow the agency to effectively protect consumers as the economy and technology develop.[2]

The FTC first asserted that its authority under Section 5 encompassed investigating and prosecuting companies for insufficient data security procedures in 2002.[3]  Since that time, the FTC has brought more than 60 data security cases—with more than half of those initiated since 2010.
Although most FTC enforcement actions have settled with a company agreeing to a consent order (discussed further below), there have been several high-profile challenges to the FTC’s authority to bring data security enforcement actions.  For example, companies have argued that Congress did not intend for the FTC to have broad regulatory authority over corporate cybersecurity practices under the FTC Act.[4]

While courts have thus far accepted the FTC’s assertions of jurisdiction, a case regarding that issue is currently pending before the Eleventh Circuit.  The case involves LabMD, a now-defunct medical testing laboratory.  In 2013, the FTC sued LabMD, alleging that the company had failed to "develop, implement, or maintain a comprehensive information security program" to protect consumers’ sensitive personal and health information.[5]  After an Administrative Law Judge ruled in favor of LabMD on the company’s argument that the FTC lacked authority to bring the action, the Commission overturned that decision and entered an order against the company.  LabMD sought relief from the Eleventh Circuit, challenging the FTC’s broad regulatory authority over cybersecurity practices.[6]  Oral argument was heard on June 21, 2017, but the case remains pending; a three-judge panel granted LabMD’s request to stay enforcement of the FTC’s decision pending appeal.[7]

1.1.2     Enforcement

As noted above, the FTC has used its regulatory authority to initiate a number of civil enforcement actions in recent years.  When the FTC brings these actions, data security liability under Section 5 is governed by a "reasonableness" test.  This test considers data security measures (and statements made about such measures) in light of factors such as the sensitivity and volume of consumer information being stored; the size and complexity of the data storage operations; and the costs and benefits of taking additional steps to improve security and reduce vulnerabilities within the system.
The FTC has stressed that because a perfect data security system is neither expected nor required, the mere fact that a data breach occurred will not necessarily subject a company to liability—so long as the security system and all statements issued about it were reasonable under the circumstances.  The LabMD case described above is relatively unique because most enforcement actions brought by the FTC are not litigated but, rather, result in the FTC entering into a consent order with the targeted company.  Consent orders often include civil penalties and require that companies establish comprehensive security programs subject to independent audits or monitoring for up to 20 years; agree to make no misrepresentations regarding their handling of consumer data; and agree to notify consumers about the data breach and about methods to safeguard their personal information.[8]

1.1.3     Guidance

The FTC also has issued cybersecurity guidance to companies falling within its purview.  For example, in June 2015 the FTC launched the "Start with Security" business education initiative.[9]  The initiative includes guidance for businesses drawing on lessons learned from the data security cases previously brought by the FTC.  The guidance outlines ten steps to implement in order to achieve effective data security.  The steps are high-level, consisting of general advice such as "control access to data sensibly"; "require secure passwords and authentication"; "secure remote access to your network"; and "make sure your service providers implement reasonable security measures."

In September 2016, the FTC published a guide specifically relating to data breaches, Data Breach Response: A Guide for Business.[10]  The guide features steps for securing operations, preventing additional data loss, fixing vulnerabilities, and notifying the appropriate parties of a data breach—including law enforcement, regulators, affected businesses and individuals, and the media.
In May 2017, the FTC also launched a new website, ftc.gov/SmallBusiness, that includes articles, videos, and other information aimed at helping small businesses protect their computers and networks from scams and cyberattacks.[11]

Notably, whether or not a company follows the FTC’s cybersecurity guidance has been cited as a factor in determining liability in FTC enforcement actions.  For example, in FTC v. Wyndham Worldwide Corp., the Third Circuit held that the defendant was on sufficient notice that its cybersecurity practices fell short of the FTC’s cybersecurity standards.[12]  In reaching its decision, the court pointed to several FTC publications and enforcement actions regarding cybersecurity, and noted that the company should have been aware that its practices fell short of those the FTC had previously deemed necessary.[13]

The FTC seems determined to maintain its position as the primary federal regulator of cybersecurity issues, as evidenced by recent statements regarding the regulation of broadband providers.  In March 2017, Acting FTC Chair Maureen K. Ohlhausen issued a statement, together with the Chair of the FCC, stating that "jurisdiction over broadband providers’ privacy and data security practices should be returned [from the FCC] to the FTC, the nation’s expert agency with respect to these important subjects."[14]  Ohlhausen expressed that all online actors should be governed by the same rules, enforced by one agency, stating that:

"the federal government shouldn’t favor one set of companies over another—and certainly not when it comes to a marketplace as dynamic as the Internet.  So going forward, we will work together to establish a technology-neutral privacy framework for the online world.  Such a uniform approach is in the best interests of consumers and has a long track record of success."
1.2     Department of Health and Human Services

The United States Department of Health and Human Services Office for Civil Rights ("HHS OCR") has enforcement responsibility for the Health Insurance Portability and Accountability Act of 1996 ("HIPAA").  HIPAA provides a comprehensive framework for the use and disclosure of certain protected health information ("PHI").  Its requirements govern how such data may be used (the "Privacy Rule"); the physical, technical, and administrative security standards that companies must have in place (the "Security Rule"); and notice obligations in the case of unauthorized use or disclosure (the "Breach Notification Rule").

Enacted in 1996, HIPAA is in many ways the oldest and most well-developed data security regime under federal law.  Although most other government agencies have only begun to address cyber-related issues in recent years, HHS OCR has been addressing these issues for more than two decades.

There has been a recent increase in both attention and enforcement proceedings related to HIPAA.  As data security gets more attention, HHS OCR has increased the aggressiveness and scope of its enforcement efforts.  Moreover, as health care companies increasingly become the target of cyberattacks, HIPAA has emerged as a key backdrop for all sorts of data breach litigation, in cases brought by both the government and private plaintiffs.

1.2.1     Applicability to Health Care, Pharmaceutical, and Biotech Companies

HIPAA regulations are directly applicable to "covered entities," which include health plans (e.g., insurers), certain health care providers (e.g., hospitals), and health care clearinghouses.  However, HIPAA also is applicable to "business associates" of those covered entities, including companies that perform functions or activities on behalf of, or provide certain services to, a covered entity that involve the use or disclosure of individually identifiable health information.
By the very nature of their businesses, health care, pharmaceutical, and biotech companies are very likely to encounter some type of protected health information.  Although not every such company will be covered by HIPAA, many will, at least in some capacity.  Indeed, it is possible that certain aspects of a company’s business will be covered, for example, in its role as a business associate, even while others may not.

1.2.2     The Privacy Rule

The HIPAA Privacy Rule[15] establishes a set of standards for the protection of certain health information, and requires that covered entities and business associates use or disclose PHI only as permitted by the rule.[16]  Although the rule is meant to allow for ordinary business operations, the regulations are nonetheless complicated and demand significant attention.  Uses generally permitted under the rule include those connected with the treatment of a patient, payment requests, and a company’s own health care operations (e.g., quality assessment and improvement activities).[17]  There is also a hierarchy of other permitted uses, which are organized according to the type of permission or authorization required: some uses are permitted only with express patient authorization (e.g., commercial sale of PHI);[18] other uses require an opportunity for the individual to agree or object (e.g., listing in facility directories or for disaster relief purposes);[19] and finally, some uses are permitted even without authorization, so long as certain protections are in place (e.g., in litigation when there is a HIPAA-qualified protective order in place).[20]  The Privacy Rule also establishes standards that govern the use of PHI for marketing purposes (e.g., prescription refill reminders),[21] research purposes,[22] and reporting related to public health activities, including reporting to the FDA.[23]  The Privacy Rule is directly applicable to both covered entities and business associates, and also requires that covered entities 
have agreements in place with their business associates that limit the use of PHI to the specific purposes enumerated by the agreement and permitted by HIPAA.[24]  Before using or disclosing PHI in any fashion, it is important to understand how HIPAA treats that type of use under the hierarchy just described, and what rules therefore might apply.

1.2.3     The Security Rule

Whereas the Privacy Rule establishes how and when protected information may be used and disclosed, the Security Rule establishes standards for how that information must be protected.[25]  The Security Rule references a variety of administrative, technical, and physical safeguards, and it includes required standards and implementation specifications related exclusively to electronic PHI ("ePHI").  Those standards and specifications deal at a relatively granular level with system requirements where ePHI is kept or stored.  For example, HIPAA includes implementation specifications that govern encryption, automatic logoff, password management, and other detailed issues.  Like the Privacy Rule, the Security Rule is also directly applicable to business associates.

Importantly, the Security Rule also requires that companies "conduct an accurate and thorough assessment of the potential risks and vulnerabilities to . . . electronic protected health information."[26]  These mandatory HIPAA risk assessments can be complicated and time-consuming, and HHS OCR has demonstrated its willingness to take enforcement action where a comprehensive and up-to-date assessment is not in place, as discussed below.  A risk analysis process includes: (1) evaluating the likelihood and impact of potential risks to ePHI; (2) implementing appropriate security measures to address the risks identified in the risk analysis; (3) documenting the chosen security measures and, where required, the rationale for adopting those measures; and (4) maintaining continuous, reasonable, and appropriate security protections.  
Every company that deals with ePHI should therefore carefully evaluate its obligation to conduct a risk analysis and ensure it has a current, well documented, and comprehensive assessment in place.

1.2.4     The Breach Notification Rule

The third major component of HIPAA is the Breach Notification Rule.[27]  Under the Breach Notification Rule, a covered entity must report unauthorized uses or disclosures of PHI to the government, the media, and affected individuals, with certain exceptions for small breaches.[28]  Business associates are required to report breaches to the covered entity.[29]  Under HIPAA, a breach is (1) the acquisition, access, use, or disclosure (2) of PHI (3) in a manner not permitted under the HIPAA Privacy Rule (4) that compromises the security or privacy of the PHI.[30]  Any disclosure of PHI in a manner not permitted under the Privacy Rule is presumed to be a breach unless the covered entity performs a required "Risk Assessment" under 45 C.F.R. § 164.402(2) and demonstrates that there is a "low probability that the [PHI] has been compromised."  Generally speaking, breach notifications must be sent within 60 days of the discovery of the breach.[31]  HIPAA’s notification obligations are in addition to state law requirements, which may impose notice obligations of shorter than 60 days.

1.2.5     HHS OCR Enforcement

HHS OCR has increased its enforcement efforts related to HIPAA in recent years.  Several recent enforcement actions illustrate the types of incidents that can draw scrutiny from HHS OCR and the types of failures under the Privacy and Security Rules that can lead to large settlements.[32]

In April 2017, HHS OCR announced the first ever settlement involving a wireless health service provider, CardioNet, which provides mobile monitoring and rapid response to patients with cardiac arrhythmias.  
CardioNet agreed to pay $2.5 million in a HIPAA settlement after an employee’s laptop containing the ePHI of over 1,300 individuals was stolen from a parked vehicle.[33]  OCR’s investigation revealed that CardioNet’s policies and procedures were in draft form and had not yet been implemented, and CardioNet had "insufficient risk analysis and risk management processes in place."

In February 2017, Memorial Healthcare System paid a $5.5 million HIPAA settlement with HHS.[34]  Memorial Healthcare System reported to HHS OCR that the ePHI of more than 115,000 individuals had been impermissibly accessed by its employees and improperly disclosed to affiliated physician office staff when the login credentials of a former employee had been used to access ePHI on a daily basis without detection for a year.  HHS noted that although Memorial Healthcare System had workforce access policies and procedures in place, it failed to implement the procedure with regard to reviewing, modifying, or terminating users’ rights of access.

In January 2017, HHS OCR issued a notice of Final Determination and a $3.3 million civil monetary penalty against Children’s Medical Center of Dallas ("Children’s") following impermissible disclosure of ePHI and many years of alleged non-compliance with the Security Rule.[35]  The penalty followed several separate incidents resulting in the loss of ePHI, including loss of an employee’s BlackBerry and theft of an unencrypted laptop.  OCR’s investigation of these incidents revealed that Children’s failed to implement risk management plans even after they received external recommendations to do so, and they failed to deploy encryption measures on their devices, despite knowledge of the risk of maintaining unencrypted devices containing ePHI.  
The OCR Acting Director stated that "[a]lthough OCR prefers to settle cases and assist entities in implementing corrective action plans, a lack of risk management not only costs individuals the security of their data, but it can also cost covered entities a sizable fine."

In November 2016, the University of Massachusetts – Amherst ("UMass") agreed to pay $650,000 and enter a corrective action plan to settle alleged HIPAA violations.[36]  UMass reported to OCR that "a workstation . . . was infected with a malware program, which resulted in the impermissible disclosure of electronic protected health information (ePHI) of 1,670 individuals, including names, addresses, social security numbers, dates of birth, health insurance information, diagnoses and procedure codes."[37]  According to OCR, UMass "determined that the malware was a generic remote access Trojan that infiltrated their system, providing impermissible access to ePHI, because UMass did not have a firewall in place."[38]  OCR’s investigation found that UMass had failed to categorize components of its operations appropriately under HIPAA, resulting in ePHI being present on systems that were not HIPAA compliant.  OCR’s investigation also faulted UMass for its failure to complete an accurate and thorough risk analysis and the lack of a firewall.

In August 2016, Advocate Health Care System ("Advocate") agreed to pay $5.55 million to settle a variety of HIPAA violations.[39]  Among the violations was a data breach of Advocate’s subcontractor billing company that exposed sensitive patient information.  HHS found that Advocate failed to obtain written assurances from its business associate that electronic patient data would be appropriately protected.
Finally, in December 2015, the University of Washington ("UW") agreed to pay $750,000 and enter into a corrective action plan to resolve allegations that it violated the HIPAA Security Rule.[40]  OCR initiated an investigation of UW after it received a breach report indicating that ePHI for more than 90,000 individuals was "accessed after an employee downloaded an email attachment that contained malicious malware."[41]  According to OCR, the malware "compromised the organization’s IT system," including patient data such as names, medical record numbers, dates of service, bill balances, social security numbers, and insurance identification or Medicare numbers.[42]  OCR’s investigation found that UW failed to ensure that its affiliates conducted risk assessments and responded to risks and vulnerabilities in their environments.

1.3     Securities and Exchange Commission

In the last few years, the SEC has increased its focus on cybersecurity, particularly in the areas of protecting client data, creating disclosure standards for cybersecurity risks and incidents, and ensuring the orderly functioning of the markets.  In May 2016, then-SEC Chair Mary Jo White explained that cybersecurity is the biggest risk facing the financial system, stating that the "[SEC] can’t do enough in this sector[.]"[43]  The SEC’s Office of Compliance Inspections and Examinations identified cybersecurity as one of its examination priorities in 2015, 2016 and 2017.[44]  And most recently, Trump administration officials reiterated the SEC’s dedication to cybersecurity issues and enforcement, with SEC Chairman Jay Clayton affirming that the SEC is working "to improve [its] ability to receive critical information and alerts and react to cyber threats."[45]

In addition, as explained below, the SEC staff has issued disclosure guidance relating to cybersecurity that is applicable to all public companies, including those in the health care, pharmaceutical, and biotech industries.  
1.3.1     Guidance

In 2011, the SEC staff released CF Disclosure Guidance: Topic No. 2, which relates to public company disclosures regarding cybersecurity risks and cyber incidents.[46]  The guidance provides that registrants should disclose risks of cybersecurity incidents if "these issues are among the most significant factors that make an investment in the company speculative or risky."[47]  The guidance provides recommendations on a number of topics.  For example, the SEC instructs that companies should disclose the risk of cyber incidents and that disclosures should not be generic or boilerplate.  However, companies are not required to disclose threats if doing so would compromise the companies’ cybersecurity.  The guidance also advises that companies should address cybersecurity risks in their Management’s Discussion and Analysis of Financial Condition and Results of Operations ("MD&A") if the costs associated with the risks are likely to have a material effect on the company’s operations, liquidity, or financial condition, or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.  The SEC staff further advises that companies should disclose cyber incidents that materially affect their operations in their Description of Business and Legal Proceedings disclosures.  Finally, the SEC staff provides guidance on how to account for cybersecurity risks and incidents in company financial statements.

Additionally, in a June 2014 speech, then-SEC Commissioner Luis A. Aguilar provided boards of directors with important, albeit informal, cybersecurity guidance.[48]  He advised that boards of directors should ensure the adequacy of a company’s cybersecurity measures and, as a guide, should look to the industry standards and best practices described in the Framework for Improving Critical Infrastructure Cybersecurity, released by the National Institute of Standards and Technology ("NIST").  
Commissioner Aguilar’s other recommendations included cyber-risk education for directors, creating a separate enterprise risk committee on the board, ensuring that the company has cyber-risk management personnel who report regularly to the board, and developing a well-constructed, deliberate company cyber incident response plan.[49]

The SEC also issued a Ransomware Alert in response to the WannaCry ransomware attack of May 2017, which affected numerous organizations in over one hundred countries.[50]  The alert explained how hackers gain access to servers, and encouraged organizations to review the alert published by the U.S. Department of Homeland Security’s Computer Emergency Readiness Team and evaluate whether applicable operating system patches had been installed.  The SEC alert also discussed the importance of conducting periodic cyber-risk assessments, conducting penetration tests and vulnerability scans, and updating system maintenance.

1.3.2     Enforcement

To date, the SEC has brought only a few cybersecurity enforcement actions, involving companies’ failure to adequately safeguard their customers’ personal information.  The enforcement actions involved companies in the financial sector and alleged violations of Rule 30(a) of Regulation S-P, also known as the "Safeguards Rule."  This regulation requires brokers, dealers, investment companies, and registered investment advisers to "adopt written policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information."[51]

In 2015, investment adviser R.T. Jones Capital Equities Management agreed to pay a $75,000 penalty as a settlement for the firm’s failure to establish cybersecurity policies and practices.[52]  The penalty was levied in response to a June 2013 breach of the company’s server, which exposed the personal information of 100,000 customers.  
On April 12, 2016, Craig Scott Capital agreed to pay $100,000 to resolve allegations that it violated the Safeguards Rule by using email addresses other than those with the company’s domain name to electronically receive more than 4,000 faxes from customers and other third parties.[53]  The SEC found that this practice was evidence of a "failure to adopt written policies and procedures reasonably designed to insure the security and confidentiality of customer records and information."

On June 8, 2016, Morgan Stanley agreed to pay a $1 million penalty to settle charges "related to its failures to protect customer information, some of which was hacked and offered for sale online."[54]  These alleged failures included the company’s decision not to conduct auditing or testing of its "portals" that allowed for access to customer data.[55]  As a result of these failures, the company suffered a breach, which exposed customer data on the internet.  Despite the fact that Morgan Stanley had acted quickly to respond to the breach, take the customer data offline, and alert the proper authorities, the SEC found that Morgan Stanley violated the "Safeguards Rule."[56]

In each of these matters, the SEC found against the companies even though there was no apparent financial harm to their customers.  Thus, companies should be aware that lax cybersecurity standards could lead to an SEC enforcement action even if there is no appreciable harm to customers resulting from such practices.  That said, it is important to note that these cases involved companies in the financial sector, which are subject to the SEC’s Regulation S-P.  It is not clear whether the SEC would treat companies outside the financial sector (and not subject to Regulation S-P) in a similar manner.  
In addition, while the SEC has now acted three times against companies for failure to protect investor data, it has yet to initiate an enforcement action against a company for the failure to disclose a cybersecurity incident or threat.  However, in April 2016, the SEC warned that it expects to initiate more cybersecurity enforcement actions in the future.[57]

1.4     Food and Drug Administration

Thus far, the FDA has not been a leader in cybersecurity enforcement.  In fact, a recent report analyzing the FDA’s cybersecurity regulatory practices criticized the FDA as being "in a constant state of offering subtle suggestions where regulatory enforcement is needed."[58]

In the absence of clarity on the agency’s cybersecurity priorities based on past enforcement actions, health care, pharmaceutical, and biotech companies should pay particular attention to recent cybersecurity guidance issued by the FDA.  The guidance is most applicable to medical device companies, as medical devices have been the primary focus of those guidance efforts.

1.4.1     Guidance

In December 2016, the FDA released the Postmarket Management of Cybersecurity in Medical Devices Guidance, which outlines steps manufacturers should take to continually address cybersecurity risks associated with medical devices.[59]  The "Internet of Things" (which refers to everyday objects, such as thermostats and refrigerators, with connectivity to the Internet) now includes medical devices, which are often connected to both the Internet and hospital intranets and are vulnerable to cyberattacks.  The FDA’s guidance is aimed at ensuring the security of such devices in light of these vulnerabilities.  To that end, the FDA recommends that medical device manufacturers conduct routine post-market surveillance of their products and develop programs to assess the cyber risks that could potentially be associated with their products.  
In January 2017, the FDA held a webinar on the guidance.[60]  The 2016 guidance follows guidance issued by the FDA in 2014 regarding pre-market steps medical device companies should take to implement security into the design and development of medical devices.[61]

1.4.2     Enforcement

In April 2017, the FDA sent a warning letter to Abbott (St. Jude Medical Inc.), marking its most public enforcement effort to date in the cybersecurity space.[62]  Specifically, the letter addressed alleged cybersecurity issues related to Abbott’s at-home monitoring devices.  It remains to be seen, however, whether this is the beginning of a trend of FDA enforcement actions related to cybersecurity, or an isolated foray into the field.

2.     State Regulation, Enforcement, and Guidance

State attorneys general play a significant role in policing cybersecurity issues.  Several states have enacted statutes or regulations that establish specific cybersecurity standards.[63]  State attorneys general also use state consumer protection laws, including laws patterned after the FTC Act (known as "Little FTC Acts"), and the Uniform Deceptive Trade Practice Act to address data security issues using theories analogous to those applied by the FTC in enforcing Section 5 of the FTC Act.  Companies may look to FTC guidance (supra, Section 1.1.3) to understand what these state analogues typically require with regard to data security practices.

In addition, nearly every state has adopted laws that impose notification requirements on entities that have suffered a data breach.  
These laws generally contain provisions describing who must comply with the law (e.g., businesses, data/information brokers, government entities); definitions of "personal information" (e.g., name combined with social security number, driver’s license or state ID numbers, account numbers); what constitutes a breach (e.g., unauthorized acquisition of data); requirements for notice (e.g., timing or method of notice, who must be notified); and exemptions (e.g., for encrypted information).  State attorneys general have brought enforcement actions pursuant to these provisions.[64]  One such action revolves around Target’s 2013 data breach that resulted in the theft of the names, credit card numbers, and email addresses of approximately forty million customers.  In May 2017, Target reached an $18.5 million settlement agreement with forty-seven state attorneys general and the District of Columbia.[65]  In addition to the monetary settlement, Target agreed to better maintain software encryption programs, separate cardholder data from its normal computer network, and pay for an independent assessment of its security efforts.

Some states also have issued specific guidance or regulations on data security.  In 2014, the California Attorney General released "Cybersecurity in the Golden State," a framework for protecting against and responding to data breaches and other cyber incidents.[66]  The California report, like other guidance, emphasizes risk assessment, involvement from a company’s leadership, adherence to industry best practices, training and education, and incident response planning.  Likewise, in New York, new regulations relating to data security standards in the financial industry have recently come into effect; these regulations may affect many health insurance providers, among others.[67]  Companies should be aware of the regulations in those states in which they do business.

3.     International Issues

3.1     Key Non-U.S. Regulators

In addition to the many U.S. government regulations, companies with operations overseas must also consider data protection regulations of foreign jurisdictions.  Prominent foreign regulators include those in the European Union (European Data Protection Supervisor), the United Kingdom (Information Commissioners Office – ICO), Germany (the Federal Data Protection Commissioner, the states’ Data Protection Authority), and Canada (Office of the Privacy Commission of Canada, provincial Information and Privacy Commissioners).  While a full discussion of cybersecurity requirements outside the United States is beyond the scope of this article, every company should evaluate the laws, regulations, and other requirements of each country in which it operates so that it complies with all applicable requirements and is prepared to interact quickly with regulators in the event of a breach.

3.2     EU-U.S. Safe Harbor and Data Transfer

One important international privacy law issue for many companies involves European data transfer law, which governs the protection of personal data in the European Union and limits how U.S.-based companies may use and transfer data originating in Europe.

The Charter of the Fundamental Rights of the European Union (the "Charter") creates a right to protection of personal data.[68]  The European Union also issued Directive 95/46/EC ("EU Data Protection Directive") in 1995, governing the protection of individuals with regard to the processing of their personal data within the EU.[69]  Article 28(1) of the EU Data Protection Directive requires Member States to establish public authorities responsible for independent monitoring of compliance with EU rules on the protection of individuals and processing of personal data.  
Article 25(1) of the EU Data Protection Directive also specifies a principle that transfers of personal data from the Member States to third countries may take place only if the third country ensures an "adequate level of protection."[70]

To facilitate international commerce between EU Member States and the United States, the U.S. Department of Commerce issued the Safe Harbor Privacy Principles (the "Safe Harbor") in 2000.[71]  The Safe Harbor included a number of principles on protection of personal data to which U.S. companies could subscribe voluntarily.  For years, the Safe Harbor was used by U.S. organizations receiving personal data from the EU.  Companies pledged adherence to Safe Harbor principles through a process of self-certification.  Despite European acceptance of the Safe Harbor for many years, the Safe Harbor became increasingly questioned, with EU policymakers calling for an overhaul of the system.  Then, in 2015, the European Court of Justice ("ECJ") invalidated the EU-U.S. Safe Harbor.[72]

In mid-2016, the U.S. Department of Commerce announced the approval of the EU-U.S. Privacy Shield Framework ("Privacy Shield"), which replaces the Safe Harbor.  The Privacy Shield allows U.S. businesses to develop a conforming privacy policy, identify an independent recourse mechanism, and self-certify through a Commerce Department website.  Among other benefits, the Privacy Shield states that participating organizations will be deemed to provide "adequate" privacy protection for the transfer of personal data outside of the European Union under the EU Data Protection Directive.[73]

However, legal challenges against the Privacy Shield already have been filed, asserting many of the same arguments used against the Safe Harbor.  
Given the potential that the Privacy Shield, like the Safe Harbor, may be disallowed by the ECJ, companies would be well-served to consider a "belt and suspenders" approach to data transfer, pairing Privacy Shield participation with the adoption of other measures—such as Binding Corporate Resolutions ("BCRs") regarding the manner in which the company will handle EU data that can facilitate such transfers in accordance with EU law.

3.3     New European Regulations: NIS and GDPR

In 2016, the European Union announced the adoption of the Network and Information Security ("NIS") Directive and General Data Protection Regulation ("GDPR"), which will go into effect in May 2018.  The GDPR establishes security and notification provisions to protect personal data, while the NIS establishes security obligations for operators of essential services and digital service providers.  The NIS and GDPR, taken together, amount to a comprehensive overhaul of EU data protection regulations, and impose steep penalties for non-compliance.  These regulations deserve close scrutiny from any company performing business in Europe or processing data on EU residents.

The United Kingdom has repeatedly reaffirmed its commitment to data privacy in the wake of its decision to exit the European Union.  For example, in a June 2017 speech, Queen Elizabeth II outlined the UK’s proposed Data Protection Bill, which would replace the Data Protection Act of 1998.[74]  Importantly, the UK will implement the EU’s GDPR while the UK is still a member of the EU.  Once the UK has left the European Union, the UK appears poised to enable members of the UK to have the same ability to share data with the EU as they did previously.
3.4     New Asia-Pacific Regulations

On June 1, 2017, a new Chinese law went into effect that "bans the collection and sale of users’ personal information" and requires that firms store sensitive user data on servers in China.[75]  Commentators have expressed concerns with the new law because it is unclear what information will be considered sensitive.  Additionally, the scope of some of the key provisions of the law, such as the requirement that companies submit their products to the Chinese government for cybersecurity checks, remains unknown.  It is unclear how often such checks will be required and how the Chinese government will determine what products need to be checked.[76]  Failure to comply with the new law could result in fines up to one million yuan (about $150,000) and potential criminal charges.[77]

4.     Civil Litigation

In addition to government regulatory action, in the wake of a data breach companies handling sensitive data also face the risk of private civil litigation.  To date, pharmaceutical and biotech companies have not been frequent targets of such litigation.  But because no company is immune in the wake of a cyberattack, any comprehensive data security assessment and plan should account for the specific risks posed by civil litigation.

This section (1) provides an overview of the types of information that create the greatest exposure to civil litigation, (2) reviews the most common theories of liability in civil litigation, and (3) discusses the key issue of a plaintiff’s standing to bring data breach litigation.

4.1     Data that Creates Exposure to Civil Litigation

4.1.1     Consumer Data

Most data security litigation is premised on the loss or exposure of consumer data.  Often, these cases involve retailers, health care providers, and technology companies that collect personal identifying information ("PII") from customers, including names, addresses, credit card numbers, and social security numbers.  
Any amount of consumer data—if accessed in a data breach—can create exposure for a company.  Indeed, while the greatest risks come from purported class actions involving compromises of hundreds of thousands of consumers’ information, plaintiffs have shown a willingness to bring suits even when far fewer consumer records are exposed in a breach.[78]  As such, health care, pharmaceutical and biotech companies should understand and identify what consumer data they collect and retain as part of their business operations, whether it is from clinical trials, customer lists, or other sources.

4.1.2     Employee Data

Data breach litigation also can be premised on the loss or exposure of employee data.  Most companies have extensive information about their employees, including PII (e.g., name, address, social security number), financial information (e.g., bank account numbers, retirement account numbers), and even protected health information (e.g., medical insurance information, disability claims information).  Large companies may maintain such information for tens or even hundreds of thousands of individuals.  To facilitate business functions related to human resources, benefits administration, and information technology systems, among other things, this information is often centrally managed and accessible.  It is no surprise, then, that employee data can be a rich target for cyber criminals.  The loss of such data inevitably gives rise to civil litigation.  
In one high-profile data breach, for example, employees at a media company sued their employer for allegedly failing to protect their personal data, claims that the company eventually settled for more than $8 million.[79]

4.1.3     Intellectual Property and Trade Secrets

Although the vast majority of data breach litigation is based on the loss of consumer or employee data, health care, pharmaceutical, and biotech companies also may face a risk of litigation related to the theft of intellectual property or trade secrets during any data breach.  For companies that depend on research, development, and innovation to drive their business, loss of such information can be highly costly in its own right.  Although it has not been the basis of many prominent cases to date, theft of that information could also give rise to private litigation, whether from business partners, shareholders, or other affected groups.

4.2     Theories of Liability

Data breach litigation is a relatively new area, with most cases having been filed within the last five years.  As such, few cases have proceeded to adjudication on the merits—whether through summary judgment or trial—and therefore substantive standards of liability are underdeveloped.  There are, however, several common theories of liability that plaintiffs routinely advance.  Under any of these claims, a company’s liability will, of course, depend on the facts of the case.  But in evaluating the risks associated with a data breach, companies should be mindful of how their actions could be viewed under different legal theories.  Some of the common claims and legal theories that have been advanced by plaintiffs are discussed below.

4.2.1     Common Law Liability—Negligence and Related Theories

The most common claim in data breach litigation is common law negligence.  
Plaintiffs argue that companies have a duty to provide security for customer, employee, and other sensitive information, and that a company violates that duty by failing to protect against a data breach.[80]  In negligence cases, the fundamental standard against which companies are judged is "reasonableness"—that is, did the company take reasonable precautions to understand risks, prepare for, and prevent a data breach.  In the event of a breach, the reasonableness of a company’s response, including adequate breach notification under relevant notice statutes (discussed below), is equally important.  Until a body of case law develops to determine what is considered "reasonable," the touchstone for reasonableness is likely to be the government guidance discussed in Section 2 above, along with industry best practices.  Even then, given the rapidly evolving nature of cyber threats and defenses, reasonableness is likely to be a moving target.

In addition to negligence, other common law theories of liability advanced by plaintiffs include invasion of privacy,[81] unjust enrichment,[82] negligent misrepresentation, and fraud.[83]  Compared to negligence, which plaintiffs allege in almost every case, these are secondary theories of liability.  But they present some unique risks.  For example, to guard against the risk of negligent misrepresentation and fraud claims (in addition to securities actions and FTC enforcement actions, among others), companies must remain attuned to what they say and represent about their security practices, not only the objective reasonableness of those practices.

4.2.2 Statutory Liability

There are also several federal and state statutes that, in certain circumstances, provide for a private right of action for an individual plaintiff in cases of data breaches.
At the federal level, plaintiffs have attempted to bring suit under a variety of federal statutes in the wake of data breaches, including the Fair Credit Reporting Act,[84] the federal Privacy Act,[85] and the Stored Communications Act.[86]  Thus far, plaintiffs have not been very successful under these statutes,[87] which tend to require intentional or knowing behavior that results in a disclosure of information, and therefore are inapplicable to most data breach situations (where a company, along with its consumers or employees, is a victim of a criminal third party).  As such, these federal statutes, as interpreted and applied to date, have presented a relatively low risk in the civil litigation context—at least insofar as data breaches are concerned.[88]

At the state level, there are several different theories of liability that plaintiffs have pursued with more success.  First, state consumer protection statutes often provide plaintiffs with private causes of action for unfair and deceptive trade practices, and plaintiffs have been able to use such statutes to pursue data breach litigation premised on those allegedly unfair business practices.[89]  Like FTC enforcement actions and claims premised on fraud and misrepresentation, these claims are most often based on statements a company makes about its data security practices, and are most successful when those statements are inconsistent with a company’s actual practices.
Second, some states have passed laws or regulations specific to data security or consumer records.[90]  And third, nearly every state also has a data breach notification statute that requires companies to notify consumers in the event of a data breach.[91]  Most data breach litigation includes at least some of these state law claims in addition to the common law theories of liability discussed above.[92]  And in nationwide breaches, companies can often face numerous state law claims from different jurisdictions.[93]

4.2.3 Contractual Liability

Health care, pharmaceutical, and biotech companies may also be subject to liability, based on an express or implied contract, for data security issues that affect their customers or business partners.[94]  Although these theories are less common than negligence-based and statutory theories brought by customers, their existence counsels in favor of careful consideration of contractual approaches to limiting risk in the event of a data breach.[95]

There is also the potential for more novel theories of contractual liability.  For example, an area of risk for biotech companies is the possibility that medical devices may be hacked to create a "back-door" into networks at health care companies.  Indeed, some reports have warned against a threat of cyber criminals hacking devices such as X-ray machines, CT scanners, and MRI machines—which are connected to hospital networks—to gain broader access to patient records and other sensitive information at health care providers.[96]  Contracts should address the risks of improper use of, and cyberattacks on, such devices.  Without contractual indemnification, this type of attack potentially could give rise to liability for manufacturers.

4.3 Standing in Data Breach Litigation

As noted, very few data breach cases have reached adjudication on the merits.  Instead, much of the litigation by private plaintiffs has focused on the threshold issue of whether plaintiffs have standing to pursue their cases.
Because of the importance of standing issues to data breach litigation, this issue is addressed in more detail below.

For many years, companies facing civil suits related to data breaches often succeeded at the motion to dismiss stage by arguing that plaintiffs could not show actual harm, and therefore did not have standing to pursue their claims.  As one court observed, "despite generating little or no discussion in most other cases, the issue of injury-in-fact has become standard fare in cases involving data privacy[, and] the court is hard-pressed to find even one recent data privacy case . . . in which injury-in-fact has not been challenged."[97]  Indeed, one of the first and most powerful defense tools in any data breach litigation is to challenge, with a motion to dismiss, whether a plaintiff or class of plaintiffs has sufficiently alleged actual harm.  Reflecting the importance of this issue, the Supreme Court has weighed in with two decisions in recent years that set the framework for analyzing standing in data breach cases.

In Clapper v. Amnesty International USA,[98] the Supreme Court established the test for the injury-in-fact element of Article III standing in data security cases.  In Clapper, human rights organizations and media groups challenged the constitutionality of an amendment to the Foreign Intelligence Surveillance Act that made it easier for the government to obtain wiretaps on intelligence targets outside of the United States.  The plaintiffs, all U.S. persons, alleged that they had standing because their work included privileged telephone and email communications with people who were likely foreign targets of surveillance and such communications could be intercepted in the future.  The plaintiffs also alleged that they had suffered injury by undertaking costly steps to protect their communications from surveillance.
The Supreme Court held that the allegations of potential interception of privileged communications were too speculative to sustain a claim, determining that "a highly attenuated chain of possibilities [] does not satisfy the requirement that threatened injury must be certainly impending"[99] and that plaintiffs cannot manufacture standing "merely by inflicting harm on themselves based on their fears of hypothetical future harm."[100]

Where plaintiffs might not otherwise be able to satisfy Article III standing requirements—in particular the element of actual injury—they have often tried to predicate their privacy claims on statutory rights of action, under the theory that a statutory violation is a sufficient harm to create Article III standing.  That is the issue the Supreme Court took up in Spokeo, Inc. v. Robins.[101]  In Spokeo, the plaintiff, Thomas Robins, filed a class action complaint claiming that Spokeo—which operates a "people search engine" that gathers and provides information about individuals—willfully failed to comply with the requirements of the Fair Credit Reporting Act, 15 U.S.C. § 1681e(b).[102]  The Ninth Circuit ruled that Robins had satisfied the Article III injury-in-fact requirement because "Spokeo violated his statutory rights, not just the statutory rights of other people" and his "personal interests in the handling of his credit information are individualized rather than collective."[103]

The Supreme Court vacated and remanded, holding that the Ninth Circuit’s Article III analysis was "incomplete"; although it considered whether the alleged injury was "particularized," it had "overlooked" whether Robins had also alleged a "concrete" injury.[104]  The Court explained that it has "made it clear time and time again that an injury in fact must be both concrete and particularized."[105]  An injury must be "particularized" in that it "must affect the plaintiff in a personal and individual way."[106]  But while "[p]articularization is necessary to establish injury in fact, . . . it is not sufficient" because "[a]n injury in fact must also be ‘concrete.’"[107]

While the Court did not resolve whether Robins had alleged a concrete injury, it provided guidance on the meaning of this requirement and the role that statutes play in assessing whether a plaintiff has standing under Article III.  The Court first explained that "[a]lthough tangible injuries are perhaps easier to recognize, . . . intangible injuries can nevertheless be concrete."[108]  The Court made clear that this "does not mean that a plaintiff automatically satisfies the injury-in-fact requirement whenever a statute grants a person a statutory right and purports to authorize that person to sue to vindicate that right."[109]  Rather, "Article III standing requires a concrete injury even in the context of a statutory violation."[110]  Thus, "Robins could not, for example, allege a bare procedural violation, divorced from any concrete harm, and satisfy the injury-in-fact requirement of Article III."[111]  The Court, however, noted that it is possible for a "risk of real harm" to "satisfy the requirement of concreteness," and acknowledged that "the violation of a procedural right granted by statute can be sufficient in some circumstances to constitute injury in fact."[112]

After the decisions in Clapper and Spokeo, plaintiffs have become more adept at pleading standing, and more and more suits are therefore surviving motions to dismiss.  In the immediate wake of Clapper, the majority of courts deciding data breach cases held that absent allegations of actual identity theft or other fraud, increased risk of harm alone is insufficient to confer Article III standing.[113]  But plaintiffs have succeeded in pleading the requisite "certainly impending" harm when they are able to point to alleged injuries such as unlawful charges, restricted or blocked access to bank accounts, inability to pay bills, or late payment charges or new card fees.[114]  In the short time since the Supreme Court’s decision in Spokeo, lower courts have continued to grapple with when, and how, a statutory violation can create standing.
While several courts have held that plaintiffs fail to allege a concrete injury when their harm is based on a procedural violation of a statute,[115] others have found that plaintiffs can survive under Spokeo, especially where a statute creates substantive, not only procedural, rights.[116]

One issue that could arise for health care, pharmaceutical and biotech companies in this context relates to the nature of the information they possess.  Whereas plaintiffs have had difficulty showing that mere disclosure of their identity—without more—creates standing, health-related information is more sensitive.  Thus far, medical information has not necessarily been subject to any heightened standard absent a showing of actual harm.  Indeed, several courts that have considered alleged breaches related to medical records and personal health information have declined to find standing.[117]  But as plaintiffs become more adept at pleading around the standing requirement, precisely how courts analyze standing in the context of health-related information after Clapper and Spokeo remains to be seen.

4.4 Shareholder and Securities Litigation

4.4.1 Shareholder Derivative Litigation

Some corporate data breaches also may result in shareholder derivative litigation against a company’s officers and directors, alleging breaches of fiduciary duties, mismanagement, abuse of control, and/or corporate waste relating to a company’s policies and procedures concerning cybersecurity, disclosures, and response to cyberattacks.  To date, plaintiffs have not had great success pursuing such claims.  But the risk of shareholder derivative litigation remains alive in any data breach situation, so boards and officers should be proactive in addressing cybersecurity practices and disclosures both before and after any breach to protect themselves against liability.

In Palkon v. Holmes, one of the few cases to address claims against directors and officers after a cyberattack, plaintiff filed a derivative lawsuit in the District of New Jersey against directors and officers of Wyndham Hotels.  After making a demand on the board that was refused, plaintiff brought an action asserting claims for breach of fiduciary duty, waste of corporate assets, and unjust enrichment, relating to three separate data breaches that took place between April 2008 and January 2010 and impacted more than 600,000 customers, alleging that the defendants failed to implement adequate data security mechanisms and failed to timely disclose the breaches after they occurred.[118]  In October 2014, the district court dismissed the action, finding that the board’s refusal of the shareholder demand constituted a legitimate exercise of the business judgment rule.  The court based this finding on a number of factors, including the fact that the board and audit committee had discussed the breaches and data security at numerous meetings, the company had hired technology security firms to investigate the breaches and make recommendations, and the company had begun to implement the recommendations.[119]

One of the most prominent derivative actions based on a cyberattack was brought against directors and officers of Target after a breach in 2013 compromised credit card and personal data of up to 110 million people.  In Davis v. Steinhafel, plaintiffs filed derivative lawsuits against Target directors and officers, asserting claims of breach of fiduciary duty, gross mismanagement, waste of corporate assets, and abuse of control.  Plaintiffs alleged that the defendants failed to take adequate steps to prevent a cyberattack, concealed facts from the public, and "bungled" the company’s response to the attack.
In response to the derivative lawsuits and a demand on the board, Target’s board established a Special Litigation Committee, which conducted an extensive, two-year investigation into whether it was in the corporation’s best interests to pursue any of the claims.  The Special Litigation Committee ultimately concluded that it was not in Target’s best interests to pursue such claims based on numerous factual and legal considerations, including the applicability of the business judgment rule protecting reasonably prudent good faith business decisions.[120]  After issuing a report containing its conclusions, the Committee made a motion to dismiss the action, which was unopposed by plaintiffs, and was granted in July 2016.[121]

Plaintiffs brought similar claims against directors and officers of Home Depot following another high-profile data breach.  In In re the Home Depot, Inc. Shareholder Derivative Litigation, Home Depot shareholders filed a derivative lawsuit in September 2015 in district court in Georgia.
On November 30, 2016, the court dismissed the action on grounds that shareholders failed to either demand that the board take action or demonstrate that such a demand would have been futile.[122]  Since the Home Depot plaintiffs made no demand prior to filing suit, the court turned to the issue of demand futility.[123]  To demonstrate demand futility under Delaware law, a plaintiff must plead particularized facts that establish reasonable doubt regarding the ability and willingness of the board to evaluate a demand in a disinterested manner.[124]  With regard to plaintiffs’ primary claim for breach of the duty of loyalty, the court found that "[w]hen added to the general demand futility standard, the Plaintiffs essentially need to show with particularized facts beyond a reasonable doubt that a majority of the Board faced substantial liability because it consciously failed to act in the face of a known duty to act."[125]  The court concluded that plaintiffs’ allegations that the board violated this duty by disbanding Home Depot’s infrastructure committee and moving too slowly in addressing the security breach were insufficient to overcome this "incredibly high hurdle."[126]  After arriving at a similar conclusion for the claims for corporate waste[127] and violations of Section 14(a) of the Securities Exchange Act,[128] the court held that plaintiffs’ failure to make a pre-suit demand was not excused, dismissed the case with prejudice, and permitted defendants to recover costs.[129]

Although the hurdles for success of such shareholder claims remain high, a company experiencing a major breach should be prepared for such litigation.  As the decisions to date demonstrate, in such litigation, it will be important for any defense of directors and officers to be able to show that cybersecurity risks are routinely considered and addressed, even before a breach occurs.
4.4.2 Securities Class Action Litigation

In addition to shareholder derivative litigation, in the wake of a cyberattack, there is also a risk of securities class actions premised on a company’s public disclosures about its cybersecurity practices and risks, particularly if a disclosure concerning a breach causes a significant stock price drop.

A good starting point for any company seeking to understand its obligations with regard to disclosures about data security is the SEC’s 2011 guidance.[130]  As discussed above in Section 2.3.1, the SEC has recommended that registrants make disclosures related to data security in certain circumstances, including where the risks associated with potential or actual cyber incidents represent a material event for the company or could have a material effect on the financial condition of the company.[131]

In the few securities cases that have been filed, plaintiffs have argued that companies committed securities fraud by making misleading statements about their data security practices or the risks posed by cybersecurity incidents or breaches.  For example, in January 2017, Yahoo! Inc. (now Altaba Inc.) was sued after announcements in September and December 2016 that it had suffered significant cybersecurity breaches.[132]  Thus far, however, these types of theories have been largely unsuccessful.  Indeed, in one of the few cases to address such theories, a court rejected plaintiffs’ claims and recognized that even a company’s good-faith statements can be quickly outdated given the challenges of data security issues.[133]  As one court has noted, "[t]he fact that a company has suffered a security breach does not demonstrate that the company did not place significant emphasis on maintaining a high level of security."[134]

Nonetheless, the threat of securities fraud litigation is another reason that every company should carefully evaluate its public disclosures regarding its data security practices and risks.

5. Conclusion

Given the varied cybersecurity-related regulatory and litigation risks that health care, pharmaceutical, and biotech companies face, planning, assessment, and preparation are key.  Among other things, such activities require close coordination between companies’ legal, IT, and senior management teams with regard to setting strategy; auditing areas of cyber risk; and developing, implementing, and testing response plans.  While no defense is perfect, making such preparations may help companies minimize the impact of any cybersecurity incidents when such incidents occur.

[1] 15 U.S.C. § 45(a)(1).
[2] See FTC v. Wyndham Worldwide Corp., 799 F.3d 236, 242 (3d Cir. 2015).
[3] See Fed. Trade Comm’n, "Commission Statement Marking the FTC’s 50th Data Security Settlement" (Jan. 31, 2014), available at https://www.ftc.gov/system/files/documents/cases/140131gmrstatement.pdf.
[4] See Wyndham, 799 F.3d at 247.  The hotel chain Wyndham Worldwide Corp. raised this argument (among others) in response to an enforcement action brought by the FTC in the wake of three data breaches suffered by the company.  The FTC alleged that the hotelier’s failure to use encryption, firewalls, and non-obvious passwords constituted an "unfair" practice under Section 5 of the FTC Act.  After Wyndham challenged the FTC’s ability to bring its case, in 2015 the Third Circuit unanimously upheld the FTC’s jurisdiction over such issues.  Id. at 240.  Wyndham entered into a consent order with the FTC shortly thereafter.  Press Release, Fed. Trade Comm’n, Wyndham Settles FTC Charges It Unfairly Placed Consumers’ Payment Card Information At Risk (Dec. 9, 2015), available at https://www.ftc.gov/news-events/press-releases/2015/12/wyndham-settles-ftc-charges-it-unfairly-placed-consumers-payment.
[5] Complaint, In the Matter of LabMD, Inc., No. 102-3099 (Aug. 28, 2013), No. 9357.
[6] Specifically, LabMD challenged the FTC’s authority to bring an enforcement action on three bases, arguing: (1) only HHS is empowered to regulate patient-related or health care data-security practices, and the FTC is thus preempted from initiating enforcement actions in this area; (2) Congress intended for the FTC’s Section 5 "unfairness" authority to be limited and very narrow in scope, demonstrated by the fact that Congress has enacted many other specific statutes governing data security; and (3) the FTC had failed to publish guidelines or standards for data security practices that LabMD could follow and, as a result, the company did not have fair notice as to what a violation of Section 5 would entail.  See Petition for Review from the Fed. Trade Comm’n, In the Matter of LabMD Inc., No. 16-16270, 2016 WL 7474626 (11th Cir. Dec. 27, 2016).
[7] See Order, In the Matter of LabMD Inc., No. 16-16270 (11th Cir. Nov. 10, 2016).
[8] For example, a recent settlement involving mobile advertising company InMobi required the company to pay $950,000 in civil penalties and implement a new privacy program that will be independently audited for the next 20 years.  See Press Release, Fed. Trade Comm’n, Mobile Advertising Network InMobi Settles FTC Charges It Tracked Hundreds of Millions of Consumers’ Locations Without Permission (June 22, 2016), available at https://www.ftc.gov/news-events/press-releases/2016/06/mobile-advertising-network-inmobi-settles-ftc-charges-it-tracked.  See also Press Release, Fed. Trade Comm’n, ASUS Settles FTC Charges That Insecure Home Routers and "Cloud" Services Put Consumers’ Privacy At Risk (Feb. 23, 2016), available at https://www.ftc.gov/news-events/press-releases/2016/02/asus-settles-ftc-charges-insecure-home-routers-cloud-services-put; Press Release, Fed. Trade Comm’n, FTC Approves Final Order In TRUSTe Privacy Case (Mar. 18, 2015), available at https://www.ftc.gov/news-events/press-releases/2015/03/ftc-approves-final-order-truste-privacy-case.
[9] Fed. Trade Comm’n, Start with Security: A Guide for Business, Lessons Learned from FTC Cases (June 2015), available at https://www.ftc.gov/system/files/documents/plain-language/pdf0205-startwithsecurity.pdf.
[10] Fed. Trade Comm’n, Data Breach Response: A Guide for Business (Sept. 2016), available at https://www.ftc.gov/tips-advice/business-center/guidance/data-breach-response-guide-business.
[11] Press Release, Fed. Trade Comm’n, New FTC Website Helps Small Businesses Avoid Scams and Cyber Attacks (May 19, 2017), available at https://www.ftc.gov/news-events/press-releases/2017/05/new-ftc-website-helps-small-businesses-avoid-scams-cyber-attacks.
[12] 799 F.3d at 259.
[13] Id. at 256–57.
[14] Press Release, Fed. Trade Comm’n, Joint Statement of Acting FTC Chairman Maureen K. Ohlhausen and FCC Chairman Ajit Pai on Protecting Americans’ Online Privacy (Mar. 1, 2017), available at https://www.ftc.gov/news-events/press-releases/2017/03/joint-statement-acting-ftc-chairman-maureen-k-ohlhausen-fcc.
[15] 45 C.F.R. § 164.500 et seq.
[16] Id. § 164.504.
[17] Id. § 164.506.
[18] Id. § 164.508.
[19] Id. § 164.510.
[20] Id. § 164.512.
[21] Id. § 164.508.
[22] Id. § 164.512(i).
[23] Id. § 164.512(b).
[24] Id. § 164.504.
[25] Id. §§ 164.302–164.318.
[26] Id. § 164.308.
[27] Id. § 164.400, et seq.
[28] Id. §§ 164.404, 406, 408.
[29] Id. § 164.410.
[30] Id. § 164.402.
[31] E.g., id. § 164.404(b).
[32] The settlements detailed below are only a sample of recent HHS OCR settlements and fines.  Nine settlements have been reached between HHS and various covered entities in the first half of 2017 alone.  A list of settlements can be accessed at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html.
[33] Press Release, U.S. Dep’t of Health and Human Servs., Office for Civil Rights, $2.5 million settlement shows that not understanding HIPAA requirements creates risk (Apr. 24, 2017), available at https://www.hhs.gov/about/news/2017/04/24/2-5-million-settlement-shows-not-understanding-hipaa-requirements-creates-risk.html.
[34] Press Release, U.S. Dep’t of Health and Human Servs., $5.5 million HIPAA settlement shines light on the importance of audit controls (Feb. 16, 2017), available at https://www.hhs.gov/about/news/2017/02/16/hipaa-settlement-shines-light-on-the-importance-of-audit-controls.html.
[35] Press Release, U.S. Dep’t of Health and Human Servs., Office for Civil Rights, Lack of timely action risks security and costs money (Feb. 1, 2017), available at https://www.hhs.gov/about/news/2017/02/01/lack-timely-action-risks-security-and-costs-money.html.
[36] Press Release, U.S. Dep’t of Health and Human Servs., Office for Civil Rights, UMass settles potential HIPAA violations following malware infection (Nov. 22, 2016), available at https://www.hhs.gov/about/news/2016/11/22/umass-settles-potential-hipaa-violations-following-malware-infection.html.
[37] Id.
[38] Id.
[39] Press Release, U.S. Dep’t of Health and Human Servs., Advocate Health Care Settles Potential HIPAA Penalties for $5.55 Million, available at http://www.hhs.gov/about/news/2016/08/04/advocate-health-care-settles-potential-hipaa-penalties-555-million.html.
[40] Press Release, U.S. Dep’t of Health and Human Servs., Office for Civil Rights, $750,000 HIPAA settlement underscores the need for organization-wide risk analysis (Dec. 14, 2015), available at https://www.hhs.gov/about/news/2015/12/14/750000-hipaa-settlement-underscores-need-for-organization-wide-risk-analysis.html?language=en.
[41] Id.
[42] Id.
[43] Lisa Lambert & Suzanne Barlyn, SEC says cyber security biggest risk to financial system, Reuters (May 18, 2016), available at http://www.reuters.com/article/us-finance-summit-sec-idUSKCN0Y82K4.
[44] See OCIE’s 2015 Cybersecurity Examination Initiative, Nat’l Exam Program Risk Alert, Vol. IV, Issue 8 (Sept. 15, 2015), available at https://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdf; Carmen Germain, SEC Poised to Turn Cybersecurity Focus Into Enforcement, Law360.com, July 7, 2017, available at https://www.law360.com/cybersecurity-privacy/articles/937197/sec-poised-to-turn-cybersecurity-focus-into-enforcement?nl_pk=daebfb21-b47a-48aa-a4f0-e78841e97f3a&utm_source=newsletter&utm_medium=email&utm_campaign=cybersecurity-privacy.
[45] Jay Clayton, Chairman, Sec. and Exch. Comm’n, Remarks at the Economic Club of New York (July 12, 2017), available at https://www.sec.gov/news/speech/remarks-economic-club-new-york.
[46] Sec. and Exch. Comm’n, CF Disclosure Guidance: Topic No. 2, Cybersecurity (Oct. 13, 2011), available at https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.
[47] Id.
[48] Comm’r Luis Aguilar, Sec. and Exch. Comm’n, Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus (June 10, 2014), available at https://www.sec.gov/News/Speech/Detail/Speech/1370542057946.
[49] Id.
[50] OCIE’s Cybersecurity: Ransomware Alert, Nat’l Exam Program Risk Alert, Vol. VI, Issue 4 (May 17, 2017), available at https://www.sec.gov/files/risk-alert-cybersecurity-ransomware-alert.pdf.
[51] 17 C.F.R. § 248.30; see also Sec. and Exch. Comm’n, Regulation S-P, available at https://www.sec.gov/spotlight/regulation-s-p.htm.
[52] Teri Robinson, "R.T. Jones reaches settlement with SEC in data breach case," SC Magazine (Sept. 23, 2015), available at http://www.scmagazine.com/sec-hits-security-adviser-with-75000-penalty-in-breach-settlement/article/440268/.
[53] See In re Craig Scott Capital, Sec. Exch. Act Release No. 77595, Admin. Proceeding File No. 3-17206 (Apr. 12, 2016) (Order), available at https://www.sec.gov/litigation/admin/2016/34-77595.pdf.
[54] Press Release, Sec. and Exch. Comm’n, SEC: Morgan Stanley Failed to Safeguard Customer Data (June 8, 2016), available at https://www.sec.gov/news/pressrelease/2016-112.html.
[55] See In re Morgan Stanley Smith Barney LLC, Sec. Exch. Act Release No. 78021, Inv. Advisers Act Release No. 4415, Admin. Proceeding File No. 3-17280 (June 8, 2016), available at https://www.sec.gov/litigation/admin/2016/34-78021.pdf.
[56] Id. at 6.
[57] Andrew Ceresney, Dir., Sec. and Exch. Comm’n, Compliance Outreach Program – 2016 National Seminar for Inv. Adviser and Inv. Co. Senior Officers, Webcast (Apr. 19, 2016), available at https://www.sec.gov/video/webcast-archive-player.shtml?document_id=041916ccoia.
[58] James Scott & Drew Spaniel, Assessing the FDA’s Cybersecurity Guidelines for Medical Device Manufacturers: Why Subtle ‘Suggestions’ May Not Be Enough 1 (2016), available at http://icitech.org/wp-content/uploads/2016/02/ICIT-Blog-FDA-Cyber-Security-Guidelines2.pdf.
[59] Food and Drug Admin., Postmarket Management of Cybersecurity in Medical Devices: Guidance for Industry and Food and Drug Administration Staff (Dec. 2016), available at https://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482022.pdf.
[60] Food and Drug Admin., Webinar – Postmarket Management of Cybersecurity in Medical Devices Final Guidance (Jan. 12, 2017), available at https://www.fda.gov/MedicalDevices/NewsEvents/WorkshopsConferences/ucm534592.htm.
[61] Food and Drug Admin., Content of Premarket Submissions for Management of Cybersecurity in Medical Devices; Guidance for Industry and Food and Drug Administration Staff; Availability, 79 Fed. Reg. 59,493 (Oct. 2, 2014), available at https://www.federalregister.gov/documents/2014/10/02/2014-23457/content-of-premarket-submissions-for-management-of-cybersecurity-in-medical-devices-guidance-for.
[62] Food and Drug Admin., Warning Letter to Abbott (St. Jude Medical Inc.) (Apr. 12, 2017), available at https://www.fda.gov/iceci/enforcementactions/warningletters/2017/ucm552687.htm.
[63] See, e.g., 201 CMR 17.00 (promulgated under Mass. Gen. Law 93H) (establishing minimum data security standards for storing consumers’ personal information); Nev. Rev. Stat. 603A.210 (same).
[64] See, e.g., California v. Kaiser Foundation Health Plan, Inc., No. RG14711370 (Cal. Sup. Ct., Alameda Co., Feb. 10, 2014) (Kaiser paid $150,000 to settle claims by the California Attorney General that Kaiser’s notification regarding a breach of personal information was unreasonably delayed; according to the California Attorney General, Kaiser should have provided notice as soon as it determined that particular individuals’ information had been or was "reasonably believed to have been" breached.).
[65] Rachel Abrams, Target to Pay $18.5 Million to 47 States in Security Breach Settlement (May 23, 2017), available at https://www.nytimes.com/2017/05/23/business/target-security-breach-settlement.html.
[66] Atty. Gen. Kamala D. Harris, Cybersecurity in the Golden State: How California Businesses Can Protect Against and Respond to Malware, Data Breaches and Other Cyberincidents (Feb. 2014), available at https://oag.ca.gov/sites/all/files/agweb/pdfs/cybersecurity/2014_cybersecurity_guide.pdf.
[67] On March 1, 2017, new cybersecurity regulations enforced by the New York State Department of Financial Services ("DFS") became effective.  See http://www.dfs.ny.gov/about/cybersecurity.htm.
[68] See Charter of Fundamental Rights of the European Union art. 8, 2000 O.J. C 364/01, available at http://www.europarl.europa.eu/charter/pdf/text_en.pdf.
[69] See Directive 95/46/EC of the European Parliament and of the Council of 24 Oct. 1995 on the Protection Of Individuals With Regard To The Processing Of Personal Data And On The Free Movement Of Such Data, 1995 O.J. L 281/31, available at http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:31995L0046&from=EN.
[70] See id. at 47–48.
[71] Issuance of Safe Harbor Principles and Transmission to European Commission, 65 Fed. Reg. 45666 (July 24, 2000).
[72] See Case C-362/14, Maximillian Schrems v. Data Prot. Comm’r, 2015 E.C.R. I-1-35, available at https://cdt.org/files/2015/10/schrems.pdf.
[73] A complete overview of the requirements and benefits of the Framework is maintained at www.privacyshield.gov.
[74] Queen’s Speech: new data protection law, BBC (June 21, 2017), available at http://www.bbc.com/news/technology-40353424.
[75] China data protection tightened in new laws, BBC (May 31, 2017), available at http://www.bbc.com/news/technology-40106826.
[76] Mike Orcutt, Unprecedented Cyber Law Signals Its Intent to Protect a Precious Commodity: Data, MIT Technology Review (June 1, 2017), available at https://www.technologyreview.com/s/608010/chinas-unprecedented-cyber-law-signals-its-intent-to-protect-a-precious-commodity-data/.
[77] Sophia Yan, China’s new cybersecurity law takes effect today, and many are confused, CNBC (June 1, 2017), available at http://www.cnbc.com/2017/05/31/chinas-new-cybersecurity-law-takes-effect-today.html.
[78] E.g., Smith v. Triad of Ala., LLC, 2017 WL 1044692 (M.D. Ala. Mar. 17, 2017) (discussing data breach that allegedly involved a maximum of 1,208 affected individuals); Khan v. Children’s Nat’l Health Sys., 188 F. Supp. 3d 524, 527 (D. Md. 2016) (allegations based on purported disclosure of 18,000 patient records).
[79] See Order re Motion for Preliminary Approval of Class Settlement, Corona v. Sony Pictures Entm’t, Inc., No. 14-cv-09600 (C.D. Cal. Nov. 24, 2015); see also Ben Fritz, Sony Pictures Settles Emp. Class Action Over Hack, Wall St. J., Oct. 20, 2015, available at http://www.wsj.com/articles/sony-pictures-settles-employee-class-action-over-hack-1445369345.
[80] See, e.g., Dugas v. Starwood Hotels & Resorts Worldwide, Inc., No. 16-CV-00014, 2016 WL 6523428, at *12 (S.D. Cal. Nov. 3, 2016) (discussing allegations that defendant "did not take adequate security measures to protect the information they obtained, [] and that Defendants owed a duty to Plaintiff and class members to exercise reasonable care in [] securing, safeguarding, and protecting [] personal information" (internal quotations and citations omitted)); see also In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F. Supp. 2d 942, 963 (S.D. Cal. 2014) (discussing allegations that "Sony had a duty to provide reasonable security consistent with industry standards, to ensure Sony Online Services were secure, and to protect Plaintiffs’ Personal Information from theft or misuse . . . . [and that] Sony breached this duty by failing to adequately secure its network").
[81] See, e.g., In re Barnes & Noble Pin Pad Litig., No. 12-CV-8617, 2013 WL 4759588, at *4 (N.D. Ill. Sept. 3, 2013) (dismissing invasion of privacy claim for lack of standing).
[82] See, e.g., In re Target Corp. Data Sec. Breach Litig., 66 F. Supp. 3d 1154, 1177–78 (D. Minn. 2014) (discussing theory of unjust enrichment in data breach cases).
[83] See, e.g., In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F. Supp. 2d 942, 976, 990 (S.D. Cal. 2014) (granting in part and denying in part a motion to dismiss claim for negligent and fraudulent misrepresentations).
[84] 15 U.S.C. § 1681.
[85] 5 U.S.C. § 552a.
[86] 18 U.S.C. § 2702(a)(1).
[87] See, e.g., Holmes v. Countrywide Fin. Corp., No. 08-CV-00205, 2012 WL 2873892, at *15–17 (W.D. Ky. July 12, 2012) (granting motion to dismiss under FCRA where claims were not against a "consumer credit reporting agency"); In re Sci. Applications Int’l Corp. (SAIC) Backup Tape Data Theft Litig., 45 F. Supp. 3d 14, 28–34 (D.D.C. 2014) (granting motion to dismiss claims under the Privacy Act); Worix v. MedAssets, Inc., 857 F. Supp.
2d 699, 701 (N.D. Ill. 2012) (granting motion to dismiss under Stored Communications Act). [88]   There are also a handful of federal statutes that plaintiffs use to litigate data privacy issues—separate from instances of data breaches.  These statutes (e.g., the Wiretap Act or the Telephone Consumer Protection Act) most often focus on the collection or disclosure of communications. [89]   In re Michaels Stores Pin Pad Litig., 830 F. Supp. 2d 518, 528 (N.D. Ill. 2011) (denying motion to dismiss under Illinois Consumer Fraud Act). [90]   See, e.g., 201 CMR 17.00 (Massachusetts’ "Standards for the Protection of Personal Information of Residents of the Commonwealth"). [91]   See, e.g., Cal. Civ. Code §§ 1798.29, 1798.80 et seq.; N.Y. Gen. Bus. Law § 899-aa; N.Y. State Tech. Law § 208. [92]   See, e.g., Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 690–91 (7th Cir. 2015) (discussing claims for "negligence, breach of implied contract, unjust enrichment, unfair and deceptive business practices, invasion of privacy, and violation of multiple state data breach laws"). [93]   See, e.g., In re Anthem, Inc. Data Breach Litig., No. 15-MD-02617, 2016 WL 3029783, at *39 (N.D. Cal. May 27, 2016) (discussing claims under state laws in New Jersey, New York, California, and Georgia). [94]   See, e.g., In re Target Corp. Data Sec. Breach Litig., 66 F. Supp. 3d at 1176–77 (discussing claims for breach of a credit card contract and "an implied contract in which Plaintiffs agreed to use their credit or debit cards to purchase goods at Target and Target agreed to safeguard Plaintiffs’ personal and financial information"). [95]   For example, companies have been subject to lawsuits by business partners, including financial institutions and other entities which suffered financial losses associated with a cyberattack on a business partner.  This type of litigation has arisen most frequently against retailers when credit and debit cards have been compromised.  
See, e.g., Consolidated Class Action Complaint, In re Target Corp. Customer Data Sec. Breach Litig., No. 14-md- 02522 (D. Minn. Aug. 1, 2014) ECF No. 163. [96]   See, e.g., Darlene Storm, MEDJACK: Hackers hijacking medical devices to create backdoors in hospital networks, Computerworld (June 8, 2015), available at http://www.computerworld.com/article/2932371/cybercrime-hacking/medjack-hackers-hijacking-medicaldevices-to-create-backdoors-in-hospital-networks.html. [97]   In re Google, Inc. Privacy Policy Litig., No. 12-CV-01382, 2013 WL 6248499, at *4 (N.D. Cal. Dec. 3, 2013). [98]   133 S. Ct. 1138, 1147 (2013). [99]   Id. at 1148. [100]   Id. at 1151. [101]   136 S. Ct. 1540 (2016), as revised (May 24, 2016). [102]   Id. at 1543 [103]   Robins v. Spokeo, Inc., 742 F.3d 409, 413–14 (9th Cir. 2014) (emphasis in original). [104]   Spokeo, Inc., 136 S. Ct. at 1548–50. [105]   Id. at 1548 (emphasis in original). [106]   Id. [107]   Id. [108]   Id. at 1549. [109]   Id. [110]   Id. [111]   Id. [112]   Id. [113]   See, e.g., Storm v. Paytime, Inc., 90 F. Supp. 3d 359, 368 (M.D. Pa. 2015) (finding no standing where plaintiffs did not allege that they actually suffered any form of identity theft as a result of the defendant’s data breach); Green v. eBay Inc., No. 14-1688, 2015 WL 2066531, *1, *5 (E.D. La. May 4, 2015) (citing Clapper and finding threat of future harm stemming from disclosure of names, passwords, birthdates, email and physical addresses "far too hypothetical or speculative"); Peters v. St. Joseph Servs. Corp., 74 F. Supp. 3d 847, 850, 854 (S.D. Tex. 2015) (finding alleged future harm "speculative" where disclosed information included social security numbers, addresses, medical records and bank account information, and where fraudulent credit card purchase was declined); In re Zappos.com, Inc., 108 F. Supp. 3d 949, 958–59 (D. Nev. 
2015) (distinguishing cases within the Ninth Circuit that conferred standing based on increased risk of harm alone, and holding that increased risk of future harm was insufficient to confer standing given no evidence of personal data misuse in three-year period). [114]   See, e.g., Galaria v. Nationwide Mut. Ins. Co., No. 15-3386, 2016 WL 4728027, at *3 (6th Cir. Sept. 12, 2016) (finding standing based on "a substantial risk of harm, coupled with reasonably incurred mitigation costs"); Remijas, 794 F.3d at 692 (finding standing based on allegations of, among other things, "lost time and money resolving [] fraudulent charges" and "protecting [] against future identity theft"). [115]   See, e.g., Smith v. Ohio State Univ., No. 15-CV-3030, 2016 WL 3182675, at *4 (S.D. Ohio June 8, 2016) (finding no Article III standing under FCRA); Gubala v. Time Warner Cable, Inc., No. 15-cv-1078, 2016 WL 3390415, at *5 (E.D. Wis. June 17, 2016) (finding plaintiff failed to allege a concrete harm where his suit was based on the defendant’s failure to comply with the Cable Communications Policy Act); Khan, 188 F. Supp. 3d at 534 (finding plaintiff failed to connect the alleged statutory and common law violations to a concrete harm). [116]   Aranda v. Caribbean Cruise Line, Inc., No. 12 C 4069, 2016 WL 4439935, at *6 (N.D. Ill. Aug. 23, 2016) (finding plaintiff’s allegations of harm under the Telephone Consumer Protection Act were "concrete and particularized, traceable to defendants’ conduct, and judicially redressable"). [117]   See Fernandez v. Leidos, Inc., 127 F. Supp. 3d 1078, 1087 (E.D. Cal. 2015)  (holding plaintiff had not "shown he has standing to bring actual identity theft, identity fraud and/or medical fraud claims"); In re Sci. Applications Int’l Corp. (SAIC) Backup Tape Data Theft Litig., 45 F. Supp. 3d at 19 ("[T]he mere loss of data—without evidence that it has been either viewed or misused—does not constitute an injury sufficient to confer standing."). 
[118]   Verified Shareholder Derivative Complaint for Breach of Fiduciary Duty, Waste of Corporate Assets, and Unjust Enrichment, Palkon v. Holmes, No. 14-cv-01234, 2014 WL 11071195 (D.N.J. May 2, 2014). [119]   Palkon v. Holmes, No. 14-cv-01234, 2014 WL 5341880, at *5–7 (D.N.J. Oct. 20, 2014). [120]   Target Corp. Report of the Special Litig. Comm., Davis v. Steinhafel, No. 14-cv-00203 (D. Minn. May 5, 2016), ECF No. 62-2. [121]   Davis v. Steinhafel, No. 14-cv-00203 (D. Minn. July 7, 2016), ECF No. 88. [122]   Opinion and Order at 11, In re The Home Depot, Inc. S’holder Derivative Litig., No. 1:15-cv-2999-TWT (N.D. Ga. Nov. 30, 2016), ECF No. 62. [123]   Id. at 11–12. [124]   Id. at 13–14. [125]   Id. at 14. [126]   Id. at 14–18. [127]   Id. at 22. [128]   Id. at 30. [129]   Judgment at 1, In re The Home Depot, Inc. S’holder Derivative Litig., No. 1:15-cv-2999-TWT (N.D. Ga. Nov. 30, 2016), ECF No. 63.  Before plaintiffs appealed, the parties reached a settlement including $1,125,000 in attorneys’ fees to plaintiffs.  See  In re The Home Depot, Inc. S’holder Derivative Litig., No. 1:15-CV-2999, 2017 WL 1830055 (N.D. Ga. Apr. 28, 2017) (stipulation of settlement and release agreement). [130]   See Sec. & Exch. Comm’n, Div. of Corp. Fin., CF Disclosure Guidance: Topic No. 2 – Cybersecurity (Oct. 13, 2011), available at https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm. [131]   See id. [132]   See Complaint, Madrack v. Yahoo! Inc., No. 5:17-cv-00373 (N.D. Cal. Jan. 24, 2017). [133]   See, e.g., In re Heartland Payment Sys., Inc. Sec. Litig., No. 09-1043, 2009 WL 4798148, at *2, *7 (D.N.J. Dec. 7, 2009) (granting motion to dismiss where plaintiffs alleged that "statements concerning the general state of security [] [we]re fraudulent because [company officers] were aware that Heartland had poor data security and had not remedied the problem"); Avila v. LifeLock Inc., No. 15-01398, 2016 WL 4157358, at *7 (D. Ariz. Aug. 
3, 2016) (granting motion to dismiss claims of misrepresentations concerning effectiveness of identity theft protection services and compliance with applicable payment card industry standards because plaintiffs failed to show that public statements regarding the company’s data security practices were made with scienter). [134]   In re Heartland Payment Sys., 2009 WL 4798148, at *5 (internal quotations omitted). The following Gibson Dunn lawyers prepared this client update: Jennifer L. Conn, Ryan T. Bergsieker, Reid F. Rector and Danielle Serbin. Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding the above developments.  Please contact the Gibson Dunn lawyer with whom you usually work, or the following authors: Jennifer L. Conn – New York (+1 212-351-4086, jconn@gibsondunn.com)Ryan T. Bergsieker – Denver (+1 303-298-5774, rbergsieker@gibsondunn.com) Please also feel free to contact the following practice group leaders: Alexander H. Southwell – Chair, Privacy, Cybersecurity and Consumer Protection Practice, New York (+1 212-351-3981, asouthwell@gibsondunn.com) Caroline Krass – Chair, National Security Practice, Washington, D.C. (+1 202-887-3784, ckrass@gibsondunn.com) Daniel J. Thomasch – Co-Chair, Life Sciences Practice, New York (+1 212-351-3800, dthomasch@gibsondunn.com) Tracey B. Davies – Co-Chair, Life Sciences Practice, Dallas (+1 214-698-3335, tdavies@gibsondunn.com) Ryan A. Murr – Co-Chair, Life Sciences Practice, San Francisco (+1 415-393-8373, rmurr@gibsondunn.com) Stephen C. Payne – Chair, FDA and Health Care Practice, Washington, D.C. (+1 202-887-3693, spayne@gibsondunn.com)   © 2017 Gibson, Dunn & Crutcher LLP Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

July 12, 2017 |
Will “Kokesh v. SEC” Put a Kink in the Federal Trade Commission’s Disgorgement Hose?

For decades, the Federal Trade Commission ("FTC") has sought and obtained monetary remedies as equitable "disgorgement" of ill-gotten gains. Disgorgement amounts have exceeded a billion dollars in both antitrust and consumer protection matters and routinely total millions or tens of millions of dollars.

Gibson Dunn partner Sean Royall and of counsel Rich Cunningham recently published an article titled Will "Kokesh v. SEC" Put a Kink in the Federal Trade Commission’s Disgorgement Hose? in the Washington Legal Foundation’s The Legal Pulse blog. The article assesses whether the logic of the Supreme Court’s recent decision in Kokesh v. SEC extends to the FTC with the effect that the five-year statute of limitations in 28 U.S.C. § 2462 applies to the FTC’s disgorgement authority. Gibson Dunn previously summarized the Kokesh decision in a June 5, 2017 Client Alert available here.

Will "Kokesh v. SEC" Put a Kink in the Federal Trade Commission’s Disgorgement Hose? © 2017, Washington Legal Foundation, The Legal Pulse, July 10, 2017. Reprinted with permission.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the authors of this Client Alert, the Gibson Dunn lawyer with whom you usually work, or one of the leaders of the firm’s Antitrust and Competition or Privacy, Cybersecurity and Consumer Protection Practice Groups:

Washington, D.C.
Scott D. Hammond (202-887-3684, shammond@gibsondunn.com)
D. Jarrett Arp (202-955-8678, jarp@gibsondunn.com)
Adam Di Vincenzo (202-887-3704, adivincenzo@gibsondunn.com)
Howard S. Hogan (202-887-3640, hhogan@gibsondunn.com)
Joseph Kattan P.C. (202-955-8239, jkattan@gibsondunn.com)
Joshua Lipton (202-955-8226, jlipton@gibsondunn.com)
Cynthia Richman (202-955-8234, crichman@gibsondunn.com)
Joshua H. Soven (202-955-8503, jsoven@gibsondunn.com)

New York
Alexander H. Southwell (212-351-3981, asouthwell@gibsondunn.com)
John A. Herfort (212-351-3832, jherfort@gibsondunn.com)
Peter Sullivan (212-351-5370, psullivan@gibsondunn.com)
Eric J. Stock (212-351-2301, estock@gibsondunn.com)

Los Angeles
Daniel G. Swanson (213-229-7430, dswanson@gibsondunn.com)
Debra Wong Yang (213-229-7472, dwongyang@gibsondunn.com)
Samuel G. Liversidge (213-229-7420, sliversidge@gibsondunn.com)
Jay P. Srinivasan (213-229-7296, jsrinivasan@gibsondunn.com)
Rod J. Stone (213-229-7256, rstone@gibsondunn.com)
Sarretta C. McDonough (213-229-7227, smcdonough@gibsondunn.com)
Eric D. Vandevelde (213-229-7186, evandevelde@gibsondunn.com)

San Francisco
Rachel S. Brass (415-393-8293, rbrass@gibsondunn.com)
Trey Nicoud (415-393-8308, tnicoud@gibsondunn.com)

Dallas
M. Sean Royall (214-698-3256, sroyall@gibsondunn.com)
Veronica S. Lewis (214-698-3320, vlewis@gibsondunn.com)
Brian Robison (214-698-3370, brobison@gibsondunn.com)
Robert C. Walters (214-698-3114, rwalters@gibsondunn.com)

Denver
Richard H. Cunningham (303-298-5752, rhcunningham@gibsondunn.com)
Ryan T. Bergsieker (303-298-5774, rbergsieker@gibsondunn.com)

© 2017 Gibson, Dunn & Crutcher LLP Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.