KMK Law Cybersecurity & Privacy Blog

Recently, the European Union Court of Justice invalidated a Safe Harbor Framework (established in 2000), which thousands of companies relied upon to facilitate the transfer, processing and storage of data from the EU to the U.S.  Any company that processes and stores data from the EU, including customer and employee personal data, should be reviewing its contracts and procedures and monitoring these developments. 

In a case that will have significant ramifications for the legal landscape relating to cybersecurity, the Third Circuit Court of Appeals affirmed a lower court’s decision that the Federal Trade Commission (FTC) had the authority to regulate companies’ data security practices.

On August 11, 2015, federal prosecutors in New York and New Jersey filed criminal charges against two alleged hackers and seven other individuals who allegedly traded securities based upon stolen information. The Securities and Exchange Commission filed a related civil complaint against those same nine individuals, as well as 23 other individuals and corporate entities.

As promised, the U.S. Office of Management and Budget on Tuesday released a set of proposed cybersecurity guidelines to help government agencies draft contracts with information technology contractors.

As the Supreme Court revels in its summer hiatus, and the federal government slows to its August halt, here is a status update and forecast on pending data breach litigation: 

Last week the Seventh Circuit reinstated the Neiman Marcus data breach class action, holding that plaintiffs had satisfied Article III’s standing requirements based on at least some of the injuries they alleged. In doing so, the Seventh Circuit became the first federal court of appeals to rule on a challenge to the standing of purported data breach victims in light of the Supreme Court’s decision in Clapper v. Amnesty International, 133 S. Ct. 1138 (2013), and diverged from the growing majority of federal district courts that have held similar allegations are insufficient to confer standing.

Last week, the Eastern District of Louisiana joined the growing majority of district courts around the country that have held increased risk of future identity theft or identity fraud posed by a data breach is not sufficient to confer Article III standing on individuals whose information has been compromised but not yet misused.

On April 29, the Department of Justice published its “Best Practices for Victim Response and Reporting of Cyber Incidents”, which is an excellent, easy to read summary of steps companies can take to protect against cybersecurity incidents 

Cyber insurance
The risk of a data breach now tops the list of concerns of many in-house counsel and C-suite executives. Cyber insurance is an important component in managing this risk and mitigating the damages and loss that follow a data breach.