Mossack Fonseca, the beleaguered law firm at the center of the international Panama Papers scandal, has announced that it is closing its doors.  The firm cited “reputational deterioration” that has caused “irreversible damage.”

Founded in 1977 by Jurgen Mossack and Ramon Fonseca, Mossack Fonseca had been perched at the top of offshore legal services providers until April 2016, when it became ground zero for a global controversy because approximately 11.5 million of the firm’s internal legal and financial documents were leaked to the media. These leaked documents – publicized primarily by the International Consortium of Investigative Journalists (“ICIJ”) – allegedly reveal a global system of undisclosed offshore accounts, money laundering and tax evasion, and how the rich and powerful around the world use shell companies to conceal assets and possible illegal activity.

The incident is the largest publicly disclosed data breach involving a law firm. Following the April 2016 publication of data, founding partner Ramon Fonseca and other public sources claimed that the firm’s network had been compromised by hackers sometime in 2015.  Security researchers and other public sources identified numerous unpatched vulnerabilities in Mossack’s website and email server, which could have been very easily compromised by hackers. Approximately 2.6 terabytes of data – including 4.8 million emails, 3 million database files, and 2.1 million.pdf files – were leaked, including client documents dating back to the 1970s.  Approximately one year after the alleged data theft, ICIJ published the Mossack data and set off numerous investigations into the firm and its clients. Continue Reading “Panama Papers” Law Firm Announces Its Closure Due to Fallout from Massive Data Breach

On March 6, 2018, the FTC hosted a live Twitter chat to mark the twentieth anniversary of the Children’s Online Privacy Protection Act (COPPA).  The stated purpose of the chat was to discuss the FTC’s work to enforce COPPA and to ensure the FTC’s rule implementing the law stays in step with evolving technologies and data collection practices.

The chat began with the FTC pointing to its published FAQs, as well as two recent COPPA settlements:  a $650,000 settlement with VTech Electronics Limited, which was the FTC’s first children’s privacy case involving Internet-connected toys, and a $235,000 settlement with Prime Sites, Inc., which focused on how a company can gain “actual knowledge” that it is collecting information from a child. Continue Reading FTC Explains Evolution of COPPA in Live Twitter Chat

On February 28th, the Federal Trade Commission (“FTC”) released a report that offers several recommendations on ways to improve the security of mobile devices. In a press release accompanying the report, Tom Pahl, the Acting Director of the FTC’s Bureau of Consumer Protection, stated that “more needs to be done to make it easier for consumers to ensure their devices are secure.” The FTC’s recommendations center around the ongoing need to patch vulnerabilities. However, the complexity of the mobile ecosystem and the many stakeholders, including mobile device manufacturers and operating system software providers, can delay security updates from reaching the mobile devices in consumer hands. Continue Reading FTC Releases “Best Practices” to Improve Mobile Device Security

In the absence of federal action, state legislators continue to propose bills that would increase data privacy and security protections for consumers. Any entity that does business in these states or maintains confidential information of their residents should monitor the legislation to determine whether and how the proposed changes may affect operations.

The bills are a reaction to Equifax’s data breach disclosure last summer. In prior alerts and articles, we discussed proposed legislation in Arizona, Colorado, North Carolina, and South Dakota. In this post, we examine legislation being considered in Oregon, New York, Alabama, and Rhode Island.

To put the discussion into context, 48 states already have laws requiring entities to notify affected individuals if the entity suffers a loss or compromise of the individuals’ confidential information. Those laws differ in many respects, resulting in a complex web of legal responsibilities that creates headaches for entities required to comply with them.

The challenge will become even more complex if the proposed bills become law, because, generally speaking, they would:

  • expand the types of confidential information covered under state breach notification requirements;
  • implement specific deadlines for when affected individuals must be notified;
  • require businesses to implement and maintain reasonable security procedures to prevent data breaches; and
  • authorize state attorneys general to enforce these provisions through substantial fines and penalties for non-compliance.

Continue Reading Oregon, New York, Alabama, and Rhode Island Join List of States Considering Data Breach Legislation Post-Equifax

The Pennsylvania Supreme Court recently issued a sweeping ruling “that accessing any information from a cell phone without a warrant” violates the Fourth Amendment to the United States Constitution. In Commonwealth v. Fulton, the Court suppressed the warrantless search of the contents of a ‘flip phone’ and reversed a murder conviction that flowed from the unlawful search.  The Supreme Court held that the Superior Court’s decision contravened U.S. Supreme Court precedent in Riley v. California and United States v. Wurie, 134 S. Ct. 2473 (2014), holding that searches of cell phones generally require a warrant.

In June 2010, Philadelphia Police arrested I. Dean Fulton and three others on suspicion of unlawful drug activity and gun possession. They seized Fulton’s “smart phone” from his body at the time of the arrest.  They subsequently obtained a search warrant for the vehicle Fulton and the others were in at the time of their arrests.  That search turned up a firearm, a holster, three cell phones and other property.  The cell phones – which included one ‘flip phone’ later connected to Fulton –were provided to the Homicide Division, which was investigating a recent drug-related murder.  Continue Reading Pennsylvania Supreme Court: If You Want to Search a Cell Phone, Get a Warrant!

The U.S. Supreme Court heard oral arguments this morning in United States v. Microsoft, No. 17-2, which presents the question whether a United States court may issue a search warrant to a U.S.-based electronic communications service for email account data held on a server outside of the United States.

Here’s the transcript of this morning’s oral argument.  We will blog more about this case — and the important issues at stake — down the road.

On February 21, 2018, the U.S. Securities and Exchange Commission approved the release of Interpretive Guidance relating to public company disclosures of cybersecurity risks and incidents. This guidance replaces staff guidance from the Division of Corporate Finance issued way back in October 2011 – on the same day that iPhone 4 was released.

Although the Commission voted unanimously to release it, some Commissioners do not view the new guidance as going much beyond the 2011 staff guidance. In fact, Commissioner Kara Stein wondered whether the new guidance would cause public companies to step up their cybersecurity disclosures – or “will law firms simply produce a host of client alerts reaffirming their alerts from years past.” We sense a challenge. Continue Reading SEC Releases Guidance on Public Company Cybersecurity Disclosures

Earlier today, the Supreme Court of the United States denied certiorari in CareFirst v. Attias, a closely watched case that some thought provided the Court with an opportunity to clarify the standing analysis under Spokeo v. Robins in data breach class actions.

In January, we blogged about CareFirst.  We noted that the core issue in the case – whether fear of identity theft flowing from a data breach is an “injury in fact” sufficient to trigger Article III standing – could have major impact on the viability of future data breach class actions. The district court’s finding in favor of CareFirst on the standing issue was reversed and remanded last August by the U.S. Court of Appeals for the D.C. Circuit, which held that plaintiffs had alleged a risk of future injury because it was at least “plausible” that the cybercriminals had the intent and ability to use the stolen data for wrongful purposes. CareFirst then filed a petition for certiorari to the United States Supreme Court, which today denied the petition leaving in place the D.C. Circuit’s ruling in favor of Plaintiffs. Continue Reading Supreme Court Denies Cert Petition in CareFirst v. Attias

As we were the first in the nation to report, in January, Colorado lawmakers proposed legislation that would significantly change the way in which entities operating in Colorado must protect confidential information and disclose breaches involving same.

Last week, the bill’s sponsors submitted an amended bill that revises a number of key provisions. Among other changes, the amended bill would require entities to notify Colorado residents within 30 days of discovery of a data breach.  If enacted, Colorado would have the shortest time frame for disclosure in the country. Continue Reading Colorado Legislature Continues to Push Privacy and Data Security Legislation in Wake of Equifax

The GDPR’s impact on the ability of U.S. litigants to conduct discovery of EU personal data is an issue that has received scant legal analysis. In a recent article for The Legal Intelligencer, Philip N. Yannella discusses the challenges, and potential costs, awaiting U.S. litigants as they attempt to conduct EU discovery under the GDPR.

You can check out the article here.