Aiming to identify supply chain vulnerabilities in the energy sector and to enhance and test cybersecurity response capabilities between the public and private sectors, the U.S. Senate Committee on Energy & Natural Resources approved legislation that directs the Department of Energy (DoE) to create several new programs for the development of “advanced cybersecurity applications and technologies” for the sector.[1] The Energy Cybersecurity Act of 2019 (the Act) directs DoE to establish programs that identify supply chain vulnerabilities and expand Federal cooperation and coordination in responding to cyber threats.

If passed, the Act will require the DoE to:

Continue Reading Energy Cybersecurity Act of 2019

In Ingham Regional Medical Center v. U.S. (Jan. 6, 2020), the Court of Federal Claims compelled production of certain government investigatory documents that the Court found were not privileged work product prepared “in anticipation of litigation.” The Medical Center sued to recover payments for outpatient healthcare services performed in connection with DoD’s TRICARE program after initial settlement discussions had failed. During discovery, the government inadvertently produced several documents that assessed the accuracy of its previous payments to the Medical Center, including documents that had been repeatedly logged as privileged. Although the government claimed that the documents were prepared in anticipation of litigation, the court held that the documents did not constitute protected work product because they were produced in furtherance of a business purpose (i.e., payment investigation) well before a genuine threat of litigation arose. The court equated the government’s function in assessing the hospital’s claims for alleged underpayments to that of an insurer who investigates a claim before making a final determination. Therefore, since the threat of litigation was too remote, the court found that the work product had been prepared for a possible negotiated business settlement between the parties, rather than for litigation. Contractors and others engaged in litigation with the government should keep “ordinary course of business” arguments in mind as a basis to challenge government privilege assertions.

The Department of Defense (DoD) has released Version 1.0 of the Cybersecurity Maturity Model Certification (CMMC), Appendices A-F, and an Overview Briefing. While Version 1.0 largely mirrors the draft Version 0.7, the final version includes notable revisions.

Crowell & Moring has released Litigation Forecast 2020: What Corporate Counsel Need to Know for the Coming Year. The eighth-annual Forecast provides forward-looking insights from leading Crowell & Moring lawyers to help legal departments anticipate and respond to challenges that might arise in the year ahead.

For 2020, the Forecast focuses on how the digital revolution is giving rise to new litigation risks, and it explores trends in employment non-competes, the future of stare decisis, the role of smartphones in investigations and litigation, and more.

The cover story, “A Tangled Web: How the Internet of Things and AI Expose Companies to Increased Tort, Privacy, and Cybersecurity Litigation,” explores how the digital revolution is transforming not only high-tech companies, but also traditional industries with products, business models, and workforces that are being affected by increased connectivity, artificial intelligence, and the ability to gather and use tremendous amounts of data.

Be sure to follow the conversation on Twitter with #LitigationForecast.

On January 13, 2020, U.S. District Court Judge Castel of the Southern District of New York, in SEC v. Telegram Group Inc. et al., No. 19 Civ. 9439 (PKC), granted the motion of the U.S. Securities and Exchange Commission (“SEC”) to compel Telegram Group Inc., a technology company best known for its secure messaging app, to produce overseas bank records (Dkt. 67). The SEC had sought these records “fully unredacted” on an expedited basis in support of its claim that Telegram engaged in an unregistered securities offering (Dkt. 52). Telegram objected to any production, asserting that the records were of questionable relevance, that they contained banking and personal information protected by a host of foreign laws, and that it would be unduly burdensome “to cull through these records and redact the personal information of non-U.S. persons and entities subject to foreign data privacy law protections.” (Dkt. 55). In a short decision, the Court ordered Telegram to produce the records on a tight timeline, holding that “[o]nly redactions necessitated by foreign privacy laws shall be permitted, and a log stating the basis for any redaction shall be produced at the same time the redacted documents are produced.”

There are a few key takeaways from this decision. First, the Court recognized foreign data privacy laws as legitimate grounds for withholding otherwise discoverable information. Defendant was not given a blank check to redact; rather, the Court required Telegram to log the basis for any privacy assertions, and one can expect the SEC will closely question Telegram on the redactions. At the same time, the Court clearly did not agree with the SEC’s characterization of data privacy laws as “blocking statutes” to be ignored, and was not swayed by its complaints that Telegram had not shown that such laws require deference. This is consistent with a generally heightened sensitivity to data privacy and data security interests observed in the U.S. and abroad.

Judge Castel’s approach represents a change from U.S. courts’ prior dismissive treatment of similar disclosure objections. Courts traditionally would apply a multi-factor comity analysis that generally prioritized U.S. discovery interests over those of conflicting foreign laws and ultimately required unredacted production. See, e.g., Laydon v. Mizuho Bank, Ltd., 183 F. Supp. 3d 409 (S.D.N.Y. 2016) (requiring unredacted production of data protected by the then EU privacy regulation, the 1995 EU Directive 95/46/EC, based on the comity analysis set out in Société Nationale Industrielle Aerospatiale v. U.S. Dist. Court for S. Dist. of Iowa, 482 U.S. 522, 544 n.29 (1987) (hereinafter “Aerospatiale”)). Certainly, the SEC pushed for the customary approach, but Judge Castel appears implicitly to have resolved in short form (or skipped over) the Aerospatiale comity analysis and accepted the legitimacy of foreign restrictions on disclosure in U.S. proceedings.

Continue Reading Burden of Compliance With Foreign Data Privacy Laws Does Not Justify Withholding of Banking Records

On January 1, 2020, California’s landmark privacy law, the California Consumer Privacy Act (CCPA), took effect. The CCPA imposes various obligations on covered businesses and provides extensive rights to consumers with respect to controlling the collection and use of their personal information. While some companies have largely completed their CCPA compliance efforts, many others are still digesting the CCPA and draft proposed regulations, and taking steps to meet the CCPA’s myriad compliance obligations.

Confusion persists about how businesses can comply with certain provisions of the CCPA. In October 2019, the California Attorney General issued proposed regulations that provide guidance on a number of key areas, but the regulations are not yet final. If adopted, violations of the proposed regulations will be treated the same as violations of the CCPA itself, with the same penalties. We have summarized the proposed regulations in previous alerts:


Continue Reading California’s Landmark Privacy Law Now in Effect

GN Netcom, Inc. v. Plantronics, Inc., 930 F.3d 76 (3d Cir. 2019)

The Third Circuit’s decision in GN Netcom illustrates how Federal Rule of Civil Procedure 37(e) has elevated the bar to obtaining a default judgment based on spoliation, raising the question of what level of egregious conduct would justify that penalty. The decision also is notable for its exploration of the evidentiary support that aggrieved parties should be permitted to submit when the lesser penalty of a permissive adverse inference instruction is ordered. In a split decision, the appellate court granted a new trial because plaintiff’s expert was precluded from testifying as to the degree of spoliation, which might have impacted the outcome of the case.

Defendant’s Spoliation of Evidence

Continue Reading Prohibition on Expert Testimony Results in New Trial

This time of year, everything tends to be more scary and spooky, but one thing doesn’t have to be – creating a defensible privilege log! Creating a privilege log can be one of the most time-consuming, labor-intensive and expensive parts of litigation. The last thing you want is to have to spend additional time and money defending or re-doing work on your privilege log.

Federal Rule of Civil Procedure 26(b)(5) only requires that the party withholding material based on a claim of privilege “(i) expressly make the claim; and (ii) describe the nature of the documents, communications, or tangible things not produced or disclosed – and do so in a manner that, without revealing information itself privileged or protected, will enable other parties to assess the claim.” Although this seems simple enough, in practice this can actually be more trick than treat.

Here are some things to keep in mind when creating a privilege log, to help make it more defensible and less likely to require additional time and money for extensive revisions to its entries.

Continue Reading Tips For Making Privilege Logs Less Scary

Consent is only one of the six legal grounds for processing personal data under the GDPR, but it is certainly the best-known. While it might look safe and solid at first sight, it is becoming the weakest link in the GDPR compliance chain.

First, consent can be withdrawn at any time, and the process for withdrawal must be as easy as the process for providing consent. Thus, a system built only on consent can fall apart quite quickly.

More importantly, consent can be considered invalid at any time, in which case the breakdown is immediate.

One example of consent being invalidated is a Belgian retailer that required the use of a customer’s e-ID as a prerequisite for the issuance of a loyalty card. While the merchant claimed consent as its legal ground, the DPA ruled that such consent could not be freely given and that it was therefore invalid.

A second example is the recent judgment of the Court of Justice of the European Union stating that a pre-ticked checkbox cannot be considered as an active, unambiguous consent of the user. The consent, which was required as an ePrivacy requirement for the use of tracking cookies, was therefore invalid.

The impact of such invalidation should not be underestimated, as it leaves you without a valid legal ground and, thus, no way to continue the processing of personal data. If you need the personal data for your core business processes, the operational consequences can be enormous.

So how can you fortify this weak link? Make sure that you can demonstrate that users have a real choice and are fully in control when providing consent. This is a crucial step both for the validity of the consent and the fairness of the processing.

Consent without such choice or control can never be solid, and you just can’t build a castle on quicksand and expect it not to sink.

On October 1, 2019, the Court of Justice of the European Union (CJEU) issued a final ruling in the Planet49 case (case C-673/17).

Following a request for a preliminary ruling from the German Federal Court of Justice, the Bundesgerichtshof, the CJEU interpreted the consent requirement of Directive 2002/58/EC, as amended by Directive 2009/136/EC (hereafter the “e-Privacy Directive”), in light of the former Directive 95/46/EC (hereafter the “Data Protection Directive”) as well as its successor, the General Data Protection Regulation (GDPR).

The Court made it clear that the placing and reading of tracking cookies on a user’s terminal equipment requires an active and unambiguous consent of the user. A pre-ticked checkbox does not meet these requirements and therefore does not constitute a valid consent. Also, the Court underlined that consent must be specific. In the case at hand, the act of selecting a button to participate in a promotional online lottery cannot be construed as consent of the user to the storage of cookies.

Moreover, the Court clarified that these requirements regarding the consent of the user for usage of cookies are applicable regardless of whether the information stored or consulted on the user’s device constitutes “personal data.”

Finally, the Court held that cookie consent must be “informed” as per the GDPR, which means that service providers must also provide information on the duration of the operation of the cookies, as well as on any third-party access to those cookies.

The facts

Continue Reading Court of Justice of the European Union Finds that Pre-Ticked Checkboxes Are Not Valid Consents under GDPR