The Dutch supervisory authority (the Autoriteit Persoonsgegevens or AP) sanctioned the online travel booking platform, Booking.com BV (Booking), with a EUR 475,000 fine for failing to notify a data breach to the AP within 72 hours after becoming aware of it, as required by the EU General Data Protection Regulation (GDPR). The decision is available in Dutch here.
Court Orders Production of a Data Breach Forensic Report, Rejecting Arguments That Attorney-Client Privilege and Work Product Protection Apply
On January 12, 2021, the District Court of the District of Columbia was the latest court to grant a motion to compel production of a forensic report prepared by an external security-consulting firm in data breach litigation.[1] This case involved a cyberattack on a law firm that led to the public dissemination of the confidential information of the plaintiff, who was a former client of the firm. The plaintiff moved to compel his former law firm to produce “all reports of its forensic investigation into the cyberattack.”[2] The defendant asserted that it had produced all relevant materials, including materials related to a second-track investigation conducted by its usual cybersecurity vendor, eSentire, for business continuity purposes. However, the plaintiff also sought a report prepared by Duff & Phelps, who was retained by the defendant’s outside litigation counsel. The defendant argued the Duff & Phelps report was protected by the work-product and attorney-client privileges. The court rejected the defendant’s arguments and ordered production of the Duff & Phelps report and associated materials.
European Commission Proposes New Rules for Digital Platforms
On December 15, 2020, the European Commission (EC) unveiled a set of proposals to regulate digital platforms. The draft laws include antitrust-related requirements, addressed by the Digital Markets Act (DMA) and more general regulatory requirements, addressed in the Digital Services Act (DSA). The DMA/DSA package will apply to all digital services, including social media, online marketplaces, and other online platforms, meaning tech companies active in Europe will have a new set of rules to follow.
Apple Requires Apps to Include New Privacy “Nutrition Label” by December 8, Delays Opt-In for Tracking Requirement Until Early 2021
Apple recently announced that app developers must check a series of yes/no boxes that will generate a “nutrition label”-style summary of the app’s privacy practices. This new summary, formally called “App Privacy,” will be shown to users within the App Store before they install an app. This is the latest move in Apple’s ongoing effort to make privacy practices more transparent, and it requires app developers to take action now to ensure they can continue to update their apps after December 8, 2020. If developers take no action, their apps will essentially be frozen as they exist on that date.
Does the SolarWinds Supply Chain Attack Affect Your Company? Legal Considerations for Responding to the Massive Cybersecurity Incident
In a security advisory this past weekend, SolarWinds disclosed that its systems experienced a highly sophisticated supply chain attack on versions of its Orion network monitoring products released between March and June 2020. The New York Times has reported that it is highly likely that the Russian intelligence unit known as Cozy Bear, or A.P.T. 29, carried out the attack, which involved inserting malicious code into automatic product updates to allow the attackers to gain a foothold in networks, impersonate highly privileged accounts, and blend their reconnaissance traffic with legitimate activity. The U.S. government has not commented on attribution at this time.
EDPB Publishes Draft Recommendations on Supplementary Measures for Data Transfers
On November 11, 2020, the European Data Protection Board (EDPB), comprised of the European data protection regulators (DPAs), issued two long-awaited sets of recommendations. These recommendations are critical for any companies exporting or importing EU personal data.