Our Tokyo Partner, Scott Warren, will be speaking at the Tokyo Summit 2023: Risk Management/Legal Tech/Cybersecurity in Tokyo, Japan at the Mandarin Oriental Hotel on January 24. The event, run by the CJK Group, is an all-day event covering a wide variety of legal technology and risk topics. Scott will deliver a presentation from 12-12:45 p.m. (Japan Standard Time) titled “Your Company Has Been Breached: Now What?” with Ari Davies, a Partner at Deloitte Tohmatsu (Japan). This panel will cover what you need to do to prepare for a cyber-incident, which can significantly reduce the cost of a breach, and how you need to respond to it especially when it involves cross-border data. Particular emphasis will be given to Japan and the greater APAC region as the discussion leaders are among the foremost experts experienced in some of the most significant data breaches in the region.

The event is a free in-person event only (no webinar will be held).

2022 was another eventful year in the realm of privacy, security and innovation.  Privacy World was there every step of the way, to keep you informed on key developments.  Starting next week, we will be rolling out our popular Year in Review series.  As a lead up to that, below are our ten most popular posts of 2022.

Squire Patton Boggs Named a World Leader in Data Protection by Global Data Review | Privacy World

Connecticut and Utah Latest States to Jump On Consumer Privacy Bandwagon | Privacy World

Third Time Lucky or Schrems III? The European Union Data Pact with the US Moves One Step Closer (To Be Challenged – Again) | Privacy World

New Webinar Recording: “Employee and Other HR Data Under the California Privacy Rights Act” | Privacy World

Security Breach Results in FTC Action, With Accompanying Executive Liability | Privacy World

Recent FTC Settlement Highlights Agency’s Focus on Children’s Privacy & Use of Disgorgement Remedy Including in AI Context | Privacy World

2022 Q3 Artificial Intelligence & Biometric Privacy Report | Privacy World

Congress Proposes Federal Privacy Legislation to Preempt Certain State Privacy Laws, Hearing Scheduled for Next Week | Privacy World

2021 Year in Review: Data Breach and Cybersecurity Litigations | Privacy World

2021 Year in Review: Financial Privacy Litigation and Developments Post-Ramirez | Privacy World

Amendments to the California Consumer Privacy Act (“CCPA”) went into effect on January 1 of this year, as did Virginia’s new privacy law. Virginia’s law is immediately enforceable. While the California amendments are not enforceable until July 1, 2023, on December 31, 2022 the opportunity cure violations before civil penalties could be assessed sunset (at least that is the Attorney General’s position) as did the extensions of time for Human Resources and Business-to-Business personal information to be subject to the CCPA. July 1 will also see the effectiveness and enforceability of the Colorado and Connecticut privacy laws. With these dates in mind, and to address regulatory rule making progress since our last publication, we have updated our client guidance on how to prepare for the 2023 US state privacy laws. Download a copy and contact your SPB relationship partner for further information.

Congratulations to Privacy World’s Kristin Bryan and Stephanie Faber, recognized as Legal Influencers (Q3 and Q4, respectively) by Lexology. Both lawyers were recognized regionally in the Technology, Media and Telecommunications category (TMT), with Kristin being acknowledged for the US and Stephanie for Europe. Lexology Legal Influencers recognizes industry thought leaders each quarter who consistently offer practical, insightful legal analysis in particular work areas and geographies. Stephanie is also a regular contributor to La Revue, a publication of the firm’s Paris office.

Their nominations as Lexology Legal Influencers were announced shortly after Squire Patton Boggs’ Data Privacy, Cybersecurity & Digital Assets Practice was listed in the top 25 Elite Firms by Global Data Review (GDR) in its 2023 edition of the GDR 100. The GDR 100 is a renowned publication that identifies and profiles the world’s leading 100 law and advisory firms with data privacy and cybersecurity practices. A testament to our incredible team, the GDR highlights that Squire Patton Boggs provides “exceptional coverage,” is “well equipped to advise in major and developing markets alike,” and that its expertise in counseling clients “is sought out by an impressive list of multinationals,” while clients praised the firm for its “quick, pragmatic and business-savvy advice.”

Last week, the U.S. Securities and Exchange Commission (“SEC”) filed an enforcement action in federal court requesting that the court compel an international law firm to comply with an administrative subpoena by disclosing the names of its clients whose information was obtained by malicious actors through a cyberattack on the law firm.  This lawsuit may have big implications for the scope of attorney-client privilege and the ability of companies to turn to their lawyers without fear of disclosing confidential information to the government.

According to the SEC’s filing, back in November 2020, the law firm was a victim of a cyberattack that resulted in malicious actors gaining access to the law firm’s computer network.  From the cyberattack, the malicious actors were able to access non-public information of roughly 300 of the law firm’s clients that are regulated by the SEC.  In March 2021, following a disclosure of a technical vulnerability affecting Microsoft Exchange Server, the law firm investigated its network and determined “that the threat actor collected email from the Outlook accounts of the Firm lawyers and staff who were targeted.”  The law firm disclosed the data breach to the FBI, but did not disclose the names of its clients that were affected.

In early 2022, the SEC learned that the law firm was a victim of the cyberattack and in March, the SEC issued a subpoena to the law firm in support of its own investigation.  Most notably, the SEC’s subpoena requested that the law firm produce documents “sufficient to identify all [law firm] clients or other impacted parties that are public companies whose data, files, or other information may have been viewed [in the cyberattack].”  The law firm objected to the request, arguing in its communications with the SEC that, under the D.C. Rules of Professional Conduct, lawyers cannot disclose the name of their clients in these circumstances because it would reveal a client secret, i.e., “that those clients . . . were affected by the cyberattack on their law firm.”  Although the law firm determined that only 7 of its roughly 300 SEC-regulated clients had material non-public information accessed by malicious actors, the SEC maintains that it needs the names of all SEC-regulated clients in order to investigate potential illegal trading on information obtained through the cyberattack.

In its filing last week, the SEC requests that the federal court order the law firm to comply with subpoena by providing client names.  The SEC argues that the D.C. Rules of Professional Conduct grants an exception to the rule against disclosing client confidences in the case of a valid subpoena.  In a statement following the filing, the law firm’s attorneys insisted that the firm is “ethically bound to protect the identities of its clients” and described the SEC’s action as “a blatant fishing expedition.”  Assuming both sides stick to their positions, this dispute sets up a showdown between the investigatory power of the SEC and the scope of attorney-client privilege that the federal court will have to squarely address.  When that decision comes, Privacy World will be here to break it down.  Stay tuned.

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

LinkedIn’s Data Scraping Battle with hiQ Labs Ends with Proposed Judgment | Privacy World

SEC Accused of Violating FOIA Deadlines for Documents on Improper Database Access | Privacy World

OCR Joins Chorus of Regulators Warning About Health Data Tracking Technology | Privacy World

Welcome to PRIVACY WORLD | Privacy World

Squire Patton Boggs Again Ranks in Global Data Review’s 2023 Elite 25 – Clients Praise Firm’s “Quick, Pragmatic and Business-Savvy Advice” | Privacy World

Federal Communications Commission Proposes Revisions to Data Breach Rules  | Privacy World

Another Lesson for Higher Education Institutions about the Importance of Cybersecurity Investment | Privacy World

PW’s Kristin Bryan and David Oberly to Present at Ohio Information Security Conference | Privacy World

Key Takeaway

A Massachusetts class action claim underscores that institutions of higher education will continue to be targets for cybercriminals – and class action plaintiffs know it.

Background

On January 4, 2023, in Jackson v. Suffolk University, No. 23-cv-10019, Jackson (Plaintiff) filed a proposed class action lawsuit in the U.S. District Court for the District of Massachusetts against her alma matter, Suffolk University (Suffolk), arising from a data breach affecting thousands of current and former Suffolk students.   Continue Reading Another Lesson for Higher Education Institutions about the Importance of Cybersecurity Investment

The Federal Communications Commission (FCC) has unanimously adopted a Notice of Proposed Rulemaking (NPRM) to revise its requirements related to data breach reporting requirements applicable to telecommunications carriers and interconnected Voice over Internet Protocol providers. The proposal seeks to “strengthen the Commission’s rules for notifying customers and federal law enforcement of breaches of customer proprietary network information (CPNI).” CPNI is data on the subscribers’ telephone usage as originally defined in Section 222 of the Communications Act. The Commission’s aim is “to better align its rules with recent developments in federal and state data breach laws covering other sectors.”

Continue Reading Federal Communications Commission Proposes Revisions to Data Breach Rules 

Global Data Review, the data law and regulation magazine, has again ranked Squire Patton Boggs among 25 Elite firms in its 2023 edition of the GDR 100. GDR identifies and profiles the world’s leading 100 law and advisory firms that have data privacy and cybersecurity practices. “Elite” is the highest level awarded by the publication, and is reserved for the top 25 firms.

Squire Patton Boggs was recognized for its global reach, with its “exceptional coverage” and its ability to serve as a single point of contact for all US and international data protection and privacy needs.  GDR highlights that the firm is “well equipped to advise in major and developing markets alike,” and that its expertise in counselling clients “is sought out by an impressive list of multinationals,” while clients praised the firm for its “quick, pragmatic and business-savvy advice.” Other client feedback included: “[The] team at Squire Patton Boggs provides stellar work product, is efficient and is always on the cutting edge of the latest regulations” and “They are very knowledgeable and able to provide feedback and services in an agile manner that is business-friendly.”

In addition to the firm’s Elite ranking, partners Colin Jennings and Kyle Fath were recognized as leading individuals in this field.

The firm’s Data Privacy, Cybersecurity & Digital Assets Practice is comprised of over 80 lawyers in 15 countries. Spearheaded by Alan Friel, the group is recognized for its cutting-edge transactional, regulatory, policy, cybersecurity and contentious capabilities, counseling clients around the world on business-critical matters.

In 2022, the firm continued to expand its practice with senior hires in London, New York, Brussels, Washington DC, Madrid and Milan, including partners David Naylor and Charles-Albert Helleputte, who co-head the firm’s EMEA team.

“We are delighted to be recognized as one of the world’s best data law firms, commented Alan Friel, chair of the firm’s Data Privacy, Cybersecurity & Digital Assets Practice. “We have built a comprehensive global practice that is equipped to meet the increasingly complex needs of our clients, and this ranking acknowledges the achievements of our very talented team.”

Global Data Review is the leading publication analyzing the law and regulation of the use and trade of data around the world.

For data privacy, security, and innovation updates from our team, you can subscribe here to receive email notifications from our newly refreshed Privacy World blog. Privacy World will be there to keep you in the loop.

Squire Patton Boggs (US) LLP is pleased to announce that, effective immediately, Privacy World is the name of our refreshed, award winning Consumer Privacy World blog.

Privacy World will continue to be your one-stop shop for fast-breaking news and views on the high-speed developments involving data privacy, security, and innovation – brought to you by our Global Data Review “Elite” team of lawyers that practice in this space around the world every day.

And there are now even more of our lawyers advising on the increasingly complex world of privacy, cybersecurity, and digital assets.  In the past year, our team has grown to 80 lawyers in 15 countries who offer the full range of legal services — from day-to-day counselling and assessing compliance with applicable privacy regimes, to providing policy advice and risk mitigation, to representing clients in regulatory investigations and litigating high stakes privacy and cybersecurity disputes in courts across the country. We understand that the protection of sensitive data (whether it is client information, intellectual property, or trade secrets) is vital to our client’s business operations and we bring the necessary experience to help clients navigate both existing and emerging regulatory requirements – including incident response and any litigation that may accompany it.

You can sign up to subscribe and have email Privacy World updates delivered directly to your inbox. And for more on data privacy, security, and innovation, stay tuned. Privacy World will be there to keep you in the loop.