Following in the footsteps of the Eastern District of Virginia’s Capital One decision last year and the District of D.C.’s Clark Hill decision earlier this year, the Eastern District of Pennsylvania has just ordered the production of a data breach forensic report and related communications.  In re Rutter’s Data Sec. Breach Litig., No. 1:20-CV-382, 2021 U.S. Dist. LEXIS 136220 (E.D. Pa. July 22, 2021).  The Rutter’s decision is a reminder that although courts had generally found such documents protected by the attorney-client privilege and/or work product doctrine, the tide may be changing.

On May 29, 2019, Rutter’s received two security alerts which detailed “the execution of suspicious scripts and indications of the use of potentially compromised credentials.”  The same day, Rutter’s engaged outside counsel to advise on its potential notification obligations.  Outside counsel then engaged a forensic investigator to perform an analysis to determine the character and scope of the incident.  The parties all assumed that the investigation, including its ultimate report and the communications made in furtherance thereof, would be protected by the attorney-client privilege and/or the work product doctrine.  The plaintiffs moved to compel, and the federal magistrate judge granted the motion.

With respect to the work-product doctrine, the Court explained that the doctrine only applies where impending litigation is the “primary motivating purpose behind the creation of the document.”  The Court then held that it was clear from the contract that “the primary motivating purpose” behind the forensic investigation was not to prepare for the prospect of litigation—it was to determine whether data was compromised, and the scope of such compromise if it occurred.  The Court also relied on the testimony of Rutter’s corporate designee and the fact that outside counsel did not receive the report before Rutter’s.  Based on these facts, the Court held that the work product doctrine did not apply.

With respect to the attorney-client privilege, the Court explained that a “communication may only be privileged if its primary purpose is to gain or provide legal assistance.”  The Court further explained that for privilege to apply, the attorney must be “acting as a lawyer,” meaning that the lawyer “must guide future conduct by interpreting and applying legal principles to specific facts.”  The Court emphasized that privilege does not protect communications of fact, nor communications merely because a legal issue can be identified.  Based on that law, the Court found that Rutter’s had not demonstrated that the forensic report and related communications involved “presenting opinions and setting forth . . . tactics rather than discussing facts.”  Specifically, the Court noted that only one portion of the forensic vendor’s services was not inherently factual—working with Rutter’s IT personnel to identify and remediate potential vulnerabilities, which the Court found was not providing legal advice.

The Rutter’s opinion casts further doubt on whether courts will extend protection over data breach forensic investigation reports and communications.  However, like the Capital One and Clark Hill cases, the Rutter’s opinion leaves open the possibility for protection if certain facts occur—some of which companies and outside counsel can control to a degree.  Accordingly, although confusion and chaos can be pervasive at the beginning stages of a data breach, companies and outside counsel should take steps to build a record that may help them secure privilege down the road.

On July 9, 2021, New York City’s biometric identifier information law became effective. The law, which was enacted in January 2021, addresses the collection and use of biometric identifier information (BII) by commercial establishments—meaning places of entertainment, retail stores, or food and drink establishments—to track customer activity. It creates a private right of action and subjects violators to statutory damages.

Continue Reading New York City’s Biometric Identifier Information Law Takes Effect

Phil Yannella, Ballard Spahr litigation partner and Practice Leader of Ballard’s Privacy & Data Security Group, recently authored a treatise on data breach and privacy litigation. The book, Cyber Litigation: Data Breach, Data Privacy & Digital Rights, is published by Thomson Reuters and is available now for purchase. Continue Reading Ballard Spahr Partner, Phil Yannella, Authors Book on Data Breach and Privacy Litigation

On June 4, 2021, the European Commission adopted an updated and long-awaited set of standard contractual clauses (SCCs) for the international transfer of personal data. The previous SCCs were created prior to the implementation of the EU General Data Protection Regulation (GDPR) and required substantive revisions to bring them in line with the GDPR and the Court of Justice of the European Union’s July 2020 Schrems II decision (previously covered here). Continue Reading The European Commission’s Adoption of New SCCs

On June 14, the California Privacy Protection Agency (CPPA), the first state agency in the country dedicated to privacy, held its first public meeting. In her opening remarks, Acting Chairwoman Jennifer M. Urban introduced each of the Board members: John Christopher Thompson, Angela Sierra, Lydia de la Torre, and Vinhcent Le. The meeting covered an extensive agenda, available here, which highlighted the processes and procedures required by the Board to perform its duties, including issuing final regulations under the California Privacy Rights Act of 2020 (CPRA), which will go into effect on January 1, 2023.

The Board discussed the urgent need to hire at least two executive leadership positions to meet its July 1, 2022 deadline to issue final regulations under the CPRA. The Board also approved several subcommittees, including a Regulations Subcommittee, which will be dedicated to developing the CPRA regulations.

During the meeting, the Administrative Procedures Act process that the Board will follow in developing the CPRA regulations was described. Any regulations drafted and proposed by this Board will be sent to the Office of Administrative Law (OAL) in the form of a notice package. Once the notice is published in the state’s register, a public comment period of at least forty-five days will allow written comments to be submitted on the proposed regulations. After the public comment period, the Board will either adopt the regulations as initially proposed or make additional modifications to the text. If modifications are made, there will be an additional public comment period of fifteen days. If the Board approves the changes, the final regulations will be sent to the OAL for final approval. Regulations approved by the OAL become effective on a quarterly basis; however, the Board can also request that the OAL make the effective date of any such regulations the date of filing with the Secretary of State.

The Board plans to meet on a monthly basis, and all such meetings will be open to the public. Although the Board has not yet set a specific date for its next meeting, the Board will provide at least ten calendar days of notice and release an agenda to the public in advance of each meeting.

In a long awaited opinion, the Supreme Court recently resolved a circuit split regarding the proper interpretation of a statute implicated in many post-employment disputes. Since its enactment, federal courts of appeal have been divided over the proper interpretation of the phrase “exceeds authorized access” under the Computer Fraud and Abuse Act (“CFAA”), a primarily criminal statute that also includes a civil cause of action where an individual accesses a protected computer without authorization or exceeds authorized access. Some courts have held that the “exceeds authorized access” requirement only applies where the individual was authorized to access the computer itself but not the particular files or information that are the subject of the dispute. Continue Reading Supreme Court Limits the Scope of Computer Fraud and Abuse Act

Colorado has become the third state in the country to pass a comprehensive data privacy law, joining California and Virginia.  Assuming the governor signs—as he is widely expected to do—the Colorado Privacy Act (the “CPA”) will go into effect on July 1, 2023.

Similar to the California and Virginia laws, the CPA affords Colorado “consumers” certain privacy rights and imposes duties on the “controllers” and “processors” of those consumers’ personal data.  While the CPA generally follows the model set by the Virginia law, it contains important differences that will put Colorado at the forefront of consumer privacy.

Thresholds to Applicability

The CPA defines consumer to mean an individual who is a Colorado resident acting in an individual or household context, and does not include an individual acting in a commercial or employment context.  The definition of consumer therefore has a built-in exclusion for the employment and business-to-business contexts.

The CPA only applies to controllers—defined to mean any person that, alone or jointly with others, determines the purposes for and means of processing personal data—that conduct business in Colorado and meet at least one of two thresholds:  (1) controlling or processing the personal data of 100,000 or more consumers during a calendar year; and/or (2) deriving revenue from the sale of personal data and processing or controlling the personal data of 25,000 or more consumers.  Personal data processed by a “processor” on behalf of a controller counts towards those thresholds.

The CPA contains several substantive exclusions to applicability.  For example, unlike the California model’s limited exclusion, the CPA contains a full exclusion for financial institutions subject to the federal Gramm-Leach-Bliley Act.  The CPA also does not apply to certain types of health and patient information governed by HIPAA.

Consumer Rights Under the CPA

The law grants Colorado consumers specific rights over the way their personal data is processed by controllers.  Personal data means “information that is linked or reasonably linkable to an identified or identifiable individual.”  Publicly available or otherwise de-identified information, along with employment records, is not included within this definition.

The rights afforded to consumers include: (1) the right to opt out of certain processing of personal data; (2) the right to access personal data; (3) the right to correct inaccurate personal data; (4) the right to delete personal data; and (5) the right to data portability.

Consumers can exercise these rights by submitting formal requests, and controllers must act on the request within 45 days.

Duties of Controllers and Processors

The duties of controllers include: (1) the duty of transparency; (2) the duty of purpose specification; (3) the duty of data minimization; (4) the duty to avoid secondary use; (5) the duty of care; (6) the duty to avoid unlawful discrimination; and (7) duties regarding “sensitive” data.

With respect to the duty of transparency, controllers will need to ensure that their privacy policies clearly and meaningfully disclose specific types of practices, as well as the manner in which consumers may exercise their rights.  The CPA does not require a “Do Not Sell My Information” page like the California law, but the Colorado Attorney General will be promulgating rules that detail the technical specifications for one or more universal opt-out mechanisms.

With respect to sensitive data, controllers must obtain consent to collect personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, citizenship or citizenship status, genetic or biometric data that may be processed for the purpose of uniquely identifying an individual, and the personal information of a known child.  In the case of a child below thirteen years old, consent should be given by the child’s parent or legal guardian.

Processors are required to adhere to the instructions of the controller and assist the controller in meeting its obligations under the CPA.  Processors must also enter into a contract with the controller setting out various criteria relating to what personal data will be processed, how the data will be processed and retained, and audit/compliance rights.

Data Security and Data Protection Assessments

Both controllers and processors are required to implement appropriate technical and organizational measures to ensure a level of security proportionate to the risk.  For many companies, this type of data security requirement already exists for personally identifiable information under Colorado’s data security law.  However, personal data under the CPA is significantly broader than personally identifiable information under Colorado’s data security law.

The CPA also has the new requirement of performing “data protection assessments” for controllers whose processing presents a heightened risk of harm to a consumer.  Processing that presents a heightened risk of harm is defined to include processing for the purpose of targeted advertising and profiling, selling personal data, and processing sensitive data.  When performing the data protection assessment, controllers will have to weigh the benefits against the risks to the rights of the consumer, as well as potential safeguards that may mitigate those risks.  Controllers must make the data protection assessments available to the attorney general upon request.

Rulemaking and Enforcement

Unlike under the Virginia law, the Colorado attorney general has the authority to promulgate rules for the purpose of carrying out the CPA.  Whereas the authority to promulgate rules generally implies discretion, the attorney general is required to adopt rules relating to the technical specifications for universal opt-out mechanisms by no later than July 1, 2023.  The attorney general also has discretion to adopt rules governing the process for issuing opinion letters and interpretive guidance, so as to develop an operational framework for businesses that includes a good-faith reliance defense for actions that might otherwise constitute violations of the CPA; if such rules are adopted at all, they must be adopted by January 1, 2025.

The CPA expressly provides that it does not create a private right of action for a violation of the CPA.  Instead, the attorney general and district attorneys will have exclusive enforcement powers, with violations punishable by civil penalties set forth in C.R.S. § 6-1-112.  Under that statute, penalties can be up to $20,000 for each violation, and each consumer involved constitutes a separate violation. The maximum penalty is $500,000 for one related series of violations.

*          *          *

Colorado’s entry into the privacy law world will require significant changes for many businesses.  The attorney general’s rules will provide more guidance, but businesses should, at the very least, begin ensuring that they have a full grasp of their data collection, usage, and documented policies so that they can prepare to meet their compliance obligations.

Ballard Privacy & Data Security partners Phil Yannella, Kim Phan and Greg Szewczyk recently wrote an article on managing compliance with the growing patchwork of state privacy laws for the Media Law Resource Center (MLRC).  The article was made available at last week’s Legal Frontiers in Digital Media virtual conference sponsored by the MLRC and will appear in an upcoming edition of “Legal Frontiers in Digital Media,” MLRC Bulletin (June 2021).  A copy of the article is available here: Continue Reading Managing Compliance with a Patchwork of State Privacy Laws

2021 has so far been a year of conflicting impulses in biometrics law: two proposed bills in New York and Maryland would impose substantial new requirements on private entities, but in Illinois a proposed amendment would rein in that state’s existing Biometric Information Privacy Act (BIPA). Continue Reading The State of Proposed Biometrics Laws

On May 12, 2021, President Joe Biden issued an Executive Order to implement new policies aimed at strengthening the nation’s cybersecurity. The Executive Order was issued in response to the recent SolarWinds, Microsoft Exchange, and Colonial Pipeline cybersecurity incidents, which were, according to the White House, “a sobering reminder that U.S. public and private sector entities increasingly face sophisticated malicious cyber activity from both nation-state actors and cyber criminals.” Continue Reading President Biden’s Cybersecurity Executive Order Has Implications for the Private Sector